On Thu, Nov 12, 2015 at 4:05 PM, Hugo Landau <[email protected]> wrote:
> Currently, the DNS challenge uses a random token which changes every
> time an authorization is performed.
>
> This seems problematic, however. Changes to DNS can take time to
> propagate,

If the issuer of the DNS challenge flushes its DNS cache and checks with the authoritative server itself, the propagation delay doesn't seem like an issue. Are there particular issuers/conditions for which you believe the issuer would have to rely on caching resolvers?

> and changes to DNS may involve manual intervention. If an
> authorization fails for any reason, the process has to be started again.
>

But isn't that the point? We're looking for a demonstration that they are capable of making a specified change.

> This seems like an obstacle to the automated acquisition and renewal of
> certificates which ACME is supposed to enable. Since what is ultimately
> desired is to authorize an account, wouldn't it make more sense to place
> in DNS not a random challenge response, but an unambiguous endorsement
> of a given account key to represent the domain? This could be reverified
> easily by subsequent authorizations.
>

Can you provide text for what you propose? I'm having a bit of trouble parsing your intent.

regards,

Ted

> Hugo Landau
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
>
