On Wed, Dec 2, 2015 at 1:09 PM, Romain Fliedel <[email protected]>
wrote:

>
>
> 2015-12-02 18:57 GMT+01:00 Phillip Hallam-Baker <[email protected]>:
>
>>
>>
>> On Wed, Dec 2, 2015 at 12:52 PM, Romain Fliedel <[email protected]
>> > wrote:
>>
>>> So we might have a record of the form:
>>>>
>>>> example.com  CAA  0 acmedv1 "port=666"
>>>>
>>>>
>>> If you have to modify the dns to use a custom port, why not use the dns
>>> validation method ? (once it's available)
>>>
>>
>> Well there is a slight difference. DNS validation is possibly encumbered
>> for a start.
>>
>> If by DNS validation you mean 'put the response to the challenge in the
>> DNS' then that requires a lot more administrative connection to the DNS
>> than 'put the fingerprint of the validation key in the DNS'
>>
>
> There was a discussion about dns validation that was suggesting using the
> account public key hash as the DNS record value.
> Thus it would be relatively easy to provision the correct value.
>
>
Well there is prior art on putting keys in the DNS.

The idea of using the DNS as a channel for a challenge-response mechanism
would make me nervous.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
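As an added illustration of the CAA record shape discussed in this thread (this is example code, not code from the original message, the ACME working group or any CA), the block below parses CAA records, picks out the `port=` parameter of the hypothetical `acmedv1` property, and applies the RFC 6844 rule that a CA which does not understand a property marked issuer-critical (flag bit 128) must not issue. The `acmedv1` tag, the `port=key=value` syntax, the sample zone lines and the fallback port of 80 are assumptions made for the example.

```python
import re
from typing import Optional

# Constructed sample zone data for this example (not from the original message).
SAMPLE_ZONE = """\
example.com.   IN CAA 0   issue   "letsencrypt.org"
example.com.   IN CAA 0   acmedv1 "port=666"
other.example. IN CAA 128 mystery "x"
nocaa.example. IN A 192.0.2.1
"""

# Presentation format of a CAA RR (RFC 6844): owner [IN] CAA flags tag "value"
CAA_RE = re.compile(
    r'^(?P<name>\S+)\s+(?:IN\s+)?CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)

ISSUER_CRITICAL = 0x80  # RFC 6844 flags field, bit 0 ("issuer critical")

# Properties this (hypothetical) validator understands. "acmedv1" is the
# tag proposed in the thread, not a registered CAA property.
KNOWN_TAGS = {"issue", "issuewild", "iodef", "acmedv1"}


def parse_caa(zone: str) -> list:
    """Parse CAA records out of zone-file text; other RR types are ignored."""
    records = []
    for line in zone.splitlines():
        m = CAA_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "name": m["name"].rstrip(".").lower(),
            "flags": int(m["flags"]),
            "tag": m["tag"].lower(),
            "value": m["value"],
        })
    return records


def records_for(records: list, name: str) -> list:
    """CAA records whose owner name matches `name` exactly (no tree climbing here)."""
    want = name.rstrip(".").lower()
    return [r for r in records if r["name"] == want]


def validation_port(records: list, name: str, default: int = 80) -> Optional[int]:
    """Return the TCP port an ACME validator should connect to for `name`,
    or None if the CAA records forbid issuance (unknown critical property,
    or an unusable port parameter)."""
    port = default
    for r in records_for(records, name):
        if r["tag"] not in KNOWN_TAGS:
            if r["flags"] & ISSUER_CRITICAL:
                return None  # must not issue: critical property we do not understand
            continue
        if r["tag"] != "acmedv1":
            continue
        # Value is a ";"-separated list of key=value parameters (assumed syntax).
        params = dict(p.split("=", 1) for p in r["value"].split(";") if "=" in p)
        if "port" in params:
            try:
                p = int(params["port"])
            except ValueError:
                return None
            if not 1 <= p <= 65535:
                return None
            port = p
    return port


if __name__ == "__main__":
    recs = parse_caa(SAMPLE_ZONE)
    for n in ("example.com", "nocaa.example", "other.example"):
        print(n, "->", validation_port(recs, n))
```

The function only looks at records on the exact name; a real CA walks up the DNS tree as RFC 6844 describes, and would also verify the records over a trustworthy resolver path before relying on them.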