> On 14 Dec 2015, at 18:44, Ilari Liusvaara <[email protected]> wrote:
>
>> On Mon, Dec 14, 2015 at 06:25:56PM +0100, Julian Dropmann wrote:
>>
>> If there for example were a standard to make changes to your DNS
>> zone/nameserver, this would be a much better approach to verify domain
>> ownership automatically, so why not provide an automation for that first?
>> But of course I also see the practical approach here...
>
> Like DNS UPDATE? Standardized in 1997...
>
> IIRC, there have been patches to the reference ACME client (I don't
> think those have gotten merged) that implement the client side of
> DNS UPDATE.
>
> It actually depends on use case which of DNS or HTTP is more convenient.
>
>
> -Ilari
If this standard exists, why do we not solely rely on that instead of introducing weaker mechanisms? You already answered it: because it's more convenient. You do not rely on name server providers to support that. By providing those other methods, there is now even less incentive to implement/use it. And by only having a single CA accepting the HTTP method you already have no security benefit anyway using it.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
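As an added illustration of the mechanism Ilari refers to (example code, not from this thread or from any ACME client), the following Python builds the RFC 2136 DNS UPDATE message that would add the `_acme-challenge` TXT record an ACME dns-01 validation looks up. The zone, domain and digest value are constructed placeholders, and the message is only assembled, not sent or TSIG-signed.

```python
# Builds an RFC 2136 DNS UPDATE message (opcode 5) that adds the TXT record
# an ACME dns-01 validation queries. Offline: wire bytes are constructed but
# never sent; a real deployment must also TSIG-sign the message (RFC 2845).
import struct

OPCODE_UPDATE = 5
TYPE_SOA, TYPE_TXT, CLASS_IN = 6, 16, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def txt_rdata(value: str) -> bytes:
    """TXT RDATA is a <character-string>: one length byte followed by text."""
    raw = value.encode("ascii")
    if len(raw) > 255:
        raise ValueError("TXT string longer than 255 bytes")
    return bytes([len(raw)]) + raw


def build_acme_dns_update(zone: str, domain: str, key_auth_digest: str,
                          msg_id: int = 0x1234, ttl: int = 60) -> bytes:
    """Zone section names the zone (type SOA); update section adds
    _acme-challenge.<domain> TXT "<digest>" (RFC 2136 section 2.5.1)."""
    # Header: ID, flags (opcode in bits 11-14), ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = txt_rdata(key_auth_digest)
    update_sec = (encode_name("_acme-challenge." + domain)
                  + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata))
                  + rdata)
    return header + zone_sec + update_sec


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header so opcode and section counts can be verified."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}


if __name__ == "__main__":
    # Constructed sample: placeholder zone, domain and digest value.
    msg = build_acme_dns_update("example.com", "example.com", "constructed-digest")
    print(parse_header(msg), msg.hex())
```

The update only helps if the authoritative server is configured to accept it from this client (typically via a TSIG key scoped to the `_acme-challenge` name), which is exactly the provider support the thread says cannot be assumed.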
