On Tue, Dec 15, 2015 at 9:26 PM, Stephen Farrell <[email protected]> wrote:
> Hiya,
>
> On 16/12/15 01:44, Julian Dropmann wrote:
> > The target users are server admins right? In order to set up their
> > services, they should be familiar with DNS.
>
> Familiar with != has write access to.
>
> In my university, I have root on 24U of boxen with zero write
> access to the routers, f/w, DNS or mail servers, meaning that
> for 13 years I couldn't get the two that are publicly visible
> web servers certified by any CA any time I checked, which was
> admittedly not that often.
>

That is my experience as well. And it is even worse in a home situation. I do have real DNS servers on my net. But they are heavily integrated into development systems and flaky as heck. Most of my home-related boxen sit on the DNS server on the WiFi box, which only supports A records.

> ACME (via LE in that case, but I've no allegiance) fixed that
> in a couple of minutes. And those minutes didn't require deep
> knowledge of anything - relative ignorance would have worked
> just as well, which is fantastic :-)
>
> And before someone argues, sure there are other situations but
> our goal here is to define a protocol that works in the most
> common of those cases as easily as possible and that supports
> automation.

Yes. And minimizing the amount of code people need to write to implement the protocol is not a priority for me. I need a protocol that will work with the ugly facts of real-world networking like NAT boxes.

>
> > To use the current
> > mechanism they already need to configure the A record.
>
> Not necessarily the same admins. That much is pretty obvious
> and unless someone has demographics about how many sysadmins
> have what access to what (which would be great!) I think this
> is repetitive argument and therefore pointless.
>

I think you probably overstate your difficulty just slightly. I think that if you were to make a case to the campus IT folk, you could get them to touch the DNS one time only to insert some records that will allow you to automate issue of certs. But that is a much smaller ask than wanting to plug a challenge/response scheme into the local DNS.

To make the current protocol work in my (fairly typical) home network, I would probably have to create some mechanism that allows me to write out the challenge responses from the host making the application to the machine running the outward-facing web servers. That is doable but a chore.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
