On Tue, Jan 16, 2018 at 12:12:00 +0200, Joona Hoikkala wrote:
> Would a reasonable solution be to deploy something similar to the
> ACME-DNS software closer to the CA?

Hello!

I had some thoughts about the issue too.
Your solution (CNAME + separate DNS server) sounds like a good solution
to me.

But others are available too:

With bind9 it should be possible with something like this:

zone "example.net" {
    ...
    update-policy {
        grant somekey name _acme-challenge.www.example.net TXT;
    };
};

AWS Route53 *could* be improved using their IAM system, e.g. add a
condition that record names have a specific pattern.

One possible workaround for AWS Route53 is to create a lambda function
which updates route53. The lambda function could then check the caller's
permission.

Or in general one could run a separate server with full access to DNS
but only HTTP-API access to those servers that need certificates.

I'm currently working on such a (python based) server which implements
ACME client protocol, holds the ACME account key, has access to the DNS
zone somehow (may be full access) and provides an HTTP API where clients
can send their CSRs and receive Certificates. There will be some kind of
ACL "This client may request that certificate".
Client implementation may be as easy as "openssl req -new ...; curl ...;
mv key/cert to webserver conf; restart webserver".

The best solution however might be if all DNS providers / servers would
offer API access with limited access.

I hope that when there are enough secure solutions available, users will
pick one of them instead of giving their webservers full access to their
DNS zones :-)

Perhaps there should be some guide on how to do automated DNS challenges
securely with links to implementations.

Cheers
Jörn Heissler


_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
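An added example, not code from the author's server or from any project: the "this client may request that certificate" ACL check the mail proposes for an HTTP-API front end (or a Route53 Lambda), together with the bind9 update-policy grants that confine a TSIG key to just the _acme-challenge TXT records. The client ids, key name and hostnames are constructed.

```python
import re

# Constructed ACL (assumption): client id -> names that client may request. A "*.suffix"
# entry permits one extra label below suffix, and a wildcard cert only when requested verbatim.
ACL = {"webserver-01": {"www.example.net", "example.net"},
       "dev-team": {"*.dev.example.net"}}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name):
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def name_allowed(name, allowed):
    # exact match, or parent covered by a "*." entry; a bare suffix match never counts
    if name in allowed:
        return True
    parent = name.split(".", 1)[1] if "." in name else ""
    return ("*." + parent) in allowed

def authorize(client_id, requested_names):
    """Return (ok, reason); one unauthorised SAN rejects the whole request."""
    allowed = ACL.get(client_id)
    if allowed is None:
        return False, "unknown client"
    if not requested_names:
        return False, "no names requested"
    for raw in requested_names:
        name = raw.lower().rstrip(".")
        if name.startswith("*."):
            if name in allowed:
                continue
            return False, "wildcard not permitted: " + name
        if not valid_hostname(name):
            return False, "malformed name: " + name
        if not name_allowed(name, allowed):
            return False, "not authorised: " + name
    return True, "ok"

def challenge_records(names):
    """TXT owner names written for dns-01: the only records a narrowly scoped
    DNS credential needs to touch (a wildcard uses its parent's record)."""
    base = (n.lower().rstrip(".") for n in names)
    return sorted({"_acme-challenge." + (n[2:] if n.startswith("*.") else n) for n in base})

def update_policy(key_name, names):
    """bind9 update-policy block limiting KEY_NAME to those TXT records."""
    grants = ["    grant %s name %s TXT;" % (key_name, r) for r in challenge_records(names)]
    return "update-policy {\n" + "\n".join(grants) + "\n};"
```

The DNS credential held by the proxy can then be scoped with `update_policy("somekey", ACL[client])` style grants, while the proxy itself enforces `authorize()` before touching DNS or the ACME account key.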
