On Friday, September 11, 2020 7:06 PM, Michael Richardson <[email protected]> wrote:

> Simon Ser <[email protected]> wrote:
> > dns-01 requires the ACME client to complete the challenge by updating a DNS
> > record. This is bothersome because this often requires interacting with the
> > DNS registry operator. This is typically done via vendor-specific APIs, with
> > access control handled via vendor-specific means (tokens, public keys,
> > etc).
>
> I guess if you've hosted your zone with the registrar, then that might be
> true. My opinion: Don't do that.
>
> Host your own zone, and/or use Dynamic DNS update (RFC3007), which is mature
> technology.
> There are some annoyances with TSIG until you realize that the key name
> really matters.

That sounds like the most reasonable way to solve the dns-01 challenge indeed.
The self-hosted zone can even be limited to just _acme-challenge.

I'm still wondering whether dns-01 is an absolutely necessary evil (see other
replies).

> > For instance, it would be possible to require users to add a short public key
> > in a DNS TXT record, then ask the ACME client to sign challenges with that key.
> > Something like this would significantly ease the development of ACME
> > clients.
>
> So, this would be a client key challenge.
> This would not be dns-01. It could certainly work, but it would be a new
> effort.
> Maybe we could use SIG(0), I'm not sure.

Yes, this wouldn't be dns-01 or dns-02, it would be a completely separate thing.

> The question would be whether or not it would get implemented.

Yes, this is why I'm writing to this mailing list. Maybe I should've CC'ed some
Let's Encrypt-specific mailing list as well.

> > Are there specific reasons why dns-01 requires updating a DNS record?
>
> Yes, because it proves you control the zone.

Right, but there could be other ways to prove this as well.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
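The self-hosted _acme-challenge zone plus TSIG-authenticated dynamic update discussed in the thread, as an added example (not code from the thread or from any ACME project): a POSIX shell helper that builds the nsupdate batch, with the matching BIND named.conf fragment in comments. The server name, zone, key name, secret and token are constructed placeholders; the real TXT value is whatever the ACME client computes for the challenge.

```shell
#!/bin/sh
# Added example: publish an ACME dns-01 token with an RFC 2136 dynamic update
# authenticated by TSIG, into a zone that holds only _acme-challenge.
# All names, the secret and the token below are constructed placeholders.
#
# Matching server side (constructed BIND 9 named.conf fragment). The key is
# granted write access to TXT records in this one small zone and nothing else:
#   key "acme-key" { algorithm hmac-sha256; secret "c2VjcmV0"; };
#   zone "_acme-challenge.example.com" {
#       type primary; file "acme-challenge.db";
#       update-policy { grant acme-key zonesub TXT; };
#   };
# The key *name* travels in the TSIG record of every update and is how the
# server picks the secret, so "acme-key" must be identical on both sides.

DNS_SERVER=${DNS_SERVER:-ns1.example.com}          # constructed
ZONE=${ZONE:-_acme-challenge.example.com}          # constructed
TSIG_SECRET=${TSIG_SECRET:-c2VjcmV0}               # constructed, base64
TOKEN=${TOKEN:-TOKEN_FROM_ACME_CLIENT}             # placeholder for the
                                                   # value the ACME client computes

# acme_dns01_update ZONE FQDN KEYNAME SECRET TOKEN
# Prints an nsupdate batch on stdout. Refuses names outside ZONE so a bug in
# the caller cannot turn the key into a general-purpose zone editor.
acme_dns01_update() {
    zone=$1 fqdn=$2 keyname=$3 secret=$4 token=$5
    case "$fqdn" in
        "$zone" | *".$zone") ;;
        *) echo "refusing: $fqdn is not inside zone $zone" >&2; return 1 ;;
    esac
    printf 'server %s\n' "$DNS_SERVER"
    printf 'zone %s.\n' "$zone"
    printf 'key hmac-sha256:%s %s\n' "$keyname" "$secret"
    printf 'update delete %s. TXT\n' "$fqdn"       # drop stale tokens first
    printf 'update add %s. 60 TXT "%s"\n' "$fqdn" "$token"
    printf 'send\n'
}

# Only talk to the server when asked; by default just show the batch.
if [ "${ACME_SEND:-0}" = 1 ]; then
    acme_dns01_update "$ZONE" "$ZONE" acme-key "$TSIG_SECRET" "$TOKEN" | nsupdate
else
    acme_dns01_update "$ZONE" "$ZONE" acme-key "$TSIG_SECRET" "$TOKEN"
fi
```

Run with ACME_SEND=1 to pipe the batch into nsupdate; a key-name mismatch between the client and named.conf shows up as a BADKEY/NOTAUTH refusal rather than a silent no-op.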
