Hi, Owen opened four issues related to your Security Considerations comments
around RFC3007.
They were:
https://github.com/upros/acme-integrations/issues/49
https://github.com/upros/acme-integrations/issues/47
https://github.com/upros/acme-integrations/issues/40
https://github.com/upros/acme-integrations/issues/48

I made a pull request addressing all of these at:
https://github.com/upros/acme-integrations/pull/54

I thought RFC3007 was sufficiently complete in its references that we didn't
need to cite RFC2136 and RFC2931, but I don't mind.

You are both right: RFC3007 is not the only way to do DNS updates.
It's what I use for dns-01, btw, and what many of the LE certbot howtos
explain. Also, it's what ActiveDirectory/MS-DHCP uses if not using the MS DNS
server internally. So that's a lot of usage of 3007, but you are right:
getting the configuration of TSIG is sufficiently tedious that many opt for
something else. (How you *name* the TSIG key is relevant, even though it seems
like it should be a local consideration.)

Please comment on the above PR if you have a moment. It's rather a short
change.

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
