Henry Birge-Lee <[email protected]> wrote:
> and the acme-dns.io hosted offering of https://github.com/joohoi/acme-dns ).
Oh, yes, I knew about this, but since I already had debugged nsupdate, and
could copy and paste that configuration, I never returned to that.
> This approach of using a magic CNAME 1) creates a single point of failure
> where a compromise of a CNAME service (potentially over the network via DNS
> attacks like cache poisoning or BGP attacks) could take down thousands of
DNSSEC solves some of those sins.
And the auxiliary zone is much easier to DNSSEC sign.
> Another perspective to consider is that should a subscriber automate the
> dns-01 challenge, there is a risk the subscriber will put unrestricted DNS
> API keys on their ACME client. This is not an ideal security configuration
> and avoiding the need for online keys on the ACME client is generally
> beneficial for security.
I'm hearing that we might need/want a CSR-attestation-like mechanism for
ACME account and API keys too :-)
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
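The delegated-CNAME pattern discussed in this thread, as an added example that is not from the thread, from acme-dns or from any CA: it derives the dns-01 TXT value as RFC 8555 section 8.4 specifies, follows the CNAME chain the way a validator would, and reports which zones on that chain are unsigned, i.e. where the integrity of the validation depends on a zone without DNSSEC. All names, the record table and the SIGNED_ZONES flags are constructed for the example.

```python
import base64
import hashlib

# Constructed zone data: the customer's zone only holds a CNAME for the
# challenge label, pointing into an auxiliary acme-dns style zone.
RECORDS = {
    "_acme-challenge.example.com.": [("CNAME", "a1b2c3.auth.acme-dns.example.")],
}
# Constructed DNSSEC status per zone; the auxiliary zone is unsigned here.
SIGNED_ZONES = {"example.com.": True, "auth.acme-dns.example.": False}


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token '.' jwk-thumbprint))."""
    key_auth = f"{token}.{thumbprint}".encode()
    digest = hashlib.sha256(key_auth).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def provision(name: str, value: str) -> None:
    """What the ACME client does with a key scoped to the auxiliary zone only."""
    RECORDS.setdefault(name, []).append(("TXT", value))


def zone_of(name: str) -> str:
    # Constructed convention: the zone is everything after the first label.
    return name.split(".", 1)[1]


def resolve_txt(name: str, max_hops: int = 8):
    """Follow CNAMEs like a CA validator; return (TXT values, names visited)."""
    chain = [name]
    for _ in range(max_hops):
        rrset = RECORDS.get(name, [])
        cnames = [target for rtype, target in rrset if rtype == "CNAME"]
        if not cnames:
            return [v for rtype, v in rrset if rtype == "TXT"], chain
        name = cnames[0]
        chain.append(name)
    raise RuntimeError("CNAME chain too long or looping")


def validate(name: str, token: str, thumbprint: str) -> dict:
    """Check the challenge and list zones on the chain that are not signed."""
    expected = dns01_txt_value(token, thumbprint)
    txts, chain = resolve_txt(name)
    unsigned = sorted({zone_of(n) for n in chain if not SIGNED_ZONES.get(zone_of(n))})
    return {"valid": expected in txts, "chain": chain, "unsigned_zones": unsigned}


if __name__ == "__main__":
    provision("a1b2c3.auth.acme-dns.example.", dns01_txt_value("tok", "thumb"))
    print(validate("_acme-challenge.example.com.", "tok", "thumb"))
```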
