On Mar 13, 2018, at 11:16 AM, Joe Abley <jab...@90.212.199.in-addr.arpa> wrote:
> I think that if Tony can be d...@dotat.at <mailto:d...@dotat.at>, surely I 
> can be jab...@90.212.199.in-addr.arpa <mailto:jab...@90.212.199.in-addr.arpa>.
> A zone is a zone. ARPA is only special by convention, not by protocol.


Thinking through the threat model here, when would this even work?   It would 
certainly work in principle for stable servers that have reverse delegations.   
For servers that move around a lot, it seems like a really crappy solution.   
Why do you trust a server that's moving around a lot?   Presumably because 
you've already established trust with it OOB.   So why do you need ACME in this 

For the case of a server that's not moving around a lot, why is it useful?   
How did your resolver know to contact that particular server?

I don't see anything in the document describing the motivating use case.   Did 
I miss that from some other document?

DNSOP mailing list

Reply via email to