From the mailing list traffic, it seems like some of y'all only care about 
getting resolver information from DNS (hopefully DNSSEC-signed), while others 
are fine to use HTTPS with web PKI authentication, particularly when DNSSEC 
signing is not possible. We have left both methods in the main draft.

I see that draft-ietf-acme-ip-06 is now in last call. It adds IP address certificates to the ACME protocol. The only validation it uses is http challenge to a web server on that IP, not DNS.

It says that since SNI only allows host names, if the challenge sends SNI, it's the rDNS version of the IP in in-addr.arpa or ip6.arpa.

I still think this draft should stick to retrieval of the JSON blob by https to the IP of the resolver and not try to do anything clever in the DNS. It's a lot less to invent.

Regards,
John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
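Added example, not part of this post or of draft-ietf-acme-ip: the SNI form the draft describes for IP certificates is the reverse-DNS name of the address (in-addr.arpa for IPv4, ip6.arpa for IPv6). The code below computes that name and adds a server-side check that the SNI a client sent actually names the address the connection arrived on; the function names are my own, not from any ACME implementation.

```python
import ipaddress

# Added example: helper names are hypothetical, not from the ACME draft or any
# ACME client/server. Only the name format (in-addr.arpa / ip6.arpa) comes from
# draft-ietf-acme-ip.


def acme_ip_sni(ip_text: str) -> str:
    """Return the in-addr.arpa / ip6.arpa name for an IPv4 or IPv6 literal."""
    addr = ipaddress.ip_address(ip_text)  # raises ValueError on junk input
    if addr.version == 4:
        # IPv4: the four octets in reverse order under in-addr.arpa
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    # IPv6: expand "::" to all 32 hex digits first, then reverse every nibble.
    # Reversing the compressed form would give the wrong name.
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def sni_matches_ip(sni: str, local_ip: str) -> bool:
    """Server-side check: does the SNI a client sent name the address we accepted on?

    DNS names are case-insensitive and may carry a trailing dot, so both sides are
    normalised before comparing. Returns False instead of raising, because the SNI
    is untrusted client input.
    """
    try:
        expected = acme_ip_sni(local_ip)
    except ValueError:
        return False
    return sni.rstrip(".").lower() == expected


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges
    for ip in ("192.0.2.10", "2001:db8::1"):
        print(ip, "->", acme_ip_sni(ip))
```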

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
