Re: [Acme] dns-01 challenge limitations

2020-09-15 Thread Jacob Hoffman-Andrews
Here are a couple of other useful resources on addressing this problem on the client side. Essentially, you can run your own nameserver dedicated to answering challenges, and delegate to it with CNAMEs. https://github.com/joohoi/acme-dns https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se

Re: [Acme] dns-01 challenge limitations

2020-09-13 Thread Ryan Sleevi
On Sun, Sep 13, 2020 at 5:25 AM Simon Ser wrote: > > The question would be whether or not it would get implemented. > > Yes, this is why I'm writing to this mailing list. Maybe I should've CC'ed > some > Let's Encrypt specific mailing list as well. It's certainly possible, but to be clear: any

Re: [Acme] dns-01 challenge limitations

2020-09-13 Thread Ryan Sleevi
This is the least secure option and most likely to be deprecated going forward. Sending an email, even to the IANA-defined boundaries, is simply not a substitute for proof of domain control. On Sun, Sep 13, 2020 at 5:17 AM Philipp Junghannß wrote: > maybe one could make it so an email specific

Re: [Acme] dns-01 challenge limitations

2020-09-13 Thread Michael Richardson
Simon Ser wrote: >> For now, this is for many ACME clients a manual step. If you run your >> authoritative DNS service locally in your network, perhaps you could >> look into any options for automatically update the zone content. > I agree a standardized API for DNS operators wou

Re: [Acme] dns-01 challenge limitations

2020-09-13 Thread Jesper Kristensen
On Sun. 13 Sep 2020 at 14:10, Philipp Junghannß <teamhydro55...@gmail.com> wrote: > Simon Ser said: > > > > Are there specific reasons why dns-01 requires updating a DNS >> record? >> > >> > Yes, because it proves you control the zone. >> Right, but there could be other ways to prove this

Re: [Acme] dns-01 challenge limitations

2020-09-13 Thread Philipp Junghannß
Simon Ser said: > > Are there specific reasons why dns-01 requires updating a DNS > record? > > > > Yes, because it proves you control the zone. > Right, but there could be other ways to prove this as well. care to share? what other methods are there to prove that you have access to the DNS

Re: [Acme] dns-01 challenge limitations

2020-09-13 Thread Kas
On 9/13/2020 12:13 PM, Simon Ser wrote: Ultimately, ACME clients need a way to update DNS records to solve the dns-01 challenge. Ignoring and pushing the problem down to the DNS operators does not fix the root cause. I can't agree more, so what about going after dns-02 challenge instead of try

Re: [Acme] dns-01 challenge limitations

2020-09-13 Thread Simon Ser
On Friday, September 11, 2020 7:06 PM, Michael Richardson wrote: > Simon Ser wrote: > > dns-01 requires the ACME client to complete the challenge by updating a > DNS > > record. This is bothersome because this often requires interacting with > the > > DNS registry operator. This i

Re: [Acme] dns-01 challenge limitations

2020-09-13 Thread Philipp Junghannß
maybe one could make it so an email specific to the domain that is verified could be used instead to just screw the entire DNS thing? I mean CAs have used e-mail based issuance over the address in the whois (no longer practical due to increase of whois privacy by default) or the standardized host

Re: [Acme] dns-01 challenge limitations

2020-09-13 Thread Simon Ser
> On Friday, September 11, 2020 4:26 PM, Ryan Sleevi > wrote: > > > On Fri, Sep 11, 2020 at 9:28 AM Philipp Junghannß > > wrote: > > > > > problem is obviously also the CA/Browser Forum has certain requirements, > > > and I guess having access to some kind of direct verification at the time > >

Re: [Acme] dns-01 challenge limitations

2020-09-13 Thread Simon Ser
On Friday, September 11, 2020 3:41 PM, Patrik Wallström wrote: > Simon Ser wrote on 2020-09-11 at 15:25: > > > Hi, > > On Friday, September 11, 2020 3:17 PM, Felipe Gasper > > fel...@felipegasper.com wrote: > > > > > > On Sep 11, 2020, at 9:08 AM, Simon Ser cont...@emersion.fr wrote: > > > >

Re: [Acme] dns-01 challenge limitations

2020-09-11 Thread Michael Richardson
Ilari Liusvaara wrote: >> For now, this is for many ACME clients a manual step. If you run your >> authoritative DNS service locally in your network, perhaps you could >> look into any options for automatically update the zone content. > I think the current best way is to have _a

Re: [Acme] dns-01 challenge limitations

2020-09-11 Thread Michael Richardson
Simon Ser wrote: > dns-01 requires the ACME client to complete the challenge by updating a DNS > record. This is bothersome because this often requires interacting with the > DNS registry operator. This is typically done via vendor-specific APIs, with > access control handled v

Re: [Acme] dns-01 challenge limitations

2020-09-11 Thread Ilari Liusvaara
On Fri, Sep 11, 2020 at 03:41:08PM +0200, Patrik Wallström wrote: > > > The missing piece of this puzzle is a standardized API for registrars > (or DNS operators), where changes can be made for a zone at a registrar. > Much like registry changes coming from registrars to a registry using > EPP. M

Re: [Acme] dns-01 challenge limitations

2020-09-11 Thread Ryan Sleevi
On Fri, Sep 11, 2020 at 9:28 AM Philipp Junghannß wrote: > problem is obviously also the CA/Browser Forum has certain requirements, > and I guess having access to some kind of direct verification at the time > of issue might be probably one of these. > This is the correct answer. While the IETF

Re: [Acme] dns-01 challenge limitations

2020-09-11 Thread Patrik Wallström
Simon Ser wrote on 2020-09-11 at 15:25: > Hi, > > On Friday, September 11, 2020 3:17 PM, Felipe Gasper > wrote: > >>> On Sep 11, 2020, at 9:08 AM, Simon Ser cont...@emersion.fr wrote: >>> For instance, it would be possible to require users to add a short public >>> key >>> in a DNS TXT rec

Re: [Acme] dns-01 challenge limitations

2020-09-11 Thread Philipp Junghannß
well Certificate transparency is one something should maybe keep notifications for. Also I can understand the problem, but I have not decided the outcome, I merely stated what I got as an answer back then. problem is obviously also the CA/Browser Forum has certain requirements, and I guess having

Re: [Acme] dns-01 challenge limitations

2020-09-11 Thread Simon Ser
Hi, On Friday, September 11, 2020 3:17 PM, Felipe Gasper wrote: > > On Sep 11, 2020, at 9:08 AM, Simon Ser cont...@emersion.fr wrote: > > For instance, it would be possible to require users to add a short public > > key > > in a DNS TXT record, then ask the ACME client to sign challenges with

Re: [Acme] dns-01 challenge limitations

2020-09-11 Thread Simon Ser
Hi, On Friday, September 11, 2020 3:13 PM, Philipp Junghannß wrote: > I have asked that question in the LE forum iirc the problem is that > someone could place that record once and as long as someone doesn't > look at it all the time one can easily miss the fact that someone can > create wildcar

Re: [Acme] dns-01 challenge limitations

2020-09-11 Thread Felipe Gasper
> On Sep 11, 2020, at 9:08 AM, Simon Ser wrote: > > For instance, it would be possible to require users to add a short public key > in a DNS TXT record, then ask the ACME client to sign challenges with that > key. > Something like this would significantly ease the development of ACME clients.

Re: [Acme] dns-01 challenge limitations

2020-09-11 Thread Philipp Junghannß
I have asked that question in the LE forum iirc the problem is that someone could place that record once and as long as someone doesn't look at it all the time one can easily miss the fact that someone can create wildcards and stuff for that domain, so the point is to prove that dns access is given

[Acme] dns-01 challenge limitations

2020-09-11 Thread Simon Ser
Hi all, I've been working on an ACME client acting as a TLS termination proxy. In order to retrieve wildcard certificates from the Let's Encrypt ACME servers, support for the dns-01 challenge is required. dns-01 requires the ACME client to complete the challenge by updating a DNS record. This is