[Acme] Re: IETF122 Time Slot Request for draft-li-acme-dns-update-00.txt
"liruochen (A)" <li.ruochen@huawei.com> Mon, 03 March 2025 03:50 UTC
Return-Path: <li.ruochen@huawei.com>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 45C6353BCAC for <acme@mail2.ietf.org>; Sun, 2 Mar 2025 19:50:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Level:
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WeKswb7MykDV for <acme@mail2.ietf.org>; Sun, 2 Mar 2025 19:50:48 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 3F8E853BBF8 for <acme@ietf.org>; Sun, 2 Mar 2025 19:50:38 -0800 (PST)
Received: from mail.maildlp.com (unknown [172.18.186.31]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4Z5l9V3Vw8z6L533; Mon, 3 Mar 2025 11:46:38 +0800 (CST)
Received: from lhrpeml500011.china.huawei.com (unknown [7.191.174.215]) by mail.maildlp.com (Postfix) with ESMTPS id 23D1E1400DC; Mon, 3 Mar 2025 11:50:37 +0800 (CST)
Received: from sinpeml100009.china.huawei.com (7.188.194.204) by lhrpeml500011.china.huawei.com (7.191.174.215) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Mon, 3 Mar 2025 03:50:36 +0000
Received: from sinpeml500010.china.huawei.com (7.188.195.108) by sinpeml100009.china.huawei.com (7.188.194.204) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Mon, 3 Mar 2025 11:50:34 +0800
Received: from sinpeml500010.china.huawei.com ([7.188.195.108]) by sinpeml500010.china.huawei.com ([7.188.195.108]) with mapi id 15.02.1544.011; Mon, 3 Mar 2025 11:50:34 +0800
From: "liruochen (A)" <li.ruochen@huawei.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Thread-Topic: [Acme] Re: IETF122 Time Slot Request for draft-li-acme-dns-update-00.txt
Thread-Index: AduJgqn34SBSQ7SBSVKDPwY30usXHgAURo0AAILF1QA=
Date: Mon, 03 Mar 2025 03:50:34 +0000
Message-ID: <4177a30eafbc4c2f820c368e6e58768b@huawei.com>
References: <d14d5a993fd145a7ab78920af93fa278@huawei.com> <7717.1740770856@obiwan.sandelman.ca>
In-Reply-To: <7717.1740770856@obiwan.sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.215.38.92]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Message-ID-Hash: T3FK2AQDPMJTBN3A545QKETY2YNCBUN2
X-Message-ID-Hash: T3FK2AQDPMJTBN3A545QKETY2YNCBUN2
X-MailFrom: li.ruochen@huawei.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "acme@ietf.org" <acme@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: IETF122 Time Slot Request for draft-li-acme-dns-update-00.txt
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/0T1KzqanL-nFhXiSDCKXRwJ8XvE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>
Hi Michael, You are right that it's like a BCP. It introduced no protocol changes, only how DNS UPDATE should be used for ACME, access control (additional requirements on top of RFC3007), etc. OAM is not really a new "layer of indirection" as there always needs to be some entity that performs the configuration operations, be it a program, a machine, a person, etc. It's not a specific component in the system. We can remove it if it creates confusion. We picked TSIG out of TSIG/SIG(0) because TSIG seems to have better support. We could use SIG(0) for the initial authentication key and TSIG for transaction keys (established via TKEY), but that requires clients/servers to implement both TSIG and SIG(0). If we use SIG(0) for both the initial authentication key and transaction keys, the client needs to use DNS UPDATE to upload SIG(0) public keys to the server. Not sure if it's a good practice as I have only seen SIG(0) using pre-configured keys. A YANG module for TSIG/SIG(0) could be nice, but it should probably be in a new document for DNSOP? If such a document exists, we would mention it as a way to configure the initial key. Cloud-init can be used here as well, but it seems more suitable for specific client software? Best Regards, Ruochen -----Original Message----- From: Michael Richardson <mcr+ietf@sandelman.ca> Sent: Saturday, 1 March, 2025 03:28 To: acme@ietf.org Subject: [Acme] Re: IETF122 Time Slot Request for draft-li-acme-dns-update-00.txt liruochen \(A\) <li.ruochen=40huawei.com@dmarc.ietf.org> wrote: > Dear ACME chairs, > We would like to request for a 5-10 min time slot at IETF122 to introduce our new draft. > Title: Secure DNS RR Update for ACME DNS Based Challenges > URL: https://datatracker.ietf.org/doc/draft-li-acme-dns-update/ > length: 5-10 min > Presenter: Li Ruochen I'm struggling to understand what this document standardizes other than saying, "Use RFC3007" Perhaps if it's making some operational statement, then it's some kind of BCP. It seems that it's just adding a layer of indirection via the OAM. It would be different storey if what was proposed was a new YANG module to configure the TSIG/SIG(0) update key. SIG(0) is way better to use, although it's been harder for people to configure. I'd want to go even further and define a cloud-init method to configure these keys. That's not an IETF responsability, but worth describing. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Acme] IETF122 Time Slot Request for draft-li-acm… liruochen (A)
- [Acme] Re: IETF122 Time Slot Request for draft-li… Michael Richardson
- [Acme] Re: IETF122 Time Slot Request for draft-li… liruochen (A)
- [Acme] Re: IETF122 Time Slot Request for draft-li… Michael Richardson