Re: [Acme] DNS-ACCOUNT-01 Updates

Christopher Cook <christopher.cook@webprofusion.com> Tue, 22 August 2023 08:36 UTC

Message-ID: <f9d1f5fe-3cbe-43f8-832b-8eab14425c9a@webprofusion.com>
Date: Tue, 22 Aug 2023 16:35:43 +0800
To: acme@ietf.org
From: Christopher Cook <christopher.cook@webprofusion.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/lEpS9tTq_gFbQRKExQAiX9Q_PoM>
List-Id: Automated Certificate Management Environment <acme.ietf.org>

Hi,

I will be integrating this challenge type in a fairly popular ACME UI. From the perspective of an ACME client developer (and a regular LE forum contributor):

The challenge name won't matter much except for conversational clarity; clients/docs will still need to explain what it is anyway. My preference is for dns-account-01 because it's specifically ACME account related.

Regarding label format: for automated updates to the same DNS zone the user will be largely oblivious except when they are setting up a permanent CNAME to delegate validation elsewhere. Having it on the left does open up the possibility of NS delegation to a validation zone, but it would be 1 domain to one zone so I can't see that being terribly useful.

If the label computation also took into account the full domain within the hash then you could theoretically delegate to another zone to have automated validation for many domains from a single dedicated zone, but I assume it's too late for that.

From an implementation point of view, some DNS clients will have hard-coded values they now need to make variable either way, and if the label format is a subdomain of _acme-challenge then some will need work to re-think how they split labels. If there is some standards compliance that's better enabled by using left-right, then just use that.

Christopher Cook

https://certifytheweb.com
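The two implementation points raised in the message above (how a per-account label is derived, and how a client that used to hard-code `_acme-challenge` has to split the resulting name into a record label and its zone) are easier to see in code. The following is an added example written for this thread; it is not code from the post, from the draft, or from Certify The Web. Assumptions: `account_label()` follows the general shape of the dns-account-01 draft as I understand it (a leading `_`, a truncated base32-encoded SHA-256 of the account URL, then `._acme-challenge`), and the exact truncation length and encoding in the published draft may differ; `scoped_label()` is the poster's hypothetical variant that also folds the validated domain into the hash, so a single delegated zone would hold a distinct label per domain; the account URL and domains are constructed sample values.

```python
"""
Added example for the dns-account-01 label discussion (not the post's
or any project's code). Shows label derivation under two constructions
and a zone-aware split of the challenge FQDN.
"""
import base64
import hashlib

# Constructed sample account URL; a real one comes from the ACME server.
ACCOUNT_URL = "https://acme.example.invalid/acme/acct/12345"

CHALLENGE_SUFFIX = "._acme-challenge"


def _b32_trunc(data: bytes, n: int = 10) -> str:
    # ASSUMPTION: 10-byte truncation. 10 bytes = 80 bits = exactly
    # 16 base32 characters, so no '=' padding appears in the label.
    return base64.b32encode(data[:n]).decode("ascii")


def account_label(account_url: str) -> str:
    """Per-account label: '_' + base32(SHA-256(account URL)[:10]) + '._acme-challenge'.

    ASSUMPTION: mirrors the draft's general shape; exact details may differ.
    The label depends only on the account, so it is the same for every
    domain the account validates.
    """
    digest = hashlib.sha256(account_url.encode("utf-8")).digest()
    return "_" + _b32_trunc(digest) + CHALLENGE_SUFFIX


def scoped_label(account_url: str, domain: str) -> str:
    """Hypothetical variant from the post: fold the domain into the hash.

    Different domains under the same account then get different labels,
    which is what would let one dedicated validation zone serve many
    domains. The separator and normalisation here are my own choices.
    """
    material = account_url + "\n" + domain.rstrip(".").lower()
    digest = hashlib.sha256(material.encode("utf-8")).digest()
    return "_" + _b32_trunc(digest) + CHALLENGE_SUFFIX


def challenge_fqdn(label: str, domain: str) -> str:
    """Full name at which the TXT record for `domain` is published."""
    return f"{label}.{domain.rstrip('.')}"


def split_challenge_name(fqdn: str, zone: str) -> tuple[str, str]:
    """Split a challenge FQDN into (relative record name, zone).

    Handles both the legacy '_acme-challenge.<domain>' form and the
    account-scoped '_<hash>._acme-challenge.<domain>' form, instead of
    assuming the record name is exactly one '_acme-challenge' label.
    Comparison is case-insensitive (DNS names are); the returned
    relative name keeps the caller's casing.
    """
    name = fqdn.rstrip(".")
    zone = zone.rstrip(".")
    if not name.lower().endswith("." + zone.lower()):
        raise ValueError(f"{name} is not inside zone {zone}")
    relative = name[: -(len(zone) + 1)]
    if "_acme-challenge" not in relative.lower().split("."):
        raise ValueError(f"{name} is not an ACME DNS challenge name")
    return relative, zone


if __name__ == "__main__":
    lbl = account_label(ACCOUNT_URL)
    for dom in ("www.example.com", "api.example.com"):
        fq = challenge_fqdn(lbl, dom)
        print(fq, "->", split_challenge_name(fq, "example.com"))
        print("  domain-scoped variant:", scoped_label(ACCOUNT_URL, dom))
```

Running the module shows that the account-only construction yields the same `_<hash>._acme-challenge` prefix for every hostname, so a DNS provider integration only needs to parameterise the prefix it used to hard-code, while the domain-scoped variant produces a different label per hostname, which is the property the post says would make delegation to one shared validation zone useful.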