Re: [DNSOP] Question about usage of and

"Paul Hoffman" <> Mon, 12 March 2018 17:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 20060126579 for <>; Mon, 12 Mar 2018 10:37:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id a5WQOkvuZVKw for <>; Mon, 12 Mar 2018 10:37:29 -0700 (PDT)
Received: from (Opus1.Proper.COM []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B368E1200C5 for <>; Mon, 12 Mar 2018 10:37:29 -0700 (PDT)
Received: from [] ( []) (authenticated bits=0) by (8.15.2/8.15.2) with ESMTPSA id w2CHavrW053570 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 12 Mar 2018 10:36:58 -0700 (MST) (envelope-from
X-Authentication-Warning: Host [] claimed to be []
From: "Paul Hoffman" <>
To: "Roland Bracewell Shoemaker" <>
Date: Mon, 12 Mar 2018 10:37:27 -0700
X-Mailer: MailMate (1.10r5443)
Message-ID: <>
In-Reply-To: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [DNSOP] Question about usage of and
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 12 Mar 2018 17:37:31 -0000

On 12 Mar 2018, at 8:58, Roland Bracewell Shoemaker wrote:

> I’m working on a document in the ACME WG that concerns methods for 
> validating control of IP addresses (draft-ietf-acme-ip) and wanted to 
> see if anyone here could provide some input on a question I had 
> regarding usage of the and zones.
> In the original incarnation of this document one outlined method 
> revolved around requesting that a user place a TXT record containing a 
> random token in the relevant or child zone for 
> the address being validated and then verifying that this record was 
> present. After reading RFC 3172 there was some concern that this would 
> not be a ‘blessed’ usage of the zones and that they should only 
> contain records that related to mapping protocol addresses to service 
> names. Because of this we reworked the method to require placing the 
> TXT record at the target of a PTR record in the relevant zone instead.
> After a number of discussions I’m interested in returning to the 
> original concept as it simplifies a number of use cases that this 
> document is intended to support but am still not sure whether or not 
> this would be widely considered ‘ok’ by DNS folks. Obviously 
> it’s entirely possible to do this as these child zones are delegated 
> to users and they _can_ put whatever they want in them. Does this WG 
> have strong opinions on whether we should/shouldn’t do this for 
> technical reasons or we just being a bit too strict in our reading of 
> 3172?

If the use case here is to be able to issue certificates for TLS servers 
based on the IP address instead of the domain name, creating something 
new in the DNS may be overkill. That is, why even have Section 4.1 of 
draft-ietf-acme-ip at all? What's wrong with only having direct HTTPS 

--Paul Hoffman