[DNSOP] Re: on the more general problem of delegating to other namespaces in the DNS
Peter van Dijk <peter.van.dijk@powerdns.com> Fri, 25 July 2025 23:20 UTC
Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4DA524B685F0 for <dnsop@mail2.ietf.org>; Fri, 25 Jul 2025 16:20:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=powerdns.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K-sC7kzDLwmd for <dnsop@mail2.ietf.org>; Fri, 25 Jul 2025 16:20:22 -0700 (PDT)
Received: from mx2.open-xchange.com (mx2.open-xchange.com [89.163.165.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 963BA4B685E8 for <dnsop@ietf.org>; Fri, 25 Jul 2025 16:20:22 -0700 (PDT)
Received: from mx2.open-xchange.com (localhost.localdomain [127.0.0.1]) by mx2.open-xchange.com (Proxmox) with ESMTP id 31194E11B1; Sat, 26 Jul 2025 01:20:21 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=powerdns.com; h= cc:content-transfer-encoding:content-type:content-type:date:from :from:in-reply-to:message-id:mime-version:references:reply-to :subject:subject:to:to; s=s1dus; bh=+etcZUjyDTfUFwYSm60GNM248cSp SC5GfRDz6/Ralmw=; b=JFtser/SRzb50zgSeSBFOsjpmG4MFn+ZfqAK0XIAHe4Z cdtQ8mPLHGmiCe+gi/jaHuJJ5wGJjL7vNuvB8dErWOencoC2gRa5/b9DVkf1QcID oKDPpB7pG3RNk5nEA++etn4o8WCWIMzvVNtjlgYwd0Zcdr9/Z/vmPzD3aA7nDFyA mxf0/YayGaavZG7xraGwN9YQi4ObfN6rWcHhWbDRPfSbW89VETEnkNCrUuufVUDN oPY/cCDk74Je5wUYcEi1iimm7sJpKadU1Sb50jqTQpyz//cEGo1JrzotH/IVQvEf 797WIe+gIaLkxdC3oOdXjaU9B8E/7A5q493uqkO/xg==
Received: from imap.open-xchange.com (unknown [10.120.0.15]) by mx2.open-xchange.com (Proxmox) with ESMTPS id DB9A8E0A9C; Sat, 26 Jul 2025 01:20:20 +0200 (CEST)
Received: from [10.91.39.94] ([86.85.149.247]) by imap.open-xchange.com with ESMTPSA id xuTKLTQRhGh/dxUA3c6Kzw (envelope-from <peter.van.dijk@powerdns.com>); Sat, 26 Jul 2025 01:20:20 +0200
Message-ID: <27f50a4a6ebeae9061542b89aab159c447aa0de6.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dnsop <dnsop@ietf.org>
Date: Sat, 26 Jul 2025 01:20:20 +0200
In-Reply-To: <13f4740a1d6d001fedafdf4a69777d1266a9ff87.camel@powerdns.com>
References: <761F6D32-25FE-4742-9682-819A338C8EC9@strandkip.nl> <13f4740a1d6d001fedafdf4a69777d1266a9ff87.camel@powerdns.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.56.1-1
MIME-Version: 1.0
Message-ID-Hash: OB5L4IPTCUMAQ4PGQXY2G7VNGBRCGAB7
X-Message-ID-Hash: OB5L4IPTCUMAQ4PGQXY2G7VNGBRCGAB7
X-MailFrom: peter.van.dijk@powerdns.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: on the more general problem of delegating to other namespaces in the DNS
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fSG_xkYGfc2NRhTjxo3QzlaXmBE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
With thanks to an astute reader, 3 corrections that do not change the meat of the problem statement: On Sat, 2025-07-26 at 00:45 +0200, Peter van Dijk wrote: > On Tue, 2025-06-17 at 17:44 +0200, Joe Abley wrote: > > Hi all, > > > > Warren, Wes and I put our respective heads together in Prague and came up with this: > > > > https://datatracker.ietf.org/doc/draft-jabley-dnsop-zone-cut-to-nowhere/ > > > > This is some general advice for how to delegate a domain to another namespace. > > Based on my limited understanding of the ACME specification, and > specifically https://github.com/letsencrypt/boulder/issues/7050 being > an open, unimplented ticket for Boulder, the Let's Encrypt CA software, unimplemented, of course. > I strongly suspect that adding such zone cuts would prevent the > issuance, via the dns-01 method (which, I think, is the only one > suitable for issuing certificates for private names), of Let's Encrypt > certificates. dns-01 is not the only suitable one, but it appears to be by far the most popular for this purpose. I believe the problem statement does not change for other challenge types anyway. > Longer version: many people run private subdomains of public domains. > The document clearly recognises that. Some of those people use TXT > records in the public domain to complete ACME/LE dns-01 challenges to > generate certificates for those private names. With a zone cut to > nowhere, there is no place to put those TXT records. The CA/B Baseline > Requirements allow a successful challenge for example.com to also be > used to issue a cert for internal.example.com, > office.internal.example.com, *.internal.example.com, etcetera. But the > ACME specification as it is written in RFC8855 does not provide this RFC8555, of course. > freedom (based on my reading). RFC9444 adds this, but LE has not > implemented it. > > If I'm wrong, awesome. If I'm right, this may warrant a note in the > document. I hope somebody better versed in ACME, and specifically Let's > Encrypt's implementation, can give a more definitive answer. > > I also did not look at other ACME-supporting providers. Kind regards, -- Peter van Dijk PowerDNS.com B.V. - https://www.powerdns.com/
- [DNSOP] on the more general problem of delegating… Joe Abley
- [DNSOP] Re: on the more general problem of delega… Ted Lemon
- [DNSOP] Re: on the more general problem of delega… Joe Abley
- [DNSOP] Re: on the more general problem of delega… Ted Lemon
- [DNSOP] Re: [Ext] on the more general problem of … Paul Hoffman
- [DNSOP] Re: [Ext] on the more general problem of … John Levine
- [DNSOP] Re: [Ext] on the more general problem of … Joe Abley
- [DNSOP] Re: [Ext] on the more general problem of … Paul Hoffman
- [DNSOP] Re: [Ext] on the more general problem of … Joe Abley
- [DNSOP] Re: [Ext] on the more general problem of … Libor Peltan
- [DNSOP] Re: DNSOP[Ext] on the more general proble… Wes Hardaker
- [DNSOP] Re: on the more general problem of delega… Andrew McConachie
- [DNSOP] Re: on the more general problem of delega… Joe Abley
- [DNSOP] Re: on the more general problem of delega… Andrew McConachie
- [DNSOP] Re: on the more general problem of delega… Peter Thomassen
- [DNSOP] Re: on the more general problem of delega… Joe Abley
- [DNSOP] Re: on the more general problem of delega… Petr Špaček
- [DNSOP] Re: on the more general problem of delega… Ted Lemon
- [DNSOP] Re: on the more general problem of delega… Joe Abley
- [DNSOP] Re: on the more general problem of delega… Peter van Dijk
- [DNSOP] Re: on the more general problem of delega… Peter van Dijk