IETF Logo Mail Archive

[DNSOP] Re: on the more general problem of delegating to other namespaces in the DNS

Peter van Dijk <peter.van.dijk@powerdns.com> Fri, 25 July 2025 22:45 UTC

Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 098054B65DE5 for <dnsop@mail2.ietf.org>; Fri, 25 Jul 2025 15:45:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=powerdns.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ei5sgMhpuUPV for <dnsop@mail2.ietf.org>; Fri, 25 Jul 2025 15:45:07 -0700 (PDT)
Received: from mx2.open-xchange.com (mx2.open-xchange.com [89.163.165.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 63E124B65DE0 for <dnsop@ietf.org>; Fri, 25 Jul 2025 15:45:07 -0700 (PDT)
Received: from mx2.open-xchange.com (localhost.localdomain [127.0.0.1]) by mx2.open-xchange.com (Proxmox) with ESMTP id 2F514E1170; Sat, 26 Jul 2025 00:45:06 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=powerdns.com; h= cc:content-transfer-encoding:content-type:content-type:date:from :from:in-reply-to:message-id:mime-version:references:reply-to :subject:subject:to:to; s=s1dus; bh=Jkw8sEOQkYtcJIqXinesIAh1AESd piD5qFg6EapVyZY=; b=QmMA8ck2M0XbkgFzF+7S/OJncrgIPAC+IpnMxyDv6+UR lJUmV1c1pz2TNgDmaF65oJptURR4NrdIzc5H8NL2bgS1A2TUSYWo2QrKSXE8YYl9 OmVfYiE4iqWzPrP4A8YuHlOBD4KSSfo1Q2s+dBm+AzvoBMaMMx94h6S/tmoUoyCB 0H8SsUxlkKAK9QzhEn1MSJriDEdvbCGUKe/y2fGozo8Ik58rgX1VoSUBiAUA/yj9 Qi4/i6xBWwBaTpSsFv7vs7L2V7YWo6tWyI7Cdmu7IOr2u6fXJMAY0+MoFNYXovup 0e815U5g8xeooWJ5Ju5+s68Rl7rcamPICLBZWwFyew==
Received: from imap.open-xchange.com (unknown [10.120.0.15]) by mx2.open-xchange.com (Proxmox) with ESMTPS id C4440E030F; Sat, 26 Jul 2025 00:45:05 +0200 (CEST)
Received: from [10.91.39.94] ([86.85.149.247]) by imap.open-xchange.com with ESMTPSA id GpRiBfEIhGihcRUA3c6Kzw (envelope-from <peter.van.dijk@powerdns.com>); Sat, 26 Jul 2025 00:45:05 +0200
Message-ID: <13f4740a1d6d001fedafdf4a69777d1266a9ff87.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dnsop <dnsop@ietf.org>
Date: Sat, 26 Jul 2025 00:45:04 +0200
In-Reply-To: <761F6D32-25FE-4742-9682-819A338C8EC9@strandkip.nl>
References: <761F6D32-25FE-4742-9682-819A338C8EC9@strandkip.nl>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.56.1-1
MIME-Version: 1.0
Message-ID-Hash: ZRGXMWUDY6GKEFS3UI4BHHFKEMQBZB37
X-Message-ID-Hash: ZRGXMWUDY6GKEFS3UI4BHHFKEMQBZB37
X-MailFrom: peter.van.dijk@powerdns.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: on the more general problem of delegating to other namespaces in the DNS
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fkIC_O690vMCNJmfzTP8tqmqUZ4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Tue, 2025-06-17 at 17:44 +0200, Joe Abley wrote:
> Hi all,
> 
> Warren, Wes and I put our respective heads together in Prague and came up with this:
> 
>   https://datatracker.ietf.org/doc/draft-jabley-dnsop-zone-cut-to-nowhere/
> 
> This is some general advice for how to delegate a domain to another namespace.

Based on my limited understanding of the ACME specification, and
specifically https://github.com/letsencrypt/boulder/issues/7050 being
an open, unimplented ticket for Boulder, the Let's Encrypt CA software,
I strongly suspect that adding such zone cuts would prevent the
issuance, via the dns-01 method (which, I think, is the only one
suitable for issuing certificates for private names), of Let's Encrypt
certificates.

Longer version: many people run private subdomains of public domains.
The document clearly recognises that. Some of those people use TXT
records in the public domain to complete ACME/LE dns-01 challenges to
generate certificates for those private names. With a zone cut to
nowhere, there is no place to put those TXT records. The CA/B Baseline
Requirements allow a successful challenge for example.com to also be
used to issue a cert for internal.example.com,
office.internal.example.com, *.internal.example.com, etcetera. But the
ACME specification as it is written in RFC8855 does not provide this
freedom (based on my reading). RFC9444 adds this, but LE has not
implemented it.

If I'm wrong, awesome. If I'm right, this may warrant a note in the
document. I hope somebody better versed in ACME, and specifically Let's
Encrypt's implementation, can give a more definitive answer.

I also did not look at other ACME-supporting providers.

Kind regards,
-- 
Peter van Dijk
PowerDNS.com B.V. - https://www.powerdns.com/

v2.35.0 | Report a Bug | By Email | System Status