On Mon, Mar 27, 2017 at 07:28:53PM -0400, Richard Barnes wrote:
> Thanks, Roland.  Interesting draft.
> 
> Couple of first reactions:
> 
> - Why use the target of the PTR instead of just provisioning the TXT record
> directly in the reverse DNS?  (Is there some restriction in the spec for
> reverse DNS that says it's only PTR?)  It seems like by using the PTR
> target, your security analysis gets much more complicated.

Reading the proposed IP validation rules in CABForum, using the PTR target would
certainly qualify, whereas putting a TXT record on the name probably does
not.

The proposed rules have nothing on DNS apart from PTR lookups.

(The current rules have "other equivalent method" clause.)

So my reading is that one has to do the PTR lookup in order to remain
compliant with BRs after the proposed tightening of IP validation goes
through (I expect it to).

> - For the re-use of "http-01", you should probably specify the contents of
> the Host header.  (Main ACME should probably clarify that for DNS, if it's
> not clear already.)

Reading the proposed and current rules, the challenge is either invoked
on the IP address itself, or on the reverse-DNS lookup of it. So if you don't
do the rDNS lookup, then the validation is invoked on the IP address itself,
which I think leads to an empty Host header.

TLS-SNI-02 would work as usual (the proposed rules explicitly list
method 10, which is what TLS-SNI-02 falls under). Existing rules don't
say anything (but again, equivalent method clause exists).

-Ilari
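Added example, written for this page (my own Python, not code from the draft or from anyone in this thread): it builds the in-addr.arpa / ip6.arpa name for the PTR lookup Ilari describes and derives the http-01 target from it, using the PTR target only when it is forward-confirmed (resolves back to the address) and otherwise falling back to the IP literal. The forward-confirmation step, the zone data, and the function names are my assumptions, not anything the draft or the BRs specify.

```python
import ipaddress
from typing import Optional

def reverse_name(ip: str) -> str:
    """Owner name for the PTR lookup: x.x.x.x.in-addr.arpa or nibble-reversed ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

# Constructed stand-in for DNS so the example runs offline (assumption, not real zone data):
# reverse names -> PTR target, forward names -> set of address literals.
REVERSE_ZONE = {
    reverse_name("1.2.3.4"): "host.example.net.",
    reverse_name("2001:db8::1"): "v6host.example.net.",
    reverse_name("5.6.7.8"): "ptr-only.example.org.",  # PTR exists, forward does not match
}
FORWARD_ZONE = {
    "host.example.net.": {"1.2.3.4"},
    "v6host.example.net.": {"2001:db8::1"},
    "ptr-only.example.org.": {"203.0.113.9"},
}

def confirmed_ptr_target(ip: str) -> Optional[str]:
    """Return the PTR target only if it resolves back to ip (forward-confirmed rDNS).

    The forward check is an added safeguard (my assumption, not a requirement
    from the thread or the draft); it keeps a PTR that points at an unrelated
    name from becoming the validation target.
    """
    target = REVERSE_ZONE.get(reverse_name(ip))
    if target is None:
        return None
    addr = ipaddress.ip_address(ip)
    if any(ipaddress.ip_address(a) == addr for a in FORWARD_ZONE.get(target, ())):
        return target
    return None

def http01_target(ip: str) -> str:
    """Host used in the http-01 challenge URL: confirmed PTR target, else the IP literal."""
    target = confirmed_ptr_target(ip)
    if target:
        return target.rstrip(".")
    addr = ipaddress.ip_address(ip)
    return f"[{addr}]" if addr.version == 6 else str(addr)

def http01_url(ip: str, token: str) -> str:
    """Challenge URL the CA would fetch (path per the ACME http-01 challenge)."""
    return f"http://{http01_target(ip)}/.well-known/acme-challenge/{token}"

if __name__ == "__main__":
    for ip in ("1.2.3.4", "2001:db8::1", "5.6.7.8", "2001:db8::2"):
        print(ip, "->", http01_url(ip, "TOKEN"))
```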
