Hi,

Currently the ACME RFCs define how DNS challenges, HTTP challenges, etc. are verified by the ACME server, but how an ACME client adds the key authorization to DNS records or HTTP servers is left to implementations. We would like to see a best-practices kind of RFC that specifies a complete deployable solution for integrating ACME into a system. It will serve as a reference for implementing ACME clients and DNS servers.
Currently DNS challenges are usually used with proprietary APIs of various DNS providers, and it's hard to put these into a draft. Therefore we picked RFC 2136, which is an existing standard. There are ACME clients that implement RFC 2136 ([1] <https://go-acme.github.io/lego/dns/rfc2136/index.html>, [2] <https://certbot-dns-rfc2136.readthedocs.io/en/stable/>, [3] <https://cert-manager.io/docs/configuration/acme/dns01/rfc2136/>, [4] <https://github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_nsupdate>), but AFAIK most DNS servers that implement RFC 2136 (e.g. BIND <https://www.isc.org/bind/>) give the keys too much power (this is true for most proprietary DNS update protocols as well, hence projects like acme-dns <https://github.com/joohoi/acme-dns> exist). Therefore this draft specifies how to use ACME with RFC 2136, including how DNS servers should manage key permissions and how to manage keys.

So,
a) It is an instruction manual for implementers that fills in some missing details in the existing ACME and DNS RFCs.
b) It is in the context of performing ACME DNS challenges. It does not change the ACME protocol itself, but augments it with additional implementation considerations.

This is a preliminary version of the draft. The key permissioning part may not be complete/well thought out. We will continue working on it if people find it useful!

Thank you!
Ruochen

From: Q Misell <q=40as207960....@dmarc.ietf.org>
Sent: Tuesday, 25 February, 2025 22:41
To: liruochen (A) <li.ruoc...@huawei.com>
Cc: acme@ietf.org
Subject: Re: [Acme] FW: New Version Notification for draft-li-acme-dns-update-00.txt

I'm not quite sure what this draft sets out to achieve; perhaps you can enlighten me? It seems mostly to be an instruction manual on how DNS UPDATE works, something that a) can already be found in the DNS RFCs and b) is not specific to ACME. Are you trying to define protocol changes specific to ACME, or document ACME-specific pitfalls?
On Tue, 25 Feb 2025 at 10:36 liruochen (A) <li.ruochen=40huawei....@dmarc.ietf.org> wrote:

Hi all,

We have submitted a new draft that specifies how to use DNS UPDATE [RFC2136] for ACME DNS challenges (dns-01, dns-account-01, etc.). We hope this draft helps with the implementation of ACME clients and DNS servers that support these challenges. Looking forward to comments and feedback!

Thank you!
Best Regards,
Ruochen

-----Original Message-----
From: internet-dra...@ietf.org <internet-dra...@ietf.org>
Sent: Tuesday, 25 February, 2025 16:21
To: Wang Haiguang <wang.haiguang.shield...@huawei.com>; liruochen (A) <li.ruoc...@huawei.com>; liruochen (A) <li.ruoc...@huawei.com>; Lei Zhongding (Zander) <lei.zhongd...@huawei.com>
Subject: New Version Notification for draft-li-acme-dns-update-00.txt

A new version of Internet-Draft draft-li-acme-dns-update-00.txt has been successfully submitted by Ruochen Li and posted to the IETF repository.

Name: draft-li-acme-dns-update
Revision: 00
Title: Secure DNS RR Update for ACME DNS Based Challenges
Date: 2025-02-25
Group: Individual Submission
Pages: 14
URL: https://www.ietf.org/archive/id/draft-li-acme-dns-update-00.txt
Status: https://datatracker.ietf.org/doc/draft-li-acme-dns-update/
HTMLized: https://datatracker.ietf.org/doc/html/draft-li-acme-dns-update

Abstract:
This document outlines how ACME DNS based challenges can be performed via DNS dynamic updates.

About This Document
This note is to be removed before publishing as an RFC. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-li-acme-dns-update/. Discussion of this document takes place on the WG Working Group mailing list (mailto:acme@ietf.org), which is archived at https://datatracker.ietf.org/wg/acme/about/. Subscribe at https://www.ietf.org/mailman/listinfo/acme/.

The IETF Secretariat

_______________________________________________
Acme mailing list -- acme@ietf.org
To unsubscribe send an email to acme-le...@ietf.org
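The permissions problem raised in the thread (an RFC 2136 TSIG key that, under a plain allow-update, can rewrite the whole zone) is what BIND's update-policy is meant to address. The fragment below is an added example for this editorial page; it is not taken from the draft or from any of the clients linked above. The zone name example.com, the key name acme-www, the secret placeholder and the file path are assumptions.

```conf
// named.conf fragment (BIND 9.16+; "type primary" is spelled "type master" on older releases).
// ASSUMPTIONS: zone example.com, key name "acme-www", file path and secret are placeholders.

// TSIG key shared with the ACME client. Generate with:  tsig-keygen -a hmac-sha256 acme-www
key "acme-www" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";
};

zone "example.com" {
    type primary;
    file "/var/lib/bind/db.example.com";

    // WEAK (what most how-tos show): any holder of the key may add, change or
    // delete ANY record in the zone: A/AAAA, MX, NS, the apex, everything.
    // A leaked ACME key is then full control of the domain.
    //
    // allow-update { key "acme-www"; };

    // SCOPED: the key may only touch TXT records at the exact challenge owner
    // names. "name" matches that owner name only; the trailing type list limits
    // the grant to TXT. allow-update and update-policy are mutually exclusive
    // within one zone, so the weak line above must stay out.
    update-policy {
        grant acme-www name _acme-challenge.www.example.com. TXT;
        grant acme-www name _acme-challenge.example.com.     TXT;
        // Broader alternative if the client needs owner names beneath the
        // challenge label (still TXT only, still nothing outside that subtree):
        // grant acme-www subdomain _acme-challenge.www.example.com. TXT;
    };
};
```

To check the policy rather than trust it, run `nsupdate -k <keyfile>` with the key file tsig-keygen produced: `update add _acme-challenge.www.example.com. 60 IN TXT "<key-authorization digest>"` followed by `send` should succeed, and `update delete _acme-challenge.www.example.com. TXT` should clean it up, while `update add www.example.com. 60 IN A 192.0.2.1` in the same session must come back REFUSED. Keeping that negative test in the deployment checks is what turns the grant list into an enforced boundary; one key per challenge name also means a compromised host can only affect its own validation record, which is the server-side equivalent of the delegation trick acme-dns uses.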