Hi Michael,

You are right that it's like a BCP. It introduced no protocol changes, only how DNS UPDATE should be used for ACME, access control (additional requirements on top of RFC3007), etc.

OAM is not really a new "layer of indirection", as there always needs to be some entity that performs the configuration operations, be it a program, a machine, a person, etc. It's not a specific component in the system. We can remove it if it creates confusion.

We picked TSIG out of TSIG/SIG(0) because TSIG seems to have better support. We could use SIG(0) for the initial authentication key and TSIG for transaction keys (established via TKEY), but that requires clients/servers to implement both TSIG and SIG(0). If we use SIG(0) for both the initial authentication key and transaction keys, the client needs to use DNS UPDATE to upload SIG(0) public keys to the server. Not sure if it's a good practice, as I have only seen SIG(0) using pre-configured keys.

A YANG module for TSIG/SIG(0) could be nice, but it should probably be in a new document for DNSOP? If such a document exists, we would mention it as a way to configure the initial key. Cloud-init can be used here as well, but it seems more suitable for specific client software?

Best Regards,
Ruochen

-----Original Message-----
From: Michael Richardson <mcr+i...@sandelman.ca>
Sent: Saturday, 1 March, 2025 03:28
To: acme@ietf.org
Subject: [Acme] Re: IETF122 Time Slot Request for draft-li-acme-dns-update-00.txt

liruochen (A) <li.ruochen=40huawei....@dmarc.ietf.org> wrote:
> Dear ACME chairs,
> We would like to request a 5-10 min time slot at IETF122 to introduce our new draft.
> Title: Secure DNS RR Update for ACME DNS Based Challenges
> URL: https://datatracker.ietf.org/doc/draft-li-acme-dns-update/
> Length: 5-10 min
> Presenter: Li Ruochen

I'm struggling to understand what this document standardizes other than saying, "Use RFC3007".
Perhaps if it's making some operational statement, then it's some kind of BCP.
It seems that it's just adding a layer of indirection via the OAM.
It would be a different story if what was proposed was a new YANG module to configure the TSIG/SIG(0) update key.
SIG(0) is way better to use, although it's been harder for people to configure.
I'd want to go even further and define a cloud-init method to configure these keys. That's not an IETF responsibility, but worth describing.

--
Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide

_______________________________________________
Acme mailing list -- acme@ietf.org
To unsubscribe send an email to acme-le...@ietf.org
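The thread above discusses the two mechanisms the draft combines: an RFC 2136 DNS UPDATE that adds the `_acme-challenge` TXT record, authenticated with TSIG (RFC 8945), plus access-control rules on top of RFC 3007. The example below is added here as an illustration and is not code from the draft, from the thread's authors, or from any DNS implementation. It builds the unsigned UPDATE, signs it with TSIG hmac-sha256 on the client side, and verifies it on the server side in the order RFC 8945 prescribes (unknown key, bad MAC, time window), then applies a constructed per-key policy that confines the key to TXT records under `_acme-challenge`. The zone `example.com`, the key name `acme-updater.example.com.`, the shared secret and the challenge digest are all constructed sample values; names are emitted uncompressed, and TKEY/SIG(0) are not covered. It uses only the Python standard library and runs offline.

```python
import hashlib
import hmac
import struct
import time

TYPE_SOA, TYPE_TXT, TYPE_TSIG = 6, 16, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE, ALG, FUDGE = 5, "hmac-sha256.", 300  # FUDGE: tolerated clock skew in seconds

def encode_name(name):
    """Uncompressed lowercase wire-format name (the canonical form TSIG MACs require)."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").lower().split(".")) + b"\x00"

def read_name(buf, pos):
    """Parse an uncompressed wire name; returns (dotted lowercase name, next offset)."""
    labels = []
    while buf[pos]:
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode().lower())
        pos += 1 + buf[pos]
    return ".".join(labels) + ".", pos + 1

def build_update(msg_id, zone, owner, txt, ttl=60):
    """Unsigned RFC 2136 UPDATE: one zone, one 'add this TXT RR' entry, no prerequisites."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)  # ZOCOUNT=1, UPCOUNT=1
    rdata = bytes([len(txt)]) + txt.encode()
    rr = encode_name(owner) + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + rr

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' of RFC 8945 section 4.3.3, appended to the message before MACing."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALG)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, key_name, secret, time_signed=None):
    """Client side: MAC the unsigned message, append the TSIG RR, increment ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, msg + tsig_variables(key_name, time_signed, FUDGE), hashlib.sha256).digest()
    rdata = (encode_name(ALG) + time_signed.to_bytes(6, "big") + struct.pack("!HH", FUDGE, len(mac)) + mac
             + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))  # original ID, error, other len
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", struct.unpack("!H", msg[10:12])[0] + 1) + msg[12:] + tsig_rr

def tsig_verify(signed, keyring, policy, now=None):
    """Server side: RFC 8945 5.2 checks (BADKEY, BADSIG, BADTIME), then the per-key policy (REFUSED)."""
    now = int(time.time()) if now is None else now
    _, _, zo, pr, up, ar = struct.unpack("!HHHHHH", signed[:12])
    pos, updates = 12, []
    for _ in range(zo):
        pos = read_name(signed, pos)[1] + 4  # skip TYPE and CLASS
    for i in range(pr + up + ar - 1):  # every RR except the trailing TSIG
        owner, pos = read_name(signed, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
        if pr <= i < pr + up:
            updates.append((owner, rtype))
        pos += 10 + rdlen
    tsig_start = pos
    key_name, pos = read_name(signed, pos)
    rtype = struct.unpack("!H", signed[pos:pos + 2])[0]
    alg, pos = read_name(signed, pos + 10)
    time_signed = int.from_bytes(signed[pos:pos + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[pos + 6:pos + 10])
    mac, pos = signed[pos + 10:pos + 10 + mac_size], pos + 10 + mac_size
    _, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + other_len]
    if rtype != TYPE_TSIG or alg != ALG or key_name not in keyring:
        return "BADKEY"
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]  # message as sent before TSIG
    expected = hmac.new(keyring[key_name], unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR" if all(policy(key_name, o, t) for o, t in updates) else "REFUSED"

def acme_only_policy(key_name, owner, rtype):
    """Constructed access-control rule: this key may only write TXT under _acme-challenge in its zone."""
    return rtype == TYPE_TXT and owner.startswith("_acme-challenge.") and owner.endswith(".example.com.")

# Constructed sample values, not from the draft: key name, shared secret and a fake dns-01 TXT digest.
KEY = "acme-updater.example.com."
KEYRING = {KEY: b"constructed-shared-secret-do-not-reuse"}
CHALLENGE_TXT = "constructed-base64url-digest-of-key-authorization"

def demo(now=1_700_000_000):
    """Sign one ACME challenge update and show how each failure mode is reported to the client."""
    msg = build_update(0x1234, "example.com", "_acme-challenge.example.com", CHALLENGE_TXT)
    signed = tsig_sign(msg, KEY, KEYRING[KEY], now)
    n = len(msg) - 1  # last byte of the TXT rdata: flip one bit after signing
    tampered = signed[:n] + bytes([signed[n] ^ 1]) + signed[n + 1:]
    outside = tsig_sign(build_update(0x1235, "example.com", "www.example.com", "x"), KEY, KEYRING[KEY], now)
    return {"valid": tsig_verify(signed, KEYRING, acme_only_policy, now),
            "tampered": tsig_verify(tampered, KEYRING, acme_only_policy, now),
            "replayed_late": tsig_verify(signed, KEYRING, acme_only_policy, now + FUDGE + 1),
            "out_of_scope": tsig_verify(outside, KEYRING, acme_only_policy, now)}

if __name__ == "__main__":
    print(demo())
```

The policy step is the part the draft adds beyond plain RFC 3007: the TSIG key proves who sent the UPDATE, but without a per-key scope a leaked ACME updater key could rewrite any record in the zone. Scoping it to `_acme-challenge` TXT records keeps the blast radius of that key to the challenge names themselves.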