I have been working on a mechanism to fully automate provisioning of devices that use ACME issued TLS certs.
By fully automate, I mean the user does nothing more than unpack the device, scan a QR code and plug it in. I do not mean spend hours poring through the certbot documentation, configuring DNS, etc. etc. I mean fully automate.

The way to do this is to automate both the DNS provisioning and the cert provisioning through some form of service that lives either locally or in the cloud or both, which receives requests from the device and performs all the interactions with the DNS via dynamic DNS and with the CA using ACME.

My model here is that there will be service providers offering service on a freemium model. So Alice starts off with the free service from provider.test; she is given the subdomain alice.provider.test as her personal 'place'. Alice uses the service to bind her coffee pot, which she can now reach as https://coffee.alice.provider.test/ After a while, Alice decides to get her own domain, so she upgrades to the paid service and now she reaches her coffee pot at https://coffee.the-real-alice.test/ And Alice also has an OAuth online handle bound to @the-real-alice.test using the extensions to OAuth proposed by BlueSky, and people can mail or message her using the Mesh protocols on the same ID.

The whole thing seems fairly clean and straightforward. But as I am implementing, being OCD, I can't help but notice how ugly glue records are. I would like to hide that away rather than make the user make a choice or risk a collision when they buy a NayStation1 and try to give it the name ns1.

So, solutions coming to mind for the glue record name for example.com:

Prefix the address like we do suffixes:

    @ IN SOA _primary.example.com. hostmaster.example.com.
      IN NS _primary.example.com.
    _primary.example.com. IN A 192.168.1.22

Use a non-routed DNS address (does this work though?):

    @ IN SOA example.com.invalid hostmaster.example.com.
      IN NS example.com.invalid.
    example.com.invalid. IN A 192.168.1.22

Use a random address:

    @ IN SOA d0cfc2e5319b82cdc71a33873e826c93d7.example.com. hostmaster.example.com.
      IN NS d0cfc2e5319b82cdc71a33873e826c93d7.example.com.
    d0cfc2e5319b82cdc71a33873e826c93d7.example.com. IN A 192.168.1.22

Yes, I get that these all mean change. But the two are at least mnemonic and could be reserved for the purpose. The peculiar status of glue records has never sat easily with me TBH.
_______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
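Added example, not from the post above or from any project it mentions: a small Python check that takes the three candidate nameserver layouts from the post and, for each NS target, decides whether the parent zone would need glue (glue is required only when the NS target sits at or below the delegated zone's apex), whether the snippet actually supplies a matching A record, whether the name satisfies the RFC 1123 letter-digit-hyphen hostname syntax that NS and SOA MNAME targets are expected to meet (underscore is a legal DNS label character but not a hostname character, and zone loaders with hostname checking may reject it), and whether its top-level label is one of the TLDs reserved by RFC 2606/RFC 6761 (a name under .invalid is not meant to resolve at all, and example.com.invalid is outside example.com, so no glue would be published for it). The zone text is the post's own three layouts embedded as constructed strings with the SOA timers left out; the parser only understands that one-record-per-line shape, and the zone name and record data are assumptions taken from the post.

```python
"""Glue-record sanity check for candidate nameserver names (added example)."""
import re

# Reserved top-level labels from RFC 2606 / RFC 6761; resolvers are expected
# to answer NXDOMAIN for these rather than ask the root.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}

# Letter-digit-hyphen hostname label (RFC 952 / RFC 1123 section 2.1):
# 1-63 characters, no leading or trailing hyphen, no underscore.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def is_hostname(name: str) -> bool:
    """True if every label of name is a valid LDH hostname label."""
    labs = labels(name)
    return bool(labs) and all(LDH_LABEL.match(lab) for lab in labs)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below the apex of zone (so glue is required)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def parse_zone(text: str, origin: str) -> list:
    """Tiny parser for 'owner [IN] TYPE rdata' lines as written in the post.
    '@' means the origin; a line starting with IN or a type reuses the
    previous owner.  Returns (owner, type, rdata) triples."""
    records, owner = [], origin
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] in ("IN", "SOA", "NS", "A", "AAAA"):
            parts.insert(0, owner)          # owner omitted on this line
        owner = origin if parts[0] == "@" else parts[0]
        if parts[1] == "IN":
            parts.pop(1)
        records.append((owner, parts[1], " ".join(parts[2:])))
    return records


def assess(zone: str, text: str) -> dict:
    """For each NS target in the snippet report glue requirement/presence,
    hostname validity and whether it hangs off a reserved TLD."""
    recs = parse_zone(text, zone)
    addr_owners = {".".join(labels(o)) for o, t, _ in recs if t in ("A", "AAAA")}
    report = {}
    for _, rtype, rdata in recs:
        if rtype != "NS":
            continue
        report[rdata] = {
            "glue_required": in_bailiwick(rdata, zone),
            "glue_present": ".".join(labels(rdata)) in addr_owners,
            "valid_hostname": is_hostname(rdata),
            "reserved_tld": labels(rdata)[-1] in RESERVED_TLDS,
        }
    return report


ZONE = "example.com."  # assumed delegated zone, as in the post

# Constructed input: the three layouts from the post, SOA timers omitted.
PROPOSALS = {
    "underscore": """
@ IN SOA _primary.example.com. hostmaster.example.com.
  IN NS _primary.example.com.
_primary.example.com. IN A 192.168.1.22
""",
    "invalid": """
@ IN SOA example.com.invalid hostmaster.example.com.
  IN NS example.com.invalid.
example.com.invalid. IN A 192.168.1.22
""",
    "random": """
@ IN SOA d0cfc2e5319b82cdc71a33873e826c93d7.example.com. hostmaster.example.com.
  IN NS d0cfc2e5319b82cdc71a33873e826c93d7.example.com.
d0cfc2e5319b82cdc71a33873e826c93d7.example.com. IN A 192.168.1.22
""",
}


def assess_all() -> dict:
    """Run assess() over every proposal; keyed by proposal name."""
    return {name: assess(ZONE, text) for name, text in PROPOSALS.items()}


if __name__ == "__main__":
    for name, result in assess_all().items():
        for ns, flags in result.items():
            print(f"{name:10s} {ns}")
            for key, val in flags.items():
                print(f"    {key:15s} {val}")
```

Run as a script it prints one flag block per proposal; the interesting split is that only the underscore and random layouts are in-bailiwick (and therefore need and carry glue), while the underscore name fails the hostname syntax and the .invalid name is both out-of-bailiwick and under a reserved TLD.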