On Wed, 20 Sep 2023, Paul Hoffman wrote:
> > That might not be the case. As with "null encryption", these modes are
> > more and more being removed from code bases to avoid exploits.
> At that point, you couldn't use the library any more, correct?
At that point, you would not have a library anymore that you can use, as
all libraries will do some basic verification checks regardless. And
mainstream DNS server software vendors are not going to write their
own crypto code to work around that.
> > I also do find the value of using selfsigned certs over ACME certs
> > on the auth server pretty low. It's pretty easy to give a nameserver
> > with a static name an automatic ACME based certificate. With the
> > "opportunistic" part being that if the cert fails, to go back to do53.
> Is there widespread availability for "ACME certs" for authoritative DNS name
> servers that have no web server component reasonably available now? When I looked a few
> years ago, they weren't at all.
The DNS challenge method, yes. I think it is as old as the web method.
Which is why I've kept saying it should be very very easy for a DNS
server to put in a record and run ACME. I personally use dehydrated,
see https://github.com/dehydrated-io/dehydrated/wiki#dns-providers
Paul
_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
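Editor's note: the message above argues that an authoritative server can run ACME with the DNS-01 challenge by "putting in a record" itself. The hook below is an added illustration of that idea for the dehydrated client mentioned in the thread; it is not code from the thread, from dehydrated, or from any DNS vendor. It assumes (not stated in the message) that the zone accepts RFC 2136 dynamic updates authenticated with a TSIG key, that `nsupdate` is installed, and that the environment variables `NSUPDATE_SERVER`, `TSIG_KEY` and `DRY_RUN` are the operator's own configuration knobs. dehydrated's `deploy_challenge` and `clean_challenge` hook events and their argument order (domain, token filename, token value) are the real interface; everything else is illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): a dehydrated DNS-01 hook that publishes
# the _acme-challenge TXT record directly on the authoritative server with
# nsupdate (RFC 2136). Assumed configuration, not part of the original message:
#   NSUPDATE_SERVER  address of the primary that accepts dynamic updates
#   TSIG_KEY         TSIG key file restricted to updating _acme-challenge names
#   DRY_RUN=1        print the update batch instead of sending it
set -eu

NSUPDATE_SERVER="${NSUPDATE_SERVER:-127.0.0.1}"
TSIG_KEY="${TSIG_KEY:-/etc/dehydrated/acme-update.key}"
DRY_RUN="${DRY_RUN:-0}"

# Owner name the ACME server will query. A wildcard order for *.example.com
# is validated at _acme-challenge.example.com, so a leading "*." is dropped.
challenge_name() {
    domain="${1#\*.}"
    printf '_acme-challenge.%s.' "$domain"
}

# Emit the nsupdate batch for one hook call. The TTL is short so stale
# tokens age out quickly. clean deletes only the specific TXT value:
# a base name and its wildcard share one owner name, and dehydrated
# calls the hook once per name, so a blanket "delete ... TXT" would
# remove the other order's token while its challenge is still pending.
nsupdate_batch() {
    action="$1"; domain="$2"; token="$3"
    name="$(challenge_name "$domain")"
    printf 'server %s\n' "$NSUPDATE_SERVER"
    case "$action" in
        deploy) printf 'update add %s 60 TXT "%s"\n' "$name" "$token" ;;
        clean)  printf 'update delete %s TXT "%s"\n' "$name" "$token" ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Send the batch with TSIG, or echo it back when dry-running.
run_nsupdate() {
    if [ "$DRY_RUN" = 1 ]; then
        cat
    else
        nsupdate -k "$TSIG_KEY"
    fi
}

# dehydrated invokes the hook as: hook.sh <event> <args...>
# deploy_challenge/clean_challenge receive DOMAIN TOKEN_FILENAME TOKEN_VALUE.
# Because the update lands on the authoritative server itself, no
# propagation sleep is needed before the ACME server validates.
hook_main() {
    case "${1:-}" in
        deploy_challenge) nsupdate_batch deploy "$2" "$4" | run_nsupdate ;;
        clean_challenge)  nsupdate_batch clean  "$2" "$4" | run_nsupdate ;;
        *) : ;;   # deploy_cert, exit_hook etc.: nothing to do for DNS-01
    esac
}

hook_main "$@"
```

The TSIG key used here should be scoped (for example with a BIND `update-policy` grant limited to `_acme-challenge.*` TXT names) so that a compromised ACME client cannot rewrite the rest of the zone; that restriction lives in the server configuration and is not shown above.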