Hiya,

On 26/06/2019 16:58, Michael Richardson wrote:
> 
> Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
>     > My web server doesn't have an API it can use to update
>     > ESNIKeys in the DNS. Many implementations/deployments may
>     > have such an API but in my case, the zone file that
>     > includes the ESNIKeys RR is on another machine and the
>     > web server doesn't have write access to that. I do
>     > control both machines as it happens, but I still don't
>     > want to give general write-access to the web server.
> 
> When you say, "general write-access", did you mean that you didn't want to
> set up Dynamic DNS to be able to update the QNAMEs involved, because that
> usually permits the web server to delete A and AAAA records, as well as
> updating the ESNI?
> 
> Or did you mean "general write-access", meaning NFS or something like that?

Both really. NFS, or scripting up something with ssh,
would be easy but isn't desirable for local reasons.
DDNS seemed like more work (but I didn't check it out
in detail tbh), wouldn't be otherwise useful in my
setup, and yes would need an authorisation model that
doesn't exist at the moment in our setup.

Like I said, what I did won't be needed everywhere, but
maybe it's useful enough to document properly and/or
standardise, not sure.

Cheers,
S.


> 
> --
> Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
> 
> 
> 

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
