
implement dns authenticator #200

Closed
ThomasWaldmann opened this issue Jan 26, 2015 · 4 comments

Comments

@ThomasWaldmann (Contributor)

Authentication (proof of domain control) for ACME will be possible via DNS TXT records.

DNS updates (of dynamic zones) can be done via the nsupdate command-line tool or any other RFC 2136-compatible client (e.g. the dnspython library has code for that), so that one does not have to automatically modify configuration or data files of miscellaneous nameserver implementations.

I think this authenticator might be nice for various reasons:

  • there is a lot of different web server software out there and we can't support all of it like the few most popular ones [and even for the popular ones, it might take some time until it is done], so an alternative way of authentication is needed
  • if one does not want a certificate for HTTPS usage, but something else, using an external web server just to prove control is a bit weird
  • does not depend on a specific nameserver as it uses RFC 2136 dynamic updates (the nameserver just needs to support that)
  • with a fake "nsupdate" tool that just prints stdin and waits for a key press, manual DNS updates for zones without dynamic update capability are possible
  • the nameserver does not need to be on the same machine as no config file access or restarting is required
  • does not require root for authentication
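The mechanism sketched in the comment above, as an added example (not code from the letsencrypt client or from this issue's author): derive the TXT record value for the DNS challenge, build the line-oriented script that nsupdate reads on stdin, feed it to nsupdate with a TSIG key, and fall back to printing the script and waiting for a key press for zones without dynamic updates. The TXT value rule (unpadded base64url of SHA-256 over the key authorization, placed at `_acme-challenge.<domain>`) follows the current ACME spec, RFC 8555, not the January 2015 draft the issue refers to; `nsupdate` is BIND's tool, and the zone, server and key file names are placeholders.

```python
"""Build and apply RFC 2136 dynamic updates for an ACME dns-01 challenge.

Added example, not the letsencrypt client's own code. Assumes BIND's
nsupdate (or any stand-in that reads the same script format on stdin).
"""
import base64
import hashlib
import re
import subprocess
import sys

# The nsupdate script is line-oriented and TXT data is double-quoted, so a
# caller-controlled name containing whitespace, quotes or a newline could
# inject extra "update" commands. Reject such input rather than escape it.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")
_SAFE_TXT = re.compile(r"^[A-Za-z0-9_-]+$")  # unpadded base64url alphabet


def is_safe_name(name: str) -> bool:
    """True if `name` can be placed in an nsupdate script verbatim."""
    return bool(_SAFE_NAME.match(name))


def dns_txt_value(key_authorization: str) -> str:
    """TXT content for dns-01 per RFC 8555 s8.4: base64url(SHA-256(keyAuthz)),
    without padding. key_authorization is "<token>.<JWK thumbprint>"."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_name(domain: str) -> str:
    """Fully qualified owner name of the challenge record."""
    if not is_safe_name(domain):
        raise ValueError(f"refusing unsafe domain name: {domain!r}")
    return "_acme-challenge." + domain.rstrip(".") + "."


def build_nsupdate_script(server: str, zone: str, domain: str, txt_value: str,
                          ttl: int = 60, action: str = "add") -> str:
    """Return the text nsupdate expects on stdin to add or delete the record.
    A short TTL keeps stale challenge values from being cached for long."""
    for value in (server, zone):
        if not is_safe_name(value):
            raise ValueError(f"refusing unsafe name: {value!r}")
    if not _SAFE_TXT.match(txt_value):
        raise ValueError(f"TXT value is not unpadded base64url: {txt_value!r}")
    if action not in ("add", "delete"):
        raise ValueError("action must be 'add' or 'delete'")
    name = challenge_name(domain)
    lines = [f"server {server}", f"zone {zone.rstrip('.')}."]
    if action == "add":
        lines.append(f'update add {name} {int(ttl)} IN TXT "{txt_value}"')
    else:
        # Delete only this exact RR, so other challenge values survive.
        lines.append(f'update delete {name} IN TXT "{txt_value}"')
    lines.append("send")
    return "\n".join(lines) + "\n"


def apply_update(script: str, keyfile: str, nsupdate_cmd=("nsupdate",)) -> None:
    """Feed the script to nsupdate, signing with the TSIG key in `keyfile`
    (nsupdate -k). No root needed: this is a network request, not a
    config-file edit or a nameserver restart."""
    cmd = list(nsupdate_cmd) + ["-k", keyfile]
    subprocess.run(cmd, input=script.encode("ascii"), check=True)


def manual_update(script: str, stream=sys.stdin) -> None:
    """Stand-in for nsupdate on zones without dynamic updates: print the
    update and block until the operator confirms they applied it by hand."""
    print("Apply the following DNS update by hand, then press Enter:")
    print(script)
    stream.readline()


if __name__ == "__main__":
    # Constructed values: a real client takes the token from the ACME server
    # and the thumbprint from its own account key.
    txt = dns_txt_value("constructed-token.constructed-jwk-thumbprint")
    add = build_nsupdate_script("ns1.example.com", "example.com",
                                "www.example.com", txt)
    print(add)
    # apply_update(add, "/etc/acme/Kacme-key.private")   # real run
    # ... wait for the ACME server to validate, then clean up:
    # apply_update(build_nsupdate_script("ns1.example.com", "example.com",
    #                                    "www.example.com", txt,
    #                                    action="delete"),
    #              "/etc/acme/Kacme-key.private")
```

Two practitioner points on the server side, which this issue's proposal relies on but does not spell out: the TSIG key handed to the client should be scoped to the challenge label only, e.g. in BIND 9 `update-policy { grant acme-key name _acme-challenge.example.com. TXT; };`, so a compromised client host cannot rewrite A or MX records for the zone; and the client should delete the TXT record after validation so old challenge values do not accumulate.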
@ThomasWaldmann (Contributor, Author)

questions:

  • is the ACME demo server already implementing "dns"?
  • apart from the authentication part, how to integrate this into the client in a useful way?

@jdkasten (Contributor)

The ACME demo server does not currently support the DNS challenge.
A few things are blocking this...

  1. We are still running the Node ACME server code which isn't that sophisticated/fully featured.
  2. The main server development effort will be in the Boulder repo, but it doesn't follow the same protocol. It is currently following an old development branch of the ACME spec.
  3. The ACME spec just changed slightly (on Jan 23rd). This should allow the client and the Boulder server to converge on the same protocol and will allow testing of the more advanced features of the client.

I am very enthusiastic about the DNS authenticator. I especially like the fact that it won't have to be on the same machine. The main code is being prepped to run without an Installer. (See #185)
I would like to see the sudo requirement removed from the client and it should be possible once we have an authenticator that does not require it. We will have to think carefully about the proper policies, but this would be a great contribution to the project.

@ThomasWaldmann (Contributor, Author)

see PR #203.

keep me updated when the server starts supporting dns.

@kuba (Contributor) commented Jun 13, 2015

See #496.
