With thanks to an astute reader, 3 corrections that do not change the meat of the problem statement:
On Sat, 2025-07-26 at 00:45 +0200, Peter van Dijk wrote:
> On Tue, 2025-06-17 at 17:44 +0200, Joe Abley wrote:
> > Hi all,
> >
> > Warren, Wes and I put our respective heads together in Prague and came up
> > with this:
> >
> > https://datatracker.ietf.org/doc/draft-jabley-dnsop-zone-cut-to-nowhere/
> >
> > This is some general advice for how to delegate a domain to another
> > namespace.
>
> Based on my limited understanding of the ACME specification, and
> specifically https://github.com/letsencrypt/boulder/issues/7050 being
> an open, unimplented ticket for Boulder, the Let's Encrypt CA software,

unimplemented, of course.

> I strongly suspect that adding such zone cuts would prevent the
> issuance, via the dns-01 method (which, I think, is the only one
> suitable for issuing certificates for private names), of Let's Encrypt
> certificates.

dns-01 is not the only suitable one, but it appears to be by far the most
popular for this purpose. I believe the problem statement does not change
for other challenge types anyway.

> Longer version: many people run private subdomains of public domains.
> The document clearly recognises that. Some of those people use TXT
> records in the public domain to complete ACME/LE dns-01 challenges to
> generate certificates for those private names. With a zone cut to
> nowhere, there is no place to put those TXT records. The CA/B Baseline
> Requirements allow a successful challenge for example.com to also be
> used to issue a cert for internal.example.com,
> office.internal.example.com, *.internal.example.com, etcetera. But the
> ACME specification as it is written in RFC8855 does not provide this

RFC8555, of course.

> freedom (based on my reading). RFC9444 adds this, but LE has not
> implemented it.
>
> If I'm wrong, awesome. If I'm right, this may warrant a note in the
> document. I hope somebody better versed in ACME, and specifically Let's
> Encrypt's implementation, can give a more definitive answer.
>
> I also did not look at other ACME-supporting providers.

Kind regards,
--
Peter van Dijk
PowerDNS.com B.V. - https://www.powerdns.com/
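The problem described in the message, as an added example that is not part of the thread or of any DNS or ACME implementation: given a constructed set of zone cuts, it locates the zone that would have to serve the RFC 8555 dns-01 validation record `_acme-challenge.<identifier>` and reports when that record falls below a delegation to nowhere. Zone names, the `ZONE_CUTS` table and the function names are all assumptions made for this example.

```python
"""Which zone has to serve the dns-01 TXT record for a given identifier?

Constructed data: example.com delegates internal.example.com to nameservers
that do not exist (a "zone cut to nowhere"); example.org delegates
lab.example.org to a real child zone. Nothing here is queried on the wire.
"""

# zone apex -> {delegated child apex: nameservers or None}
# None marks a cut to nowhere: the child exists as a delegation in the
# parent, but no server will ever answer authoritatively for it.
ZONE_CUTS = {
    "example.com.": {"internal.example.com.": None},
    "example.org.": {"lab.example.org.": ["ns1.lab.example.org."]},
}


def acme_validation_name(identifier):
    """RFC 8555 dns-01 looks up TXT at _acme-challenge.<identifier>.
    A wildcard identifier *.foo validates at _acme-challenge.foo."""
    name = identifier.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return "_acme-challenge." + name + "."


def closest_enclosing_zone(name, zones):
    """Longest apex in `zones` that equals `name` or is an ancestor of it."""
    best = None
    for apex in zones:
        if name == apex or name.endswith("." + apex):
            if best is None or len(apex) > len(best):
                best = apex
    return best


def dns01_record_owner(identifier, parent_zones=ZONE_CUTS):
    """Return (validation_name, serving_zone). serving_zone is None when the
    record would have to live in a child zone that the parent has cut out
    but delegated to nowhere: there is no place to publish the TXT record."""
    vname = acme_validation_name(identifier)
    parent = closest_enclosing_zone(vname, parent_zones)
    if parent is None:
        raise ValueError(f"{vname} is not under any zone in the table")
    child = closest_enclosing_zone(vname, parent_zones[parent])
    if child is None:
        return vname, parent          # parent zone serves the record itself
    if parent_zones[parent][child] is None:
        return vname, None            # below a zone cut to nowhere
    return vname, child               # a real child zone serves it


if __name__ == "__main__":
    for ident in ("www.example.com", "office.internal.example.com",
                  "*.internal.example.com", "example.com", "host.lab.example.org"):
        print(ident, "->", dns01_record_owner(ident))
```

The `example.com` case shows why an ancestor authorization (the RFC 9444 behaviour the message says Let's Encrypt has not implemented) would sidestep the problem: its validation record sits in the parent zone, above the cut.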
