*sigh* TIL there is a domain tlsa[.]is whose whole purpose is letting you write cursed stuff like
_25._tcp.mail IN CNAME _letsencrypt.tlsa.is.
We get unbelievably perfect tools for establishing trust of keys without gratuitous third party authorities and yet some admins can't be bothered to manage their own private key identity and instead outsource through 3+ gratuitous third parties.
(3 = .is TLD, tlsa[.]is domain, and Let's Encrypt, who are awesome but completely unneeded here)
Let's Encrypt is also primarily providing certificates via unauthenticated HTTP(S) verification of domain control. It's going to become possible to restrict it to only DNS-based verification via CAA but for the time being either can always be used. It's more than a trusted party.
I find it fairly annoying that they don't have a secure way to bootstrap from DNS since I don't particularly want to give my web servers control over DNS. It would be nice if it enforced DANE TLSA records for HTTP(S) verification of domain control instead of requiring the DNS method.
I wish LE/ACME would add HTTPS-only mode, where the self-referentiality is avoided by insisting on having a DANE record matching the server's key at the time of ACME request.
AFAICT the DNS mode is a non-starter because it requires dynamic updates to DNS, which requires that your DNSSEC signing key be online.
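The check the thread wants ACME to perform, as an added example (Go, not code from the thread or from Let's Encrypt): a DANE-EE `3 1 1` TLSA record is the SHA-256 of the server key's DER SubjectPublicKeyInfo, so a validator can derive it from the key presented during validation and compare it with the published record. The key is generated in place as a stand-in for a server's key, and the record name printed is illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"strings"
)

// spkiSHA256 hashes the DER SubjectPublicKeyInfo, which is what selector 1
// with matching type 1 covers (RFC 6698 / RFC 7671).
func spkiSHA256(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// TLSARdata returns the "3 1 1 <hex>" rdata that binds a name to this key
// (DANE-EE usage, no CA involved).
func TLSARdata(pub interface{}) (string, error) {
	h, err := spkiSHA256(pub)
	if err != nil {
		return "", err
	}
	return "3 1 1 " + h, nil
}

// MatchesTLSA reports whether a presented key satisfies a published 3 1 1
// record; other usage/selector/matching types are rejected, not guessed at.
func MatchesTLSA(rdata string, pub interface{}) (bool, error) {
	f := strings.Fields(rdata)
	if len(f) != 4 {
		return false, fmt.Errorf("malformed TLSA rdata %q", rdata)
	}
	if f[0] != "3" || f[1] != "1" || f[2] != "1" {
		return false, fmt.Errorf("unsupported TLSA parameters %s %s %s", f[0], f[1], f[2])
	}
	h, err := spkiSHA256(pub)
	if err != nil {
		return false, err
	}
	return strings.EqualFold(f[3], h), nil // hex in DNS may be upper or lower case
}

func main() {
	// Constructed stand-in for the server's key; a real deployment uses the key in the TLS cert.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rdata, _ := TLSARdata(&key.PublicKey)
	fmt.Println("_443._tcp.www IN TLSA", rdata)
	ok, _ := MatchesTLSA(rdata, &key.PublicKey)
	fmt.Println("presented key matches published record:", ok)
}
```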