breard-r / acmed

ACME (RFC 8555) client daemon
MIT License

FR: Add capability to generate (and deploy) DANE records #155

Closed blackbit42 closed 4 months ago

blackbit42 commented 4 months ago

Hi!

Provided you want to maintain DANE RFC6698 records, that is a task that is due every time an ACME certificate is renewed, which brings me to the conclusion that this functionality would be well placed alongside an ACME client implementation.

Functionality would be relatively simple and similar to DaneBot.

Is this a feature you would consider to implement?

breard-r commented 4 months ago

Hello,

There are currently 2 ways to maintain such records using ACMEd:

  1. Setting kp_reuse = true in the certificate's configuration so the private key is reused and the record doesn't change.
  2. Using hooks to update the record when the certificate is renewed.

Obviously, the second option is quite tricky because of DNS propagation. Going this way, I think it's better to use dedicated software to handle it instead of integrating it directly into ACMEd. This dedicated software would be made aware of a new certificate either by a hook or inotify and then manage the update of the DNS record and deployment of the certificate.

blackbit42 commented 4 months ago

Thanks for the quick response.

I think it's better to use dedicated software to handle it instead of integrating it directly into ACMEd.

What would be the advantage of implementing that functionality in a separate program?

jcgruenhage commented 4 months ago

acmed is modular software that provides the ability to define hooks for such things. Using this modular approach makes acmed maintainable and lightweight, while still being flexible enough to support stuff like setting DANE records using a hook.

Why should this be included in acmed instead of being handled by a hook? Writing a shell script that calls danebot, and installing that shell script as a hook in acmed should be fairly easy.
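To make concrete what such a hook script has to produce (and why the kp_reuse = true option above keeps the record stable), here is an added example that is not part of acmed, tacd or DaneBot: it derives RFC 6698 TLSA rdata from a DER certificate with a minimal DER walker and shows that, when the private key is reused across a renewal, a selector 1 (SubjectPublicKeyInfo) record does not change while a selector 0 (full certificate) record does. The certificate skeletons are constructed for the demo and are not real signed certificates; wiring the output into acmed's hook configuration and a DNS update is left out.

```python
"""Compute DANE TLSA rdata (RFC 6698) from a DER certificate, stdlib only."""
import hashlib

def der_tlv(buf, pos):
    """Decode the DER header at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (RFC 6698 selector 1) of a certificate."""
    _, tbs, _ = der_tlv(cert_der, 0)        # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, _ = der_tlv(cert_der, tbs)      # TBSCertificate ::= SEQUENCE { ... }
    if cert_der[pos] == 0xA0:               # optional EXPLICIT [0] version
        pos = der_tlv(cert_der, pos)[2]
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        pos = der_tlv(cert_der, pos)[2]
    return cert_der[pos:der_tlv(cert_der, pos)[2]]

def tlsa_rdata(cert_der, usage=3, selector=1, matching=1):
    """Presentation-format TLSA rdata, e.g. '3 1 1 <sha256 hex>' (DANE-EE, SPKI, SHA-256)."""
    data = extract_spki(cert_der) if selector == 1 else cert_der
    digest = {0: lambda d: d.hex(),                          # matching type 0: full data
              1: lambda d: hashlib.sha256(d).hexdigest(),    # matching type 1: SHA-256
              2: lambda d: hashlib.sha512(d).hexdigest()}[matching]
    return f"{usage} {selector} {matching} {digest(data)}"

def record_changes_on_renewal(old_der, new_der, selector):
    """True if the renewed certificate needs a new TLSA record for this selector."""
    return tlsa_rdata(old_der, 3, selector, 1) != tlsa_rdata(new_der, 3, selector, 1)

# --- constructed sample input: minimal DER skeletons, not real signed certificates ---
def _tlv(tag, payload):
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _tlv(0x05, b""))
                   + _tlv(0x03, b"\x00" + bytes(range(40))))   # rsaEncryption OID + dummy key bits

def sample_cert(serial, spki=SAMPLE_SPKI):
    """Certificate skeleton: v3 version tag, given serial, empty issuer/validity/subject, spki."""
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
    tbs += _tlv(0x30, b"") * 4 + spki       # signature, issuer, validity, subject (empty here)
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    old, new = sample_cert(1), sample_cert(2)   # renewal with the private key reused (kp_reuse = true)
    print(tlsa_rdata(new))
    print("3 1 1 changes:", record_changes_on_renewal(old, new, 1))   # False: same SPKI
    print("3 0 1 changes:", record_changes_on_renewal(old, new, 0))   # True: new serial
```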

blackbit42 commented 4 months ago

I like modular software as much as the next guy. It's a great design pattern. In my mind a modular approach is best applied when the individual modules are useful on their own. Right now I do not see a use case for a piece of software that updates DANE records outside of the context of certificate renewal. Since - provided my train of thought is correct - that updater would only be used in conjunction with an ACME client anyways, I would couple both functionalities. Besides, ACMEd already supports dns-01 challenges and therefore dynamic DNS updates, right? The DANE updater needs the same functionality and hence would need to duplicate code.

jcgruenhage commented 4 months ago

acmed uses hooks for the dns challenge as well, it doesn't implement solving this challenge on its own.

breard-r commented 4 months ago

Right now I do not see a use case for a piece of software that updates DANE records outside of the context of certificate renewal.

Same thing for tls-alpn-01 challenge validation. ACMEd doesn't do it by itself, it requires dedicated software, for example tacd. Because it shares some common functions with ACMEd, tacd is developed within the ACMEd repository, but it still remains a different software.

Besides, ACMEd already supports dns-01 challenges and therefore dynamic DNS updates, right? The DANE updater needs the same functionality and hence would need to duplicate code.

Not on its own, it triggers hooks and those hooks are responsible for the challenge resolution. Same thing for the http-01 challenge, it still uses hooks, although ACMEd ships some pre-defined hooks that can be used.

blackbit42 commented 4 months ago

Thanks for the clarification, I wasn't aware of those details. Maybe I should rephrase my request then... Would it make sense for you guys to implement a DANE record updater under the same umbrella as ACMEd and tacd that can be hooked from ACMEd?

jcgruenhage commented 4 months ago

No, it wouldn't. Such software already exists, it's DaneBot, and hooking it into acmed is just writing a small shell script.

blackbit42 commented 4 months ago

No, it wouldn't.

Alright.

I am aware of DaneBot. It's good software. From a functionality standpoint it does virtually everything I desire. There is one little challenge that I couldn't wrap my head around yet though. If you have n domains for which you fetch TLS certificates via ACME, but only n-m domains do DANE, then you must run your cert deployment scripts from your ACME client for a subset of domains and from DaneBot for the second subset of domains, which feels weird and is inconsistent. Maybe one should make DaneBot no-op capable so that call flow is unified for all certificates.

This is definitely a question far outside the scope of this feature request, which I am hereby closing.