DNS authentication is really needed

DNS authentication is really necessary. I, and probably many others, would like to use TLS with network printers, ethernet switches and many other devices where it is impossible to place challenge document in arbitrary place under HTTP server. To take down such devices once per two months just to get certificates is not acceptable. I see some previous discussion on the subject and I somewhat understand security concerns. However, as serving HTTP is dependent on DNS and its integrity, I don’t really see the point.

If anyone has a solution to the basic problem eg. embedded devices etc, please enlighten me!

It does make me smile that when providing a free service of SSL certs, that wasn't done before people complain that some constraints are "not acceptable" :slight_smile: I'm sure it wasn't meant the way I read it though.

I'm assuming they are named as subdomains of a domain you own ? printer1.mydomain.com and switch37.mydomain.com ? if so you could do them as manual (cert only) from the main domain and have DNS pointing there - then manually (or have a script) to internally install the certs on the relevant devices.

I am assuming that the DNS records for the devices you describe are only resolvable internally? If so, create a temporary public wildcard DNS record that points to *.mydomain.com and point this to a server on the public internet.

You can then generate all the certificates you want using the certificate only option, and once generated you can remove the public wildcard DNS record. You then only need to re-add it at the point of renewal.

That being said, if you are wanting certificates for devices that are only accessible internally, why not just create your own Root CA and generate certificates this way? Will be a LOT easier in the long run.

This sounds like something the webroot method in the LE client was designed to solve.

I am sorry about my wording. If you read carefully, I didn’t say that not providing DNS authentication is not acceptable. I merely stated that taking down various embedded devices is not acceptable. And in environments I refer, that is a fact.

Just my 1cents worth… I’m reading this thread with interest, as a small/mid size (OK it’s all relative), the pain(?) in setting up a local certificate authority for all our small number of devices is easy - however, getting all our nomadic employees to have a new certification authority added to their mobile devices is a huge undertaking.

In a large corporation, I can see that a certificate authority makes sense - especially internally. Hey employee - you want to use stuff - then here is your preconfigured device…

My point is, that small/mid size would benefit from longer (ouch sorry to tread on another bunion) certificate that is easily verified (DNS) is a bonus. Given that there is so much wanted from Let’s Encrypt, it would be nice to think that the more vulnerable had better tools. After all, larger corps have other tools in the arsenal to fight with.