From: Wolfgang Bumiller
To: Dietmar Maurer
Cc: Proxmox Backup Server development discussion
Date: Thu, 29 Apr 2021 09:12:19 +0200
Message-ID: <20210429071219.l2ma4osf3o3xzclm@wobu-vie.proxmox.com>
In-Reply-To: <1626464218.1336.1619625327468@webmail.proxmox.com>
Subject: Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema

On Wed, Apr 28, 2021 at 05:55:27PM +0200, Dietmar Maurer wrote:
> Is this the same syntax used for DNS SRV records?
>
> https://en.wikipedia.org/wiki/SRV_record

Disclaimer: My main motivation was, I just followed along with what we're
doing in PVE (and did the same in PMG as well). TBH I don't know if any
ACME implementation worries about that at all.

The main idea is this:

* you want to get a certificate for foo.bar.com
* giving pbs direct access to managing the `foo.bar.com` or `bar.com`
  zones is inconvenient or impossible
* you set up a `CNAME` for `_acme-challenge.foo.bar.com` to point to X.Y.Z
* you configure the domain foo.bar.com and set the alias to X.Y.Z, so that
  our DNS plugins will set the TXT entry for X.Y.Z instead of
  `_acme-challenge.foo.bar.com`
* the ACME provider's DNS resolver will decide which values for X, Y and Z
  they're willing to accept while resolving the TXT entry.

Most likely they can be completely arbitrary. We know that due to common
practice, they'll most likely allow at least hostnames with the addition of
leading underscores, but as far as formal definitions go, the DNS RFC is the
only "real source of what-should-be-the-truth", while in practice you'll
just have to try and see if it works...

And sure, *technically* we could just relax the DNS schema in general, but
then users may run into issues when they configure something that should be
legal as per the DNS RFC but is not accepted by their browsers or some other
tool. Of course we could still relax it and just keep the "normal"
restrictions purely in the GUI... I don't know.
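The alias flow described in the message above, as an added example that is not part of the thread or of the PBS patch under discussion. It models the three parties with an in-memory zone standing in for public DNS: the `CNAME` from `_acme-challenge.foo.bar.com` to an alias target, the DNS plugin publishing the TXT record at the alias instead of under the domain, and the CA's resolver following the `CNAME` chain before reading the TXT. It also contrasts a strict hostname check with the relaxed alias check that permits a leading underscore per label. The target name `_acme.acme-dns.example.net`, the TXT value and the hop limit are constructed for the example (the message's X.Y.Z is left as a placeholder), and the resolver and label rules are a simplified model, not a real resolver or the schema code in the patch.

```rust
use std::collections::HashMap;

/// Constructed hop limit; real resolvers use a similarly small bound.
const MAX_CNAME_HOPS: usize = 8;

/// In-memory stand-in for public DNS: owner name -> CNAME target, owner name -> TXT values.
#[derive(Default)]
pub struct Zone {
    cname: HashMap<String, String>,
    txt: HashMap<String, Vec<String>>,
}

/// Lower-case and drop a trailing dot so lookups do not depend on how a name was typed.
fn canonical(name: &str) -> String {
    name.trim_end_matches('.').to_ascii_lowercase()
}

impl Zone {
    pub fn add_cname(&mut self, name: &str, target: &str) {
        self.cname.insert(canonical(name), canonical(target));
    }

    pub fn add_txt(&mut self, name: &str, value: &str) {
        self.txt.entry(canonical(name)).or_default().push(value.to_string());
    }

    /// What the CA's resolver does: follow CNAMEs from `name`, then read TXT at the
    /// final owner. A TXT stored directly at a CNAME'd name is never seen.
    pub fn resolve_txt(&self, name: &str) -> Result<Vec<String>, String> {
        let mut current = canonical(name);
        for _ in 0..=MAX_CNAME_HOPS {
            if let Some(target) = self.cname.get(&current) {
                current = target.clone();
                continue;
            }
            return Ok(self.txt.get(&current).cloned().unwrap_or_default());
        }
        Err(format!("CNAME chain from {} exceeds {} hops", name, MAX_CNAME_HOPS))
    }
}

/// Where the DNS plugin writes the TXT record: the configured alias if there is one,
/// otherwise the standard `_acme-challenge.<domain>` name.
pub fn publish_name(domain: &str, alias: Option<&str>) -> String {
    match alias {
        Some(a) => canonical(a),
        None => format!("_acme-challenge.{}", canonical(domain)),
    }
}

/// CA-side check: the expected token must appear among the TXT values reached
/// from `_acme-challenge.<domain>` after following any CNAMEs.
pub fn ca_validates(zone: &Zone, domain: &str, expected: &str) -> Result<bool, String> {
    let values = zone.resolve_txt(&format!("_acme-challenge.{}", domain))?;
    Ok(values.iter().any(|v| v == expected))
}

/// One label: 1..=63 bytes, letters/digits/hyphen, no leading or trailing hyphen.
/// With `allow_underscore`, a single leading underscore is permitted (the relaxed rule).
fn valid_label(label: &str, allow_underscore: bool) -> bool {
    let bytes = label.as_bytes();
    if bytes.is_empty() || bytes.len() > 63 {
        return false;
    }
    let body = if allow_underscore && bytes[0] == b'_' { &bytes[1..] } else { bytes };
    if body.is_empty() || body[0] == b'-' || body[body.len() - 1] == b'-' {
        return false;
    }
    body.iter().all(|b| b.is_ascii_alphanumeric() || *b == b'-')
}

fn valid_dns_name(name: &str, allow_underscore: bool) -> bool {
    let name = name.strip_suffix('.').unwrap_or(name);
    !name.is_empty() && name.len() <= 253 && name.split('.').all(|l| valid_label(l, allow_underscore))
}

/// Strict form: what a browser-facing hostname schema accepts.
pub fn is_valid_hostname(name: &str) -> bool {
    valid_dns_name(name, false)
}

/// Relaxed form for the alias target: hostnames plus leading underscores.
pub fn is_valid_alias(name: &str) -> bool {
    valid_dns_name(name, true)
}

fn main() {
    let alias = "_acme.acme-dns.example.net"; // constructed alias target
    let mut zone = Zone::default();
    zone.add_cname("_acme-challenge.foo.bar.com", alias);
    zone.add_txt(&publish_name("foo.bar.com", Some(alias)), "token-digest");
    println!("alias ok as alias: {}, as hostname: {}", is_valid_alias(alias), is_valid_hostname(alias));
    println!("CA validates foo.bar.com: {:?}", ca_validates(&zone, "foo.bar.com", "token-digest"));
}
```

Without the alias the plugin would write the TXT under `_acme-challenge.foo.bar.com` itself; because that name already carries the `CNAME`, the resolver follows it and never sees the TXT, which is why the alias has to be configured explicitly.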