Skip to main content

Telechat Review of draft-ietf-acme-integrations-13

Request Review of draft-ietf-acme-integrations
Requested revision No specific revision (document currently at 17)
Type Telechat Review
Team DNS Directorate (dnsdir)
Deadline 2023-02-28
Requested 2023-02-16
Authors Owen Friel , Richard Barnes , Rifaat Shekh-Yusef , Michael Richardson
I-D last updated 2023-03-01
Completed reviews Dnsdir Last Call review of -14 by Ted Lemon (diff)
Dnsdir Last Call review of -15 by Ted Lemon (diff)
Dnsdir Telechat review of -16 by Ted Lemon (diff)
Dnsdir Last Call review of -12 by Ted Lemon (diff)
Artart Last Call review of -12 by John R. Levine (diff)
Secdir Last Call review of -12 by Joseph A. Salowey (diff)
Opsdir Last Call review of -12 by Bo Wu (diff)
Genart Last Call review of -12 by Tim Evens (diff)
Dnsdir Telechat review of -13 by Ted Lemon (diff)
Secdir Telechat review of -13 by Joseph A. Salowey (diff)
Assignment Reviewer Ted Lemon
State Completed
Request Telechat review on draft-ietf-acme-integrations by DNS Directorate Assigned
Posted at
Reviewed revision 13 (document currently at 17)
Result Ready
Completed 2023-03-01
In my previous review, I mentioned that the text about graph theory seemed to
make the document harder, not easier, to understand. This was an editorial
comment, which the authors mostly ignored, which is fine. They did add an
admonition to the reader to read RFC8499 for further clarification, for what
that's worth.

I also mentioned that the diagrams that show the ACME process aren't
contextualized as being part of ACME, which made it hard to figure out where
these operations were actually described in a standard.  The authors added some
text that may have been intended to address this concern, but it's not clear,
and I don't think this suggestion has been addressed. It was an editorial nit,
so that seems like a reasonable, if disappointing, reaction.

I also mentioned that the text about the use of ACME for subdomains is somewhat
contradictory, since in one place it says they are not necessary, and in
another case it gives an example that depends on them. Some text has been added
that may have been intended to ameliorate this concern. This was a "ready with
issues" point, meaning that I thought it should definitely be corrected. I
think this change addresses the concern.

I also asked for a clarification in the security considerations section (now
section 10) that the mention of using DNS updates and TSIG or SIG(0) was
needlessly prescriptive. The update softens this text and I think addresses my

I also pointed out an issue with the text implying that TSIG uses "DNS key
records," which it does not, and the new text no longer confuses key records
(SIG(0)) and TSIG keys, referring to both as "credentials." This addresses my
concern, and also includes other means of update in the concern about
credential leakage. I think this addresses my concern.

I further requested that references be given for RFC2136 and RFC2931 since the
mechanisms described therein were being referenced. These references have been

So I would say at this point that the concerns I raised have been addressed and
the document is ready to go.