At 08:02 21/03/2016 Monday, Niklas Keller wrote:
> > I would propose for either HTTP or DNS verification requiring at least a
> > temporary wildcard in DNS, then for the verification server to either look up
> > http://random-generated.domain.tld/.well-known/acme-challenge/challenge-string
>
> That's not possible, because several providers allow the registration of any
> subdomain, e.g. DynDNS providers.

That's why the random part at the beginning of the checked URL was added (only known to the verifier). As long as it's long and suitably random it can only match a *.domain.tld in DNS (that is added at least till verification completes), not any pre-existing some-other-sub-domain.domain.tld, and on the server side (if using name-based vhosts) it will only match the primary (default) or an explicit *.domain.tld, so requiring a certain level of difficulty/understanding for those needing wildcards (as it really should).

I'm personally not a fan of the assumption that owning http://domain.tld should authorize all wildcards above it automatically. As the admin of the server for many customer sites I feel fine issuing myself a SAN for the www.theirs.tld and theirs.tld hosted with us, but not for *.theirs.tld unless their DNS admin is happy about it also. But I think if you can HTTP or DNS verify the ownership and desire for a wildcard it should be possible.

> > DNS verification is trickier but could require, instead of
> > _acme-challenge.example.com. 300 IN TXT "token"
> > _acme-challenge.challenge-string.example.com. 300 IN TXT "token"
>
> For DNS challenges, I think it's fine when _acme-challenge.example.com
> authorizes *.example.com.
>
> > for example, or
> > _acme-challenge._wildcard_.example.com. 300 IN TXT "token"
> > or, to demonstrate the ability to create wildcards,
> > random-generated._acme-challenge.example.com. 300 IN TXT "token"
> > as this would require the applicant to set up
> > *._acme-challenge.example.com.
> >
> > I hope this is the right place; if not please feel free to redirect me, as
> > either way ACME is a huge leap forward in cert issuance and improving
> > reliability through automation.
>
> Regards, Niklas
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
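As an added example (not code from anyone in this thread, and not what ACME as published in RFC 8555 ended up doing, where a wildcard identifier is validated by a TXT record at _acme-challenge.<domain> itself), here is the verifier side of the "random label under a wildcard" DNS variant discussed above, in the form random-generated._acme-challenge.example.com, which needs a syntactically valid leftmost-label wildcard *._acme-challenge.example.com. It runs against a constructed in-memory zone with a minimal RFC 1034/4592 wildcard-aware lookup, so it works offline; every name, token and record in it is made up.

```python
"""Added example, not code from the thread: the verifier side of the
'random label under a wildcard' DNS check proposed above, run against a
constructed zone with a minimal RFC 1034/4592 wildcard-aware lookup.
Assumption: the challenge name is <label>._acme-challenge.<domain>, the
variant that needs a valid leftmost-label wildcard *._acme-challenge.<domain>."""
import secrets


def labels(name):
    """Absolute DNS name -> tuple of lowercase labels, e.g. ('www', 'example', 'com')."""
    return tuple(l.lower() for l in name.rstrip(".").split(".") if l)


def make_zone(records):
    """records: iterable of (owner, rrtype, rdata) -> {labels: {rrtype: [rdata]}}."""
    zone = {}
    for owner, rrtype, rdata in records:
        zone.setdefault(labels(owner), {}).setdefault(rrtype, []).append(rdata)
    return zone


def node_exists(zone, name):
    """True if NAME is an owner name in ZONE or an ancestor of one (an
    'empty non-terminal'); the root always exists."""
    n = len(name)
    return n == 0 or any(owner[-n:] == name for owner in zone)


def lookup(zone, qname, rrtype):
    """Return rdata for QNAME/RRTYPE applying wildcard rules: an exact owner
    wins; an existing empty non-terminal never matches a wildcard; otherwise
    only '*' directly under the closest encloser (longest existing suffix)
    can answer."""
    qname = labels(qname)
    if qname in zone:
        return list(zone[qname].get(rrtype, []))
    if node_exists(zone, qname):
        return []
    for i in range(1, len(qname) + 1):
        encloser = qname[i:]
        if node_exists(zone, encloser):
            return list(zone.get(("*",) + encloser, {}).get(rrtype, []))
    return []


def verify_wildcard_dns(zone, domain, token, label=None):
    """The verifier picks a label only it knows and expects TOKEN in TXT at
    <label>._acme-challenge.<domain>. A fixed, pre-existing record cannot
    answer; only *._acme-challenge.<domain> (or guessing the label) can.
    Returns (passed, queried_name)."""
    label = label or secrets.token_hex(16)
    qname = f"{label}._acme-challenge.{domain}."
    return token in lookup(zone, qname, "TXT"), qname


# Constructed zone for a DynDNS-style provider: anyone may own a leaf name,
# 'attacker' owns attacker.example.com, and the apex has a stale challenge record.
TOKEN = "correct-token"
BASE = [
    ("example.com.", "A", "192.0.2.1"),
    ("www.example.com.", "A", "192.0.2.1"),
    ("attacker.example.com.", "A", "198.51.100.7"),
    ("_acme-challenge.attacker.example.com.", "TXT", "attacker-token"),
    ("_acme-challenge.example.com.", "TXT", "stale-apex-token"),
]


def demo():
    """Run the check over several zone variants; the keys name the variant."""
    cases = {
        # no wildcard anywhere: the stale apex TXT is not enough
        "no_wildcard": BASE,
        # the zone admin publishes the required wildcard: passes
        "zone_admin_wildcard": BASE + [("*._acme-challenge.example.com.", "TXT", TOKEN)],
        # a leaf owner publishes wildcards under their own name: still fails
        "attacker_wildcard": BASE + [("*.attacker.example.com.", "TXT", TOKEN),
                                     ("*._acme-challenge.attacker.example.com.", "TXT", TOKEN)],
        # RFC 4592 subtlety: *.example.com does not match below an existing
        # _acme-challenge.example.com node ...
        "apex_wildcard_with_apex_txt": BASE + [("*.example.com.", "TXT", TOKEN)],
        # ... but does match once that node is absent, so a plain *.example.com
        # TXT also satisfies the check in that layout
        "apex_wildcard_alone": [r for r in BASE if r[0] != "_acme-challenge.example.com."]
                               + [("*.example.com.", "TXT", TOKEN)],
    }
    return {name: verify_wildcard_dns(make_zone(recs), "example.com", TOKEN)[0]
            for name, recs in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30s} {'PASS' if ok else 'FAIL'}")
```

The two apex cases are the caveat a verifier implementer would want: whether a bare *.example.com TXT satisfies the random-label check depends on whether an _acme-challenge.example.com node already exists, because a wildcard only covers names whose closest encloser is its own parent. A real verifier would also have to query authoritative servers over DNS rather than an in-memory zone, which this example does not attempt.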
