Hi,

When the example.com zone and its child zone, www.example.com, are hosted on the same DNS server, most DNS server implementations respond with authoritative answers to queries for the child zone, even if the parent does not delegate the child.

Some DNS hosting providers do not confirm whether the owner of the domain is reasonable or not. A person unconcerned with example.com can contract the www.example.com zone on those providers.

The ACME spec says:

> The client constructs the validation domain name by
> prepending the label "_acme-challenge" to the domain name being
> validated, then provisions a TXT record with the digest value under
> that name. For example, if the domain name being validated is
> "example.com", then the client would provision the following DNS
> record:
>
> _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM"

So, if an evil person contracts the www.example.com zone on the DNS provider which hosts example.com and creates a _acme-challenge.www.example.com record, then he can steal the certificate for www.example.com. If he contracts the _acme-challenge.example.com zone, he can get the cert for example.com itself.

If DNS providers refuse improper zones, this approach doesn't work. But it is difficult for a third party to confirm it.

Regards.

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme