I have asked that question in the LE forum. IIRC the problem is that someone
could place that record once, and as long as someone doesn't look at it all
the time, one can easily miss the fact that someone can create wildcards and
stuff for that domain. So the point is to prove that DNS access is given at
the time of issuance.
You could maybe use a different DNS server which has a better API and can
potentially even be used by ACME.

Regards

On Fri, 11 Sep 2020 at 15:09, Simon Ser <cont...@emersion.fr> wrote:

> Hi all,
>
> I've been working on an ACME client acting as a TLS termination proxy. In
> order to retrieve wildcard certificates from the Let's Encrypt ACME servers,
> support for the dns-01 challenge is required.
>
> dns-01 requires the ACME client to complete the challenge by updating a DNS
> record. This is bothersome because this often requires interacting with the
> DNS registry operator. This is typically done via vendor-specific APIs, with
> access control handled via vendor-specific means (tokens, public keys, etc).
>
> I understand that it's difficult for ACME clients to prove that they are
> authorized to obtain wildcard certificates. However, have other alternatives
> been considered?
>
> For instance, it would be possible to require users to add a short public key
> in a DNS TXT record, then ask the ACME client to sign challenges with that
> key. Something like this would significantly ease the development of ACME
> clients.
>
> Are there specific reasons why dns-01 requires updating a DNS record?
>
> Thanks,
>
> Simon Ser
>
> (CC mholt, I figured you might be interested in this for Caddy too)
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
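Added worked example for the point made in the reply above; this is not code from the thread, from Simon's client or from any ACME implementation. It derives the dns-01 TXT value the way RFC 8555 section 8.4 specifies (key authorization = token "." RFC 7638 thumbprint of the account key, then base64url(SHA-256)) and shows why a record left behind from an earlier issuance does not satisfy a new challenge: the CA's token is fresh per challenge, so the published digest only matches if whoever holds the account key can write DNS now. The account JWK, the tokens and the TXT record list are constructed sample values; a real CA resolves _acme-challenge.<domain> instead of being handed a list.

```python
"""dns-01 record derivation and CA-side check (RFC 8555 section 8.4, RFC 7638).

Added example for this mailing-list thread. All inputs below are constructed
samples; nothing here talks to a resolver or an ACME server.
"""
import base64
import hashlib
import hmac
import json
from typing import Iterable


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 8555 requires for every ACME encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required public members, lexicographically
    ordered, no whitespace, SHA-256, base64url. Optional members such as "use"
    or "kid" must be dropped, otherwise the key authorization silently differs."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT RDATA the client must publish: base64url(SHA-256(keyAuthorization)).
    The token comes from the CA per challenge, so this value is new each time."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Validation name is _acme-challenge.<domain>. A wildcard identifier
    '*.example.org' is authorized through its base name, so the record is
    published at _acme-challenge.example.org."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}."


def server_accepts(txt_records: Iterable[str], token: str, account_jwk: dict) -> bool:
    """What the CA does after querying TXT at the validation name: accept iff
    one record equals the digest for *this* challenge's token. Constant-time
    compare; non-ASCII records can never match and are skipped."""
    expected = dns01_txt_value(token, account_jwk)
    return any(r.isascii() and hmac.compare_digest(r, expected) for r in txt_records)


# Constructed sample account key (placeholder coordinates, not a real P-256 point).
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",  # optional member; must not influence the thumbprint
}


def demo() -> dict:
    """A record from an earlier issuance sits in the zone; a new challenge
    carries a new token. Only a freshly published digest is accepted."""
    old_token = "tokenFromAnEarlierIssuance"      # constructed
    new_token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed
    name = dns01_record_name("*.example.org")
    stale_zone = [dns01_txt_value(old_token, SAMPLE_ACCOUNT_JWK)]
    updated_zone = stale_zone + [dns01_txt_value(new_token, SAMPLE_ACCOUNT_JWK)]
    return {
        "name": name,
        "stale_accepted": server_accepts(stale_zone, new_token, SAMPLE_ACCOUNT_JWK),
        "fresh_accepted": server_accepts(updated_zone, new_token, SAMPLE_ACCOUNT_JWK),
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noting from the code: the wildcard and the base name share one validation name, which is why a permanently published record would cover "wildcards and stuff" for the whole domain if the CA did not bind the record to a per-challenge token; and the thumbprint step is where clients most often go wrong (extra JWK members, padded base64), which shows up as a CA-side mismatch rather than a client-side error.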