Ryan Sleevi <ryan-i...@sleevi.com> wrote:
    >> The client has control over lex.example, but can prove it with a dns-01 TXT
    >> record placed at _acme-challenge.lex.example.  Why does it matter whether it
    >> is so.me.comp.lex.example or ve.ry.so.me.comp.lex.example.
    >> or an.other.comp.lex.example??


    > The mistake you’ve made here is assuming the client has control over
    > lex.example, and thus all subdomains. The point of all of this is that is
    > an unrealistic assumption: the client may only have control over the DNS
    > zone at so.me.comp.lex.example or they might have control at the
    > me.comp.lex.example, but no control at comp.lex.example.

I don't understand.
If the client doesn't control lex.example, then why would it expect to get
any kind of control of that?
Same as without subdomains.

    > The existing approach with ACME assumes and expects that validation will be
    > done at the FQDN (this is an oversimplification, but the nuance here isn’t
    > as important).

Yes, the FULLY-QUALIFIED.  Not the public name.
dns-01 works just fine today for so.me.comp.lex.example.

The client does not demonstrate control over lex.example using dns-01 when it
asks for so.me.comp.lex.example.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
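The scoping point under discussion, as an added example that is not part of this thread: a minimal dns-01 check in the shape RFC 8555 §8.4 describes (TXT at _acme-challenge.<identifier>, value = base64url(SHA-256(token "." key thumbprint))), run against a constructed zone. The account key, token and zone contents are made up for the demonstration; only the name so.me.comp.lex.example validates, and nothing about lex.example or comp.lex.example follows from it.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: TXT RDATA = base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(identifier: str) -> str:
    """The CA queries exactly this owner name: the requested FQDN under _acme-challenge."""
    return "_acme-challenge." + identifier.rstrip(".")


def validate_dns01(identifier: str, token: str, account_jwk: dict, zone: dict) -> bool:
    """True only if a TXT at _acme-challenge.<identifier> carries the expected digest."""
    return dns01_txt_value(token, account_jwk) in zone.get(dns01_record_name(identifier), [])


# Constructed sample data (not a real key or token).
ACCOUNT_JWK = {"kty": "RSA", "n": "constructed-modulus", "e": "AQAB"}
TOKEN = "token_for_so-me-comp-lex-example"

# Constructed zone: the client could only publish a record under so.me.comp.lex.example.
ZONE = {
    dns01_record_name("so.me.comp.lex.example"): [dns01_txt_value(TOKEN, ACCOUNT_JWK)],
}


def validated_identifiers(candidates, token=TOKEN, account_jwk=ACCOUNT_JWK, zone=ZONE):
    """Return the subset of candidate names that the published TXT record validates."""
    return [name for name in candidates if validate_dns01(name, token, account_jwk, zone)]


if __name__ == "__main__":
    names = ["so.me.comp.lex.example", "comp.lex.example", "lex.example"]
    print(validated_identifiers(names))  # prints ['so.me.comp.lex.example']
```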





_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
