Ryan Sleevi <ryan-i...@sleevi.com> wrote:
>> The client has control over lex.example, but can prove it with dns-01 TXT
>> record placed at _acme-challenge.lex.example. Why does it matter whether it
>> is so.me.comp.lex.example or ve.ry.so.me.comp.lex.example.
>> or an.other.comp.lex.example??

> The mistake you’ve made here is assuming the client has control over
> lex.example, and thus all subdomains. The point of all of this is that is
> an unrealistic assumption: the client may only have control over the DNS
> zone at so.me.comp.lex.example or they might have control at the
> me.comp.lex.example, but no control at comp.lex.example.

I don't understand. If the client doesn't control lex.example, then why
would it expect to get any kind of control of that? Same as without
subdomains.

> The existing approach with ACME assumes and expects that validation will be
> done at the FQDN (this is an oversimplification, but the nuance here isn’t
> as important).

Yes, the FULLY-QUALIFIED. Not the public name. dns-01 works just fine today
for so.me.comp.lex.example. The client does not demonstrate control over
lex.example using dns-01 when it asks for so.me.comp.lex.example.

--
Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
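The dns-01 validation the reply describes, as an added example that is not part of the thread: it computes the record name and TXT value the way RFC 8555 (section 8.4) and RFC 7638 specify, then checks a constructed zone. The account key, token and DNS answers are all constructed placeholders; the point is that a record published at _acme-challenge.so.me.comp.lex.example satisfies an order for that FQDN and nothing for lex.example or comp.lex.example.

```python
import base64
import hashlib
import json

# Constructed sample account key (a JWK with placeholder coordinates) and token;
# neither comes from the thread or from any real ACME account.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate"}
SAMPLE_TOKEN = "constructed-challenge-token"


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 8555 uses for every ACME field."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members in lexicographic order."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(fqdn: str, token: str, jwk: dict) -> tuple[str, str]:
    """Owner name and TXT value the client must publish for a dns-01 challenge."""
    key_authz = f"{token}.{jwk_thumbprint(jwk)}"
    name = f"_acme-challenge.{fqdn.rstrip('.')}"
    return name, b64url(hashlib.sha256(key_authz.encode("utf-8")).digest())


def dns01_validate(fqdn: str, token: str, jwk: dict, zone: dict) -> bool:
    """Server side: look up TXT at exactly _acme-challenge.<fqdn>; no parent label is consulted."""
    name, expected = dns01_record(fqdn, token, jwk)
    return expected in zone.get(name, [])


def demo() -> dict:
    """The client publishes one record for so.me.comp.lex.example and nothing else."""
    name, value = dns01_record("so.me.comp.lex.example", SAMPLE_TOKEN, SAMPLE_JWK)
    zone = {name: [value]}  # constructed DNS answers, keyed by owner name
    return {ident: dns01_validate(ident, SAMPLE_TOKEN, SAMPLE_JWK, zone)
            for ident in ("so.me.comp.lex.example", "lex.example", "comp.lex.example")}


if __name__ == "__main__":
    for ident, ok in demo().items():
        print(f"{ident}: {'validated' if ok else 'no proof of control'}")
```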
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme