1. While this allows a wildcard policy in a parent domain to be used for validation of a child domain, it doesn't specify how the client selects which level of the domain is to be used for validation. Is the CA expected to climb the domain tree to look for an authorizing TXT record on each level?

2. CAB ballot SC-088v3 doesn't have a word about policy at all, and its wording is a blanket allowance for wildcard and subdomain validation, even if the record doesn't hold any policy or even explicitly rejects a policy, as this tag extension is to be ignored by a CA that doesn't parse it.

On 25. 10. 7. 23:40, Shiloh Heurich wrote:
Hello,

I'm pleased to announce reference implementations of the dns-persist-01 
challenge method specified in draft-sheurich-acme-dns-persist.

Two interoperable implementations are now available:

* Server (letsencrypt/pebble): 
https://github.com/sheurich/pebble/compare/main...sheurich:pebble:dns-persist-01
* Client (eggsampler/acme): 
https://github.com/sheurich/eggsampler-acme/compare/master...sheurich:eggsampler-acme:dns-persist-01

A fully automated demo script that clones both repositories and demonstrates 
end-to-end certificate issuance (regular and wildcard) is available at: 
https://gist.github.com/sheurich/82dc4bc86202497c2d6f5f0c592c2bcb

The implementations demonstrate:
- TXT record format per RFC 8659 (issuer-domain-name; accounturi=URI[; policy=wildcard])
- Persistent validation records reusable across multiple certificate requests
- Wildcard certificate policy enforcement
- Optional persistUntil timestamp support

These implementations support the current call for adoption of 
draft-sheurich-acme-dns-persist.

Feedback welcome.

Best regards,
Shiloh Heurich

_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]
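The record format named in the announcement, and the level-selection question raised in the reply, can be made concrete with a small evaluator. The following is an added example for this thread, not code from the draft, from the pebble branch, or from the eggsampler/acme branch. Because the draft text itself is not reproduced here, several points are assumptions of this example and are marked as such in the code: the record follows the CAA property grammar of RFC 8659 exactly as the announcement writes it; the optional expiry is carried in a parameter named `persistuntil` holding an RFC 3339 timestamp (the announcement only mentions "persistUntil"); the level is chosen with CAA's closest-ancestor rule (the nearest name that publishes any records decides, and a non-matching set there ends the search); and a record on a parent name authorizes a child or wildcard name only when it carries `policy=wildcard`. The DNS owner-name prefix is abstracted into a plain name-to-TXT mapping, and the zone data, account URIs and issuer name are constructed placeholders.

```python
# Added example: parse dns-persist-01 style TXT records and decide whether
# they authorize issuance for a requested name. Not the draft's, pebble's or
# eggsampler/acme's code; the rules below are this example's assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class PersistRecord:
    issuer: str
    params: dict = field(default_factory=dict)


def parse_record(txt: str) -> PersistRecord:
    """Parse 'issuer-domain-name; tag=value; tag=value' (RFC 8659 property form).

    CAA forbids ';' inside parameter values, so splitting on ';' is safe.
    Raises ValueError on an empty issuer, a parameter without '=', or a
    repeated tag, so a malformed record can never authorize anything.
    """
    parts = [p.strip() for p in txt.split(";")]
    issuer = parts[0].lower().rstrip(".")
    if not issuer:
        raise ValueError("missing issuer-domain-name")
    params = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"parameter without value: {part!r}")
        tag, value = part.split("=", 1)
        tag = tag.strip().lower()
        if tag in params:
            raise ValueError(f"duplicate parameter: {tag}")
        params[tag] = value.strip()
    return PersistRecord(issuer, params)


def is_expired(rec: PersistRecord, now: datetime) -> bool:
    """True when a persistuntil parameter (assumed name/format) is present and past.

    An unparseable or zone-less timestamp counts as expired rather than open-ended.
    """
    until = rec.params.get("persistuntil")
    if until is None:
        return False
    try:
        exp = datetime.fromisoformat(until.replace("Z", "+00:00"))
    except ValueError:
        return True
    if exp.tzinfo is None:
        return True
    return exp <= now


def authorizing_name(requested: str, issuer: str, accounturi: str,
                     zone: dict, now: datetime):
    """Return the owner name whose record authorizes `requested`, else None.

    `zone` maps a domain name to the TXT strings published for it (the real
    DNS owner-name prefix is abstracted away). Level selection is assumed to
    follow CAA's closest-ancestor rule: climb from the requested name toward
    the root, never consulting the TLD itself, and let the first name that
    has any records decide.
    """
    want_issuer = issuer.lower().rstrip(".")
    wildcard = requested.startswith("*.")
    base = requested[2:] if wildcard else requested
    labels = base.lower().rstrip(".").split(".")
    for depth in range(len(labels) - 1):
        name = ".".join(labels[depth:])
        txts = zone.get(name)
        if txts is None:
            continue
        for txt in txts:
            try:
                rec = parse_record(txt)
            except ValueError:
                continue
            if rec.issuer != want_issuer or rec.params.get("accounturi") != accounturi:
                continue
            if is_expired(rec, now):
                continue
            # Assumption: an exact-name record needs no policy; a record that is
            # being stretched to a wildcard or a child name must say policy=wildcard.
            broader = wildcard or depth > 0
            if broader and rec.params.get("policy") != "wildcard":
                continue
            return name
        return None  # the closest ancestor with records did not authorize: stop
    return None


# Constructed sample zone; issuer, account URIs and names are placeholders.
ACCT = "https://ca.example/acct/42"
SAMPLE_ZONE = {
    "example.com": ["ca.example; accounturi=https://ca.example/acct/42; policy=wildcard"],
    "locked.example.com": ["ca.example; accounturi=https://ca.example/acct/42"],
    "old.example.com": ["ca.example; accounturi=https://ca.example/acct/42; "
                        "policy=wildcard; persistuntil=2020-01-01T00:00:00Z"],
    "other.example.net": ["ca.example; accounturi=https://ca.example/acct/99"],
}
NOW = datetime(2025, 10, 7, 23, 40, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name in ["www.example.com", "*.example.com", "*.locked.example.com",
                 "x.old.example.com", "other.example.net"]:
        print(name, "->", authorizing_name(name, "ca.example", ACCT, SAMPLE_ZONE, NOW))
```

Running the block shows the consequences of the assumed rules: `www.example.com` and `*.example.com` are authorized by the `example.com` record, `*.locked.example.com` is refused because the nearest record lacks `policy=wildcard`, `x.old.example.com` is refused because the expired record on `old.example.com` ends the climb rather than falling through to the parent, and a record bound to a different account URI authorizes nothing. Whichever rule the draft finally adopts, making that stopping behaviour explicit is what keeps a stale or unrelated record from silently widening what a parent zone authorizes.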
