Hi, I filed a pull request proposing some text around the following issue [1]:
It appears to me that it is not unlikely to get a subdomain from someone else's domain. Nobody would assume that the subdomain could be used to compromise or endanger the actual domain. This is how dynamic DNS services operate: everyone can get foo.dyndns.example.

I'm concerned that an attacker might request _acme-challenge.dyndns.example and get a valid certificate for dyndns.example.

Comparing the DNS challenge scheme with other meaningful TXT records (e.g., SPF), I would suggest that the DNS challenge TXT record should maybe live on the domain's TXT record itself? E.g.:

dyndns.example IN TXT "_acme-challenge=value"

As far as I understand, this attack is not as bad because a security-conscious domain holder has their domain registered as a public suffix.

Cheers,
Frederik

[1] https://github.com/ietf-wg-acme/acme/pull/76

_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
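The two record placements discussed in the message, simulated as an added example (not code from the thread or from the ACME draft): it builds the dns-01 TXT value the way the draft defines it, base64url(SHA-256(token "." JWK thumbprint)), then checks a constructed zone under the current `_acme-challenge.<domain>` lookup, under the proposed apex-TXT lookup, and with a public-suffix policy check in front. The zone contents, token, thumbprint and suffix set are all constructed placeholders.

```python
import base64
import hashlib


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME encodes digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """TXT value the client publishes: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


# Constructed zone: a third party holding the label "_acme-challenge" under a
# dyndns-style apex publishes a challenge response there. The apex record is
# controlled by the zone owner and only carries SPF.
THIRD_PARTY_TOKEN = "token-constructed"
THIRD_PARTY_THUMB = "thumbprint-constructed"
ZONE = {
    "_acme-challenge.dyndns.example": [dns01_txt_value(THIRD_PARTY_TOKEN, THIRD_PARTY_THUMB)],
    "dyndns.example": ["v=spf1 -all"],
}
PUBLIC_SUFFIXES = {"dyndns.example"}  # constructed stand-in for a public suffix list


def validate_current_scheme(zone: dict, domain: str, token: str, thumbprint: str) -> bool:
    """Current dns-01 placement: TXT at _acme-challenge.<domain> must match."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in zone.get(f"_acme-challenge.{domain}", [])


def validate_apex_scheme(zone: dict, domain: str, token: str, thumbprint: str) -> bool:
    """Placement proposed in the message: "_acme-challenge=<value>" in the TXT of <domain>."""
    expected = f"_acme-challenge={dns01_txt_value(token, thumbprint)}"
    return expected in zone.get(domain, [])


def ca_should_issue(zone: dict, domain: str, token: str, thumbprint: str,
                    public_suffixes: set) -> bool:
    """Policy a CA can apply in front of the current scheme: refuse names that
    are registered public suffixes, the mitigation the message relies on."""
    if domain in public_suffixes:
        return False
    return validate_current_scheme(zone, domain, token, thumbprint)
```

Running the three checks against the constructed zone shows the current placement accepting the third party's record for the apex, the apex-TXT placement rejecting it, and the public-suffix policy refusing issuance regardless.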
