On 29.01.2016 16:11, moparisthebest wrote:
> Hello Frederik,
>
> On 01/29/2016 08:47 AM, Frederik Braun wrote:
>> I'm concerned that an attacker might request
>> _acme-challenge.dyndns.example and get a valid certificate for
>> dyndns.example.
>
> Does there exist a dynamic DNS service that allows setting TXT records?
> I've never seen one. Also this can also be easily mitigated by them
> just disallowing the _acme-challenge subdomain similar to the way they
> probably all disallow www.

https://freedns.afraid.org/ allows TXT records. They now forbid
_acme-challenge subdomains after I reached out.

I'm concerned that everyone having to update their blacklists[1] will
lead to more trouble.

[1] Of course, security based on black lists is not a great idea. But
that's the reality.

_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
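
Added example, not part of the original message or of any provider's code: a sketch of the provider-side check discussed in this thread, comparing a pure blacklist of subdomain labels with a check that first requires every label to be an ordinary hostname label (letters, digits, hyphen), so that `_acme-challenge` and other underscore labels are refused without being listed. The function names, the label list and the sample requests are constructed for illustration, and the stricter check assumes the provider only needs to hand out hostname labels.

```python
import re

# Constructed list of the kind the thread describes (not a real provider's list).
BLOCKED_LABELS = {"www", "_acme-challenge"}

# Hostname label: letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars.
LDH_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalize(name):
    """Lowercase and drop a trailing root dot so that '_ACME-Challenge.' is
    compared the same way as '_acme-challenge'."""
    return name.strip().lower().rstrip(".")


def blocklist_allows(requested):
    """Blacklist only: accept anything that contains no listed label."""
    labels = normalize(requested).split(".")
    return not any(label in BLOCKED_LABELS for label in labels)


def strict_allows(requested):
    """Syntax first, list second: every label must be a plain hostname label,
    then the list is consulted for ordinary names such as 'www'."""
    labels = normalize(requested).split(".")
    if not all(LDH_LABEL.fullmatch(label) for label in labels):
        return False
    return not any(label in BLOCKED_LABELS for label in labels)


# Constructed customer requests for a name under the provider's zone.
SAMPLE_REQUESTS = ["myhome", "WWW", "_acme-challenge", "_ACME-Challenge.",
                   "x._acme-challenge", "_dmarc", "-bad"]


def compare(requests):
    """Return {request: (blacklist verdict, strict verdict)}."""
    return {r: (blocklist_allows(r), strict_allows(r)) for r in requests}


if __name__ == "__main__":
    for name, (by_list, by_syntax) in compare(SAMPLE_REQUESTS).items():
        print(f"{name!r:22} blacklist={by_list!s:5} strict={by_syntax}")
```

The `_dmarc` row is the one that differs between the two checks: the blacklist accepts it until someone adds it, while the syntax check refuses it because of the leading underscore.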
