Hello everyone, we are discussing whether it is technically legal to validate the DNS challenge TXT record when the validation domain is delegated away from the domain to a different zone.
Scenario: a certificate request for domain = "foo.bar.com", which would have fqdn = "_acme-challenge.foo.bar.com". Assuming:

    bar.com IN NS ns1.bar.com

which has the record

    _acme-challenge.foo.bar.com IN NS ns.confusion.party

and ns.confusion.party has the record

    _acme-challenge.foo.bar.com IN TXT "keyauth"

The spec stipulates that: "the client must demonstrate to the server both (1) that it holds the private key of the account key pair, and (2) that it has authority over the identifier being claimed."

One could argue that requirement (2) is not satisfied when the validation domain is delegated away from the domain: creating a record under the validation domain is not indicative of control/authority of the (parent) certificate domain. On the other hand, the spec does not specifically exclude this scenario. Thoughts?
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
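Added illustration, not part of the original post or of any ACME implementation: a small in-memory model of the delegation chain described above, walked the way a CA's iterative resolver would walk it. It shows that the resolver does find the TXT at _acme-challenge.foo.bar.com (so the lookup itself succeeds), but that the answer comes from the zone apexed at _acme-challenge.foo.bar.com, served by ns.confusion.party, while the identifier foo.bar.com itself lives in bar.com; a second, constructed data set without the delegation is included for contrast. All nameserver names, IP addresses and zone contents are constructed, and "keyauth" stands in for the real dns-01 value, which is the base64url SHA-256 digest of the key authorization.

```python
"""Constructed model of the delegated dns-01 scenario (not from the original post).

Authoritative data is keyed by nameserver hostname and maps to
(zone apex served by that server, {owner name: [(rrtype, rdata), ...]}).
"""

# Scenario A, as described in the post: ns1.bar.com delegates the validation
# label to ns.confusion.party, which publishes the TXT.  All names constructed.
DELEGATED = {
    "ns1.bar.com": ("bar.com.", {
        "bar.com.": [("NS", "ns1.bar.com.")],
        "foo.bar.com.": [("A", "192.0.2.10")],
        "_acme-challenge.foo.bar.com.": [("NS", "ns.confusion.party.")],
    }),
    "ns.confusion.party": ("_acme-challenge.foo.bar.com.", {
        # "keyauth" stands in for base64url(SHA-256(key authorization)).
        "_acme-challenge.foo.bar.com.": [("TXT", "keyauth")],
    }),
}

# Scenario B, constructed for contrast: the TXT is in bar.com itself.
IN_ZONE = {
    "ns1.bar.com": ("bar.com.", {
        "bar.com.": [("NS", "ns1.bar.com.")],
        "foo.bar.com.": [("A", "192.0.2.10")],
        "_acme-challenge.foo.bar.com.": [("TXT", "keyauth")],
    }),
}


def resolve(servers, qname, qtype, start_ns="ns1.bar.com", max_hops=8):
    """Iteratively resolve qname/qtype, following NS referrals as a resolver does.

    start_ns stands in for the root/TLD referrals that lead to bar.com.
    Returns (rdata list, nameserver that answered, list of (zone cut, ns)
    referrals followed).  An empty rdata list means NODATA/NXDOMAIN.
    """
    ns, path = start_ns, []
    for _ in range(max_hops):
        apex, rrsets = servers[ns]
        answer = [rdata for rrtype, rdata in rrsets.get(qname, []) if rrtype == qtype]
        if answer:
            return answer, ns, path
        # No answer here: look for a zone cut strictly below this server's apex
        # that encloses qname, and follow the referral if one exists.
        next_ns = None
        labels = qname.split(".")
        for i in range(len(labels)):
            cut = ".".join(labels[i:])
            if cut == apex:
                break
            referral = [rdata for rrtype, rdata in rrsets.get(cut, []) if rrtype == "NS"]
            if referral:
                next_ns = referral[0].rstrip(".")
                path.append((cut, next_ns))
                break
        if next_ns is None:
            return [], ns, path
        ns = next_ns
    raise RuntimeError("referral loop or chain too long")


def zone_of(servers, name, qtype):
    """Apex of the zone that authoritatively answered name/qtype, or None."""
    rrs, ns, _ = resolve(servers, name, qtype)
    return servers[ns][0] if rrs else None


def check_dns01(servers, identifier, expected="keyauth"):
    """Model of the CA side of dns-01: fetch TXT at _acme-challenge.<identifier>
    and compare it with the expected value.  Also reports whether that TXT was
    served from a different zone than the identifier, which is the property
    the thread is asking about.  The comparison is modelled, not RFC text."""
    fqdn = "_acme-challenge." + identifier + "."
    txt, ns, path = resolve(servers, fqdn, "TXT")
    txt_zone = servers[ns][0] if txt else None
    identifier_zone = zone_of(servers, identifier + ".", "A")
    return {
        "txt_matches": expected in txt,
        "txt_zone": txt_zone,
        "identifier_zone": identifier_zone,
        "delegated_away": txt_zone is not None and txt_zone != identifier_zone,
        "referrals": path,
    }


if __name__ == "__main__":
    for label, servers in (("delegated", DELEGATED), ("in-zone", IN_ZONE)):
        print(label, check_dns01(servers, "foo.bar.com"))
```

In the delegated data set the TXT validates and the referral path records the zone cut at _acme-challenge.foo.bar.com; in the in-zone data set the same TXT validates with no referral. Whether a CA treats the first case as proof of authority over foo.bar.com is the policy question the post raises; the resolver mechanics alone do not distinguish the two.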
