Hello Jan, IMO it makes no difference whether the one who manages the domain creates a _acme-challenge.foo.bar.com TXT or NS record to delegate this to a trusted destination. Furthermore, the domain admin delegates the "has authority over the identifier being claimed" explicitly to this dns - so if the client can demonstrate the control over it, it should satisfy the spec.
It's very unlikely that someone accidentally delegates "_acme-challenge.something" because it's not a valid domain name (in fact I could not even delegate it by intent for some of my domains because the domain name is rejected by most of my domain registrar's nameserver tools).

> Hello everyone,
>
> we are discussing whether it is technically legal to validate the DNS
> challenge TXT record when the validation domain is delegated away from
> the domain to a different zone.
>
> Scenario: a certificate request for domain = "foo.bar.com", which would
> have fqdn = "_acme-challenge.foo.bar.com".
>
> Assuming bar.com IN NS ns1.bar.com
>
> which has a record
>
> _acme-challenge.foo.bar.com IN NS ns.confusion.party
>
> and ns.confusion.party has the record
>
> _acme-challenge.foo.bar.com IN TXT "keyauth"
>
> The spec stipulates that:
>
> "the client must demonstrate to the server both (1) that it holds the
> private key of the account key pair, and (2) that it has authority
> over the identifier being claimed."
>
> One could argue that requirement (2) is not satisfied when the
> validation domain is delegated away from the domain: Creating a record
> under the validation domain is not indicative of control/authority of
> the (parent) certificate domain.
>
> On the other hand, the spec does not specifically exclude this scenario.
>
> Thoughts?
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
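The scenario in the quoted message hinges on one fact a validating party can observe: the `_acme-challenge` name is answered from a different zone (and a different nameserver) than the identifier itself. The following is an added example, not code from the thread or from any ACME implementation; it models the quoted zone layout as constructed in-memory data, walks the referral chain the way a resolver would, and reports whether the validation name has been delegated away from the identifier's zone so that a CA or domain owner can log or apply policy to that case. Nameserver names, the `SERVERS` and `PARENT_REFERRALS` tables, and the `baz.bar.com` control case are assumptions made for the example.

```python
"""Detect when _acme-challenge.<domain> is served from a different zone than <domain>.

Added example (not from the ACME list thread). All DNS data below is constructed
to mirror the scenario in the quoted message; no network lookups are performed.
"""
from typing import Dict, List, Tuple

Record = Tuple[str, str]            # (rrtype, rdata)
ZoneData = Dict[str, List[Record]]  # owner name -> records held by one server

# Constructed authoritative data per nameserver. An "SOA" record marks the apex
# of a zone the server is authoritative for; an "NS" record below that apex is
# a delegation (zone cut) to another server.
SERVERS: Dict[str, ZoneData] = {
    "ns1.bar.com.": {
        "bar.com.": [("SOA", "ns1.bar.com. hostmaster.bar.com.")],
        "foo.bar.com.": [("A", "192.0.2.10")],
        # The quoted case: the validation name is delegated away.
        "_acme-challenge.foo.bar.com.": [("NS", "ns.confusion.party.")],
        # Control case (assumed): validation name kept in the same zone.
        "_acme-challenge.baz.bar.com.": [("TXT", "keyauth-local")],
    },
    "ns.confusion.party.": {
        "_acme-challenge.foo.bar.com.": [
            ("SOA", "ns.confusion.party. hostmaster.confusion.party."),
            ("TXT", "keyauth"),
        ],
    },
}
# Constructed stand-in for the parent (TLD) referral: zone apex -> nameserver.
PARENT_REFERRALS: Dict[str, str] = {"bar.com.": "ns1.bar.com."}


def ancestors(name: str) -> List[str]:
    """Return the name and each of its parent names, longest first."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def authoritative_lookup(name: str, server: str) -> Tuple[str, str, List[Record]]:
    """Query one server for name.

    Returns ("answer", zone_apex, records) when the server serves the zone the
    name lies in, or ("referral", cut, ns_records) when it holds a delegation
    for the name below its apex.
    """
    data = SERVERS[server]
    for candidate in ancestors(name):
        rrs = data.get(candidate, [])
        if any(t == "SOA" for t, _ in rrs):
            return ("answer", candidate, data.get(name, []))
        if any(t == "NS" for t, _ in rrs):
            return ("referral", candidate, [r for r in rrs if r[0] == "NS"])
    return ("answer", "", [])


def resolve(name: str, max_hops: int = 8) -> Tuple[str, str, List[Record]]:
    """Follow referrals from the parent; return (server, zone_apex, records)."""
    server = next(PARENT_REFERRALS[a] for a in ancestors(name) if a in PARENT_REFERRALS)
    for _ in range(max_hops):
        kind, cut, rrs = authoritative_lookup(name, server)
        if kind == "answer":
            return (server, cut, rrs)
        server = rrs[0][1]  # follow the first NS target of the referral
    raise RuntimeError("too many referrals while resolving " + name)


def validation_zone_report(domain: str) -> Dict[str, object]:
    """Compare where <domain> and _acme-challenge.<domain> are served from."""
    domain = domain.rstrip(".") + "."
    challenge = "_acme-challenge." + domain
    d_server, d_zone, _ = resolve(domain)
    c_server, c_zone, c_rrs = resolve(challenge)
    return {
        "identifier_zone": d_zone,
        "identifier_server": d_server,
        "challenge_zone": c_zone,
        "challenge_server": c_server,
        # True when the validation name lives in a zone other than the identifier's.
        "delegated_away": c_zone != d_zone,
        "txt": [rdata for t, rdata in c_rrs if t == "TXT"],
    }


if __name__ == "__main__":
    for d in ("foo.bar.com", "baz.bar.com"):
        print(d, validation_zone_report(d))
```

The report does not decide the policy question raised in the thread; it only surfaces the observable fact (`delegated_away`, together with the server that actually answered) so that whoever validates the challenge can record it or require explicit confirmation of the delegation.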
