On Tue, Feb 9, 2016 at 12:29 PM, Jan Broer <[email protected]> wrote:
> Hello everyone,
>
> we are discussing whether it is technically legal to validate the DNS
> challenge TXT record when the validation domain is delegated away from the
> domain to a different zone.
>

So, I find the phrase "delegated away" a bit inexact here. Are you
concerned primarily with the case where there is an organizational boundary
which is non-obvious (a la dbound)? With the case where there is simply a
set of nameservers but no organizational boundary? Both?

> Scenario: a certificate request for domain = "foo.bar.com", which would
> have fqdn = "_acme-challenge.foo.bar.com".
>
> Assuming bar.com IN NS ns1.bar.com
>
> which has a record
>
> _acme-challenge.foo.bar.com IN NS ns.confusion.party
>
> and ns.confusion.party has the record
>
> _acme-challenge.foo.bar.com IN TXT "keyauth"
>
> The spec stipulates that:
>
> "the client must demonstrate to the server both (1) that it holds the
> private key of the account key pair, and (2) that it has authority over the
> identifier being claimed."
>
> One could argue that requirement (2) is not satisfied when the validation
> domain is delegated away from the domain: Creating a record under the
> validation domain is not indicative of control/authority of the (parent)
> certificate domain.
>
> On the other hand, the spec does not specifically exclude this scenario.
>

Just to be clear, in this scenario the client is capable of provisioning the
nameserver at confusion.party?

> Thoughts?
>
>

regards, Ted

> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
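The scenario quoted above, worked as an added example that is not part of the thread and not code from any ACME implementation: a small offline resolver over constructed zone data (the records for bar.com and confusion.party below are made up to mirror the scenario, plus a second, non-delegated name baz.bar.com for contrast) that finds the closest enclosing zone cut for both the certificate domain and its _acme-challenge owner name and reports whether the validation name is served from a different zone and by different nameservers than the certificate domain. The CA policy decision, whether such a delegation satisfies requirement (2), is left to the caller; the code only surfaces the boundary.

```python
"""Locate the zone cut above an ACME dns-01 validation name and compare it
with the zone cut above the certificate domain (constructed example)."""
from dataclasses import dataclass

# Constructed delegation data mirroring the thread's scenario. Not real DNS.
# Note that the NS record delegating _acme-challenge.foo.bar.com lives in the
# bar.com zone, i.e. it was created by whoever controls bar.com.
NS_RECORDS = {
    "com.": {"a.gtld-servers.net."},
    "bar.com.": {"ns1.bar.com."},
    "_acme-challenge.foo.bar.com.": {"ns.confusion.party."},
    "party.": {"ns.party-tld.example."},
    "confusion.party.": {"ns.confusion.party."},
}

# Constructed TXT data: the delegated challenge name (served by
# ns.confusion.party) and a non-delegated one served from bar.com itself.
TXT_RECORDS = {
    "_acme-challenge.foo.bar.com.": ["keyauth"],
    "_acme-challenge.baz.bar.com.": ["other-keyauth"],
}


def fqdn(name):
    """Normalise to a lower-case, dot-terminated owner name."""
    return name.lower().rstrip(".") + "."


def ancestors(name):
    """Yield the name itself, then each parent up to (not including) the root."""
    labels = fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def zone_cut(name):
    """Return (zone_apex, nameservers) of the closest enclosing delegation.

    Walks from the name towards the root and stops at the first owner that
    carries NS records; that owner is the apex of the zone serving `name`.
    """
    for candidate in ancestors(name):
        if candidate in NS_RECORDS:
            return candidate, frozenset(NS_RECORDS[candidate])
    raise LookupError("no delegation found for " + name)


@dataclass(frozen=True)
class DelegationCheck:
    cert_zone: str
    cert_ns: frozenset
    challenge_zone: str
    challenge_ns: frozenset
    txt: tuple

    @property
    def crosses_zone_cut(self):
        """True when a zone boundary lies between the domain and its challenge name."""
        return self.challenge_zone != self.cert_zone

    @property
    def foreign_nameservers(self):
        """True when no nameserver is shared between the two zones."""
        return self.challenge_ns.isdisjoint(self.cert_ns)

    @property
    def delegated_away(self):
        """The situation the thread asks about: different zone, different servers."""
        return self.crosses_zone_cut and self.foreign_nameservers


def check_dns01_delegation(domain):
    """Compare the zone serving `domain` with the zone serving its challenge name."""
    owner = "_acme-challenge." + fqdn(domain)
    cert_zone, cert_ns = zone_cut(domain)
    challenge_zone, challenge_ns = zone_cut(owner)
    txt = tuple(TXT_RECORDS.get(owner, []))
    return DelegationCheck(cert_zone, cert_ns, challenge_zone, challenge_ns, txt)


if __name__ == "__main__":
    for d in ("foo.bar.com", "baz.bar.com"):
        r = check_dns01_delegation(d)
        print(d, "cert zone:", r.cert_zone, "challenge zone:", r.challenge_zone,
              "delegated away:", r.delegated_away, "TXT:", r.txt)
```

Against real DNS the same walk is done by querying NS at each ancestor of the challenge name; the point that matters for the policy question is that the delegating NS record is itself a record in the parent zone, so the operator of bar.com chose to hand the challenge name to ns.confusion.party, which is what the thread is asking whether a CA may rely on.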
