I think so too. But I also think that, while talking about wildcard validation in DNS, it would be pretty interesting to bring this up: https://github.com/ietf-wg-acme/acme/issues/89. In short, this would let the dns-challenge walk up, meaning that if you have already completed the challenge for a higher-level domain you automatically also count as authorized for a subdomain.
This would also be nice because the randomness of the token makes it REALLY annoying to create a large SAN cert in a manual environment (e.g. there's no proper client for your use case, machine etc.). Before the DNS challenge was a thing I had to copy the strings for webroot/http-01 auth from my SSH session to my computer (while making sure not to hit Ctrl-C, because it doesn't copy but cancels in a terminal, making it even more annoying than it already is).

Regards.

2016-03-21 9:02 GMT+01:00 Niklas Keller <[email protected]>:

>> i would propose for either http or dns verification requiring at least a
>> temporary wildcard in dns
>> then for the verification server to either lookup
>>
>> http://random-generated.domain.tld/.well-known/acme-challenge/challenge-string
>
> That's not possible, because several providers allow the registration of
> any subdomain, e.g. DynDNS providers.
>
>> dns verification is trickier but could require instead of
>> _acme-challenge.example.com. 300 IN TXT "token"
>>
>> _acme-challenge.challenge-string.example.com. 300 IN TXT "token"
>
> For DNS challenges, I think it's fine when _acme-challenge.example.com
> authorizes *.example.com.
>
>> for example or
>> _acme-challenge._wildcard_.example.com. 300 IN TXT "token"
>>
>> or to demonstrate the ability to create wildcards
>> random-generated._acme-challenge.example.com. 300 IN TXT "token"
>>
>> as this would require the applicant to set up
>> *._acme-challenge.example.com.
>>
>> i hope this is the right place; if not please feel free to redirect me, as
>> either way acme is a huge leap forward in cert issuance and improving
>> reliability through automation
>
> Regards, Niklas
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
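The two validation behaviours discussed in this thread, as an added example that is not code from the thread or from any ACME implementation: a dns-01 check that strips a leading "*." and looks at _acme-challenge of the base name (what RFC 8555 ended up specifying for wildcards), and the "walk up" variant from the linked issue that also tries the parents. The thumbprint, token, the in-memory resolver dictionary and the registrable domain "example.com" are all constructed for the example; a real server would look the TXT records up over DNS and derive the stop point from the Public Suffix List.

```python
import base64
import hashlib
import hmac

# Constructed example values (not from the thread): an ACME account key
# thumbprint and a server-issued challenge token, in the base64url form
# RFC 8555 uses for both.
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def dns01_expected_txt(token, thumbprint):
    """TXT value a dns-01 validator looks for, per RFC 8555 section 8.4:
    base64url(SHA-256(token "." thumbprint)) with the '=' padding stripped."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def candidate_names(identifier, registrable_domain, walk_up=False):
    """Names to query for the challenge TXT record, most specific first.

    A leading "*." is dropped, so "*.example.com" is validated at
    _acme-challenge.example.com (RFC 8555 wildcard handling). With
    walk_up=True the parents are tried as well; that is the proposal in
    the linked issue, not RFC 8555 behaviour. The walk stops at
    registrable_domain (assumed known here); an identifier outside it
    yields no candidates, so the check can never climb into a public suffix.
    """
    name = identifier[2:] if identifier.startswith("*.") else identifier
    if name != registrable_domain and not name.endswith("." + registrable_domain):
        return []
    names = []
    current = name
    while True:
        names.append(f"_acme-challenge.{current}")
        if current == registrable_domain or not walk_up:
            break
        current = current.split(".", 1)[1]
    return names


def validate_dns01(identifier, token, thumbprint, resolver, registrable_domain, walk_up=False):
    """Return the name at which a matching TXT record was found, else None.

    `resolver` is a dict name -> list of TXT strings standing in for real
    DNS lookups (an assumption of this example).
    """
    expected = dns01_expected_txt(token, thumbprint)
    for qname in candidate_names(identifier, registrable_domain, walk_up):
        for txt in resolver.get(qname, []):
            # The expected value is not secret, but compare authenticators
            # in constant time as a matter of habit.
            if hmac.compare_digest(txt, expected):
                return qname
    return None


# Constructed DNS view: the operator published the challenge only at the
# zone apex, as the "_acme-challenge.example.com authorizes *.example.com"
# proposal in the thread would have them do. The stale record under the
# host name shows that a wrong value does not match.
FAKE_DNS = {
    "_acme-challenge.example.com": [dns01_expected_txt(TOKEN, THUMBPRINT)],
    "_acme-challenge.www.api.example.com": ["stale-value-from-last-week"],
}


if __name__ == "__main__":
    for ident, walk in [("www.api.example.com", False),
                        ("www.api.example.com", True),
                        ("*.example.com", False)]:
        found = validate_dns01(ident, TOKEN, THUMBPRINT, FAKE_DNS, "example.com", walk)
        print(f"{ident} walk_up={walk} -> {found}")
```

Run as a script it shows the difference the thread is about: with the strict check, www.api.example.com fails because only the apex record exists; with walk-up it succeeds via _acme-challenge.example.com; the wildcard succeeds either way. The stop condition matters as much as the walk itself, since without it the loop would eventually query _acme-challenge.com.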
