Hi,
(This is a repost to the mailing list as requested by Jacob Hoffman-Andrews.)
I am working on a letsencrypt client and read your draft.
I am thinking that there is (maybe) an incoherence and complication in
the DNS challenge.
If I understood your draft correctly, the DNS record MUST be like this:
_acme-challenge.example.com. IN TXT digest(token.thumbprint)
The small problem is that with an RSA key of length 4096, the digest has a
length of 684 in my case.
The complication is that popular DNS servers and providers don't accept
TXT data of more than 255 characters.
I don't remember the RFC describing that this string can be split over
multiple 255-long records, but a problem remains with DNS servers
randomizing the order of answers.
(In my case I use my domain registrar's DNS and it misses this feature in
the interface.)
I re-read the domain RFC; it states that a subdomain can be up to 63 characters
long, so why not mirror the DNS challenge on the HTTP one?
An idea would be to have:
_acme-challenge.token IN TXT token.thumbprint
I don't know if this was designed to avoid a 3rd party recovering the token
and thumbprint with an AXFR request, but it's possible to retrieve the
thumbprint all the same with the HTTP check if the configuration is
something like:
RewriteEngine on
RewriteOptions InheritBefore
RewriteRule /\.well\-known/acme\-challenge/([-_a-zA-Z0-9]+)
/path/acme.cgi?key=$1
+
RewriteEngine on in default+wanted virtualhosts
Or an
Options +Indexes on the .well-known/acme-challenge directory.
So would it be possible to use my proposal for the DNS check?
(It seems disabled in a lot of letsencrypt clients because of
implementation difficulties.)
Best regards
_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
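As an added example (not part of the original post and not the ACME project's code): the DNS challenge value as specified in RFC 8555 section 8.4 is base64url(SHA-256(token '.' thumbprint)), which is 43 characters whatever the account key size, and a longer TXT value can be carried as several 255-octet RFC 1035 character-strings inside one record. The JWK modulus and the token below are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json

# Constructed sample JWK: 'n' is a placeholder string, not a real RSA modulus.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key_0123456789"}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: the string the HTTP challenge serves verbatim."""
    return token + "." + jwk_thumbprint(jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS challenge value: base64url(SHA-256(keyAuthorization)).
    A SHA-256 digest is 32 bytes, so this is always 43 characters."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def split_txt_rdata(value: str, limit: int = 255) -> list:
    """RFC 1035 <character-string>s hold at most 255 octets, so a longer TXT value is
    split into several strings of ONE record. Strings inside a single RR keep their
    order; only separate RRs of an RRset may come back in random order."""
    raw = value.encode("ascii")
    return [raw[i:i + limit].decode("ascii") for i in range(0, len(raw), limit)]


def txt_record(owner: str, value: str) -> str:
    """Zone-file line for the challenge record, one quoted string per 255-octet chunk."""
    strings = " ".join('"%s"' % s for s in split_txt_rdata(value))
    return "%s. IN TXT %s" % (owner, strings)


if __name__ == "__main__":
    value = dns01_txt_value("sample-token", SAMPLE_JWK)  # constructed token
    print(txt_record("_acme-challenge.example.com", value))
```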