Sounds great, this would lift a huge burden from users. As noted by Joona in the "Trust and security" thread, foreseeable automation options for the existing DNS challenge are really lacking, and improvements there would either require a lot of retooling by e.g. DNS hosts, or convoluted solutions like end-users having to run their own ACME-DNS kinds of services.
One potential issue: there are a number of DNS providers that do not permit underscores in CNAME (or NS, for that matter) labels, whilst permitting them in TXT labels. It may be worthwhile to do a survey of DNS hosts of domains using Let's Encrypt to check what this looks like in the real world.

On Tue, Jan 23, 2018, at 12:09 PM, Jacob Hoffman-Andrews wrote:

> In effect, the CNAME record would act like a long-term delegation permitting the CA to issue continuously for the base domain.

I can imagine that this introduces a new risk of domain administrators "forgetting" about having made a long-term delegation of _acme-challenge to the CA and unwittingly authorizing an account key to issue certificates for any name longer than intended. Any need to mitigate this?

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
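The "forgotten delegation" risk raised in this message is easiest to keep in view if the zone is audited periodically for standing `_acme-challenge` CNAMEs. The following is an added example, not code from this thread or from any ACME client or CA: it scans a set of constructed zone records, picks out every CNAME whose leading label is `_acme-challenge`, works out which name that record validates, and flags delegations whose target lies outside the zone (a long-term hand-off of validation to a third party). The zone name, hostnames and CNAME targets are all made up for illustration.

```python
"""Audit zone records for long-lived _acme-challenge CNAME delegations.

Added example with constructed data; none of the names below are real.
"""
from dataclasses import dataclass
from typing import List, Tuple

ACME_LABEL = "_acme-challenge"


@dataclass(frozen=True)
class Record:
    """One resource record as it might be exported from a zone file."""
    name: str
    rtype: str
    rdata: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.rstrip(".").lower()


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is the zone apex or lies beneath it."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def acme_delegations(records: List[Record], zone: str) -> List[Tuple[str, str, bool]]:
    """Return (validated_name, cname_target, external) for each _acme-challenge CNAME.

    `validated_name` is the name a DNS-01 challenge at this record would prove control
    of; `external` is True when the CNAME target is outside `zone`, i.e. a delegation
    of validation to another operator (the case the thread worries about).
    """
    found = []
    for rec in records:
        if rec.rtype.upper() != "CNAME":
            continue
        labels = normalize(rec.name).split(".")
        if labels[0] != ACME_LABEL:
            continue
        validated = ".".join(labels[1:])
        target = normalize(rec.rdata)
        found.append((validated, target, not in_zone(target, zone)))
    return found


def report(records: List[Record], zone: str) -> List[str]:
    """Human-readable lines, one per delegation, external ones marked for review."""
    lines = []
    for validated, target, external in acme_delegations(records, zone):
        tag = "EXTERNAL DELEGATION - review" if external else "in-zone alias"
        lines.append(f"{validated}: _acme-challenge -> {target} [{tag}]")
    return lines


# Constructed zone export for the demonstration.
ZONE = "example.com"
RECORDS = [
    Record("_acme-challenge.example.com.", "CNAME", "abc123.validation.ca.example.net."),
    Record("_acme-challenge.www.example.com.", "CNAME", "_acme-challenge.example.com."),
    Record("_acme-challenge.mail.example.com.", "TXT", "constructed-token-value"),
    Record("www.example.com.", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    for line in report(RECORDS, ZONE):
        print(line)
```

Running the block prints one line per `_acme-challenge` CNAME; in the constructed zone the apex record is an external delegation (the standing grant Jacob describes), while the `www` record merely aliases back into the zone and is reported as in-zone. The TXT record is ignored because it is a one-off challenge response rather than a delegation.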
