On Tue, Jan 23, 2018 at 07:53:12PM +0000, Tim Hollebeek wrote:
>
> > Oh, and the method very similar to the proposed one (involving static CNAME as
> > persistent authentication) is being used in the wild. And due to fundamental
> > nature of DNS, even static zone can result in variable results for names under the
> > zone.
>
> By who? I don't think it's possible for such a method to be compliant with any
> of the current BR methods. If it is, we'll fix it.

Amazon ACM DNS validation based on descriptions I have seen. And the reading
that it complies with 10 methods is way less bizarre than the reading that
ACME HTTP-01 complies.

And DNS specifications are darn clear that TXT lookups chase CNAMEs.

And CNAMEs are not the only authority transfer mechanism. And then there are
DNS servers that can run arbitrary computable impure(!) functions to answer
queries. Versus those you do not even have a snowball's chance in hell.

-Ilari
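
The CNAME-chasing behaviour mentioned in the message above, as an added example that is not part of the original thread: a minimal resolver over constructed zone data showing that a TXT query at a name holding a static CNAME is answered from the alias target, plus an audit helper that lists names whose validation answer is controlled elsewhere. All names, values and the chain limit are made-up assumptions.

```python
# Constructed zone data: (owner name, record type) -> list of values.
# Every name and value here is an illustrative placeholder.
ZONE = {
    ("_acme-challenge.example.com.", "CNAME"): ["token1.validation.example.net."],
    ("token1.validation.example.net.", "TXT"): ["constructed-challenge-value"],
    ("_acme-challenge.direct.example.com.", "TXT"): ["constructed-direct-value"],
    ("a.loop.example.", "CNAME"): ["b.loop.example."],
    ("b.loop.example.", "CNAME"): ["a.loop.example."],
}

MAX_CHAIN = 8  # assumed limit; real resolvers choose their own


class ResolutionError(Exception):
    """Raised when a CNAME chain loops or exceeds MAX_CHAIN."""


def resolve(name, rtype, zone=ZONE):
    """Return (answers, chain); chain lists every owner name visited."""
    chain = [name.lower()]
    while True:
        current = chain[-1]
        # A record of the requested type at this name ends the lookup.
        if (current, rtype) in zone:
            return zone[(current, rtype)], chain
        # Otherwise a CNAME here restarts the query at its target.
        alias = zone.get((current, "CNAME"))
        if alias is None:
            return [], chain
        target = alias[0].lower()
        if target in chain or len(chain) >= MAX_CHAIN:
            raise ResolutionError(f"CNAME loop or chain too long at {current}")
        chain.append(target)


def answering_name(name, rtype="TXT", zone=ZONE):
    """Owner name that actually supplies the answer, or None if no answer."""
    answers, chain = resolve(name, rtype, zone)
    return chain[-1] if answers else None


def delegated(names, zone=ZONE):
    """Audit helper: map each name to the different name that answers its TXT."""
    found = {}
    for n in names:
        final = answering_name(n, "TXT", zone)
        if final is not None and final != n.lower():
            found[n] = final
    return found
```

Running `delegated()` over the validation names a domain publishes shows which of them hand the answer to another zone's operator.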
