On Wed, Jan 24, 2018 at 05:54:56PM +0000, Tim Hollebeek wrote:
> So, if what is below can actually be made to work, it would be very
> interesting as it would be a demonstration of how to use CNAME to evade
> the intent of the current BR validation requirements! Luckily I don't
> think it works.
>
> "_acme-challenge.label-to-validate.example.com CNAME
> _acme-challenge.label-to-validate.example.com.account-id-ref-to-account-pubkey.shard1.dynamic-dns-service.theca.example.net"
>
> If this succeeds, you are ONLY allowed to issue for
> "_acme-challenge.label-to-validate.example.com" and not
> "label-to-validate.example.com". I realize there's a proposal in this
> thread to change that but I think this discussion shows why that would be
> a very bad idea and would weaken the existing Baseline Requirements.

There is no "proposal" to allow it, it _is_ allowed by the BRs, the very
definition of DNS validation.

-Ilari

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
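The CNAME delegation quoted in the thread, worked through as an added example (not code from the thread or from any ACME implementation): a DNS-01 check that follows the `_acme-challenge` CNAME to the TXT record hosted elsewhere and, on success, authorizes only the base name, which is the behaviour RFC 8555 section 8.4 specifies. The token, account-key thumbprint and mock zone are constructed; the dynamic-DNS target name is the one from the thread.

```python
import base64
import hashlib

# Constructed values for this example; the delegation target is the name quoted in the thread.
IDENTIFIER = "label-to-validate.example.com"
DELEGATED = ("_acme-challenge.label-to-validate.example.com."
             "account-id-ref-to-account-pubkey.shard1.dynamic-dns-service.theca.example.net")
TOKEN = "constructed-challenge-token"
THUMBPRINT = "constructed-account-key-thumbprint"


def key_authorization_digest(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value is base64url(SHA-256(token '.' thumbprint)), unpadded."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_mock_zone(token: str, thumbprint: str) -> dict:
    """Constructed zone: the challenge label is a CNAME, the TXT lives at the delegation target."""
    return {
        "_acme-challenge." + IDENTIFIER: ("CNAME", DELEGATED),
        DELEGATED: ("TXT", [key_authorization_digest(token, thumbprint)]),
    }


def resolve_txt(zone: dict, name: str, max_cnames: int = 8) -> list:
    """Follow CNAMEs as a resolver would and return the TXT strings at the end of the chain."""
    for _ in range(max_cnames + 1):
        rtype, data = zone.get(name.lower(), (None, None))
        if rtype == "CNAME":
            name = data
            continue
        return list(data) if rtype == "TXT" else []
    raise RuntimeError("CNAME chain too long or looping")


def validate_dns01(zone: dict, identifier: str, token: str, thumbprint: str):
    """Return the identifier the challenge authorizes (the base name, never the
    _acme-challenge name), or None if the expected TXT value is not found."""
    expected = key_authorization_digest(token, thumbprint)
    if expected in resolve_txt(zone, "_acme-challenge." + identifier):
        return identifier
    return None
```

The CNAME hop changes where the TXT record is hosted, not what passing the challenge authorizes: the returned identifier is always the base name the challenge was issued for.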