Section 8.4 of the ACME spec says:

To validate a DNS challenge, the server performs the following steps:

1. Compute the SHA-256 digest of the stored key authorization
2. Query for TXT records for the validation domain name
3. Verify that the contents of one of the TXT records match the digest value
Regarding point 2, it's not explained exactly what is queried for the TXT records. I've not gone looking at Boulder code, but from some message board postings, it seems like one of the authoritative DNS servers for the domain is queried. It'd be nice if the spec could include this information, to make writing automated clients easier.

In practical terms, only nameservers authoritative for the domain need to be updated (no need to worry about any other caching effects), and all such nameservers need to be updated (because the ACME server will choose an arbitrary nameserver from that list).

Thanks,
Danek

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
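The steps quoted from section 8.4, and the practical consequence raised in the message (every authoritative nameserver must carry the record, because the validating server may pick any of them), worked through in Python as an added example. This is not code from the ACME spec, from Boulder, or from the poster: it derives the key authorization and the DNS-01 TXT value the way RFC 8555 describes (key authorization = token "." JWK thumbprint per RFC 7638; TXT value = base64url of SHA-256 over the key authorization, no padding), and then applies the server's check against a constructed table of TXT answers standing in for what each authoritative nameserver would return. The account key, token, domain and nameserver names are constructed placeholders, and the "answers per nameserver" dictionary replaces a real DNS lookup so the example runs offline.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME / JWS require (RFC 7515 Appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(key_authz: str) -> str:
    """Step 1 of section 8.4: the digest the TXT record must contain."""
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def validation_name(domain: str) -> str:
    """The validation domain name for dns-01: _acme-challenge prefixed to the identifier."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def server_check(key_authz: str, txt_records: list[str]) -> bool:
    """Steps 1 and 3 of section 8.4 against the TXT answers from ONE nameserver."""
    return dns01_txt_value(key_authz) in txt_records


def all_authoritative_ready(key_authz: str, answers_by_nameserver: dict) -> dict:
    """Client-side pre-check reflecting the poster's point: since the validating
    server may query any authoritative nameserver, the record has to be visible
    on all of them. Returns a per-nameserver verdict plus an overall 'ready' flag."""
    per_ns = {ns: server_check(key_authz, recs) for ns, recs in answers_by_nameserver.items()}
    per_ns["ready"] = all(per_ns.values())
    return per_ns


# Constructed placeholders (not a real key; the coordinates are arbitrary base64url text).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "placeholder-x-coordinate-base64url",
               "y": "placeholder-y-coordinate-base64url"}
TOKEN = "constructed-token-value"
DOMAIN = "example.test"

if __name__ == "__main__":
    ka = key_authorization(TOKEN, ACCOUNT_JWK)
    txt = dns01_txt_value(ka)
    print(validation_name(DOMAIN), "IN TXT", f'"{txt}"')
    # Constructed answers: ns2 has not been updated yet, so validation may fail
    # depending on which server the ACME server happens to pick.
    answers = {"ns1.example.test.": [txt], "ns2.example.test.": []}
    print(all_authoritative_ready(ka, answers))
```

The `answers_by_nameserver` table is where a real client would plug in a query to each NS listed for the zone; the example keeps it as data so the check itself is what runs.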