Section 8.4 of the ACME spec says:

    To validate a DNS challenge, the server performs the following steps:
      1. Compute the SHA-256 digest of the stored key authorization
      2. Query for TXT records for the validation domain name
      3. Verify that the contents of one of the TXT records match the
         digest value

Regarding point 2, it's not explained exactly what is queried for the
TXT records. I've not gone looking at Boulder code, but from some
message board postings, it seems like one of the authoritative DNS
servers for the domain is queried. It'd be nice if the spec could
include this information, to make writing automated clients easier.

In practical terms, only nameservers authoritative for the domain need
to be updated (no need to worry about any other caching effects) and
all such nameservers need to be updated (because the ACME server will
choose an arbitrary nameserver from that list).

Thanks,
Danek
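A client-side pre-check for the point raised above, added here as an example that is not part of this thread or of any ACME implementation: it computes the TXT value the spec's step 1 calls for (RFC 8555 encodes the SHA-256 digest with unpadded base64url) and reports ready only when every authoritative nameserver serves it, since the ACME server may query any one of them. The key authorization, nameserver names and their TXT answers are constructed sample data; issuing the real NS and TXT queries is assumed to be done by the caller.

```python
import base64
import hashlib


def dns01_txt_value(key_authorization: str) -> str:
    """Expected TXT record contents for a dns-01 challenge.

    RFC 8555 section 8.4: base64url(SHA-256(key authorization)) with the
    trailing '=' padding removed, i.e. 43 characters for a 32-byte digest.
    """
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_each_nameserver(key_authorization, txt_by_nameserver):
    """Per-nameserver result: True if any TXT record there matches.

    txt_by_nameserver maps each authoritative nameserver to the TXT strings
    it currently answers for _acme-challenge.<domain>. Collecting them (an
    NS lookup, then a TXT query sent directly to each server rather than
    through a recursive resolver) is left to the caller.
    """
    expected = dns01_txt_value(key_authorization)
    return {ns: expected in records for ns, records in txt_by_nameserver.items()}


def safe_to_request_validation(key_authorization, txt_by_nameserver):
    """True only when every authoritative nameserver serves the record.

    The ACME server may pick any one of them, so a single lagging server
    is enough to fail the challenge.
    """
    results = check_each_nameserver(key_authorization, txt_by_nameserver)
    return bool(results) and all(results.values())


# Constructed sample data: a made-up "<token>.<account key thumbprint>" and
# the TXT answers three hypothetical authoritative servers would return.
KEY_AUTHORIZATION = "DGyRejmCefe7v4NfDGDKfA.nP1qzpXGymHBrUEepNY9HCsZb1pFedx_xBn4g2bqLiw"
EXPECTED_TXT = dns01_txt_value(KEY_AUTHORIZATION)
NAMESERVER_ANSWERS = {
    "ns1.example.net": [EXPECTED_TXT],
    "ns2.example.net": ["v=spf1 -all", EXPECTED_TXT],   # unrelated record too
    "ns3.example.net": ["old-value-from-a-previous-order"],  # not yet updated
}

if __name__ == "__main__":
    print(check_each_nameserver(KEY_AUTHORIZATION, NAMESERVER_ANSWERS))
    print("ready:", safe_to_request_validation(KEY_AUTHORIZATION, NAMESERVER_ANSWERS))
```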

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme