On Tue, Oct 28, 2025 at 12:04 AM Seo Suchan <[email protected]> wrote:
> 1. While this allows a wildcard policy in the parent domain to be used for
> validation of a child domain, it doesn't specify how the client selects
> which level of domain is to be used for validation. Is the CA expected to
> climb the domain tree to look for an authorizing TXT record at each level?

Expected to? No. But the CA may, if they want to. This is already encoded in the Baseline Requirements in the form of the "Authorization Domain Name", which may be derived from the applied-for domain name via a number of mechanisms, including pruning domain labels from left to right (i.e. climbing to "parent" domains).

Within the ACME protocol, I think it's much more likely that the CA would do this tree-climbing at *order creation time*, not at validation time. If a subscriber requests a certificate for *.shop.example.com, and the CA already has a cached dns-persist-01 validation for example.com, they may populate the order object with that pre-validated authorization.

I think it's comparatively unlikely that the CA would do this tree-climbing at validation time, since that's expensive, and the CA and the subscriber would want a way to agree on which level to place the record at.
_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]
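The order-creation-time lookup described in the reply, as an added illustration that is not part of the thread or of any ACME implementation: the CA prunes labels from the applied-for name left to right (the Baseline Requirements' Authorization Domain Name derivation) and reuses the most specific cached, unexpired dns-persist-01 authorization it finds. The cache layout, the expiry-based validity rule, and the tiny stand-in public-suffix set are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for a public-suffix list; a real CA would consult the
# full PSL so that pruning never stops at a bare public suffix.
PUBLIC_SUFFIXES = {"com", "co.uk"}


def authorization_candidates(fqdn: str) -> list[str]:
    """Return the applied-for name followed by each parent domain, most
    specific first, stopping before a public suffix (the ADN derivation
    the reply refers to: pruning labels from left to right)."""
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a wildcard is authorized at its base domain
    labels = name.split(".")
    candidates: list[str] = []
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in PUBLIC_SUFFIXES:
            break  # never climb up to the registry-controlled suffix itself
        candidates.append(parent)
    return candidates


def find_cached_authorization(
    fqdn: str, cache: dict[str, datetime], now: datetime
) -> Optional[str]:
    """Pick the most specific cached authorization covering fqdn that is
    still valid at `now`. `cache` maps an authorization domain name to the
    expiry of its cached dns-persist-01 validation (assumed layout)."""
    for candidate in authorization_candidates(fqdn):
        expires = cache.get(candidate)
        if expires is not None and expires > now:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed cache: the child-level record has lapsed, the parent is fresh.
    now = datetime.now(timezone.utc)
    cache = {
        "shop.example.com": now - timedelta(days=1),
        "example.com": now + timedelta(days=30),
    }
    print(find_cached_authorization("*.shop.example.com", cache, now))  # example.com
```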
