The main goal with this proposal is to be able to enable delegating domain control validation to multiple providers via CNAME. Since CNAMEs have to be unique in a DNS Zone, we're left with modifying the label of the TXT record. On Tuesday, August 30, 2022 at 11:11:22 AM UTC-4 [email protected] wrote:
> How about use multiple TXT records for longer hash? like "_ > acme-challenge_accounts.example.com TXT [account hash]" > > 在2022年8月23日星期二 UTC+8 23:15:04<[email protected]> 写道: > >> This message is to solicit opinions about a proposed new ACME challenge >> to address hosting environments where a user cannot easily prove control >> using existing methods, but could via an alternative DNS-based approach. >> >> We have observed cases where customers want to restrict DNS changes for >> most of their domains and delegate the domain control validation through >> CNAMEs to a centralized location. However, with DNS-01 having a static >> label, these customers are prevented from being able to use CNAME >> delegation to integrate with more than one ACME CA for certificate issuance. >> >> Being able to have multiple independent instances of an ACME client >> obtain certificates for the same domain is particularly important for High >> Availability deployments, where Subscribers often set up multiple >> independent serving stacks that integrate with multiple ACME CAs for >> failover and need a valid certificate in each of them. >> >> The new challenge is called DNS-ACCOUNT-01 and it extends (but does not >> replace) DNS-01 in the following way: the DNS label under which the TXT >> record is created to respond to the challenge is account dependent. This >> allows a Subscriber to use multiple and separate subdomains to solve ACME >> challenges for the same domain. >> >> We plan to submit this as a draft to the IETF for consideration, to make >> the challenge available to all CAs and promote its adoption in ACME clients. >> >> >> The current draft is available here: >> https://daknob.github.io/draft-todo-chariton-dns-account-01/ >> >> A text version is available here: >> https://daknob.github.io/draft-todo-chariton-dns-account-01/draft.txt >> >> >> In DNS-01, the CA checks for DNS records under _acme-challenge. In >> DNS-ACCOUNT-01, the CA will check for DNS records under >> _acme-challenge_accountUniqueValue, e.g. _acme-challenge_ujmmovf2vn55tgye. >> The last part is constructed from base32 encoding a part of the SHA-256 >> hash of the ACME Account URL. This allows each ACME account to use a >> separate subdomain for the TXT record. We believe that BR Method 3.2.2.4.7 >> can be used with the proposed challenge for proof of domain control. >> >> >> We welcome any thoughts you may have on the matter and we will be happy >> to discuss this and move it forward. >> > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/176e3faa-f19d-42e4-bc93-d89f2cb0fb8bn%40mozilla.org.
