It's OK if the ACME server works fine (enumerates all TXT records). We can address this issue in the CA's ACME usage or by other means, since TXT records are rarely used unless they configure email or participate in a validation process.
On Wednesday, August 31, 2022 at 00:01:24 UTC+8 <[email protected]> wrote:
> I would add that, last I looked, a reasonable number of the ACME clients make
> the assumption that there is a single TXT record and do not enumerate over
> all records.
>
> On Tue, Aug 30, 2022 at 8:51 AM 'Amir Omidi' via [email protected]
> <[email protected]> wrote:
>
>> The main goal with this proposal is to be able to enable delegating
>> domain control validation to multiple providers via CNAME. Since CNAMEs
>> have to be unique in a DNS zone, we're left with modifying the label of the
>> TXT record.
>>
>> On Tuesday, August 30, 2022 at 11:11:22 AM UTC-4 [email protected] wrote:
>>
>>> How about using multiple TXT records for a longer hash? Like
>>> "_acme-challenge_accounts.example.com TXT [account hash]"
>>>
>>> On Tuesday, August 23, 2022 at 23:15:04 UTC+8 <[email protected]> wrote:
>>>
>>>> This message is to solicit opinions about a proposed new ACME challenge
>>>> to address hosting environments where a user cannot easily prove control
>>>> using existing methods, but could via an alternative DNS-based approach.
>>>>
>>>> We have observed cases where customers want to restrict DNS changes for
>>>> most of their domains and delegate the domain control validation through
>>>> CNAMEs to a centralized location. However, with DNS-01 having a static
>>>> label, these customers are prevented from being able to use CNAME
>>>> delegation to integrate with more than one ACME CA for certificate
>>>> issuance.
>>>>
>>>> Being able to have multiple independent instances of an ACME client
>>>> obtain certificates for the same domain is particularly important for High
>>>> Availability deployments, where Subscribers often set up multiple
>>>> independent serving stacks that integrate with multiple ACME CAs for
>>>> failover and need a valid certificate in each of them.
>>>>
>>>> The new challenge is called DNS-ACCOUNT-01 and it extends (but does not
>>>> replace) DNS-01 in the following way: the DNS label under which the TXT
>>>> record is created to respond to the challenge is account dependent. This
>>>> allows a Subscriber to use multiple and separate subdomains to solve ACME
>>>> challenges for the same domain.
>>>>
>>>> We plan to submit this as a draft to the IETF for consideration, to
>>>> make the challenge available to all CAs and promote its adoption in ACME
>>>> clients.
>>>>
>>>> The current draft is available here:
>>>> https://daknob.github.io/draft-todo-chariton-dns-account-01/
>>>>
>>>> A text version is available here:
>>>> https://daknob.github.io/draft-todo-chariton-dns-account-01/draft.txt
>>>>
>>>> In DNS-01, the CA checks for DNS records under _acme-challenge. In
>>>> DNS-ACCOUNT-01, the CA will check for DNS records under
>>>> _acme-challenge_accountUniqueValue, e.g. _acme-challenge_ujmmovf2vn55tgye.
>>>> The last part is constructed from base32 encoding a part of the SHA-256
>>>> hash of the ACME Account URL. This allows each ACME account to use a
>>>> separate subdomain for the TXT record. We believe that BR Method 3.2.2.4.7
>>>> can be used with the proposed challenge for proof of domain control.
>>>>
>>>> We welcome any thoughts you may have on the matter and we will be happy
>>>> to discuss this and move it forward.
>>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "[email protected]" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/176e3faa-f19d-42e4-bc93-d89f2cb0fb8bn%40mozilla.org
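An added example, not code from the draft or from anyone in this thread, showing the DNS-ACCOUNT-01 label construction and the validation step the thread discusses. It assumes the "part of the SHA-256 hash" is the first 10 bytes (what a 16-character base32 label implies), uses constructed account URLs, key authorization and an in-memory zone, and its validator deliberately enumerates every TXT record rather than assuming a single one.

```python
import base64
import hashlib

# Added example, not the draft's or any ACME client's code. Assumption: the
# label is base32 of the first 10 bytes of SHA-256(account URL), lowercased,
# which matches the 16-character example label in the proposal.
ACCOUNT_HASH_PREFIX_BYTES = 10

def account_label(account_url: str) -> str:
    """DNS-ACCOUNT-01 label for one ACME account (assumed construction)."""
    digest = hashlib.sha256(account_url.encode("ascii")).digest()
    b32 = base64.b32encode(digest[:ACCOUNT_HASH_PREFIX_BYTES]).decode("ascii")
    return "_acme-challenge_" + b32.lower()

def challenge_name(account_url: str, domain: str) -> str:
    """Owner name the CA queries for this account/domain pair."""
    return f"{account_label(account_url)}.{domain}"

def txt_value(key_authorization: str) -> str:
    """TXT content as in DNS-01: unpadded base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def lookup_txt(zone: dict, name: str, max_hops: int = 8) -> list:
    """Follow CNAMEs in a constructed in-memory zone; return every TXT string."""
    for _ in range(max_hops):
        rrset = zone.get(name, {})
        if "CNAME" not in rrset:
            return list(rrset.get("TXT", []))
        name = rrset["CNAME"]
    return []  # CNAME loop or chain too long: treat as no records

def txt_validates(txt_records, key_authorization: str) -> bool:
    """Accept if ANY record matches; never assume a single TXT record."""
    expected = txt_value(key_authorization)
    return any(r.strip('"') == expected for r in txt_records)

# Constructed sample: two accounts at two CAs, each label CNAMEd to a different
# validation provider; provider A also still serves a stale record first.
ACCOUNT_A = "https://ca-a.example/acme/acct/1234"
ACCOUNT_B = "https://ca-b.example/acme/acct/5678"
KEY_AUTH_A = "tokenA.jwkThumbprintA"
ZONE = {
    challenge_name(ACCOUNT_A, "example.com"): {"CNAME": "a.validation-a.example"},
    challenge_name(ACCOUNT_B, "example.com"): {"CNAME": "b.validation-b.example"},
    "a.validation-a.example": {"TXT": ['"stale-value"', '"' + txt_value(KEY_AUTH_A) + '"']},
    "b.validation-b.example": {"TXT": []},
}
```

Because the two labels differ, each can carry its own CNAME in the same zone, which is exactly what a static `_acme-challenge` label prevents; a validator that only reads the first TXT record at provider A would wrongly fail.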
