Rob Seastrom <[email protected]> wrote:
>
> I might add that I was slightly surprised that this works - it seems
> unaddressed in the ACME spec but kind of feels like a potential attack
> surface particularly since it works even to a non-child,
> non-same-origin (pedantically, not quite "out of bailiwick" but YKWIM)
> zone.

Viktor has answered your question, but wrt this point, Let's Encrypt is
in general very happy to follow indirections, whether CNAMEs for dns-01 or
redirects for http-01. RFC 8555 mentions HTTP redirects but not CNAMEs.
Both kinds of aliasing allow for lots of fun games.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Trafalgar: Northerly or northeasterly 4 to 6, increasing 7 at times in east.
Rough or very rough. Fair. Good.
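
An added example, not part of the original message or thread: a zone-audit sketch that walks the CNAME chain starting at `_acme-challenge.<hostname>` (the name a dns-01 validation looks up) and reports every hop that falls outside the zones the operator controls. The record set, the function names and the `controlled_zones` parameter are constructed for illustration.

```python
# Constructed sample records (owner -> (type, value)); not real DNS data.
RECORDS = {
    "_acme-challenge.www.example.com.": ("CNAME", "www.example.com.acme.example.net."),
    "www.example.com.acme.example.net.": ("CNAME", "token.validation.example.org."),
    "token.validation.example.org.": ("TXT", "constructed-token"),
    "_acme-challenge.mail.example.com.": ("TXT", "constructed-token"),
    "_acme-challenge.loop.example.com.": ("CNAME", "a.example.com."),
    "a.example.com.": ("CNAME", "_acme-challenge.loop.example.com."),
}

def norm(name):
    """Lower-case and make the name fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def in_zone(name, zone):
    """Label-boundary suffix match; a plain substring test would be wrong here."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

def challenge_chain(hostname, records, max_hops=8):
    """Follow CNAMEs from _acme-challenge.<hostname>; return (chain, status)."""
    owner = norm("_acme-challenge." + hostname)
    chain, seen = [owner], {owner}
    while True:
        rtype, value = records.get(owner, (None, None))
        if rtype != "CNAME":
            return chain, ("txt" if rtype == "TXT" else "missing")
        owner = norm(value)
        if owner in seen:
            return chain + [owner], "loop"
        if len(chain) >= max_hops:
            return chain + [owner], "too_long"
        chain.append(owner)
        seen.add(owner)

def audit(hostname, controlled_zones, records=RECORDS):
    """Report where validation would land and which hops leave operator control."""
    chain, status = challenge_chain(hostname, records)
    external = [n for n in chain
                if not any(in_zone(n, z) for z in controlled_zones)]
    return {"status": status, "final": chain[-1], "external_hops": external}

if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.com", "loop.example.com"):
        print(host, audit(host, ["example.com"]))
```

Any name listed in `external_hops` is one whose operator can publish the TXT record that satisfies validation for the audited hostname, so each entry is worth tracing back to an intentional delegation.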
