aaomidi / draft-ietf-acme-scoped-dns-challenges

Account scoped ACME challenges
Apache License 2.0

Indicate scope in application-specific prefix label #29

Closed enygren closed 5 months ago

enygren commented 11 months ago

One of the major issues raised about ACME's DNS-01 challenge in draft-ietf-dnsop-domain-verification-techniques is that a single application label is used for both host-specific and wildcard validations, meaning that a DNS administrator can't tell what the scope of the challenge is. If we are making a change to the ACME DNS-01 challenge, it would be good to fix this at the same time. Here is the current PR for this:

https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/90

In the ACME case this would involve having:

_acme-host-challenge.example.com
_acme-wildcard-challenge.example.com

as distinct. It may make sense to then recommend this as the primary way of doing ACME DNS challenges in the future, so the "-account" could just get dropped and instead be either -host or -wildcard?
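To show what the split labels buy a DNS administrator, here is an added helper (not code from this issue or the draft) that derives the scoped record name proposed above from an ACME identifier and, in the other direction, classifies existing challenge owner names by scope; the legacy `_acme-challenge` label is reported as ambiguous because the name alone does not reveal host versus wildcard scope. The label strings are the ones named in this issue; the audit functions and sample zone names are assumptions constructed for the example.

```python
# Labels discussed in the issue: one host-scoped and one wildcard-scoped label
# instead of the single legacy "_acme-challenge" label.
LEGACY_LABEL = "_acme-challenge"
SCOPED_LABELS = {
    "host": "_acme-host-challenge",
    "wildcard": "_acme-wildcard-challenge",
}


def challenge_record_name(identifier: str) -> str:
    """TXT owner name for an ACME identifier under the proposed labels.

    "*.example.com" maps to the wildcard label on its base domain; any other
    identifier maps to the host label on the identifier itself.
    """
    ident = identifier.rstrip(".").lower()
    if ident.startswith("*."):
        return f"{SCOPED_LABELS['wildcard']}.{ident[2:]}"
    if "*" in ident:
        raise ValueError(f"unsupported wildcard form: {identifier}")
    return f"{SCOPED_LABELS['host']}.{ident}"


def classify_record(owner_name: str) -> tuple[str, str]:
    """Return (scope, domain) for a challenge owner name.

    scope is "host"/"wildcard" for the proposed labels, "ambiguous" for the
    legacy label (the issue's complaint), or "none" for a non-ACME name.
    """
    name = owner_name.rstrip(".").lower()
    first, _, rest = name.partition(".")
    for scope, label in SCOPED_LABELS.items():
        if first == label and rest:
            return scope, rest
    if first == LEGACY_LABEL and rest:
        return "ambiguous", rest
    return "none", name


def audit_zone(owner_names: list[str]) -> dict[str, list[str]]:
    """Group challenge records by scope so an admin can review what each delegates."""
    report: dict[str, list[str]] = {}
    for n in owner_names:
        scope, domain = classify_record(n)
        if scope != "none":
            report.setdefault(scope, []).append(domain)
    return report


if __name__ == "__main__":
    # Constructed sample owner names, not taken from any real zone.
    sample = ["_acme-host-challenge.www.example.com.",
              "_acme-wildcard-challenge.example.com.",
              "_acme-challenge.legacy.example.com.", "www.example.com."]
    print(audit_zone(sample))
```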

enygren commented 11 months ago

(ACME does include a differentiator in the token, but that is not readily available to the DNS administrator who is inserting the record, and both have very different semantics over the scope of control being issued/delegated.)

aaomidi commented 5 months ago

I believe we've now addressed this!