ietf-wg-acme / acme

A protocol for automating certificate issuance
https://datatracker.ietf.org/doc/draft-ietf-acme-acme/

dns-02: dynamic challenge request: TXT <$token>._acme-challenge.domain.tld #393

Open ProBackup-nl opened 6 years ago

ProBackup-nl commented 6 years ago

One of the problems with dns-01 is that it cannot be automated the way http-01 can: there the web server is able to respond with $token || '.' || $key-thumbprint

It would be nice if that mechanism came to DNS, so that DNS server developers are able to supply an automated.

Instead of statically querying _acme-challenge.domain.tld to prove host/domain ownership, query the DNS including the token, like: <$token>._acme-challenge.host.domain.tld
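The key authorization mentioned in the comment above and the proposed dynamic query name, worked through in code. This is an added example, not code from the acme draft or from any ACME implementation: `jwk_thumbprint` follows RFC 7638, `key_authorization` is the `token || '.' || thumbprint` string http-01 serves, and `dns01_txt_value` is the base64url(SHA-256(keyAuthorization)) digest dns-01 places in the static `_acme-challenge` TXT record. The account key is a constructed placeholder (the thumbprint computation does not check that it is a valid curve point), and `answer_dynamic_query` is a hypothetical responder for the proposed `<token>._acme-challenge.<domain>` name; the proposal does not say what the TXT content would be, so the example assumes the same digest form dns-01 already uses.

```python
import base64
import hashlib
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME and JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only (EC: crv, kty, x, y; RSA: e, kty, n), sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """What an http-01 responder serves: $token || '.' || $key-thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01 TXT record content: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def static_challenge_name(domain: str) -> str:
    """Owner name dns-01 queries today."""
    return f"_acme-challenge.{domain}"


def dynamic_challenge_name(token: str, domain: str) -> str:
    """Owner name proposed in this issue: <token>._acme-challenge.<domain>.
    A DNS label is at most 63 octets, so the token must fit in one label."""
    if not token or len(token.encode("ascii")) > 63:
        raise ValueError("token does not fit in a single DNS label")
    return f"{token}._acme-challenge.{domain}"


def answer_dynamic_query(qname: str, zone_thumbprints: dict) -> Optional[str]:
    """Hypothetical responder for the proposal: derive the TXT answer from the
    query name alone, knowing only the (public) account-key thumbprint per
    domain, the same way an http-01 web server needs no per-challenge state.
    Returns None for names that are not dynamic challenge queries or for
    domains this responder does not serve."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3 or labels[1] != "_acme-challenge":
        return None
    token, domain = labels[0], ".".join(labels[2:])
    thumbprint = zone_thumbprints.get(domain)
    if thumbprint is None:
        return None
    key_auth = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


# Constructed placeholder P-256 account key; the coordinates are illustrative only.
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",  # optional member: ignored by the thumbprint
}

# Constructed token; real ACME tokens are base64url strings of at least 128 bits.
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    domain = "www.example.com"
    print("http-01 body :", key_authorization(EXAMPLE_TOKEN, EXAMPLE_JWK))
    print("dns-01 name  :", static_challenge_name(domain))
    print("dns-01 TXT   :", dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_JWK))
    qname = dynamic_challenge_name(EXAMPLE_TOKEN, domain)
    print("proposed name:", qname)
    print("proposed TXT :", answer_dynamic_query(qname, {domain: jwk_thumbprint(EXAMPLE_JWK)}))
```

The point the example makes concrete is that, with the token in the query name, the authoritative server can compute the answer from the account thumbprint alone, just as an http-01 web server does, instead of needing a record written per challenge; the thumbprint is public, so provisioning it into the name server discloses nothing. Note that `_` and `-` are fine in an owner name for a TXT record, but the token still has to respect the 63-octet label limit.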

bifurcation commented 6 years ago

Moving this to Defer, because I think several current implementations have in fact been able to automate the DNS challenge (e.g., lego supports a bunch of DNS providers out of the box). If this is a problem, it can be handled in a follow-on spec.

hooliganznat commented 6 years ago

good