Closed ShivanKaul closed 3 months ago
I'd say domain verification only proves that control of that exact RRset: any further interpretation is at the discretion of the provider.
https://datatracker.ietf.org/doc/html/draft-ietf-acme-dns-account-challenge-01 improves on this as well and we can reference it.
I believe it is now https://datatracker.ietf.org/doc/draft-ietf-acme-scoped-dns-challenges/
and it has an example ! yah
it is already referenced ACME-SCOPED-CHALLENGE in "Scope Indication" section
Scope of verification: Let's Encrypt - is only for the domain Google - everything under that domain?
Call this out explicitly in the draft.