zlacker

Thread: "So this guy is now S3. All of S3"
1. paxys+x4 2023-05-04 19:13:35
>>aendru+(OP)
This is a terrible implementation of domain verification. dns-01 and http-01 are more or less standardized at this point. Use them, and don't roll your own. Reference: https://letsencrypt.org/docs/challenge-types/.
2. bob102+S9 2023-05-04 19:37:46
>>paxys+x4
I don't get http-based verification in general. If you want to really prove someone owns a domain, make them change an authoritative DNS record. Everything else feels like it is begging for edge cases to crop up. Why should my social media or SSL certificate vendor care about my web servers?
3. Camero+0e 2023-05-04 19:57:44
>>bob102+S9
I think people don't want to put DNS admin credentials in places where they might get leaked. Would be cool if a DNS server or provider offered credentials that could only do ACME challenges and not change any other records.
4. aaronm+TK 2023-05-04 23:04:29
>>Camero+0e
> Would be cool if a DNS server or provider offered credentials that could only do ACME challenges

There's nothing preventing you from making the DNS record a CNAME to something under a zone that you're allowed to modify.

This is how one of my setups works; _acme-challenge.someservice.example.net is a CNAME to someservice.acme.example.net, and acme.example.net is served by a bind9 that allows dynamic zone updates based on TSIG-signed DNS update requests over WireGuard.

So the machine that hosts someservice has a DDNS key that signs DNS update requests for someservice.acme.example.net, and bind9 is configured to allow that key to change that record.
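The delegation described in the comment above, written out as an added example that is not the commenter's own configuration: a bind9 zone stanza whose update-policy lets one TSIG key change only one name and one record type, and the nsupdate batch the client sends during a dns-01 challenge. The name server ns.acme.example.net, the key name someservice-key and the file paths are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the commenter's config. Assumes bind9 plus the
# tsig-keygen and nsupdate tools; all hostnames/paths are placeholders.
set -eu

# Step 1 (DNS admin, once): generate the TSIG key that goes into named.conf
#   tsig-keygen -a hmac-sha256 someservice-key > /etc/bind/keys/someservice-key.conf
# and copy the same file to the someservice host.

# Step 2: named.conf fragment for the delegated zone. The grant line is the
# least-privilege part: the key may only touch the TXT record of that one
# name, nothing else in acme.example.net.
named_conf_fragment() {
    cat <<'EOF'
include "/etc/bind/keys/someservice-key.conf";

zone "acme.example.net" {
    type master;
    file "/var/lib/bind/db.acme.example.net";
    update-policy {
        grant someservice-key name someservice.acme.example.net TXT;
    };
};
EOF
}

# Step 3: nsupdate batch the someservice host sends for each challenge.
# The main zone already holds
#   _acme-challenge.someservice.example.net CNAME someservice.acme.example.net
# so the CA follows the CNAME and reads this TXT record.
#   $1 = delegated name, $2 = challenge token value from the ACME client
nsupdate_batch() {
    name="$1"; token="$2"
    printf 'server ns.acme.example.net\n'
    printf 'zone acme.example.net\n'
    printf 'update delete %s. TXT\n' "$name"          # drop stale tokens
    printf 'update add %s. 60 TXT "%s"\n' "$name" "$token"
    printf 'send\n'
}

# Client usage (tunnelled over WireGuard as in the comment):
#   nsupdate_batch someservice.acme.example.net "$TOKEN" \
#     | nsupdate -k /etc/acme/someservice-key.conf
```

An update signed with this key for any other name, or any other type at that name, is refused by named with REFUSED, which is the check the earlier comment asked for.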
