It would be great if there were a way for domain owners to control which authentication methods can be used, e.g. someone using DNS-01 might want to disable all other methods. Combined with DNSSEC this would provide great security.
We already have DNS CAA records, so it appears a good idea to add another sub-record type to CAA which allows defining the valid authentication methods, e.g. like this:
@ IN CAA 0 method "DNS-01"
Answering myself here. I just found that there is already an RFC draft for that:
Now, what is holding Let's Encrypt back from just implementing that? As it is up to each CA which methods to provide, there appears to be no need to wait for any standardization before implementing this as an optional security measure available to any user. It also appears that this would be quite a simple and easy addition, but I might be wrong about that.
The ACME protocol is supposed to be used not only by Let's Encrypt but also by other certification authorities (I believe that, for example, DigiCert is working on it), hence standardization of the protocol itself and related extensions is feasible. Also, there are some issues with the RFC describing the CAA record itself, which should probably be resolved before introducing extensions.
If someone uses the DNS-01 challenge, I believe they could probably also script publishing and unpublishing CAA records forbidding issuance completely, as a temporary workaround.
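Both the workaround in the post above (keep issuance locked with CAA and open it only while a renewal runs) and the non-standard "method" record proposed earlier in the thread can be reasoned about offline. The following is an added example, not code from this thread, from Let's Encrypt or from any CA: a small evaluator of CAA policy following RFC 8659, including the validationmethods parameter that RFC 8657 later standardized for exactly the purpose the original poster asked for. The zone contents, example.com and the iodef mailbox are constructed; CNAME chasing and DNSSEC validation are out of scope.

```python
"""Offline CAA policy check (RFC 8659) with the validationmethods parameter
(RFC 8657). Added example for this thread; not Let's Encrypt code.
Zone data is constructed; CNAME chasing and DNSSEC are out of scope."""

from dataclasses import dataclass

CRITICAL = 128                       # RFC 8659 issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def relevant_rrset(zone, name):
    """Walk from `name` toward the root; the first name with CAA records wins.
    `zone` maps lowercase owner names (no trailing dot) to lists of CAA."""
    n = name.rstrip(".").lower()
    while n:
        if zone.get(n):
            return zone[n]
        n = n.partition(".")[2]      # drop the leftmost label
    return []


def parse_issue(value):
    """'ca.example; k=v; k=v' -> ('ca.example', {'k': 'v'}).
    An empty issuer (the bare ';' form) matches no CA at all."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def issuance_allowed(zone, name, ca_domain, method, wildcard=False):
    """May the CA identified by `ca_domain` issue for `name` (or for *.name
    when wildcard=True) after validating with ACME challenge `method`?"""
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True                  # no CAA anywhere: unrestricted
    # An unknown tag with the critical bit set forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"            # issuewild overrides issue for wildcards
    props = [r for r in rrset if r.tag.lower() == tag]
    if not props:
        return True                  # CAA present but no issue restriction
    for r in props:
        issuer, params = parse_issue(r.value)
        if issuer != ca_domain.lower():
            continue
        allowed = params.get("validationmethods")
        if allowed is None:
            return True              # CA permitted, any method
        if method.lower() in {m.strip().lower() for m in allowed.split(",")}:
            return True
    return False


# Constructed zones: the two states of the scripted workaround, plus the
# "method" record proposed in the thread if it were published as critical.
def locked_zone():
    return {"example.com": [CAA(0, "issue", ";"), CAA(0, "issuewild", ";")]}


def open_for_dns01_zone():
    return {"example.com": [
        CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:caa@example.com"),   # constructed mailbox
    ]}


def nonstandard_critical_zone():
    return {"example.com": [CAA(CRITICAL, "method", "DNS-01")]}


if __name__ == "__main__":
    for label, z in [("locked", locked_zone()),
                     ("open", open_for_dns01_zone()),
                     ("critical-unknown", nonstandard_critical_zone())]:
        print(label,
              "LE/dns-01:", issuance_allowed(z, "www.example.com", "letsencrypt.org", "dns-01"),
              "LE/http-01:", issuance_allowed(z, "www.example.com", "letsencrypt.org", "http-01"))
```

Two things the evaluator makes visible. First, the lock/unlock workaround only narrows the window, not the method: while the "open" RRset is published without a validationmethods parameter, any challenge the CA supports is acceptable, so a method restriction is what actually closes the gap. Second, the proposed `method` tag is not something a CA would act on: with flags 0 it is ignored as an unknown property, and with the critical bit (128) every RFC 8659-compliant CA that does not understand it must refuse to issue at all.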
See also the most recent discussion at
And there was a potential issue with the draft noted as recently as 3 days ago.