DNS-Label for wildcard-certificate-validation

I don't think so. A very common hint in this forum is "use dns-validation" if http-validation is not possible or too complicated. And if it is not possible or wanted to open the complete dns-zone with one single api-key, another very common hint is -> use cname to another zone. That's the same as the scenario above. Only one or two _acme-challenge-DNS-Records point via cname to a writable location.

Some months ago no one could imagine that the delegation of _acme-challenge.example.com could lead to a situation where _acme-challenge.example.com can be used to get a certificate for foo.example.com or bar.example.com. But now it's even worse - it can be used to get *.example.com. The domain-owner doesn't even know about this change.

Wildcard-certificates are very dangerous; they could compromise security for many services - but why give the server of example.com more rights than necessary?

Even if the server is not run by a third party - I don't want to give a single service such powerful rights. One single compromised server can compromise the security of other services if this server can get wildcard-certificates - the domain-owner has no chance to prevent this.

But what's the advantage of using _acme-challenge.example.com for both example.com and *.example.com? It is even validated twice for a single certificate for example.com and *.example.com.

If the user wants to validate both names with the same dns-name, it is possible to cname them to the same dns-name. But if the user wants them to be separate (to delegate them to different entities, or to separate privileges) there is no chance.

This decision lowers the security (wildcard-certificates should be protected best, because they are very dangerous) at no benefit.

That's no solution for this problem. Not everyone is able to use caa-records:

The idea in this thread was to opt-in via CAA. Your idea is to opt-out to prevent issuance - that's even worse because of the limited number of users.

The solution is to use a new, different dns-label for wildcard-certificates. That would solve all these problems very easily, with no downside and no effect on running installations.

A CA should not weaken security without explicit opt-in.

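As an added illustration of the risk the post describes (not code from the original post or from any CA), the script below audits constructed zone data: every `_acme-challenge.<name>` CNAME delegation is listed together with both identifiers that label proves under DNS-01, `<name>` and `*.<name>`, and the CAs that the effective CAA record (RFC 8659 `issue`/`issuewild`) still permits to issue the wildcard. Zone names, delegation targets and the CA name are constructed sample values.

```python
# Added example: audit _acme-challenge delegations for wildcard exposure.
LABEL = "_acme-challenge."

# Constructed zone data: owner name -> {rrtype: [rdata strings]}
ZONE = {
    "_acme-challenge.example.com.": {"CNAME": ["acme.dns-delegate.example.net."]},
    "_acme-challenge.bar.example.com.": {"CNAME": ["bar.dns-delegate.example.net."]},
    "_acme-challenge.foo.example.com.": {"TXT": ["static-token"]},  # not delegated
    "example.com.": {"CAA": ['0 issue "ca.example"']},
    # issuewild ";" forbids every CA from issuing *.bar.example.com
    "bar.example.com.": {"CAA": ['0 issue "ca.example"', '0 issuewild ";"']},
}

def parse_caa(rdata):
    """Split '0 issuewild ";"' into (flags, tag, value) with quotes removed."""
    flags, tag, value = rdata.split(" ", 2)
    return int(flags), tag, value.strip('"')

def effective_caa(zone, name):
    """RFC 8659 lookup: the closest CAA RRset found while climbing toward the root."""
    while name and name != ".":
        if "CAA" in zone.get(name, {}):
            return [parse_caa(r) for r in zone[name]["CAA"]]
        name = name.split(".", 1)[1]
    return []  # no CAA anywhere: any CA may issue

def wildcard_issuers(caa):
    """CAs allowed to issue *.name: issuewild records if present, else issue records."""
    tag = "issuewild" if any(t == "issuewild" for _, t, _ in caa) else "issue"
    return {v for _, t, v in caa if t == tag and v != ";"}

def audit(zone):
    """One finding per delegated _acme-challenge label."""
    findings = []
    for owner, rrsets in zone.items():
        if not owner.startswith(LABEL) or "CNAME" not in rrsets:
            continue
        base = owner[len(LABEL):]
        findings.append({
            "label": owner,
            "delegated_to": rrsets["CNAME"][0],
            "names_provable": [base, "*." + base],  # one label proves both
            "wildcard_issuers": sorted(wildcard_issuers(effective_caa(zone, base))),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(ZONE):
        print(finding)
```

An empty `wildcard_issuers` list means CAA already blocks the wildcard for that name; a non-empty one means the delegation target can obtain the wildcard from those CAs.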