Would it be worthwhile to submit, as a feature request, consideration of DNS authz against example.com to imply authz of all subdomains of that domain?
In other words, if I successfully do dns-01 against example.com, then a few seconds later start authz against foo.example.com, the authz object that comes back would already be valid, without need for an additional challenge execution.
Assuming clients take advantage of this and do authz on shorter domains before longer ones, this would:
- significantly reduce the need for clients to update DNS records
- eliminate a large number of challenge POSTs (and the actual challenge verifications as well) because then authz against the subdomains doesn’t require additional challenge POSTs
It would seem to be a win-win for both LE and clients.
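Added illustration (not part of the original post, and not Let's Encrypt/Boulder or any real ACME client code): a small Python model of the proposed behaviour. The toy server and client, the method names and the sample hostnames are all made up for the example. It sorts the requested names by label count so parents are validated before their subdomains, treats a name as covered only when an already-validated ancestor matches on a label boundary, and counts how many challenge POSTs the reuse rule saves for a given set of names.

```python
"""Toy model of 'authz for a parent domain implies authz for its subdomains'.

Illustration only: the server and client below are stand-ins, not Boulder or
an ACME client, and the hostnames used in __main__ are constructed samples.
"""

from dataclasses import dataclass, field


def label_depth(name: str) -> int:
    """Number of DNS labels; the client uses this to validate shorter
    (parent) names before longer (child) names."""
    return len(name.rstrip(".").lower().split("."))


def is_subdomain(child: str, parent: str) -> bool:
    """True when child is parent itself or lies beneath it.

    The comparison is made on label boundaries, so 'fooexample.com' is not
    treated as a subdomain of 'example.com'. Trailing dots and case are
    ignored, as they are in DNS.
    """
    c = child.rstrip(".").lower()
    p = parent.rstrip(".").lower()
    return c == p or c.endswith("." + p)


@dataclass
class ToyAcmeServer:
    """Stand-in for the CA side.

    Remembers which identifiers have been validated and, under the proposed
    rule, returns an already-valid authz when a validated ancestor exists.
    """
    validated: set = field(default_factory=set)
    challenge_posts: int = 0

    def new_authz(self, name: str) -> str:
        for done in self.validated:
            if is_subdomain(name, done):
                return "valid"      # covered by a parent: no challenge needed
        return "pending"

    def respond_to_challenge(self, name: str) -> str:
        # Pretend the dns-01 TXT record was published and checked successfully.
        self.challenge_posts += 1
        self.validated.add(name.rstrip(".").lower())
        return "valid"


def authorize_all(server: ToyAcmeServer, names: list[str]) -> dict[str, str]:
    """Client side: request authz for the shortest names first so that parents
    are validated before their subdomains. Returns, per name, whether a
    challenge had to be answered ('challenged') or the authz came back
    already valid ('reused')."""
    outcome = {}
    for name in sorted(names, key=label_depth):
        if server.new_authz(name) == "valid":
            outcome[name] = "reused"
        else:
            server.respond_to_challenge(name)
            outcome[name] = "challenged"
    return outcome


if __name__ == "__main__":
    # Constructed sample: two real subdomains, one look-alike, one other zone.
    sample = ["bar.foo.example.com", "foo.example.com", "example.com",
              "fooexample.com", "www.example.org"]
    srv = ToyAcmeServer()
    for n, how in authorize_all(srv, sample).items():
        print(f"{n:24s} {how}")
    print(f"challenge POSTs: {srv.challenge_posts} for {len(sample)} names")
```

Without the reuse rule every name above would cost a challenge; with it only three do. The label-boundary check in `is_subdomain` is the part worth getting right if anything like this were implemented: a plain suffix match would let whoever controls `example.com` inherit authz for the unrelated `fooexample.com`.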