I was wondering how a domain can specify that they only wish to allow dns-01 or http-01 challenges (in my case, I'd like to only allow dns-01 for my domains).
I've checked the various docs, the community forum, a couple of search engines. Unfortunately, it seems that no one's asked this before or that the terms are simply too vague to get accurate results.
I did find a thread that trailed off on the IETF's Acme list about this, so I don't know if it's possible to do this with a CAA record or a custom record at this time.
As one commenter to that thread stated:
I was about to say that such users could just specify an "issue" directive and a "validation-methods" directive, but the CAA spec is actually unclear on how the rules combine. I suppose that's because CAA right now is really only a CA whitelist, so there's no need for combining.
That is about where I'm at with this. I do not have a ready way to test this with Let's Encrypt, nor do I have any guarantee that the behavior I see will remain in place.
Any insights/thoughts/etc. welcome. Even better would be a cluebat with a pointer to documentation that I missed.
draft-ietf-acme-caa-03 defines validation-methods, as you’ve already noted, but I have no idea whether CAA implementations currently observe it/whether the draft is implemented.
I believe that the most specific CAA record is observed and any less specific records are ignored. At least, this is how it behaves for my domains.
Edit: I just did a test on a junk domain of mine. Let’s Encrypt happily issued a certificate via dns-01 when CAA only permitted http-01. Looks like it’s not implemented yet.
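To make the two ideas in this thread concrete (the "issue" directive carrying a "validation-methods" parameter, and the most specific CAA RRset winning over less specific ones), here is an added worked example of how a CA would evaluate such records. It is not code from the original thread and not Let's Encrypt's (Boulder's) implementation; the zone data is constructed, and the parameter name `validation-methods` is the draft name quoted above (RFC 8657 later published it as `validationmethods`). As the replies note, Let's Encrypt did not enforce the parameter at the time, so a CAA record like this should be verified against the CA's current behaviour rather than assumed.

```python
"""Evaluate CAA 'issue'/'issuewild' records, including the draft
'validation-methods' parameter. Added example; zone data is constructed."""

# Constructed CAA data: owner name -> list of (flags, tag, value).
SAMPLE_ZONE = {
    "example.com": [
        # Only Let's Encrypt, and only after a dns-01 validation
        # (draft-ietf-acme-caa parameter name; RFC 8657 calls it 'validationmethods').
        (0, "issue", "letsencrypt.org; validation-methods=dns-01"),
        # Forbid all wildcard issuance for this name.
        (0, "issuewild", ";"),
    ],
    "api.example.com": [
        # A more specific RRset replaces the parent's records entirely
        # (RFC 6844 tree climbing), so this name has no method restriction.
        (0, "issue", "letsencrypt.org"),
    ],
}


def relevant_rrset(zone, name):
    """Return (owner, rrset) of the closest ancestor-or-self of `name` with CAA records."""
    labels = name.strip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def parse_issue_value(value):
    """'ca.example; k1=v1; k2=v2' -> ('ca.example', {'k1': 'v1', 'k2': 'v2'}).
    An empty issuer (the value ';') authorizes no CA at all."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return issuer, params


def issuance_permitted(zone, name, ca, method):
    """Decide whether `ca` may issue for `name` after an ACME `method` validation."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name
    _owner, rrset = relevant_rrset(zone, lookup)
    if not rrset:
        return True  # no CAA anywhere up the tree: CAA imposes no restriction

    # Critical flag (bit value 128) on a tag the CA does not understand: refuse.
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False

    tag = "issuewild" if wildcard else "issue"
    records = [r for r in rrset if r[1].lower() == tag]
    if wildcard and not records:
        records = [r for r in rrset if r[1].lower() == "issue"]  # issuewild falls back to issue
    if not records:
        return True  # RRset holds only iodef etc.: no issuance restriction

    for _, _, value in records:
        issuer, params = parse_issue_value(value)
        if issuer != ca.lower():
            continue
        allowed = params.get("validation-methods")
        if allowed is None:
            return True  # CA is named and no method restriction is given
        if method.lower() in [m.strip().lower() for m in allowed.split(",")]:
            return True
    return False


if __name__ == "__main__":
    for host, meth in [("www.example.com", "dns-01"), ("www.example.com", "http-01"),
                       ("api.example.com", "http-01"), ("*.example.com", "dns-01")]:
        print(host, meth, issuance_permitted(SAMPLE_ZONE, host, "letsencrypt.org", meth))
```

Note how `api.example.com` ends up unrestricted: the child RRset is the only one consulted, so a per-name override silently drops the parent's method restriction. That is the "most specific record wins" behaviour described above, and it is worth checking every subdomain that carries its own CAA records when the goal is to restrict validation methods zone-wide.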
@mnordhoff’s got it exactly right: There is an IETF draft in progress. A helpful contributor implemented it for us. We merged it, but there was a bug so we backed it out. Not currently implemented.
I expect we'll revisit implementing this once the dust has settled a bit with the V2 API and Wildcards. I'm certainly interested in having this feature implemented one day.