Question about wildcard certs


Hi, I’m working on a project to make some zones with various intentional DNSSEC failures in order to learn how to properly test for DNSSEC validation support in Python (working on a project where a working DNSSEC enforcing resolver running on localhost is important).

While not absolutely necessary, I’d like to run corresponding websites so people can test their browsers.

With DNSSEC failures, Let’s Encrypt won’t be able to verify the IP address but the parent zone will NOT have DNSSEC errors and is under my control.

So in theory, could I get a L.E, wilcard for * and have it work where the subdomains in the * is actually in a delegated child zone - or is that against certificate issuance policy for wildcard certificates?

That lists what I am doing with the delegated zones.


I haven’t read the GitLab yet, but that sounds fine.

Keep in mind that Let’s Encrypt has to be able to resolve's TXT record set and's CAA record set.

But it’s fine if other subdomains don’t work.

The CA software doesn’t explicitly check for, and Let’s Encrypt doesn’t have a policy preventing, subdomain delegations.

(April edit: s/GitHub/GitLab/.)


Thanks, I didn’t think there would be a way for certbot to check to see if delegations exist but if there is a policy against it, I do not want to violate that.

closed #4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.