Hi @jhawkins! Yep, the university model of deeply nested and highly delegated subdomains is definitely something we’ve thought about and would like to figure out the best approach to. Maybe I can flip the question around and ask: What would be your ideal way to handle the situation be? At any given threshold, it’s likely that some of the time, someone in one of the departments will burn through it. Consider, for instance, someone in the CS department experimenting with Let’s Encrypt who sets up a client to issue certificates for each of 1-1000.mydomain.uni.edu. Is there a good, scalable way of “walling off” different entities within the university so they can’t chew up each others’ rate limits? I’ve been trying to think of some way to use CAA DNS records to indicate boundaries, but haven’t come up with anything conclusive yet.
2 Likes