Is it possible to restrict/limit verification for my domain to only the DNS-01 challenge? I don’t see any mention of this at Challenge Types, so I guess not. I’d like to request this feature then.
My rationale is that I’d like the option of not “blessing” IP-based security by providing certificates based on it. I’d rather allow only the DNS-01 challenge with DNSSEC. Not only could my ISP be compromised (or a route be hijacked) but I run some services on my home, dynamic IP-based Internet connection. The IP leases don’t last forever. If say my equipment goes down for a while, the lease could expire while my DNS still points to an IP that’s no longer mine. Some other customer can get my IP and then a certificate for my domain name.
I suppose I could use at least three mitigations for this:
- I can set up some kind of “dead man’s switch” to remove the DDNS entry if my server doesn’t check in, and arrange for heartbeat time < kill + DNS propagation time < lease time.
- I can watch the certificate transparency logs so I can know if this attack happens.
- I can pin my public key.
but the first two are cron jobs I have to keep maintaining to be secure, and the third has its own problems. It seems more approachable to do something once ahead of time (like add a configuration TXT record) instead.
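
The timing constraint from the first mitigation, worked through in Python as an added example that is not part of the original post. The watchdog run period, the field names and all numbers are constructed assumptions, and `lease` is assumed to mean the shortest time after an outage before the IP can be reassigned.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Timing:
    heartbeat: int     # seconds between check-ins from the home server
    kill_after: int    # silence after which the watchdog removes the DDNS record
    check_period: int  # how often the watchdog (for example a cron job) runs
    dns_ttl: int       # worst-case time resolvers keep serving the removed record
    lease: int         # assumed shortest time after an outage before the IP is reassigned

    def worst_case_gone(self) -> int:
        """Seconds after the last heartbeat until no resolver returns the old IP."""
        return self.kill_after + self.check_period + self.dns_ttl

    def problems(self) -> list[str]:
        """Check heartbeat < kill + DNS propagation < lease, counting watchdog delay."""
        found = []
        if self.heartbeat >= self.kill_after:
            # Stricter than the post's left-hand inequality: a single late
            # check-in must not be enough to pull the record.
            found.append("kill_after must exceed heartbeat")
        overshoot = self.worst_case_gone() - self.lease
        if overshoot >= 0:
            found.append(f"stale record can outlive the lease by {overshoot} s")
        return found


def watchdog_tick(now: int, last_heartbeat: int, t: Timing) -> str:
    """One watchdog run: act only on the age of the last check-in."""
    return "remove_record" if now - last_heartbeat >= t.kill_after else "keep"


def simulate_outage(t: Timing, last_heartbeat: int, first_tick: int) -> int:
    """Server dies right after last_heartbeat; return when the old IP is gone from caches."""
    now = first_tick
    while watchdog_tick(now, last_heartbeat, t) == "keep":
        now += t.check_period
    return now + t.dns_ttl


# Constructed sample values (seconds), not taken from the post.
GOOD = Timing(heartbeat=300, kill_after=900, check_period=60, dns_ttl=300, lease=3600)
BAD = Timing(heartbeat=300, kill_after=900, check_period=300, dns_ttl=3600, lease=3600)

if __name__ == "__main__":
    print("GOOD:", GOOD.problems() or "ok", "| gone at", simulate_outage(GOOD, 1000, 1030))
    print("BAD: ", BAD.problems())
```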