Is it possible to restrict/limit verification for my domain to only the DNS-01 challenge? I don’t see any mention of this at Challenge Types, so I guess not. I’d like to request this feature then.
My rationale is that I’d like the option of not “blessing” IP-based security by providing certificates based on it. I’d rather allow only the DNS-01 challenge with DNSSEC. Not only could my ISP be compromised (or a route be hijacked) but I run some services on my home, dynamic IP-based Internet connection. The IP leases don’t last forever. If say my equipment goes down for a while, the lease could expire while my DNS still points to an IP that’s no longer mine. Some other customer can get my IP and then a certificate for my domain name.
I suppose I could use at least three mitigations for this:
I can set up some kind of “dead man’s switch” to remove the DDNS entry if my server doesn’t check in, and arrange for heartbeat time < kill + DNS propagation time < lease time.
but the first two are cron jobs I have to keep maintaining to be secure, and the third has its own problems. It seems more approachable to do something once ahead of time (like add a configuration TXT record) instead.
What would happen if I had set the “validationmethods” parameter on a production domain CAA right now? Would LE production simply ignore it, or fail the validation?
The CAA RFCs just say that the semantics of parameters are entirely up to the CA.
Let’s Encrypt – or the ACME WG – could decide that unknown parameters should block issuance, or even define some kind of “parameterscritical” parameter.
But the CAA RFCs do not prescribe anything about parameters.
(Note: I only skimmed RFC 8659 and did not check the BRs.)