Secure Delegation for Service Hosting Across Domains

mimi89999 · August 14, 2025, 9:57pm

I think that @petercooperjr summarized the issue well:

There are two possibilities here:

The client expects a certificate for example.com. If some-other-host.example.net is third-party hosted, that brings the practical challenges of obtaining such a certificate that I described in my initial post.
The client expects a certificate for some-other-host.example.net. In this case, a MITM attack could simply redirect the client to evil.com, and it would connect without complaint.

Also, there was no further comment from @aarongable in that thread.

Topic		Replies	Views
Handling of DNS SRV types (XMPP) with HTTP challenge? Feature Requests	25	717	September 3, 2024
[Suggestion] Let's Encrypt operated, TXT-only DNS Hosting for DNS challenges Feature Requests	19	8849	February 14, 2018
Shouldn't verification via DNS record be a priority? Issuance Tech	62	40942	August 25, 2016
Subdomains or SAN additions and DNS validation Help	22	2696	June 25, 2022
Service that automatically provisions CNAME redirection for DNS challenges Client dev	39	4100	December 21, 2018