Shouldn't verification via DNS record be a priority?


If we could get the ability to change the port using that SRV, I am all into it. I could tell it to use some port I don't really use and then forward that to my Raspi, while my PC doesn't care at all about anything.


It seems that the dns-01 challenge is currently not offered by the server running at: even though the implementation is already in boulder. Is there already a timeline for when this authorization method will be available?

What is not exactly clear is whether the authorization of a domain through a dns-01 challenge implies the authorization of all hosts (excluding subdomains) under this domain, possibly even for host names which do not (yet) have a DNS record?



I'm also very interested in DNS validation (or DNS SRV records). Is there any news on this?


@Euclid in that case they could also issue wildcards.


Any news on where this might sit on the priorities list now that you’re in public beta?


It’s very high on our priorities list now. :slight_smile:


That's nice, then I will be able to get my certs soon without hassle, because doing it manually over SSH (Windows PC with XAMPP, nothing supporting that) from my Raspi for like 14 domains is annoying. I'd rather just bind a hash of my public key or whatever to it.


[quote="jsha, post:23, topic:604"]
It's very high on our priorities list now. :smile:
[/quote]
That is awesome news :sunglasses:


It truly is. Also, if possible, try to make it a static identifier linked to the account, so that as long as I don't take the record out I can get my certs. Also include subdomains, please.


You might want to think this through. It’s a horrible idea in the form you are suggesting.


Why that?
It's not as if someone can inject their account keys into my DNS.


Bad option to allow it for an unlimited time period. It might be okay for 7-14 days, though, and only for a specific account public key to issue.

But if the certificate authority isn't checking the record against some other signifier, like the account public key, then anyone could get a cert for your domain, as the validation would continue to work.
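The account-key binding this post asks for is what the ACME dns-01 challenge builds in: the TXT value a client publishes is derived from both the CA-issued token and the thumbprint of the account's public key, so a record placed for one account does not validate a challenge from another account. The following Python is an added example, not code from this thread or from Let's Encrypt/boulder; it follows the dns-01 construction in the ACME specification (RFC 8555, using the JWK thumbprint of RFC 7638). The account keys, the token and the zone contents are constructed placeholders, not real key material, and `lookup_txt` stands in for a real DNS resolver.

```python
import base64
import hashlib
import json


def b64url(data):
    """Base64url encoding without '=' padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: only the required members of the key type,
    lexicographically ordered, serialized without whitespace, then SHA-256.
    Extra members such as 'kid' or 'alg' are deliberately ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """token '.' thumbprint(accountKey): this is what ties the challenge to one account."""
    return token + "." + jwk_thumbprint(account_jwk)


def dns01_record(domain, token, account_jwk):
    """Name and TXT value the client must publish for a dns-01 challenge."""
    name = "_acme-challenge." + domain
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return name, b64url(digest)


def ca_validate(domain, token, account_jwk, lookup_txt):
    """CA side: recompute the expected value from the CA's own copy of the token
    and the account key that requested the authorization, then compare against
    what DNS actually serves. lookup_txt(name) returns a list of TXT strings."""
    name, expected = dns01_record(domain, token, account_jwk)
    return expected in lookup_txt(name)


# Constructed placeholders (not real keys): two distinct ACME accounts.
OWNER_JWK = {"kty": "RSA", "e": "AQAB", "n": "owner-modulus-placeholder"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "other-modulus-placeholder"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed, token-shaped value
DOMAIN = "example.com"


def demo():
    """The domain owner publishes the record for their own account; the same
    record does not satisfy a challenge issued to a different account."""
    name, value = dns01_record(DOMAIN, TOKEN, OWNER_JWK)
    zone = {name: [value]}  # constructed stand-in for the authoritative zone
    lookup = lambda n: zone.get(n, [])
    owner_ok = ca_validate(DOMAIN, TOKEN, OWNER_JWK, lookup)
    other_ok = ca_validate(DOMAIN, TOKEN, OTHER_JWK, lookup)
    return name, value, owner_ok, other_ok


if __name__ == "__main__":
    record_name, record_value, owner_ok, other_ok = demo()
    print(record_name, record_value, owner_ok, other_ok)
```

Because the CA hashes the token together with the account thumbprint, a stale or leaked TXT record is only useful to the account key that produced it, and only for the token the CA handed out for that specific authorization; publishing a bare account identifier in DNS, as proposed earlier in the thread, would drop the per-challenge token and with it the time bound the post above is asking for.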


Well, LE already uses the account keys for keeping the validation valid for 10 months, that is a fact, so I think they will check the account keys. And if LE would check whether I have the correct private key for the public key in the DNS, then (as long as I don't lose my keys) it should be pretty secure.


+1 for DNS verifications
It will be super easy to implement with Amazon Route53 :sunglasses:


Am I missing something here?
The authenticator service is already using a DNS A record to verify the IP for ownership. How much extra programming is required to check an SRV record?

If someone else has access to my DNS setup, I would guess that they also would have no problem adding false A records.


I have been following letsencrypt for a couple of days now, and looking through the available information I must say THANK YOU! Thank you for the great start of (what I hope will be) a great service in the future. I have also already been looking towards implementing letsencrypt certificates all around our shared hosting, but for that I would really love the DNS verification option; I hope this will be implemented soon.

Again thank you for the great work and keep it up!


+1, need this badly.

Making an API call to Route53 to create an SRV or TXT record is much easier than file-based auth.


:+1: here, too. Would strongly prefer to authenticate via DNS.


Excellent, it’s so much more convenient than uploading files to the webserver. Hope this gets released soon!!


+1 Looking forward to the release of this functionality as this method would be far easier for us using Route53