Ever since I issued my first wildcard (March 13, the day they went live) I have been surprised by how DNS-01 handles verification. Challenges for the root domain and the wildcard (*.example.com) need the same TXT hostname (_acme-challenge.domain.tld), which doesn't seem right, especially considering how critical a wildcard cert can be.
- If this is all about automation, why aren’t more DNS entries required?
- Is a TXT entry on the root domain sufficient?
- Are there any revisions planned for the DNS-01 challenge?
I believe the answers to these questions are more than justified, but I couldn't stop thinking about these issues. Thanks for your time.
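As an added example (not part of the post and not Let's Encrypt's own code), the following script works out which TXT records an ACME client must publish for a set of DNS-01 authorizations, following RFC 8555 §8.4 (the leading `*.` is stripped before `_acme-challenge` is prepended) and RFC 7638 for the account key thumbprint. It shows the behaviour the post describes: `example.com` and `*.example.com` collapse to one TXT name, so two distinct TXT values must coexist at `_acme-challenge.example.com`. The account key and tokens are constructed sample values, not real ones.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555 §8.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically sorted, serialised without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record_name(identifier: str) -> str:
    """Validation domain name for DNS-01 (RFC 8555 §8.4): drop a leading
    '*.' wildcard label, then prepend _acme-challenge. This is why the root
    domain and its wildcard share one TXT hostname."""
    domain = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + domain.rstrip(".")


def dns01_record_value(token: str, jwk: dict) -> str:
    """TXT value: base64url(SHA-256(token '.' thumbprint)) per RFC 8555 §8.4."""
    key_authorization = token + "." + jwk_thumbprint(jwk)
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def required_txt_records(authorizations, jwk: dict) -> dict:
    """Map each TXT name to every value that must be published at it.
    authorizations: iterable of (identifier, token) pairs, one per authorization.
    Each authorization gets its own token, so the same name may carry several values."""
    records: dict = {}
    for identifier, token in authorizations:
        records.setdefault(dns01_record_name(identifier), []).append(
            dns01_record_value(token, jwk))
    return records


# Constructed sample account key and tokens (illustrative only, not a real key).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_AUTHZ = [("example.com", "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"),
                ("*.example.com", "kIsbHGaV6Hh_UnxRAbd7z5-gE6G_2EuF6nJ2p4eQxP8")]

if __name__ == "__main__":
    for name, values in required_txt_records(SAMPLE_AUTHZ, SAMPLE_JWK).items():
        for value in values:
            print(f'{name}. IN TXT "{value}"')
```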