Hello! I’d like to get some feedback on next steps for a challenge I’ve run into when trying to get wildcard certs, which require the DNS-01 challenge type. The way this challenge is designed, it currently requires proving you have ownership over the specific domain by updating your DNS to include `_acme-challenge.<domain-name>` as a TXT record. But this is not scalable for services that would like to automate certificates for every subdomain in a given zone.
For example, take a hypothetical service which hosts content for users at `example.com`. It can easily get a wildcard cert for `*.example.com` that covers all users of that service. But to allow users to put other content at `*.<user>.example.com`, we’d have to add a TXT record at the user’s subdomain, and do this for every user on the service (e.g. `_acme-challenge.<user>.example.com`). This will quickly run into some limitations at scale:
- The number of records a given DNS Zone allows
- API rate limits for the amount of DNS updates that would be needed when you have to continuously renew these certificates for every user of your service in that zone.
When a provider controls an entire DNS zone with a wildcard DNS record, I wonder if it would be possible to relax this challenge to allow wildcard certs to be issued for any subdomain in that zone. With a wildcard DNS entry, `a.b.c.d.e.example.com` will always resolve to the same servers as `user.example.com`, so it seems like it should be reasonably secure to get a certificate for any subdomain in that zone without having to add separate records for each.
Thoughts on this problem? Are there workarounds for this that maybe I’m missing? Happy to discuss in a more formal RFC/proposal if that’s what’s needed here. Thanks for your time!
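To make the mechanics of the challenge concrete, here is an added Python example (not from the original post or from any ACME client) that derives the `_acme-challenge` owner name and TXT value the way RFC 8555 section 8.4 and RFC 7638 specify, producing one record per per-user wildcard; the account key, the tokens and the `records_for_users` helper are constructed for illustration.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 8555 requires throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an ACME account key: SHA-256 over the required
    public members only, lexicographically ordered, with no whitespace.
    Optional members such as 'kid' or 'use' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple[str, str]:
    """Return (TXT owner name, TXT value) for a DNS-01 challenge on `identifier`
    (RFC 8555 section 8.4). The leading '*.' of a wildcard identifier is dropped,
    so '*.user.example.com' is validated at '_acme-challenge.user.example.com'."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


def records_for_users(tokens: dict, jwk: dict) -> dict:
    """TXT records needed to obtain one '*.<user>.example.com' cert per user.
    `tokens` maps each user to the token the CA issued for that authorization;
    the result is one distinct record per user, the scaling cost described above."""
    return dict(dns01_record(f"*.{user}.example.com", token, jwk)
                for user, token in tokens.items())


# Constructed placeholder account key and tokens; not real key material.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructed-x-coordinate-base64url",
               "y": "constructed-y-coordinate-base64url",
               "kid": "https://acme.example/acct/1"}
TOKENS = {"alice": "constructed-token-alice", "bob": "constructed-token-bob"}

if __name__ == "__main__":
    for name, value in records_for_users(TOKENS, ACCOUNT_JWK).items():
        print(f'{name}. IN TXT "{value}"')
```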