BTW, cache poisoning is, however, an idea ACME should consider, so that it could mandate verification by CA backends of all DNS verification lookups via unrelated sources.

I.e., I submit an http-01 auth for www.my.com. The CA looks up www.my.com on its local DNS and performs the verification; it also looks up www.my.com via Google DNS and OpenDNS to verify that the returned IP(s) match. If differences occur, either:
- fail and demand another auth method, OR
- verify via every IP returned to ensure none is the result of a poisoned local cache.

(Keep the alternate sources of DNS unlisted so the attacker has a harder time poisoning all 3.) (Differences might occur normally with some CDN load-balancing systems.)

Worth thinking about?

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
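The cross-check sketched in the post above, as an added example that is not part of the original message and not code from any ACME CA: resolve the name through the CA's local resolver and through unrelated resolvers, then either refuse http-01 on disagreement or validate against every returned address. Both resolvers and the challenge fetch are stubbed with constructed tables (documentation-range addresses, a made-up key authorization) so it runs offline; the hostname www.my.com is the one from the post. The scenarios below are constructed: one where the local cache is poisoned and one where a CDN returns different edges to different resolvers.

```python
# Multi-resolver cross-check before ACME http-01 validation (illustrative;
# resolvers and HTTP fetches are stubbed with constructed data so this runs
# offline; a real CA would query its cache plus out-of-band resolvers and
# fetch /.well-known/acme-challenge/<token> from each candidate address).
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Mapping

Resolver = Callable[[str], FrozenSet[str]]      # name -> set of addresses
ChallengeFetcher = Callable[[str, str], str]    # (ip, host) -> body served


@dataclass(frozen=True)
class CrossCheck:
    consistent: bool                              # every alternate agreed with local
    candidate_ips: FrozenSet[str]                 # addresses the CA must validate
    disagreements: Dict[str, FrozenSet[str]] = field(default_factory=dict)


def cross_check(name: str, local: Resolver, alternates: Mapping[str, Resolver],
                on_mismatch: str = "validate_all") -> CrossCheck:
    """Resolve `name` via the local resolver and every alternate resolver.
    on_mismatch="fail": refuse http-01 when any alternate disagrees.
    on_mismatch="validate_all": continue against the union of all answers, so
    a poisoned local cache cannot hide the genuine host from the CA."""
    local_ips = local(name)
    answers = {label: r(name) for label, r in alternates.items()}
    disagreements = {label: ips ^ local_ips
                     for label, ips in answers.items() if ips != local_ips}
    if not disagreements:
        return CrossCheck(True, local_ips)
    if on_mismatch == "fail":
        return CrossCheck(False, frozenset(), disagreements)
    return CrossCheck(False, local_ips.union(*answers.values()), disagreements)


def validate_http01(name: str, ips: FrozenSet[str], expected: str,
                    fetch: ChallengeFetcher) -> bool:
    """http-01 passes only if *every* candidate address serves the expected
    key authorization. An attacker who poisoned the CA's cache controls their
    own address but not the genuine host, so the genuine host fails the check."""
    if not ips:
        return False
    return all(fetch(ip, name) == expected for ip in ips)


# ---- constructed scenarios (not real data) ----
KEY_AUTHZ = "constructed-token.constructed-thumbprint"


def make_resolver(table: Mapping[str, FrozenSet[str]]) -> Resolver:
    return lambda name: table.get(name, frozenset())


# Scenario 1: the CA's local cache is poisoned to 203.0.113.7 (attacker box);
# the unlisted alternate resolvers still return the genuine 198.51.100.10.
POISONED_LOCAL = make_resolver({"www.my.com": frozenset({"203.0.113.7"})})
HONEST_ALTS = {
    "alt-a": make_resolver({"www.my.com": frozenset({"198.51.100.10"})}),
    "alt-b": make_resolver({"www.my.com": frozenset({"198.51.100.10"})}),
}


def attack_fetch(ip: str, host: str) -> str:
    # only the attacker's box serves the challenge; the genuine host 404s
    return KEY_AUTHZ if ip == "203.0.113.7" else "404"


# Scenario 2: benign CDN load balancing; resolvers see different edge nodes,
# all of which belong to the legitimate operator and serve the challenge.
LOCAL_CDN = make_resolver({"www.my.com": frozenset({"192.0.2.10"})})
CDN_ALTS = {
    "alt-a": make_resolver({"www.my.com": frozenset({"192.0.2.11"})}),
    "alt-b": make_resolver({"www.my.com": frozenset({"192.0.2.10", "192.0.2.12"})}),
}


def cdn_fetch(ip: str, host: str) -> str:
    return KEY_AUTHZ if ip.startswith("192.0.2.") else "404"


def run_scenarios() -> Dict[str, bool]:
    poisoned = cross_check("www.my.com", POISONED_LOCAL, HONEST_ALTS)
    cdn = cross_check("www.my.com", LOCAL_CDN, CDN_ALTS)
    return {
        # strict policy: any disagreement -> demand another auth method
        "poisoned_fail_policy": cross_check("www.my.com", POISONED_LOCAL,
                                            HONEST_ALTS, "fail").consistent,
        # lenient policy: validate every returned IP; genuine host fails it
        "poisoned_validate_all": validate_http01("www.my.com", poisoned.candidate_ips,
                                                 KEY_AUTHZ, attack_fetch),
        # CDN case: every edge serves the token, so validation still succeeds
        "cdn_validate_all": validate_http01("www.my.com", cdn.candidate_ips,
                                            KEY_AUTHZ, cdn_fetch),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label}: {'PASS' if result else 'FAIL'}")
```

The "validate every IP" branch is what lets the CDN case through while still stopping the poisoning case: the attacker can serve the key authorization from their own address but cannot make the genuine host serve it, so requiring all candidates to pass is the decisive check. The "fail" branch is the stricter option from the post and would reject the CDN case as well.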
