One of my colleagues recently pointed out a potential interaction between
HTTPS RRs (RFC 9460) as it relates to ACME and HTTP-01 DV. If a hostname
gets an HTTPS RR into DNS prior to getting a cert validated, then there
would be a problem if the ACME client resolved the HTTPS RR and
auto-upgraded th
On Tue, Apr 15, 2025 at 7:08 PM Stephen Farrell wrote:
>
> Hiya,
>
> On 15/04/2025 23:50, Erik Nygren wrote:
> > Thanks. I went ahead and filed an errata for this.
>
> That adds: "(The HTTP client must not resolve and/or must ignore
> any HTTPS DNS RRs [RFC 9460].)"
>
> Is that correct? What abo
Thanks. I went ahead and filed an errata for this.
Erik
On Tue, Apr 15, 2025 at 6:10 PM Michael Richardson wrote:
>
> Erik Nygren wrote:
> > One of my colleagues recently pointed out a potential interaction between
> > HTTPS RRs (RFC 9460) as it relates to ACME and HTTP-01 DV.
The following errata report has been submitted for RFC8555,
"Automatic Certificate Management Environment (ACME)".
--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8381
--
Type: Technical
Report
Hiya,
On 15/04/2025 23:50, Erik Nygren wrote:
Thanks. I went ahead and filed an errata for this.
That adds: "(The HTTP client must not resolve and/or must ignore
any HTTPS DNS RRs [RFC 9460].)"
Is that correct? What about aliasMode or different ports? Are we
insisting that ACME servers igno
Erik Nygren wrote:
> One of my colleagues recently pointed out a potential interaction between
> HTTPS RRs (RFC 9460) as it relates to ACME and HTTP-01 DV. If a hostname
> gets an HTTPS RR into DNS prior to getting a cert validated, then there
> would be a problem if the ACME clie