Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mastodon.social/users/tykling/statuses/111415848466985250">Thomas Steen Rasmussen (tykling@mastodon.social)'s status on Thursday, 16-Nov-2023 03:39:40 JST</a><a href="https://mastodon.social/@tykling" title="tykling@mastodon.social"><img src="https://gnusocial.jp/avatar/213246-48-20231115171141.webp" width="48" height="48" alt="Thomas Steen Rasmussen" style="position: absolute; left: 0; top: 0;">Thomas Steen Rasmussen</a><div><a href="https://bikeshed.party/objects/0d76e15f-c089-4c1f-8a5d-9ae5790b3a29" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://bikeshed.party/users/feld">@feld</a> I agree that DNS-01 should be pushed, and pinned. ACME tools should check for CAA records and recommend they be added.</p><p>But IMO you should never let any tool on an internet-facing server edit your zone directly, or an attacker compromising the server can also edit your zone.</p><p>Instead you should make CNAMEs for the _acme-challenge records to a dedicated subzone which is used exclusively for ACME challenges. This has all the advantages of DNS-01, but doesn't hand over control of your zone :)</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2332221#notice-4603594">In conversation</a><time datetime="2023-11-16T03:39:40+09:00" title="Thursday, 16-Nov-2023 03:39:40 JST">Thursday, 16-Nov-2023 03:39:40 JST</time> <span>from <span><a href="https://mastodon.social/@tykling/111415848466985250" rel="external" title="Sent from mastodon.social via ActivityPub">mastodon.social</a></span></span><a href="https://mastodon.social/@tykling/111415848466985250">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Thomas Steen Rasmussen (tykling@mastodon.social)'s status on Thursday, 16-Nov-2023 03:39:40 JSTThomas Steen Rasmussen
in reply to
- feld
@feld I agree that DNS-01 should be pushed, and pinned. ACME tools should check for CAA records and recommend they be added.
But IMO you should never let any tool on an internet-facing server edit your zone directly, or an attacker compromising the server can also edit your zone.
Instead you should make CNAMEs for the _acme-challenge records to a dedicated subzone which is used exclusively for ACME challenges. This has all the advantages of DNS-01, but doesn't hand over control of your zone :)
In conversationThursday, 16-Nov-2023 03:39:40 JST from mastodon.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice