(community.letsencrypt.org)

314 points Bogdanp | 3 comments | 25 Jun 25 16:21 UTC | HN request time: 0s | source

Show context

Hizonner ◴[25 Jun 25 18:37 UTC] No.44380527[source]▶

>>44379034 (OP) #

So does anybody have a pointer to the official justification for this insanity?

replies(2): >>44380597 #>>44380926 #

1. fredfish ◴[25 Jun 25 18:44 UTC] No.44380597[source]▶

>>44380527 #

https://github.com/cabforum/servercert/pull/579/commits

</s?

replies(1): >>44380808 #

2. Hizonner ◴[25 Jun 25 19:03 UTC] No.44380808[source]▶

>>44380597 (TP) #

I'm sorry, but how is "Require validation of DNSSEC (when present) for CAA and DCV Lookups" related to issuing X.509 certs that include IP address SANs? I don't see any connection, and I didn't spot anything about it on a quick skim of the comments.

replies(1): >>44381269 #

3. fredfish ◴[25 Jun 25 19:56 UTC] No.44381269[source]▶

>>44380808 #

Anything from people who are afraid of increasingly onerous DNS requirements to breakage because they can't fix their parent domains DNSSEC misconfiguration. It seems like an interesting timing coincide to me so I wonder if there's some (ir)rational explanation. (Implementing a new SAN that must inherently have the gap you are finally addressing is not a bit funny to you?)

↑

Getting ready to issue IP address certificates