On Mar 24, 2026, at 01:47, Seo Suchan <[email protected]> wrote: > someone on Let's encrypt forum wanted to add an extension to this to limit > validation to be from a specific IP. > https://community.letsencrypt.org/t/dns-persist-01-add-ability-to-filter-request-ip/246091 > > I personally think it'd be better be a extension of RFC8657 than specific for > dns-persist-01 but still interesting proposal to discuss here.
Thanks for the pointer. The forum poster wants source IP restrictions to replace the DNS API key that dns-persist-01 removes from the issuance path. The problem is that source IP does not work as an independent second factor. CDN and cloud IP ranges are shared infrastructure. If the legitimate client's requests traverse a CDN, an attacker with the stolen key routes through the same CDN and arrives from the same IP range. The constraint does not distinguish between the legitimate client and an attacker on the same network. For dedicated infrastructure with a static IP the constraint is stronger, but it also reintroduces the DNS maintenance dependency that dns-persist-01 was designed to remove. This applies regardless of where the parameter lives — dns-persist-01 TXT record or CAA. Shiloh
_______________________________________________ Acme mailing list -- [email protected] To unsubscribe send an email to [email protected]
