Keep the same DNS challenge string for renewals?
Hi, we've got some internal-only sites we would like to protect, and DNS verification seems to match nicely. We do not have a nice way to restrict DNS API access to just the TXT records we need, and we would prefer not to have the complication of the "throwaway dns with cname" workaround. Is it possible to manually set the TXT record once for setup, and then renew on the same record going forward, like AWS Cert Manager?
-
Hi Captain Mish
The value provisioned as the TXT record is the digest of the key authorization (see more here: https://tools.ietf.org/html/rfc8555#section-8.4 and https://tools.ietf.org/html/rfc8555#section-8.1).
It is composed partly of a random value, and it “MUST NOT be used for more than 30 days” according to the Baseline Requirements (3.2.2.4.19 in https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.1.pdf).
Once a domain is authorized by the client, the authorization may be used for some time to issue certificates. However, if the authorization expires, a new challenge will be generated, and thus the TXT record should be generated using the new token.
Regards,
Andriy
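To make the derivation in the reply above concrete, here is an added Python example (not code from the thread or from any ACME client) that computes the dns-01 TXT value exactly as RFC 8555 sections 8.1 and 8.4 describe: an RFC 7638 thumbprint of the account key, the key authorization `token.thumbprint`, and the base64url SHA-256 digest that goes into `_acme-challenge`. The account JWK and the tokens are constructed sample values (the EC coordinates are not a real curve point); only the structure of the computation matters here. Running it shows why the record cannot be pinned: every challenge carries a fresh random token, and the TXT value changes with it.

```python
import base64
import hashlib
import json
import secrets

# Constructed sample account key (public half only). The x/y values are
# placeholders, not a valid P-256 point; the thumbprint only needs the strings.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "aGVsbG8taGVsbG8taGVsbG8taGVsbG8taGVsbG8taGVsbG8",
    "y": "d29ybGQtd29ybGQtd29ybGQtd29ybGQtd29ybGQtd29ybGQ",
    "alg": "ES256",          # not part of the thumbprint input
    "kid": "acct-example",   # not part of the thumbprint input
}

# RFC 7638 lists exactly which members are hashed for each key type.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """Required members only, lexicographically ordered keys, no whitespace (RFC 7638 section 3)."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of the public key))."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def new_challenge_token() -> str:
    """Server side: a fresh random token per challenge (RFC 8555 asks for >= 128 bits of entropy)."""
    return b64url(secrets.token_bytes(32))


def dns01_record_matches(published_txt: str, token: str, account_jwk: dict) -> bool:
    """Validator side: the published TXT value must equal the one derived from *this* challenge's token."""
    return secrets.compare_digest(published_txt, dns01_txt_value(token, account_jwk))


if __name__ == "__main__":
    # Two challenges for the same account and the same name: same thumbprint,
    # different token, therefore a different TXT value each time.
    first_token = new_challenge_token()
    second_token = new_challenge_token()
    first_txt = dns01_txt_value(first_token, SAMPLE_ACCOUNT_JWK)
    second_txt = dns01_txt_value(second_token, SAMPLE_ACCOUNT_JWK)
    print("account thumbprint :", jwk_thumbprint(SAMPLE_ACCOUNT_JWK))
    print("_acme-challenge TXT (challenge 1):", first_txt)
    print("_acme-challenge TXT (challenge 2):", second_txt)
    # The record left over from challenge 1 does not satisfy challenge 2.
    print("old record still valid for new challenge?",
          dns01_record_matches(first_txt, second_token, SAMPLE_ACCOUNT_JWK))
```

The thumbprint is the only stable part of the value, and it identifies the ACME account key rather than the domain; everything else is tied to the token the server generated for that particular challenge. A client that keeps reusing a cached authorization never has to touch DNS again until that authorization expires, which is the closest ACME comes to the fixed-record model the question describes.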