This repository has been archived by the owner on Apr 24, 2020. It is now read-only.

dns-01 walk-up #89

Open
My1 opened this issue Mar 10, 2016 · 2 comments

My1 commented Mar 10, 2016

one of the problems of dns-01 is that it's hard to automate without giving up complete control over the DNS to the LE server, meaning important data like the password (or, in case of "smarter" DNS solutions, an API key, which still has a lot of access). And especially in cases with strict security you might not want to automate everything, because it's more transparent when you do the stuff yourself.
well, let's cut the preamble and get to the point.
one of the key annoyances (aside from using random challenges, see #88) is that you have to add a record for each and every domain, which means that e.g. for a 100-name SAN cert where all names are under 1 domain you have to add and/or change a whole 100 records (and sign the whole stuff when using DNSSEC).
aside from being annoying, this is inefficient, seriously.
my idea would be (based on the current TXT record structure):

_acme-challenge.x.y.example.com 120 IN TXT "9C0DqKC_4MkowIFByHhFaP8u0Zv4z7Wz2IHM91lTKec"

that the following will be used instead:

_acme-challenge.example.com 120 IN TXT "delegate 9C0DqKC_4MkowIFByHhFaP8u0Zv4z7Wz2IHM91lTKec"

combining this with #88 results in

_acme-challenge.example.com 120 IN TXT "delegate key h53FF1QB43DZTQleR4VQQCxl7UQu1AgNAErm791z3DO3lrNMqfbLWsLw80RLHximiAFyY+i8nySyo7LJsbjpaw"

with the order of the flags not mattering ("key delegate" and "delegate key" being treated as the same)
and when checking, for example, x.y.example.com
it goes the following way:
check the challenge records for x.y.example.com; if a valid one is found, stop and mark as complete, if not continue
check the challenge records for y.example.com for delegation-flagged ones; if valid, mark as complete, if not continue.
check example.com for valid delegation challenges; if valid, mark as complete, if not STOP, because com is on the PSL.

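The walk-up described in the comment above, as an added example (not code from the poster or from the ACME specification). It uses a constructed in-memory TXT table in place of a real resolver and a small set standing in for the Public Suffix List; the flag words `delegate` and `key` are the ones the comment proposes, and the two record values are the tokens shown above. The example also covers two cases the comment implies but does not spell out: a non-delegated record at an intermediate name must not cover its children, and a delegation record published at a public suffix must never be honoured.

```python
import hmac

# Constructed example values: the two tokens from the records quoted above.
RANDOM_TOKEN = "9C0DqKC_4MkowIFByHhFaP8u0Zv4z7Wz2IHM91lTKec"
ACCOUNT_KEY = ("h53FF1QB43DZTQleR4VQQCxl7UQu1AgNAErm791z3DO3lrNMqfbLWsLw80RLH"
               "ximiAFyY+i8nySyo7LJsbjpaw")

# Constructed in-memory stand-in for DNS TXT lookups (not a real resolver).
TXT_RECORDS = {
    # per-name record, as in today's dns-01
    "_acme-challenge.x.y.example.com": [RANDOM_TOKEN],
    # zone-wide record carrying both flags, written in "key delegate" order
    "_acme-challenge.example.com": ["key delegate " + ACCOUNT_KEY],
    # a valid token WITHOUT the delegate flag: must not cover names below it
    "_acme-challenge.other.example.com": [RANDOM_TOKEN],
    # a delegation published on a public suffix: must never be honoured
    "_acme-challenge.co.uk": ["delegate " + ACCOUNT_KEY],
}

# Constructed stand-in for the Public Suffix List; the walk stops here.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}

# Flag words proposed in the comment; order is not significant.
FLAGS = {"delegate", "key"}


def parse_txt(rdata):
    """Split a challenge TXT value into (flags, value).

    Leading whitespace-separated words from FLAGS are flags, in any
    order; the first non-flag word starts the value.
    """
    tokens = rdata.split()
    flags = set()
    for i, tok in enumerate(tokens):
        if tok in FLAGS:
            flags.add(tok)
        else:
            return flags, " ".join(tokens[i:])
    return flags, ""


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed table."""
    return TXT_RECORDS.get(name.lower(), [])


def walk_up(hostname, expected, lookup=lookup_txt,
            public_suffixes=PUBLIC_SUFFIXES):
    """Validate `hostname` by walking up the name tree.

    Returns the name whose _acme-challenge record satisfied the check,
    or None.  Only the exact name may match without the delegate flag;
    every ancestor record must carry it; the walk stops at the first
    name that is a public suffix, whose records are never consulted.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for depth in range(len(labels)):
        name = ".".join(labels[depth:])
        if name in public_suffixes:
            return None  # never trust records at or above a public suffix
        for rdata in lookup("_acme-challenge." + name):
            flags, value = parse_txt(rdata)
            if depth > 0 and "delegate" not in flags:
                continue  # ancestor records need explicit delegation
            if hmac.compare_digest(value.encode(), expected.encode()):
                return name
    return None


if __name__ == "__main__":
    for host, exp in [("x.y.example.com", RANDOM_TOKEN),
                      ("a.b.example.com", ACCOUNT_KEY),
                      ("a.other.example.com", RANDOM_TOKEN),
                      ("www.example.co.uk", ACCOUNT_KEY)]:
        print(host, "->", walk_up(host, exp))
```

Note the trust consequence of the delegate flag: a delegation record at the zone apex authorises every name below it for as long as it stays published, so a validator implementing this walk is relying on the apex record being removed or rotated, not on the per-name records that dns-01 uses today.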

hardie commented Apr 4, 2016

Along with #88, proposed at IETF 95 to defer this into an extension specification.


My1 commented Apr 4, 2016

oh nice. can't wait for this to happen, this makes it a lot easier in many ways.

@bifurcation bifurcation added this to the Defer milestone May 10, 2016