Change how the validation label is constructed

aaomidi · Sep 1, 2023 · 2916810 · 2916810
1 parent c5be0e1
commit 2916810
Showing 1 changed file with 3 additions and 15 deletions.
diff --git a/draft-ietf-acme-dns-account-01.mkd b/draft-ietf-acme-dns-account-01.mkd
@@ -120,9 +120,9 @@ A client can fulfill this challenge by performing the following steps:
 
 - Construct a key authorization {{!RFC8555, Section 8.1}} from the `token` value provided in the challenge and the client's account key
 - Compute the SHA-256 digest {{FIPS180-4}} of the key authorization
-- Construct the validation domain name by prepending the following label to the domain name being validated:
+- Construct the validation domain name by prefixing the following label to the domain name being validated:
 
-      "_acme-challenge_" || base32(SHA-256(Account Resource URL)[0:9])
+      "_" || base32(SHA-256(Account Resource URL)[0:9]) || "_acme-challenge_"
 
    - SHA-256 is the SHA hashing operation defined in {{!RFC6234}}
    - `[0:9]` is the operation that selects the first ten bytes (bytes 0 through 9 inclusive) from the previous SHA256 operation
@@ -135,7 +135,7 @@ A client can fulfill this challenge by performing the following steps:
 For example, if the domain name being validated is "www.example.org", and the account URL of "https://example.com/acme/acct/ExampleAccount" then the client would provision the following DNS record:
 
 ~~~
-_acme-challenge_ujmmovf2vn55tgye.www.example.org 300 IN TXT "LoqXcYV8...jxAjEuX0.9jg46WB3...fm21mqTI"
+_ujmmovf2vn55tgye._acme-challenge.www.example.org 300 IN TXT "LoqXcYV8...jxAjEuX0.9jg46WB3...fm21mqTI"
 ~~~
 
 (In the above, "..." indicates that the token and the JWK thumbprint in the key authorization have been truncated to fit on the page.)
@@ -194,18 +194,6 @@ The first 10 bytes were picked as a tradeoff: the value needs to be short enough
 
 # IANA Considerations
 
-## DNS Parameters
-
-The Underscored and Globally Scoped DNS Node Names is to be updated to include the following entry:
-
-~~~
-RR Type: TXT
-_NODE NAME: _acme-challenge_*
-Reference: This document
-~~~
-
-Where `_acme-challenge_*` denotes all node names beginning with the string `_acme-challenge_`. It does NOT refer to a DNS wildcard specification.
-
 ## ACME Validation Method
 
 The "ACME Validation Methods" registry is to be updated to include the following entry: