Change how the validation label is constructed

draft-ietf-acme-dns-account-01.mkd

@@ -122,7 +122,7 @@ A client can fulfill this challenge by performing the following steps:
 - Compute the SHA-256 digest {{FIPS180-4}} of the key authorization
 - Construct the validation domain name by prepending the following label to the domain name being validated:
 
-      "_acme-challenge_" || base32(SHA-256(Account Resource URL)[0:9])
+      "_" || base32(SHA-256(Account Resource URL)[0:9]) || "_acme-challenge"
 
    - SHA-256 is the SHA hashing operation defined in {{!RFC6234}}
    - `[0:9]` is the operation that selects the first ten bytes (bytes 0 through 9 inclusive) from the previous SHA256 operation
@@ -135,7 +135,7 @@ A client can fulfill this challenge by performing the following steps:
 For example, if the domain name being validated is "www.example.org", and the account URL of "https://example.com/acme/acct/ExampleAccount" then the client would provision the following DNS record:
 
 ~~~
-_acme-challenge_ujmmovf2vn55tgye.www.example.org 300 IN TXT "LoqXcYV8...jxAjEuX0.9jg46WB3...fm21mqTI"
+_ujmmovf2vn55tgye._acme-challenge.www.example.org 300 IN TXT "LoqXcYV8...jxAjEuX0.9jg46WB3...fm21mqTI"
 ~~~
 
 (In the above, "..." indicates that the token and the JWK thumbprint in the key authorization have been truncated to fit on the page.)
@@ -194,18 +194,6 @@ The first 10 bytes were picked as a tradeoff: the value needs to be short enough
 
 # IANA Considerations
 
-## DNS Parameters
-
-The Underscored and Globally Scoped DNS Node Names is to be updated to include the following entry:
-
-~~~
-RR Type: TXT
-_NODE NAME: _acme-challenge_*
-Reference: This document
-~~~
-
-Where `_acme-challenge_*` denotes all node names beginning with the string `_acme-challenge_`. It does NOT refer to a DNS wildcard specification.
-
 ## ACME Validation Method
 
 The "ACME Validation Methods" registry is to be updated to include the following entry: