The great virtue of the in-band challenge types is that web servers can just handle them out of the box, without any need for a separate setup step that depends on your stack. I think this has done a heck of a lot to increase adoption of HTTPS.
Also, DNS-PERSIST-01 seems to be coming soon for Let's Encrypt, which should allow even people that can't easily dynamically update their DNS records to get wildcard certs. I assume this might become more widely used than HTTP-01 challenges.
I wish someone would write a blog post about the difference between DNS registrars and DNS hosts, because I've seen people assume they need to use a registrar that has an API in order to change their DNS records programmatically. I used to assume that too.
I agree that it can be confusing. I use RFC 2136 DNS UPDATE with my own DNS server. But for example, for my workplace this new challenge is convenient as they refuse to want to run their own DNS server.
- registrars control NS records, however these can be changed
- NS records control other records
- registrars can also use their own nameservers to manage your DNS