Commit 875d541

Add comment explaining rationale behind domain ownership
1 parent 9e5aa16 commit 875d541

1 file changed

+3
-1
lines changed

internal/api/handlers/v0/auth/dns.go

Lines changed: 3 additions & 1 deletion
@@ -196,7 +196,9 @@ func (h *DNSAuthHandler) buildPermissions(domain string) []auth.Permission {
196196
Action: auth.PermissionActionPublish,
197197
ResourcePattern: fmt.Sprintf("%s/*", reverseDomain),
198198
},
199-
// Grant permissions for all subdomains (e.g., com.example.*)
199+
// DNS implies a hierarchy where subdomains are treated as part of the parent domain,
200+
// therefore we grant permissions for all subdomains (e.g., com.example.*)
201+
// This is in line with other DNS-based authentication methods e.g. ACME DNS-01 challenges
200202
{
201203
Action: auth.PermissionActionPublish,
202204
ResourcePattern: fmt.Sprintf("%s.*", reverseDomain),
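Review bot: The new comment above the `%s.*` entry gives the hierarchy rationale but leaves out the trust assumption it encodes: whoever proves control of the parent domain receives `PermissionActionPublish` for every subdomain namespace, including subdomains that are delegated to or operated by a different party. Please state that assumption in the comment so a reader does not take the grant as limited to names the authenticating party actually operates. It would also help to note that the literal `.` before `*` in `fmt.Sprintf("%s.*", reverseDomain)` is what keeps a sibling name such as `com.examplecorp` outside the pattern, so a later cleanup does not merge this entry with the `%s/*` one. The ACME DNS-01 reference would be clearer if it named the property being compared (control of the zone demonstrated through a DNS record) instead of citing the method as a whole. Style: the second and third comment lines form a run-on; end the sentence after `(e.g., com.example.*)` with a period.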
