| ▲ | patrakov 3 hours ago | |
My preferred procedure is to use DNS-01 validation and have no publicly accessible "A" or "AAAA" record for internal services. Or even a more extreme example: https://crt.sh/?id=27555237869 (sorry for any possible crt.sh downtime) - the domain name in question never existed in public or private DNS by itself. It is used only for a WPA3-Enterprise network, as the CN that WiFi clients expect to be present in the RADIUS server certificate, but never resolve. In the public DNS, only the "_acme-challenge" TXT record exists. | ||
| ▲ | otabdeveloper4 2 hours ago | parent [-] | |
Sounds bonkers. Why not make an overlay LAN and host your own DNS server in 10.0.0.0/8? | ||