The Hidden Security Risk in Certificate Automation

The post explains that reducing certificate validity periods (to 47 days) makes automation mandatory, but this introduces a rarely discussed security risk. During DNS validation, providers require API credentials that often have overly broad permissions, allowing an attacker to modify an entire DNS zone if these credentials are leaked. To mitigate this risk, the post suggests delegating control via a CNAME record pointing to a zone managed by the provider, thus avoiding the need to share sensitive credentials. The IETF is formalizing this approach in a draft standard.