Who benefits from this? Even though Let’s Encrypt stresses that most site operators will do fine sticking with ordinary domain certificates, there are still scenarios where a numeric identifier is the only practical choice:
Infrastructure services such as DNS-over-HTTPS (DoH) – where clients may pin a literal IP address for performance or censorship-evasion reasons.
IoT and home-lab devices – think network-attached storage boxes, for example, living behind static WAN addresses.
Ephemeral cloud workloads – short-lived back-end servers that spin up with public IPs faster than DNS records can propagate.
That’s kind of awesome! I have a bunch of home lab stuff, but have been putting off buying a domain (I was a broke college student when I started my lab and half the point was avoiding recurring costs- plus I already run the DNS, as far as the WAN is concerned, I have whatever domain I want). My loose plan was to stand up a certificate authority and push the root public key out with active directory, but being able to certify things against Let’s Encrypt might make things significantly easier.
I use a domain, but for homelab I eventually switched to my own internal CA.
Instead of having to do
service.domain.tldit’s nice to doservice.lan.Any good instructions you would recommend for doing this?
use the official home.arpa as specified in RFC 8375
FYI you can get a numeric xyz domain for 1$ a year
At least for the first year.
Pretty sure it remains $1. But it’s specifically only 6-9 digit numeric .xyz domains.
Setting up a root and a immediate CA is significantly more fun though ;) It’s also teaches you more about PKI which is a good skill to have.
but for the love of god and your own benefit, put a name constraint directly on the root cert