[victorheld]

Couldn't they just get a wildcard cert for "*.has-a.name"?

[cortesoft]

And give it to everyone?

[VWWHFSfQ]

not sure what you mean by give it to everyone. who are they giving it to?

[RKearney]

Anyone who then wants their site accessible through this. It’s not a proxy, they’re just returning your IPv6 address based on what subdomain you type.

In order for a wildcard to work, every single user of the service needs the private key for that wildcard certificate.

[VWWHFSfQ]

I feel like I'm missing something. How is this different than AWS providing a wildcard certificate for every S3 bucket via https://<bucket>.s3.amazonaws.com. Is it the same thing?

[treysis]

Yes, you are missing something: S3 bucket resolves to Amazon's servers. <ipv6>.has-a.name resolves to the ip address specified in <ipv6>. You will have to install the certificate on the actual server that serves the webpage. For S3 bucket this is Amazon, so they can put their certificate. For your own IP, you need to install the certificate yourself, so they would have to hand you their private key as well, which is not allowed.

[hitpointdrew]

Yup. This is one thing I hate about AWS. Oh sure make it nice and easy to use the wildcard cert on any AWS infrastructure. But what if you want to use that wild card cert somewhere else? Too bad. AWS holds the private key for your wildcard cert, and they don't give it to you. They hold it hostage on their server.

[RKearney]

Because that DNS entry resolves to an Amazon owned servers which have the certificate and key. This service resolves the DNS entries to your own server, meaning requests would hit your server which would require your server respond with the signed certificate and have control of the accompanying private key.