fix(dns-account-01): update validation domain to remove scope per draft-ietf-acme-dns-account-label-00

Author: sheurich

va/va.go

@@ -365,13 +365,14 @@ func (va VAImpl) validateDNS01(task *vaTask) *core.ValidationRecord {
 }
 
 func (va VAImpl) validateDNSAccount01(task *vaTask) *core.ValidationRecord {
+	// Compute the account-specific DNS label per draft-ietf-acme-dns-account-label-00 section 3.2
+	// "_" || base32(SHA-256(<ACCOUNT_URL>)[0:10]) || "._acme-challenge"
 	acctHash := sha256.Sum256([]byte(task.AccountURL))
-	acctLabel := strings.ToLower(base32.StdEncoding.EncodeToString(acctHash[0:10]))
-	scope := "host"
-	if task.Wildcard {
-		scope = "wildcard"
-	}
-	challengeSubdomain := fmt.Sprintf("_%s._acme-%s-challenge.%s", acctLabel, scope, task.Identifier.Value)
+	// Take first 10 bytes of hash as specified in section 3.2
+	// Use base32 encoding without padding per RFC4648
+	acctLabel := strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(acctHash[0:10]))
+	// Construct validation domain name according to spec
+	challengeSubdomain := fmt.Sprintf("_%s._acme-challenge.%s", acctLabel, task.Identifier.Value)
 
 	result := &core.ValidationRecord{
 		URL:         challengeSubdomain,