diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
index 8e681840e..a8ecfff97 100644
--- a/cmd/boulder-wfe2/main.go
+++ b/cmd/boulder-wfe2/main.go
@@ -14,14 +14,17 @@ import (
 
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/config"
+	"github.com/letsencrypt/boulder/core"
 	emailpb "github.com/letsencrypt/boulder/email/proto"
 	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
 	"github.com/letsencrypt/boulder/goodkey/sagoodkey"
 	bgrpc "github.com/letsencrypt/boulder/grpc"
 	"github.com/letsencrypt/boulder/grpc/noncebalancer"
+	"github.com/letsencrypt/boulder/identifier"
 	"github.com/letsencrypt/boulder/issuance"
 	"github.com/letsencrypt/boulder/nonce"
+	"github.com/letsencrypt/boulder/policy"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
 	"github.com/letsencrypt/boulder/ratelimits"
 	bredis "github.com/letsencrypt/boulder/redis"
@@ -101,7 +104,7 @@ type Config struct {
 		// DirectoryCAAIdentity is used for the /directory response's "meta"
 		// element's "caaIdentities" field. It should match the VA's "issuerDomain"
 		// configuration value (this value is the one used to enforce CAA)
-		DirectoryCAAIdentity string `validate:"required,fqdn"`
+		DirectoryCAAIdentity string `validate:"required"`
 		// DirectoryWebsite is used for the /directory response's "meta" element's
 		// "website" field.
 		DirectoryWebsite string `validate:"required,url"`
@@ -186,6 +189,8 @@ type Config struct {
 			// to enable the pausing feature.
 			URL string `validate:"omitempty,required_with=HMACKey JWTLifetime,url,startswith=https://,endsnotwith=/"`
 		}
+
+		cmd.HostnamePolicyConfig
 	}
 
 	Syslog        cmd.SyslogConfig
@@ -330,12 +335,26 @@ func main() {
 	var limiter *ratelimits.Limiter
 	var txnBuilder *ratelimits.TransactionBuilder
 	var limiterRedis *bredis.Ring
+	var pa *policy.AuthorityImpl
 	overridesRefresherShutdown := func() {}
 	if c.WFE.Limiter.Defaults != "" {
 		// Setup rate limiting.
 		limiterRedis, err = bredis.NewRingFromConfig(*c.WFE.Limiter.Redis, stats, logger)
 		cmd.FailOnError(err, "Failed to create Redis ring")
 
+		// Set Policy Authority for ratelimits
+		pa, err = policy.New(
+			map[identifier.IdentifierType]bool{identifier.TypeDNS: true, identifier.TypeIP: true},
+			map[core.AcmeChallenge]bool{},
+			logger)
+		cmd.FailOnError(err, "Couldn't create PA")
+		if c.WFE.HostnamePolicyFile == "" {
+			cmd.Fail("HostnamePolicyFile must be provided.")
+		}
+		err = pa.LoadIdentPolicyFile(c.WFE.HostnamePolicyFile)
+		cmd.FailOnError(err, "Couldn't load hostname policy file")
+		ratelimits.PA = pa
+
 		source := ratelimits.NewRedisSource(limiterRedis.Ring, clk, stats)
 		limiter, err = ratelimits.NewLimiter(clk, source, stats)
 		cmd.FailOnError(err, "Failed to create rate limiter")
@@ -387,6 +406,7 @@ func main() {
 		unpauseSigner,
 		c.WFE.Unpause.JWTLifetime.Duration,
 		c.WFE.Unpause.URL,
+		pa,
 	)
 	cmd.FailOnError(err, "Unable to create WFE")