Hi,

Is there any information on when the DNS challenge will be available?

Regards, Thomas

On 11.12.2015 at 23:03, Jacob Hoffman-Andrews wrote:
> On 12/11/2015 12:50 PM, Michael Wyraz wrote:
>> I'm new to this mailing list. Today I started a discussion on IRC about
>> the fact that ACME with http-01 won't work if the A record points to an
>> intranet IP address
> In general, publicly trusted CAs are supposed to verify that a name is
> available on the public Internet.
>
>> or is resolved dynamically dependent on geo locations or similar.
> This is a potential issue, and is similar to the recently discussed issue
> about choosing from multiple available IPs, but is a harder problem to
> solve. If you push a challenge to just one geo region, a validation
> attempt from a different geo region may not see any relevant IPs.
>
>> The idea to solve these issues is simple: why not use some special DNS
>> record to resolve a URL that is responsible for ACME challenges for a
>> certain domain? This is more flexible than building the URL based on
>> A-Record on a fixed scheme.
> If you're willing to accept a dependency on DNS, it makes sense to just
> use the DNS challenge instead. I think that's probably the ideal
> solution for services that have many frontends and do geo load balancing.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
