On 09.02.2016 14:53, Michael Wyraz wrote:
> Hello Jonas,
>>
>>> IMO a better way to support your scenario as well as those I
>>> described above would be to check for an SRV-Record before
>>> checking A-Records. This would be 100% compatible with existing
>>> acme http-01 clients. In your case you would resolve the SRV
>>> record to the machine that has the acme client running on. The
>>> acme-server would check for the SRV-Record for an address to
>>> lookup the challenge's response at. If no SRV record is
>>> specified, it would continue with A and AAAA records.
>>
>> I am not entirely sure I get what you want to say here. SRV
>> records contain not only a host name, but also priorities,
>> weights and ports, so I wonder how that information would be used
>> in this context.
>>
>> Do you suggest to have the client use an SRV record to specify
>> the address (including the port?) to which the server connects to
>> complete the challenge? In that case, what would the effect of
>> multiple SRV records for the target name be?
>
> correct, that's exactly what I meant. Example:
>
> _acme.http-01._tcp.mydomain.com. 3600 IN SRV 10 1 80 acme.mydomain.com.
>
> For multiple SRV weight/priority should be respected.
>
> For your case you would resolve www.mydomain.com to several ip
> addresses:
> www.mydomain.com. IN A IP-Address-Server1
> www.mydomain.com. IN A IP-Address-Server2
>
> While acme.mydomain.com resolves to a single ip address of the
> server where the acme client runs on:
> acme.mydomain.com. IN A IP-Address-Server1

So if I understand this correctly, the ACME client would have to set
(or modify) the SRV records in such a way that the host which is
currently running the client is the one with the highest priority?

This sounds like you could just use the DNS challenge, right? And it
is a different use-case from the one I posted initially. If the clients
were able to modify the DNS properly, I could indeed use the dns-01
challenge in my scenario.
This is not the case though.

best regards,
jwi
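An added example, not code from this thread or from any ACME implementation, of the SRV-first lookup Michael proposes above: the validation side resolves `_acme.http-01._tcp.<domain>`, picks one SRV target by RFC 2782 priority/weight, and only falls back to the domain's own A/AAAA records (on port 80) when no SRV record exists. The zone contents and the IP addresses are constructed for the example; real code would query DNS instead of a dictionary.

```python
import random

# Constructed sample zone standing in for real DNS: owner name -> RR type -> records.
# SRV tuples follow RFC 2782 field order: (priority, weight, port, target).
ZONE = {
    "_acme.http-01._tcp.mydomain.com.": {"SRV": [(10, 1, 80, "acme.mydomain.com."),
                                                  (20, 1, 80, "backup.mydomain.com.")]},
    "www.mydomain.com.": {"A": ["192.0.2.1", "192.0.2.2"]},
    "acme.mydomain.com.": {"A": ["192.0.2.1"]},
    "backup.mydomain.com.": {"A": ["192.0.2.9"]},
    "plain.example.": {"A": ["192.0.2.50"], "AAAA": ["2001:db8::50"]},
}

def lookup(name, rrtype, zone=ZONE):
    """Return the records of one type for a name (empty list if none)."""
    return list(zone.get(name, {}).get(rrtype, []))

def select_srv(records, rng=random):
    """RFC 2782 selection: lowest priority wins; among equal priorities pick a
    target with probability proportional to its weight."""
    lowest = min(r[0] for r in records)
    candidates = [r for r in records if r[0] == lowest]
    total = sum(r[1] for r in candidates)
    if total == 0:                      # all weights zero: any candidate is fine
        return candidates[0]
    pick = rng.uniform(0, total)
    running = 0
    for rec in candidates:
        running += rec[1]
        if pick <= running:
            return rec
    return candidates[-1]

def validation_targets(domain, zone=ZONE, rng=random):
    """Addresses the server-side check would contact for an http-01 challenge:
    (ip, srv_port) for the chosen SRV target, else every A/AAAA of the domain on 80."""
    name = domain if domain.endswith(".") else domain + "."
    srv = lookup("_acme.http-01._tcp." + name, "SRV", zone)
    if srv:
        _prio, _weight, port, target = select_srv(srv, rng)
        addrs = lookup(target, "A", zone) + lookup(target, "AAAA", zone)
        return [(a, port) for a in addrs]
    addrs = lookup(name, "A", zone) + lookup(name, "AAAA", zone)
    return [(a, 80) for a in addrs]
```

Note that `www.mydomain.com` has no SRV record in the sample zone, so the check falls through to both of its A records, which is exactly the multi-address situation the original question was about.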
