> https://github.com/ietf-wg-acme/acme/pull/82
I am against adding an address hint to the spec. I think it's an unnecessary complication to the spec, and it introduces client control of a critical security field. It would be too easy for implementers to incorrectly check that the address was present in the DNS response. Additionally, this fails to address GSLB / geo-based DNS, as Michael Wyraz pointed out. So it winds up being a half solution.

As I said previously, I think it would be better for implementers to query each IP they receive, until they get a success. For GSLB cases, the subscriber would need to either (1) use an HTTP redirect to a non-GSLB domain name, (2) ensure that every frontend is capable of serving the challenge at the appropriate time, or (3) use the dns-01 challenge.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
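The "query each IP you receive until one succeeds" approach from the message above, as an added example written for this page (it is not code from the ACME specification, the PR, or any CA). The resolver and the HTTP fetch are injected stand-ins so the example runs offline: the domain, token, thumbprint, addresses and frontend behaviour are all constructed sample data. The CA derives the candidate address set from its own DNS lookup only; no client-supplied hint enters the decision.

```python
"""http-01 validation that walks every A/AAAA answer until one frontend
serves the expected key authorization. Added example, not spec or CA code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample values (assumptions for this example, not real data).
DOMAIN = "example.test"
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "nP1qzpXGymHBrUEepNY9HCsQk7K8KhOypzEaM0cobOE"
KEY_AUTHZ = TOKEN + "." + THUMBPRINT   # token.thumbprint, as http-01 expects

# Constructed DNS answer: a GSLB-style name that resolves to three frontends.
SAMPLE_DNS: Dict[str, List[str]] = {
    DOMAIN: ["203.0.113.1", "203.0.113.2", "2001:db8::1"],
}

# Constructed frontend behaviour keyed by address. None means the TCP
# connection fails; a string is the body served at the challenge path.
FRONTENDS_PARTIAL: Dict[str, Optional[str]] = {
    "203.0.113.1": None,          # frontend down / not listening
    "203.0.113.2": KEY_AUTHZ,     # the only frontend that was provisioned
    "2001:db8::1": "Not Found",   # frontend up but never given the token
}
FRONTENDS_NONE: Dict[str, Optional[str]] = {
    addr: "Not Found" for addr in SAMPLE_DNS[DOMAIN]   # nothing provisioned
}


@dataclass
class ValidationResult:
    ok: bool
    address: Optional[str]          # the address that answered correctly
    errors: List[str] = field(default_factory=list)   # one entry per failed address


def sample_resolver(name: str) -> List[str]:
    """Stand-in for the CA's own recursive resolver (assumption)."""
    return list(SAMPLE_DNS.get(name, []))


def make_fetcher(table: Dict[str, Optional[str]]) -> Callable[[str, str, str], str]:
    """Build a stand-in for 'connect to addr, GET path with Host: host'."""
    def fetch(addr: str, host: str, path: str) -> str:
        body = table.get(addr)
        if body is None:
            raise ConnectionError(f"connect to {addr}: connection refused")
        return body
    return fetch


def validate_http01(domain: str, token: str, thumbprint: str,
                    resolve: Callable[[str], List[str]],
                    fetch: Callable[[str, str, str], str]) -> ValidationResult:
    """Try every resolved address in answer order; stop at the first one that
    serves the key authorization. A failure on one address is recorded, not
    treated as final, because a GSLB or multi-homed name may have frontends
    that were never provisioned. The address list comes solely from resolve()."""
    expected = f"{token}.{thumbprint}"
    path = f"/.well-known/acme-challenge/{token}"
    addresses = resolve(domain)
    if not addresses:
        return ValidationResult(False, None, ["no A/AAAA records"])
    errors: List[str] = []
    for addr in addresses:
        try:
            body = fetch(addr, domain, path)
        except Exception as exc:            # connect/timeout/TLS errors
            errors.append(f"{addr}: {exc}")
            continue
        if body.strip() == expected:
            return ValidationResult(True, addr, errors)
        errors.append(f"{addr}: body did not match key authorization")
    return ValidationResult(False, None, errors)


if __name__ == "__main__":
    for label, table in (("partial", FRONTENDS_PARTIAL), ("none", FRONTENDS_NONE)):
        result = validate_http01(DOMAIN, TOKEN, THUMBPRINT,
                                 sample_resolver, make_fetcher(table))
        print(label, result)
```

With the partially provisioned frontend set the validator records the refused connection on the first address and succeeds on the second; with nothing provisioned it fails only after every address has been tried, and the per-address errors tell the subscriber which frontends were missed. The example does not model the GSLB case where the CA's vantage point sees a different answer than the subscriber's, which is exactly why the message lists the redirect, provision-everywhere and dns-01 options.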
