On Tue, Feb 9, 2016 at 10:37 PM, Michael Wyraz <[email protected]> wrote:
> Hi,
>
> as discussed before, acme/http-01 is difficult to implement if the domain being validated does not resolve to the IP address of the machine where the client runs.
>
> Common cases are:
> - multiple physical servers behind a tcp balancer (A-Record resolves to the load balancer, not to the server where the acme client runs).
> - geo based dns resolution (A-Record resolves to the "nearest" server, which is not necessarily the server where the acme client runs)
> - A-Record resolves to a device that is not able to run the acme client (hardware firewall, router, load balancer)
>
> I've created a proposal for using SRV (with fallback to A/AAAA) to solve these issues: https://github.com/ietf-wg-acme/acme/pull/83

This doesn't seem like a great idea. ACME should largely behave the same way that Web clients do. If you want to muck with DNS just use the DNS challenges.

-Ekr

> As you can see, the change only affects a small part of the server side of the protocol and should have minimal impact on implementations.
>
> Let me know what you think about it.
>
> Kind regards,
> Michael.
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
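The failure mode Michael describes, and the dns-01 alternative Ekr points to, can be made concrete with a small simulation. The following is an added example written for this page, not code from the thread, the ACME draft, or any ACME implementation. It assumes a load balancer that sends each CA connection to a random backend, uses constructed (not real) token and thumbprint values, and builds the key authorization (`token "." thumbprint`) and the dns-01 TXT value (base64url of SHA-256 over the key authorization) the way the ACME specification defines them; the `Backend`, `validate_http01` and `validate_dns01` names are this example's own.

```python
import base64
import hashlib
import random

# Constructed sample values (not from a real CA or account).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
# Key authorization as ACME defines it: token "." JWK thumbprint.
KEY_AUTHORIZATION = f"{TOKEN}.{THUMBPRINT}"


class Backend:
    """One origin server behind the balancer; `served` maps URL path -> body."""

    def __init__(self, name):
        self.name = name
        self.served = {}

    def get(self, path):
        # None models an HTTP 404: this host never saw the challenge.
        return self.served.get(path)


def provision_http01(backends, token, key_authorization):
    """Place the challenge file on the given backends only (the hosts the
    ACME client can actually write to)."""
    path = f"/.well-known/acme-challenge/{token}"
    for backend in backends:
        backend.served[path] = key_authorization


def make_balancer(backends, rng):
    """Return a callable modelling 'the A record points at a balancer':
    each new connection from the CA lands on an arbitrary backend."""
    return lambda: rng.choice(backends)


def validate_http01(token, key_authorization, pick_backend):
    """Simulated CA-side http-01 check: connect to whatever host the
    name resolves to, fetch the well-known path, compare the body."""
    path = f"/.well-known/acme-challenge/{token}"
    body = pick_backend().get(path)
    return body is not None and body.strip() == key_authorization


def http01_success_rate(backends, trials=300, seed=0):
    """Fraction of validation attempts that succeed against this pool."""
    pick = make_balancer(backends, random.Random(seed))
    hits = sum(validate_http01(TOKEN, KEY_AUTHORIZATION, pick) for _ in range(trials))
    return hits / trials


def dns01_record_value(key_authorization):
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(keyAuthz))."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_dns01(zone, domain, key_authorization):
    """Simulated CA-side dns-01 check: the answer depends only on the zone,
    not on which host the domain's A/AAAA record points at."""
    expected = dns01_record_value(key_authorization)
    return expected in zone.get(f"_acme-challenge.{domain}", [])


def scenario_one_backend_provisioned():
    """Client runs on one of three balanced servers and only that one
    serves the token: validation succeeds only when the CA happens to
    land there."""
    pool = [Backend("web1"), Backend("web2"), Backend("web3")]
    provision_http01(pool[:1], TOKEN, KEY_AUTHORIZATION)
    return http01_success_rate(pool)


def scenario_all_backends_provisioned():
    """Same pool, but the token is distributed to every backend."""
    pool = [Backend("web1"), Backend("web2"), Backend("web3")]
    provision_http01(pool, TOKEN, KEY_AUTHORIZATION)
    return http01_success_rate(pool)


def scenario_dns01():
    """Constructed zone for example.com carrying the dns-01 TXT record."""
    zone = {"_acme-challenge.example.com": [dns01_record_value(KEY_AUTHORIZATION)]}
    return validate_dns01(zone, "example.com", KEY_AUTHORIZATION)


if __name__ == "__main__":
    print("http-01, one of three backends provisioned:", scenario_one_backend_provisioned())
    print("http-01, all backends provisioned:        ", scenario_all_backends_provisioned())
    print("dns-01 via zone record:                   ", scenario_dns01())
```

The first scenario is the situation the proposal targets: a CA that behaves like an ordinary web client reaches a backend that never saw the challenge about two times in three, so the order fails or succeeds by chance. The fixes that stay within the existing protocol are either to distribute the key authorization to every host the name can resolve to (shared storage, or a balancer rule that routes `/.well-known/acme-challenge/` to the host running the client) or, as Ekr suggests, to use dns-01, whose check depends only on the zone contents.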
