On 02/09/2016 11:52 AM, Jacob Hoffman-Andrews wrote:
> As I said previously, I think it would be better for implementers to
> query each IP they receive, until they get a success.

I thought some more about this from a CA implementation perspective, and it would actually be rather painful and error-prone to implement.
In Boulder, we have a maximum amount of time we are willing to spend on validating a challenge. Currently it's 60 seconds. We may increase it at some point, but there will always be some limit. For hostnames that return a large number of IP addresses, it's entirely possible we would time out before reaching the one IP address that is provisioned with the challenge. That means that instead of the nice clean "Push a challenge to any server and it will work" guarantee, we would have a "Push a challenge to any server, and it will work provided you don't have too many IP addresses and the other instances respond quickly enough" guarantee.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
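The interaction the mail describes, as an added example that is neither Boulder's code nor part of the thread: a "try each resolved IP until one succeeds" validator running under a hard overall budget. The budget and per-attempt timeout are scaled down from the 60-second figure so the program finishes quickly, the hosts are simulated in memory, and the 192.0.2.0/24 addresses are constructed; all of these are assumptions of the example. With a small pool of responsive hosts the provisioned instance is reached even when it is last; with a larger pool of hosts that do not answer, the budget is spent before the validator gets to it.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"time"
)

// Constructed figures for the demo, scaled down from the 60-second budget in
// the mail so the program runs in well under a second. Not Boulder's values.
const (
	validationBudget  = 600 * time.Millisecond // total time spent on one challenge
	perAttemptTimeout = 200 * time.Millisecond // connect/read timeout per address
)

// ErrBudgetExhausted is returned when the overall budget runs out before any
// address has served the expected key authorization.
var ErrBudgetExhausted = errors.New("validation budget exhausted before a success")

// probe models one challenge fetch against a single address: nil means the
// address served the expected key authorization, any error means it did not.
type probe func(ctx context.Context, ip net.IP) error

// validateAnyIP implements the "try each IP until one succeeds" policy under a
// hard overall deadline. It returns the address that validated, how many
// addresses were tried, and an error if none validated within the budget.
func validateAnyIP(ips []net.IP, fetch probe, budget, perAttempt time.Duration) (net.IP, int, error) {
	ctx, cancel := context.WithTimeout(context.Background(), budget)
	defer cancel()

	var lastErr error
	for i, ip := range ips {
		// Stop as soon as the overall budget is gone, however many remain.
		if ctx.Err() != nil {
			return nil, i, ErrBudgetExhausted
		}
		attemptCtx, attemptCancel := context.WithTimeout(ctx, perAttempt)
		err := fetch(attemptCtx, ip)
		attemptCancel()
		if err == nil {
			return ip, i + 1, nil
		}
		lastErr = err
	}
	if ctx.Err() != nil {
		return nil, len(ips), ErrBudgetExhausted
	}
	return nil, len(ips), fmt.Errorf("no address validated: %w", lastErr)
}

// fakeHost is a constructed stand-in for one server behind the hostname.
type fakeHost struct {
	latency  time.Duration // how long the host takes to answer
	hasToken bool          // whether this instance was provisioned with the challenge
}

// simulate returns a probe that answers from an in-memory table instead of
// the network, honouring the per-attempt context the validator passes in.
func simulate(hosts map[string]fakeHost) probe {
	return func(ctx context.Context, ip net.IP) error {
		h, ok := hosts[ip.String()]
		if !ok {
			return fmt.Errorf("%s: connection refused", ip)
		}
		select {
		case <-time.After(h.latency):
		case <-ctx.Done():
			return fmt.Errorf("%s: %w", ip, ctx.Err())
		}
		if !h.hasToken {
			return fmt.Errorf("%s: key authorization not found", ip)
		}
		return nil
	}
}

// pool builds n constructed addresses in 192.0.2.0/24 with the given latency;
// only the last one is provisioned with the challenge.
func pool(n int, latency time.Duration) ([]net.IP, map[string]fakeHost) {
	ips := make([]net.IP, 0, n)
	hosts := make(map[string]fakeHost, n)
	for i := 1; i <= n; i++ {
		ip := net.IPv4(192, 0, 2, byte(i))
		ips = append(ips, ip)
		hosts[ip.String()] = fakeHost{latency: latency, hasToken: i == n}
	}
	return ips, hosts
}

// SmallPool: three responsive hosts, provisioned one last; succeeds on try 3.
func SmallPool() (net.IP, int, error) {
	ips, hosts := pool(3, 50*time.Millisecond)
	return validateAnyIP(ips, simulate(hosts), validationBudget, perAttemptTimeout)
}

// LargeSlowPool: ten hosts that never answer within perAttemptTimeout,
// provisioned one last; the budget is spent before it is reached.
func LargeSlowPool() (net.IP, int, error) {
	ips, hosts := pool(10, time.Second)
	return validateAnyIP(ips, simulate(hosts), validationBudget, perAttemptTimeout)
}

func main() {
	ip, tried, err := SmallPool()
	fmt.Printf("small pool: ip=%v tried=%d err=%v\n", ip, tried, err)
	ip, tried, err = LargeSlowPool()
	fmt.Printf("large slow pool: ip=%v tried=%d err=%v\n", ip, tried, err)
}
```

The second scenario is the guarantee the mail objects to: whether validation succeeds depends on how many addresses the name resolves to and how quickly the unprovisioned instances fail, not only on whether the challenge was pushed to some server.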
