Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2016-02-09 Thread Jonas Wielicki
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 09.02.2016 14:53, Michael Wyraz wrote: > Hello Jonas, >> >>> IMO a better way to support your scenario as well as those I >>> described above would be to check for an SRV-Record before >>> checking A-Records. This would be 100% compatible

[Acme] Clarity: DNS validation domain delegated to another zone

2016-02-09 Thread Jan Broer
Hello everyone, we are discussing whether it is technically legal to validate the DNS challenge TXT record when the validation domain is delegated away from the domain to a different zone. Scenario: a certificate request for domain = "foo.bar.com", which would have fqdn =

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2016-02-09 Thread Jonas Wielicki
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 21.01.2016 15:13, Salz, Rich wrote: > >> I am not at all familiar with the processes in an IETF WG. What >> is the way forward to get my proposal either into the protocol or >> officially dismissed? > > This is the way it works. :) People

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2016-02-09 Thread Jonas Wielicki
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello Michael, (re-sent to include the list, sorry for the noise, Michael) On 09.02.2016 11:52, Michael Wyraz wrote: > thank you for the proposal. I think addressing such setups is a > good idea. Thank you for your feedback! > The solution you

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2016-02-09 Thread Michael Wyraz
Hello Jonas, > > > IMO a better way to support your scenario as well as those I > > described above would be to check for an SRV-Record before checking > > A-Records. This would be 100% compatible with existing acme http-01 > > clients. In your case you would resolve the SRV record to the > >

Re: [Acme] Clarity: DNS validation domain delegated to another zone

2016-02-09 Thread Ted Hardie
On Tue, Feb 9, 2016 at 12:29 PM, Jan Broer wrote: > Hello everyone, > > we are discussing whether it is technically legal to validate the DNS > challenge TXT record when the validation domain is delegated away from the > domain to a different zone. > > So, I find the phrase

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2016-02-09 Thread Michael Wyraz
Hi Jonas, > So if I understand this correctly, the ACME client would have to set > (or modify) the SRV records in such a way that the host which is > currently running the client is the one with the highest priority? > This sounds like you could just use the DNS challenge, right? > > And it is a