Re: [Acme] Support for domains with redundant but not immediately synchronized servers

Jacob Hoffman-Andrews <jsha@eff.org> Tue, 09 February 2016 19:52 UTC

To: Jonas Wielicki <jonas@wielicki.name>, acme@ietf.org
References: <565C84A1.9040102@wielicki.name> <20151204084601.GQ18430@eff.org> <255B9BB34FB7D647A506DC292726F6E13BB473EFFB@WSMSG3153V.srv.dir.telstra.com> <56A0C558.2070202@wielicki.name> <046f30469e8d4cdfafb01b7e7f9d4608@usma1ex-dag1mb1.msg.corp.akamai.com> <56B9BDD8.9010008@wielicki.name>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <56BA4372.1010706@eff.org>
Date: Tue, 09 Feb 2016 11:52:18 -0800
In-Reply-To: <56B9BDD8.9010008@wielicki.name>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/CMdtEI6TPupAmRB8u1nXGEEE4E0>

> https://github.com/ietf-wg-acme/acme/pull/82

I am against adding an address hint to the spec. I think it's
unnecessary complication to the spec, and introduces client control of a
critical security field. It would be too easy for implementers to
incorrectly check that the address was present in the DNS response.

Additionally, this fails to address GSLB / geo-based DNS, as Michael
Wyraz pointed out. So it winds up being a half solution.

As I said previously, I think it would be better for implementers to
query each IP they receive, until they get a success. For GSLB cases,
the subscriber would need to either (1) use an HTTP redirect to a
non-GSLB domain name, (2) ensure that every frontend is capable of
serving the challenge at the appropriate time, or (3) use the dns-01
challenge.
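The "query each IP until one succeeds" behaviour argued for above, as an added example that is not part of this message or of the ACME spec or any CA's code. It models an http-01 validator on the CA side: the CA resolves the name itself (a client-supplied address hint is deliberately not an input), then tries every A/AAAA address in turn and accepts on the first one that serves the expected key authorization. The zone data, frontend contents, host names, token and helper names are hypothetical fixtures constructed for the demo; the networked fetcher is only used when no stub is injected.

```python
"""Added example, not from the ACME thread: an http-01 validator that tries
every address the CA itself resolved, one after another, until one serves
the expected key authorization. Names, addresses, tokens and helper names
below are assumptions made for illustration."""
import http.client
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], List[str]]
Fetcher = Callable[[str, str, str], Optional[str]]

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve_all(name: str) -> List[str]:
    """Every A/AAAA address for `name` from the CA's own resolver, in order.
    Addresses never come from the client, so there is no hint to mis-check."""
    seen: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            name, 80, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


def fetch_over_http(address: str, host: str, path: str,
                    timeout: float = 5.0) -> Optional[str]:
    """GET `path` from one specific address, sending `host` as the Host header.
    Any connect error or non-200 status returns None, so the caller simply
    moves on to the next address instead of failing the whole validation."""
    conn_host = "[%s]" % address if ":" in address else address  # IPv6 literal
    try:
        conn = http.client.HTTPConnection(conn_host, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        if resp.status != 200:
            return None
        return resp.read(4096).decode("ascii", errors="replace")
    except (OSError, http.client.HTTPException):
        return None


def validate_http01(name: str, token: str, key_authorization: str,
                    resolver: Resolver = resolve_all,
                    fetcher: Fetcher = fetch_over_http
                    ) -> Tuple[bool, List[Tuple[str, str]]]:
    """Try each resolved address until one serves `key_authorization`.
    Returns (success, attempt_log); the log records why each address failed,
    which is what a subscriber with unsynchronized frontends needs to see."""
    path = CHALLENGE_PREFIX + token
    attempts: List[Tuple[str, str]] = []
    for address in resolver(name):
        body = fetcher(address, name, path)
        if body is None:
            attempts.append((address, "unreachable or non-200"))
            continue
        if body.strip() == key_authorization:
            attempts.append((address, "ok"))
            return True, attempts
        attempts.append((address, "wrong content"))
    return False, attempts


# Constructed fixtures (not real DNS or hosts): three frontends behind one
# name, of which only the last has received the token so far.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "www.example.test": ["192.0.2.10", "2001:db8::1", "192.0.2.11"],
}
SAMPLE_FRONTENDS: Dict[str, Optional[Dict[str, str]]] = {
    "192.0.2.10": {},                                          # not synced yet
    "2001:db8::1": None,                                       # host is down
    "192.0.2.11": {CHALLENGE_PREFIX + "tok123": "tok123.thumbprint"},
}


def sample_resolver(name: str) -> List[str]:
    return list(SAMPLE_ZONE.get(name, []))


def sample_fetcher(address: str, host: str, path: str) -> Optional[str]:
    docs = SAMPLE_FRONTENDS.get(address)
    if docs is None:
        return None          # connection refused / timeout
    return docs.get(path)    # None stands in for a 404


if __name__ == "__main__":
    ok, log = validate_http01("www.example.test", "tok123", "tok123.thumbprint",
                              sample_resolver, sample_fetcher)
    print(ok, log)
```

Note what this does and does not cover: it handles the "redundant but not yet synchronized" case the thread is about, because the stale and dead frontends are skipped and the synced one is found. It does nothing for GSLB, where the CA's resolver may be handed a pool that never includes the frontend holding the token; that is why the message lists the redirect, every-frontend, and dns-01 options separately.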