Re: [Acme] Support for domains with redundant but not immediately synchronized servers

Jonas Wielicki <> Tue, 09 February 2016 19:40 UTC


On 09.02.2016 14:53, Michael Wyraz wrote:
> Hello Jonas,
>>> IMO a better way to support your scenario as well as those I 
>>> described above would be to check for an SRV-Record before
>>> checking A-Records. This would be 100% compatible with existing
>>> acme http-01 clients. In your case you would resolve the SRV
>>> record to the machine that has the acme client running on. The
>>> acme-server would check for the SRV-Record for an address to
>>> look up the challenge's response at. If no SRV record is
>>> specified, it would continue with A and AAAA records.
>> I am not entirely sure I get what you want to say here. SRV
>> records contain not only a host name, but also priorities,
>> weights and ports, so I wonder how that information would be used
>> in this context.
>> Do you suggest to have the client use an SRV record to specify
>> the address (including the port?) to which the server connects to
>> complete the challenge? In that case, what would the effect of
>> multiple SRV records for the target name be?
> correct, that's exactly what I meant. Example:
> 3600 IN    SRV    10 1 80 
> For multiple SRV weight/priority should be respected.
> For your case you would resolve to several ip
> addresses: IN A IP-Address-Server1 
> IN A IP-Address-Server2
> While resolves to a single ip address of the
> server the acme client runs on: IN A
> IP-Address-Server1

So if I understand this correctly, the ACME client would have to set
(or modify) the SRV records in such a way that the host which is
currently running the client is the one with the highest priority?
This sounds like you could just use the DNS challenge, right?

And it is a different use-case from the one I posted initially. If the
clients were able to modify the DNS properly, I could indeed use the
dns-01 challenge in my scenario. This is not the case though.

best regards,
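The SRV-first lookup order Michael proposes above (SRV with priority/weight respected, then A and AAAA as the fallback that keeps existing http-01 clients working), as an added example written for this page; it is not code from the thread or from any ACME implementation, and the SRV owner name `_acme-http._tcp`, the host names and the addresses are constructed assumptions standing in for real DNS answers.

```python
import random
from typing import Callable, Dict, List, Tuple

# Constructed zone data standing in for real DNS answers; the SRV owner name
# "_acme-http._tcp" and every host name below are assumptions for this example.
ZONE: Dict[Tuple[str, str], List] = {
    ("_acme-http._tcp.example.org.", "SRV"): [
        # (priority, weight, port, target): the redundant web hosts sit at a
        # higher (less preferred) priority than the host running the ACME client.
        (10, 1, 80, "acme-client.example.org."),
        (20, 1, 80, "web1.example.org."),
        (20, 1, 80, "web2.example.org."),
    ],
    ("_acme-http._tcp.shared.example.", "SRV"): [
        (10, 1, 8080, "a.shared.example."),   # same priority, weights 1:3
        (10, 3, 8080, "b.shared.example."),
    ],
    ("acme-client.example.org.", "A"): ["192.0.2.10"],
    ("a.shared.example.", "A"): ["192.0.2.20"],
    ("b.shared.example.", "AAAA"): ["2001:db8::20"],
    ("plain.example.", "A"): ["192.0.2.30", "192.0.2.31"],
    ("plain.example.", "AAAA"): ["2001:db8::30"],
}

def lookup(name: str, rtype: str) -> List:
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get((name, rtype), [])

def pick_srv(records: List[Tuple[int, int, int, str]],
             rnd: Callable[[], float] = random.random) -> Tuple[str, int]:
    """RFC 2782 selection: keep only the lowest-priority group, then choose
    within it by a weighted random draw. `rnd` is injected for deterministic tests."""
    lowest = min(prio for prio, _, _, _ in records)
    group = [r for r in records if r[0] == lowest]
    threshold = rnd() * sum(weight for _, weight, _, _ in group)
    running = 0
    for _, weight, port, target in group:
        running += weight
        if running >= threshold:
            return target, port
    return group[-1][3], group[-1][2]   # defensive only: rnd() < 1 so the loop returns

def validation_target(domain: str,
                      rnd: Callable[[], float] = random.random) -> Tuple[str, int, List[str]]:
    """Where an ACME server would fetch the http-01 response for `domain`:
    the SRV target and port if an SRV record exists, else the domain itself on
    port 80, so clients that publish no SRV record keep working unchanged."""
    srv = lookup(f"_acme-http._tcp.{domain}", "SRV")
    host, port = pick_srv(srv, rnd) if srv else (domain, 80)
    addresses = lookup(host, "A") + lookup(host, "AAAA")
    return host, port, addresses
```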