Re: [Acme] Support for domains with redundant but not immediately synchronized servers
Jacob Hoffman-Andrews <jsha@eff.org> Fri, 12 February 2016 23:00 UTC
To: Jonas Wielicki <jonas@wielicki.name>, acme@ietf.org
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <56BE63F4.2000600@eff.org>
Date: Fri, 12 Feb 2016 15:00:04 -0800
In-Reply-To: <56BA4372.1010706@eff.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/Jm_MJOH1XJOb-U37akDv4n2C4xY>
On 02/09/2016 11:52 AM, Jacob Hoffman-Andrews wrote:
> As I said previously, I think it would be better for implementers to
> query each IP they receive, until they get a success.

I thought some more about this from a CA implementation perspective, and it would actually be rather painful and error-prone to implement.

In Boulder, we have a maximum amount of time we are willing to spend on validating a challenge. Currently it's 60 seconds. We may increase it at some point, but there will always be some limit. For hostnames that return a large number of IP addresses, it's entirely possible we would timeout before reaching the one IP address that is provisioned with the challenge.

That means that instead of the nice clean "Push a challenge to any server and it will work" guarantee, we would have a "Push a challenge to any server, and it will work provided you don't have too many IP addresses and the other instances respond quickly enough" guarantee.
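The time-budget argument above, as an added simulation that is not part of the original mail or of Boulder's code: it walks a hostname's resolved IPs in order until one answers the challenge, under a total validation budget. The 60-second budget comes from the message; the host addresses, latencies, the 10-second per-IP timeout and the function names are constructed for the illustration, and a simulated clock stands in for real network waits.

```python
from dataclasses import dataclass

BUDGET_SECONDS = 60.0  # per-challenge limit the message cites for Boulder


@dataclass
class Host:
    ip: str
    latency: float      # simulated seconds until this host answers at all
    provisioned: bool   # whether the challenge response is present on this host


def validate_any_ip(hosts, budget=BUDGET_SECONDS, per_ip_timeout=10.0):
    """Query each resolved IP in order until one serves the challenge.

    Returns (ok, elapsed, ips_tried). ok is False when the total budget is
    exhausted before a provisioned host is reached. Time is simulated, so
    nothing here sleeps or touches the network.
    """
    elapsed = 0.0
    tried = []
    for h in hosts:
        remaining = budget - elapsed
        if remaining <= 0:
            break                      # budget gone, give up on the rest
        tried.append(h.ip)
        # We wait for the host, but never longer than the per-IP timeout
        # or the budget that is still left.
        wait = min(h.latency, per_ip_timeout, remaining)
        elapsed += wait
        answered = h.latency <= wait   # host replied before we gave up on it
        if answered and h.provisioned:
            return True, elapsed, tried
    return False, elapsed, tried


def small_cluster():
    # Constructed sample: 3 IPs, challenge pushed only to the last one.
    return [Host("192.0.2.1", 10.0, False),
            Host("192.0.2.2", 10.0, False),
            Host("192.0.2.3", 0.5, True)]


def large_cluster(n=20, provisioned_index=15):
    # Constructed sample: n IPs, every unprovisioned host is slow enough to
    # burn the full per-IP timeout, and only one host has the challenge.
    return [Host(f"192.0.2.{i + 1}",
                 0.5 if i == provisioned_index else 10.0,
                 i == provisioned_index)
            for i in range(n)]
```

With the small cluster the challenge is found after 20.5 simulated seconds, while with 20 addresses the 60-second budget is spent on the first six hosts and the provisioned one is never queried, which is the "provided you don't have too many IP addresses" caveat in the message.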