Re: [Acme] Proposal for http challenge: Lookup SRV records before A/AAAA records

Eric Rescorla <ekr@rtfm.com> Wed, 10 February 2016 14:25 UTC

In-Reply-To: <56BA5BFF.2040207@wyraz.de>
References: <56BA5BFF.2040207@wyraz.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 10 Feb 2016 15:24:26 +0100
Message-ID: <CABcZeBP=Ck25mGZi+NQ71VhW9eHRS3FzRH7bx6py19ormE0fGg@mail.gmail.com>
To: Michael Wyraz <michael@wyraz.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/zOpeLyx-uuMHZC6HL5MgFCllsTo>
Cc: IETF ACME <acme@ietf.org>
Subject: Re: [Acme] Proposal for http challenge: Lookup SRV records before A/AAAA records

On Tue, Feb 9, 2016 at 10:37 PM, Michael Wyraz <michael@wyraz.de> wrote:

> Hi,
>
> as discussed before, acme/http-01 is difficult to implement if the
> domain being validated does not resolve to the IP address of the machine
> on which the client runs.
>
> Common cases are:
> - multiple physical servers behind a TCP balancer (A-Record resolves to
> the load balancer, not to the server on which the acme client runs).
> - geo based dns resolution (A-Record resolves to the "nearest" server,
> which is not necessarily the server on which the acme client runs)
> - A-Record resolves to a device that is not able to run the acme client
> (hardware firewall, router, load balancer)
>
> I've created a proposal for using SRV (with fallback to A/AAAA) to solve
> these issues: https://github.com/ietf-wg-acme/acme/pull/83


This doesn't seem like a great idea. ACME should largely behave the same way
that Web clients do. If you want to muck with DNS just use the DNS
challenges.

-Ekr
> As you can see, the change only affects a small part of the server side
> of the protocol and should have minimal impact on implementations.
>
> Let me know what you think about it.
>
> Kind regards,
> Michael.
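Added example, not code from the thread or from the ACME pull request: it models the proposed http-01 target selection (SRV first, A/AAAA of the domain as fallback) against a constructed in-memory zone and checks it against the plain web-client lookup the reply prefers, so the divergence between the two can be seen directly. The SRV owner name `_acme-http._tcp`, the zone contents and all function names are assumptions made for this example.

```python
import random
from typing import Dict, List, Optional, Tuple

# Constructed zone for this example, not real DNS data. SRV records are
# (priority, weight, port, target); "_acme-http._tcp" is an assumed name.
ZONE: Dict[Tuple[str, str], list] = {
    ("example.test", "A"): ["198.51.100.10"],  # the load balancer
    ("_acme-http._tcp.example.test", "SRV"): [
        (10, 60, 8080, "node1.example.test"),  # hosts running the ACME client
        (10, 40, 8080, "node2.example.test"),
        (20, 0, 80, "backup.example.test"),    # lower priority, never chosen here
    ],
    ("node1.example.test", "A"): ["192.0.2.1"],
    ("node2.example.test", "A"): ["192.0.2.2"],
    ("backup.example.test", "AAAA"): ["2001:db8::10"],
    ("nosrv.test", "AAAA"): ["2001:db8::1"],   # no SRV record: must fall back
}


def addresses(name: str) -> List[str]:
    """What a web client resolves: the name's own A and AAAA records."""
    return ZONE.get((name, "A"), []) + ZONE.get((name, "AAAA"), [])


def pick_srv(records: list, rng: random.Random) -> tuple:
    """RFC 2782 selection: lowest priority wins, weighted random within it."""
    lowest = min(r[0] for r in records)
    candidates = [r for r in records if r[0] == lowest]
    point, running = rng.random() * sum(r[1] for r in candidates), 0
    for rec in candidates:
        running += rec[1]
        if point < running:
            return rec
    return candidates[-1]  # all weights zero: any candidate is acceptable


def web_client_target(domain: str) -> Tuple[str, int, List[str]]:
    """Baseline the reply argues for: the domain itself, port 80."""
    return domain, 80, addresses(domain)


def proposed_target(domain: str, rng: Optional[random.Random] = None,
                    srv_name: str = "_acme-http._tcp") -> Tuple[str, int, List[str]]:
    """Proposed behaviour: SRV lookup first, fall back to the domain's A/AAAA."""
    srv = ZONE.get((f"{srv_name}.{domain}", "SRV"), [])
    if not srv:
        return web_client_target(domain)
    _, _, port, target = pick_srv(srv, rng or random.Random())
    return target, port, addresses(target)


def validation_diverges(domain: str, rng: Optional[random.Random] = None) -> bool:
    """True when the proposal would validate a host a browser never contacts."""
    return proposed_target(domain, rng)[2] != web_client_target(domain)[2]
```

For `example.test` the proposal validates a node the browser never reaches (192.0.2.x instead of the balancer at 198.51.100.10), which is exactly the behavioural split the reply objects to; for `nosrv.test` both paths agree.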