This discussion is more and more about the question of whether ACME should use an SRV record instead of an A record (as a replacement).

Personally I think that using an optional SRV record for ACME with fallback to the A record would be the best solution for all use cases. Those who cannot or don't want to set up an SRV record for ACME can use http-01 as it is. Those who set SRV for ACME can specify exactly which host is allowed to do ACME http-01.

An optional ACME SRV record in the spec would make everyone happy:

- Those who only have an A record.
- Those who want to create certs for devices that cannot answer the challenge (e.g. switches).
- Those who have geo-based DNS (while the A record is geo-dependent, the ACME SRV would point to one single location).
- Those with multiple load-balanced backends.
- And even those who simply don't want anyone who has an A record delegated to them to create certs (like Julian, who can simply create such a record and point it to NIL).
- Oh, and of course the programmers of the ACME client (no change needed for the most common use case) and server (just a few more lines of DNS lookup code to determine the host they need to talk to for the challenge).

I can't see any drawbacks this change would bring to ACME, LE or its users.

Kind regards,
Michael.
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
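The lookup order Michael describes (optional ACME SRV record, fallback to the A record, a NIL target to opt out), as an added Python example that is not part of the mail or of any ACME implementation. The SRV owner name `_acme-challenge._tcp.<domain>`, the use of an SRV target of `.` for NIL (RFC 2782's "service decidedly not available" convention) and all zone data are assumptions constructed here.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int      # not used by this lookup; kept for a faithful SRV shape
    target: str    # "." means "service decidedly not available" (RFC 2782)


# Constructed zone data standing in for a live resolver (hypothetical names).
ZONE: Dict[str, Dict[str, list]] = {
    # geo-dependent A records, but one fixed challenge host via SRV
    "geo.example.com": {"A": ["192.0.2.10", "192.0.2.20"]},
    "_acme-challenge._tcp.geo.example.com": {
        "SRV": [SRV(20, 0, 80, "backup.example.com."),
                SRV(10, 0, 80, "acme.example.com.")]},
    # explicit opt-out: the SRV exists but points to NIL
    "locked.example.com": {"A": ["192.0.2.30"]},
    "_acme-challenge._tcp.locked.example.com": {"SRV": [SRV(0, 0, 0, ".")]},
    # legacy host: no SRV at all, http-01 behaves exactly as today
    "plain.example.com": {"A": ["192.0.2.40"]},
}


def lookup(name: str, rtype: str, zone=ZONE) -> list:
    """Simulated DNS query; an empty list stands for NXDOMAIN/NODATA."""
    return list(zone.get(name.lower(), {}).get(rtype, []))


def challenge_host(domain: str, zone=ZONE) -> Optional[str]:
    """Host the CA should contact for http-01, or None if nobody may answer.

    SRV present with target "." -> refuse (owner opted out of http-01).
    SRV present with targets    -> lowest priority, then highest weight.
    No SRV at all               -> fall back to the domain's own A record.
    """
    srv = lookup(f"_acme-challenge._tcp.{domain}", "SRV", zone)
    if srv:
        if any(r.target == "." for r in srv):
            return None
        best = min(srv, key=lambda r: (r.priority, -r.weight))
        return best.target.rstrip(".").lower()
    if lookup(domain, "A", zone):
        return domain.lower()
    return None
```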
