Hello Jonas,

> > > IMO a better way to support your scenario as well as those I
> > > described above would be to check for an SRV record before checking
> > > A records. This would be 100% compatible with existing acme http-01
> > > clients. In your case you would resolve the SRV record to the
> > > machine that the acme client is running on. The acme server would
> > > check the SRV record for an address to look up the challenge's
> > > response at. If no SRV record is specified, it would continue with
> > > A and AAAA records.
>
> I am not entirely sure I get what you want to say here. SRV records
> contain not only a host name, but also priorities, weights and ports,
> so I wonder how that information would be used in this context.
>
> Do you suggest to have the client use an SRV record to specify the
> address (including the port?) to which the server connects to complete
> the challenge? In that case, what would the effect of multiple SRV
> records for the target name be?

Correct, that's exactly what I meant. Example:

_acme.http-01._tcp.mydomain.com. 3600 IN SRV 10 1 80 acme.mydomain.com.

For multiple SRV records, weight/priority should be respected.

For your case you would resolve www.mydomain.com to several IP addresses:

www.mydomain.com. IN A IP-Address-Server1
www.mydomain.com. IN A IP-Address-Server2

while acme.mydomain.com resolves to the single IP address of the server that the acme client runs on:

acme.mydomain.com. IN A IP-Address-Server1
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
