> I believe this would achieve all of the same benefits as you describe,
> except for "Reduced Exposure". At which point, I think it is reasonable to
> suggest that Applicants use the "dns-01" method if their goal is to get
> certificates for hostnames whose webservers are not publicly exposed.
The dns-01 method does address some of these cases but comes with its own trade-offs, such as:

- Performance: We see significantly slower and less reliable validations with dns-01 as compared to http-01.
- Non-parallelizable issuance: dns-account-01 somewhat addresses this, but requires creating / managing multiple accounts.

The key distinction is that the HTTP-based delegation retains the operational simplicity of http-01 for organizations that are already comfortable using it, while addressing the constraints of environments where dns-01 performance is problematic.

As an alternative, we considered implementing dns-01 with a custom DNS-speaking server that fronts a challenge database. This addresses the above concerns without a change to ACME, but introduces additional complexity and likely isn’t feasible for most consumers.

I hope this clarifies the motivation for this proposal.
_______________________________________________
Acme mailing list -- acme@ietf.org
To unsubscribe send an email to acme-le...@ietf.org