The 301 redirect works only for hostnames with publicly exposed webservers.
All other hosts have to deal with the downsides of dns-01 challenges
compared to the http-01 flow.


On Fri, Jan 17, 2025 at 2:49 PM Q Misell <q...@as207960.net> wrote:

> I still fail to understand why a 301 redirect to somewhere else doesn't
> satisfy this?
>
> On Fri, 17 Jan 2025 at 19:55, Jared Crawford <jmcrawfor...@gmail.com>
> wrote:
>
>>> I believe this would achieve all of the same benefits as you describe,
>>> except for "Reduced Exposure". At which point, I think it is reasonable to
>>> suggest that Applicants use the "dns-01" method if their goal is to get
>>> certificates for hostnames whose webservers are not publicly exposed.
>>
>>
>>
>> The dns-01 method does address some of these cases but comes with its own
>> trade-offs, such as:
>>
>>    - Performance: We see significantly slower and less reliable
>>      validations with dns-01 as compared to http-01.
>>    - Non-parallelizable issuance: dns-account-01 somewhat addresses this,
>>      but requires creating / managing multiple accounts.
>>
>> The key distinction is that the HTTP-based delegation retains the
>> operational simplicity of http-01 for organizations that are already
>> comfortable using it, while addressing the constraints of environments
>> where dns-01 performance is problematic.
>>
>>
>> As an alternative, we considered implementing dns-01 with a custom
>> DNS-speaking server that fronts a challenge database. This addresses the
>> above concerns without a change to ACME, but introduces additional
>> complexity and likely isn’t feasible for most consumers.
>>
>>
>> I hope this clarifies the motivation for this proposal.
>> _______________________________________________
>> Acme mailing list -- acme@ietf.org
>> To unsubscribe send an email to acme-le...@ietf.org
>>
>