I'm confused by the claim that MPIC will make DNS validation slower: dns-01
validation reaches out directly to the authoritative nameservers. Once the
authoritative nameserver has updated its TXT records, all perspectives
should be able to see it at the same time. And even prior to MPIC, no ACME
client should be requesting challenge validation until after it is sure
that the record has propagated to all authoritative nameservers, because
there's no guarantee that the single authoritative perspective would hit
the first nameserver to update.

From a CA perspective, http-01 validation is always much slower than dns-01
validation, because they both require the same number of initial DNS
lookups, but http-01 then requires a subsequent HTTP request, which may
necessitate further DNS lookups if it is 30X redirected.

Aaron

On Tue, Jan 21, 2025 at 12:21 PM Jared Crawford <jmcrawfor...@gmail.com>
wrote:

>> I think that if the original web server is not involved, then it's not really
>> doing authorization.
>
>
> The original web server for delegated http-01 challenges has the same
> level of involvement as a dns-01 challenge does with a CNAME today. In both
> cases, the challenge flow is immediately delegated to an independent
> server. The only difference is that for delegated http-01 the authoritative
> source is a web server whereas it’s a DNS server for dns-01.
>
>> dns-01 is not really that difficult if you have the amount of control that
>> you'd need for your delegation.
>
> There are quite a few downsides of the dns-01 flow compared to http-01. As
> an example, http-01 validation can happen in less than a second, whereas
> DNS challenge propagation can take tens of seconds or even minutes. And
> with MPIC, this will be further degraded as propagation delay will be the
> slowest out of N (even with a small N=3, this will shift p50 propagation
> delay to be the p80 of a single perspective).
>
> On Mon, Jan 20, 2025 at 2:52 PM Michael Richardson <mcr+i...@sandelman.ca>
> wrote:
>
>>
>> Jared Crawford <jmcrawfor...@gmail.com> wrote:
>>     > The 301 redirect works only for hostnames with publicly exposed webservers.
>>     > All other hosts have to deal with the downsides of dns-01 challenges
>>     > compared to the http-01 flow.
>>
>> I think that if the original web server is not involved, then it's not really
>> doing authorization.
>>
>> dns-01 is not really that difficult if you have the amount of control that
>> you'd need for your delegation.
>>
>> --
>> Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
>>            Sandelman Software Works Inc, Ottawa and Worldwide
>>
>
> _______________________________________________
> Acme mailing list -- acme@ietf.org
> To unsubscribe send an email to acme-le...@ietf.org
>
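As an added example, not code from the thread or from any ACME client: the pre-validation check Aaron describes, confirming that every authoritative nameserver serves the expected _acme-challenge TXT value before validation is requested, plus the order-statistic arithmetic behind Jared's p50-to-p80 remark. The nameserver names, the per-server TXT mapping and the token/thumbprint are constructed assumptions; the direct per-NS lookup that fills the mapping is left to the caller.

```python
"""Added example: dns-01 readiness check across all authoritative nameservers,
and the slowest-of-N quantile arithmetic for MPIC. Sample data is constructed."""
import base64
import hashlib

def txt_value_for_challenge(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT holds base64url(SHA-256(keyAuthorization)),
    where keyAuthorization = token '.' base64url(JWK thumbprint)."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def lagging_nameservers(expected_txt: str, txt_by_nameserver: dict) -> list:
    """Authoritative servers that do not (yet) return expected_txt.
    The caller fills the mapping by querying each server in the zone's NS
    RRset directly (bypassing recursive caches); that lookup is assumed here."""
    return sorted(ns for ns, records in txt_by_nameserver.items()
                  if expected_txt not in records)

def ready_for_validation(expected_txt: str, txt_by_nameserver: dict) -> bool:
    """True only when *every* authoritative server serves the record: a single
    lagging server can fail the validation, and under MPIC any of the N
    perspectives may be the one that hits it."""
    return bool(txt_by_nameserver) and not lagging_nameservers(
        expected_txt, txt_by_nameserver)

def single_perspective_quantile(p: float, n: int) -> float:
    """If validation needs all n independent perspectives to see the record,
    the p-th quantile of the slowest-of-n time equals the p**(1/n) quantile of
    one perspective: p=0.5, n=3 gives ~0.79, i.e. roughly the single p80."""
    return p ** (1.0 / n)

if __name__ == "__main__":
    # Constructed sample: fake token/thumbprint and three authoritative
    # servers, one of which has not yet received the zone update.
    expected = txt_value_for_challenge("constructed-token", "constructed-thumbprint")
    observed = {
        "ns1.example.net.": [expected],
        "ns2.example.net.": ["v=spf1 -all", expected],
        "ns3.example.net.": [],
    }
    print("lagging:", lagging_nameservers(expected, observed))   # ['ns3.example.net.']
    print("ready:", ready_for_validation(expected, observed))     # False
    print("p50 of slowest-of-3 ~ single-perspective quantile",
          round(single_perspective_quantile(0.5, 3), 3))          # 0.794
```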