Authority Claims and Clients found via DNS SRV Records #34

Closed
andrewtj opened this issue Nov 29, 2014 · 1 comment

Comments

@andrewtj

I'm interested in using ACME with services that are found via DNS SRV records. These services may not be on privileged ports and the ACME client may have a different hostname to the service it is providing.

Using XMPP as an example, a service would be found by retrieving a record such as:

_xmpp-server._tcp.userdomain.example. 0 IN SRV 0 0 5269 xmpp-host.example.

Wherein xmpp-host.example. would be expected to provide a certificate for userdomain.example. and 5269 is the unprivileged default port used by XMPP servers.

As I understand the spec, the client (xmpp-host.example.) could successfully request a certificate if it is only given a DNS Challenge and if it can manipulate _acme-challenge.userdomain.example. IN TXT. In my case answering that challenge wouldn't be an issue; however, if the other challenges were employed in addition to or in place of the DNS Challenge, the client wouldn't be able to proceed.

That seems a narrow window for success. Is this use-case in scope for the project?

@andrewtj (Author)

Currently DVSNI challenges involve the server connecting to port 443 at the address found via A/AAAA records of the domain name being verified. Trusting A/AAAA records does not seem all that different to trusting SRV records, so perhaps clients could be allowed to provide their host, port and service type to the server which could then check that the host and port are in the appropriate SRV RRSet.
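The check proposed in the comment above, written out as an added example (not code from the ACME project or from the issue author): the client supplies a service type, host and port, and the server looks for an SRV record under `_<service>._<proto>.<domain>` whose target and port match exactly. The example assumes the CA has already fetched the SRV RRSet with its own (ideally DNSSEC-validating) resolver; a constructed RRSet in zone-file presentation syntax stands in for that lookup, and the function and record names are this example's own. Targets of "." are treated as "service not offered", following RFC 2782, so they never authorize anything.

```python
"""Validate an SRV-based authority claim against an SRV RRSet (added example)."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # e.g. "_xmpp-server._tcp.userdomain.example."
    priority: int
    weight: int
    port: int
    target: str     # e.g. "xmpp-host.example."; "." means the service is not offered


def canonical(name: str) -> str:
    """Lower-case a DNS name and make it fully qualified (single trailing dot)."""
    name = name.strip().lower()
    if name == ".":
        return name
    return name.rstrip(".") + "."


def parse_srv_line(line: str) -> SrvRecord:
    """Parse one presentation-format SRV record:
    '<owner> <ttl> IN SRV <priority> <weight> <port> <target>'."""
    fields = line.split()
    if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    owner, _ttl, _cls, _rtype, prio, weight, port, target = fields
    port_num = int(port)
    if not 0 <= port_num <= 65535:
        raise ValueError(f"port out of range: {port}")
    return SrvRecord(canonical(owner), int(prio), int(weight), port_num, canonical(target))


def srv_owner(service: str, proto: str, domain: str) -> str:
    """Owner name of the SRV RRSet for a service at a domain (RFC 2782 naming)."""
    return canonical(f"_{service}._{proto}.{domain}")


def claim_is_authorized(rrset: Iterable[SrvRecord], service: str, proto: str,
                        domain: str, claimed_host: str, claimed_port: int) -> bool:
    """True only if an SRV record for the service at `domain` names exactly the
    host *and* port the client claims. Priority and weight are irrelevant to
    authority: any listed host is one the domain owner delegated to."""
    owner = srv_owner(service, proto, domain)
    host = canonical(claimed_host)
    return any(
        r.owner == owner and r.target != "." and r.target == host and r.port == claimed_port
        for r in rrset
    )


# Constructed records: the one from the issue, a lower-priority backup host for
# the same service, and a different service on the same host, so the check has
# both matches and near-misses to decide on.
SAMPLE_ZONE = """
_xmpp-server._tcp.userdomain.example. 0 IN SRV 0 0 5269 xmpp-host.example.
_xmpp-server._tcp.userdomain.example. 0 IN SRV 10 0 5269 backup-xmpp.example.
_xmpp-client._tcp.userdomain.example. 0 IN SRV 0 0 5222 xmpp-host.example.
"""
SAMPLE_RRSET: List[SrvRecord] = [
    parse_srv_line(line) for line in SAMPLE_ZONE.splitlines() if line.strip()
]

if __name__ == "__main__":
    for host, port in (("xmpp-host.example", 5269), ("xmpp-host.example", 5222),
                       ("other-host.example", 5269)):
        ok = claim_is_authorized(SAMPLE_RRSET, "xmpp-server", "tcp",
                                 "userdomain.example", host, port)
        print(f"{host}:{port} authorized for xmpp-server? {ok}")
```

Matching on both target and port is what keeps this at least as strict as the A/AAAA-plus-port-443 rule: a host that appears in the RRSet on port 5269 gains nothing for a different port, and a service record for `_xmpp-client` says nothing about `_xmpp-server`. The RRSet itself must come from the CA's own resolution of the owner name, never from the client.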
