I don’t know. While it gives you flexibility if you know what you’re doing, it really is a hack that messes with the natural flow of things, so I wouldn’t expect to find this feature anywhere.
True! I will think about it.
As for round-robin DNS, I agree with you but for sure the caching issue does not make it very robust.
Also, what I like in client-side load-balancing is the low DNS maintenance needed to make it work as it is only used to get the seed list.
As an alternative solution, I thought about renting an IP block from my provider, allocating the whole block to my front-end servers, buying a certificate with all IPs declared in the SAN fields, and installing it on all servers. I would lose automation à la Let's Encrypt, but I guess it would work?
Just for my understanding, what is the rationale behind not allowing the IP addresses present in the DNS record to be added? Is there a security issue?
Anyway, thank you very much for your help and time, I better understand the problem now.
Regards,
Erick
Keep in mind that the solution you propose, where clients explicitly request a JSON list of servers to contact, also is subject to caching. That is, most clients will probably fetch that list and select a server once at startup, and then never change it. Whereas with the DNS solution, the client's HTTP library may wind up doing a fresh resolution on each connection. And so long as you set TTL=0 and the client's resolver observes it, you should get good load balancing.
We've been discussing possibly implementing IP address issuance, though it's not yet on any roadmap. The main concern we had at launch is that the lifetime of ownership of a given IP address can be quite short; on the order of hours for VPSes. So a certificate issued at one moment might be misleading just a few moments later.
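As an added illustration (not code from this thread), a small Python simulation of the caching point above: a stub resolver that honours the TTL re-queries a round-robin name on every connection when TTL=0, but keeps returning the same first address while a cached answer is still valid. The name, addresses and clock are constructed for the example.

```python
import itertools
from collections import deque


class RoundRobinAuthority:
    """Constructed authoritative server that rotates its A records on each query."""

    def __init__(self, name, addrs, ttl):
        self.name, self.ttl = name, ttl
        self._addrs = deque(addrs)

    def query(self):
        """Return (rrset, ttl); the order rotates so the first address changes per query."""
        rrset = list(self._addrs)
        self._addrs.rotate(-1)
        return rrset, self.ttl


class CachingStubResolver:
    """Stub resolver that re-queries only once the cached answer's TTL has expired."""

    def __init__(self, authority, clock):
        self.authority, self.clock = authority, clock
        self._cache = None  # (rrset, expires_at)
        self.queries = 0  # how many times the authority was actually asked

    def resolve(self):
        now = self.clock()
        if self._cache is None or now >= self._cache[1]:
            rrset, ttl = self.authority.query()
            self.queries += 1
            self._cache = (rrset, now + ttl)
        return self._cache[0]


def connect_sequence(authority, n, clock=lambda: 0):
    """Simulate n connections; each one resolves and connects to the first address returned.

    Returns (addresses used per connection, number of authoritative queries made).
    """
    resolver = CachingStubResolver(authority, clock)
    return [resolver.resolve()[0] for _ in range(n)], resolver.queries


def seed_list_client(addrs, n):
    """Client that fetches a JSON seed list once at startup and keeps its first pick."""
    chosen = list(addrs)[0]  # selected once, never re-evaluated
    return [chosen for _ in range(n)]
```

Advancing the clock past the TTL (the third assertion in the test) shows the resolver re-querying and the first address rotating only at expiry, which is the behaviour a TTL>0 record gives a long-running client.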
Hi @jsha,
Right, and for this case, we will enforce using our driver if they want to avoid service interruption during rolling release and downtime. For plain http client, we will follow your suggestion of DNS round-robin + TTL=0, thanks.
I understand. From my point of view, I think this should not be an issuer's issue, and that as many features as possible should be proposed as far as automation can be done. But I may be missing the point.
For now, I will implement your solution of providing the servers by name. Every problem is solved with an extra level of indirection...
Thank you very much for sharing your experience on this, it was very helpful,
Best wishes,
Erick