Hi, I can see that there are many bad feelings about using a tunnel. But there would be two challenges that can circumvent the problem, because even if the host is IPv6 they do not require an IPv6 connection:
proofOfPossession-01 := here we would check that the client has the private key of a currently valid certificate for the requested domain, trusted by any browser-trusted CA including LE (for renewal)
dns-01 := here we can combine it with DNSSEC if necessary, and it works as long as there is not an IPv6-only DNS server.
That's completely correct. The resolvers in use by Let's Encrypt fully support DNSSEC today, as well.
Once the DNS challenge is enabled, that'll work fine for IPv6.
The only problem is that DNSSEC isn't widely supported, both by DNS (creation) servers, aka those where you can manage your records, and by registrars, because you need both.
Cloudflare started DNSSEC-ing some days ago, but my registrar (edis.at) doesn't do DNSSEC yet, though it seems they plan it for Q1 2016.
I agree. DNSSEC support during validation will still leave many people with IPv6-only hosts unable to validate, and will disproportionately affect those using budget providers (often they're the ones offering IPv6-only) or with less technical skill/understanding.
@gary well I would say support of DNSSEC would be great, BUT requiring it is another thing.
But maybe LE should check normal DNS more thoroughly, like checking multiple different DNS servers or similar.
It would also be possible to have the list of root DNS servers and do a DNS lookup from scratch, caching only the TLD NS records for the specified TTL.
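As an added illustration of the two points above (dns-01 validation only needs a TXT lookup, and a CA could require several independent resolvers to agree), here is example code that is not from this thread, from Let's Encrypt or from certbot. It computes the `_acme-challenge` TXT value the way RFC 8555 section 8.4 specifies (SHA-256 of the key authorization, base64url, no padding; the account key thumbprint follows RFC 7638) and then emulates a validator that accepts the challenge only when every vantage point saw that value. The account key, the token and the per-resolver answers are constructed sample data; the multi-resolver rule is a sketch of the idea in the post, not a description of how Let's Encrypt actually validates.

```python
from __future__ import annotations

import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required public members."""
    if jwk["kty"] == "RSA":
        members = {"e": jwk["e"], "kty": "RSA", "n": jwk["n"]}
    elif jwk["kty"] == "EC":
        members = {"crv": jwk["crv"], "kty": "EC", "x": jwk["x"], "y": jwk["y"]}
    else:
        raise ValueError("unsupported key type: %r" % jwk.get("kty"))
    # Lexicographic member order, no whitespace, as the RFC requires.
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value the CA expects in the _acme-challenge TXT record (RFC 8555 section 8.4)."""
    key_authorization = "%s.%s" % (token, jwk_thumbprint(account_jwk))
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(domain: str) -> str:
    """Owner name of the TXT record for dns-01."""
    return "_acme-challenge.%s." % domain


def validate_from_vantage_points(expected: str,
                                 answers: dict[str, list[str]]) -> tuple[bool, list[str]]:
    """
    Emulate a validator querying several resolvers. The challenge passes only if
    every vantage point returned the expected value; a resolver that returned
    nothing (e.g. it could not reach an IPv6-only authoritative server) fails
    the check just like one that returned a wrong record.
    Returns (ok, names of the vantage points that did not see the record).
    """
    missing = [vp for vp, records in answers.items() if expected not in records]
    return (not missing, missing)


# Constructed sample data (not a real account key or token).
CONSTRUCTED_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x7f" * 256)}
CONSTRUCTED_TOKEN = "constructed-token-for-demo-only"


def demo(domain: str = "ipv6-only.example") -> dict:
    """Walk through provisioning and checking the record for one domain."""
    expected = dns01_txt_value(CONSTRUCTED_TOKEN, CONSTRUCTED_JWK)
    # Constructed answers: two resolvers see the record, one got no answer.
    answers = {
        "resolver-a": [expected],
        "resolver-b": [expected, "v=spf1 -all"],
        "resolver-c": [],
    }
    ok, missing = validate_from_vantage_points(expected, answers)
    return {
        "record": challenge_name(domain),
        "value": expected,
        "ok": ok,
        "missing": missing,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-8s %s" % (k, v))
```

Publishing the TXT record is the only step that touches the domain's own infrastructure, which is why this challenge works for a host that has no IPv4 address at all: the CA's resolvers never connect to the web server. The remaining dependency is that the CA's resolvers can reach the authoritative name servers, which is exactly the IPv6-only DNS server caveat raised earlier in the thread.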
Indeed both my domain/DNS managers don't support DNSSEC - using dnsmadeeasy and Amazon Route53 (geo/latency-based DNS records)
Yes, I meant DNSSEC in lieu of proper IPv6 support would be a poor workaround, but DNSSEC support for its own sake would be a terrific innovation, and very future-proof.
For anyone looking for a DNS provider that supports DNSSEC, I'd point you to Gandi.net, who are well respected in the community at large and support a wide swath of TLDs (AWS are currently Gandi resellers). Though I'd recommend you steer clear of their web hosting if you're more technically inclined (as I imagine is the case where this thread is concerned).
Unfortunately moving DNS management would be harder, as I use GeoDNS/latency-based DNS records for 18 servers spread around several countries - it would be a pain to move from Amazon Route53, heh.
I totally understand, you're one of those cases where DNSSEC doesn't solve the lack of IPv6-only validation.
In case we end up with DNSSEC validation before IPv6-only, Gandi is an option for those who are already on Gandi or are shopping for a new registrar or DNS service.
Well, I just hope DANE comes as quickly as possible so we can say goodbye to CAs except for EV certs, which do have their use.
(Just by the way, what's the point of OV certs? I mean at first sight you cannot distinguish them from EV certs, and both check the entity it belongs to, except that EV cannot be issued to individuals, so OV has pretty much no purpose.)
Well, in OV and EV the entity is checked and the bar is green. I don't see a reason to use that, since at least the average user won't see the information, and when I really want to get the trust of the user I get an EV, or if I cannot get an EV for whatever reason a DV will be enough.
The problem is that a user without knowledge cannot see the difference between DV and OV, making the latter almost useless…
Yeah, perception and education are factors.
@My1 as told in your link, EV requires much more verification.
https://info.ssl.com/faq-requirements-for-ssl-com-ev/
If you want it in one sentence:
A letterbox company can get an OV cert, while this should not be possible for EV.
Well yeah, but an OV is useless if the user (the one who has to trust) doesn't see a difference between OV and DV.
This is correct for WWW users but will be completely different if the cert is allowed for client/mail authentication.
In this case the OV certificate can fulfill legal requirements as a replacement for a signature on legal documents.
And also there is no chance to use a DV cert for MS code signing, while OV should be possible. People often forget that X.509 certificates are not only used for web pages. For example, OV can be used in some API cases with web services or XML signing to generate invoices where you do not need to verify the company address.
Well okay, that again makes sense.
But what doesn't make sense is that EV certs are not for business entities, and what makes even less sense is that IIRC .onion shall require EV certs, which essentially kicks out the most important userbase of Tor…
Guys, can we limit the conversation to LE IPv6-related info please? It's not great watching a thread and being sent notifications about unrelated topics.
Any update on IPv6-only hosts verification? (using Apache plug-in)
This is for a mirror of http://test-ipv6.com which loads some test images from IPv4-only and IPv6-only sites. See below:

```
Failed authorization procedure. ipv6.test-ipv6.vyncke.org (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No IPv4 addresses found for ipv6.test-ipv6.vyncke.org, mtu1280.test-ipv6.vyncke.org (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No IPv4 addresses found for mtu1280.test-ipv6.vyncke.org
```
**IMPORTANT NOTES:**
```
- The following 'urn:acme:error:unknownHost' errors were reported by the server:
  Domains: ipv6.test-ipv6.vyncke.org, mtu1280.test-ipv6.vyncke.org
  Error: The server could not resolve a domain name
```

By the way: great tool.