[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: When should we https our mirrors?

]] Dimitri John Ledkov 

> I'm not a sysadmin. My naive approach would be to have cname specified
> on the certs that are subject to redirect. E.g. ftp.d.o should have
> cname's for all country codes, such that any country mirror can fall
> back to ftp.d.o.

This would restrict us to always point a ftp.XX.d.o name to ftp.d.o.
Sometimes, it'd be more appropriate to point it to a closer geographical
mirror.  (Say ftp.nz were performing maintenance, it'd be a lot more
reasonable to send that traffic to Australia than to the Netherlands.)

Is this impossible to fix/work around?  No.  However, it requires more
thought and design than just slapping a few letsencrypt certs onto
some hosts.

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Reply to: