Ryan Bolger

@rmbolger
42 Followers
35 Following
323 Posts
Dad, tech enthusiast, casual gamer, a cappella music lover, and DDI Architect at Alight Solutions
Github: https://github.com/rmbolger
Blog: https://www.dvolve.net/
Posh-ACME: https://poshac.me/docs/latest/
@bortzmeyer Maybe one of those crypto bros who think adding blockchain will solve everything.
@atarifrosch Let’s Encrypt only cares about A/AAAA records when using http-01 challenge type. You don’t need anything internet facing if you use dns-01 challenge instead. You just need to be able to modify a TXT record. It gets even easier once the new dns-persist-01 challenge becomes available. https://letsencrypt.org/2026/02/18/dns-persist-01
DNS-PERSIST-01: A New Model for DNS-based Challenge Validation

When you request a certificate from Let’s Encrypt, our servers validate that you control the hostnames in that certificate using ACME challenges. For subscribers who need wildcard certificates or who prefer not to expose infrastructure to the public Internet, the DNS-01 challenge type has long been the only choice. DNS-01 works well. It is widely supported and battle-tested, but it comes with operational costs: DNS propagation delays, recurring DNS updates at renewal time, and automation that often requires distributing DNS credentials throughout your infrastructure.
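As an added illustration of what "modify a TXT record" means in practice for DNS-01 (example code written for this page, not Posh-ACME's or Let's Encrypt's), the following computes the record name and value an ACME client publishes and the comparison the validator effectively performs; the account key and token are constructed sample values.

```python
import hashlib
import json
from base64 import urlsafe_b64encode


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses."""
    return urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the
    required public members only, serialized as compact JSON with keys in
    lexicographic order (whitespace and optional members excluded)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: binds the challenge response to the account
    that requested it (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple[str, str]:
    """Name and value of the TXT record the CA looks up for DNS-01
    (RFC 8555 section 8.4). A wildcard identifier drops its '*.' label,
    so '*.example.com' and 'example.com' share one record name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    name = f"_acme-challenge.{base}"
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


def txt_satisfies_challenge(published: list[str], expected_value: str) -> bool:
    """What the validator effectively checks: at least one TXT string at the
    record name equals the expected value. Several may coexist, e.g. when a
    wildcard and its base name are validated in the same order."""
    return expected_value in published


# Constructed sample inputs (not from a real account or order).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
              "use": "sig"}  # optional member; must not affect the thumbprint
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name}. IN TXT "{value}"')
```

Because the value is a hash of a per-order token, it changes at every renewal, which is the recurring-DNS-update cost the Let's Encrypt post above refers to.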

@robbienorlyn DNS, being highly distributed and cacheable, doesn’t suffer the same perf impacts from AI crawling as web servers. 1000s of pages might need <5 DNS queries. Also no good way to tell AI queries from human queries besides fuzzy IP src mapping. There’s no user-agent equivalent to identify them and most queries would be getting funneled through a recursive server on the way to the authoritative. Unless you were referring to performance impacts on the recursive server they might be using?
@izoatetech Ironically, accessing the System-About GUI is faster using hotkeys than any of the listed PowerShell methods. Win+x,y
@kdawson Essentially, you need to set up pihole to black hole that use-application-dns.com domain. When Firefox tries to resolve it and can’t, it will disable the DoH stuff in Firefox and just use the OS provided dns.
@kdawson By “proxies around the block”, do you mean the thing where it uses DoH to a public resolver instead of the OS provided DNS settings? If so, you may find this useful. https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
Canary domain - use-application-dns.net | Firefox Help

Network administrators may configure their networks to modify DNS requests for the following special-purpose domain, called a "canary domain".

@pft I may be misunderstanding, but I think that dude was just trying to imply that allowing free IP certs in general is bad. Not specifically IPs in the CN. And I think his reason is that needing to buy a domain has been an extra hurdle (monetary and paper trail-wise) for bad guys which would be removed if they no longer need one for a valid cert.

I tend to disagree, but I think that was the gist.

@pft I don’t have any LE certs with IP identifiers to check against, but their profiles documentation seems to indicate they don’t even include a CN property in anything but their `classic` and `tlsclient` profiles. And neither of those allow IP address identifiers. So I don’t think LE is signing any certs with IP in the CN, right? https://letsencrypt.org/docs/profiles/
Profiles

A profile is a collection of characteristics that describe both the validation process required to get a certificate, and the final contents of that certificate. For the vast majority of Let’s Encrypt subscribers, you should never have to worry about this: we automatically select the best profile for you, and ensure that it complies with all of the requirements and best practices that govern the Web PKI. But some people might be interested in proactively selecting a specific profile, so this page exists to provide the information necessary to make that choice.

@guenther The Microsoft article you included has a link to a related article about TLS for Exchange Online and hybrid deployments. That article has an explicit note that says, “Certificates to relay emails to Exchange Online don’t need an EKU for client authentication.” So it sounds like the EKU removal should not affect you, right?

https://learn.microsoft.com/en-us/purview/exchange-online-uses-tls-to-secure-email-connections

How Exchange Online uses TLS to secure email connections

Learn how Exchange Online and Microsoft 365 use Transport Layer Security (TLS) and Forward Secrecy (FS) to secure email communications.

@Loredo If you need free and also need wildcard or effectively unlimited SANs, your choices right now are Let’s Encrypt, Google, or ZeroSSL.