LetsEncrypt challenges and SRV records


The SRV record allows hosting a service for a specific domain (commonly XMPP) on a different host than the A/AAAA record indicates. However, from what I can read in the documentation, the host that provides a service must still have a certificate authorizing it for the original domain name.

So: Is there any good solution that would allow me to run a secure XMPP server and an HTTP server for the same domain on different machines?

As an example, consider this zone for example.com:

@ 10800 IN A 0.0.0.0
_xmpp-client._tcp 10800 IN SRV 5 0 5222 xmpp.example.com.
_xmpp-server._tcp 10800 IN SRV 5 0 5269 xmpp.example.com.
xmpp 10800 IN A 0.0.0.1

The server at 0.0.0.1 must have a certificate that authenticates it for the name example.com, but only 0.0.0.0 (as the A record for example.com) can acquire that certificate from LetsEncrypt.

Do I just... generate the certificate on 0.0.0.0 and then transfer it over the network each time? Or temporarily set the web server on 0.0.0.0 to forward the /.well-known/acme-challenge/ requests to 0.0.0.1? Neither of these seems very robust or secure.

Are SRV records essentially unusable in the https-everywhere world?


Solution

Ah.

LetsEncrypt supports other challenges that don't rely on the A record; specifically a DNS challenge: https://datatracker.ietf.org/doc/html/draft-ietf-acme-acme-01#section-7.5

This merely requires the XMPP server to have access to the DNS registrar's API to allow it to temporarily set a TXT record.
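As an added illustration, not part of the question or the answer above, the following shows what the XMPP host actually has to publish for the DNS challenge. It follows the DNS-01 scheme as specified in RFC 8555, the published successor of the draft linked above: the TXT record at _acme-challenge.<domain> holds the base64url-encoded SHA-256 digest of the key authorization, which is the challenge token joined with a "." to the RFC 7638 thumbprint of the ACME account key. The JWK, the token and the "published" dictionary are constructed sample values standing in for the real account key, the CA's challenge and a DNS lookup; nothing here contacts LetsEncrypt or a DNS provider.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted by
    name and serialised with no whitespace. Optional members such as alg or kid
    are deliberately ignored, so they cannot change the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: binds the CA's token to one ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (owner name, TXT value) the client must publish for DNS-01."""
    owner = "_acme-challenge." + domain.rstrip(".") + "."
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return owner, b64url(digest)


def dns01_satisfied(published: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """What the CA's validator checks: does any TXT string at the owner name match?
    `published` maps owner names to lists of TXT strings (stands in for a DNS lookup)."""
    owner, expected = dns01_record(domain, token, account_jwk)
    return expected in published.get(owner, [])


# Constructed sample values: a public EC key in JWK form and an ACME-style token.
# Not real account key material and not a token issued by any CA.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",            # optional member, must not affect the thumbprint
    "kid": "xmpp-host-account",  # optional member, likewise ignored
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    owner, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    # This is the record the XMPP host would create through the DNS API,
    # then remove once the CA has validated the challenge.
    print(f'{owner} 300 IN TXT "{value}"')
    zone = {owner: [value]}
    print("validator accepts:", dns01_satisfied(zone, "example.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

Because the TXT value is derived from the account key, the host that publishes it must also hold the ACME account key that later signs the certificate request, which is exactly why the XMPP server itself, rather than the web server, should run the client. The DNS credential it needs is the sensitive part: scope it as narrowly as the provider allows, or delegate _acme-challenge.example.com with a CNAME to a separate zone that only the XMPP host can write (the validator follows CNAMEs like any resolver), so a compromise of that host cannot rewrite the A or SRV records of the main zone.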