[Pdns-users] Rcode 3 NXDOMAIN for existing CNAME
Peter Thomassen
peter at desec.io
Sat Mar 25 12:15:10 UTC 2023
On 3/25/23 11:44, Christoph wrote:
> >> However, I doubt this is a reasonable approach for your ACME
> >> client.
>
> Sounds like a simple enough solution to me, can you elaborate why
> you doubt it is reasonable?

My understanding is that ACME is about whether there is a TXT RRset with the challenge record; if it is not there, it's irrelevant whether the outcome is NXDOMAIN or NODATA/NOERROR.

If the software's behavior depends on that detail, it doesn't seem like it is doing a reasonable thing. It should not need to know / care about the specific circumstances of the challenge record's absence.

>> It would be a weird workaround, when the better approach is to make
>> the ACME client just understand rcodes correctly :)
>
> My understanding was that simply looking at the rcode only
> without Peter Thomassen's workaround is not enough
> because both cases (existing and not existing) both result in
> an NXDOMAIN rcode?

That's right, but I don't see why the ACME client should investigate whether there is a CNAME present. Can you name a reason why it should?

Thanks,
Peter
--
https://desec.io/
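
Added example, not part of the original message and not taken from any ACME client: a pre-validation check that decides only on whether the expected TXT value is in the answer, treating NXDOMAIN and NOERROR/NODATA alike, with or without a CNAME. The Response model, names, token and sample responses are constructed assumptions.

```python
from dataclasses import dataclass, field

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3  # DNS rcodes (RFC 1035)

@dataclass
class Response:
    """Simplified model of a DNS response (hypothetical, for illustration)."""
    rcode: int
    answer: list = field(default_factory=list)  # (owner, rtype, rdata) tuples

def norm(name):
    """Compare owner names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def txt_values(qname, resp):
    """Follow any CNAME chain in the answer section; return TXT rdata at its end."""
    owner, seen = norm(qname), set()
    while owner not in seen:
        seen.add(owner)  # guards against CNAME loops
        target = next((rd for o, t, rd in resp.answer
                       if t == "CNAME" and norm(o) == owner), None)
        if target is None:
            break
        owner = norm(target)
    return [rd for o, t, rd in resp.answer if t == "TXT" and norm(o) == owner]

def challenge_state(qname, resp, expected):
    """Return 'present', 'absent' or 'error' for the challenge TXT lookup."""
    if resp.rcode not in (NOERROR, NXDOMAIN):
        return "error"  # e.g. SERVFAIL: nothing can be concluded, retry later
    # NXDOMAIN and NOERROR/NODATA are deliberately not distinguished:
    # in both cases the TXT RRset is simply not there.
    return "present" if expected in txt_values(qname, resp) else "absent"

# Constructed sample responses (not captured traffic)
Q = "_acme-challenge.example.com"
TOKEN = "constructed-token-value"
CNAME = (Q, "CNAME", "chal.validation.example.net.")
SAMPLES = {
    "nxdomain_no_cname": Response(NXDOMAIN),
    "nxdomain_with_cname": Response(NXDOMAIN, [CNAME]),  # CNAME exists, target does not
    "nodata_with_cname": Response(NOERROR, [CNAME]),     # target exists, no TXT
    "txt_via_cname": Response(NOERROR, [CNAME, ("chal.validation.example.net", "TXT", TOKEN)]),
    "servfail": Response(SERVFAIL),
}

if __name__ == "__main__":
    for label, resp in SAMPLES.items():
        print(f"{label:22} -> {challenge_state(Q, resp, TOKEN)}")
```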