[Pdns-users] Rcode 3 NXDOMAIN for existing CNAME
Christoph
cm at appliedprivacy.net
Sat Mar 25 13:04:01 UTC 2023
>> >> However, I doubt this is a reasonable approach for your ACME
>> >> client.
>>
>> Sounds like a simple enough solution to me, can you elaborate why
>> you doubt it is reasonable?
>
> My understanding is that ACME is about whether there is a TXT RRset with
> the challenge record; if it is not there, it's irrelevant whether the
> outcome is NXDOMAIN or NODATA/NOERROR.
OK, now I understand where the misunderstanding comes from. Thanks for
elaborating.
The DNS query we are talking about is not about validating the ACME
challenge; it is a DNS query that lego triggers to learn which DNS
record it has to create/update via the DNS provider's DNS API to place
the challenge in the DNS record in the next step. If there is no CNAME,
it will create the record at the fixed place _acme-challenge.<requested SAN>;
if _acme-challenge.<requested SAN> is a CNAME, it will follow it recursively
to find out which record it should actually update/create.
Since this is the background of the DNS query I find your suggestion a
valid solution for the problem that lego could implement.
We will see how the lego developer sees it.
lego had experimental CNAME opt-in support for a while and it is now
enabled by default.
> If the software's behavior depends on that detail, it doesn't seem like
> it is doing a reasonable thing. It should not need to know / care about
> the specific circumstances of the challenge record's absence.
>
>>> It would be a weird workaround, when the better approach is to make
>>> the ACME client just understand rcodes correctly :)
>>
>> My understanding was that simply looking at the rcode only
>> without Peter Thomassen's workaround is not enough
>> because both cases (existing and not existing) result in
>> an NXDOMAIN rcode?
>
> That's right, but I don't see why the ACME client should investigate
> whether there is a CNAME present. Can you name a reason why it should?
I hope my text above answers your question; if it does not, please let me
know.
best regards,
Christoph
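An added illustration of the point discussed in this thread (example code written for this page, not lego's or PowerDNS's code): a toy resolver over a constructed zone returns rcode NXDOMAIN when the CNAME chain for _acme-challenge.<name> ends at a name that does not exist yet, and a client that keys off the rcode alone would wrongly conclude there is no CNAME, while one that follows the CNAME records in the answer section finds the owner name it has to create or update. The zone data and names are constructed for the example.

```python
# Added example: why an ACME client must inspect the answer section for
# CNAMEs instead of trusting the rcode. Zone data below is constructed.

NOERROR, NXDOMAIN = 0, 3

# Constructed zone: the _acme-challenge name under www is a CNAME whose
# target does not exist yet (the client is about to create it there).
ZONE = {
    "www.example.org.": [("A", "192.0.2.10")],
    "_acme-challenge.www.example.org.": [("CNAME", "_acme-challenge.acme.example.net.")],
    "_acme-challenge.plain.example.org.": [("TXT", "old-token")],
}


def resolve(qname, qtype, zone=ZONE):
    """Return (rcode, answer_rrs) the way a resolver does, following CNAMEs.

    CNAME records stay in the answer section even when the final target
    owner name is missing; in that case the rcode is NXDOMAIN.
    """
    answer, seen, name = [], set(), qname
    while name not in seen:
        seen.add(name)
        rrs = zone.get(name)
        if rrs is None:
            return NXDOMAIN, answer          # target missing, CNAMEs already in answer
        cnames = [rr for rr in rrs if rr[0] == "CNAME"]
        if cnames and qtype != "CNAME":
            answer.append((name, "CNAME", cnames[0][1]))
            name = cnames[0][1]
            continue
        answer.extend((name, t, d) for t, d in rrs if t == qtype)
        return NOERROR, answer               # NOERROR with empty answer == NODATA
    raise ValueError("CNAME loop detected")


def rcode_only_target(qname, qtype="TXT"):
    """Logic that trusts the rcode: treats NXDOMAIN as 'no CNAME, nothing to do'."""
    rcode, _ = resolve(qname, qtype)
    return None if rcode == NXDOMAIN else qname


def cname_aware_target(qname, qtype="TXT"):
    """Follow the CNAME chain from the answer section regardless of rcode;
    the last owner name is where the challenge TXT record has to go."""
    _, answer = resolve(qname, qtype)
    name = qname
    for owner, rtype, data in answer:
        if rtype == "CNAME" and owner == name:
            name = data
    return name
```

For a name with no CNAME at all, cname_aware_target returns the queried name itself, which is exactly the "create it at the fixed place" case from the thread.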