[Pdns-users] Rcode 3 NXDOMAIN for existing CNAME
Peter Thomassen
peter at desec.io
Sat Mar 25 13:49:52 UTC 2023
On 3/25/23 14:04, Christoph wrote:
>> My understanding is that ACME is about whether there is a TXT RRset with the challenge record; if it is not there, it's irrelevant whether the outcome is NXDOMAIN or NODATA/NOERROR.
>
> OK, now I understand where the misunderstanding comes from. Thanks for elaborating.
>
> The DNS query we are talking about is not about validating the ACME challenge; it is a DNS query that lego triggers to learn which DNS record it has to create/update via the DNS provider's DNS API to place the challenge in the DNS record in the next step. If there is no CNAME, it will create the record at the fixed place _acme-challenge.<requested SAN>; if _acme-challenge.<requested SAN> is a CNAME, it will follow it recursively to find out which record it should actually update/create.
>
> Since this is the background of the DNS query I find your suggestion a valid solution for the problem that lego could implement.
I agree! Thanks for clearing this up, I was on the wrong track about what the goal of that query was.
Cheers,
Peter
--
https://desec.io/
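
Added example, not part of the original message and not lego's code: a sketch of the pre-flight lookup described in the quoted text, covering the case in the subject line where the reply carries a CNAME in the answer section together with rcode 3 because the CNAME's target does not exist. The response type, the lookup function and all names in the zone map are constructed assumptions so that the block runs offline.

```go
package main

import (
	"fmt"
	"strings"
)
// response is a constructed stand-in for a DNS reply (not a real resolver type).
type response struct {
	rcode int    // 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN
	cname string // CNAME target from the answer section, "" if none
}

// zone is constructed sample data; entry one is the subject-line case (CNAME present, rcode 3).
var zone = map[string]response{
	"_acme-challenge.www.example.com.":  {3, "www.validation.example.net."},
	"_acme-challenge.loop.example.com.": {0, "_acme-challenge.loop.example.com."},
	"_acme-challenge.bad.example.com.":  {2, ""},
}

// lookup is a hypothetical offline resolver; unknown names return NXDOMAIN.
func lookup(fqdn string) response {
	if r, ok := zone[fqdn]; ok {
		return r
	}
	return response{rcode: 3}
}

// challengeTarget returns the owner name at which the TXT record must be written.
func challengeTarget(san string, resolve func(string) response) (string, error) {
	name := "_acme-challenge." + strings.ToLower(strings.TrimSuffix(san, ".")) + "."
	seen := map[string]bool{}
	for !seen[name] {
		seen[name] = true
		r := resolve(name)
		switch {
		case r.cname != "": // answer section wins, even when rcode is NXDOMAIN
			name = strings.ToLower(r.cname)
		case r.rcode == 0 || r.rcode == 3: // NODATA or NXDOMAIN: chain ends here
			return name, nil
		default: // SERVFAIL etc.: do not guess where to write the challenge
			return "", fmt.Errorf("lookup of %s failed with rcode %d", name, r.rcode)
		}
	}
	return "", fmt.Errorf("CNAME loop at %s", name)
}

func main() {
	fmt.Println(challengeTarget("www.example.com", lookup))
}
```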