On 3/25/23 14:04, Christoph wrote:
>> My understanding is that ACME is about whether there is a TXT RRset with the
>> challenge record; if it is not there, it's irrelevant whether the outcome is
>> NXDOMAIN or NODATA/NOERROR.
> OK, now I understand where the misunderstanding comes from. Thanks for
> elaborating.
>
> The DNS query we are talking about is not about validating the ACME challenge;
> it is a DNS query that lego triggers to learn which DNS record it has to
> create/update via the DNS provider's DNS API to place the challenge in the
> DNS record in the next step. If there is no CNAME, it will create the record
> at the fixed place _acme-challenge.<requested SAN>; if
> _acme-challenge.<requested SAN> is a CNAME, it will follow it recursively
> to find out which record it should actually update/create.
>
> Since this is the background of the DNS query, I find your suggestion a valid
> solution for the problem that lego could implement.
I agree! Thanks for clearing this up, I was on the wrong track about what the
goal of that query was.
Cheers,
Peter
--
https://desec.io/
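The lookup described in the thread, as an added example that is not part of the original messages and not lego's own code: starting at _acme-challenge.<SAN>, follow CNAMEs recursively to find the name whose TXT record must actually be created, treating NXDOMAIN and NODATA alike as "no CNAME here". The resolver is a constructed in-memory dictionary with hypothetical names; a real implementation would issue DNS queries instead.

```python
"""Model of lego's pre-placement lookup for a dns-01 challenge.
Added example with a constructed in-memory resolver, not lego's code."""
from typing import Dict, Optional, Tuple

# Constructed sample zone data (hypothetical names): name -> (rrtype, rdata).
# A name absent from the dict answers NXDOMAIN; a name present without a
# CNAME answers NODATA/NOERROR for a CNAME query. Both mean "no CNAME".
# Simplification: one RRset per name, which is enough to show the walk.
SAMPLE_RECORDS: Dict[str, Tuple[str, str]] = {
    "_acme-challenge.www.example.test.": ("CNAME", "_acme-challenge.example.test."),
    "_acme-challenge.example.test.": ("CNAME", "acme.dns-provider.test."),
    "acme.dns-provider.test.": ("TXT", '"placeholder"'),
    "_acme-challenge.nodata.example.test.": ("TXT", '"old-token"'),
    "_acme-challenge.loop.example.test.": ("CNAME", "_acme-challenge.loop.example.test."),
}


def lookup_cname(name: str, records=SAMPLE_RECORDS) -> Optional[str]:
    """Return the CNAME target for name, or None for NXDOMAIN and NODATA alike."""
    rr = records.get(name)
    if rr is None or rr[0] != "CNAME":
        return None
    return rr[1]


def challenge_record_name(san: str, records=SAMPLE_RECORDS, max_depth: int = 10) -> str:
    """Name at which the dns-01 TXT record must be created/updated for san."""
    name = "_acme-challenge." + san.rstrip(".") + "."
    seen = set()
    for _ in range(max_depth):
        seen.add(name)
        target = lookup_cname(name, records)
        if target is None:
            return name  # no CNAME: the fixed place is where the TXT goes
        if target in seen:
            raise ValueError(f"CNAME loop while resolving {name}")
        name = target
    raise ValueError(f"CNAME chain deeper than {max_depth} for {san}")


if __name__ == "__main__":
    for san in ("www.example.test", "other.example.test", "nodata.example.test"):
        print(san, "->", challenge_record_name(san))
```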
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users