Hello,
I recently ran into "bad [owner] name" errors trying to set up a
'_acme-challenge' subdomain. Yes, this is for Let's Encrypt domain
validation.
I wanted to use the dns-rfc2136 plugin [1], which, as the name suggests,
does dynamic zone updates for the authentication challenge. Since my
registrar does not support NOTIFY and Let's Encrypt queries all name
servers for the domain, I would need to set the propagation time in
accordance with the TTL, which my registrar uses for doing AXFRs, in
order to make this work on the main domain (penguinpee.nl).
On the Let's Encrypt forum it was suggested to use a dedicated zone with
only a single name server, the one dns-rfc2136 is able to update
dynamically. It seems [2] that would only work with '_acme-challenge' as
a delegated zone, which named refuses unless I set 'check-names master
ignore;'.
But it seems common practice, at least in the Let's Encrypt community,
to set it up this way and they are planning on making it the default
behavior for DNS plugins [3].
tl;dr
I was wondering what the opinion is of other DNS administrators
regarding the use of non-standard domain names in DNS. After all,
there's probably a reason for the default behavior of 'check-names' in BIND.
-- Sandro
[1] https://certbot-dns-rfc2136.readthedocs.io/en/stable/
[2] https://community.letsencrypt.org/t/domain-authentication-fails-with-dns-rfc2136-plugin/180103/8
[3] https://github.com/certbot/certbot/issues/7701
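For readers wanting to see what the "dedicated zone with a single name server" setup from the post looks like in named.conf, here is an added example (not from the original post, and not certbot's or ISC's own configuration). It assumes a TSIG key named "acme-update", a zone file path under the server's working directory, and that the delegation itself (an NS record for _acme-challenge pointing at this server) is added in the parent zone at the registrar; all of those names are placeholders. The two points it makes are that `check-names ignore;` can be scoped to the one zone that needs it rather than being set server-wide with `check-names master ignore;`, and that `update-policy` limits what the certbot key can change to TXT records at the zone apex.

```conf
// Added example, not part of the original post or of any project's docs.
// Placeholders: the key name/secret and the zone file path.

key "acme-update" {
    algorithm hmac-sha256;
    // Placeholder: generate a real secret with `tsig-keygen acme-update`
    secret "REPLACE_WITH_BASE64_SECRET";
};

// The dedicated zone. Only this server is authoritative for it, so a
// dynamic update is visible to every name server of the zone at once and
// there is no registrar AXFR/TTL delay to wait out.
zone "_acme-challenge.penguinpee.nl" IN {
    type primary;                       // "master" on BIND before 9.16
    file "dynamic/_acme-challenge.penguinpee.nl.db";   // placeholder path

    // Relax the owner-name check for this zone only, instead of
    // 'check-names master ignore;' in options{}, which would switch the
    // check off for every primary zone on the server.
    check-names ignore;

    // Least privilege: the certbot key may add/delete TXT records at the
    // zone apex and nothing else (no NS, SOA, A, or other names).
    update-policy {
        grant acme-update name _acme-challenge.penguinpee.nl TXT;
    };
};
```

The zone file behind this needs only an SOA and an NS record naming this server, with a short TTL on the apex so a stale challenge TXT record is not cached for long. After a successful issuance, the dns-rfc2136 plugin removes the TXT record it added; with the policy above, that removal is also the only other thing the key is allowed to do, so a leaked key cannot be used to rewrite the delegation or any host records.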
--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users