EngineerBetter / concourse-up

Deprecated - use Control Tower instead
https://github.com/EngineerBetter/control-tower
Apache License 2.0
203 stars 28 forks

dns resolution on mac is broken while concourse-up is trying to create letsencrypt cert #91

Closed vchrisb closed 5 years ago

vchrisb commented 5 years ago

I'm having a weird situation and not able to locate the root cause. I have a domain domain.com which has NS records configured to forward gcp.domain.com to a google managed zone. The google nameservers for this subdomain are ns-cloud-d1.googledomains.com, ns-cloud-d2.googledomains.com, ns-cloud-d3.googledomains.com, ns-cloud-d4.googledomains.com. The SOA nameserver is ns-cloud-a1.googledomains.com. I'm using ci.gcp.domain.com for concourse-up.

When I'm running concourse-up it successfully creates the dns record in google and adds the TXT record for acme/lego. But it runs into the 10 min timeout with error: time limit exceeded: last error: NS ns-cloud-d3.googledomains.com. returned REFUSED for _acme-challenge.ci.gcp.domain.com

Why is it using ns-cloud-d3.googledomains.com and not the SOA ns-cloud-a1.googledomains.com? ns-cloud-d3.googledomains.com does not respond to normal dns queries for that domain.

The weirdest part is that while concourse-up is trying to validate the TXT record, DNS resolution for the complete domain gcp.domain.com is broken on my mac!! Once concourse-up exits, dns for that domain is working again!

What is lego doing in the background? I was not able to find details on that.

Any idea??
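The REFUSED error in the post comes from the ACME client's DNS-01 pre-check: before asking Let's Encrypt to validate, it looks up the NS RRset of the zone containing the record (the delegation the parent hands out, not the SOA MNAME) and queries each of those servers directly for the `_acme-challenge` TXT. A server that answers REFUSED does not host that zone, which is what a lame delegation looks like. The following pre-flight check is an added example, not code from concourse-up or lego. DNS lookups are abstracted behind a `lookup` callable so the logic runs offline against a constructed zone snapshot modelled on the post (the parent delegates `gcp.domain.com` to the `ns-cloud-d*` servers while the zone is actually served by `ns-cloud-a*`); the challenge token, the server names in the snapshot and the `fixed_lookup` variant are all constructed for illustration.

```python
"""Pre-flight check for an ACME DNS-01 challenge (added example, not part of
concourse-up or lego). Lookups go through an injectable `lookup` callable so the
check can run against a constructed snapshot; plug in a real resolver to use it
against live DNS."""

from typing import Callable, Dict, List, Tuple

# lookup(qname, rtype, server) -> (rcode, rdata). The pseudo-server "recursor"
# means "ask the local recursive resolver"; any other value is the name of an
# authoritative server that is queried directly.
Lookup = Callable[[str, str, str], Tuple[str, List[str]]]


def find_zone(name: str, lookup: Lookup) -> Tuple[str, List[str]]:
    """Walk up from `name` until the recursor returns a non-empty NS RRset.

    That label is the zone apex and the returned servers are the delegated
    nameservers, which is the set an ACME client's pre-check queries. The SOA
    MNAME is not consulted, which explains why ns-cloud-d3 was asked rather
    than the SOA server ns-cloud-a1 in the issue above.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rcode, ns = lookup(candidate, "NS", "recursor")
        if rcode == "NOERROR" and ns:
            return candidate, sorted(ns)
    raise RuntimeError(f"no NS RRset found above {name}")


def check_challenge(fqdn: str, expected_txt: str, lookup: Lookup) -> Dict:
    """Query every delegated nameserver for the challenge TXT and classify each.

    Status per server: "ok" (record present), "missing" (zone hosted there but
    record not propagated yet), or the raw rcode such as "REFUSED" (server does
    not serve this zone at all).
    """
    challenge = "_acme-challenge." + fqdn.rstrip(".") + "."
    zone, delegated = find_zone(fqdn.rstrip(".") + ".", lookup)
    report = {"zone": zone, "delegated_ns": delegated, "per_ns": {}, "ok": True}
    for server in delegated:
        rcode, txt = lookup(challenge, "TXT", server)
        if rcode != "NOERROR":
            status = rcode
        elif expected_txt in txt:
            status = "ok"
        else:
            status = "missing"
        report["per_ns"][server] = status
        if status != "ok":
            report["ok"] = False
    # Every delegated server refusing the zone means the parent's NS records
    # point at servers that do not host it: a lame delegation, which is the
    # misconfiguration the reporter later found in their GCP nameserver setup.
    report["lame_delegation"] = all(s == "REFUSED" for s in report["per_ns"].values())
    return report


# Constructed snapshot of the situation in the post. Token value is made up.
TOKEN = "CONSTRUCTED-TOKEN"
CHALLENGE = "_acme-challenge.ci.gcp.domain.com."
SNAPSHOT: Dict[Tuple[str, str, str], Tuple[str, List[str]]] = {
    # The parent delegates gcp.domain.com to the ns-cloud-d* servers ...
    ("gcp.domain.com.", "NS", "recursor"): ("NOERROR", [f"ns-cloud-d{i}.googledomains.com." for i in "1234"]),
    # ... and ci.gcp.domain.com is not a zone apex (empty NS answer).
    ("ci.gcp.domain.com.", "NS", "recursor"): ("NOERROR", []),
}
for i in "1234":
    # ... but the d* servers do not host the zone, while the a* servers do.
    SNAPSHOT[(CHALLENGE, "TXT", f"ns-cloud-d{i}.googledomains.com.")] = ("REFUSED", [])
    SNAPSHOT[(CHALLENGE, "TXT", f"ns-cloud-a{i}.googledomains.com.")] = ("NOERROR", [TOKEN])


def snapshot_lookup(qname: str, rtype: str, server: str) -> Tuple[str, List[str]]:
    """Offline stand-in for a resolver, answering only from the snapshot."""
    return SNAPSHOT.get((qname, rtype, server), ("NXDOMAIN", []))


def fixed_lookup(qname: str, rtype: str, server: str) -> Tuple[str, List[str]]:
    """Same snapshot after the delegation is corrected to the ns-cloud-a* servers."""
    if (qname, rtype, server) == ("gcp.domain.com.", "NS", "recursor"):
        return ("NOERROR", [f"ns-cloud-a{i}.googledomains.com." for i in "1234"])
    return snapshot_lookup(qname, rtype, server)


if __name__ == "__main__":
    for name, fn in (("broken delegation", snapshot_lookup), ("fixed delegation", fixed_lookup)):
        print(name, check_challenge("ci.gcp.domain.com", TOKEN, fn))
```

Running the block prints one report per snapshot: the broken delegation shows REFUSED from all four `ns-cloud-d*` servers and `lame_delegation: True`, the fixed one shows `ok` from each `ns-cloud-a*` server. To use it against real DNS, replace `snapshot_lookup` with a function that sends the query with dnspython (`dns.message.make_query` plus `dns.query.udp` to the server's address) and returns the response rcode and TXT strings; running that before starting the ACME flow turns a ten-minute timeout into an immediate, per-nameserver diagnosis.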

vchrisb commented 5 years ago

sooo, I screwed up my nameserver configuration in gcp with a different (failed) terraform configuration... :(

DanielJonesEB commented 5 years ago

@vchrisb No worries - thanks for following up! Please let us know if you have any other problems.