JessThrysoee / synology-letsencrypt


DNS lookup vs DNS provider #15

Closed cirrusflyer closed 1 month ago

cirrusflyer commented 5 months ago

It seems the script needs to "find" the DNS to add the temporary text file. This can cause the split DNS issue. Why doesn't the script just reference the DNS provider that you've selected and use that to know where to connect to place the txt file? I think acme.sh works this way. It doesn't care what your internal DNS is. Let me know if this sounds completely wrong though, as I'm not an expert.

JessThrysoee commented 5 months ago

Is the "split DNS issue" referring to #13? Have a look at https://github.com/JessThrysoee/synology-letsencrypt/issues/13#issuecomment-1967600122. It looks like the bunny provider has implemented some workarounds that were needed at some point, but they don't work for delegated sub-domains and don't seem to be needed anymore.

cirrusflyer commented 5 months ago

Sort of - what I'm asking is: does your script - or lego - look at the DNS to determine where to place the txt file for DNS verification, or does it look at the DNS provider in the env file? It seems it looks at DNS, which is why "--dns.resolvers" is needed when you want to force it to look at external DNS.

JessThrysoee commented 4 months ago

If you have a local DNS resolver cache, like dnsmasq, https://github.com/JessThrysoee/synology-letsencrypt/issues/18#issuecomment-1969994845 tries to explain a scenario where --dns.resolvers might be necessary.

The, e.g. bunny, API is used to place the _acme-challenge TXT record in your DNS zone, then lego makes DNS queries to determine when the record is available before it continues. Here is a short description of the DNS-01 challenge, where the following is relevant to your question:

The best DNS APIs provide a way for you to automatically check whether an update is fully propagated. If your DNS provider doesn’t have this, you just have to configure your client to wait long enough (often as much as an hour) to ensure the update is propagated before triggering validation.
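An added illustration of the propagation check described above, written for this thread; it is not code from synology-letsencrypt or lego. It models the step lego performs after the provider API has created the `_acme-challenge` TXT record: poll a set of resolvers until all of them return the expected value, and only then continue to validation. Queries are answered from an in-memory table so the script runs offline; the resolver IPs, the domain `nas.example.net` and the token values are made up. The two failure modes it exercises are the ones from this thread: a LAN resolver with a split-DNS view that never sees the record (so the default wait can never succeed), and a resolver that still caches an old token.

```python
"""Wait for an _acme-challenge TXT record to be visible before validation.

Added illustration for this issue; not code from synology-letsencrypt or lego.
Queries are answered from an in-memory table (FAKE_DNS) so the script runs
offline; resolver IPs, domain and token values are constructed.
"""
import time

# Constructed sample answers, keyed by resolver IP then by record name.
# 203.0.113.53 stands in for the DNS provider's authoritative server and
# 1.1.1.1 for a public recursive resolver: both see the record the provider
# API just added. 192.168.1.1 is a LAN resolver (dnsmasq-style split DNS)
# that serves its own view of the zone and never learns about the record.
# 8.8.8.8 still caches a token left over from an earlier run.
FAKE_DNS = {
    "203.0.113.53": {"_acme-challenge.nas.example.net": ["tok-abc123"]},
    "1.1.1.1": {"_acme-challenge.nas.example.net": ["tok-abc123"]},
    "192.168.1.1": {"nas.example.net": ["v=internal-only"]},
    "8.8.8.8": {"_acme-challenge.nas.example.net": ["tok-old"]},
}


def fake_lookup_txt(name, resolver):
    """Return the TXT strings `resolver` serves for `name` (empty if none)."""
    return FAKE_DNS.get(resolver, {}).get(name, [])


def resolvers_missing_record(name, expected, resolvers, lookup=fake_lookup_txt):
    """Return the resolvers that do not yet serve a TXT record equal to `expected`.

    The value is compared, not just the presence of the name: a stale token
    from a previous run would otherwise count as "propagated".
    """
    return [r for r in resolvers if expected not in lookup(name, r)]


def wait_for_txt(name, expected, resolvers, attempts=12, interval=10.0,
                 lookup=fake_lookup_txt, sleep=time.sleep):
    """Poll until every resolver serves the record, or `attempts` run out.

    Returns (ok, missing): ok is True once all resolvers agree on the value;
    missing lists the resolvers that never returned it.
    """
    missing = list(resolvers)
    for attempt in range(1, attempts + 1):
        missing = resolvers_missing_record(name, expected, resolvers, lookup)
        if not missing:
            return True, []
        if attempt < attempts:
            sleep(interval)
    return False, missing


if __name__ == "__main__":
    NAME = "_acme-challenge.nas.example.net"
    TOKEN = "tok-abc123"
    quick = lambda _seconds: None  # do not really sleep in the demo

    # Equivalent of --dns.resolvers pointing at external servers: succeeds.
    print(wait_for_txt(NAME, TOKEN, ["203.0.113.53", "1.1.1.1"], sleep=quick))
    # Default behaviour on a LAN with split DNS: the local resolver never
    # sees the record, so the wait times out and validation is not triggered.
    print(wait_for_txt(NAME, TOKEN, ["192.168.1.1"], attempts=3, sleep=quick))
    # A resolver holding a cached old token is reported as not propagated.
    print(wait_for_txt(NAME, TOKEN, ["8.8.8.8", "1.1.1.1"], attempts=2, sleep=quick))
```

To use this against real DNS, replace `fake_lookup_txt` with a function that queries one specific server, for example dnspython's `dns.resolver.Resolver()` with `nameservers` set to that IP and `resolve(name, "TXT")`. Querying the zone's authoritative name servers directly is the most reliable target for such a check, because even a public recursive resolver may hold a cached negative answer (NXDOMAIN) for the name until its negative TTL expires.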

JessThrysoee commented 1 month ago

Closing as answered.