cloud-gov / external-domain-broker

Cloud Foundry service broker to manage Cloud Front, ALBs and Let's Encrypt

Improve DNS verification for CNAME check #237

Open apburnes opened 2 years ago

apburnes commented 2 years ago

In order to make the DNS resolver more robust, we want to add additional DNS_VERIFICATION_SERVERS and check other servers if the DNS resolver fails. Certain customer name servers may take longer to propagate across other verification servers and lead to failures when creating the external domain service.

Acceptance Criteria


Security considerations

none
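The fallback described in the issue (query several DNS verification servers, and treat one server failing to answer as propagation lag rather than as a failed check), as an added example that is not code from the external-domain-broker project. It assumes a resolver callback of the form `resolve(server, domain) -> cname target`; a real callback built on dnspython is included but the demo runs against constructed, scripted answers, and the server addresses, domain and CloudFront hostname are placeholders. The design choice worth noting: a server that cannot answer is skipped, but a server that answers with a *different* target is reported as a mismatch, because "any one server agrees" would let a single wrong or poisoned resolver validate a domain.

```python
# Added example, not the broker's own code.  Server addresses, domain name
# and CloudFront target below are constructed placeholders for the demo.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Iterable


class Outcome(Enum):
    VERIFIED = "verified"   # some server returned the expected target, none disagreed
    PENDING = "pending"     # no server could answer (NXDOMAIN, timeout, no CNAME)
    MISMATCH = "mismatch"   # at least one server returned a CNAME pointing elsewhere


class ResolveFailure(Exception):
    """Raised by a resolver callback when a server gives no usable CNAME answer."""


@dataclass
class CnameCheck:
    outcome: Outcome
    # server -> normalized target, or the failure message for that server
    observations: Dict[str, str] = field(default_factory=dict)


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; compare in fully-qualified form."""
    return name.strip().rstrip(".").lower() + "."


def verify_cname(domain: str, expected_target: str, servers: Iterable[str],
                 resolve: Callable[[str, str], str]) -> CnameCheck:
    """Ask every server for the CNAME of `domain` and combine the answers.

    A lookup failure is treated as "record not propagated to this server yet"
    and skipped.  A wrong answer is never skipped: disagreement between
    servers is a hard mismatch, so one bad resolver cannot validate a domain.
    """
    expected = normalize(expected_target)
    observations: Dict[str, str] = {}
    matched = mismatched = False
    for server in servers:
        try:
            target = normalize(resolve(server, domain))
        except ResolveFailure as exc:
            observations[server] = f"error: {exc}"
            continue
        observations[server] = target
        if target == expected:
            matched = True
        else:
            mismatched = True
    if mismatched:
        return CnameCheck(Outcome.MISMATCH, observations)
    if matched:
        return CnameCheck(Outcome.VERIFIED, observations)
    return CnameCheck(Outcome.PENDING, observations)


def dnspython_resolve(server: str, domain: str, timeout: float = 5.0) -> str:
    """Real resolver callback using dnspython; not exercised by the offline demo."""
    import dns.exception
    import dns.resolver
    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [server]
    resolver.lifetime = timeout
    try:
        answer = resolver.resolve(domain, "CNAME")
    except dns.exception.DNSException as exc:
        raise ResolveFailure(f"{server}: {exc.__class__.__name__}") from exc
    return answer[0].target.to_text()


def scripted_resolver(responses: Dict[str, str]) -> Callable[[str, str], str]:
    """Resolver callback backed by constructed per-server answers (demo only)."""
    def resolve(server: str, domain: str) -> str:
        reply = responses.get(server, "timeout")
        if reply in ("NXDOMAIN", "timeout", "NoAnswer"):
            raise ResolveFailure(f"{server}: {reply}")
        return reply
    return resolve


# Constructed scenario: the customer's CNAME has reached only one of three
# verification servers (documentation addresses, placeholder CloudFront host).
SERVERS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
EXPECTED = "d111111abcdef8.cloudfront.net"


def lagging_propagation() -> CnameCheck:
    return verify_cname("www.example.gov", EXPECTED, SERVERS, scripted_resolver({
        "198.51.100.1": "NXDOMAIN",
        "198.51.100.2": "D111111ABCDEF8.cloudfront.net.",  # case differs, still a match
        "198.51.100.3": "timeout",
    }))


def nothing_propagated() -> CnameCheck:
    return verify_cname("www.example.gov", EXPECTED, SERVERS, scripted_resolver({}))


def conflicting_answer() -> CnameCheck:
    return verify_cname("www.example.gov", EXPECTED, SERVERS, scripted_resolver({
        "198.51.100.1": EXPECTED,
        "198.51.100.2": "old-host.example.net.",
    }))


if __name__ == "__main__":
    for check in (lagging_propagation(), nothing_propagated(), conflicting_answer()):
        print(check.outcome.value, check.observations)
```

A caller would retry on `PENDING` with backoff and surface `MISMATCH` to the customer as a configuration error rather than retrying; a stale cached CNAME on one resolver will show up as a mismatch until its TTL expires, which is the conservative failure mode.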

bengerman13 commented 2 years ago

It would be ideal if we could match the logic Let's Encrypt does, but they do that using their own resolution logic.

Short of that, I think adding more servers is likely going to be playing whack-a-mole

apburnes commented 2 years ago

This CNAME mismatch between the verification servers has only happened two or three times for Federalist sites. Does it make sense to leave this open for ~3 months to record if the issue pops up again?

bengerman13 commented 2 years ago

I think it'd make sense to see how hard it would be to use the LE logic first. If it's possible/plausible, use that. If it's not, then maybe track how often this happens.

bengerman13 commented 2 years ago

This is the server Let's Encrypt uses: https://nlnetlabs.nl/projects/unbound/about/

markdboyd commented 2 weeks ago

@apburnes Has this continued to be an issue for Pages? Trying to gauge the value in keeping this ticket open