Open apburnes opened 2 years ago
It would be ideal if we could match the logic Let's Encrypt does, but they do that using their own resolution logic.
Short of that, I think adding more servers is likely going to be playing whack-a-mole.
This CNAME mismatch between the verification servers has only happened two or three times for Federalist sites. Does it make sense to leave this open for ~3 months to record if the issue pops up again?
I think it'd make sense to see how hard it would be to use the LE logic first. If it's possible/plausible, use that. If it's not, then maybe track how often this happens.
This is the server Let's Encrypt uses: https://nlnetlabs.nl/projects/unbound/about/
@apburnes Has this continued to be an issue for Pages? Trying to gauge the value in keeping this ticket open
In order to make the DNS resolver more robust, we want to add additional DNS_VERIFICATION_SERVERS and check other servers if the DNS resolver fails. Certain customer name servers may take longer to propagate across other verification servers and lead to failures when creating the external domain service.
Acceptance Criteria
Security considerations
none