Closed JessThrysoee closed 7 months ago
The split was introduced in #2012 because of #2011
So theoretically, this PR will create a regression.
ping @TECHNOFAB11
To merge this PR I need something that confirms that Bunny has changed their SOA policy/bug. @JessThrysoee do you have some elements?
I took a look at https://github.com/JessThrysoee/synology-letsencrypt/issues/13 and the discussion seems unfinished.
It would be nice if someone would corroborate my tests, but it doesn't seem like the workaround is necessary. Perhaps I'm missing something?
Here is some staging output:
The subtest domain delegated from example.com:
For a pseudo sub-domain b.sub.subtest.example.com:
As you can see the previous behavior was unexpected: https://github.com/go-acme/lego/issues/2011#issuecomment-1704315078
The important information is the response to an SOA call; the authority section is not used.
@ldez I'm not sure I follow. I have delegated subtest to bunny and their SOA answer looks like the following. And I receive certificates.
$ dig subtest.example.com. SOA
; <<>> DiG 9.18.24 <<>> subtest.example.com. SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40666
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (good)
;; QUESTION SECTION:
;subtest.example.com. IN SOA
;; ANSWER SECTION:
subtest.example.com. 491 IN SOA kiki.bunny.net. hostmaster.bunny.net. 2020032201 7200 900 1209600 86400
;; Query time: 39 msec
;; SERVER: 10.0.10.53#53(10.0.10.53) (UDP)
;; WHEN: Thu Feb 29 21:35:54 CET 2024
;; MSG SIZE rcvd: 137
Sorry, I put the wrong link in my previous message (I edited it).
After re-reading, I think the split is useless; I think that the root of the problem was just a bad configuration of the domain.
The splitDomain algorithm assumes the apex domain is of "length" 2 and disregards where the SOA is found. This might have been the only way this provider could work in the past, but at this time it seems bunny responds with a correct SOA-RR.
Virtual (pseudo) sub-domains with A-RRs continue to function.
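To make the difference between the two strategies concrete, here is an added example that is not code from lego or from the Bunny provider. It contrasts a fixed-depth split (the "apex has length 2" assumption described in the comment above, reconstructed from that description rather than copied from the project) with a zone walk that queries upward for the first name answering an SOA. The function names (splitByLength, findZoneBySOA), the injected lookup type and the SOA answer set are all invented for this example; the answer set is constructed to mirror the dig output in the thread, with subtest.example.com. delegated (own SOA) and b.sub.subtest.example.com. a pseudo sub-domain carrying only A records.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// soaLookup reports whether an SOA record exists at fqdn. It is injected so
// the example runs offline; a real provider would issue a DNS SOA query here.
type soaLookup func(fqdn string) bool

// toFQDN normalises a name to trailing-dot form so "example.com" and
// "example.com." compare equal.
func toFQDN(name string) string {
	return strings.TrimSuffix(name, ".") + "."
}

// splitByLength is a fixed-depth split: the last two labels are taken as the
// zone and everything in front of them as the relative record name. It never
// consults DNS, so a delegated third-level zone such as subtest.example.com
// is invisible to it and the record would be aimed at the parent zone.
func splitByLength(fqdn string) (zone, sub string) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	if len(labels) <= 2 {
		return toFQDN(strings.Join(labels, ".")), ""
	}
	zone = toFQDN(strings.Join(labels[len(labels)-2:], "."))
	sub = strings.Join(labels[:len(labels)-2], ".")
	return zone, sub
}

// findZoneBySOA walks from fqdn toward the root and returns the first name
// that answers an SOA query; that name is the zone that actually holds the
// record, whatever its depth. The labels in front of it form the relative
// record name. An error is returned if nothing up to the root answers.
func findZoneBySOA(fqdn string, lookup soaLookup) (zone, sub string, err error) {
	fqdn = toFQDN(fqdn)
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := 0; i < len(labels); i++ {
		candidate := toFQDN(strings.Join(labels[i:], "."))
		if lookup(candidate) {
			return candidate, strings.Join(labels[:i], "."), nil
		}
	}
	return "", "", errors.New("no SOA found between " + fqdn + " and the root")
}

// constructedSOA is a made-up answer set modelled on the thread: the parent
// example.com. has its own SOA, subtest.example.com. is delegated and answers
// with an SOA of its own, and the pseudo sub-domain b.sub.subtest.example.com.
// only carries A records, so it has no SOA entry here.
var constructedSOA = map[string]bool{
	"example.com.":         true,
	"subtest.example.com.": true,
}

// lookupConstructed is the offline stand-in for a DNS SOA query.
func lookupConstructed(fqdn string) bool { return constructedSOA[toFQDN(fqdn)] }

func main() {
	for _, name := range []string{
		"_acme-challenge.subtest.example.com.",
		"_acme-challenge.b.sub.subtest.example.com.",
	} {
		lz, ls := splitByLength(name)
		sz, ss, err := findZoneBySOA(name, lookupConstructed)
		fmt.Printf("%s\n  length-2 split: zone=%s sub=%s\n  SOA walk:       zone=%s sub=%s err=%v\n",
			name, lz, ls, sz, ss, err)
	}
}
```

For the pseudo sub-domain the SOA walk lands on subtest.example.com. with the relative name _acme-challenge.b.sub, which is why such names keep working once the zone is discovered from the SOA rather than from label count; the fixed split instead reports example.com. as the zone.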