go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

NXDOMAIN errors in DNS challenge #95

Closed janeczku closed 8 years ago

janeczku commented 8 years ago

Had to hardcode a 5 sec sleep after creating the TXT record because of frequent errors:

acme: Error 0 - urn:acme:error:connection - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xxxx.xxxx.com

We need to tweak DNS check here a bit: https://github.com/xenolf/lego/blob/master/acme/dns_challenge.go#L70

We should not rely on the SOA record content. This gives us only the master server of the zone - which might not even be part of the NS record that recursive resolvers query to find the nameservers. Boulder uses unbound for that purpose (https://github.com/letsencrypt/boulder/issues/1112#issuecomment-171111436). So the record might well be available at the master server when we query it, but this does not mean that the record has (already) been propagated to the actual nameservers that Boulder's recursive resolver will query. We should therefore look up the NS record and use the nameservers listed therein. Maybe query them all.
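
The pre-check described in this comment, written out as an added Go example (not lego's own code from `acme/dns_challenge.go`, and not the implementation that closed this issue): it walks up the labels of the challenge name until it finds an NS record set, then asks every listed nameserver directly for the `_acme-challenge` TXT record and only reports success when all of them return the expected value, polling until a deadline instead of a fixed sleep. It uses only the Go standard library (`net.Resolver` with a custom `Dial` to target one server); the function names, the `TOKEN-PLACEHOLDER` value and the `example.com` names are placeholders chosen for the example. The lookup functions are passed in so the logic can be exercised offline with fakes.

```go
package main

// Added example: check a DNS-01 TXT record against every authoritative
// nameserver (from the NS record set) rather than only the SOA master.
import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// NSLookup returns the nameservers (host:port) for zone; a not-found DNS
// error means the name has no NS record set.
type NSLookup func(ctx context.Context, zone string) ([]string, error)

// TXTLookup returns the TXT strings for fqdn as answered by one nameserver.
type TXTLookup func(ctx context.Context, nameserver, fqdn string) ([]string, error)

// findAuthoritativeNS walks up the labels of fqdn until a name with an NS
// record set is found and returns that zone with its nameservers.
func findAuthoritativeNS(ctx context.Context, lookupNS NSLookup, fqdn string) (string, []string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := 0; i < len(labels)-1; i++ { // never ask the TLD itself
		zone := strings.Join(labels[i:], ".")
		servers, err := lookupNS(ctx, zone)
		if err == nil && len(servers) > 0 {
			return zone, servers, nil
		}
		var dnsErr *net.DNSError
		if err != nil && !(errors.As(err, &dnsErr) && dnsErr.IsNotFound) {
			return "", nil, fmt.Errorf("NS lookup for %s: %w", zone, err)
		}
	}
	return "", nil, fmt.Errorf("no NS record set found above %s", fqdn)
}

// txtPropagated queries every authoritative server and lists those that do not
// yet return expected. The CA's recursive resolver may pick any of them, so the
// record counts as propagated only when the missing list is empty.
func txtPropagated(ctx context.Context, lookupTXT TXTLookup, servers []string, fqdn, expected string) (bool, []string, error) {
	var missing []string
	for _, ns := range servers {
		values, err := lookupTXT(ctx, ns, fqdn)
		if err != nil {
			var dnsErr *net.DNSError
			if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
				missing = append(missing, ns) // NXDOMAIN/NODATA: not there yet
				continue
			}
			return false, nil, fmt.Errorf("TXT lookup at %s: %w", ns, err)
		}
		found := false
		for _, v := range values {
			if v == expected {
				found = true
			}
		}
		if !found {
			missing = append(missing, ns)
		}
	}
	return len(missing) == 0, missing, nil
}

// waitForPropagation polls txtPropagated every interval until all servers
// answer or ctx expires, replacing a blind fixed-length sleep.
func waitForPropagation(ctx context.Context, lookupTXT TXTLookup, servers []string, fqdn, expected string, interval time.Duration) error {
	for {
		ok, missing, err := txtPropagated(ctx, lookupTXT, servers, fqdn, expected)
		if err != nil {
			return err
		}
		if ok {
			return nil
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("%s still missing at %v: %w", fqdn, missing, ctx.Err())
		case <-time.After(interval):
		}
	}
}

// systemNSLookup fetches the NS record set through the system resolver.
func systemNSLookup(ctx context.Context, zone string) ([]string, error) {
	nss, err := net.DefaultResolver.LookupNS(ctx, zone)
	if err != nil {
		return nil, err
	}
	servers := make([]string, 0, len(nss))
	for _, ns := range nss {
		servers = append(servers, net.JoinHostPort(strings.TrimSuffix(ns.Host, "."), "53"))
	}
	return servers, nil
}

// directTXTLookup points the pure-Go resolver's dialer at one nameserver so the
// answer comes from that server, not from the local recursive cache.
func directTXTLookup(ctx context.Context, nameserver, fqdn string) ([]string, error) {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, nameserver)
		},
	}
	return r.LookupTXT(ctx, fqdn)
}

func main() {
	fqdn, expected := "_acme-challenge.example.com", "TOKEN-PLACEHOLDER" // placeholders
	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
	defer cancel()
	zone, servers, err := findAuthoritativeNS(ctx, systemNSLookup, fqdn)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("zone %s served by %v\n", zone, servers)
	if err := waitForPropagation(ctx, directTXTLookup, servers, fqdn, expected, 2*time.Second); err != nil {
		fmt.Println("not propagated:", err)
		return
	}
	fmt.Println("record visible on all authoritative servers")
}
```

Querying each authoritative server directly is what distinguishes this from a plain `LookupTXT`: the latter goes through whatever recursive resolver the host uses, whose cached negative answer can keep reporting NXDOMAIN for the record's negative TTL even after every authoritative server has it, which is exactly the error in the report above.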

xenolf commented 8 years ago

Yeah I agree that SOA is probably not the best bet here. I will do an implementation using NS records and see if that performs better.

xenolf commented 8 years ago

Closed per #116