starred/acme-dns
1
0
Fork 0
mirror of https://github.com/acme-dns/acme-dns.git synced 2026-04-27 04:45:48 +03:00
Code Issues 178 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #246] Is the listen config parameter supposed to listen to localhost? #122

New issue
Open
opened 2026-03-13 15:50:26 +03:00 by kerem · 6 comments
kerem commented 2026-03-13 15:50:26 +03:00
Owner
Copy link

Originally created by @tal-zvon on GitHub (Oct 29, 2020).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/246

The sample config file says:

listen = "127.0.0.1:53"

Should that not be 0.0.0.0:53? Why does it only need to listen to requests on the local host? Am I missing something?
Or is that just an example, and you're meant to replace 127.0.0.1 with 0.0.0.0?

Originally created by @tal-zvon on GitHub (Oct 29, 2020). Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/246 The sample config file says: listen = "127.0.0.1:53" Should that not be `0.0.0.0:53`? Why does it only need to listen to requests on the local host? Am I missing something? Or is that just an example, and you're meant to replace `127.0.0.1` with `0.0.0.0`?
kerem commented 2026-03-13 15:50:32 +03:00
Author
Owner
Copy link

@HausnerR commented on GitHub (Dec 1, 2020):

IMHO it's a bug in README and example config.

I successfully configured acme-dns making DNS server listening on 0.0.0.0:53 and making API listen only in local subnet.

So only I have access to API to register new endpoints and Let's encrypt can reach DNS server to confirm domain owner.

<!-- gh-comment-id:736477199 --> @HausnerR commented on GitHub (Dec 1, 2020): IMHO it's a bug in README and example config. I successfully configured acme-dns making DNS server listening on `0.0.0.0:53` and making API listen only in local subnet. So only I have access to API to register new endpoints and Let's encrypt can reach DNS server to confirm domain owner.
kerem commented 2026-03-13 15:50:37 +03:00
Author
Owner
Copy link

@tal-zvon commented on GitHub (Dec 1, 2020):

IMHO it's a bug in README and example config.

I successfully configured acme-dns making DNS server listening on 0.0.0.0:53 and making API listen only in local subnet.

So only I have access to API to register new endpoints and Let's encrypt can reach DNS server to confirm domain owner.

That makes sense. The README and example config do not. Sounds like a documentation bug to me (or whatever that would be called).

<!-- gh-comment-id:736754799 --> @tal-zvon commented on GitHub (Dec 1, 2020): > IMHO it's a bug in README and example config. > > I successfully configured acme-dns making DNS server listening on `0.0.0.0:53` and making API listen only in local subnet. > > So only I have access to API to register new endpoints and Let's encrypt can reach DNS server to confirm domain owner. That makes sense. The README and example config do not. Sounds like a documentation bug to me (or whatever that would be called).
kerem commented 2026-03-13 15:50:42 +03:00
Author
Owner
Copy link

@joohoi commented on GitHub (Dec 1, 2020):

It’s actually intentional. On many configurations systemd resolved is
listening at 127.0.1.53:53 which makes acme-dns unable to bind to 0.0.0.0:53

On Tue 1. Dec 2020 at 21.02, terminator14 notifications@github.com wrote:

IMHO it's a bug in README and example config.

I successfully configured acme-dns making DNS server listening on
0.0.0.0:53 and making API listen only in local subnet.

So only I have access to API to register new endpoints and Let's encrypt
can reach DNS server to confirm domain owner.

That makes sense. The README and example config do not. Sounds like a
documentation bug to me (or whatever that would be called).


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/joohoi/acme-dns/issues/246#issuecomment-736754799,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/ABH6DJMQNQ7IHPQ6PDZKBALSSU4WHANCNFSM4TEGS4QA
.

<!-- gh-comment-id:736758498 --> @joohoi commented on GitHub (Dec 1, 2020): It’s actually intentional. On many configurations systemd resolved is listening at 127.0.1.53:53 which makes acme-dns unable to bind to 0.0.0.0:53 On Tue 1. Dec 2020 at 21.02, terminator14 <notifications@github.com> wrote: > IMHO it's a bug in README and example config. > > I successfully configured acme-dns making DNS server listening on > 0.0.0.0:53 and making API listen only in local subnet. > > So only I have access to API to register new endpoints and Let's encrypt > can reach DNS server to confirm domain owner. > > That makes sense. The README and example config do not. Sounds like a > documentation bug to me (or whatever that would be called). > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <https://github.com/joohoi/acme-dns/issues/246#issuecomment-736754799>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/ABH6DJMQNQ7IHPQ6PDZKBALSSU4WHANCNFSM4TEGS4QA> > . >
kerem commented 2026-03-13 15:50:47 +03:00
Author
Owner
Copy link

@tal-zvon commented on GitHub (Dec 1, 2020):

Would not binding to 127.0.0.1:53 (as the documentation suggests) be the equivalent to binding to any other random IP? Just like binding to 1.2.3.4:53, it would technically allow the program to start (since the binding would succeed), but wouldn't allow LetsEncrypt to reach it. As far as I can tell, there's no point in listening to 127.0.0.1:53 since LetsEncrypt requests will never come from localhost, and will never hit that. Am I wrong?

If that's true, you might as well say listen = "w.x.y.z:53", and just have a note to tell people to type in the IP of the interface they want to listen on. At least users would know that's something they need to figure out, rather than type in 127.0.0.1:53 as is and hope it works.

<!-- gh-comment-id:736761235 --> @tal-zvon commented on GitHub (Dec 1, 2020): Would not binding to 127.0.0.1:53 (as the documentation suggests) be the equivalent to binding to any other random IP? Just like binding to 1.2.3.4:53, it would technically allow the program to start (since the binding would succeed), but wouldn't allow LetsEncrypt to reach it. As far as I can tell, there's no point in listening to 127.0.0.1:53 since LetsEncrypt requests will never come from localhost, and will never hit that. Am I wrong? If that's true, you might as well say `listen = "w.x.y.z:53"`, and just have a note to tell people to type in the IP of the interface they want to listen on. At least users would know that's something they need to figure out, rather than type in 127.0.0.1:53 as is and hope it works.
kerem commented 2026-03-13 15:50:52 +03:00
Author
Owner
Copy link

@joohoi commented on GitHub (Dec 1, 2020):

Yeah, you are right. It would probably serve the users better as far as the documentation goes. Do you want to create a PR to fix it or should I do it?

<!-- gh-comment-id:736766642 --> @joohoi commented on GitHub (Dec 1, 2020): Yeah, you are right. It would probably serve the users better as far as the documentation goes. Do you want to create a PR to fix it or should I do it?
kerem commented 2026-03-13 15:50:57 +03:00
Author
Owner
Copy link

@tal-zvon commented on GitHub (Dec 1, 2020):

If you've got the time, go ahead.

Thanks

<!-- gh-comment-id:736773396 --> @tal-zvon commented on GitHub (Dec 1, 2020): If you've got the time, go ahead. Thanks
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
fix_dockerhub
dockerhub
readme2.0
goreleaser_action
refactoring
linter_update_config
update_deps_122
dependabot/go_modules/github.com/valyala/fasthttp-1.34.0
deps_bump
update_goreleaser
update_golint
deps_update
update_dockerfile
v2.0.2
v2.0.1
v2.0
v1.1
v1.0
v0.8
v0.7.2
v0.7.1
v0.7
v0.6
v0.5
v0.4
v0.3.2
v0.3.1
v0.3
v0.2
v0.1
Labels
Clear labels   
Documentation

   
Documentation

   
bug

   
enhancement

   
feature request

   
feature request

   
help wanted

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
security

   
security

   
testing
No labels
Documentation
Documentation
bug
enhancement
feature request
feature request
help wanted
pull-request
question
security
security
testing
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/acme-dns#122
No description provided.