[GH-ISSUE #373] DNS server returns NXDOMAIN when it should not - preventing cache DNS from resolving the challenge #213

Open
opened 2026-03-13 16:10:03 +03:00 by kerem · 2 comments

Originally created by @lbauer13 on GitHub (Feb 19, 2025).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/373

**Usecase** : traefik with DNS challenge, a local ACME (step-ca), acme-dns, and a local DNS resolver.

**Problem** : traefik initially checks for DNS propagation by querying the SOA and CNAME records for the challenge (not the TXT). As acme-dns returns NXDOMAIN, the nonexistence is cached by the local resolver with the default "minimum" value set in the acme-dns zone (86400). Further queries for the same challenge, even with the correct type TXT, fail because of this negative cache, preventing the ACME from issuing the certificate.

**How to reproduce** :

acme-dns config (DNS section) :

```
records = [
    "acme-dns.example.zone. A 10.0.0.1",
    "acme-dns.example.zone. NS acme-dns.example.zone.",
]
```

Configure traefik with an ACME certificate resolver, and a DNS challenge (`ACME_DNS_API_BASE` environment var pointing to the acme-dns server).

Traefik will request a certificate for `myapp.zone` and `*.myapp.zone`, and register a subdomain via the acme-dns API; say `d8659307-a365-4973-855e-13fb1508e4ab`.

Manually create the CNAME with the registered subdomain as its rdata :

```
_acme-challenge.myapp.zone. CNAME d8659307-a365-4973-855e-13fb1508e4ab.acme-dns.example.zone.
```

Restart traefik to tell the ACME to check the challenge.

Traefik will first check DNS propagation by following the CNAME and querying types SOA and CNAME :

```
DEBU[0202] Answering question for domain                 domain=d8659307-a365-4973-855e-13fb1508e4ab.acme-dns.example.zone. qtype=CNAME rcode=**NXDOMAIN**
DEBU[0202] Answering question for domain                 domain=d8659307-a365-4973-855e-13fb1508e4ab.acme-dns.example.zone. qtype=SOA rcode=**NXDOMAIN**
DEBU[0202] Answering question for domain                 domain=d8659307-a365-4973-855e-13fb1508e4ab.acme-dns.example.zone. qtype=TXT rcode=NOERROR
```

Because of the NXDOMAIN response code, the resolver will then cache the whole domain as nonexistent with a TTL value of 86400.

Any further request to the resolver, even type=TXT, will fail with the same NXDOMAIN.

**Expected behaviour** :

As per RFC 2308 section 5, these answers should be NODATA, that is NOERROR with an empty response (except for the existing TXT), as the name exists with another type. This would prevent a resolver from caching the domain as nonexistent :

```
DEBU[0202] Answering question for domain                 domain=d8659307-a365-4973-855e-13fb1508e4ab.acme-dns.example.zone. qtype=CNAME rcode=**NOERROR**
DEBU[0202] Answering question for domain                 domain=d8659307-a365-4973-855e-13fb1508e4ab.acme-dns.example.zone. qtype=SOA rcode=**NOERROR**
DEBU[0202] Answering question for domain                 domain=d8659307-a365-4973-855e-13fb1508e4ab.acme-dns.example.zone. qtype=TXT rcode=NOERROR
```

Should the query target a nonexisting domain, acme-dns would still return a NXDOMAIN :

```
DEBU[0202] Answering question for domain                 domain=nonexisting-label.acme-dns.example.zone. qtype=CNAME rcode=NXDOMAIN
DEBU[0202] Answering question for domain                 domain=nonexisting-label.acme-dns.example.zone. qtype=SOA rcode=NXDOMAIN
DEBU[0202] Answering question for domain                 domain=nonexisting-label.acme-dns.example.zone. qtype=TXT rcode=NXDOMAIN
```
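As an added illustration (not code from acme-dns or from the reporter's PR), a small Go model of the two server behaviours described in the report and of a resolver's negative cache: `Answer` with `rfc2308=false` reproduces the reported NXDOMAIN-for-missing-type answer, with `rfc2308=true` the RFC 2308 NODATA answer, and `Resolver` shows why only the first one breaks the later TXT lookup. The zone contents and the challenge token are constructed from the names used above.

```go
package main

import "fmt"

// Constructed zone mirroring the report: the apex has A and NS
// records, the registered challenge label has only a TXT record.
var zone = map[string]map[string][]string{
	"acme-dns.example.zone.": {"A": {"10.0.0.1"}, "NS": {"acme-dns.example.zone."}},
	"d8659307-a365-4973-855e-13fb1508e4ab.acme-dns.example.zone.": {"TXT": {"constructed-token"}},
}

// Answer returns rcode and answer section. rfc2308=false models the reported
// behaviour (NXDOMAIN whenever the exact type is missing); rfc2308=true gives
// NXDOMAIN only for unknown names and NODATA (NOERROR, empty answer) otherwise.
func Answer(name, qtype string, rfc2308 bool) (string, []string) {
	types, exists := zone[name]
	rrs := types[qtype] // indexing a nil map just yields nil
	if !exists || (len(rrs) == 0 && !rfc2308) {
		return "NXDOMAIN", nil
	}
	return "NOERROR", rrs // nil slice when the type is absent: NODATA
}

// Resolver is a minimal caching resolver: per RFC 2308 section 5 an NXDOMAIN
// is cached for the whole name, so every later type is answered from cache.
type Resolver struct {
	rfc2308 bool
	nx      map[string]bool // negative cache keyed by name
}

func NewResolver(rfc2308 bool) *Resolver { return &Resolver{rfc2308, map[string]bool{}} }

// Resolve returns the rcode the client sees, consulting the negative cache first.
func (r *Resolver) Resolve(name, qtype string) string {
	if r.nx[name] {
		return "NXDOMAIN"
	}
	rcode, _ := Answer(name, qtype, r.rfc2308)
	if rcode == "NXDOMAIN" {
		r.nx[name] = true
	}
	return rcode
}

func main() {
	label := "d8659307-a365-4973-855e-13fb1508e4ab.acme-dns.example.zone."
	for _, fixed := range []bool{false, true} {
		r := NewResolver(fixed)
		for _, qt := range []string{"CNAME", "SOA", "TXT"} { // traefik's query order
			fmt.Printf("rfc2308=%-5v qtype=%-5s rcode=%s\n", fixed, qt, r.Resolve(label, qt))
		}
	}
}
```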

@lbauer13 commented on GitHub (Feb 19, 2025):

I made a PR here :
https://github.com/joohoi/acme-dns/pull/374

I will try to add tests later. Meanwhile, please feel free to comment, as I am new to golang.


@lbauer13 commented on GitHub (Mar 7, 2025):

Duplicates https://github.com/joohoi/acme-dns/issues/257
