[GH-ISSUE #390] Certificate issue #221

Open
opened 2026-03-13 16:11:27 +03:00 by kerem · 1 comment

Originally created by @hjrhnd on GitHub (Aug 6, 2025).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/390

Hello dear joohoi,
Thanks for your great project. Last week I set up this project on Docker, and everything ran correctly and a certificate was produced.
But now it does not work.
$ dig -t txt @auth.example.org d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.example.org works correctly
$ dig _acme-challenge.mydomain.com CNAME works correctly
but
$ dig _acme-challenge.mydomain.com TXT returns a TXT from the primary DNS, not from acme-dns.
Could you please help me?

Best regards


@filimonic commented on GitHub (Jan 12, 2026):

This is totally correct, and you have a misconfiguration in your DNS data.

You **SHOULD NOT** have both `CNAME` and `TXT` (*or any other*) records on the same server for the same FQDN.
If you have a `CNAME`, no other records **SHOULD** exist with the same FQDN.

> RFC 1034:
> If a CNAME RR is present at a node, no other data should be
> present; this ensures that the data for a canonical name and its aliases
> cannot be different.

For example, Windows Server DNS forbids creating new records of any type if a record with the requested name already exists as a `CNAME`.

**BUT** if you, *despite the prohibition of such a configuration*, have both a `CNAME` and any other record with the same name on the same DNS server for some reason, then the server SHOULD serve the non-CNAME record first, and if it is not found, it should serve data using the CNAME. *And exactly this is happening in your case.*

> RFC 1034:
> CNAME RRs cause special action in DNS software. When a name server
> fails to find a desired RR in the resource set associated with the
> domain name, it checks to see if the resource set consists of a CNAME
> record with a matching class. If so, the name server includes the CNAME
> record in the response and restarts the query at the domain name
> specified in the data field of the CNAME record.

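As an added example (not part of this issue, and not acme-dns code), the following Python models the lookup behaviour the comment describes on constructed zone data: it flags any name that holds a `CNAME` alongside other records, and it answers a `TXT` query from the node's own data first, following the `CNAME` only when the requested type is absent at that node. The zone lines, token values, the `192.0.2.10` address and the acme-dns subdomain are all constructed placeholders. Real authoritative servers differ in how they treat such a zone (BIND, for instance, refuses to load it with a "CNAME and other data" error), so the model is of the reported symptom, not of any particular server.

```python
# Added example: a checker for the RFC 1034 CNAME rule discussed in the comment above.
# Not part of acme-dns; all records below are constructed for illustration.
from collections import defaultdict

# Constructed sample zone data: the primary zone for mydomain.com with the
# misconfiguration from the issue (a CNAME *and* a stale TXT at _acme-challenge),
# plus the acme-dns name the CNAME points at, which holds the fresh token.
ZONE_LINES = """
_acme-challenge.mydomain.com. 300 IN CNAME d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.example.org.
_acme-challenge.mydomain.com. 300 IN TXT "stale-token-from-last-week"
d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.example.org. 1 IN TXT "fresh-token-from-acme-dns"
www.mydomain.com. 300 IN CNAME mydomain.com.
mydomain.com. 300 IN A 192.0.2.10
"""


def parse_zone(text):
    """Parse 'name ttl class type rdata' lines into {owner: {rtype: [rdata, ...]}}."""
    records = defaultdict(lambda: defaultdict(list))
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records[name.lower()][rtype.upper()].append(rdata.strip('"'))
    return records


def cname_conflicts(records):
    """Owner names that violate RFC 1034 section 3.6.2: a CNAME plus any other RR type."""
    return sorted(name for name, by_type in records.items()
                  if "CNAME" in by_type and len(by_type) > 1)


def resolve(records, name, rtype, max_hops=8):
    """Resolve as the quoted RFC text describes: answer from the node's own data if
    the requested type is present there; otherwise, if the node has a CNAME,
    restart the query at its target. Returns (answers, list of (alias, target) hops)."""
    chain = []
    name = name.lower()
    for _ in range(max_hops):
        by_type = records.get(name, {})
        if rtype in by_type:
            return list(by_type[rtype]), chain
        if "CNAME" in by_type:
            target = by_type["CNAME"][0].lower()
            chain.append((name, target))
            name = target
            continue
        return [], chain
    raise RuntimeError("CNAME chain too long or looping")


if __name__ == "__main__":
    zone = parse_zone(ZONE_LINES)
    # The misconfigured name is reported, and the stale local TXT wins over the CNAME.
    print("conflicts:", cname_conflicts(zone))
    print("before fix:", resolve(zone, "_acme-challenge.mydomain.com.", "TXT"))
    # Deleting the stale TXT at the primary lets the query follow the CNAME into acme-dns.
    del zone["_acme-challenge.mydomain.com."]["TXT"]
    print("after fix: ", resolve(zone, "_acme-challenge.mydomain.com.", "TXT"))
```

To check a live zone rather than a file, ask the primary's authoritative server for both types directly (`dig @<primary-ns> _acme-challenge.mydomain.com CNAME +norecurse` and the same for `TXT`); if the `TXT` answer comes back without a `CNAME` in the answer section, the record is being served from the primary itself, which is the situation the comment describes.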