[GH-ISSUE #200] Issues if acme-dns is configured as forwarder in main dns #89

Closed
opened 2026-03-13 15:44:41 +03:00 by kerem · 4 comments

Originally created by @oregano87 on GitHub (Dec 10, 2019).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/200

I'm not sure if I use the acme-dns application correctly. Maybe somebody can help me.

My environment:

  • DNS server with bind9
  • Another server with acme-dns
  • some webservers and a self-hosted ca (not using letsencrypt!)

In my bind configuration the acme-dns is configured as a forwarder.

```
forwarders {
     192.168.0.101; // this is acme-dns
     8.8.8.8;
};
```

Without the acme-dns forwarder entry my DNS server is working fine. As soon as I add it to this list, I won't get any information about records from 8.8.8.8 anymore; only local records and acme-dns are working fine. acme-dns is answering for every domain and not only for the domain configured in the config file.

My config file (excerpt):

```toml
[general]
listen = "0.0.0.0:53"
protocol = "both"
domain = "ns1.acme-dns.test"
nsname = "ns1.acme-dns.test"
nsadmin = "admin.example.org"
records = [
    "ns1.acme-dns.test. A 10.9.6.42",
    "ns1.acme-dns.test. NS ns1.acme-dns.test.",
]
...
```

My log:

```
INFO[0000] Using config file                             file=/etc/acme-dns/config.cfg
INFO[0000] Connected to database
DEBU[0000] Adding new record to domain                   domain=ns1.acme-dns.test. recordtype=A
DEBU[0000] Adding new record to domain                   domain=ns1.acme-dns.test. recordtype=NS
DEBU[0000] Adding new record to domain                   domain=ns1.acme-dns.test. recordtype=SOA
INFO[0000] Listening HTTP                                host="0.0.0.0:80"
INFO[0000] Listening DNS                                 addr="0.0.0.0:53" proto=udp
INFO[0000] Listening DNS                                 addr="0.0.0.0:53" proto=tcp
INFO[0000] 2019/12/10 13:52:07 [INFO][cache:0xc0000964b0] Started certificate maintenance routine
DEBU[0190] Answering question for domain                 domain=www.google.com. qtype=A rcode=NXDOMAIN
```

The last line in the log was added due to this command on my client:

```
$ dig www.google.com

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19882
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0bf4f829e9205c24b4f08ba95def95259af6a778dccb78e6 (good)
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 10 13:52:53 CET 2019
;; MSG SIZE  rcvd: 71
```

You can see that I will not get any information about google.com.

My question:
Is my way of setting up the environment wrong, or is there a bug in the acme-dns application (ignoring the domain variable in the config file)? If it is wrong, how would you recommend setting up this environment?

kerem closed this issue 2026-03-13 15:44:46 +03:00

@joohoi commented on GitHub (Dec 10, 2019):

Hi!
I think the issue here is that `forwarders` in BIND configuration are supposed to be recursive resolvers, and `acme-dns` doesn't support recursion.


@oregano87 commented on GitHub (Dec 10, 2019):

Thank you for your quick answer.
How would you recommend configuring BIND so that I don't have to add this DNS server to every client?


@joohoi commented on GitHub (Dec 10, 2019):

Hmm, there's no need to add acme-dns to the clients in any way. It's enough that the CA is able to find and access the acme-dns instance. This is done by delegation using NS records from the main zone.

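As an added illustration of the delegation joohoi describes (example configuration, not from the original thread or the acme-dns project): the acme-dns host is dropped from BIND's `forwarders` (leaving only 8.8.8.8, a real recursive resolver), and the name acme-dns serves as its `domain` (`ns1.acme-dns.test` from the question) is instead delegated from a parent zone with an NS record plus a glue A record. The parent zone name `acme-dns.test`, the BIND server's own name `ns` and address `192.168.0.100`, the web server zone `example.org`, and the `<subdomain-uuid>` placeholder are assumptions; the glue address 10.9.6.42 is the one acme-dns publishes for itself in its `records` setting.

```zone
; /etc/bind/db.acme-dns.test  (assumed parent zone, served by BIND itself)
$TTL 300
$ORIGIN acme-dns.test.
@    IN SOA  ns.acme-dns.test. admin.example.org. (
                2019121001 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
@    IN NS   ns.acme-dns.test.
ns   IN A    192.168.0.100        ; assumed address of this BIND server

; Delegation: everything at or below ns1.acme-dns.test is referred to the
; acme-dns host. BIND, being recursive, follows the referral for its clients,
; so clients never need acme-dns configured directly. Names outside this
; subtree never reach acme-dns, which is why the NXDOMAIN for www.google.com
; from the question disappears.
ns1  IN NS   ns1.acme-dns.test.
ns1  IN A    10.9.6.42            ; glue: same A record acme-dns serves for itself

; /etc/bind/db.example.org  (assumed web server zone): only the validation
; name points at acme-dns, via the subdomain acme-dns assigned at registration.
$ORIGIN example.org.
_acme-challenge.www  IN CNAME  <subdomain-uuid>.ns1.acme-dns.test.
```

After reloading BIND, `dig @192.168.0.100 _acme-challenge.www.example.org TXT` should return the CNAME followed by whatever TXT acme-dns currently holds, while `dig @192.168.0.100 www.google.com` resolves normally through 8.8.8.8 again.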

@oregano87 commented on GitHub (Dec 10, 2019):

Thanks, "Delegation" was the cue I needed. Now it works fine.
