[GH-ISSUE #211] clarification questions #95

Closed
opened 2026-03-13 15:45:54 +03:00 by kerem · 5 comments

Originally created by @dresske on GitHub (Feb 27, 2020).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/211

Hi,
I'm interested a lot in testing this project. My primary DNS provider doesn't support API calls. That's why I want to use this approach for LE certificates. Before getting started some short questions from my side:

  • why does the primary NS delegate record have to 'point to itself'? In the past it was handled for me a little bit more intuitively:
    old version `auth.example.com NS ns1.auth.example.com`
    current version `auth.example.org NS auth.example.com`
    Was there any change? I have to ask the primary DNS admins to create the NS record. Want to be sure in the first place.
    https://github.com/joohoi/acme-dns/issues/97
    https://github.com/gridworkz/kubernetes/wiki/Acme-DNS-Server
    https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns

  • does the guy in the link above explain the technique really correctly? (chapter Background and Theory)

    > You'll add a CNAME record for _acme-challenge.example.com, pointing to the random hostname.

    From my point of view everything should be modified under auth.example.com and not the level above or is this a misunderstanding? Because the level above has no API support.

Maybe the most general question:

  • using this will only allow to create/renew certificates for a.auth.example.org, b.auth.example.org or wildcard *.auth.example.org because auth.example.org is the DNS level which is under control of the automated DNS server and not a.example.org or *.example.org

Thanks in advance for hints and comments :-)
kerem closed this issue 2026-03-13 15:45:59 +03:00

@webprofusion-chrisc commented on GitHub (Feb 27, 2020):

Hi, the DNS server configuration for the acme-dns server just affects your acme-dns server's own domain (e.g. auth.domain.com coming via domain.com).

Your acme-dns service itself can be used to validate any domain. The CNAME you are asked to create in _acme-challenge.anydomain.com in turn redirects to blah12346.auth.domain.com which then responds with the correct TXT value required for your current validation.


@dresske commented on GitHub (Feb 28, 2020):

Hi Chris,
thanks for your quick reply! And this cname to the generated subdomain (blah12346.auth.domain.com) is constant/stable for all renewals, right?

The only question left is this point with the "shortened" NS delegate record I have to set in my primary DNS to give acme-dns control over its subdomain:
auth.example.com NS ns1.auth.example.com
ns1.auth.example.com A $EXTERNAL_IP
versus
auth.example.com NS auth.example.com
auth.example.com A $EXTERNAL_IP
Is there any advantage or downside doing one or the other?
Many thanks in advance!


@webprofusion-chrisc commented on GitHub (Feb 28, 2020):

I think the naming convention (ns1.) is just that and technically it still works but it implies the different roles. One is the API server for ACME and the other is the DNS server but really they're the same software just doing different jobs on different ports.

Yes the CNAME value stays stable, you'd only need to change it if your acme server lost its database (which holds those names and corresponding TXT response values), or if your acme server domain changed.


@dresske commented on GitHub (Feb 28, 2020):

Thanks Chris!
...I had a typo in my question above. I will try to set up the short version like it is described in the current readme:
adns.mydomain.tld NS adns.mydomain.tld
adns.mydomain.tld A $EXTERNAL_IP


@AvverbioPronome commented on GitHub (Mar 20, 2020):

I suppose the proper short way is to add, in the example.com. zone, something like this:

auth 3600 IN A 192.0.2.53
auth 3600 IN NS auth

The A record there is known as a "glue record" -- it's not supposed to be there, but it's necessary to reach the authoritative nameserver for zone auth.example.com.

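Added here as an illustration, not code from the thread or the acme-dns project: a small Python model of the chain Chris describes (a CNAME from any domain's _acme-challenge name into the acme-dns zone, answered there by a TXT record) and of the glue record AvverbioPronome mentions. The zone contents, the anydomain.com/xyz789 names and the TXT values are constructed; 192.0.2.53 is the address used in the comment above.

```python
# Added example (not acme-dns code): in-memory resolver walk over constructed zone
# data modelling the thread's delegation and CNAME chain. example.com is the zone
# the author cannot automate; it delegates auth.example.com to a name INSIDE that
# child zone (hence the A glue record) and CNAMEs its own challenge name into it.
EXAMPLE_COM = {
    "auth.example.com": [("NS", "auth.example.com"), ("A", "192.0.2.53")],
    "_acme-challenge.example.com": [("CNAME", "blah12346.auth.example.com")],
}
# An unrelated domain that also points its challenge name at the same acme-dns.
ANYDOMAIN_COM = {"_acme-challenge.anydomain.com": [("CNAME", "xyz789.auth.example.com")]}
# Zone served by acme-dns itself; the TXT values are constructed placeholders.
AUTH_EXAMPLE_COM = {
    "blah12346.auth.example.com": [("TXT", "constructed-token-for-example-com")],
    "xyz789.auth.example.com": [("TXT", "constructed-token-for-anydomain-com")],
}
ZONES = {"example.com": EXAMPLE_COM, "anydomain.com": ANYDOMAIN_COM,
         "auth.example.com": AUTH_EXAMPLE_COM}
def zone_for(name, zones):
    """Most specific zone origin that contains name, or None."""
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None
def resolve(name, rtype, zones=ZONES, depth=0):
    """Check the delegation into name's zone is reachable, then follow CNAMEs."""
    if depth > 8:
        raise LookupError("CNAME chain too long")
    origin = zone_for(name, zones)
    if origin is None:
        raise LookupError(f"no zone holds {name}")
    parent = zone_for(origin.partition(".")[2], zones)
    if parent is not None:  # child zone: its NS and glue records live in the parent
        cut = zones[parent].get(origin, [])
        ns = next((v for t, v in cut if t == "NS"), None)
        if ns is None:
            raise LookupError(f"{parent} does not delegate {origin}")
        # An NS named inside the zone it serves is only reachable via parent glue.
        if zone_for(ns, zones) == origin and not any(t == "A" for t, _ in cut):
            raise LookupError(f"delegation of {origin} lacks glue for {ns}")
    rrs = zones[origin].get(name, [])
    cnames = [v for t, v in rrs if t == "CNAME"]
    if cnames and rtype != "CNAME":
        return resolve(cnames[0], rtype, zones, depth + 1)
    return [v for t, v in rrs if t == rtype]

def delegation_without_glue():
    """Same data minus the glue A record: the challenge name becomes unresolvable."""
    zones = {**ZONES, "example.com": {**EXAMPLE_COM, "auth.example.com": [("NS", "auth.example.com")]}}
    try:
        return resolve("_acme-challenge.example.com", "TXT", zones)
    except LookupError as exc:
        return str(exc)
```

Both NS naming conventions from the thread (auth.example.com or ns1.auth.example.com) pass the glue check the same way, since either name lies inside the delegated zone.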