starred/certera
1
0
Fork 0
mirror of https://github.com/certera-io/certera.git synced 2026-04-25 11:15:55 +03:00
Code Issues 16 Projects Releases Packages Wiki Activity

[GH-ISSUE #14] DNS Root Queries #15

New issue
Closed
opened 2026-02-25 21:30:49 +03:00 by kerem · 4 comments
kerem commented 2026-02-25 21:30:49 +03:00
Owner
Copy link

Originally created by @blastagator on GitHub (Oct 20, 2020).
Original GitHub issue: https://github.com/certera-io/certera/issues/14

Is there a reason the server is configured to require direct query of root servers for DNS validation? I edited the config file to only have my router IP address but validation still fails (status shows it is trying to query a root). I have my network configured to block all unencrypted DNS unless it is to my router which queries cloudflare through an encrypted connection.

I can make a firewall exception for the VM Certera is running on but would rather avoid it if possible. Thanks!

Originally created by @blastagator on GitHub (Oct 20, 2020). Original GitHub issue: https://github.com/certera-io/certera/issues/14 Is there a reason the server is configured to require direct query of root servers for DNS validation? I edited the config file to only have my router IP address but validation still fails (status shows it is trying to query a root). I have my network configured to block all unencrypted DNS unless it is to my router which queries cloudflare through an encrypted connection. I can make a firewall exception for the VM Certera is running on but would rather avoid it if possible. Thanks!
kerem closed this issue 2026-02-25 21:30:49 +03:00
kerem commented 2026-02-25 21:30:49 +03:00
Author
Owner
Copy link

@certeraio commented on GitHub (Oct 20, 2020):

The reason is because it increases the consistency of validation. If after setting the DNS entry and telling Let's Encrypt to validate it, it may fail if DNS hasn't sufficiently propagated. If other sources confirm the DNS entry exists, we can be more certain that the validation from LE will succeed. Should be easy to have a flag/config to disable this altogether. You may run across more failed DNS validation attempts, but I suppose that's up to you, right? (not trying to be pedantic, just realistic/honest).

<!-- gh-comment-id:713171297 --> @certeraio commented on GitHub (Oct 20, 2020): The reason is because it increases the consistency of validation. If after setting the DNS entry and telling Let's Encrypt to validate it, it may fail if DNS hasn't sufficiently propagated. If other sources confirm the DNS entry exists, we can be more certain that the validation from LE will succeed. Should be easy to have a flag/config to disable this altogether. You may run across more failed DNS validation attempts, but I suppose that's up to you, right? (not trying to be pedantic, just realistic/honest).
kerem commented 2026-02-25 21:30:49 +03:00
Author
Owner
Copy link

@blastagator commented on GitHub (Oct 20, 2020):

Ah. Is it setup to require multiple validations or does it move on to root if the initial query to the defined DNS fails? I was considering re-enabling my NAT rule that forces port 53 to my router to see if that works as a workaround.

Also, two thumbs up for making this. I'm still working through setup but this seems to do what I want. I'm trying to migrate a bunch of local resources to LE certs instead of a manually run private CA.

<!-- gh-comment-id:713172813 --> @blastagator commented on GitHub (Oct 20, 2020): Ah. Is it setup to require multiple validations or does it move on to root if the initial query to the defined DNS fails? I was considering re-enabling my NAT rule that forces port 53 to my router to see if that works as a workaround. Also, two thumbs up for making this. I'm still working through setup but this seems to do what I want. I'm trying to migrate a bunch of local resources to LE certs instead of a manually run private CA.
kerem commented 2026-02-25 21:30:49 +03:00
Author
Owner
Copy link

@certeraio commented on GitHub (Oct 20, 2020):

The DNS servers Certera uses are configured here in case you wish to change it: https://github.com/certera-io/certera/blob/master/src/Certera.Web/config.json#L16

If you remove the entire entry, I believe those same values are used by default in the code. I think you may be able to set it as "IPs": [] to truly skip the extra DNS validation step (though it may still have a delay in total time, which may help in allowing LE to have sufficient time for propagation).

The only validation that matters is LE's. The DNS servers in the config are there for increased "confidence" before telling LE to validate. If the first of the custom DNS checks passes, it goes on to tell LE to validate. It doesn't wait until all DNS servers have been checked.

I'm glad you've found it useful. I never did like having the obtain & apply cert as a single step like other LE clients do. I believe this makes LE much more useful for a wider range of things. I hope to find time one day to truly make Certera what it should be: a certificate exchange hub. That'd solve a lot of pain/challenges with certs when dealing with 3rd parties.

<!-- gh-comment-id:713180711 --> @certeraio commented on GitHub (Oct 20, 2020): The DNS servers Certera uses are configured here in case you wish to change it: https://github.com/certera-io/certera/blob/master/src/Certera.Web/config.json#L16 If you remove the entire entry, I believe those same values are used by default in the code. I think you may be able to set it as `"IPs": []` to truly skip the extra DNS validation step (though it may still have a delay in total time, which may help in allowing LE to have sufficient time for propagation). The only validation that matters is LE's. The DNS servers in the config are there for increased "confidence" before telling LE to validate. If the first of the custom DNS checks passes, it goes on to tell LE to validate. It doesn't wait until all DNS servers have been checked. I'm glad you've found it useful. I never did like having the obtain & apply cert as a single step like other LE clients do. I believe this makes LE much more useful for a wider range of things. I hope to find time one day to truly make Certera what it should be: a certificate exchange hub. That'd solve a lot of pain/challenges with certs when dealing with 3rd parties.
kerem commented 2026-02-25 21:30:49 +03:00
Author
Owner
Copy link

@blastagator commented on GitHub (Oct 20, 2020):

I adjusted https://github.com/certera-io/certera/blob/master/src/Certera.Web/config.json#L16 but it looks like I had a typo. I fixed the typo and everything seems to be working now as expected. How embarrassing!

Apologies for the issue, I hope the closed thread helps someone else who stumbles into the same silly mistake.

<!-- gh-comment-id:713183405 --> @blastagator commented on GitHub (Oct 20, 2020): I adjusted https://github.com/certera-io/certera/blob/master/src/Certera.Web/config.json#L16 but it looks like I had a typo. I fixed the typo and everything seems to be working now as expected. How embarrassing! Apologies for the issue, I hope the closed thread helps someone else who stumbles into the same silly mistake.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
dependabot/nuget/src/Certera.Core/MailKit-4.16.0
fix-env-vars
2.2.0-beta
2.1.5
2.1.4
2.1.3
2.1.1-beta
2.1.0-beta
2.0.2-beta
2.0.1-beta
2.0.0-beta
1.5.0
1.2.0
1.1.0-beta
1.0.0-beta
Labels
Clear labels   
bug

   
feature-request

   
feature-request

   
pull-request

Mirrored from GitHub Pull Request

No labels
bug
feature-request
feature-request
pull-request
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/certera#15
No description provided.