How to turn off boulder's fake DNS feature

# Use consul as a backup to Docker's embedded DNS server. If there's a name
# Docker's DNS server doesn't know about, it will forward the query to this
# IP (running consul).
# (https://docs.docker.com/config/containers/container-networking/#dns-services).
# This is used to look up service names via A records (like ra.service.consul) that
# are configured via the ServerAddress field of cmd.GRPCClientConfig.
# TODO: Remove this when ServerAddress is deprecated in favor of SRV records
# and DNSAuthority.
dns: 10.55.55.10 <--- I changed this to 1.1.1.1 and then it would no longer start
5 Likes

Boulder is a little complicated: It uses DNS in two different ways.

Boulder has multiple components, and it uses DNS to locate the other components "locally".

For example, in configurations, you'll see entries like:

		"saService": {
			"serverAddress": "sa.service.consul:9095",

It will look up sa.service.consul in the DNS address specified in the resolver. You probably do not want to set that to 1.1.1.1 unless all hostnames in configurations are public.

The second way boulder uses DNS is for DNS-01 challenges, looking up external resources. It does this indirectly, by first doing a DNS lookup to find the DNS servers to use for external releases, using the internal DNS server. This is designed to allow different internal and external DNS servers. While posting this, orangepizza has linked a discussion above about how to configure the external DNS servers.

6 Likes
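Added example, not part of the original thread or Boulder's own code: a small check that walks a Boulder-style JSON config, collects every `serverAddress`, and lists the hosts that only the internal resolver can answer, which is why pointing `dns:` at a public resolver breaks startup. The sample config, the `raService` port, `exampleService`, and the rule that `.consul` names are internal-only are assumptions made for illustration.

```python
import json

# Constructed sample: only "saService", "serverAddress" and the two
# *.service.consul names appear in the thread; the rest is hypothetical.
SAMPLE_CONFIG = """
{"wfe": {
  "saService": {"serverAddress": "sa.service.consul:9095"},
  "raService": {"serverAddress": "ra.service.consul:9094"},
  "exampleService": {"serverAddress": "api.example.com:443"}
}}
"""
# Assumption: names under these suffixes exist only on the internal resolver.
INTERNAL_SUFFIXES = (".consul",)

def find_server_addresses(node, path=""):
    """Yield (json_path, value) for every "serverAddress" key at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "serverAddress" and isinstance(value, str):
                yield child, value
            else:
                yield from find_server_addresses(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_server_addresses(item, f"{path}[{i}]")

def split_host(address):
    """Return the host part of "host:port", including bracketed IPv6."""
    if address.startswith("["):
        return address[1:address.index("]")]
    host, _, _ = address.rpartition(":")
    return host or address

def internal_only(config_text):
    """List (json_path, host) pairs that a public resolver cannot answer."""
    hits = []
    for path, address in find_server_addresses(json.loads(config_text)):
        host = split_host(address).rstrip(".").lower()
        if host.endswith(INTERNAL_SUFFIXES):
            hits.append((path, host))
    return sorted(hits)

if __name__ == "__main__":
    for path, host in internal_only(SAMPLE_CONFIG):
        print(f"{path}: {host} needs the internal resolver")
```
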

So how exactly should I go about this?

What is your goal with Boulder?

We can provide more advice based on what you're trying to do.

Do you intend to run a public Certificate Authority?
Do you intend to use boulder for testing ACME clients?

5 Likes

to run a public and private Certificate Authority

If you intend to run a public CA (compliant with browser root programs), the preferred deployment is to have your own recursive DNS servers which handle doing lookups.

The configuration for how to locate those DNS resolvers is about to change. The change has the most details about how the configuration will work:

Note that if you intend to deploy boulder, you should read all changes in each weekly release and deploy them promptly. In general we don't provide "stable" releases, and assume all users are deploying weekly.

7 Likes

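I don't think I really know how to do this, but I'll take some time to digest it.

Then is there a way to just turn off all validation?
That is, so that it simply issues the certificate directly.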

No. That is not supported.

4 Likes

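The tutorial you provided above is hard for me to understand.
Could you explain it in detail? How exactly is it done, and what is the principle behind it?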
