I have a rather curious problem. I've been running the following for quite a while now: Bind9 with a zone like:

```
...
$ORIGIN upperpaste.com.
*        CNAME  dd.home
dd.home  A      184.108.40.206
...
```
On my kubernetes cluster I installed cert-manager using rfc2136 with above bind/zone, for at least one subdomain like, objects.upperpaste.com. Note, I rely on the dns wildcard above to resolve objects.upperpaste.com
Suddenly most of my subdomains were not working anymore. Investigation showed that, due to an unrelated problem, all `_acme-challenge` records were in my zone file and were not removed. However, because there were now resource records like

```
_acme-challenge.objects.corp.worldstream.com TXT ...
```

my dns wildcard no longer hit (which makes sense from BIND's perspective).
My question is, if you can't/won't make any subdomain A/CNAME records, but do want to have reliable DNS01 ACME challenging, without it possibly invalidating wildcards during challenges (just like in my above case), how would you proceed? *
I've started using external-dns1, but it seems heavy-handed just to remediate my above problem, in my opinion the wildcard should just stay working.
\* You could argue that in a correct setting the `_acme-challenge` TXT record will only be there for mere seconds; however, I think that is still unacceptable, as it leaves a window in which DNS clients might wrongfully get an NXDOMAIN for the intended subdomain which happens to be under ACME DNS01 challenge.
I think this is not intrinsic to cert-manager, but actually a more general problem with DNS01; that's why I posted here first, before asking at cert-manager's forums.
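The behaviour in the post follows RFC 4592: a name that exists in the zone, even only as an empty non-terminal created by a child such as `_acme-challenge.objects`, is never matched by a wildcard, so the parent answers NODATA instead of the wildcard's CNAME. The Python below is an added example, not code from the post, BIND or cert-manager; it models that rule over a constructed zone shaped like the poster's and includes a pre-flight check (`names_losing_wildcard`, a name chosen here) that an operator or DNS01 solver could run before inserting a challenge record.

```python
def _labels(name):                      # 'a.b.example.' -> ('a', 'b', 'example')
    return tuple(name.rstrip(".").lower().split("."))

class Zone:  # minimal authoritative zone with RFC 4592 wildcard matching
    def __init__(self, records):
        self.rrs = {}                   # absolute owner labels -> [(rtype, rdata), ...]
        for owner, rtype, rdata in records:
            self.rrs.setdefault(_labels(owner), []).append((rtype, rdata))

    def remove(self, owner, rtype):
        name = _labels(owner)
        keep = [r for r in self.rrs.get(name, []) if r[0] != rtype]
        if keep: self.rrs[name] = keep
        else: self.rrs.pop(name, None)  # name ceases to exist once its last RR goes

    def exists(self, name):  # owns RRs, or is an ancestor of one (empty non-terminal)
        return any(n[-len(name):] == name for n in self.rrs)

    def lookup(self, qname, qtype):
        """Return (rcode, answer); NOERROR with an empty answer is a NODATA response."""
        name = _labels(qname)
        if self.exists(name):           # existing names are never wildcard-synthesised
            return "NOERROR", [r for r in self.rrs.get(name, []) if r[0] in (qtype, "CNAME")]
        for i in range(1, len(name)):   # walk up to the closest encloser
            if self.exists(name[i:]):
                wild = self.rrs.get(("*",) + name[i:])
                if wild is None: return "NXDOMAIN", []
                return "NOERROR", [r for r in wild if r[0] in (qtype, "CNAME")]
        return "NXDOMAIN", []

    def names_losing_wildcard(self, owner):
        """Pre-flight check: ancestors of `owner` answered today via a wildcard that
        would become empty non-terminals (NODATA) once `owner` is added."""
        name = _labels(owner)
        return [".".join(name[i:]) + "." for i in range(1, len(name))
                if not self.exists(name[i:]) and self.lookup(".".join(name[i:]), "A")[1]]

def demo():
    """Constructed zone modelled on the post: wildcard CNAME plus its dd.home target."""
    zone = Zone([("*.upperpaste.com.", "CNAME", "dd.home"),
                 ("dd.home.upperpaste.com.", "A", "184.108.40.206")])
    q, chal = "objects.upperpaste.com.", "_acme-challenge.objects.upperpaste.com."
    before = zone.lookup(q, "A")
    warned = zone.names_losing_wildcard(chal)
    zone.rrs[_labels(chal)] = [("TXT", "constructed-token")]   # challenge record live
    during = zone.lookup(q, "A")
    zone.remove(chal, "TXT")                                    # challenge cleaned up
    after = zone.lookup(q, "A")
    return before, warned, during, after
```

Running `demo()` shows the parent name answered via the wildcard before and after the challenge, but NODATA while the TXT record exists; the pre-flight check names `objects.upperpaste.com.` as the name that would lose coverage.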