DNS-01 Challenge including more DNS Records than TXT

Bruce5051 · February 8, 2023, 12:17am

For the ACME v2 DNS-01 Challenge we all know " ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN> ."

But will the ACME v2 DNS-01 Challenge allow for more than just the DNS TXT record for _acme-challenge.<YOUR_DOMAIN>?

Can I have a DNS A Record and a DNS TXT Record for _acme-challenge.<YOUR_DOMAIN> without issue for the ACME v2 DNS-01 Challenge?

I have the Domain zjhzcrxvjcidp.ml, I have created both TXT and A records for _acme-challenge.zjhzcrxvjcidp.ml
I just pick Google's 8.8.8.8 IPv4 Address for the DNS A Record
And for the TXT Record the string _acme-challenge goes here

nslookup can query each of them successfully.

If I were to try a DNS-01 Challenge and update _acme-challenge.zjhzcrxvjcidp.ml TXT field with the Challenge Token should the challenge succeed?
Or am I violating ACME v2 DNS-01 Challenge requirements?
(if so, how? a description or a URL to a document, etc)

$ nslookup -q=a _acme-challenge.zjhzcrxvjcidp.ml ns1.he.net.
Server:         ns1.he.net.
Address:        216.218.130.2#53

Name:   _acme-challenge.zjhzcrxvjcidp.ml
Address: 8.8.8.8

$ nslookup -q=txt _acme-challenge.zjhzcrxvjcidp.ml ns1.he.net.
Server:         ns1.he.net.
Address:        216.218.130.2#53

_acme-challenge.zjhzcrxvjcidp.ml        text = "_acme-challenge goes here"

petercooperjr · February 8, 2023, 12:26am

I would expect so.

The spec says that the ACME server will "Query for TXT records for the validation domain name", so I don't see why other records for that name would be relevant, whether there or not.

Be aware that the concept of "v2" is just Let's Encrypt's API versioning due to them starting things before ACME was all standardized, by now there's just the relevant RFCs which don't really have version numbers in that way as best as I understand it.

Bruce5051 · February 8, 2023, 12:38am

Thanks @petercooperjr!

Well it worked using https://gethttpsforfree.com/ and manually editing the _acme-challenge.zjhzcrxvjcidp.ml TXT Record.

Here is the Precertificate https://crt.sh/?id=8601507005

petercooperjr · February 8, 2023, 12:44am

Yeah, I mean you could always try against LE Staging, Pebble, and maybe even some actual CAs if you want to see how it works in practice, rather than relying on my quick glancing through the spec.

Bruce5051 · February 8, 2023, 12:47am

I had asked due to this Help Topic Nextjs-nginx:No TXT record found at _acme-challenge.agoratsp.com - #30 by rg305

Bruce5051 · February 8, 2023, 12:52am

I would love to hear more thoughts and opinions on this Topic; even though @petercooperjr seems to have nailed it on Post #2.

jvanasco · February 8, 2023, 12:55am

I believe you can also have multiple completing TXT records as well. IIRC, LetsEncrypt will inspect all the DNS records for a match but some providers will only support one or their own maximum number of records.

Bruce5051 · February 8, 2023, 12:57am

Since I was doing it all manually with https://gethttpsforfree.com/ just had 1 TXT Record that I edited and updated (and wait for propagation), and for the second challenge just reedited the TXT Record again.

Bruce5051 · February 8, 2023, 1:01am

At this point I am not going to challenge fate by trying a DNS TXT Record and a DNS CNAME Record together; TXT & A are enough for me today.

petercooperjr · February 8, 2023, 1:05am

You can't have a CNAME at the same time as any other type of record for the same name, but that's nothing specific to ACME.

rg305 · February 8, 2023, 1:10am

That should fail big time.
Having the CNAME record should void all other records.
See:
CNAME record - Wikipedia

system · March 10, 2023, 1:10am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.