DNS Challange failed sanity check


#1

Hello folks,

I am working on a ACME client and already got it working with the HTTP challange.

I am trying to make the DNS challange works as well but when I test with the staging server the error “Records for validation failed sanity check” pops out. The challange response comes with a validationRecord field in the json with the correct hostname but with the authorities field empty.

Looking through the boulder source code, it seems that the server was able to verify the TXT record in my domain correctly but failed when the sanity check verifies if the authorities field is not empty (objects.go:361).

Am i missing any other configuration in my DNS?

Best Regads.


#2

Our current implementation will fail if our DNS resolver doesn’t return a authority section for the hostname we are querying. Certain remote DNS server configurations can cause this to happen due to their strangeness, I have opened a Boulder issue to determine what we should do in these situations, most likely it’d be safe to just ignore an empty returned authority.


#3

Thank you for your reply roland.

I tried to figure out what should return as an authority (a SOA record or a NS record) but with no success. I’m using PowerDNS version 3.1 as DNS server.

I think that ignoring the empty returned authority will work well, since this validation fails after the success of the validation in the TXT record.

Keep up the good work!


#4

I’ve submitted a pull request for this https://github.com/letsencrypt/boulder/pull/1398


#5

From looking at that issue - looks like the PR was merged into master - is there some way for us to know the timeframe/status of master -> actual-production-servers?


#6

FYI - dnsimple.com and domains.google.com DNS servers both behave this way.


#7

Same error here with CloudFlare DNS.


#8

This thread is a year old and a request from DNSimple for a certificate failed. I had already noted that dig was returning Authority of 0 and raised that issue with them. Can anyone tell me the status of this problem? Thanks.


#9

Apologies for the bump. I discovered the referenced thread and patch and will attempt that. Thanks.


#10

FYI, I’ve been getting lots of certs via dns validation on a domain from dnsimple. If you’re seeing an issue, I don’t think it’s related to this.