We use DNS validation, with CNAMEs on the domains to acme.neusta-is.de, where we can add and delete TXT records with a hook.
It worked fine, but now it fails if there are, for example, 22 TXT records or more. Maybe with fewer, but I have no example of that at the moment.
Previously everything worked fine up to around 70 TXT records.
If there are too many TXT records present, I get
Detail: No TXT record found at sachsen-tourismus.de
for every domain requested in the certificate.
Did something change here?
Hi @43n12y, and welcome to the LE community forum
There are a couple of related topics recently opened.
Search results for 'unbound txt' - Let's Encrypt Community Support (letsencrypt.org)
Thanks for your reply. Don't know why I wasn't able to search it myself, maybe because the year just started.
I could use your tip from here (DNS-01 challenge fails since unbound 1.18. TXT records can be fetch using unbound 1.16 but not 1.18 1.19 - #6 by rg305) as workaround.
It sounds like you've leveraged a bit of an anti-pattern here. You shouldn't have 70 or 22 TXT records live.
Looks like they are a service provider and combine multiple domains on one cert. Were you thinking they just were not cleaning up obsolete TXT values?
Example: crt.sh | 10823447789
Update: Also see related thread with call-out to staff: DNS-01 challenge fails since unbound 1.18. TXT records can be fetch using unbound 1.16 but not 1.18 1.19 - #17 by petercooperjr
That (second bit) was my first thought, but then I reread and noticed the CNAME (and understood the first bit) and still thought it seemed to be an anti-pattern.
The consumption of TXT records has a long history of issues due to size. I know the recent unbound hiccup surfaced some new issues, but this has always been pretty fragile and this design pushes the limits a bit. It also complicates troubleshooting and cleanup. IMHO, every domain should CNAME onto its own FQDN for TXT records - like the acme-dns model.
If only TXT records came with built-in expiration dates...
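The size fragility mentioned above, as an added example that is not part of the thread: this script encodes the DNS response a resolver receives for `_acme-challenge.<domain> TXT` when that name CNAMEs onto one shared validation host, and reports how many 43-character DNS-01 tokens fit before the answer outgrows the classic 512-byte UDP limit and the 1232-byte EDNS buffer recommended by DNS Flag Day 2020 (beyond which the server must truncate and the client fall back to TCP). The names are taken from the thread; the token values are constructed.

```python
"""Wire size of a DNS-01 TXT answer behind one shared CNAME target."""
import secrets
import struct

UDP_CLASSIC = 512    # pre-EDNS UDP payload limit
EDNS_DEFAULT = 1232  # buffer size recommended by DNS Flag Day 2020
# Constructed token with the length of a real DNS-01 value (43 base64url chars).
SAMPLE_TOKEN = secrets.token_urlsafe(32)


def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def pointer(offset: int) -> bytes:
    """Compression pointer to a name already encoded at `offset`."""
    return struct.pack("!H", 0xC000 | offset)


def rr(owner: bytes, rtype: int, rdata: bytes, ttl: int = 60) -> bytes:
    """One resource record: owner, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def txt_answer(qname: str, target: str, tokens: list) -> bytes:
    """Response to `qname TXT`: the CNAME to `target` plus its TXT records."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1 + len(tokens), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 16, 1)  # TXT, IN
    cname = rr(pointer(len(header)), 5, encode_name(target))
    # The target name sits in the CNAME RDATA; later owner names point at it.
    target_off = len(header) + len(question) + 2 + 10
    msg = header + question + cname
    for tok in tokens:
        msg += rr(pointer(target_off), 16, bytes([len(tok)]) + tok.encode())
    return msg


def max_records(qname: str, target: str, limit: int) -> int:
    """Largest TXT record count whose answer still fits in `limit` bytes."""
    n = 0
    while len(txt_answer(qname, target, [SAMPLE_TOKEN] * (n + 1))) <= limit:
        n += 1
    return n


if __name__ == "__main__":
    q, t = "_acme-challenge.sachsen-tourismus.de", "acme.neusta-is.de"
    for limit in (UDP_CLASSIC, EDNS_DEFAULT):
        print(f"{limit} bytes: up to {max_records(q, t, limit)} TXT records")
```

With these names, the shared target holds only 7 tokens under a 512-byte UDP answer and 20 under a 1232-byte EDNS buffer; every additional customer domain on the same target pushes all of them towards truncation.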
I considered dedicated CNAMEs for each domain as well, but until now we had no problems. I will rethink that, because it will complicate communication to the customer and the task for the customer to set DNS entries.
It can be done in ways that don't complicate the messaging.
You could pre-assign each domain a unique code as part of your enrollment.
You can also use a templated naming system like:
So your clients would be told to cname:
Then you just have a page on your account dashboard that shows what each domain must be cnamed onto, instead of a single cname for everything.
Yeah, came to the same approach, thumbs up.