Hello, I work on DNS-based validation using dynamic DNS on top of the Crypt::LE Perl client (https://metacpan.org/pod/Crypt::LE). It more or less works, but so far I ran into two issues:
after the first validation succeeds (be it with the testing CA or the live CA), the subsequent requests end up with “Received domain certificate, no validation required at this time.”. For how long does the validation result remain valid? I would like to invalidate it in order to be able to test the DDNS record writing. The TTL of the TXT record itself was 300 seconds (further lowered to 1 second), and the negative TTL in the SOA record of the DDNS zone was 60 seconds. I have been receiving this reply even for a hostname which I validated almost two days ago. The TXT record with the challenge itself has been NXDOMAIN in the authoritative DNS server for at least a day now, but the validation still succeeds.
after writing the TXT record to the dynamic DNS zone and trying to get the certificate, it fails immediately (in about two seconds) with “All verifications failed”. However, when I re-run the verification process (after about 30 seconds or so), I immediately get the certificate with “no validation required at this time”. So in fact the previous validation did succeed somehow. I tried to add a 5-second sleep after the TXT record has successfully been written to the DDNS zone, but it did not help. Then I added a 60-second sleep instead, and it helped - the validation succeeded and I got the certificate. Could it be that the LE DNS01 validator tries to look up the _acme-challenge TXT record first, and caches the resulting NXDOMAIN for a while? I use a single authoritative DNS server for the DDNS zone; there are no secondaries.
FWIW, I don’t set the _acme-challenge TXT records directly. I use a separate DDNS domain _le.example.org, and have the CNAME records mapping the hosts’ _acme-challenge to this subdomain, in the following style:
_acme-challenge.host.example.org. IN CNAME host.example.org._le.example.org.
I then create the host.example.org._le.example.org TXT records with dynamic DNS update requests.
Are the validity periods and timeouts documented somewhere? Thanks,
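A pre-flight check for the CNAME-delegated setup described in the post, added here as an example and not code from the original post or from Crypt::LE: it follows the _acme-challenge CNAME into the _le zone and polls until the TXT record is actually being served before the ACME validation is requested, which avoids asking the CA to look up a record that is not there yet. The `lookup` callable, the zone contents and the token value are constructed stand-ins; in real use `lookup` would query the DDNS zone's authoritative server directly rather than a caching recursive resolver.

```python
import time

# Constructed zone data standing in for the authoritative server's answers.
# Keys are (owner name, record type); values are the record data.
SAMPLE_ZONE = {
    ("_acme-challenge.host.example.org.", "CNAME"): ["host.example.org._le.example.org."],
    ("host.example.org._le.example.org.", "TXT"): ["constructed-token-value"],
}

def sample_lookup(name, rtype):
    """Stand-in resolver: records for (name, rtype), or [] when absent (NXDOMAIN/NODATA)."""
    return SAMPLE_ZONE.get((name, rtype), [])

def resolve_challenge_name(name, lookup, max_hops=8):
    """Follow CNAMEs from _acme-challenge.<host> to the name that must carry the TXT."""
    seen = []
    for _ in range(max_hops):
        seen.append(name)
        targets = lookup(name, "CNAME")
        if not targets:
            return name            # no further CNAME: this is where the TXT must live
        name = targets[0]
        if name in seen:
            raise ValueError("CNAME loop: " + " -> ".join(seen + [name]))
    raise ValueError("CNAME chain longer than %d hops" % max_hops)

def challenge_txt_visible(host, token, lookup):
    """True when the expected token is served at the end of the CNAME chain."""
    name = resolve_challenge_name("_acme-challenge.%s." % host.rstrip("."), lookup)
    return token in lookup(name, "TXT")

def wait_for_challenge_txt(host, token, lookup, timeout=120, interval=5, sleep=time.sleep):
    """Poll until the TXT record is visible. Returns seconds waited, or None on timeout.

    Only after this returns a number should the ACME client be told to trigger
    the DNS-01 validation; a CA that looks first may cache the negative answer.
    """
    waited = 0
    while waited <= timeout:
        if challenge_txt_visible(host, token, lookup):
            return waited
        sleep(interval)
        waited += interval
    return None
```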