How does DNS Validation work behind the scenes

JavaScriptDude · March 26, 2018, 3:26pm

When dns-01 Validation is done, how does Let’s Encrypt do the validation behind the scenes.

My assumption is that it does the following:

Query for list of Authoritative name servers using NS-Records
Poll Each of the servers given for an appropriately named TXT record
If challenge key is found on one or more of the authoritative servers, its considered validated

mnordhoff · March 26, 2018, 3:56pm

It uses an off-the-shelf recursive DNS server. To be more specific, Unbound. (With a particular configuration, with DNSSEC and so forth enabled, and caching minimized.)

The CA software, Boulder, doesn't do anything complicated. It just makes a TXT query to the resolver (using miekg's dns client).

github.com

letsencrypt/boulder/blob/main/bdns/dns.go

package bdns

import (
	"context"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
	"sync"
	"time"

	"github.com/jmhodges/clock"
	"github.com/miekg/dns"
	"github.com/prometheus/client_golang/prometheus"

	blog "github.com/letsencrypt/boulder/log"
	"github.com/letsencrypt/boulder/metrics"
)

This file has been truncated. show original

Boulder doesn't make its own NS query. Unbound, as currently designed, doesn't go out of its way to make unnecessary NS queries either. It just follows the NS records as given by the delegations (and the authority sections of other responses, I think).

Boulder makes one query to the resolver. If some of a zone's authoritative DNS servers are down or so forth, Unbound will query other ones, but a valid negative response from one server will be taken as definitive.

You have to ensure that all of the zone's authoritative DNS servers are serving the TXT record.

(CNAME records will be followed.)

JavaScriptDude · March 26, 2018, 4:20pm

Thanks @mnordhoff. Exactly the answer I was looking for.

system · April 25, 2018, 4:20pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.