Max response size for DNS-01

sebastiannielsen · May 14, 2020, 9:33am

How many _acme-challenge TXT responses are allowed for a single name?

The DNS-01 explanation says:
“You can have multiple TXT records in place for the same name. For instance, this might happen if you are validating a challenge for a wildcard and a non-wildcard certificate at the same time. However, you should make sure to clean up old TXT records, because if the response size gets too big Let’s Encrypt will start rejecting it.”

After how many challenge records, will it start rejecting?

The reason I ask, is because I have made this client: https://github.com/sebastiannielsen/pdns-certbot which simply puts all challenges on all domain names, so validating for example 8 domain name would have it return 8 TXT records for each domain.

Would be nice for documentation to specify how many domain names it could handle at maximum given the constraints, and also improve my anti-sabotage security check in the script (as people expressed concerns of the challenge source file being chmod 0666 in issues)

JuergenAuer · May 14, 2020, 9:48am

Hi @sebastiannielsen

but these are different domain names. So different DNS queries are required, not one query with 8 answers.

So the maximum per domain name is two - if it is a wildcard and the main domain.

And RRSIG, if DNSSEC is used (curious forum formatting).

Checked with my own domain + dig:

:~$ dig TXT +dnssec _acme-challenge.server-daten.de.

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> TXT +dnssec _acme-challenge.server-daten.de.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3105
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;_acme-challenge.server-daten.de. IN    TXT

;; ANSWER SECTION:
_acme-challenge.server-daten.de. 100 IN TXT     "WdQ71X1AFdPjvg9pwh6rhLerYXUIDsku-5TMKHLpN9M"
_acme-challenge.server-daten.de. 100 IN RRSIG   TXT 8 3 300 20200521000000 20200430000000 39483 server-daten.de. WSq/CYvPwQgBCAQe05cx2fNqgztEE19/IlKkiZQbXE6Z7byCw9qaXcaQ UBGzH29TME7zcCSlEVlCEcbT
HN35KRULS5XbbArQxdp2E3EqMLhp2lgF gS4N8/GNdPX73dTnKd6oAyQkOgv+OKx+/vAACc8DpObxG2BbklTZQaew 7LU=

;; Query time: 8 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Thu May 14 11:44:01 CEST 2020
;; MSG SIZE  rcvd: 291

291 Bytes, one entry. Two entries - max 400 bytes, so it’s ok. Without DNSSEC, only 116 bytes as answer.

sebastiannielsen · May 14, 2020, 10:44am

If you look on the source code, you will see it not domain name agnostic, so it will return ALL challenges for ALL domain names.

Basically, it will return ALL challenge responses it knows about, for all domain names that begin on _acme-challenge.*

check for example:
dig TXT _acme-challenge.sebbe.eu
dig TXT _acme-challenge.fuckthesystem.se

Thats why I want to know the limits.

mnordhoff · May 14, 2020, 10:30am

I emphasize that this is not guaranteed and is subject to change etc.

FYI, the current implementation is this: The DNS response from the recursive resolver must be smaller than 4097 bytes. It does not include DNSSEC records. It does include authority NS records, if your authoritative servers include them.

(I might be wrong about the authority part, if the implementation has changed recently.)

_az · May 14, 2020, 10:43am

Worth noting that it’s 4K after DNS compression, so you can fit a crapload of _acme-challenge records in there. Something like ~70.

To save someone trying, I setup two zones, one under 4K (under4k.foo.monkas.xyz), and one over (over4k.foo.monkas.xyz).

First gives:

Detail: Incorrect TXT record “5105jgUpOBEFaxu7MNo8ifu8zslVWRZJ9tuxH8kXA8k” (and 68 more) found
at _acme-challenge.under4k.foo.monkas.xyz

Second one:

Detail: No TXT record found at _acme-challenge.over4k.foo.monkas.xyz

sebastiannielsen · May 14, 2020, 10:31am

good. Calculated now, 277 bytes for 4 TXT’s, and 109 for a single, 165 for 2 TXTs, and 221 bytes for 3 TXTs

gives the linear equation 56x + 53

56x + 53 = 4097

about 72 domain names.

So it seems to not be something to worry about. And yes, I calculated and see that the length of the domain name is part of response, but it has only a single occurence in response traffic, so 4 records for the same domain name will still only take 1 instance of the query domain.

Tought the limit would be much lower, like about ten records or similiar.

mnordhoff · May 14, 2020, 10:33am

What’s critical is how the resolver compresses names in its own responses. I haven’t looked into that, but hopefully it’s fine.

system · June 13, 2020, 10:46am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.