Please fix the wildcard DNS validation requirements

This is a defect with DuckDNS.

Asking Let's Encrypt to change its behavior to accommodate DuckDNS would be the tail wagging the dog.

It doesn't work in the unique case of DuckDNS because they have chosen a very peculiar, non-standard concept about how DNS hosting works.

The problem that occurs is that the popular ACME clients tend to parallelize their challenge solvers: they create the TXT records, submit them as a batch to the ACME server, and then clean them all up.

This is a reasonable design because it is faster to quickly create all the records and wait for a single nameserver update at the end. Conversely, if you want to respond to one challenge at a time (as DuckDNS requires), you need to wait for N nameserver updates. Much, much slower, since the nameserver update is generally by far the slowest part of the process.

Luckily for you, lego is an ACME client which was designed in a thoughtful way where the implementation of any DNS provider can either respond to every challenge in one batch, or one by one. This makes it one of the few (maybe the only?) ACME clients that support DuckDNS with multiple domains:

export DUCKDNS_TOKEN=xxx
lego -a -m 'me@example.com' --dns duckdns \
-d example.duckdns.org -d "*.example.duckdns.org" run
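A small simulation of the failure mode described in the post above, as an added example that is neither lego's code nor anything from the thread. It models two toy DNS hosts (a standard one that keeps several TXT values per name, and a DuckDNS-like one that keeps exactly one and overwrites on every write), a toy ACME server that validates DNS-01 by looking up `_acme-challenge.<domain>` for the RFC 8555 digest of the key authorization, and the two solver strategies (batched versus sequential). The class and function names, the key authorization strings, and the "propagation wait" counter are all assumptions made for the illustration; the DuckDNS and lego internals are not reproduced.

```python
"""Why batched DNS-01 solving breaks on a one-TXT-per-name host.

Added illustration, not lego's code. DNS hosts, ACME server and key
authorizations are toy models constructed for this example.
"""
import base64
import hashlib


def challenge_name(domain: str) -> str:
    """DNS-01 record owner name. Note that "example.com" and "*.example.com"
    share the same owner name, so a wildcard order needs two TXT values
    under one name."""
    bare = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + bare


def expected_txt(key_auth: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization)), unpadded."""
    digest = hashlib.sha256(key_auth.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class MultiTxtDns:
    """Ordinary DNS host: a name may carry several TXT values at once."""

    def __init__(self):
        self.txt = {}

    def present(self, name, value):
        self.txt.setdefault(name, set()).add(value)

    def cleanup(self, name, value):
        self.txt.get(name, set()).discard(value)

    def lookup(self, name):
        return sorted(self.txt.get(name, ()))


class SingleTxtDns:
    """DuckDNS-like host (toy model): one TXT value per name, overwritten on write."""

    def __init__(self):
        self.txt = {}

    def present(self, name, value):
        self.txt[name] = value  # second write silently replaces the first

    def cleanup(self, name, value):
        self.txt.pop(name, None)

    def lookup(self, name):
        return [self.txt[name]] if name in self.txt else []


class AcmeServer:
    """Toy validator: passes if the expected digest is among the TXT values."""

    def __init__(self, dns):
        self.dns = dns

    def validate(self, domain, key_auth):
        return expected_txt(key_auth) in self.dns.lookup(challenge_name(domain))


def solve_batched(server, dns, challenges):
    """Present all records, wait once for propagation, validate all, clean up all."""
    for domain, key_auth in challenges:
        dns.present(challenge_name(domain), expected_txt(key_auth))
    waits = 1  # a single nameserver update covers every record
    results = {d: server.validate(d, ka) for d, ka in challenges}
    for domain, key_auth in challenges:
        dns.cleanup(challenge_name(domain), expected_txt(key_auth))
    return results, waits


def solve_sequential(server, dns, challenges):
    """Present, wait, validate and clean up one challenge at a time."""
    results, waits = {}, 0
    for domain, key_auth in challenges:
        dns.present(challenge_name(domain), expected_txt(key_auth))
        waits += 1  # one nameserver update per challenge: N waits in total
        results[domain] = server.validate(domain, key_auth)
        dns.cleanup(challenge_name(domain), expected_txt(key_auth))
    return results, waits


# Constructed sample order: base name plus wildcard, with made-up key authorizations.
CHALLENGES = [
    ("example.duckdns.org", "tokenA.accountThumbprint"),
    ("*.example.duckdns.org", "tokenB.accountThumbprint"),
]


def run_scenario(dns_cls, solver):
    dns = dns_cls()
    return solver(AcmeServer(dns), dns, CHALLENGES)


if __name__ == "__main__":
    for dns_cls in (MultiTxtDns, SingleTxtDns):
        for solver in (solve_batched, solve_sequential):
            print(dns_cls.__name__, solver.__name__, run_scenario(dns_cls, solver))
```

On the multi-value host the batched solver passes both challenges after one wait. On the single-value host the wildcard's record overwrites the base name's record, so the batched run fails the first challenge, while the sequential run passes both at the cost of one propagation wait per challenge, which is exactly the speed trade-off the post describes. In lego this choice is exposed per provider through an optional `Sequential()` method that returns the interval to wait between challenges; the DuckDNS provider implements it, which is why the command in the post works.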