Currently Boulder uses the DNS servers “dnsResolvers” configured in va.json to resolve the HTTP hostname (A record) when doing HTTP validations. Great!
Request: use the same dnsResolvers to resolve the DNS TXT Record when doing DNS validations.
Rationale: Our regression tests dynamically create domains and inject them into PowerDNS. This enables all of our internal systems to resolve the dynamic name to do various tasks (including a quick pre-Let’s Encrypt validation).
The regression tests work great end-to-end when we’re doing HTTP validations.
But because the Boulder server ignores our PowerDNS server when doing DNS validations, we have to compensate by also injecting TXT records into the Boulder fake DNS server using set-txt.
Using set-txt works, but it’s more work in the different dev and QA environments (and languages and tools used). It would be nice if the Boulder server used va.json dnsServer when doing DNS TXT validations too.
Thanks!