Wildcard TXT limitation


#1

Hi. I wanted to create a wildcard cert. So I used certbot with dns and the domain I used (just an example) was:
-d *.example.com -d example.com

Certbot wanted me to create two TXT records having the same key name; however, the values were different. I was lucky since I use Namecheap and Namecheap allows you to do anything. I added those two TXT records and got my certificate.

Now the problem is, besides the Namecheap registrar and the BIND application, no other domain registrar company allows you to create a TXT record with a duplicate name. Not Amazon Route53, not Hostgator, not Bluehost, not GoDaddy (I think).

My proposal is: can the two TXT key names be different?
Currently at my work I can’t use Let’s Encrypt because of this. My workplace uses AWS Route53.


#2

In Route 53, you can create one record set with two values. Just create or edit the record set and write them on two lines.

Almost all DNS services should let you create multiple TXT records – it’s a basic feature, and people need to do it quite frequently.

By the way, many ACME clients – including Certbot, on many OSes – support making automated changes to Route 53 DNS records.
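To make the Route 53 point concrete, here is an added example (not code from the thread or from Certbot) that builds the ChangeResourceRecordSets change batch for one TXT record set carrying both dns-01 tokens, and checks a resolver answer against the expected tokens. The zone id and tokens are placeholders I constructed; the `boto3` call is shown only in a comment so the script runs offline.

```python
import json

# Constructed placeholders; real ACME tokens come from the ACME client/CA.
HOSTED_ZONE_ID = "ZONEID_PLACEHOLDER"  # not a real hosted zone id
CHALLENGE_NAME = "_acme-challenge.example.com."
TOKENS = ["token-for-wildcard-placeholder", "token-for-apex-placeholder"]


def txt_value(s):
    """Route 53 stores TXT data quoted; escape inner quotes and wrap."""
    return '"' + s.replace('\\', '\\\\').replace('"', '\\"') + '"'


def build_change_batch(name, values, ttl=60):
    """One TXT record set whose ResourceRecords list holds every value.

    UPSERT replaces the whole record set, so every value that must
    coexist (both ACME tokens here) goes into a single call.
    """
    return {
        "Comment": "ACME dns-01 tokens for wildcard + apex",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name,
                "Type": "TXT",
                "TTL": ttl,
                "ResourceRecords": [{"Value": txt_value(v)} for v in values],
            },
        }],
    }


def missing_tokens(answer_values, required):
    """Return the expected tokens absent from the TXT strings a resolver returned."""
    seen = {v.strip('"') for v in answer_values}
    return [t for t in required if t not in seen]


if __name__ == "__main__":
    batch = build_change_batch(CHALLENGE_NAME, TOKENS)
    print(json.dumps(batch, indent=2))
    # With boto3 the batch would be submitted as:
    # boto3.client("route53").change_resource_record_sets(
    #     HostedZoneId=HOSTED_ZONE_ID, ChangeBatch=batch)
    # Constructed resolver answer in which only one token was published:
    print(missing_tokens(['"token-for-wildcard-placeholder"'], TOKENS))
```

If a second tool later UPSERTs the same name with only its own value, the first token disappears; that is the failure mode behind most "only one challenge passes" reports on Route 53.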


#3

The confusion on this topic usually revolves around UI differences in the providers. Some refer to it as a single record with multiple values. Others refer to it as two records with the same name and differing values. But almost all of them support what you’re trying to do in some form.


#4

Au contraire; Cloudflare, at least, does. Knowing (even if incorrectly, as @mnordhoff notes) that three hosts don’t support something is a far cry from knowing that nobody supports it.


#5

Two examples of common non-Let’s Encrypt situations where people commonly create multiple DNS records with the same type and name:

  • having more than one NS server
example.com NS a.iana-servers.net.
example.com NS b.iana-servers.net.

Normally every domain has multiple name servers, so normally every domain has multiple NS records with the same record name.

  • load-balancing with multiple A records
microsoft.com A 13.77.161.179
microsoft.com A 40.112.72.205
microsoft.com A 104.215.148.63
microsoft.com A 40.76.4.15
microsoft.com A 40.113.200.201

In the same way, DNS software typically supports having multiple records of some other type (such as TXT) with the same name. Although some providers’ interfaces make it confusing (or occasionally even impossible) to do this, the impossibility isn’t as common as one might think, as some of the other replies in this thread demonstrate.

Probably the underlying DNS server software of all of these providers does support it, but they just may have made it tricky in their control panels or DNS APIs. But because of the very common other use cases for multiple records with the same name, it ought to be straightforward for most of them to address this.


#6

Although the RFC allows for “TXT-DATA One or more <character-string>s.”, over the years many systems have had trouble handling information in TXT records when multiple records were used (I recall SPF having such issues).
At some point, it seems that the general consensus was to merge all the TXT records into a single multi-line TXT record that could be easily parsed and searched as needed. This has worked well for quite some time.
Of course, the Internet being as it is, instead of creating a new DNS record type for this specific purpose, they chose to use an existing record type but since it is not based on the root domain it should not create a conflict.
And yet, the way it must be handled is (as are all TXT records) not ideally suited for all its uses with regards to certificates.
I don’t think there is a simple, easy fix for this, as RFC changes can take a long time. Convincing enough people that there is a problem and then having them agree on the “best solution” to that problem can also take a long time.

I myself am guilty of “misusing” DNS records.
But we are sometimes pushed into finding immediate solutions, and once it is working, never circle back to do it the right/proper/correct way.
Case in point: I regularly use RP records to hold information completely unrelated to the original intent (also never on a base domain - so no harm = no foul).
(and even overload them - sometimes as many as six RP records for the same FQDN)
So, who am I to call the kettle black?


#7

Wow, I never knew that TXT records can be multi-line. It’s nice to have a room full of knowledgeable people around. I am going to use mnordhoff’s good idea of automating Route 53 with certbot. Thanks, guys, for the detailed explanation. You may choose this ticket.


#8

Pick a solution and this will automatically “close”.


#9

If anyone absolutely cannot set a TXT record with 2 values (depending on the ACME client), you can begin a certificate order and let one of the domain challenges fail (and the other succeed). If you then try the order again, you will only have to set the remaining challenge response. When that completes, your order can proceed as normal.


#10

2 posts were split to a new topic: Two separate DNS challenges