Cannot Specify Upstream for Domain with Underscore (for _acme-challenge) #4884
Comments
Hello. I was under the impression that underscores aren't normally supported in domain names, apart from service types in @EugeneOne1, we'll need to reinspect our validation. Perhaps it's easier to just allow the leading underscore in all domain names.
Thanks for taking a look. My specific case is for returning
Just wanted to add my use case.
Prior to seeing this issue I didn't know I had to allow the challenge to go to the upstream DNS server, and since I use AGH>unbound to resolve things locally, caddy wasn't able to renew the cert through AGH. So in the end the workaround I did was to bypass AGH in order for caddy to properly do the DNS challenge (related: caddyserver/caddy#5082), so in my case I believe that what I need to configure for the upstream server is this:
However, trying to set the above returns the errors reported by OP.
Merge in DNS/golibs from 4884-domain-validation to master
Updates AdguardTeam/AdGuardHome#4884.
Squashed commit of the following:
commit 43263cb Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Feb 17 17:23:37 2023 +0300 netutil: imp logic
commit ce2b431 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Feb 17 15:41:22 2023 +0300 netutil: imp code, errors
commit d438e02 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Feb 15 01:53:03 2023 +0300 netutil: fix doc
commit ac849ae Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Feb 14 19:25:26 2023 +0300 netutil: validate tld stricter, imp errors
commit 3b5c9a5 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Feb 14 15:35:46 2023 +0300 netutil: fix docs
commit 3b40fa6 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Feb 13 18:03:41 2023 +0300 netutil: imp names, code
commit 46e5308 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Feb 13 16:58:38 2023 +0300 netutil: align with rfc

Merge in DNS/dnsproxy from 4884-upd-golibs to master
Updates AdguardTeam/AdGuardHome#4884.
Squashed commit of the following:
commit ecaf32c Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Feb 17 18:57:00 2023 +0300 all: fix vendor
commit 2cb6983 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Feb 17 18:54:17 2023 +0300 all: fix go.mod
commit 24bb50d Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Feb 17 18:52:40 2023 +0300 all: upd golibs

Merge in DNS/adguard-home from 4884-upd-golibs to master
Updates #4884.
Squashed commit of the following:
commit 4d07602 Merge: d780ad0 91dee09 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Feb 21 16:47:08 2023 +0300 Merge branch 'master' into 4884-upd-golibs
commit d780ad0 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Feb 21 14:17:11 2023 +0300 dnsforward: imp tests
commit ff9963d Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Feb 21 13:50:05 2023 +0300 all: log changes
commit 5703f7a Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Feb 21 13:36:43 2023 +0300 all: upd golibs and fix breaking changes
@shbatm, hello again. We've finally pushed the edge build that should fix the issue for such domains; could you please check if it now works? FYI, these domains are now validated according to section 2 of RFC 3696.
This is very exciting, I can combine the DNS of the domain server with AdGuardHome so that AdGuardHome can act as the primary DNS server.
I have used AdGuard Home v0.108.0-b.28 and it seems to be working fine, thank you for maintaining it!
I've updated my docker instance of AGH to the edge build and now I'm able to set this upstream DNS server for my domain :)
The downside is that I just realized that the above won't actually solve my issue. My caddy instance still hasn't been able to get a certificate when going through AGH. I even set the following server as the only DNS server that AGH uses
but that didn't help either. I'd say this specific #4884 issue is now closed, but the problem I'm having is probably specific to my setup and environment. To be clear, I'm using caddy with the cloudflare plugin, which does the DNS ACME challenge against cloudflare. If anyone is curious, I built the caddy-cloudflare image through this Dockerfile:
then also in the Caddyfile, this is the setting I'm using
I'll probably create a new issue with more details for trying to get the cloudflare ACME challenge to work through AGH (unless someone has any ideas about what's going on).
Prerequisites
I have checked the Wiki and Discussions and found no answer
I have searched other issues and found no duplicates
I want to report a bug and not ask a question
Operating system type
Linux, OpenWrt
CPU architecture
AMD64
Installation
GitHub releases or script from README
Setup
On a router, DHCP is handled by the router
AdGuard Home version
v0.108.0-a.261+1fb04376
Description
What did you do?
Attempted to add a specific subdomain to the Upstream DNS servers list with an "_" in the domain.
Expected result
Expect to be able to redirect _acme-challenge.zt.example.com to the upstream servers. Per this documentation, I would like to send all subdomain queries to a specific upstream server, except _acme-challenge.*, which needs to go to the upstream external server for external validation.
Desired config in Upstream DNS Servers:
This is possible in dnsmasq using the server=/_acme-challenge.zt.example.com/1.1.1.1 syntax.
Actual result
Config validation fails on the "_"; it also fails to start when added manually in the configuration yaml file.
Screenshots (if applicable)
Additional information
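To make both halves of this thread concrete (the OP's wish to route only _acme-challenge.zt.example.com to an external resolver, and the maintainers' fix of validating domains per RFC 3696 section 2 with a leading underscore allowed), here is an added example in Go, AdGuard Home's language. It is not the project's code and not the golibs netutil change referenced in the commits above; it is modelled on the documented "[/domain/]upstream" line format. It validates each listed domain (63-character labels of letters, digits and hyphens, no hyphen at either end, non-numeric TLD, plus one leading underscore per label), and then picks the most specific matching upstream for a query name, so the challenge subtree goes to 1.1.1.1 while the rest of zt.example.com stays with the local resolver. The function names, resolver addresses and config lines are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Upstream is one parsed line: a bare address serves every query, "[/d1/d2/]addr" only names at or under d1 or d2.
type Upstream struct {
	Addr    string
	Domains []string // empty for a default upstream
}

// ValidateDomain applies RFC 3696 section 2 (1..63-char LDH labels, no hyphen at
// either end, non-numeric TLD) and additionally accepts one leading "_" per label.
func ValidateDomain(name string) error {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for _, label := range labels {
		body := strings.TrimPrefix(label, "_")
		if body == "" || len(label) > 63 || body[0] == '-' || body[len(body)-1] == '-' {
			return fmt.Errorf("label %q: bad length or edge character", label)
		}
		for _, r := range body {
			alnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
			if !alnum && r != '-' {
				return fmt.Errorf("label %q: invalid character %q", label, r)
			}
		}
	}
	if tld := labels[len(labels)-1]; strings.Trim(tld, "0123456789") == "" {
		return fmt.Errorf("TLD %q is all-numeric", tld)
	}
	return nil
}

// ParseUpstream parses one "addr" or "[/domain/.../]addr" line, validating each domain.
func ParseUpstream(line string) (Upstream, error) {
	if !strings.HasPrefix(line, "[/") {
		return Upstream{Addr: line}, nil
	}
	end := strings.Index(line, "/]")
	if end < 2 || end+2 == len(line) {
		return Upstream{}, fmt.Errorf("%q: expected [/domain/]upstream", line)
	}
	u := Upstream{Addr: line[end+2:]}
	for _, d := range strings.Split(line[2:end], "/") {
		if err := ValidateDomain(d); err != nil {
			return Upstream{}, err
		}
		u.Domains = append(u.Domains, strings.ToLower(strings.TrimSuffix(d, ".")))
	}
	return u, nil
}

// ParseConfig parses every line and fails on the first bad one, as a config validation pass would.
func ParseConfig(lines []string) ([]Upstream, error) {
	ups := make([]Upstream, 0, len(lines))
	for _, l := range lines {
		u, err := ParseUpstream(strings.TrimSpace(l))
		if err != nil {
			return nil, err
		}
		ups = append(ups, u)
	}
	return ups, nil
}

// SelectUpstream returns the address whose domain is the most specific (most labels) suffix of qname, else the first default.
func SelectUpstream(ups []Upstream, qname string) (string, bool) {
	q := strings.ToLower(strings.TrimSuffix(qname, "."))
	best, bestLabels, def, hasDef := "", 0, "", false
	for _, u := range ups {
		if len(u.Domains) == 0 && !hasDef {
			def, hasDef = u.Addr, true
		}
		for _, d := range u.Domains {
			if n := strings.Count(d, ".") + 1; n > bestLabels && (q == d || strings.HasSuffix(q, "."+d)) {
				best, bestLabels = u.Addr, n
			}
		}
	}
	if bestLabels > 0 {
		return best, true
	}
	return def, hasDef
}

func main() {
	// Constructed config: local resolver for the zone, public resolver only for the ACME subtree, default for the rest.
	ups, err := ParseConfig([]string{"[/zt.example.com/]10.0.0.53", "[/_acme-challenge.zt.example.com/]1.1.1.1", "9.9.9.9"})
	if err != nil {
		panic(err)
	}
	for _, q := range []string{"www.zt.example.com", "_acme-challenge.zt.example.com", "example.org"} {
		addr, _ := SelectUpstream(ups, q)
		fmt.Printf("%-32s -> %s\n", q, addr)
	}
}
```

Note that the underscore is only allowed at the start of a label: "a_b.example.com" is still rejected, which keeps the relaxation limited to the RFC 2782 / RFC 8555 style names that need it, and a missing address after "/]" is reported instead of silently producing an upstream with no target.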