
"_acme-challenge" subdomains have special NS records

@cunnie cunnie released this 24 Dec 20:22

_acme-challenge. in query triggers special NS record

Prior behavior was that the same trinity of NS records was returned for every NS query:

  • ns-aws.nono.io.
  • ns-azure.nono.io.
  • ns-gce.nono.io.

This commit introduces a change in that behavior: IF the NS query includes the string _acme-challenge. AND the query has an embedded IP address THEN the NS record returned is the query with the _acme-challenge. stripped.

For example:

dig +short ns _acme-challenge.104.155.144.4.sslip.io

Would return:

104.155.144.4.sslip.io.

This is an attempt to enable DNS-01 challenge for wildcard certs from Let's Encrypt or other CAs (Certificate Authorities).

Note that the embedded IP address would need to be routable (NOT 10.x, 172.16-31.x, or 192.168.x).

Note that you would also need to run a DNS server such as acme-dns at that address.
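As an added example that is not the sslip.io project's own code, the NS-record rule described above in Go, alongside an operator check for the routability caveat; the regex, the function names and the RFC 1918 check are this example's assumptions, not taken from the release.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// The trinity of NS records returned for every NS query before this release.
var defaultNS = []string{"ns-aws.nono.io.", "ns-azure.nono.io.", "ns-gce.nono.io."}

// A dotted IPv4 address sitting between labels, e.g. "104.155.144.4" in the query above.
var embeddedIPv4 = regexp.MustCompile(`(?:^|\.)((?:\d{1,3}\.){3}\d{1,3})\.`)

// nsRecords applies the rule from the release notes: IF the name contains
// "_acme-challenge." AND an embedded IPv4 address, THEN the single NS record is
// the name with "_acme-challenge." removed; otherwise the default trinity.
func nsRecords(qname string) []string {
	name := strings.ToLower(qname)
	if !strings.HasSuffix(name, ".") {
		name += "." // normalise to a fully-qualified name
	}
	if !strings.Contains(name, "_acme-challenge.") {
		return defaultNS
	}
	m := embeddedIPv4.FindStringSubmatch(name)
	if m == nil || net.ParseIP(m[1]) == nil { // no valid IPv4 between the labels
		return defaultNS
	}
	return []string{strings.Replace(name, "_acme-challenge.", "", 1)}
}

// isRFC1918 is an added operator check, not stated server behaviour: the notes
// say the embedded address must be routable, so a CA's DNS-01 lookup that is
// delegated to one of these ranges can never succeed.
func isRFC1918(addr string) bool {
	ip := net.ParseIP(addr)
	for _, cidr := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		if _, n, _ := net.ParseCIDR(cidr); ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	q := "_acme-challenge.104.155.144.4.sslip.io"
	fmt.Println(q, "->", nsRecords(q), "| RFC1918:", isRFC1918("104.155.144.4"))
}
```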

Thanks @normanr !