The names of name servers need to follow the rules for hostnames, i.e. the 
labels are made up of letters, digits and hyphens (LDH). That means the name 
servers can’t live in the zone. There should be no A or AAAA records in the 
zone. 

Similarly there can’t be MX records as they also are restricted to LDH. 

Let’s Encrypt isn’t asking for exceptions to the rules. Your assumptions in 
your question are wrong. Check-names just stops people breaking the rules 
accidentally. If you saw instructions to set ‘check-names no;’ please go back 
and correct the instructions to say to use valid hostnames for the name 
servers. 
-- 
Mark Andrews

> On 27 Jun 2022, at 06:15, Sandro <li...@penguinpee.nl> wrote:
> 
> Hello,
> 
> I recently ran into "bad [owner] name" errors trying to set up a 
> '_acme-challenge' subdomain. Yes, this is for Let's Encrypt domain validation.
> 
> I wanted to use the dns-rfc2136 plugin [1], which, as the name suggests, does 
> dynamic zone updates for the authentication challenge. Since my registrar 
> does not support NOTIFY and Let's Encrypt queries all name servers for the 
> domain, I would need to set the propagation time in accordance with the TTL, 
> which my registrar uses for doing AXFRs, in order to make this work on the 
> main domain (penguinpee.nl).
> 
> On the Let's Encrypt forum it was suggested to use a dedicated zone with only 
> a single name server, the one dns-rfc2136 is able to update dynamically. It 
> seems [2] that would only work with '_acme-challenge' as a delegated zone, 
> which named refuses unless I set 'check-names master ignore;'.
> 
> But it seems common practice, at least in the Let's Encrypt community, to set 
> it up this way and they are planning on making it the default behavior for 
> DNS plugins [3].
> 
> tl;dr
> 
> I was wondering what the opinion is of other DNS administrators regarding the 
> use of non-standard domain names in DNS. After all, there's probably a 
> reason for the default behavior of 'check-names' in BIND.
> 
> -- Sandro
> 
> [1] https://certbot-dns-rfc2136.readthedocs.io/en/stable/
> [2] 
> https://community.letsencrypt.org/t/domain-authentication-fails-with-dns-rfc2136-plugin/180103/8
> [3] https://github.com/certbot/certbot/issues/7701
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
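To make the rules in the reply above concrete, here is an added example (not code from the thread or from BIND) that models what check-names inspects: hostname syntax on the owner names of A/AAAA/MX records and on the hostname carried in NS/MX/SOA rdata. The zone data and the example.net names are constructed; the "bad" zone puts the name server inside the '_acme-challenge' zone, the "good" zone points NS/SOA at an LDH hostname elsewhere and holds only TXT records.

```python
import re

# Hostname label: letters, digits and hyphens (LDH), 1-63 chars,
# no leading or trailing hyphen. Underscores are not allowed.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_hostname(name: str) -> bool:
    """RFC 952/1123 hostname syntax, the rule check-names enforces."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LDH_LABEL.match(label) for label in name.split("."))

# Simplified model of where check-names applies hostname rules:
OWNER_CHECKED = {"A", "AAAA", "MX"}   # owner name must be a hostname
RDATA_CHECKED = {"NS", "MX", "SOA"}   # hostname inside the rdata

def check_names(records):
    """Return 'bad name' complaints for (owner, type, rdata) triples,
    roughly as BIND would report them at zone load."""
    problems = []
    for owner, rtype, rdata in records:
        if rtype in OWNER_CHECKED and not is_hostname(owner):
            problems.append(f"{owner} {rtype}: bad owner name")
        if rtype in RDATA_CHECKED:
            # MX rdata is "<pref> <host>"; NS and SOA start with the hostname.
            fields = rdata.split()
            target = fields[1] if rtype == "MX" else fields[0]
            if not is_hostname(target):
                problems.append(f"{owner} {rtype}: bad name in rdata ({target})")
    return problems

# Constructed: the delegated _acme-challenge zone done the wrong way, with
# its name server and that server's A record living inside the zone.
BAD_ZONE = [
    ("_acme-challenge.example.net", "SOA",
     "ns._acme-challenge.example.net. hostmaster.example.net. 1 3600 900 604800 300"),
    ("_acme-challenge.example.net", "NS", "ns._acme-challenge.example.net."),
    ("ns._acme-challenge.example.net", "A", "192.0.2.53"),
    ("_acme-challenge.example.net", "TXT", '"validation-token"'),
]

# Constructed: the same zone with NS/SOA pointing at an LDH hostname outside
# the zone and only TXT records inside it. TXT owners are not checked.
GOOD_ZONE = [
    ("_acme-challenge.example.net", "SOA",
     "ns1.example.net. hostmaster.example.net. 1 3600 900 604800 300"),
    ("_acme-challenge.example.net", "NS", "ns1.example.net."),
    ("_acme-challenge.example.net", "TXT", '"validation-token"'),
]
```

Running check_names(BAD_ZONE) yields three complaints (SOA rdata, NS rdata, A owner) while check_names(GOOD_ZONE) yields none, which is why the delegation works without touching check-names.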