On 3/25/23 11:44, Christoph wrote:
>> However, I doubt this is a reasonable approach for your ACME
>> client.
>
> Sounds like a simple enough solution to me, can you elaborate why
> you doubt it is reasonable?

My understanding is that ACME is about whether there is a TXT RRset with the 
challenge record; if it is not there, it's irrelevant whether the outcome is 
NXDOMAIN or NODATA/NOERROR.

If the software's behavior depends on that detail, it doesn't seem like it is 
doing a reasonable thing. It should not need to know / care about the specific 
circumstances of the challenge record's absence.

>> It would be a weird workaround, when the better approach is to make
>> the ACME client just understand rcodes correctly :)
>
> My understanding was that simply looking at the rcode only
> without Peter Thomassen's workaround is not enough
> because both cases (existing and not existing) both result in
> an NXDOMAIN rcode?

That's right, but I don't see why the ACME client should investigate whether 
there is a CNAME present. Can you name a reason why it should?

Thanks,
Peter

--
https://desec.io/
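
Added example, not part of the message above and not taken from any ACME client: a presence check for the DNS-01 challenge that looks only at whether a matching TXT RRset is in the answer (following CNAMEs) and never consults the rcode. The `RR`, `Response` and `challenge_present` names are hypothetical, the sample responses and token are constructed, and it assumes the resolver returns the CNAME chain in the answer section.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str

@dataclass(frozen=True)
class Response:
    rcode: str          # kept for display only; never consulted by the check
    answer: tuple = ()  # RRs from the answer section

def _norm(name):
    return name.lower().rstrip(".")

def txt_values(qname, resp, max_chain=8):
    """TXT strings answering qname, following CNAMEs found in the answer section."""
    owner = _norm(qname)
    for _ in range(max_chain):  # bounded so a CNAME loop cannot spin forever
        here = [rr for rr in resp.answer if _norm(rr.name) == owner]
        txt = {rr.data for rr in here if rr.rtype == "TXT"}
        if txt:
            return txt
        cname = next((rr for rr in here if rr.rtype == "CNAME"), None)
        if cname is None:
            return set()  # no TXT RRset: NXDOMAIN and NODATA end up here alike
        owner = _norm(cname.data)
    return set()

def challenge_present(qname, resp, expected):
    return expected in txt_values(qname, resp)

# Constructed sample responses (hypothetical names and token).
Q = "_acme-challenge.example.com."
TOKEN = "constructed-key-authorization-digest"
ALIAS = RR(Q, "CNAME", "validation.example.net.")
SAMPLES = {
    "nxdomain": Response("NXDOMAIN"),
    "nodata": Response("NOERROR"),
    "cname_dangling": Response("NXDOMAIN", (ALIAS,)),
    "cname_to_txt": Response("NOERROR", (ALIAS, RR("validation.example.net.", "TXT", TOKEN))),
    "direct_txt": Response("NOERROR", (RR(Q, "TXT", TOKEN),)),
}

def results():
    return {label: challenge_present(Q, r, TOKEN) for label, r in SAMPLES.items()}

if __name__ == "__main__":
    for label, ok in results().items():
        print(f"{label:15} rcode={SAMPLES[label].rcode:8} challenge_present={ok}")
```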