Is there any chance to see somewhere in the docs if Traefik waits for a DNS sync between DNS servers when doing a DNS-01 challenge?
I would like to know how Traefik handles the timeout on sync of the TXT between the DNS servers when you actually use the API of only one of them.
Hello @Yamakasi ,
Traefik verifies that the txt record is created before allowing your CA to validate the record.
If you are encountering large propagation delays, you can also use the delayBeforeCheck option, which lets you delay before checking (Let's Encrypt - Traefik).
Hi @daniel.tomcej ,
Thank you for your reply, I hoped so, and this is good.
But does it check all DNS servers, can you confirm that? How does that mechanism work?
Thanks for the delay tip!
Hello @Yamakasi ,
The lego client checks that the record has propagated to all authoritative nameservers:
```go
// Excerpt from lego's dns01 package, as quoted in the post.
func (p preCheck) call(domain, fqdn, value string) (bool, error) {
	if p.checkFunc == nil {
		return p.checkDNSPropagation(fqdn, value)
	}
	return p.checkFunc(domain, fqdn, value, p.checkDNSPropagation)
}

// checkDNSPropagation checks if the expected TXT record has been propagated to all authoritative nameservers.
func (p preCheck) checkDNSPropagation(fqdn, value string) (bool, error) {
	// Initial attempt to resolve at the recursive NS
	r, err := dnsQuery(fqdn, dns.TypeTXT, recursiveNameservers, true)
	if err != nil {
		return false, err
	}

	// Only the recursive lookup is required unless complete propagation was requested.
	if !p.requireCompletePropagation {
		return true, nil
	}
	// The quoted excerpt ends here; the rest of the function is the
	// per-authoritative-nameserver check described above.
```
and it is used here:
```go
// Excerpt from Traefik's ACME provider, as quoted in the post.
if p.DNSChallenge != nil && len(p.DNSChallenge.Provider) > 0 {
	logger.Debugf("Using DNS Challenge provider: %s", p.DNSChallenge.Provider)

	var provider challenge.Provider
	provider, err = dns.NewDNSChallengeProviderByName(p.DNSChallenge.Provider)
	if err != nil {
		return nil, err
	}

	err = client.Challenge.SetDNS01Provider(provider,
		// Use the configured resolvers instead of the system ones, if any were given.
		dns01.CondOption(len(p.DNSChallenge.Resolvers) > 0, dns01.AddRecursiveNameservers(p.DNSChallenge.Resolvers)),
		// Wrap lego's pre-check: optionally sleep first, optionally skip the check entirely.
		dns01.WrapPreCheck(func(domain, fqdn, value string, check dns01.PreCheckFunc) (bool, error) {
			if p.DNSChallenge.DelayBeforeCheck > 0 {
				logger.Debugf("Delaying %d rather than validating DNS propagation now.", p.DNSChallenge.DelayBeforeCheck)
				time.Sleep(time.Duration(p.DNSChallenge.DelayBeforeCheck))
			}

			if p.DNSChallenge.DisablePropagationCheck {
				return true, nil
			}
			// The quoted excerpt ends here.
```
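A stand-alone illustration of the "every authoritative nameserver must already serve the record" rule described in the reply above. This is added example code, not taken from lego or Traefik; the names `CheckAllAuthoritative`, `TXTLookup` and `lookupTXTAt` are this example's own, and it assumes the caller supplies the list of authoritative servers (for example from the zone's NS records). A server answering NXDOMAIN is treated as "not propagated yet" rather than as a failure, which is what a secondary that has not yet received the zone transfer looks like.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"time"
)

// TXTLookup asks one nameserver (host, no port) for fqdn's TXT records.
type TXTLookup func(ctx context.Context, ns, fqdn string) ([]string, error)

// CheckAllAuthoritative applies the "complete propagation" rule from the thread:
// true only when every listed nameserver already serves the expected value.
// NXDOMAIN or an empty answer from a server means "not propagated yet", so that
// server is reported in missing instead of aborting the check with an error.
func CheckAllAuthoritative(ctx context.Context, fqdn, value string, nss []string, lookup TXTLookup) (bool, []string, error) {
	var missing []string
	for _, ns := range nss {
		txts, err := lookup(ctx, ns, fqdn)
		var dnsErr *net.DNSError
		if err != nil && !(errors.As(err, &dnsErr) && dnsErr.IsNotFound) {
			return false, nil, fmt.Errorf("querying %s for %s: %w", ns, fqdn, err)
		}
		found := false
		for _, t := range txts {
			found = found || t == value
		}
		if !found {
			missing = append(missing, ns)
		}
	}
	return len(missing) == 0, missing, nil
}

// lookupTXTAt is a real TXTLookup: a Go resolver whose dialer is pinned to one
// server, so the answer is that server's own view, not a shared recursive cache.
func lookupTXTAt(ctx context.Context, ns, fqdn string) ([]string, error) {
	r := &net.Resolver{PreferGo: true, Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
		return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, net.JoinHostPort(ns, "53"))
	}}
	return r.LookupTXT(ctx, fqdn)
}
```

Polling `CheckAllAuthoritative` with `lookupTXTAt` until it returns true, with a deadline, is the shape of the wait that the delayBeforeCheck option replaces with a fixed sleep.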
Thanks a lot @daniel.tomcej !
Now I'm wondering, would Traefik be able to write that record to multiple nameservers using an API instead of relying on master-slave replication while talking to the master only using the API?
I can rely on master-slave but it's just a design thingy on my side.
Hello @Yamakasi ,
As Traefik just uses the lego library, it relies on the functionality of lego, and does not modify it.
If you are looking for different propagation implementations, you would have to discuss that on the go-acme/lego project.
Hi @daniel.tomcej ,
OK, if it relies on that I think it's just good to stay that way, so thanks!
I'm also always trying to look beyond what is already there, so that is why I asked; it's always good to see things from another perspective and you helped me out there!
Thanks again!