DNS-01 Challenge sync

Is there any chance to see somewhere in the docs if Traefik waits for a DNS sync between DNS servers when doing a DNS-01 challenge?

I would like to know how Traefik handles the timeout on sync of the TXT between the DNS servers when you actually API to one of them.

Hello @Yamakasi,

Traefik verifies that the txt record is created before allowing your CA to validate the record.

If you are encountering large propagation delays, you can also use the delayBeforeCheck option that will allow you to delay before checking (Let's Encrypt - Traefik)

Hi @daniel.tomcej ,

Thank you for your reply, I hoped so, and this is good.

But does it check all DNS servers, can you confirm that? How does that mechanism work?

Thanks for the delay tip!

Hello @Yamakasi,

The lego client checks that the record has propagated to all authoritative nameservers:

and it is used here:
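The propagation check described above, as an added example (not Traefik's or lego's own code): each authoritative nameserver is queried directly for the `_acme-challenge` TXT record, the check passes only when every server serves the expected value, and a delay-then-poll loop mirrors what a delayBeforeCheck plus a timeout give you. The function names and the port-53 direct query are assumptions of this example.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"slices"
	"time"
)

// TXTLookup returns the TXT strings one nameserver serves for name; it is a function value so tests can run offline with a fake.
type TXTLookup func(ctx context.Context, nameserver, name string) ([]string, error)

// LookupViaServer queries one authoritative server directly, bypassing the local recursive resolver (assumption: it answers on port 53).
func LookupViaServer(ctx context.Context, nameserver, name string) ([]string, error) {
	r := &net.Resolver{PreferGo: true, Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
		d := net.Dialer{Timeout: 5 * time.Second}
		return d.DialContext(ctx, network, net.JoinHostPort(nameserver, "53"))
	}}
	return r.LookupTXT(ctx, name)
}

// Propagated is true only when every nameserver serves expected under name; lagging lists those that do not (a failed query counts as lagging).
func Propagated(ctx context.Context, lookup TXTLookup, nameservers []string, name, expected string) (bool, []string) {
	var lagging []string
	for _, ns := range nameservers {
		values, err := lookup(ctx, ns, name)
		if err != nil || !slices.Contains(values, expected) {
			lagging = append(lagging, ns)
		}
	}
	return len(lagging) == 0, lagging
}

// WaitForPropagation sleeps delayBeforeCheck, then polls every interval until all servers agree or timeout (counted from the first poll) elapses.
func WaitForPropagation(ctx context.Context, lookup TXTLookup, nameservers []string, name, expected string, delayBeforeCheck, interval, timeout time.Duration) error {
	time.Sleep(delayBeforeCheck)
	deadline := time.Now().Add(timeout)
	for {
		if ok, lagging := Propagated(ctx, lookup, nameservers, name, expected); ok {
			return nil
		} else if time.Now().After(deadline) {
			return fmt.Errorf("TXT %q not yet served by %v after %s", name, lagging, timeout)
		}
		time.Sleep(interval)
	}
}
```

Pass `LookupViaServer` as the lookup together with the zone's NS records to check a real deployment; a secondary that still serves an older value shows up by name in the returned error.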

Thanks a lot @daniel.tomcej !

Now I'm wondering, would Traefik be able to write that record to multiple nameservers using an API instead of relying on master-slave replication while talking to the master only using the API ?

I can rely on master-slave but it's just a design thingy on my side.

Hello @Yamakasi,

As Traefik just uses the lego library, it relies on the functionality of lego, and does not modify it.

If you are looking for different propagation implementations, you would have to discuss that on the go-acme/lego project.

Hi @daniel.tomcej ,

OK, if it relies on that I think it's just good to stay that way, so thanks!

I'm also always trying to look beyond what is already there so that is why I asked, always good to see things from another perspective and you helped me out there!

Thanks again!
