Maël Valais
Hi! Thank you a lot for the very detailed description, that's very helpful! Not sure if that can be helpful or not: I looked at how the cert-manager computes the...
/area acme/dns01
After looking into the issue again, I realized that we don't follow `NS` records when looking for the zone apex with the RFC2136 DNS01 solver. Looking at [rfc2136/provider.go](https://github.com/jetstack/cert-manager/blob/dffbf391dbb0fc6c1cfea62e561a9c6f54362ab0/pkg/issuer/acme/dns/rfc2136/provider.go#L65-L77): ```go func...
Since `cnameStrategy: Follow` seems like a good way of working around the lack of "`NS` follow" support, I will close this issue. Feel free to re-open if you would like...
I agree, cert-manager should follow NS records. From the Let's Encrypt documentation: > Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can...
Hi! As part of the work on "self-check using DNS over HTTPS", we are realizing that we may not need the whole "finding the authoritative nameserver" at all, meaning that...
In the document [Problem exploration: DNS over HTTPS](https://hackmd.io/@maelvls/BkdL4jWVc), I suggested that we needed to drop our "custom DNS resolver" that we have in cert-manager. Up to today, my thought was:...
I asked on the [Kubernetes Slack](https://slack.k8s.io/) (channel `#cert-manager-dev`) for comments on this feature idea. The discussion on Slack is visible [here](https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1655122448102909). I realized that this feature had to be discussed...
Let's separate the two moments where cert-manager does DNS calls while solving a DNS-01 challenge: - Before adding a `TXT` record, cert-manager calls [`FindZoneByFqdn`](https://github.com/cert-manager/cert-manager/blob/440da719a9b30d0d2c891b93b08d89bc09e637e2/pkg/issuer/acme/dns/util/wait.go#L324) to find the apex domain of...
@pstackle Do you think the [cert-manager/trust](https://github.com/cert-manager/trust) could help with your use-case? It introduces the "Bundle" cluster-wide resource, for example: ```yaml apiVersion: trust.cert-manager.io/v1alpha1 kind: Bundle metadata: name: trust-bundle spec: sources: -...