mod_md
MOD_MD and DNS-01 - TXT records cached in staging?
Hello,
I am using Apache 2.4.43 (from apachelounge) with mod_md and the dns-01 challenge for a wildcard certificate.
The TXT record is set by mod_md; I can verify that with dig.
But in staging I can see that mod_md is not seeing the current TXT value, but always the previous one. Dig reports the correct TXT value.
It seems that Apache / mod_md requests the TXT record once and caches it until a restart.
It looks like a bug to me.
Any suggestions?
Provide some details:
- Is this just an observation, or is something not working? If the latter, what exactly?
- Is your DNS split view? Where are you running "dig"? It's important to check from the point of view of the CA. There are a lot of web-based tools for this, such as https://dnschecker.org/, https://mxtoolbox.com/, https://www.whatsmydns.net/, https://tools.dnsstuff.com/, and more. Pick one.
- How are the DNS TXT records installed? Are they being removed?
- What CA are you using? Let's Encrypt? Production or staging?
- What's the exact sequence of events? Where are you looking in staging?
- Provide a reproducer
- Provide logs - LogLevel md:trace6
In general, the only thing that should matter is what the CA's validator sees. The TXT records should only be in the DNS briefly - the CA's validator issues a challenge, then mod_md triggers the setup program/script to install the record. If success is signaled, the validator is told to proceed; once it sees the record and the challenge is completed, mod_md triggers the teardown script to remove the TXT record. This sequence usually doesn't take very long...
I believe that mod_md checkpoints challenges in case of a crash. The checkpoint is unnecessary if the challenge passes (any subsequent challenge will be different). It's possible that mod_md isn't discarding it in this case. It also doesn't much matter in that a new challenge will be issued, so an error will cause delay, but not much else. In any case this report is lacking enough detail to be actionable...
FWIW: one common issue is not allowing for propagation time when installing TXT records. If the CA's validator doesn't see the TXT record when told to proceed, it may cache the negative result for quite a long time. For that reason, I suggest that the setup program sleep after installing TXT records and before exiting. How long depends on your DNS propagation time. Typically sleeping 30-90 seconds can prevent a negative caching-induced delay of 10s of minutes... (RFC2308 describes negative caching; RFC 8198 allows it to be aggressive. At least one popular DNS resolver caches negative results for 15 mins.)
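As an added illustration of the setup/teardown hook and the propagation wait discussed above (example code, not from this thread or from the mod_md project): a dns-01 hook that, after installing the record, polls public resolvers until they all serve the new value and only then sleeps a grace period and exits. The `setup <domain> <value>` / `teardown <domain>` argument layout is assumed from the mod_md README, the resolver list and timings are assumptions, and the provider calls are placeholders.

```shell
#!/bin/sh
# Hypothetical MDChallengeDns01 hook for mod_md. mod_md is assumed to call it as
#   <script> setup <domain> <txt-value>   and   <script> teardown <domain>
# (argument layout as described in the mod_md README). Provider calls are placeholders.
GRACE_SECONDS="${GRACE_SECONDS:-30}"         # extra wait once the record is visible
MAX_WAIT_SECONDS="${MAX_WAIT_SECONDS:-300}"  # give up after this long
POLL_INTERVAL="${POLL_INTERVAL:-10}"         # seconds between lookups (must be > 0)
# Public resolvers queried directly, so a stale local or split-view cache cannot fool us.
RESOLVERS="${RESOLVERS:-8.8.8.8 1.1.1.1}"

# Placeholders: replace with the DNS provider's API client.
provider_add_txt()    { echo "PLACEHOLDER: add TXT _acme-challenge.$1 = $2" >&2; }
provider_remove_txt() { echo "PLACEHOLDER: remove TXT _acme-challenge.$1" >&2; }

# Print the TXT strings resolver $2 currently returns for name $1, one per line.
lookup_txt() {
    dig +short +time=3 +tries=1 "@$2" TXT "$1" 2>/dev/null | tr -d '"'
}

# Succeed only when every resolver in RESOLVERS already serves the expected value.
txt_visible_everywhere() {
    for r in $RESOLVERS; do
        lookup_txt "$1" "$r" | grep -Fqx "$2" || return 1
    done
    return 0
}

# Poll until the record is visible everywhere (0) or MAX_WAIT_SECONDS passes (1).
wait_for_txt() {
    waited=0
    while [ "$waited" -lt "$MAX_WAIT_SECONDS" ]; do
        if txt_visible_everywhere "$1" "$2"; then return 0; fi
        sleep "$POLL_INTERVAL"
        waited=$((waited + POLL_INTERVAL))
    done
    return 1
}

main() {
    case "$1" in
        setup)
            provider_add_txt "$2" "$3"
            wait_for_txt "_acme-challenge.$2" "$3" || { echo "TXT not visible after ${MAX_WAIT_SECONDS}s" >&2; exit 1; }
            sleep "$GRACE_SECONDS"   # propagation grace before mod_md tells the CA to proceed
            ;;
        teardown) provider_remove_txt "$2" ;;
        *) echo "usage: $0 setup <domain> <txt-value> | teardown <domain>" >&2; exit 2 ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

A non-zero exit from the setup step keeps mod_md from telling the CA to proceed against a record that is not yet visible, which is the situation that leads to the negative-cache delay.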
Sorry about coming back to this late. I do not fully understand when you say "mod_md is requesting the TXT record once". Is this some confusion with DNS caching behaviour where you see a previous value cached at your local resolver, maybe?
It would be good to know details if this is still a problem or if it is no longer relevant. Thanks.