Updates existing TXT records
This is excellent code, but I have identified an issue. Based on the code in dns_ispconfig.py (lines 145-157), it checks for existing TXT records and "updates" them if one exists. This is improper behavior for the ACME DNS challenge. The code should only be adding new TXT records and then deleting the TXT records it creates.
The update TXT record procedure causes a problem for certificate requests that include a hostname and a wildcard of the same hostname.
For example, a new certificate is requested for the following hostnames:
xyz.tld *.xyz.tld
would require two unique valued TXT records be created for _acme-challenge.xyz.tld in DNS.
Based on the code, the first challenge MAY create the first TXT record (or update an existing TXT record that may exist), then the second challenge will UPDATE the value of the TXT record of the first challenge, which ultimately will result in a failed request.
There are other instances where updating an existing TXT record could cause problems, such as when two separate servers performing ACME DNS requests use the same DNS server at the same time.
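As an added illustration of the point made in this issue (example code, not the plugin's own and not from either commenter), the in-memory zone below stands in for the ISPConfig API. `Zone`, `add_txt_record`, `del_txt_record` and the two validation strings are this example's own names and constructed values. It runs the two challenges for `xyz.tld` and `*.xyz.tld` once with an overwriting update and once add-only, then cleans up by exact name and content so a record another client placed at the same name survives.

```python
"""Added example: why an ACME DNS-01 authenticator should add and later
delete its own TXT records instead of updating a record in place."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TxtRecord:
    name: str
    content: str


@dataclass
class Zone:
    """Constructed in-memory zone; records get numeric ids like a real DNS API."""
    records: dict = field(default_factory=dict)
    next_id: int = 1

    def find_txt(self, name, content=None):
        """Ids of TXT records matching the name (and content, if given)."""
        return [rid for rid, rec in self.records.items()
                if rec.name == name and (content is None or rec.content == content)]

    def add_txt_record(self, name, content):
        """Add a record unless an identical name+content record already exists."""
        if self.find_txt(name, content):
            return None
        rid = self.next_id
        self.next_id += 1
        self.records[rid] = TxtRecord(name, content)
        return rid

    def update_txt_record_overwriting(self, name, content):
        """The problematic pattern: reuse whatever record already sits at the name."""
        existing = self.find_txt(name)
        if existing:
            self.records[existing[0]] = TxtRecord(name, content)
            return existing[0]
        return self.add_txt_record(name, content)

    def del_txt_record(self, name, content):
        """Remove only the record this client created (exact name and content)."""
        for rid in self.find_txt(name, content):
            del self.records[rid]

    def txt_values(self, name):
        """All TXT values currently published at the name, sorted."""
        return sorted(rec.content for rec in self.records.values() if rec.name == name)


CHALLENGE_NAME = "_acme-challenge.xyz.tld"
# Constructed placeholder validation strings; real ones come from the ACME server.
VALUE_BASE = "validation-for-xyz.tld"
VALUE_WILDCARD = "validation-for-wildcard.xyz.tld"


def run_challenges(zone, use_update):
    """Simulate both challenges' perform() steps; return the values at the name."""
    perform = zone.update_txt_record_overwriting if use_update else zone.add_txt_record
    perform(CHALLENGE_NAME, VALUE_BASE)
    perform(CHALLENGE_NAME, VALUE_WILDCARD)
    return zone.txt_values(CHALLENGE_NAME)


def cleanup(zone):
    """Each challenge's cleanup() removes only the record it added."""
    zone.del_txt_record(CHALLENGE_NAME, VALUE_BASE)
    zone.del_txt_record(CHALLENGE_NAME, VALUE_WILDCARD)
    return zone.txt_values(CHALLENGE_NAME)


if __name__ == "__main__":
    print("update-in-place leaves:", run_challenges(Zone(), use_update=True))
    zone = Zone()
    print("add-only publishes:", run_challenges(zone, use_update=False))
    print("after cleanup:", cleanup(zone))
```

With the overwriting update only the wildcard's value remains, so the validation for `xyz.tld` fails; with add-only both values are published and cleanup removes exactly those two.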
Hi @robkermit,
Thank you for looking through the code. Oh, I see that I may have some code in there which could not be called at any time. Updating the TXT record is one. I ran into exactly the issue you describe, then I changed the get_existing_txt (https://github.com/m42e/certbot-dns-ispconfig/blob/master/certbot_dns_ispconfig/dns_ispconfig.py) to also check for the content. So update will actually never be called and could be removed.
Do you agree?