kubernetes-letsencrypt

Always determine authoritative NS from root

Open tazjin opened this issue 7 years ago • 0 comments

When validating updated DNS records the controller currently determines the authoritative nameservers for the zone via the DNS servers configured in the OS.

In case of something like a split-brain DNS setup with a public & private zone in Route53, the user could end up in a situation where the host running the controller is configured to resolve records from the private zone. In this case updates in the public zone will never become visible to the controller and the validation will fail.

Let's Encrypt always validates challenges starting from the root nameservers. To ensure that we actually go through the same path the controller should do the same thing.


See the discussion at the end of #61 for more information.

tazjin, Jul 07 '17 13:07
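The lookup this issue asks for, as an added example that is not part of the original issue or the project's code: it follows referrals from the root servers down to the zone's own nameservers instead of asking the host's resolver. The `query` transport, the function names and all zone and server names are assumptions constructed for illustration; a real controller would send a non-recursive NS query over the network in place of `fake_query`.

```python
from typing import Callable, List, Tuple

# Hypothetical transport: send a non-recursive NS query for `zone` to `server`
# and return (answer_is_authoritative, nameserver_names).
Query = Callable[[str, str], Tuple[bool, List[str]]]

def authoritative_ns(zone: str, roots: List[str], query: Query,
                     max_referrals: int = 16) -> List[str]:
    """Follow referrals from the root servers down to the zone's own servers."""
    servers = list(roots)
    for _ in range(max_referrals):
        for server in servers:
            try:
                authoritative, names = query(server, zone)
            except OSError:
                continue              # server unreachable, try its sibling
            if not names:
                continue              # empty reply, try its sibling
            if authoritative:
                return sorted(names)  # the zone's own servers answered
            servers = names           # referral: descend one level
            break
        else:
            raise LookupError(f"no usable nameserver for {zone}")
    raise LookupError(f"referral chain too long for {zone}")

# Constructed sample data: the public delegation chain for a made-up zone,
# and the answer a host inside the private (split-horizon) view would get.
ZONE = "corp.example."
PUBLIC_NS = ["ns1.public.example.", "ns2.public.example."]
PUBLIC_DNS = {
    "b.root.test.": (False, ["ns.tld.test."]),
    "ns.tld.test.": (False, PUBLIC_NS),
    "ns1.public.example.": (True, PUBLIC_NS),
}
OS_RESOLVER_NS = ["ns1.private.internal."]  # what the host's resolver reports

def fake_query(server: str, zone: str) -> Tuple[bool, List[str]]:
    if server not in PUBLIC_DNS:
        raise OSError(f"{server} unreachable")  # e.g. a.root.test. below
    return PUBLIC_DNS[server]

def demo() -> List[str]:
    return authoritative_ns(ZONE, ["a.root.test.", "b.root.test."], fake_query)

if __name__ == "__main__":
    print("from root:", demo(), "| from OS resolver:", OS_RESOLVER_NS)
```

Polling the servers returned by the root walk checks the same public view the CA sees, whichever zone the host's own resolver is pointed at.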