by zAy0LfpBZLC8mAC 3143 days ago
Erm ... you had people create TXT records? Why would you do that? Wouldn't people then have to manually update the TXT record on each certificate renew?!

Why not have them create a DNAME, a delegation, or just two CNAMEs?

TXT records are the only way to do the dns-01 challenge with certbot/Let's Encrypt.

The http-01 challenge is simpler; we can get people set up with one CNAME/A record.

Once we're serving traffic, we can do all renewals with an http challenge and they don't need to change DNS ever again.

This is an often overlooked option, but you can indeed solve the DNS challenge by having someone create a CNAME record for _acme-challenge.example.com that points to a domain under your control, and then serve the TXT record needed to verify the challenge from that domain. acme-dns[1] provides a nice implementation of this idea, as well as a more detailed explanation.

[1]: https://github.com/joohoi/acme-dns

Whoa, really? I didn't know this option existed. This would make these types of configurations a lot better.

Sorry, not trying to mock you, but I'm really curious how you (or anyone else on this thread who seems to be surprised by the possibility) managed to not know.

I mean, assuming you do know that CNAMEs are a thing, this reads to me like "well, yes, HTTP can do redirects, but I didn't know you could also redirect requests for images!" ...

I guess what I am wondering is: What is/was your mental model of CNAMEs that they could redirect DNS resolution, but then it's somehow surprising that they can redirect DNS resolution!?!

I don't think we'd considered a CNAME to redirect the specific TXT records that Let's Encrypt requires. It's not intuitively obvious that they support redirects for those lookups.

But how is it not?! I mean, apart from the fact that you never know whether software is buggy, of course.

CNAMEs are not a feature of application software, but rather a mandatory part of the DNS specification that any standards-compliant resolver has to implement. As they claim to be using DNS, that obviously implies the claim that they implement what the DNS specification defines, and that would necessarily include following CNAMEs.

You could also have them delegate the _acme-challenge with an NS record.

And A and AAAA records are the only way to do HTTP with web browsers ... so?!

What makes you think that CNAME or DNAME records are specific to A or AAAA records?!

I'm really struggling to understand what you're recommending. Will you explain how a DNAME works with the Let's Encrypt auth process in a way that makes it as simple as a single CNAME/A record?

Well, you have them create a DNAME that maps theirhostname.theirdomain to yourhostidorsomething.yourdomain, and then you have in your nameserver A and AAAA records for yourhostidorsomething.yourdomain and a TXT record for _acme-challenge.yourhostidorsomething.yourdomain!?

(Obviously doesn't work if they are to keep control over other subdomains of theirhostname.theirdomain, and also, I haven't tried it with DNAMEs, so I don't know whether their implementation is buggy.)
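An added toy resolver (not code from this thread, acme-dns, or Let's Encrypt) showing both mechanisms discussed above: the CNAME on `_acme-challenge` from the earlier comment and the DNAME from this one; every zone name and token below is constructed.

```python
"""Toy resolver: a dns-01 validator's TXT lookup follows CNAME and DNAME like
any other query, so the challenge record can live in the provider's zone."""

# Constructed zone data: (owner, type) -> rdata.  Lower-case, no trailing dots.
ZONES = {
    # Customer zone: only a CNAME (www) or a DNAME (shop) points at the provider.
    ("_acme-challenge.www.customer.example", "CNAME"): "www-customer.auth.provider.example",
    ("shop.customer.example", "DNAME"): "shop-customer.provider.example",
    # Provider zone: the provider publishes the challenge tokens here.
    ("www-customer.auth.provider.example", "TXT"): "token-for-www-constructed",
    ("shop-customer.provider.example", "A"): "192.0.2.10",
    ("_acme-challenge.shop-customer.provider.example", "TXT"): "token-for-shop-constructed",
}

def _dname_rewrite(name):
    """Apply a DNAME owned by a proper ancestor of name (RFC 6672 substitution).
    Note the DNAME owner itself is not rewritten, only names below it."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        target = ZONES.get((".".join(labels[i:]), "DNAME"))
        if target:
            return ".".join(labels[:i]) + "." + target
    return None

def resolve(name, rtype, max_hops=8):
    """Return (final_owner, rdata) or None, chasing CNAME/DNAME for any rtype."""
    name = name.lower().rstrip(".")
    for _ in range(max_hops):          # bounded so a CNAME loop cannot hang us
        if (name, rtype) in ZONES:
            return name, ZONES[(name, rtype)]
        cname = ZONES.get((name, "CNAME"))
        if cname:
            name = cname
            continue
        rewritten = _dname_rewrite(name)
        if rewritten:
            name = rewritten
            continue
        return None
    return None

def validate_dns01(fqdn, expected_token):
    """What the validator does: look up _acme-challenge.<fqdn> TXT and compare."""
    answer = resolve("_acme-challenge." + fqdn, "TXT")
    return answer is not None and answer[1] == expected_token
```

The DNAME case shows the caveat from the comment above: everything under shop.customer.example is rewritten into the provider's zone, not just the challenge name.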