How to properly set up our DNS Zone delegation for the “_acme-challenge” subdomain

Tags: delegation, dns-zone, domain-name-system, lets-encrypt

We are having a hard time setting up a DNS Zone Delegation for one of our subdomains.

We have one DNS record "_acme-challenge" that will change frequently, and this DNS record is defined directly on our server, which acts as a SECONDARY Name Server only for this record.

Our need is to have this record delegated to our SECONDARY Name Server, instead of having to change it manually in our MAIN DNS zone.

Please note that our SECONDARY Name Server is the same domain "example.com".

Our domain name is registered at OVH : example.com

Our MAIN DNS Servers are at OVH :

  • ns15.ovh.net
  • dns15.ovh.net

Our example.com content is hosted on a web server (not on OVH) having the following IP :
212.123.456.789

We do not have any problem with this DNS zone : our domain and emails are working correctly.

Our MAIN DNS zone is defined at OVH like this (shortened for brevity) :

$TTL 3600
@   IN SOA dns15.ovh.net. tech.ovh.net. (2019111705 86400 3600 3600000 300)
                       IN NS     ns15.ovh.net.
                       IN NS     dns15.ovh.net.
                       IN A      212.123.456.789
ftp                    IN CNAME  example.com.
mail                   IN A      212.123.456.789
www                    IN CNAME  example.com.

Our second DNS Server has these permanent records :

example.com.            NS      ns1.example.com.
ns1.example.com.        A       212.123.456.789
example.com.            NS      ns2.example.com.
ns2.example.com.        A       212.123.456.789

Our second DNS Server will regularly update the following record in its zone :

_acme-challenge.example.com     TXT     HereIsTheTextContent

We tried to add the following records to our MAIN DNS zone at OVH, in order to delegate this record to the SECONDARY Name Server, but had no success : _acme-challenge.example.com does not ping at all.

ns1                    IN A      212.123.456.789
ns2                    IN A      212.123.456.789
_acme-challenge        IN NS     ns1.example.com.
_acme-challenge        IN NS     ns2.example.com.

We guessed that some kind of records are missing, but where ?

  • Did we forget to add some records to our MAIN DNS zone ? (defined at OVH)
  • Did we forget to add some records to our SECONDARY DNS zone ? (defined on our "example.com" hosted on our server)

I would be happy if you could pinpoint the error, and give us a clue to make it work 🙂

Thanks

Best Answer

Thank you for your comments ! Here are some answers, and the solution.

TL;DR : The initial DNS configuration posted in my question is fully functional. We were unduly thinking it was not functional because we forgot that TXT records cannot be pinged ! (Shame on us)

Detailed explanations and answers :

  • @Ryan Bolger : What we call our "MAIN DNS server" : ns15.ovh.net AND dns15.ovh.net. They are managed by a machine hosted on OVH.
  • @Ryan Bolger : What we call our "SECONDARY DNS server" : ns1.example.com AND ns2.example.com. They are managed by a machine hosted on our own infrastructure. The correct term for this seems to be "a subdelegate DNS zone".
  • @Ryan Bolger : These MAIN and SECONDARY Name Servers have different names because they are not managed by the same machine.
  • @Ryan Bolger : We did not choose to use AXFR/IXFR zone transfers without any manual intervention, because our knowledge to set them up properly is not enough.
  • @Harry Johnston : Yes, what we are trying to achieve is to set up a primary nameserver for a subdomain. This one is called our "SECONDARY DNS server". Sorry for the confusion and wording !
  • @Harry Johnston : No, we were not using this "SECONDARY DNS server" before. We are only using it to contain, and supply the _acme-challenge record
  • @Harry Johnston : Sorry when we said that the _acme-challenge record "does not ping at all" : You are right, and we made a mistake, forgetting that TXT records cannot be pinged ! (Shame on us again)

So to wrap up all info about the current situation :

=> The _acme-challenge TXT record is defined on our "SECONDARY DNS server" (AKA. our subdelegate DNS Zone) (which, in fact, acts as a Primary Name Server as noted by @Harry Johnston). More information about this technique can be found in the Use a "Throwaway" Validation Domain section of this article : https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation

=> Our "MAIN DNS server", hosted at OVH, has the following zone :

$TTL 3600
@   IN SOA dns15.ovh.net. tech.ovh.net. (2019111705 86400 3600 3600000 300)
                       IN NS        ns15.ovh.net.
                       IN NS        dns15.ovh.net.
                       IN A         212.123.456.789
ftp                    IN CNAME     example.com.
mail                   IN A         212.123.456.789
www                    IN CNAME     example.com.
ns1                    IN A         212.123.456.789
ns2                    IN A         212.123.456.789
_acme-challenge        IN NS        ns1.example.com.
_acme-challenge        IN NS        ns2.example.com.

=> Our "SECONDARY DNS server", hosted on our own infrastructure, has the following zone, with a regularly changing _acme-challenge TXT record :

HOST                                Record Type         Value
example.com.                        NS                  ns1.example.com.
ns1.example.com.                    A                   212.123.456.789
example.com.                        NS                  ns2.example.com.
ns2.example.com.                    A                   212.123.456.789
_acme-challenge.example.com.        TXT                 k9ieQiTudAC7XydqdG7UIOtJn0PPC4brDK7e_zOC-7m

The conclusion is that it's working :

  • The _acme-challenge TXT record is correctly retrieved from our "SECONDARY DNS server", meaning that the zone delegation for the _acme-challenge subdomain is operational.

We do not see any error in this configuration : can you all confirm ?
