We are trying to set up Let's Encrypt certificate issuance using cert-manager and the dns01 solver. We are using Dreamhost as our DNS provider, and we created a glue component that bridges between cert-manager's RFC 2136 solver and the Dreamhost API.
We are experiencing an issue where, although the required (TXT) records are being added, the authoritative DNS server returns them at random: of two requests made one after another, one returns an answer and the other returns nothing. This causes cert-manager to wait an unpredictable amount of time until, by luck, it is able to confirm the presence of the TXT record, and in some cases it causes the Let's Encrypt domain check to fail.
Is this something to be expected from an authoritative DNS server? Or is it something we should raise with our DNS provider?
Below is an example of such a situation (for now the specific domain is redacted):
dig @ns1.dreamhost.com. _acme-challenge.keycloak.tenant-a.k8s-dev.redacted.redacted. TXT
; <<>> DiG 9.16.15-Ubuntu <<>> @ns1.dreamhost.com. _acme-challenge.keycloak.tenant-a.k8s-dev.redacted.redacted. TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38336
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.keycloak.tenant-a.k8s-dev.redacted.redacted. IN TXT
;; AUTHORITY SECTION:
redacted. 300 IN SOA ns1.dreamhost.com. hostmaster.dreamhost.com. 2022060209 18661 600 1814400 300
;; Query time: 20 msec
;; SERVER: 162.159.26.14#53(162.159.26.14)
;; WHEN: czw cze 02 19:40:17 CEST 2022
;; MSG SIZE rcvd: 152

dig @ns1.dreamhost.com. _acme-challenge.keycloak.tenant-a.k8s-dev.redacted.redacted. TXT
; <<>> DiG 9.16.15-Ubuntu <<>> @ns1.dreamhost.com. _acme-challenge.keycloak.tenant-a.k8s-dev.redacted.redacted. TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41439
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.keycloak.tenant-a.k8s-dev.redacted.redacted. IN TXT
;; ANSWER SECTION:
_acme-challenge.keycloak.tenant-a.k8s-dev.redacted.redacted. 300 IN TXT "Uyr1nHC1CRWQcmOWDvObc4RMd-mNhKaE9bbNZTf3L2k"
;; Query time: 16 msec
;; SERVER: 162.159.26.14#53(162.159.26.14)
;; WHEN: czw cze 02 19:40:18 CEST 2022
;; MSG SIZE rcvd: 144
As you can see:
- The timestamps of the responses are almost the same
- One response contains the TXT record, the other does not
- The same DNS server (162.159.26.14 - ns1.dreamhost.com) is responding, and I believe this is the authoritative server
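As an added example (not part of the question above, and not the poster's glue component), here is a small Python script that repeats the dig query from the post many times against each nameserver and tallies the distinct answers per answering address. Two different answers from one address within a second is exactly what you would see if that address fronts several backends (anycast or a load-balanced pool) that have not all received the update yet, so counting answers per address is the quickest way to show the provider what is happening. The parser works on dig's text output in the format quoted above and is checked offline against the two captured responses; the nameserver list, the round count of 10 and the `+nsid` flag are assumptions (NSID only yields a backend identifier if the server implements RFC 5001; otherwise it is ignored).

```python
"""Probe authoritative nameservers for a TXT record and tally the answers.

Added example, not code from the question. It parses the text output of
dig (BIND 9.16 format, as quoted in the question) so the parser can be
exercised offline against the two captured responses.
"""
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass

HEADER_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)
SERVER_RE = re.compile(r"^;; SERVER: ([0-9A-Fa-f.:]+)#\d+", re.M)
RR_TXT_RE = re.compile(r"^\S+\s+\d+\s+IN\s+TXT\s+(.+)$", re.M)
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


@dataclass(frozen=True)
class DigResult:
    status: str          # rcode from the header line: NOERROR, NXDOMAIN, ...
    authoritative: bool  # True when the 'aa' flag is set
    txt: tuple           # TXT rdata strings from the ANSWER section
    server: str          # address that answered, from the ';; SERVER:' line


def parse_dig(output: str) -> DigResult:
    """Extract rcode, aa flag, answering server and TXT answers from dig output."""
    header = HEADER_RE.search(output)
    if header is None:
        raise ValueError("no dig header in output (timeout or connection refused?)")
    flags = FLAGS_RE.search(output)
    flag_set = set(flags.group(1).split()) if flags else set()
    server = SERVER_RE.search(output)
    txt = []
    # Only the ANSWER section counts; the QUESTION section repeats the name.
    parts = output.split(";; ANSWER SECTION:", 1)
    if len(parts) == 2:
        section = parts[1].split("\n;;", 1)[0]  # up to the next ';;' header
        for rr in RR_TXT_RE.finditer(section):
            # rdata may be several quoted strings; concatenate them
            txt.append("".join(QUOTED_RE.findall(rr.group(1))))
    return DigResult(header.group(1), "aa" in flag_set, tuple(txt),
                     server.group(1) if server else "")


def probe(name: str, nameserver: str, rounds: int) -> list:
    """Run dig `rounds` times against one nameserver and parse each answer."""
    results = []
    for _ in range(rounds):
        cmd = ["dig", f"@{nameserver}", name, "TXT",
               "+norecurse",          # ask for the authoritative view only
               "+tries=1", "+time=3",
               "+nsid"]               # backend id, if the server implements NSID
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
        try:
            results.append(parse_dig(proc.stdout))
        except ValueError:
            results.append(DigResult("NO_RESPONSE", False, (), nameserver))
    return results


def tally(results) -> dict:
    """Map answering address -> Counter of distinct (status, txt) answers seen."""
    by_server = {}
    for r in results:
        by_server.setdefault(r.server, Counter())[(r.status, r.txt)] += 1
    return by_server


def is_consistent(results) -> bool:
    """True when every answering address gave the same answer every time."""
    return all(len(answers) == 1 for answers in tally(results).values())


# Constructed samples: the two responses quoted in the question, trimmed.
SAMPLE_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38336
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;_acme-challenge.keycloak.tenant-a.k8s-dev.redacted.redacted. IN TXT
;; AUTHORITY SECTION:
redacted. 300 IN SOA ns1.dreamhost.com. hostmaster.dreamhost.com. 2022060209 18661 600 1814400 300
;; SERVER: 162.159.26.14#53(162.159.26.14)
"""
SAMPLE_NOERROR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41439
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_acme-challenge.keycloak.tenant-a.k8s-dev.redacted.redacted. IN TXT
;; ANSWER SECTION:
_acme-challenge.keycloak.tenant-a.k8s-dev.redacted.redacted. 300 IN TXT "Uyr1nHC1CRWQcmOWDvObc4RMd-mNhKaE9bbNZTf3L2k"
;; SERVER: 162.159.26.14#53(162.159.26.14)
"""


def report(results) -> None:
    for server, answers in tally(results).items():
        print(f"{server}:")
        for (status, txt), n in answers.most_common():
            print(f"  {n:3d}x {status:<11} {list(txt)}")
    print("consistent" if is_consistent(results) else "INCONSISTENT answers")


if __name__ == "__main__":
    # usage: probe_txt.py <name> <ns1> [<ns2> ...]; no args = offline demo
    if len(sys.argv) < 3:
        report([parse_dig(SAMPLE_NXDOMAIN), parse_dig(SAMPLE_NOERROR)])
        sys.exit(0)
    live = [r for ns in sys.argv[2:] for r in probe(sys.argv[1], ns, 10)]
    report(live)
    sys.exit(0 if is_consistent(live) else 1)
```

Run it with no arguments to see the two captured responses tallied as two different answers from 162.159.26.14, or with the record name followed by every NS of the zone (`ns1.dreamhost.com ns2.dreamhost.com ...`) to collect live data; a non-zero exit means at least one address gave more than one distinct answer, which is the evidence worth attaching to a ticket with the provider.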