Sorry, not trying to mock you, but I'm really curious how you (or anyone else on this thread who seems to be surprised by the possibility) managed to not know.
I mean, assuming you do know that CNAMEs are a thing, this reads to me like "well, yes, HTTP can do redirects, but I didn't know you could also redirect requests for images!" ...
I guess what I am wondering is: What is/was your mental model of CNAMEs that they could redirect DNS resolution, but then it's somehow surprising that they can redirect DNS resolution!?!
I don't think we'd considered a CNAME to redirect the specific TXT records that Let's Encrypt requires. It's not intuitively obvious that they support redirects for those lookups.
But how is it not?! I mean, apart from the fact that you never know whether software is buggy, of course.
CNAMEs are not a feature of application software, but rather a mandatory part of the DNS specification that any standards-compliant resolver has to implement. As they claim to be using DNS, that obviously implies the claim that they implement what the DNS specification defines, and that would necessarily include following CNAMEs.
Part of it was that I'm not very familiar with the internals of the challenges and I didn't know that `_acme-challenge` was the record name for the dns-01 challenge. (I probably could have put 2+2 together if I realized this much.)
Another part was that I've never read the DNS RFC and honestly I've only ever spent enough time messing with DNS until it worked. And I've never seen a CNAME for a record that resolves to anything but A (or AAAA or another CNAME). So I suppose it was a combination of a failure of imagination, lack of knowledge, and lack of experience. Or maybe, "I dunno, I never thought about it".
But now I know! CNAMEs work for all records regardless of type, forwarding the entire lookup elsewhere, which I guess is why they require no other records exist with that name. Pretty cool.
I suppose I could have learned that with a bit less incredulity but hey, it got me here in the end. I guess a link to the RFC might be relevant here [CNAME 1]. I'll probably look through it later, maybe there are some other cool features I didn't know about.
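The CNAME behaviour described in the comments above, as an added example that is not part of the thread: a small in-memory Python resolver over a constructed zone that follows a CNAME for a TXT query at `_acme-challenge`, rejects CNAME loops, and flags owner names that carry a CNAME alongside other record types. All zone names and the token value are constructed placeholders.

```python
# Added example (not from the thread): a tiny in-memory resolver showing that
# a CNAME redirects a lookup for ANY record type, including the TXT record
# checked at _acme-challenge.<name> for the dns-01 challenge.
# Zone data is constructed; the names are placeholders, not real zones.
MAX_CHAIN = 8  # guard against CNAME loops and overlong chains

ZONE = {  # {owner name: {rtype: [rdata, ...]}}
    "example.com.": {"A": ["192.0.2.10"]},
    # No TXT lives here: the challenge label is delegated via CNAME to a zone
    # the ACME client is allowed to write to.
    "_acme-challenge.example.com.": {"CNAME": ["_acme-challenge.acme-dns.example.net."]},
    "_acme-challenge.acme-dns.example.net.": {"TXT": ["constructed-token-value"]},
    # Invalid: CNAME plus another record type at the same owner name.
    "bad.example.com.": {"CNAME": ["example.com."], "TXT": ["oops"]},
    # A CNAME loop.
    "loop1.example.com.": {"CNAME": ["loop2.example.com."]},
    "loop2.example.com.": {"CNAME": ["loop1.example.com."]},
}


def validate_zone(zone):
    """Owner names that break the rule that a CNAME must be the only record
    type at its owner (RFC 1034, section 3.6.2)."""
    return sorted(n for n, rrs in zone.items() if "CNAME" in rrs and len(rrs) > 1)


def resolve(zone, name, rtype):
    """Look up (name, rtype), following CNAMEs as a resolver does.
    Returns (chain, answers): names visited and the final RRset (possibly empty).
    Raises LookupError on a CNAME loop or an overlong chain."""
    chain = [name]
    for _ in range(MAX_CHAIN):
        rrs = zone.get(name, {})
        if rtype != "CNAME" and "CNAME" in rrs:
            # The CNAME applies whatever type was asked for: restart the
            # query at the canonical name.
            name = rrs["CNAME"][0]
            if name in chain:
                raise LookupError("CNAME loop: " + " -> ".join(chain + [name]))
            chain.append(name)
            continue
        return chain, rrs.get(rtype, [])
    raise LookupError("CNAME chain longer than %d" % MAX_CHAIN)


if __name__ == "__main__":
    print(resolve(ZONE, "_acme-challenge.example.com.", "TXT"))
    print("invalid owners:", validate_zone(ZONE))
```

Querying the TXT type at the delegated label returns the token from the target zone, which is exactly the lookup the dns-01 validator performs.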