Bind9 gives me error 'There was a problem with a DNS query during identifier validation'. Where to look for a solution?
Mark Andrews
marka at isc.org
Thu Sep 18 20:25:28 UTC 2025
The rest of the world cannot resolve .home names. ACME does domain verification. If the name does not resolve for the rest of the world the process will fail.
--
Mark Andrews
> On 18 Sep 2025, at 21:48, P van Dijk <machlar at hotmail.com> wrote:
>
> Hi Mark,
>
> Thank you for your reply. Maybe I do not understand what you mean, but Step CA (https://smallstep.com/docs/step-ca/), which I self-host in my homelab, is capable of issuing .home certificates via their cli and with their ACME http-01 challenge. Bind9 is not issuing the certificate. So, I do not expect any top level domain limitation on Bind9 (if any) with regards to this issue. Did I misinterpret your reply?
>
> Warm regards
>
>
> -----Original message-----
> From: Mark Andrews <marka at isc.org>
> Sent: Thursday 18 September 2025 14:28
> To: P van Dijk <machlar at hotmail.com>
> CC: bind-users at lists.isc.org
> Subject: Re: Bind9 gives me error 'There was a problem with a DNS query during identifier validation'. Where to look for a solution?
>
> .HOME does not exist so you will NEVER get a CERT for a .HOME name.
> Use registered names.
>
> Mark
>
>> On 18 Sep 2025, at 13:15, P van Dijk <machlar at hotmail.com> wrote:
>>
>> Dear All,
>> Has anyone encountered the error message 'There was a problem with a DNS query during identifier validation' while trying to complete an ACME dns-01 challenge? If so, could you help me by pointing me towards a solution? I have tried multiple things but I am completely lost as to where the issue might reside. Google and the GitLab issue page do not show me any results.
>> My setup is the following three machines:
>> * ns1; running Bind9
>> * certificates; running Step CA
>> * testhost; Debian 12 on which I am trying to get a TLS certificate. (Once it works on the testhost, I would like to implement it on Truenas Scale, meaning this Debian machine will be replaced by the machine running Truenas Scale.)
>> I want to get a TLS certificate on the testhost. To achieve this, I ran acme.sh and certbot on the testhost. Both result in the error message 'There was a problem with a DNS query during identifier validation'.
>> Please find below my configuration and commands run.
>> BIND9 configuration
>> named.conf.local
>> zone "myown.home" {
>>     type primary;
>>     file "/var/lib/bind/db.myown.home"; # Zone path file
>>     inline-signing yes;
>>     update-policy {
>>         grant myown_wildcard. name _acme-challenge.testhost.myown.home. txt;
>>     };
>> };
>> [redacted reverse-mapped zone]
>> /var/lib/bind/db.myown.home
>> $ORIGIN .
>> $TTL 86400 ; 1 day
>> myown.home IN SOA ns1.myown.home. info.myown.home. (
>>     2025091716 ; serial
>>     43200      ; refresh (12 hours)
>>     900        ; retry (15 minutes)
>>     345600     ; expire (4 days)
>>     172800     ; minimum (2 days)
>>     )
>>     NS ns1.myown.home.
>> $ORIGIN myown.home.
>> testhost     A [redacted].23
>> ns1          A [redacted].21
>> certificates A [redacted].22
>> Step CA configuration
>> [redacted step path]/config/ca.json
>> "root": "/[redacted step path]/certs/root_ca.crt",
>> "federatedRoots": null,
>> "crt": "/[redacted step path]/certs/intermediate_ca.crt",
>> "key": "/[redacted step path]/secrets/intermediate_ca_key",
>> "address": ":443",
>> "insecureAddress": "",
>> "dnsNames": [
>>     "[redacted].22",
>>     "certificates.myown.home"
>> ],
>> "logger": {
>>     "format": "text"
>> },
>> "db": {
>>     "type": "badgerv2",
>>     "dataSource": "/etc/step-ca/db",
>>     "badgerFileLoadingMode": ""
>> },
>> "authority": {
>>     "provisioners": [
>>         ...
>>         {
>>             "type": "ACME",
>>             "name": "acme-dns",
>>             "challenges": [
>>                 "dns-01"
>>             ],
>>             "claims": {
>>                 "enableSSHCA": false,
>>                 "disableRenewal": false,
>>                 "allowRenewalAfterExpiry": false,
>>                 "disableSmallstepExtensions": false
>>             },
>>             "options": {
>>                 "x509": {},
>>                 "ssh": {}
>>             }
>>         }
>>         ...
>> WORKFLOW
>> On the testhost I ran (as root) the following commands to start the flow.
>> .acme.sh/acme.sh --issue --dns dns_nsupdate -d 'testhost.myown.home' --server https://[redacted].22/acme/acme/directory --dnssleep 300
>> REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/myown_root_ca.crt certbot certonly --dns-rfc2136 --dns-rfc2136-credentials certbot.ini -d testhost.myown.home --server https://[redacted].22/acme/acme/directory
>> This resulted in the following output (example for acme.sh).
>> [Wed Sep 17 12:49:03 PM CEST 2025] Using CA: https://[redacted].22/acme/acme/directory
>> [Wed Sep 17 12:49:03 PM CEST 2025] Account key creation OK.
>> [Wed Sep 17 12:49:04 PM CEST 2025] Registering account: https://[redacted].22/acme/acme/directory
>> [Wed Sep 17 12:49:04 PM CEST 2025] Registered
>> [Wed Sep 17 12:49:04 PM CEST 2025] ACCOUNT_THUMBPRINT='7juVi3uRQTaf2qUTEvOB9faQfCjoNUHUNj-VFxyC284'
>> [Wed Sep 17 12:49:04 PM CEST 2025] Creating domain key
>> [Wed Sep 17 12:49:04 PM CEST 2025] The domain key is here: /root/.acme.sh/testhost.myown.home_ecc/testhost.myown.home.key
>> [Wed Sep 17 12:49:04 PM CEST 2025] Single domain='testhost.myown.home'
>> [Wed Sep 17 12:49:05 PM CEST 2025] Getting webroot for domain='testhost.myown.home'
>> [Wed Sep 17 12:49:05 PM CEST 2025] Adding TXT value: JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk for domain: _acme-challenge.testhost.myown.home
>> [Wed Sep 17 12:49:05 PM CEST 2025] adding _acme-challenge.testhost.myown.home. 600 in txt "JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk"
>> [Wed Sep 17 12:49:05 PM CEST 2025] The TXT record has been successfully added.
>> [Wed Sep 17 12:49:05 PM CEST 2025] Sleeping for 300 seconds to wait for the the TXT records to take effect
>> [Wed Sep 17 12:54:07 PM CEST 2025] Verifying: testhost.myown.home
>> [Wed Sep 17 12:54:07 PM CEST 2025] Pending. The CA is processing your order, please wait. (1/30)
>> [Wed Sep 17 12:54:11 PM CEST 2025] Pending. The CA is processing your order, please wait. (2/30)
>> [Wed Sep 17 12:54:14 PM CEST 2025] Pending. The CA is processing your order, please wait. (3/30)
>> [Wed Sep 17 12:54:17 PM CEST 2025] Pending. The CA is processing your order, please wait. (4/30)
>> [Wed Sep 17 12:54:21 PM CEST 2025] Pending. The CA is processing your order, please wait. (5/30)
>> [Wed Sep 17 12:54:24 PM CEST 2025] Pending. The CA is processing your order, please wait. (6/30)
>> [Wed Sep 17 12:54:27 PM CEST 2025] Pending. The CA is processing your order, please wait. (7/30)
>> [Wed Sep 17 12:54:30 PM CEST 2025] Pending. The CA is processing your order, please wait. (8/30)
>> [Wed Sep 17 12:54:34 PM CEST 2025] Pending. The CA is processing your order, please wait. (9/30)
>> [Wed Sep 17 12:54:37 PM CEST 2025] Pending. The CA is processing your order, please wait. (10/30)
>> [Wed Sep 17 12:54:40 PM CEST 2025] Pending. The CA is processing your order, please wait. (11/30)
>> [Wed Sep 17 12:54:43 PM CEST 2025] Pending. The CA is processing your order, please wait. (12/30)
>> [Wed Sep 17 12:54:47 PM CEST 2025] Pending. The CA is processing your order, please wait. (13/30)
>> [Wed Sep 17 12:54:50 PM CEST 2025] Pending. The CA is processing your order, please wait. (14/30)
>> [Wed Sep 17 12:54:53 PM CEST 2025] Pending. The CA is processing your order, please wait. (15/30)
>> [Wed Sep 17 12:54:57 PM CEST 2025] Pending. The CA is processing your order, please wait. (16/30)
>> [Wed Sep 17 12:55:00 PM CEST 2025] Pending. The CA is processing your order, please wait. (17/30)
>> [Wed Sep 17 12:55:03 PM CEST 2025] Pending. The CA is processing your order, please wait. (18/30)
>> [Wed Sep 17 12:55:06 PM CEST 2025] Pending. The CA is processing your order, please wait. (19/30)
>> [Wed Sep 17 12:55:10 PM CEST 2025] Pending. The CA is processing your order, please wait. (20/30)
>> [Wed Sep 17 12:55:13 PM CEST 2025] Pending. The CA is processing your order, please wait. (21/30)
>> [Wed Sep 17 12:55:16 PM CEST 2025] Pending. The CA is processing your order, please wait. (22/30)
>> [Wed Sep 17 12:55:20 PM CEST 2025] Pending. The CA is processing your order, please wait. (23/30)
>> [Wed Sep 17 12:55:23 PM CEST 2025] Pending. The CA is processing your order, please wait. (24/30)
>> [Wed Sep 17 12:55:26 PM CEST 2025] Pending. The CA is processing your order, please wait. (25/30)
>> [Wed Sep 17 12:55:29 PM CEST 2025] Pending. The CA is processing your order, please wait. (26/30)
>> [Wed Sep 17 12:55:33 PM CEST 2025] Pending. The CA is processing your order, please wait. (27/30)
>> [Wed Sep 17 12:55:36 PM CEST 2025] Pending. The CA is processing your order, please wait. (28/30)
>> [Wed Sep 17 12:55:39 PM CEST 2025] Pending. The CA is processing your order, please wait. (29/30)
>> [Wed Sep 17 12:55:42 PM CEST 2025] testhost.myown.home: Timeout
>> [Wed Sep 17 12:55:42 PM CEST 2025] Removing DNS records.
>> [Wed Sep 17 12:55:42 PM CEST 2025] Removing txt: JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk for domain: _acme-challenge.testhost.myown.home
>> [Wed Sep 17 12:55:43 PM CEST 2025] removing _acme-challenge.testhost.myown.home. txt
>> [Wed Sep 17 12:55:43 PM CEST 2025] Successfully removed
>> [Wed Sep 17 12:55:43 PM CEST 2025] Please add '--debug' or '--log' to see more information.
>> [Wed Sep 17 12:55:43 PM CEST 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
>> At 12:49 PM, when ACME.sh registered the account and added the TXT message, I got the following in the journalctl on certificates.myown.home:
>> {
>> "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10fb;b=013473d30295440782ff29490d3dc9fe;m=2d2ac928bed;t=63efcfc2c08c2;x=efdcb09f0f131d1e",
>> "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
>> "_GID" : "996",
>> "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>> "_CAP_EFFECTIVE" : "400",
>> "__REALTIME_TIMESTAMP" : "1758106143688898",
>> "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>> "_SYSTEMD_UNIT" : "step-ca.service",
>> "_UID" : "999",
>> "SYSLOG_IDENTIFIER" : "step-ca",
>> "_PID" : "2226",
>> "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>> "_SELINUX_CONTEXT" : "unconfined\n",
>> "SYSLOG_FACILITY" : "3",
>> "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>> "_EXE" : "/usr/bin/step-ca",
>> "_RUNTIME_SCOPE" : "system",
>> "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
>> "_HOSTNAME" : "certificates",
>> "_COMM" : "step-ca",
>> "__MONOTONIC_TIMESTAMP" : "3103861672941",
>> "_SYSTEMD_SLICE" : "system.slice",
>> "MESSAGE" : "time=\"2025-09-17T12:49:03+02:00\" level=info duration=\"58.755µs\" duration-ns=58755 fields.time=\"2025-09-17T12:49:03+02:00\" method=GET name=ca path=/acme/acme/directory protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=a4421749-4cbd-4128-a22a-3de5ce439a4e response=\"{\\\"newNonce\\\":\\\"https://[redacted].22/acme/acme/new-nonce\\\",\\\"newAccount\\\":\\\"https://[redacted].22/acme/acme/new-account\\\",\\\"newOrder\\\":\\\"https://[redacted].22/acme/acme/new-order\\\",\\\"revokeCert\\\":\\\"https://[redacted].22/acme/acme/revoke-cert\\\",\\\"keyChange\\\":\\\"https://[redacted].22/acme/acme/key-change\\\"}\" size=282 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id=",
>> "PRIORITY" : "6",
>> "_TRANSPORT" : "stdout"
>> }
>> {
>> "_PID" : "2226",
>> "_SYSTEMD_UNIT" : "step-ca.service",
>> "_COMM" : "step-ca",
>> "_GID" : "996",
>> "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
>> "MESSAGE" : "time=\"2025-09-17T12:49:04+02:00\" level=info duration=3.178139ms duration-ns=3178139 fields.time=\"2025-09-17T12:49:04+02:00\" method=HEAD name=ca nonce=UzROdnlhVXc2SHVnbkZOV1YxTVFlamxzV3U3ZVhFa0I path=/acme/acme/new-nonce protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=0063c780-2e22-4b3c-b0e3-e0a9e211619b size=0 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id=",
>> "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10fc;b=013473d30295440782ff29490d3dc9fe;m=2d2ac998662;t=63efcfc330336;x=dab3e11aced4bad7",
>> "_UID" : "999",
>> "SYSLOG_FACILITY" : "3",
>> "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>> "SYSLOG_IDENTIFIER" : "step-ca",
>> "_CAP_EFFECTIVE" : "400",
>> "_SYSTEMD_SLICE" : "system.slice",
>> "_HOSTNAME" : "certificates",
>> "_EXE" : "/usr/bin/step-ca",
>> "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>> "_RUNTIME_SCOPE" : "system",
>> "__REALTIME_TIMESTAMP" : "1758106144146230",
>> "__MONOTONIC_TIMESTAMP" : "3103862130274",
>> "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>> "PRIORITY" : "6",
>> "_SELINUX_CONTEXT" : "unconfined\n",
>> "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>> "_TRANSPORT" : "stdout",
>> "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service"
>> }
>> {
>> "PRIORITY" : "6",
>> "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>> "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>> "SYSLOG_IDENTIFIER" : "step-ca",
>> "_EXE" : "/usr/bin/step-ca",
>> "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
>> "__REALTIME_TIMESTAMP" : "1758106144332324",
>> "_SYSTEMD_SLICE" : "system.slice",
>> "__MONOTONIC_TIMESTAMP" : "3103862316368",
>> "_GID" : "996",
>> "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>> "_HOSTNAME" : "certificates",
>> "_COMM" : "step-ca",
>> "MESSAGE" : "time=\"2025-09-17T12:49:04+02:00\" level=info duration=10.229178ms duration-ns=10229178 fields.time=\"2025-09-17T12:49:04+02:00\" method=POST name=ca nonce=SWEwNVFNczcySlBlZUhwcFNpald0TmJrUEdEekh3V3g path=/acme/acme/new-account protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=3be4d4bb-5479-4904-8b73-b53f0fbbb150 response=\"{\\\"contact\\\":[\\\"mailto:test at test.com\\\"],\\\"status\\\":\\\"valid\\\",\\\"orders\\\":\\\"https://[redacted].22/acme/acme/account/6J2ZJJSxnYO27u6bpFUtBrJ1CCtHkfcA/orders\\\"}\" size=144 status=201 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id=",
>> "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>> "_SELINUX_CONTEXT" : "unconfined\n",
>> "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
>> "_RUNTIME_SCOPE" : "system",
>> "_CAP_EFFECTIVE" : "400",
>> "_TRANSPORT" : "stdout",
>> "_SYSTEMD_UNIT" : "step-ca.service",
>> "_UID" : "999",
>> "SYSLOG_FACILITY" : "3",
>> "_PID" : "2226",
>> "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10fd;b=013473d30295440782ff29490d3dc9fe;m=2d2ac9c5d50;t=63efcfc35da24;x=8d727976330d3e21"
>> }
>> {
>> "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>> "_COMM" : "step-ca",
>> "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>> "_HOSTNAME" : "certificates",
>> "_TRANSPORT" : "stdout",
>> "_GID" : "996",
>> "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
>> "_UID" : "999",
>> "SYSLOG_FACILITY" : "3",
>> "_SYSTEMD_UNIT" : "step-ca.service",
>> "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>> "_PID" : "2226",
>> "PRIORITY" : "6",
>> "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
>> "_CAP_EFFECTIVE" : "400",
>> "__MONOTONIC_TIMESTAMP" : "3103862794284",
>> "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>> "__REALTIME_TIMESTAMP" : "1758106144810241",
>> "_SYSTEMD_SLICE" : "system.slice",
>> "SYSLOG_IDENTIFIER" : "step-ca",
>> "_EXE" : "/usr/bin/step-ca",
>> "_SELINUX_CONTEXT" : "unconfined\n",
>> "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10fe;b=013473d30295440782ff29490d3dc9fe;m=2d2aca3a82c;t=63efcfc3d2501;x=d6ac118a2c53c6a4",
>> "_RUNTIME_SCOPE" : "system",
>> "MESSAGE" : "time=\"2025-09-17T12:49:04+02:00\" level=info duration=17.863338ms duration-ns=17863338 fields.time=\"2025-09-17T12:49:04+02:00\" method=POST name=ca nonce=RmJ1Z0RkY0JXQk9LaEdLcU9PdDZId2NXUW5xcUdqekQ path=/acme/acme/new-order protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=3f8bd00e-6c59-4de8-b5b4-2c51cf2f6bd8 response=\"{\\\"id\\\":\\\"OnEbnpn9KtE5yH27Oflg3BZwTBns4x7t\\\",\\\"status\\\":\\\"pending\\\",\\\"expires\\\":\\\"2025-09-18T10:49:04Z\\\",\\\"identifiers\\\":[{\\\"type\\\":\\\"dns\\\",\\\"value\\\":\\\"testhost.myown.home\\\"}],\\\"notBefore\\\":\\\"2025-09-17T10:48:04Z\\\",\\\"notAfter\\\":\\\"2025-09-18T10:49:04Z\\\",\\\"authorizations\\\":[\\\"https://[redacted].22/acme/acme/authz/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7\\\"],\\\"finalize\\\":\\\"https://[redacted].22/acme/acme/order/OnEbnpn9KtE5yH27Oflg3BZwTBns4x7t/finalize\\\"}\" size=414 status=201 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id="
>> }
>> {
>> "_EXE" : "/usr/bin/step-ca",
>> "_SELINUX_CONTEXT" : "unconfined\n",
>> "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>> "_CAP_EFFECTIVE" : "400",
>> "_PID" : "2226",
>> "SYSLOG_IDENTIFIER" : "step-ca",
>> "_GID" : "996",
>> "SYSLOG_FACILITY" : "3",
>> "_RUNTIME_SCOPE" : "system",
>> "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=10ff;b=013473d30295440782ff29490d3dc9fe;m=2d2aca7f1fb;t=63efcfc416ed0;x=8c246ed311a302e",
>> "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>> "_COMM" : "step-ca",
>> "MESSAGE" : "time=\"2025-09-17T12:49:05+02:00\" level=info duration=5.975201ms duration-ns=5975201 fields.time=\"2025-09-17T12:49:05+02:00\" method=POST name=ca nonce=R3JoSUljRVU0cU5HcGhQeDdwRWJvV2o0RG9EQnBWdlg path=/acme/acme/authz/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7 protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=21a5b8f1-2e06-4270-9c78-36756eed0454 response=\"{\\\"identifier\\\":{\\\"type\\\":\\\"dns\\\",\\\"value\\\":\\\"testhost.myown.home\\\"},\\\"status\\\":\\\"pending\\\",\\\"challenges\\\":[{\\\"type\\\":\\\"dns-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\"https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V\\\"},{\\\"type\\\":\\\"http-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\"https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/zoCrJwaGduKM01OzNFwmk0pUate4MWpp\\\"}],\\\"wildcard\\\":false,\\\"expires\\\":\\\"2025-09-18T10:49:04Z\\\"}\" size=542 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id=",
>> "__MONOTONIC_TIMESTAMP" : "3103863075323",
>> "_SYSTEMD_SLICE" : "system.slice",
>> "_HOSTNAME" : "certificates",
>> "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>> "PRIORITY" : "6",
>> "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>> "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
>> "__REALTIME_TIMESTAMP" : "1758106145091280",
>> "_TRANSPORT" : "stdout",
>> "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
>> "_SYSTEMD_UNIT" : "step-ca.service",
>> "_UID" : "999"
>> }
>> While the ACME.sh script slept for 300 seconds, I ran the following on the DNS server to verify that the TXT record was added correctly: dig @192.168.2.21 TXT _acme-challenge.testhost.myown.home.
>> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @[redacted].21 TXT _acme-challenge.testhost.myown.home.
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37924
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 1232
>> ; COOKIE: db03a0646b58f1cf0100000068ca92262d763b3f9b6e48a7 (good)
>> ;; QUESTION SECTION:
>> ;_acme-challenge.testhost.myown.home. IN TXT
>>
>> ;; ANSWER SECTION:
>> _acme-challenge.testhost.myown.home. 600 IN TXT "JtLRfxGl3S0WZoYaVYJ3BWZCIk011AhHsu-WircaITk"
>>
>> ;; Query time: 0 msec
>> ;; SERVER: [redacted].21#53([redacted].21) (UDP)
>> ;; WHEN: Wed Sep 17 12:49:10 CEST 2025
>> ;; MSG SIZE rcvd: 155
>> From 12:54 PM, when ACME.sh tried to verify the FQDN testhost.myown.home, I got the following output in the journalctl of the PKI for each of the 30 attempts:
>> {
>> "_CAP_EFFECTIVE" : "400",
>> "__MONOTONIC_TIMESTAMP" : "3104165836085",
>> "_SYSTEMD_UNIT" : "step-ca.service",
>> "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>> "PRIORITY" : "6",
>> "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>> "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
>> "_PID" : "2226",
>> "__REALTIME_TIMESTAMP" : "1758106447852041",
>> "SYSLOG_FACILITY" : "3",
>> "_RUNTIME_SCOPE" : "system",
>> "_HOSTNAME" : "certificates",
>> "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
>> "_TRANSPORT" : "stdout",
>> "_COMM" : "step-ca",
>> "MESSAGE" : "time=\"2025-09-17T12:54:07+02:00\" level=info duration=20.569994ms duration-ns=20569994 fields.time=\"2025-09-17T12:54:07+02:00\" method=POST name=ca nonce=M3dsVFlIV2dOR2ZNc0w4RlBkNjV4S3RxTGROMVdQZnE path=/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=cab15bca-630d-471e-953a-2e83afb36dfd response=\"{\\\"type\\\":\\\"dns-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\"https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V\\\",\\\"error\\\":{\\\"type\\\":\\\"urn:ietf:params:acme:error:dns\\\",\\\"detail\\\":\\\"There was a problem with a DNS query during identifier validation\\\"}}\" size=322 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id=",
>> "_EXE" : "/usr/bin/step-ca",
>> "SYSLOG_IDENTIFIER" : "step-ca",
>> "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>> "_UID" : "999",
>> "_GID" : "996",
>> "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>> "_SELINUX_CONTEXT" : "unconfined\n",
>> "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=1100;b=013473d30295440782ff29490d3dc9fe;m=2d2beb3b535;t=63efd0e4d3209;x=4b57da03825cd994",
>> "_SYSTEMD_SLICE" : "system.slice"
>> }
>> {
>> "__CURSOR" : "s=5819b12a49b64582a726181e92d271cb;i=1101;b=013473d30295440782ff29490d3dc9fe;m=2d2bee58f91;t=63efd0e7f0c65;x=a9161de4e298eae5",
>> "_RUNTIME_SCOPE" : "system",
>> "_SYSTEMD_CGROUP" : "/system.slice/step-ca.service",
>> "SYSLOG_IDENTIFIER" : "step-ca",
>> "_COMM" : "step-ca",
>> "_SYSTEMD_SLICE" : "system.slice",
>> "_PID" : "2226",
>> "PRIORITY" : "6",
>> "_CMDLINE" : "/usr/bin/step-ca config/ca.json --password-file /[redacted step path]/secrets/password",
>> "_CAP_EFFECTIVE" : "400",
>> "__MONOTONIC_TIMESTAMP" : "3104169103249",
>> "_GID" : "996",
>> "SYSLOG_FACILITY" : "3",
>> "__REALTIME_TIMESTAMP" : "1758106451119205",
>> "_MACHINE_ID" : "e3c0f10a80284f7fb1f3cd5ef5476c92",
>> "_EXE" : "/usr/bin/step-ca",
>> "_UID" : "999",
>> "_SYSTEMD_UNIT" : "step-ca.service",
>> "_HOSTNAME" : "certificates",
>> "_SELINUX_CONTEXT" : "unconfined\n",
>> "_BOOT_ID" : "013473d30295440782ff29490d3dc9fe",
>> "_TRANSPORT" : "stdout",
>> "_SYSTEMD_INVOCATION_ID" : "85c5974ec43b4e56b4b1c77cef15930e",
>> "_STREAM_ID" : "56b55ea55fd84f62a58435206f03676e",
>> "MESSAGE" : "time=\"2025-09-17T12:54:11+02:00\" level=info duration=5.976054ms duration-ns=5976054 fields.time=\"2025-09-17T12:54:11+02:00\" method=POST name=ca nonce=aU9venZXaHJBOGNKRlBYcUU1WkM5U0NiUmVtczlwckk path=/acme/acme/authz/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7 protocol=HTTP/2.0 referer= remote-address=[redacted].23 request-id=97b6d3c0-7f70-4aec-a83a-8949c26617c6 response=\"{\\\"identifier\\\":{\\\"type\\\":\\\"dns\\\",\\\"value\\\":\\\"testhost.myown.home\\\"},\\\"status\\\":\\\"pending\\\",\\\"challenges\\\":[{\\\"type\\\":\\\"dns-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\"https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/n5wxEJwQaiIUZVtShgqh9Tzu0ypHe92V\\\",\\\"error\\\":{\\\"type\\\":\\\"urn:ietf:params:acme:error:dns\\\",\\\"detail\\\":\\\"There was a problem with a DNS query during identifier validation\\\"}},{\\\"type\\\":\\\"http-01\\\",\\\"status\\\":\\\"pending\\\",\\\"token\\\":\\\"MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh\\\",\\\"url\\\":\\\"https://[redacted].22/acme/acme/challenge/KYqNFxZVSmSG33yfHbjs5pCqAIxeENm7/zoCrJwaGduKM01OzNFwmk0pUate4MWpp\\\"}],\\\"wildcard\\\":false,\\\"expires\\\":\\\"2025-09-18T10:49:04Z\\\"}\" size=669 status=200 user-agent=\"acme.sh/3.1.2 (https://github.com/acmesh-official/acme.sh)\" user-id="
>> }
>> ... This last message is repeated 29 times, for attempts 2 till 30, as shown in the output of acme.sh ...
>> Kind regards,
>> Vinvar
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
>
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>
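The dns-01 exchange in the quoted thread, as an added diagnostic that is not code from acme.sh, certbot, step-ca or BIND: it derives the TXT value a CA expects for a dns-01 challenge from the challenge token and the account key thumbprint (RFC 8555 sections 8.1 and 8.4), and it extracts the ACME error object from `journalctl -o json -u step-ca` records like those pasted above by decoding the logfmt MESSAGE field and the JSON response embedded in it. The journal records in the script are constructed (trimmed to the fields the parser reads, with a documentation address in place of the redacted one); the token and thumbprint in main() are the values printed in the thread.

```python
"""Added diagnostic for the dns-01 flow in this thread (not code from acme.sh,
certbot, step-ca or BIND): derive the TXT value a CA expects for a dns-01
challenge, and pull ACME error objects out of `journalctl -o json -u step-ca`
records so the CA's own view of validation is readable."""
import base64
import hashlib
import json
import re

ACME_DNS_ERROR = "urn:ietf:params:acme:error:dns"


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: token '.' base64url(JWK thumbprint of the account key)."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(key_auth: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(keyAuthorization)) without padding."""
    digest = hashlib.sha256(key_auth.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_record_name(fqdn: str) -> str:
    """Owner name the CA queries for dns-01 (trailing dot normalised away)."""
    return "_acme-challenge." + fqdn.rstrip(".")


# One logfmt key=value pair; quoted values may contain backslash-escaped quotes.
_LOGFMT_PAIR = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_logfmt(message: str) -> dict:
    """Split step-ca's logfmt MESSAGE into a dict, unescaping quoted values."""
    fields = {}
    for key, raw in _LOGFMT_PAIR.findall(message):
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        fields[key] = raw
    return fields


def acme_error_from_entry(entry: dict):
    """Return {'path', 'type', 'detail'} if the record's ACME response carries an
    error object, else None. Challenge responses hold the error at the top
    level; authorization responses nest it under each challenge."""
    fields = parse_logfmt(entry.get("MESSAGE", ""))
    raw = fields.get("response")
    if not raw:
        return None
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(body, dict):
        return None
    for obj in [body] + list(body.get("challenges", [])):
        err = obj.get("error")
        if err:
            return {"path": fields.get("path"), "type": err.get("type"),
                    "detail": err.get("detail")}
    return None


def acme_errors_from_journal(text: str) -> list:
    """Scan `journalctl -o json` output, one JSON object per line."""
    found = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        err = acme_error_from_entry(json.loads(line))
        if err:
            found.append(err)
    return found


# Constructed sample records in the shape of the thread's journal output,
# trimmed to the fields the parser reads; 192.0.2.23 is a documentation address.
def _record(path: str, response: dict) -> str:
    msg = (f'time="2025-09-17T12:54:07+02:00" level=info method=POST name=ca '
           f'path={path} protocol=HTTP/2.0 referer= remote-address=192.0.2.23 '
           f'response={json.dumps(json.dumps(response, separators=(",", ":")))} '
           f'status=200 user-agent="acme.sh/3.1.2" user-id=')
    return json.dumps({"_SYSTEMD_UNIT": "step-ca.service", "MESSAGE": msg})


_DNS_ERR = {"type": ACME_DNS_ERROR,
            "detail": "There was a problem with a DNS query during identifier validation"}
SAMPLE_JOURNAL = "\n".join([
    _record("/acme/acme/directory", {"newNonce": "https://ca.example/acme/acme/new-nonce"}),
    _record("/acme/acme/challenge/AUTHZ-ID/CHAL-ID",
            {"type": "dns-01", "status": "pending", "token": "TOKEN", "error": _DNS_ERR}),
    _record("/acme/acme/authz/AUTHZ-ID",
            {"identifier": {"type": "dns", "value": "testhost.myown.home"},
             "challenges": [{"type": "dns-01", "status": "pending", "error": _DNS_ERR},
                            {"type": "http-01", "status": "pending"}]}),
])


def main() -> None:
    # Token from the authz response and ACCOUNT_THUMBPRINT from the acme.sh
    # output in the thread; compare the printed value with the TXT that dig shows.
    token = "MjJKsBOb7QhF8NLH9OUNgVzfNNXky6rh"
    thumbprint = "7juVi3uRQTaf2qUTEvOB9faQfCjoNUHUNj-VFxyC284"
    print(challenge_record_name("testhost.myown.home"), "TXT",
          dns01_txt_value(key_authorization(token, thumbprint)))
    for err in acme_errors_from_journal(SAMPLE_JOURNAL):
        print(f"{err['path']}: {err['type']}: {err['detail']}")


if __name__ == "__main__":
    main()
```

Run it against real output with `journalctl -u step-ca -o json | python3 -c 'import sys, dns01_check; print(dns01_check.acme_errors_from_journal(sys.stdin.read()))'` (module name assumed). The point the thread turns on is who resolves the name: the CA checks the record through the resolver configured on the CA host, not through the authoritative server the client just updated, so a dig @ns1 that shows the record says nothing about what the CA saw. Running plain `dig TXT _acme-challenge.testhost.myown.home` (no @server) on the CA host and comparing it with the value this script prints separates "record not published" from "record not visible to the CA".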