

@Integralist
Last active March 26, 2025 18:05

Revisions

  1. Integralist revised this gist Mar 26, 2025. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions DNS Delegation.md
    @@ -2,6 +2,8 @@

    If a domain owner wants to use another company for handling DNS management over its domain, then they can update the "Name Servers" for their domain wherever DNS is currently managed, and set the Name Servers to a different DNS provider.

    This is known as DNS _delegation_.

    Once that Name Server change has propagated, the new DNS provider will be responsible for managing DNS records for the domain.

    ## CNAME redirection magic
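    Review bot: "wherever DNS is currently managed" in the first context line is the wrong place for the Name Server change; the NS records that delegate a domain live in the parent zone and are set through the registrar, so editing NS at the current DNS provider changes nothing unless that provider is also the registrar. Suggest "update the Name Servers for their domain at the registrar (or wherever the domain's delegation is managed)". "Once that Name Server change has propagated" would also be more precise as "once the old NS records have expired from caches (TTL)".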
  2. Integralist revised this gist Mar 26, 2025. 1 changed file with 7 additions and 1 deletion.
    8 changes: 7 additions & 1 deletion DNS Delegation.md
    @@ -1,8 +1,14 @@
    ## DNS Management and Delegation

    If a domain owner wants to use another company for handling DNS management over its domain, then they can update the "Name Servers" for their domain wherever DNS is currently managed, and set the Name Servers to a different DNS provider.

    Once that Name Server change has propagated, the new DNS provider will be responsible for managing DNS records for the domain.

    DNS Delegation is where a domain owner can _delegate_ the DNS control for a _specific_ 'record'.
    ## CNAME redirection magic

    Through a CNAME, a domain owner can delegate the DNS resolution for a specific hostname to another service, enabling that service to provide the necessary records (like TXT) for that name.

    ## Example

    So as an example, let's say I'm onboarding my domain `integralist.co.uk` with Fastly and Fastly is going to manage a TLS certificate for me using a popular Certificate Authority (CA) such as Let's Encrypt.
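    Review bot: the new "CNAME redirection magic" paragraph says a CNAME "delegate[s] the DNS resolution for a specific hostname to another service", but a CNAME is an alias, not a delegation: it aliases one owner name (and every record type at that name) to a target name, whereas delegation proper is done with NS records for a whole subtree. Since this revision also removes the line "DNS Delegation is where a domain owner can _delegate_ the DNS control for a _specific_ 'record'", consider stating the distinction here, e.g. "Strictly this is aliasing rather than delegation: whoever controls the target name controls what any query for the alias returns, so the alias should be removed once the arrangement ends."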

  3. Integralist revised this gist Mar 26, 2025. 1 changed file with 4 additions and 0 deletions.
    4 changes: 4 additions & 0 deletions DNS Delegation.md
    @@ -30,6 +30,10 @@ This means, it'll restart the query for the TXT record but will look for `<uniqu

    The DNS will naturally follow the `<unique-id>.fastly-validations.com` to where Fastly controls the DNS, and Fastly has set-up that TXT record with the secret TXT value that the CA originally asked for.

    ## Diagram

    The following is a very rough proximation of steps...

    ```mermaid
    sequenceDiagram
    participant User
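    Review bot: "proximation" in "a very rough proximation of steps" should be "approximation".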
  4. Integralist revised this gist Mar 26, 2025. 1 changed file with 51 additions and 1 deletion.
    52 changes: 51 additions & 1 deletion DNS Delegation.md
    @@ -28,4 +28,54 @@ Standard DNS resolver behavior dictates that when looking for a specific record
    This means, it'll restart the query for the TXT record but will look for `<unique-id>.fastly-validations.com` as the value.

    The DNS will naturally follow the `<unique-id>.fastly-validations.com` to where Fastly controls the DNS, and Fastly has set-up that TXT record with the secret TXT value that the CA originally asked for.
    The DNS will naturally follow the `<unique-id>.fastly-validations.com` to where Fastly controls the DNS, and Fastly has set-up that TXT record with the secret TXT value that the CA originally asked for.

    ```mermaid
    sequenceDiagram
    participant User
    participant Fastly as Fastly Platform
    participant UserDNS as User's DNS Provider
    participant FastlyDNS as Fastly's DNS Provider
    participant AcmeCA as ACME CA Server
    participant AcmeResolver as ACME CA's DNS Resolver
    Note over User, FastlyDNS: Pre-requisite: User Configures DNS
    User->>UserDNS: Create CNAME record: _acme-challenge.integralist.co.uk -> <unique-id>.fastly-validations.com
    Note over User, Fastly: User Initiates Certificate Process
    User->>Fastly: Request TLS Certificate for integralist.co.uk
    Note over Fastly, AcmeCA: Fastly Starts ACME Order
    Fastly->>AcmeCA: Initiate certificate order (DNS-01 challenge)
    AcmeCA-->>Fastly: Respond with Challenge (Domain: _acme-challenge.integralist.co.uk, Token: TOKEN_VALUE)
    Note over Fastly, FastlyDNS: Fastly Prepares Validation Record
    Fastly->>FastlyDNS: Create TXT record for <unique-id>.fastly-validations.com with value "TOKEN_VALUE"
    FastlyDNS-->>Fastly: TXT record created/updated
    Note over Fastly, AcmeCA: Fastly Signals Readiness
    Fastly->>AcmeCA: Ready for challenge validation
    Note over AcmeCA, AcmeResolver: ACME CA Initiates Verification
    AcmeCA->>AcmeResolver: Verify domain control for integralist.co.uk (check TXT at _acme-challenge...)
    Note over AcmeResolver, UserDNS: Resolver Query 1 (Original Domain)
    AcmeResolver->>UserDNS: Query: TXT record for _acme-challenge.integralist.co.uk?
    UserDNS-->>AcmeResolver: Response: CNAME <unique-id>.fastly-validations.com
    Note over AcmeResolver, FastlyDNS: Resolver Query 2 (Following CNAME)
    AcmeResolver->>FastlyDNS: Query: TXT record for <unique-id>.fastly-validations.com?
    FastlyDNS-->>AcmeResolver: Response: TXT "TOKEN_VALUE"
    Note over AcmeResolver, AcmeCA: Resolver Reports Result
    AcmeResolver-->>AcmeCA: Found TXT record with value "TOKEN_VALUE"
    Note over AcmeCA, Fastly: ACME CA Validates and Issues
    AcmeCA->>AcmeCA: Compare found TOKEN_VALUE with expected TOKEN_VALUE
    alt Validation Successful
    AcmeCA-->>Fastly: Challenge successful, issuing certificate
    Fastly->>Fastly: Receive and deploy certificate
    else Validation Failed
    AcmeCA-->>Fastly: Challenge failed
    end
    ```
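    Review bot: the TXT value in the diagram is not what dns-01 actually publishes. The CA's challenge returns a token, but the record the CA looks up must contain the base64url SHA-256 digest of the key authorization (token + "." + the ACME account key's JWK thumbprint), per RFC 8555 section 8.4, not the raw token; so "Create TXT record for <unique-id>.fastly-validations.com with value "TOKEN_VALUE"" and "Response: TXT "TOKEN_VALUE"" should carry a derived value (e.g. DIGEST_VALUE), and "Compare found TOKEN_VALUE with expected TOKEN_VALUE" should say the CA recomputes the digest from the token and the account key. That binding is also the point worth showing: a stale or copied record cannot satisfy a challenge opened by a different ACME account. Minor: "Fastly Signals Readiness" follows "TXT record created/updated" with no wait step, whereas in practice the record must be served by all of Fastly's authoritative servers before readiness is signalled, otherwise the resolver can cache a negative answer.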
  5. Integralist revised this gist Mar 26, 2025. 1 changed file with 8 additions and 0 deletions.
    8 changes: 8 additions & 0 deletions DNS Delegation.md
    @@ -18,6 +18,14 @@ Now remember, the CA itself is expecting a TXT record called `_acme-challenge.in

    Standard DNS resolver behavior dictates that when looking for a specific record type (like TXT) and encountering a CNAME, the resolver should restart the query for the original record type but using the target of the CNAME.

    > [!NOTE]
    > To be clear, the DNS resolver doesn't _choose_ to look at the CNAME instead of the TXT; rather, when it asks for the TXT record, the authoritative server responds with the CNAME because:
    >
    > a) The CNAME exists for that name.\
    > b) The DNS rules forbid a TXT record (or most other types) from existing at the same name as the CNAME.
    >
    > Receiving the CNAME record triggers the standard resolver behavior to follow the alias and re-query for the original record type (TXT) at the target name. It "automatically sees the CNAME" because that's the data the authoritative server provides in response to its TXT query, due to the CNAME's exclusive nature.
    This means, it'll restart the query for the TXT record but will look for `<unique-id>.fastly-validations.com` as the value.

    The DNS will naturally follow the `<unique-id>.fastly-validations.com` to where Fastly controls the DNS, and Fastly has set-up that TXT record with the secret TXT value that the CA originally asked for.
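    Review bot: the inserted `> [!NOTE]` block ends at "...due to the CNAME's exclusive nature." with no blank line before "This means, it'll restart the query...", so Markdown lazy continuation pulls that sentence into the blockquote; add an empty line after the last `>` line. On content, (b) is slightly overstated: RFC 1034 section 3.6.2 says a node holding a CNAME should have no other data, and the DNSSEC records (RRSIG, NSEC/NSEC3) are the accepted exceptions, which is presumably what "most other types" alludes to, so naming them would be clearer. The phrase It "automatically sees the CNAME" also quotes wording that does not appear anywhere else in the file; drop the quotation marks or quote the sentence it answers.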
  6. Integralist revised this gist Mar 26, 2025. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion DNS Delegation.md
    @@ -4,7 +4,7 @@ Once that Name Server change has propagated, the new DNS provider will be respon

    DNS Delegation is where a domain owner can _delegate_ the DNS control for a _specific_ 'record'.

    So as an example, let's say I'm onboarding my domain `integralist.co.uk` with Fastly and Fastly is going to manage a TLS certificate for me using a populate Certificate Authority (CA) such as Let's Encrypt.
    So as an example, let's say I'm onboarding my domain `integralist.co.uk` with Fastly and Fastly is going to manage a TLS certificate for me using a popular Certificate Authority (CA) such as Let's Encrypt.

    The CA (as part of `dns-01` ACME validation) needs to prove that I own the domain before it will issue a certificate. So it asks that the domain owner create a TXT record like `_acme-challenge.integralist.co.uk` with a specific value. It'll then check if that has been done, and if so, it'll issue a TLS certificate.
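    Review bot: "The CA (as part of `dns-01` ACME validation) needs to prove that I own the domain" in the trailing context line has the parties backwards; the CA needs the requester to prove control of the domain (ACME validates control, not ownership). Suggest "needs me to prove that I control the domain before it will issue a certificate". The changed line's fix ("populate" to "popular") looks right.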

  7. Integralist revised this gist Mar 26, 2025. 1 changed file with 3 additions and 1 deletion.
    4 changes: 3 additions & 1 deletion DNS Delegation.md
    @@ -1,4 +1,6 @@
    If a domain owner wants to use another company for handling DNS management over its domain, then they can update the "Name Servers" for their domain wherever DNS is currently managed, and set the Name Servers to a different DNS provider. Once that Name Server change has propagated, the new DNS provider will be responsible for managing DNS records for the domain.
    If a domain owner wants to use another company for handling DNS management over its domain, then they can update the "Name Servers" for their domain wherever DNS is currently managed, and set the Name Servers to a different DNS provider.

    Once that Name Server change has propagated, the new DNS provider will be responsible for managing DNS records for the domain.

    DNS Delegation is where a domain owner can _delegate_ the DNS control for a _specific_ 'record'.
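    Review bot: the retained context line "DNS Delegation is where a domain owner can _delegate_ the DNS control for a _specific_ 'record'" does not match either mechanism the file describes: changing Name Servers delegates the whole zone, and the CNAME in the example aliases a whole owner name, not one record type. A CNAME cannot hand over just the TXT at `_acme-challenge` while keeping other types local, which is exactly why no TXT may coexist with it. Suggest "delegate control of a specific _name_ by aliasing it". The paragraph split itself reads better.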

  8. Integralist revised this gist Mar 26, 2025. No changes.
  9. Integralist created this gist Mar 26, 2025.
    21 changes: 21 additions & 0 deletions DNS Delegation.md
    @@ -0,0 +1,21 @@
    If a domain owner wants to use another company for handling DNS management over its domain, then they can update the "Name Servers" for their domain wherever DNS is currently managed, and set the Name Servers to a different DNS provider. Once that Name Server change has propagated, the new DNS provider will be responsible for managing DNS records for the domain.

    DNS Delegation is where a domain owner can _delegate_ the DNS control for a _specific_ 'record'.

    So as an example, let's say I'm onboarding my domain `integralist.co.uk` with Fastly and Fastly is going to manage a TLS certificate for me using a populate Certificate Authority (CA) such as Let's Encrypt.

    The CA (as part of `dns-01` ACME validation) needs to prove that I own the domain before it will issue a certificate. So it asks that the domain owner create a TXT record like `_acme-challenge.integralist.co.uk` with a specific value. It'll then check if that has been done, and if so, it'll issue a TLS certificate.

    Now I (as the domain owner) am not communicating with the CA. Fastly is. So Fastly is the one being given the information from the CA as to the TXT record that needs to be created. But Fastly doesn't show me that information. That's because Fastly wants to be responsible for managing TLS certificate _renewals_. It would be annoying if Fastly had to keep coming back to me (as the domain owner) every time the TLS certificate was going to expire and ask me to update my DNS each time with whatever new TXT challenge record the CA is asking to be created to verify domain ownership.

    So, Fastly instead asks me to create a CNAME record called `_acme-challenge.integralist.co.uk`. This record name is the same as the TXT record name the CA is expecting, but importantly, it's a CNAME record, not a TXT record.

    Fastly will ask me to create this CNAME record with a value like `<unique-id>.fastly-validations.com`.

    Now remember, the CA itself is expecting a TXT record called `_acme-challenge.integralist.co.uk` to be created.

    Standard DNS resolver behavior dictates that when looking for a specific record type (like TXT) and encountering a CNAME, the resolver should restart the query for the original record type but using the target of the CNAME.

    This means, it'll restart the query for the TXT record but will look for `<unique-id>.fastly-validations.com` as the value.

    The DNS will naturally follow the `<unique-id>.fastly-validations.com` to where Fastly controls the DNS, and Fastly has set-up that TXT record with the secret TXT value that the CA originally asked for.
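    Review bot: "will look for `<unique-id>.fastly-validations.com` as the value" in the penultimate line is inaccurate; the CNAME target becomes the new query name, and the resolver asks for the TXT record at that name, the TXT's value being what the CA then compares. Suggest "will restart the TXT query using `<unique-id>.fastly-validations.com` as the name". "The secret TXT value" in the last line is also misleading: the value is published in public DNS and is not a secret; it is the binding of the value to the ACME account that opened the order that prevents reuse. Worth adding one sentence on the consequence: with this CNAME in place, whoever controls `<unique-id>.fastly-validations.com` can satisfy dns-01 challenges for `integralist.co.uk`, so the record should be removed when the domain leaves Fastly.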