Hi,
I did in fact double check and create new keys, but I think it might be the soa lookup in the certmagic library.
I have an internal dns server setup that re-directs all my hostnames to my local ip, it has a capture on fremnet.net and is answering just fine, but apparently is returning nothing for soa lookups.
dig @10.0.0.3 soa fremnet.net
; <<>> DiG 9.16.15 <<>> @10.0.0.3 soa fremnet.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24824
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;fremnet.net. IN SOA
;; Query time: 0 msec
;; SERVER: 10.0.0.3#53(10.0.0.3)
;; WHEN: Tue Mar 07 17:00:10 AEST 2023
;; MSG SIZE rcvd: 29
vs
dig @1.1.1.1 soa fremnet.net
; <<>> DiG 9.16.15 <<>> @1.1.1.1 soa fremnet.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29374
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fremnet.net. IN SOA
;; ANSWER SECTION:
fremnet.net. 3600 IN SOA aurora.ns.cloudflare.com. dns.cloudflare.com. 2303657986 10000 2400 604800 3600
;; Query time: 7 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Mar 07 17:01:02 AEST 2023
;; MSG SIZE rcvd: 104
Might be worth either trying to work around that… or documenting it… perhaps spitting out an error when it gets an empty soa…
Edit: I can work around it by specifying tls.resolvers
Definitely still might be worth figuring out that a root zone soa might not be what someone’s looking for and spitting out a warning with the intent of informing the user something about that is borked (I saw a couple of other issues when I was searching between github repos that might be related)
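As an added example (not the poster's code, and not certmagic's or Caddy's own logic): a small Go zone finder that walks up the labels with SOA queries and refuses to continue on an all-empty answer, i.e. the kind of explicit warning suggested above. It shells out to dig as in the post; the function names, the DigLookup wrapper and the command-line arguments are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)
// Lookup returns the SOA RDATA lines for one name; an empty slice with a nil
// error is a NOERROR/empty answer, which is what the internal resolver above returns.
type Lookup func(name string) ([]string, error)
// FindZone walks up the labels (host.example.net. -> example.net. -> net.) until
// an SOA appears, and fails loudly when every level is empty rather than guessing.
func FindZone(fqdn string, lookup Lookup) (string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".") + "."
		answers, err := lookup(candidate)
		if err != nil {
			return "", fmt.Errorf("SOA lookup for %s failed: %w", candidate, err)
		}
		if len(answers) > 0 {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("no SOA for %s or any parent zone (every answer was empty): check the resolver or configure explicit resolvers", fqdn)
}

// DigLookup shells out to dig (assumed installed), the tool used in the post;
// `dig +short` prints nothing for an empty answer or NXDOMAIN, so both mean "no SOA".
func DigLookup(resolver string) Lookup {
	return func(name string) ([]string, error) {
		out, err := exec.Command("dig", "+short", "@"+resolver, "soa", name).Output()
		text := strings.TrimSpace(string(out))
		if err != nil || text == "" {
			return nil, err
		}
		return strings.Split(text, "\n"), nil
	}
}
func main() {
	// Usage: go run . <resolver-ip> <fqdn>, e.g. 10.0.0.3 fremnet.net from the post.
	zone, err := FindZone(os.Args[2], DigLookup(os.Args[1]))
	if err != nil {
		fmt.Fprintln(os.Stderr, "warning:", err)
		os.Exit(1)
	}
	fmt.Println("zone:", zone)
}
```

Run it against both resolvers from the post: the public one should print the zone, the internal one should exit with the warning instead of silently moving on.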