cert-manager: rfc2136 seems to not work with deep subdomains

Describe the bug: For zone foo.com I can create a cert for bar.foo.com but not baz.bar.foo.com. From what I can tell the zone update is going to bar.foo.com, not foo.com, so it’s rejected by the server.

Expected behaviour: the zone update sent to the server should be for zone foo.com, NOT bar.foo.com.

Steps to reproduce the bug:

  1. Have a working rfc2136 setup (preferably with bind).
  2. Try to create a deeper subdomain certificate.
  3. Watch as the server rejects the update with: update failed: not authoritative for update zone (NOTAUTH)

Anything else we need to know?:

I have a tcpdump/pcap that I THINK shows the error. There’s no instance of foo.com on its own in the file, only bar.foo.com and deeper, so I think that means updates are being sent for the wrong zone.

/kind bug
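The failure described above comes down to which zone an RFC 2136 update is addressed to: the server only accepts updates for a zone it is authoritative for (the one whose apex carries the SOA record), and answers NOTAUTH otherwise. The following is an added illustration, not cert-manager's own code, of how a DNS-01 solver can find the correct zone for a deep name by walking up the labels until it reaches an SOA. The `ZoneLookup` callback and the `SampleZones` table are constructed stand-ins for a real nameserver query; in production the lookup would be an SOA query against the authoritative or recursive resolver.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ZoneLookup reports whether the given FQDN (with trailing dot) owns an SOA
// record, i.e. whether it is a zone apex. Assumption: in real code this is a
// DNS SOA query; here it is injected so the example runs offline.
type ZoneLookup func(fqdn string) bool

// SampleZones is a constructed stand-in for the nameserver's view: foo.com is
// a single zone (bar.foo.com is merely a subdomain inside it), while
// sub.example is delegated as its own zone with its own SOA.
var SampleZones = map[string]bool{
	"foo.com.":     true,
	"example.":     true,
	"sub.example.": true,
}

// SampleLookup answers zone-apex questions from the constructed table.
func SampleLookup(fqdn string) bool { return SampleZones[canonical(fqdn)] }

// canonical lower-cases a name and guarantees a single trailing dot.
func canonical(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".") + "."
}

// FindZone walks up the labels of fqdn, returning the first ancestor (or the
// name itself) that is a zone apex. For _acme-challenge.baz.bar.foo.com this
// yields foo.com. when bar.foo.com has no SOA of its own, which is the zone
// the RFC 2136 update must name to avoid a NOTAUTH rejection.
func FindZone(fqdn string, hasSOA ZoneLookup) (string, error) {
	name := canonical(fqdn)
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for i := 0; i < len(labels); i++ {
		candidate := strings.Join(labels[i:], ".") + "."
		if hasSOA(candidate) {
			return candidate, nil
		}
	}
	return "", errors.New("no zone apex found for " + fqdn)
}

// UpdateTarget pairs the challenge record name with the zone its dynamic
// update must be sent for. The record name is the full challenge FQDN; only
// the zone field of the update message changes with depth.
func UpdateTarget(challengeFQDN string, hasSOA ZoneLookup) (zone, record string, err error) {
	zone, err = FindZone(challengeFQDN, hasSOA)
	if err != nil {
		return "", "", err
	}
	return zone, canonical(challengeFQDN), nil
}

func main() {
	for _, name := range []string{
		"_acme-challenge.bar.foo.com",
		"_acme-challenge.baz.bar.foo.com",
		"_acme-challenge.deep.sub.example",
	} {
		zone, record, err := UpdateTarget(name, SampleLookup)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("update zone=%s add TXT %s\n", zone, record)
	}
}
```

The point of the walk-up is that the zone cannot be inferred from label depth alone: baz.bar.foo.com and bar.foo.com both live in zone foo.com, while a name under a delegated child such as sub.example must be updated in that child zone. A resolver that is not authoritative (for instance a cluster-internal DNS that rewrites or short-circuits queries) can make the SOA walk land on the wrong name, which is one way to end up with an update addressed to bar.foo.com.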

Most upvoted comments

OK, changed the cluster-domain and redeployed a bunch of stuff; it seems to be working.

I’d say this is an interaction with cluster-domain. It might not happen if --dns01-recursive-nameservers-only and --dns01-recursive-nameservers are set, not sure.