[SOLVED] Stale DNS records (it's always DNS)

I’ve been tearing my hair out trying to figure out why my ACME-DNS challenges weren’t working for just one of my domains (well, *.riff.cc)

Turns out

zorlin@durian ~ $ dig -t TXT _acme-challenge.riff.cc

; <<>> DiG 9.16.48 <<>> -t TXT _acme-challenge.riff.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5823
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.riff.cc.       IN      TXT

;; ANSWER SECTION:
_acme-challenge.riff.cc. 207    IN      TXT     "ii9WIXF_GV0Er1U3mPWUavuCxJYOXfcTauVdbwKczFg"
_acme-challenge.riff.cc. 207    IN      TXT     "lc7b0j0Tcx8hd2UqjpuxEywDcFX1_mhwJfz4M6wCNnc"

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Feb 24 10:46:31 UTC 2024
;; MSG SIZE  rcvd: 164

zorlin@durian ~ $ dig -t TXT _acme-challenge.riff.cc

; <<>> DiG 9.16.48 <<>> -t TXT _acme-challenge.riff.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5823
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.riff.cc.       IN      TXT

;; ANSWER SECTION:
_acme-challenge.riff.cc. 207    IN      TXT     "ii9WIXF_GV0Er1U3mPWUavuCxJYOXfcTauVdbwKczFg"
_acme-challenge.riff.cc. 207    IN      TXT     "lc7b0j0Tcx8hd2UqjpuxEywDcFX1_mhwJfz4M6wCNnc"

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Feb 24 10:46:31 UTC 2024
;; MSG SIZE  rcvd: 164

zorlin@durian ~ $ dig -t TXT _acme-challenge.riff.cc

; <<>> DiG 9.16.48 <<>> -t TXT _acme-challenge.riff.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5823
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.riff.cc.       IN      TXT

;; ANSWER SECTION:
_acme-challenge.riff.cc. 207    IN      TXT     "ii9WIXF_GV0Er1U3mPWUavuCxJYOXfcTauVdbwKczFg"
_acme-challenge.riff.cc. 207    IN      TXT     "lc7b0j0Tcx8hd2UqjpuxEywDcFX1_mhwJfz4M6wCNnc"

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Feb 24 10:46:31 UTC 2024
;; MSG SIZE  rcvd: 164

zorlin@durian ~ $ dig -t TXT _acme-challenge.riff.cc

; <<>> DiG 9.16.48 <<>> -t TXT _acme-challenge.riff.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5823
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.riff.cc.       IN      TXT

;; ANSWER SECTION:
_acme-challenge.riff.cc. 207    IN      TXT     "ii9WIXF_GV0Er1U3mPWUavuCxJYOXfcTauVdbwKczFg"
_acme-challenge.riff.cc. 207    IN      TXT     "lc7b0j0Tcx8hd2UqjpuxEywDcFX1_mhwJfz4M6wCNnc"

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Feb 24 10:46:31 UTC 2024
;; MSG SIZE  rcvd: 164

There are two “ghost” TXT records that are still being served even though they were deleted a long time ago.

If I add a new record to Cloudflare under that name:

zorlin@durian ~ $ dig -t TXT _acme-challenge.riff.cc @1.1.1.1

; <<>> DiG 9.16.48 <<>> -t TXT _acme-challenge.riff.cc @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41513
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.riff.cc.       IN      TXT

;; ANSWER SECTION:
_acme-challenge.riff.cc. 300    IN      TXT     "TESTING"
_acme-challenge.riff.cc. 300    IN      TXT     "ii9WIXF_GV0Er1U3mPWUavuCxJYOXfcTauVdbwKczFg"
_acme-challenge.riff.cc. 300    IN      TXT     "lc7b0j0Tcx8hd2UqjpuxEywDcFX1_mhwJfz4M6wCNnc"

;; Query time: 10 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Feb 24 10:50:54 UTC 2024
;; MSG SIZE  rcvd: 184

zorlin@durian ~ $ dig -t TXT _acme-challenge.riff.cc @1.1.1.1

; <<>> DiG 9.16.48 <<>> -t TXT _acme-challenge.riff.cc @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41513
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.riff.cc.       IN      TXT

;; ANSWER SECTION:
_acme-challenge.riff.cc. 300    IN      TXT     "TESTING"
_acme-challenge.riff.cc. 300    IN      TXT     "ii9WIXF_GV0Er1U3mPWUavuCxJYOXfcTauVdbwKczFg"
_acme-challenge.riff.cc. 300    IN      TXT     "lc7b0j0Tcx8hd2UqjpuxEywDcFX1_mhwJfz4M6wCNnc"

;; Query time: 10 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Feb 24 10:50:54 UTC 2024
;; MSG SIZE  rcvd: 184

zorlin@durian ~ $ dig -t TXT _acme-challenge.riff.cc @1.1.1.1

; <<>> DiG 9.16.48 <<>> -t TXT _acme-challenge.riff.cc @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41513
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.riff.cc.       IN      TXT

;; ANSWER SECTION:
_acme-challenge.riff.cc. 300    IN      TXT     "TESTING"
_acme-challenge.riff.cc. 300    IN      TXT     "ii9WIXF_GV0Er1U3mPWUavuCxJYOXfcTauVdbwKczFg"
_acme-challenge.riff.cc. 300    IN      TXT     "lc7b0j0Tcx8hd2UqjpuxEywDcFX1_mhwJfz4M6wCNnc"

;; Query time: 10 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Feb 24 10:50:54 UTC 2024
;; MSG SIZE  rcvd: 184

zorlin@durian ~ $ dig -t TXT _acme-challenge.riff.cc @1.1.1.1

; <<>> DiG 9.16.48 <<>> -t TXT _acme-challenge.riff.cc @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41513
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.riff.cc.       IN      TXT

;; ANSWER SECTION:
_acme-challenge.riff.cc. 300    IN      TXT     "TESTING"
_acme-challenge.riff.cc. 300    IN      TXT     "ii9WIXF_GV0Er1U3mPWUavuCxJYOXfcTauVdbwKczFg"
_acme-challenge.riff.cc. 300    IN      TXT     "lc7b0j0Tcx8hd2UqjpuxEywDcFX1_mhwJfz4M6wCNnc"

;; Query time: 10 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Feb 24 10:50:54 UTC 2024
;; MSG SIZE  rcvd: 184

It shows up. If I remove that record, it goes back to the “ghost two”.

How the heck do I get rid of the bad records?

Erisa•2/24/24, 11:03 AM

On SSL/TLS > Edge certificates, there are no pending certificates, they're all active?

Erisa•2/24/24, 11:04 AM

_acme-challenge is used by Cloudflare to issue edge certificates but typically we would clean up the records after issuance is complete

WingsOP•2/24/24, 11:06 AM

These records had been there for at least 12 hours

WingsOP•2/24/24, 11:06 AM

There's an Active certificate that expires on 2024-05-15

WingsOP•2/24/24, 11:07 AM

I disabled Universal SSL to "fix" it which works, but as soon as I re-enable it new records appear that do not go away (even after 5-10 minutes)

WingsOP•2/24/24, 11:12 AM

Waited 5 minutes and that Active certificate is completely gone now... going to wait the full 10 and re-enable Universal

WingsOP•2/24/24, 11:17 AM

Oh thank god. Turned everything back on and the ghost records are still gone.

Erisa•2/24/24, 11:38 AM

Phew

Erisa•2/24/24, 11:39 AM

That must have kicked the process to clean them up

WingsOP•2/24/24, 3:39 PM

Thanks for the help!

Gustavo Hellwig•2/29/24, 11:57 AM

hey, I have the same issue as this. Is anyone with an answer?

[SOLVED] Stale DNS records (it's always DNS)

Similar Threads

Similar Threads

Similar Threads