Patch release fixing a P0 regression in Azure DNS-01 alias mode.
Fix
- Azure alias mode against sub-delegated validation zones (#243) — issuance failed with "Resource group … does not contain the DNS zone" when the validation zone was a delegated subdomain (e.g.
acme-validation.example.comunderexample.com). Lexicon resolves the hosted zone with tldextract by default, collapsing any name to the registered domain, so the delegated zone was never matched — the v2.8.1/v2.8.2 attempt couldn't work for the same reason. CertMate now sets Lexicon'sresolve_zone_namefor Azure, resolving the real zone via a dnspython SOA lookup from the full alias FQDN.
Upgrade recommended for anyone using Azure DNS alias mode with a delegated validation zone. Thanks to @jensaops for the diagnosis and POC.