DNS propagation check succeeds if any configured resolver succeeds (#274)
* Changed solver DNS propagation check to only check authoritative nameservers directly if there are no explicitly given resolvers. * Changed solver DNS propagation check to only succeed if any one of the checked nameservers has the required TXT entry
This commit is contained in:
parent
7a2236bee7
commit
c3c4a1263a
34
dnsutil.go
34
dnsutil.go
@ -210,8 +210,10 @@ func populateNameserverPorts(servers []string) {
}
}
// checkDNSPropagation checks if the expected TXT record has been propagated to all authoritative nameservers.
func checkDNSPropagation(fqdn, value string, resolvers []string) (bool, error) {
// checkDNSPropagation checks if the expected TXT record has been propagated.
// If checkAuthoritativeServers is true, the authoritative nameservers are checked directly,
// otherwise only the given resolvers are checked.
func checkDNSPropagation(fqdn, value string, resolvers []string, checkAuthoritativeServers bool) (bool, error) {
if !strings.HasSuffix(fqdn, ".") {
fqdn += "."
}
@ -226,18 +228,22 @@ func checkDNSPropagation(fqdn, value string, resolvers []string) (bool, error) {
fqdn = updateDomainWithCName(r, fqdn)
}
authoritativeNss, err := lookupNameservers(fqdn, resolvers)
if err != nil {
return false, err
if checkAuthoritativeServers {
authoritativeServers, err := lookupNameservers(fqdn, resolvers)
if err != nil {
return false, err
}
populateNameserverPorts(authoritativeServers)
resolvers = authoritativeServers
}
return checkAuthoritativeNss(fqdn, value, authoritativeNss)
return checkNameservers(fqdn, value, resolvers)
}
// checkAuthoritativeNss queries each of the given nameservers for the expected TXT record.
func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, error) {
// checkNameservers checks if any of the given nameservers has the expected TXT record.
func checkNameservers(fqdn, value string, nameservers []string) (bool, error) {
for _, ns := range nameservers {
r, err := dnsQuery(fqdn, dns.TypeTXT, []string{net.JoinHostPort(ns, "53")}, true)
r, err := dnsQuery(fqdn, dns.TypeTXT, []string{ns}, true)
if err != nil {
return false, err
}
@ -252,23 +258,17 @@ func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, erro
return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn)
}
var found bool
for _, rr := range r.Answer {
if txt, ok := rr.(*dns.TXT); ok {
record := strings.Join(txt.Txt, "")
if record == value {
found = true
break
return true, nil
}
}
}
if !found {
return false, nil
}
}
return true, nil
return false, nil
}
// lookupNameservers returns the authoritative nameservers for the given fqdn.
@ -361,6 +361,7 @@ func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error
const interval = 2 * time.Second
// how we'll do the checks
checkAuthoritativeServers := len(s.Resolvers) == 0
resolvers := recursiveNameservers(s.Resolvers)
var err error
@ -372,7 +373,7 @@ func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error
return ctx.Err()
}
var ready bool
ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers)
ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers, checkAuthoritativeServers)
if err != nil {
return fmt.Errorf("checking DNS propagation of %q: %w", dnsName, err)
}
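Review bot: `checkNameservers` still aborts on the first nameserver that fails — the `if err != nil { return false, err }` right after the `dnsQuery` call, and the `return false, fmt.Errorf("NS %s returned %s for %s", ...)` rcode branch in the next hunk — so one unreachable or lagging resolver returns an error before a later one that does hold the record is ever queried, which contradicts the "succeeds if any configured resolver succeeds" intent stated in the commit message. A version consistent with that intent remembers the failure, moves on to the next nameserver, and only returns the remembered error once no nameserver has answered with the expected TXT value; the sketch below does that, leaving the rcode condition line (which sits in the gap between the two hunks) as a comment. The new doc comment on the function should then say so explicitly, e.g. `// A query error or non-success rcode from one nameserver does not fail the check unless no nameserver returns the record.`. Note also that when `checkAuthoritativeServers` is true the same loop now accepts a single authoritative server holding the record as "propagated", so the CA may still query a server that lags behind; that appears to be the intended trade-off, but it is worth recording in the comment on `checkDNSPropagation` as well.

```go
func checkNameservers(fqdn, value string, nameservers []string) (bool, error) {
	var lastErr error
	for _, ns := range nameservers {
		r, err := dnsQuery(fqdn, dns.TypeTXT, []string{ns}, true)
		if err != nil {
			lastErr = err
			continue
		}
		// … unchanged: rcode condition; its branch becomes
		//     lastErr = fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn)
		//     continue
		// instead of returning …
		for _, rr := range r.Answer {
			if txt, ok := rr.(*dns.TXT); ok && strings.Join(txt.Txt, "") == value {
				return true, nil
			}
		}
	}
	return false, lastErr
}
```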