2016-03-17 20:59:15 +00:00
|
|
|
// Package rfc2136 implements a DNS provider for solving the DNS-01 challenge
|
|
|
|
// using the rfc2136 dynamic update.
|
2016-02-29 02:48:41 +00:00
|
|
|
package rfc2136
|
2015-12-03 20:01:46 +00:00
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
2016-02-28 20:09:05 +00:00
|
|
|
"net"
|
2016-03-17 20:59:15 +00:00
|
|
|
"os"
|
2016-02-06 23:12:48 +00:00
|
|
|
"strings"
|
2015-12-03 20:01:46 +00:00
|
|
|
"time"
|
2016-02-06 23:09:43 +00:00
|
|
|
|
|
|
|
"github.com/miekg/dns"
|
2016-02-29 02:48:41 +00:00
|
|
|
"github.com/xenolf/lego/acme"
|
2015-12-03 20:01:46 +00:00
|
|
|
)
|
|
|
|
|
2016-03-11 02:46:09 +00:00
|
|
|
// DNSProvider is an implementation of the acme.ChallengeProvider interface that
|
2015-12-03 20:01:46 +00:00
|
|
|
// uses dynamic DNS updates (RFC 2136) to create TXT records on a nameserver.
|
2016-03-11 02:46:09 +00:00
|
|
|
type DNSProvider struct {
|
2016-02-06 23:09:43 +00:00
|
|
|
nameserver string
|
|
|
|
tsigAlgorithm string
|
|
|
|
tsigKey string
|
|
|
|
tsigSecret string
|
2015-12-03 20:01:46 +00:00
|
|
|
}
|
|
|
|
|
2016-03-17 20:59:15 +00:00
|
|
|
// NewDNSProvider returns a DNSProvider instance configured for rfc2136
|
|
|
|
// dynamic update. Credentials must be passed in the environment variables:
|
|
|
|
// RFC2136_NAMESERVER, RFC2136_TSIG_ALGORITHM, RFC2136_TSIG_KEY and
|
|
|
|
// RFC2136_TSIG_SECRET. To disable TSIG authentication, leave the TSIG
|
|
|
|
// variables unset. RFC2136_NAMESERVER must be a network address in the form
|
|
|
|
// "host" or "host:port".
|
|
|
|
func NewDNSProvider() (*DNSProvider, error) {
|
|
|
|
nameserver := os.Getenv("RFC2136_NAMESERVER")
|
|
|
|
tsigAlgorithm := os.Getenv("RFC2136_TSIG_ALGORITHM")
|
|
|
|
tsigKey := os.Getenv("RFC2136_TSIG_KEY")
|
|
|
|
tsigSecret := os.Getenv("RFC2136_TSIG_SECRET")
|
|
|
|
return NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKey, tsigSecret)
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewDNSProviderCredentials uses the supplied credentials to return a
|
|
|
|
// DNSProvider instance configured for rfc2136 dynamic update. To disable TSIG
|
|
|
|
// authentication, leave the TSIG parameters as empty strings.
|
|
|
|
// nameserver must be a network address in the form "host" or "host:port".
|
|
|
|
func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKey, tsigSecret string) (*DNSProvider, error) {
|
|
|
|
if nameserver == "" {
|
|
|
|
return nil, fmt.Errorf("RFC2136 nameserver missing")
|
|
|
|
}
|
|
|
|
|
2016-02-06 23:12:48 +00:00
|
|
|
// Append the default DNS port if none is specified.
|
2016-02-28 20:09:05 +00:00
|
|
|
if _, _, err := net.SplitHostPort(nameserver); err != nil {
|
|
|
|
if strings.Contains(err.Error(), "missing port") {
|
|
|
|
nameserver = net.JoinHostPort(nameserver, "53")
|
|
|
|
} else {
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-02-06 23:12:48 +00:00
|
|
|
}
|
2016-03-11 02:46:09 +00:00
|
|
|
d := &DNSProvider{
|
2016-02-28 20:09:05 +00:00
|
|
|
nameserver: nameserver,
|
2015-12-03 20:01:46 +00:00
|
|
|
}
|
2016-02-06 23:09:43 +00:00
|
|
|
if tsigAlgorithm == "" {
|
|
|
|
tsigAlgorithm = dns.HmacMD5
|
|
|
|
}
|
|
|
|
d.tsigAlgorithm = tsigAlgorithm
|
2015-12-03 20:01:46 +00:00
|
|
|
if len(tsigKey) > 0 && len(tsigSecret) > 0 {
|
|
|
|
d.tsigKey = tsigKey
|
|
|
|
d.tsigSecret = tsigSecret
|
|
|
|
}
|
|
|
|
|
|
|
|
return d, nil
|
|
|
|
}
|
|
|
|
|
2016-01-15 04:06:25 +00:00
|
|
|
// Present creates a TXT record using the specified parameters
|
2016-03-11 02:46:09 +00:00
|
|
|
func (r *DNSProvider) Present(domain, token, keyAuth string) error {
|
2016-02-29 02:48:41 +00:00
|
|
|
fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)
|
2015-12-03 20:01:46 +00:00
|
|
|
return r.changeRecord("INSERT", fqdn, value, ttl)
|
|
|
|
}
|
|
|
|
|
2016-01-15 04:06:25 +00:00
|
|
|
// CleanUp removes the TXT record matching the specified parameters
|
2016-03-11 02:46:09 +00:00
|
|
|
func (r *DNSProvider) CleanUp(domain, token, keyAuth string) error {
|
2016-02-29 02:48:41 +00:00
|
|
|
fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)
|
2015-12-03 20:01:46 +00:00
|
|
|
return r.changeRecord("REMOVE", fqdn, value, ttl)
|
|
|
|
}
|
|
|
|
|
2016-03-11 02:46:09 +00:00
|
|
|
func (r *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error {
|
2016-02-28 20:09:05 +00:00
|
|
|
// Find the zone for the given fqdn
|
2016-04-11 22:59:59 +00:00
|
|
|
zone, err := acme.FindZoneByFqdn(fqdn, []string{r.nameserver})
|
2016-02-27 22:50:42 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2015-12-03 20:01:46 +00:00
|
|
|
// Create RR
|
|
|
|
rr := new(dns.TXT)
|
|
|
|
rr.Hdr = dns.RR_Header{Name: fqdn, Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: uint32(ttl)}
|
|
|
|
rr.Txt = []string{value}
|
2016-02-28 20:09:05 +00:00
|
|
|
rrs := []dns.RR{rr}
|
2015-12-03 20:01:46 +00:00
|
|
|
|
|
|
|
// Create dynamic update packet
|
|
|
|
m := new(dns.Msg)
|
2016-02-27 22:50:42 +00:00
|
|
|
m.SetUpdate(zone)
|
2015-12-03 20:01:46 +00:00
|
|
|
switch action {
|
|
|
|
case "INSERT":
|
2016-02-27 22:50:42 +00:00
|
|
|
// Always remove old challenge left over from who knows what.
|
|
|
|
m.RemoveRRset(rrs)
|
2015-12-03 20:01:46 +00:00
|
|
|
m.Insert(rrs)
|
|
|
|
case "REMOVE":
|
|
|
|
m.Remove(rrs)
|
|
|
|
default:
|
|
|
|
return fmt.Errorf("Unexpected action: %s", action)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Setup client
|
|
|
|
c := new(dns.Client)
|
|
|
|
c.SingleInflight = true
|
|
|
|
// TSIG authentication / msg signing
|
|
|
|
if len(r.tsigKey) > 0 && len(r.tsigSecret) > 0 {
|
2016-02-06 23:09:43 +00:00
|
|
|
m.SetTsig(dns.Fqdn(r.tsigKey), r.tsigAlgorithm, 300, time.Now().Unix())
|
2015-12-03 20:01:46 +00:00
|
|
|
c.TsigSecret = map[string]string{dns.Fqdn(r.tsigKey): r.tsigSecret}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Send the query
|
|
|
|
reply, _, err := c.Exchange(m, r.nameserver)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("DNS update failed: %v", err)
|
|
|
|
}
|
|
|
|
if reply != nil && reply.Rcode != dns.RcodeSuccess {
|
|
|
|
return fmt.Errorf("DNS update failed. Server replied: %s", dns.RcodeToString[reply.Rcode])
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|