lego/acme/dns_challenge_rfc2136.go

package acme

import (
	"fmt"
	"strings"
	"time"

	"github.com/miekg/dns"
)

// DNSProviderRFC2136 is an implementation of the ChallengeProvider interface that
// uses dynamic DNS updates (RFC 2136) to create TXT records on a nameserver.
type DNSProviderRFC2136 struct {
	nameserver    string
	tsigAlgorithm string
	tsigKey       string
	tsigSecret    string
	domain2zone   map[string]string
}

// NewDNSProviderRFC2136 returns a new DNSProviderRFC2136 instance.
// To disable TSIG authentication 'tsigAlgorithm, 'tsigKey' and 'tsigSecret' must be set to the empty string.
// 'nameserver' must be a network address in the the form "host" or "host:port".
func NewDNSProviderRFC2136(nameserver, tsigAlgorithm, tsigKey, tsigSecret string) (*DNSProviderRFC2136, error) {
	// Append the default DNS port if none is specified.
	if !strings.Contains(nameserver, ":") {
		nameserver += ":53"
	}
	d := &DNSProviderRFC2136{
		nameserver:  nameserver,
		domain2zone: make(map[string]string),
	}
	if tsigAlgorithm == "" {
		tsigAlgorithm = dns.HmacMD5
	}
	d.tsigAlgorithm = tsigAlgorithm
	if len(tsigKey) > 0 && len(tsigSecret) > 0 {
		d.tsigKey = tsigKey
		d.tsigSecret = tsigSecret
	}

	return d, nil
}

// Present creates a TXT record using the specified parameters
func (r *DNSProviderRFC2136) Present(domain, token, keyAuth string) error {
	fqdn, value, ttl := DNS01Record(domain, keyAuth)
	return r.changeRecord("INSERT", fqdn, value, ttl)
}

// CleanUp removes the TXT record matching the specified parameters
func (r *DNSProviderRFC2136) CleanUp(domain, token, keyAuth string) error {
	fqdn, value, ttl := DNS01Record(domain, keyAuth)
	return r.changeRecord("REMOVE", fqdn, value, ttl)
}

func (r *DNSProviderRFC2136) changeRecord(action, fqdn, value string, ttl int) error {
	zone, err := r.findZone(fqdn)
	if err != nil {
		return err
	}

	// Create RR
	rr := new(dns.TXT)
	rr.Hdr = dns.RR_Header{Name: fqdn, Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: uint32(ttl)}
	rr.Txt = []string{value}
	rrs := make([]dns.RR, 1)
	rrs[0] = rr

	// Create dynamic update packet
	m := new(dns.Msg)
	m.SetUpdate(zone)
	switch action {
	case "INSERT":
		// Always remove old challenge left over from who knows what.
		m.RemoveRRset(rrs)
		m.Insert(rrs)
	case "REMOVE":
		m.Remove(rrs)
	default:
		return fmt.Errorf("Unexpected action: %s", action)
	}

	// Setup client
	c := new(dns.Client)
	c.SingleInflight = true
	// TSIG authentication / msg signing
	if len(r.tsigKey) > 0 && len(r.tsigSecret) > 0 {
		m.SetTsig(dns.Fqdn(r.tsigKey), r.tsigAlgorithm, 300, time.Now().Unix())
		c.TsigSecret = map[string]string{dns.Fqdn(r.tsigKey): r.tsigSecret}
	}

	// Send the query
	reply, _, err := c.Exchange(m, r.nameserver)
	if err != nil {
		return fmt.Errorf("DNS update failed: %v", err)
	}
	if reply != nil && reply.Rcode != dns.RcodeSuccess {
		return fmt.Errorf("DNS update failed. Server replied: %s", dns.RcodeToString[reply.Rcode])
	}

	return nil
}

// findZone determines the zone of a qualifying cert DNSname
func (r *DNSProviderRFC2136) findZone(fqdn string) (string, error) {
	// Do we have it cached?
	if val, ok := r.domain2zone[fqdn]; ok {
		return val, nil
	}

	// Query the authorative nameserver for a hopefully non-existing SOA record,
	// in the authority section of the reply it will have the SOA of the
	// containing zone. rfc2308 has this to say on the subject:
	//   Name servers authoritative for a zone MUST include the SOA record of
	//   the zone in the authority section of the response when reporting an
	//   NXDOMAIN or indicating that no data (NODATA) of the requested type exists
	m := new(dns.Msg)
	m.SetQuestion(fqdn, dns.TypeSOA)
	m.SetEdns0(4096, false)
	m.RecursionDesired = true
	m.Authoritative = true

	in, err := dns.Exchange(m, r.nameserver)
	if err == dns.ErrTruncated {
		tcp := &dns.Client{Net: "tcp"}
		in, _, err = tcp.Exchange(m, r.nameserver)
	}
	if err != nil {
		return "", err
	}
	if in.Rcode != dns.RcodeNameError {
		if in.Rcode != dns.RcodeSuccess {
			return "", fmt.Errorf("DNS Query for zone %q failed", fqdn)
		}
		// We have a success, so one of the answers has to be a SOA RR
		for _, ans := range in.Answer {
			if ans.Header().Rrtype == dns.TypeSOA {
				zone := ans.Header().Name
				r.domain2zone[fqdn] = zone
				return zone, nil
			}
		}
		// Or it is NODATA, fall through to NXDOMAIN
	}
	// Search the authority section for our precious SOA RR
	for _, ns := range in.Ns {
		if ns.Header().Rrtype == dns.TypeSOA {
			zone := ns.Header().Name
			r.domain2zone[fqdn] = zone
			return zone, nil
		}
	}
	return "", fmt.Errorf("Expected a SOA record in the authority section")
}
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`package acme`

			`import (`
			`"fmt"`
Allow to specify RFC2136_NAMESERVER without the port. Append the default DNS port if the nameserver specification does not contain any. 2016-02-06 23:12:48 +00:00			`"strings"`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`"time"`
Allow to specify the TSIG algorithm for RFC2136 DNS-01 authentication. Add a new environment variable RFC2136_TSIG_ALGORITHM that accepts the TSIG algorithm pseudo-domain name. Let it default to "hmac-md5.sig-alg.reg.int." if unset. 2016-02-06 23:09:43 +00:00
			`"github.com/miekg/dns"`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`)`

Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations 2016-01-15 04:06:25 +00:00			`// DNSProviderRFC2136 is an implementation of the ChallengeProvider interface that`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`// uses dynamic DNS updates (RFC 2136) to create TXT records on a nameserver.`
			`type DNSProviderRFC2136 struct {`
Allow to specify the TSIG algorithm for RFC2136 DNS-01 authentication. Add a new environment variable RFC2136_TSIG_ALGORITHM that accepts the TSIG algorithm pseudo-domain name. Let it default to "hmac-md5.sig-alg.reg.int." if unset. 2016-02-06 23:09:43 +00:00			`nameserver string`
			`tsigAlgorithm string`
			`tsigKey string`
			`tsigSecret string`
Fix for issue/140: - Removal of RFC2136_ZONE from help text - Query nameserver directly to find zone we have to update - During insert, make sure the new record is the ONLY challence. (I had a few panics, hence 3 challences left. Not good.) 2016-02-27 22:50:42 +00:00			`domain2zone map[string]string`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`}`

			`// NewDNSProviderRFC2136 returns a new DNSProviderRFC2136 instance.`
Allow to specify the TSIG algorithm for RFC2136 DNS-01 authentication. Add a new environment variable RFC2136_TSIG_ALGORITHM that accepts the TSIG algorithm pseudo-domain name. Let it default to "hmac-md5.sig-alg.reg.int." if unset. 2016-02-06 23:09:43 +00:00			`// To disable TSIG authentication 'tsigAlgorithm, 'tsigKey' and 'tsigSecret' must be set to the empty string.`
Fix for issue/140: - Removal of RFC2136_ZONE from help text - Query nameserver directly to find zone we have to update - During insert, make sure the new record is the ONLY challence. (I had a few panics, hence 3 challences left. Not good.) 2016-02-27 22:50:42 +00:00			`// 'nameserver' must be a network address in the the form "host" or "host:port".`
			`func NewDNSProviderRFC2136(nameserver, tsigAlgorithm, tsigKey, tsigSecret string) (*DNSProviderRFC2136, error) {`
Allow to specify RFC2136_NAMESERVER without the port. Append the default DNS port if the nameserver specification does not contain any. 2016-02-06 23:12:48 +00:00			`// Append the default DNS port if none is specified.`
			`if !strings.Contains(nameserver, ":") {`
			`nameserver += ":53"`
			`}`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`d := &DNSProviderRFC2136{`
Fix for issue/140: - Removal of RFC2136_ZONE from help text - Query nameserver directly to find zone we have to update - During insert, make sure the new record is the ONLY challence. (I had a few panics, hence 3 challences left. Not good.) 2016-02-27 22:50:42 +00:00			`nameserver: nameserver,`
			`domain2zone: make(map[string]string),`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`}`
Allow to specify the TSIG algorithm for RFC2136 DNS-01 authentication. Add a new environment variable RFC2136_TSIG_ALGORITHM that accepts the TSIG algorithm pseudo-domain name. Let it default to "hmac-md5.sig-alg.reg.int." if unset. 2016-02-06 23:09:43 +00:00			`if tsigAlgorithm == "" {`
			`tsigAlgorithm = dns.HmacMD5`
			`}`
			`d.tsigAlgorithm = tsigAlgorithm`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`if len(tsigKey) > 0 && len(tsigSecret) > 0 {`
			`d.tsigKey = tsigKey`
			`d.tsigSecret = tsigSecret`
			`}`

			`return d, nil`
			`}`

Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations 2016-01-15 04:06:25 +00:00			`// Present creates a TXT record using the specified parameters`
			`func (r *DNSProviderRFC2136) Present(domain, token, keyAuth string) error {`
			`fqdn, value, ttl := DNS01Record(domain, keyAuth)`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`return r.changeRecord("INSERT", fqdn, value, ttl)`
			`}`

Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations 2016-01-15 04:06:25 +00:00			`// CleanUp removes the TXT record matching the specified parameters`
			`func (r *DNSProviderRFC2136) CleanUp(domain, token, keyAuth string) error {`
Fix for issue/140: - Removal of RFC2136_ZONE from help text - Query nameserver directly to find zone we have to update - During insert, make sure the new record is the ONLY challence. (I had a few panics, hence 3 challences left. Not good.) 2016-02-27 22:50:42 +00:00			`fqdn, value, ttl := DNS01Record(domain, keyAuth)`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`return r.changeRecord("REMOVE", fqdn, value, ttl)`
			`}`

			`func (r *DNSProviderRFC2136) changeRecord(action, fqdn, value string, ttl int) error {`
Fix for issue/140: - Removal of RFC2136_ZONE from help text - Query nameserver directly to find zone we have to update - During insert, make sure the new record is the ONLY challence. (I had a few panics, hence 3 challences left. Not good.) 2016-02-27 22:50:42 +00:00			`zone, err := r.findZone(fqdn)`
			`if err != nil {`
			`return err`
			`}`

Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`// Create RR`
			`rr := new(dns.TXT)`
			`rr.Hdr = dns.RR_Header{Name: fqdn, Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: uint32(ttl)}`
			`rr.Txt = []string{value}`
			`rrs := make([]dns.RR, 1)`
			`rrs[0] = rr`

			`// Create dynamic update packet`
			`m := new(dns.Msg)`
Fix for issue/140: - Removal of RFC2136_ZONE from help text - Query nameserver directly to find zone we have to update - During insert, make sure the new record is the ONLY challence. (I had a few panics, hence 3 challences left. Not good.) 2016-02-27 22:50:42 +00:00			`m.SetUpdate(zone)`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`switch action {`
			`case "INSERT":`
Fix for issue/140: - Removal of RFC2136_ZONE from help text - Query nameserver directly to find zone we have to update - During insert, make sure the new record is the ONLY challence. (I had a few panics, hence 3 challences left. Not good.) 2016-02-27 22:50:42 +00:00			`// Always remove old challenge left over from who knows what.`
			`m.RemoveRRset(rrs)`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`m.Insert(rrs)`
			`case "REMOVE":`
			`m.Remove(rrs)`
			`default:`
			`return fmt.Errorf("Unexpected action: %s", action)`
			`}`

			`// Setup client`
			`c := new(dns.Client)`
			`c.SingleInflight = true`
			`// TSIG authentication / msg signing`
			`if len(r.tsigKey) > 0 && len(r.tsigSecret) > 0 {`
Allow to specify the TSIG algorithm for RFC2136 DNS-01 authentication. Add a new environment variable RFC2136_TSIG_ALGORITHM that accepts the TSIG algorithm pseudo-domain name. Let it default to "hmac-md5.sig-alg.reg.int." if unset. 2016-02-06 23:09:43 +00:00			`m.SetTsig(dns.Fqdn(r.tsigKey), r.tsigAlgorithm, 300, time.Now().Unix())`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`c.TsigSecret = map[string]string{dns.Fqdn(r.tsigKey): r.tsigSecret}`
			`}`

			`// Send the query`
			`reply, _, err := c.Exchange(m, r.nameserver)`
			`if err != nil {`
			`return fmt.Errorf("DNS update failed: %v", err)`
			`}`
			`if reply != nil && reply.Rcode != dns.RcodeSuccess {`
			`return fmt.Errorf("DNS update failed. Server replied: %s", dns.RcodeToString[reply.Rcode])`
			`}`

			`return nil`
			`}`
Fix for issue/140: - Removal of RFC2136_ZONE from help text - Query nameserver directly to find zone we have to update - During insert, make sure the new record is the ONLY challence. (I had a few panics, hence 3 challences left. Not good.) 2016-02-27 22:50:42 +00:00
			`// findZone determines the zone of a qualifying cert DNSname`
			`func (r *DNSProviderRFC2136) findZone(fqdn string) (string, error) {`
			`// Do we have it cached?`
			`if val, ok := r.domain2zone[fqdn]; ok {`
			`return val, nil`
			`}`

			`// Query the authorative nameserver for a hopefully non-existing SOA record,`
			`// in the authority section of the reply it will have the SOA of the`
			`// containing zone. rfc2308 has this to say on the subject:`
			`// Name servers authoritative for a zone MUST include the SOA record of`
			`// the zone in the authority section of the response when reporting an`
			`// NXDOMAIN or indicating that no data (NODATA) of the requested type exists`
			`m := new(dns.Msg)`
			`m.SetQuestion(fqdn, dns.TypeSOA)`
			`m.SetEdns0(4096, false)`
			`m.RecursionDesired = true`
			`m.Authoritative = true`

			`in, err := dns.Exchange(m, r.nameserver)`
			`if err == dns.ErrTruncated {`
			`tcp := &dns.Client{Net: "tcp"}`
			`in, _, err = tcp.Exchange(m, r.nameserver)`
			`}`
			`if err != nil {`
			`return "", err`
			`}`
			`if in.Rcode != dns.RcodeNameError {`
			`if in.Rcode != dns.RcodeSuccess {`
			`return "", fmt.Errorf("DNS Query for zone %q failed", fqdn)`
			`}`
			`// We have a success, so one of the answers has to be a SOA RR`
			`for _, ans := range in.Answer {`
			`if ans.Header().Rrtype == dns.TypeSOA {`
			`zone := ans.Header().Name`
			`r.domain2zone[fqdn] = zone`
			`return zone, nil`
			`}`
			`}`
			`// Or it is NODATA, fall through to NXDOMAIN`
			`}`
			`// Search the authority section for our precious SOA RR`
			`for _, ns := range in.Ns {`
			`if ns.Header().Rrtype == dns.TypeSOA {`
			`zone := ns.Header().Name`
			`r.domain2zone[fqdn] = zone`
			`return zone, nil`
			`}`
			`}`
			`return "", fmt.Errorf("Expected a SOA record in the authority section")`
			`}`