diff --git a/acme/dns_challenge.go b/acme/dns_challenge.go
index 13373974..d6844dcd 100644
--- a/acme/dns_challenge.go
+++ b/acme/dns_challenge.go
@@ -255,6 +255,13 @@ func FindZoneByFqdn(fqdn string, nameservers []string) (string, error) {
 // Check if we got a SOA RR in the answer section
 if in.Rcode == dns.RcodeSuccess {
+
+ // CNAME records cannot/should not exist at the root of a zone. // So we skip a domain when a CNAME is found.
+ if dnsMsgContainsCNAME(in) {
+ continue
+ }
+
 for _, ans := range in.Answer {
 if soa, ok := ans.(*dns.SOA); ok {
 zone := soa.Hdr.Name
@@ -268,6 +275,16 @@ func FindZoneByFqdn(fqdn string, nameservers []string) (string, error) {
 return "", fmt.Errorf("Could not find the start of authority")
 }
+// dnsMsgContainsCNAME checks for a CNAME answer in msg
+func dnsMsgContainsCNAME(msg *dns.Msg) bool {
+ for _, ans := range msg.Answer {
+ if _, ok := ans.(*dns.CNAME); ok {
+ return true
+ }
+ }
+ return false
+}
+
 // ClearFqdnCache clears the cache of fqdn to zone mappings. Primarily used in testing.
 func ClearFqdnCache() {
 fqdnToZone = map[string]string{}
diff --git a/acme/dns_challenge_test.go b/acme/dns_challenge_test.go
index 4a2a7fea..117ac303 100644
--- a/acme/dns_challenge_test.go
+++ b/acme/dns_challenge_test.go
@@ -43,9 +43,10 @@ var findZoneByFqdnTests = []struct {
 fqdn string
 zone string
 }{
- {"mail.google.com.", "google.com."}, // domain is a CNAME
- {"foo.google.com.", "google.com."}, // domain is a non-existent subdomain
- {"example.com.ac.", "ac."}, // domain is a eTLD
+ {"mail.google.com.", "google.com."}, // domain is a CNAME
+ {"foo.google.com.", "google.com."}, // domain is a non-existent subdomain
+ {"example.com.ac.", "ac."}, // domain is a eTLD
+ {"cross-zone-example.assets.sh.", "assets.sh."}, // domain is a cross-zone CNAME
 }
 var checkAuthoritativeNssTests = []struct {
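Review bot: The added comment inside the `if in.Rcode == dns.RcodeSuccess` branch states the DNS rule but not why it matters here: when the queried name is an alias, the resolver follows the CNAME and any SOA in the same answer describes the alias target's zone, not the name FindZoneByFqdn is walking, so accepting it would resolve the wrong zone for this fqdn. I would reword it to `// A CNAME in the answer means the resolver followed an alias; any SOA here belongs to the target's zone, not this name's, so this candidate is skipped.` The `continue` presumably advances the enclosing loop over the fqdn's labels, whose header is before this hunk and whose body continues past it; if that loop instead iterated nameservers the skip would re-query the same name, so worth confirming against the loop header.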
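Review bot: The doc comment on `dnsMsgContainsCNAME` should be a full sentence and say what is actually tested: it reports whether any record in the Answer section is a CNAME, regardless of owner name or the queried name, so a CNAME anywhere in a followed chain counts. Suggest `// dnsMsgContainsCNAME reports whether msg's answer section contains a CNAME record, i.e. the resolver followed an alias to produce this answer.` A nil msg would panic on `msg.Answer`; the only caller visible in this diff passes a message already dereferenced via `in.Rcode`, so that is fine today, but the precondition is worth stating in the comment if the helper gains other callers.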
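Review bot: The new table entry `{"cross-zone-example.assets.sh.", "assets.sh."}` ties the test to the external DNS configuration of that name, as the existing entries already do, but its comment does not say which property must hold for the case to keep passing; I would expand it to `// domain is a CNAME into another zone; the test depends on that record staying in place`. If, as the commented cases suggest, this table is resolved against live nameservers, a fixture resolver would make the cross-zone case deterministic, though that is a larger change than this commit.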