* refactor: create log.Infof and log.Warnf
* refactor: review DNS providers.
- use one `http.Client` per provider instead of one client per request
- use the same receiver name `d` for all `DNSProvider`
- use `http.MethodXXX`
* refactor: logger init.
* Fix zone detection for cross-zone cnames
CNAMEs cannot co-exist with SOA records so responses with
a CNAME should be skipped.
The `cross-zone-example.assets.sh.` is currently hosted by
me (@fd) and will continue to exist for as long as the assets.sh
domain exists. (The assets.sh domain is used as a CDN and is unlikely
to go away.)
See #330
* Extracted CNAME checking to simplify the FindZoneByFqdn control flow.
They will no longer get an error message saying
"Could not find the start of authority".
Finding the zone cut of a FQDN now relies only on the presence
of a SOA record. Indeed, in the context of an eTLD the
authority will be the eTLD itself so you need to continue
to recurse until you get an answer instead of cutting the search
when you find the public suffix of a domain.
Fixes #434
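The zone-cut search described in the two commits above (walk toward the root, skip CNAME answers, stop at the first SOA), as an added Go example that is not lego's own code; the `Resolver` hook and `fakeResolver` data are constructed for illustration and stand in for real SOA queries.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Answer models the parts of a DNS response the zone-cut search cares about.
type Answer struct {
	HasSOA   bool
	HasCNAME bool
}

// Resolver is a hypothetical lookup hook; a real one would send a SOA query for name.
type Resolver func(name string) (Answer, error)

// FindZoneByFqdn walks from the FQDN toward the root one label at a time and returns
// the first owner name whose response carries a SOA record. Responses carrying a
// CNAME are skipped: a CNAME cannot coexist with a SOA at the same owner name, so a
// CNAME answer says nothing about where the zone cut is. The walk never stops early
// at a public suffix; it continues until a SOA is found or the labels run out.
func FindZoneByFqdn(fqdn string, resolve Resolver) (string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := 0; i < len(labels); i++ {
		name := strings.Join(labels[i:], ".") + "."
		ans, err := resolve(name)
		if err != nil {
			return "", err
		}
		if ans.HasCNAME {
			continue // cross-zone CNAME: keep climbing
		}
		if ans.HasSOA {
			return name, nil
		}
	}
	return "", errors.New("could not find the start of authority for " + fqdn)
}

// fakeResolver is constructed test data: a CNAME at the leaf name and a SOA at the
// zone apex, with nothing in between (no network access is needed).
func fakeResolver(name string) (Answer, error) {
	switch name {
	case "cross-zone-example.assets.sh.":
		return Answer{HasCNAME: true}, nil
	case "assets.sh.":
		return Answer{HasSOA: true}, nil
	}
	return Answer{}, nil
}

func main() {
	fmt.Println(FindZoneByFqdn("cross-zone-example.assets.sh.", fakeResolver))
}
```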
* Get better dns server defaults if available
If an /etc/resolv.conf file exists, get the DNS servers from there.
* fix handwritten code...
* Make discovering system dns servers more testable
Allow specifying path to resolv.conf file to allow testing logic
* add tests
* Log which resolvers we are using
* move log statement for dns resolvers used
Added a slice of NS to be used when retrying queries. Also used with FindZoneByFqdn()
Adjusted 2 error messages given to better differentiate the returned error string
- Reworked the code in dns_challenge.go to not assume nameserver is
port-less or defaults to 53. (messes up testing)
- Updated nameserver test to clear the fqdn2zone cache and return a dummy
SOA RR to make initial findZoneByFqdn call happy.
- Used publicsuffix library to determine if the "authoritative" zone we found
is a public registry, in that case error out. (Also used by boulder btw)
Prior to this commit, the checkDNSPropagation function was exiting
early if the TXT record could not be found on the recursive
nameserver, and thus the authoritative nameservers were not being
queried until after the record showed up on the recursive nameserver
causing a delay.
This commit changes that behaviour so that the authoritative
nameservers are queried on each execution of checkDNSPropagation when
possible.
This will prevent indefinitely-hanging requests in case some service or middle box is malfunctioning.
Fix vet errors and lint warnings
Add vet to CI check
Only get issuer certificate if it would be used
No need to make a GET request if the OCSP server is not specified in leaf certificate
Fix CI tests
Make tests verbose
* Gets a list of all authoritative nameservers by looking up the NS RRs for the root domain (zone apex)
* Verifies that the expected TXT record exists on all nameservers before sending off the challenge to ACME server
- InvalidTXTRDATA error when creating TXT record (closes #94)
- Present() should poll and wait until the status of the record change becomes INSYNC (thanks @oov)
Adds a retry/timeout utility function to dns_challenge.go that may be used in other places
We can ask the OS resolver for the IP of Google's public anycast DNS.
No need to "bootstrap" with a literal IP address. The OS resolver knows
best about IPv4 vs. IPv6.
Mostly fixes #88.
* new ChallengeProvider with Present and CleanUp methods
* new Challenge type describing `http-01`, `tls-sni-01`, `dns-01`
* new client.SetChallengeProvider to support custom implementations