
Fix DNS local challenge to use the nameserver of the zone #41

Closed
robbinjanssen opened this issue Feb 7, 2024 · 5 comments · Fixed by #43 or #48

Comments

@robbinjanssen
Contributor

Hi,

I was wondering if you were open for a change to validate DNS locally.

Currently the code uses dns_get_record; the problem, however, is that once this is triggered and the record does not exist, it can take quite a while before it is picked up again. My preference would be to use for example dig or another way to check the DNS locally.

I would like to change the code so that _acme-challenge.zone-name.com is checked against the nameservers used by zone-name.com, then use the dig command to get the data for the TXT records. An example of an existing package we can use is: https://github.com/bluelibraries/dns

@RogierW
Owner

RogierW commented Feb 7, 2024

Hi Robbin,

Thanks for sharing your suggestion. I see the problem you’re facing, and I’m definitely open to changing the way of checking DNS locally.

Personally I prefer the https://github.com/spatie/dns package. I worked with it before and I really like their packages. Would that work for you?

Unfortunately, I’m quite busy in the upcoming week(s). However, I’ll try to find some time to implement this.

@robbinjanssen
Contributor Author

Didn't know that one, looks good (and love spatie)!

No worries, I'll see if I can wrap up a PR soon with a rewrite of the dns function.

@robbinjanssen
Contributor Author

robbinjanssen commented Feb 12, 2024

@RogierW Got a little challenge: say we want to validate the domain test.acme-client.nl. To get the nameservers I need to know the zone name (acme-client.nl), and to do this properly we need yet another package (because of all the TLDs that exist). Personally I prefer https://github.com/jeremykendall/php-domain-parser, do you have any alternatives? :)

Never mind, I can work around by requesting the SOA record first :-)

@robbinjanssen
Contributor Author

@RogierW can you reopen this issue? I've stumbled upon a problem.

We use CNAME records where we ask our users to forward _acme-challenge.domain.nl to _acme-challenge.domain.nl.we-control-this-domain.nl

When we use dig txt _acme-challenge.domain.nl, it follows through to _acme-challenge.domain.nl.we-control-this-domain.nl and gets the TXT records from there.

When we use dig txt _acme-challenge.domain.nl @ns1.nameserver-of-domain.com it doesn't follow through. Any suggestions?

@robbinjanssen
Contributor Author

I'm currently testing this implementation: https://github.com/exonet/rw-acme-client/blob/nameserver-check/src/Support/LocalChallengeTest.php#L36-L54

(It's not ready for a PR yet as this is on the PHP 8.1 branch).

Basically:

  • Check for TXT value at the nameserver, nope?
  • Check for CNAME at the nameserver? Nope -> Exception
  • If CNAME, check for TXT at CNAME target at nameserver of target? Nope -> Exception
  • If another CNAME, follow and repeat.
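The lookup chain sketched in the bullets above, written out as an added example (not the rw-acme-client code from the linked branch). It assumes a constructed in-memory zone table in place of real authoritative queries; a real implementation would find the zone via SOA and run `dig txt NAME @NS` (or spatie/dns) at each step, and the hop limit is what keeps a misconfigured CNAME loop from hanging the check.

```python
# Constructed stand-in for authoritative zone data, keyed by zone apex. A real
# implementation finds the zone with an SOA query and runs `dig txt NAME @NS`
# (or spatie/dns) per step; here each lookup reads this table instead.
ZONES = {
    "domain.nl": {"ns": ["ns1.nameserver-of-domain.com"], "records": {
        "_acme-challenge.domain.nl": {"CNAME": ["_acme-challenge.domain.nl.we-control-this-domain.nl"]},
        "plain.domain.nl": {"TXT": ["direct-token"]}}},
    "we-control-this-domain.nl": {"ns": ["ns1.we-control-this-domain.nl"], "records": {
        "_acme-challenge.domain.nl.we-control-this-domain.nl": {"TXT": ["tok-123"]},
        "loop-a.we-control-this-domain.nl": {"CNAME": ["loop-b.we-control-this-domain.nl"]},
        "loop-b.we-control-this-domain.nl": {"CNAME": ["loop-a.we-control-this-domain.nl"]}}},
}


class ChallengeError(Exception):
    """The chain ended without a TXT record (the thread's 'Nope -> Exception')."""


def find_zone(name: str) -> str:
    """Strip leading labels until a zone apex matches (stands in for the SOA lookup)."""
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in ZONES:
            return ".".join(labels[i:])
    raise ChallengeError(f"no authoritative zone found for {name}")


def query(nameserver: str, name: str, rtype: str) -> list[str]:
    """Authoritative query: answer only from the zone this nameserver serves."""
    for zone in ZONES.values():
        if nameserver in zone["ns"]:
            return zone["records"].get(name, {}).get(rtype, [])
    return []


def resolve_challenge_txt(name: str, max_hops: int = 8) -> list[str]:
    """TXT at the zone's own nameserver; else follow CNAME to the target's nameserver."""
    for _ in range(max_hops):
        ns = ZONES[find_zone(name)]["ns"][0]
        txt = query(ns, name, "TXT")
        if txt:
            return txt
        cname = query(ns, name, "CNAME")
        if not cname:
            raise ChallengeError(f"no TXT or CNAME for {name} at {ns}")
        name = cname[0]  # another CNAME: follow it and repeat at its zone's nameserver
    raise ChallengeError(f"gave up after {max_hops} CNAME hops (loop?)")


def challenge_is_published(name: str, expected_token: str) -> bool:
    """True when the expected challenge token is among the TXT values finally found."""
    return expected_token in resolve_challenge_txt(name)
```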
