
Commit 352b45b

authored
Merge branch 'master' into gandi_v5-auth-changes
2 parents c1f10fa + edf0471 commit 352b45b


5 files changed

+117
-20
lines changed


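--- a/commands/types/dnscontrol.d.ts
+++ b/commands/types/dnscontrol.d.ts
@@ -398,7 +398,9 @@ declare function CAA(name: string, tag: "issue" | "issuewild" | "iodef", value:
 * * `iodef:` Report all violation to configured mail address.
 * * `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
 * * `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
+* * `issue_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
 * * `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
+* * `issuewild_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
 *
 * `CAA_BUILDER()` returns multiple records (when configured as example above):
 *
@@ -411,7 +413,7 @@ declare function CAA(name: string, tag: "issue" | "issuewild" | "iodef", value:
 *
 * @see https://docs.dnscontrol.org/language-reference/domain-modifiers/caa_builder
 */
-declare function CAA_BUILDER(opts: { label?: string; iodef: string; iodef_critical?: boolean; issue: string[]; issuewild: string[] }): DomainModifier;
+declare function CAA_BUILDER(opts: { label?: string; iodef: string; iodef_critical?: boolean; issue: string[]; issue_critical?: boolean; issuewild: string[]; issuewild_critical?: boolean }): DomainModifier;
 
 /**
 * `CF_REDIRECT` uses Cloudflare-specific features ("Forwarding URL" Page Rules) to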
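Review bot: The widened signature keeps `issuewild: string[]` (and `issue: string[]`) while the JSDoc directly above says `"none"` may be passed as a plain string, and the CAA_BUILDER.md example added in this same commit does exactly that with `issuewild: "none"`, so a TypeScript user following the docs gets a type error. If the shorthand is really accepted, the declaration should read `issue: string[] | "none"; ... issuewild: string[] | "none";` so the types and the docs agree. The runtime handling of `"none"` lives in pkg/js/helpers.js outside the hunks shown here, so confirm it before widening the type rather than the docs.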

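--- a/documentation/functions/domain/CAA_BUILDER.md
+++ b/documentation/functions/domain/CAA_BUILDER.md
@@ -5,14 +5,18 @@ parameters:
 - iodef
 - iodef_critical
 - issue
+- issue_critical
 - issuewild
+- issuewild_critical
 parameters_object: true
 parameter_types:
 label: string?
 iodef: string
 iodef_critical: boolean?
 issue: string[]
+issue_critical: boolean?
 issuewild: string[]
+issuewild_critical: boolean?
 ---
 
 DNSControl contains a `CAA_BUILDER` which can be used to simply create
@@ -22,7 +26,7 @@ authorized certificate authorities and the builder cares about the rest.
 
 ## Example
 
-For example you can use:
+### Simple example
 
 {% code title="dnsconfig.js" %}
 ```javascript
@@ -39,15 +43,7 @@ CAA_BUILDER({
 ```
 {% endcode %}
 
-The parameters are:
-
-* `label:` The label of the CAA record. (Optional. Default: `"@"`)
-* `iodef:` Report all violation to configured mail address.
-* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
-* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
-* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
-
-`CAA_BUILDER()` returns multiple records (when configured as example above):
+`CAA_BUILDER()` builds multiple records:
 
 {% code title="dnsconfig.js" %}
 ```javascript
@@ -57,3 +53,64 @@ CAA("@", "issue", "comodoca.com")
 CAA("@", "issuewild", ";")
 ```
 {% endcode %}
+
+which in turns yield the following records:
+
+```text
+@ 300 IN CAA 128 iodef "mailto:test@example.com"
+@ 300 IN CAA 0 issue "letsencrypt.org"
+@ 300 IN CAA 0 issue "comodoca.com"
+@ 300 IN CAA 0 issuewild ";"
+```
+
+### Example with CAA_CRITICAL flag on all records
+
+The same example can be enriched with CAA_CRITICAL on all records:
+
+{% code title="dnsconfig.js" %}
+```javascript
+CAA_BUILDER({
+label: "@",
+iodef: "mailto:test@example.com",
+iodef_critical: true,
+issue: [
+"letsencrypt.org",
+"comodoca.com",
+],
+issue_critical: true,
+issuewild: "none",
+issuewild_critical: true,
+})
+```
+{% endcode %}
+
+`CAA_BUILDER()` then builds (the same) multiple records - all with CAA_CRITICAL flag set:
+
+{% code title="dnsconfig.js" %}
+```javascript
+CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL)
+CAA("@", "issue", "letsencrypt.org", CAA_CRITICAL)
+CAA("@", "issue", "comodoca.com", CAA_CRITICAL)
+CAA("@", "issuewild", ";", CAA_CRITICAL)
+```
+{% endcode %}
+
+which in turns yield the following records:
+
+```text
+@ 300 IN CAA 128 iodef "mailto:test@example.com"
+@ 300 IN CAA 128 issue "letsencrypt.org"
+@ 300 IN CAA 128 issue "comodoca.com"
+@ 300 IN CAA 128 issuewild ";"
+```
+
+
+### Parameters
+
+* `label:` The label of the CAA record. (Optional. Default: `"@"`)
+* `iodef:` Report all violation to configured mail address.
+* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
+* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
+* `issue_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
+* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
+* `issuewild_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)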

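--- a/documentation/providers/axfrddns.md
+++ b/documentation/providers/axfrddns.md
@@ -98,7 +98,7 @@ var DSP_AXFRDDNS = NewDnsProvider("axfrddns", {
 "ns4.example.com."
 ]
 }
-}
+)
 ```
 {% endcode %}
 
@@ -107,7 +107,7 @@ var DSP_AXFRDDNS = NewDnsProvider("axfrddns", {
 {
 "axfrddns": {
 "TYPE": "AXFRDDNS",
-"nameservers": "ns1.example.com.,ns2.example.com.,ns3.example.com.,ns4.example.com."
+"nameservers": "ns1.example.com,ns2.example.com,ns3.example.com,ns4.example.com"
 }
 }
 ```
@@ -144,6 +144,24 @@ the following error message:
 Please consider adding default `nameservers` or an explicit `master` in `creds.json`.
 ```
 
+### Transfer/AXFR server
+
+As mentioned above, the AXFR+DDNS provider will send AXFR requests to the
+primary master for the zone. On some networks, the AXFR requests are handled
+by a separate server to DDNS requests. Use the `transfer-server` option in
+`creds.json`. If not specified, it falls back to the primary master.
+
+{% code title="creds.json" %}
+```json
+{
+"axfrddns": {
+"TYPE": "AXFRDDNS",
+"transfer-server": "233.252.0.0"
+}
+}
+```
+{% endcode %}
+
 ### Buggy DNS servers regarding CNAME updates
 
 When modifying a CNAME record, or when replacing an A record by a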

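--- a/pkg/js/helpers.js
+++ b/pkg/js/helpers.js
@@ -1478,13 +1478,23 @@ function CAA_BUILDER(value) {
 }
 }
 
-if (value.issue)
+if (value.issue) {
+var flag = function() {};
+if (value.issue_critical) {
+flag = CAA_CRITICAL;
+}
 for (var i = 0, len = value.issue.length; i < len; i++)
-r.push(CAA(value.label, 'issue', value.issue[i]));
+r.push(CAA(value.label, 'issue', value.issue[i], flag));
+}
 
-if (value.issuewild)
+if (value.issuewild) {
+var flag = function() {};
+if (value.issuewild_critical) {
+flag = CAA_CRITICAL;
+}
 for (var i = 0, len = value.issuewild.length; i < len; i++)
-r.push(CAA(value.label, 'issuewild', value.issuewild[i]));
+r.push(CAA(value.label, 'issuewild', value.issuewild[i], flag));
+}
 
 return r;
 }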
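Review bot: `var flag = function() {};` is declared twice inside the same function body (the `issue` block and the `issuewild` block); `var` is function-scoped, so the second is a redeclaration that linters will flag, and the no-op function is passed to `CAA()` as a modifier on every record even when no critical flag was requested, which relies on `CAA` silently accepting an arbitrary function argument — something not visible in this hunk. A shape that avoids both is to build the extra arguments conditionally, e.g. `var mods = value.issue_critical ? [CAA_CRITICAL] : [];` followed by `r.push(CAA.apply(null, [value.label, 'issue', value.issue[i]].concat(mods)));`, and the same for `issuewild`. Worth a one-line comment on the `flag` sentinel if it is kept, e.g. `// no-op modifier: CAA() applies each function argument to the record`, once that behaviour of CAA() is confirmed. The enclosing CAA_BUILDER starts outside the hunk, so how `"none"` is turned into `";"` before these loops cannot be checked here.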

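--- a/providers/axfrddns/axfrddnsProvider.go
+++ b/providers/axfrddns/axfrddnsProvider.go
@@ -58,6 +58,7 @@ type axfrddnsProvider struct {
 rand *rand.Rand
 master string
 updateMode string
+transferServer string
 transferMode string
 nameservers []*models.Nameserver
 transferKey *Key
@@ -125,6 +126,14 @@ func initAxfrDdns(config map[string]string, providermeta json.RawMessage) (provi
 } else {
 return nil, fmt.Errorf("nameservers list is empty: creds.json needs a default `nameservers` or an explicit `master`")
 }
+if config["transfer-server"] != "" {
+api.transferServer = config["transfer-server"]
+if !strings.Contains(api.transferServer, ":") {
+api.transferServer = api.transferServer + ":53"
+}
+} else {
+api.transferServer = api.master
+}
 api.updateKey, err = readKey(config["update-key"], "update-key")
 if err != nil {
 return nil, err
@@ -145,6 +154,7 @@ func initAxfrDdns(config map[string]string, providermeta json.RawMessage) (provi
 "nameservers",
 "update-key",
 "transfer-key",
+"transfer-server",
 "update-mode",
 "transfer-mode",
 "domain",
@@ -214,9 +224,9 @@ func (c *axfrddnsProvider) getAxfrConnection() (*dns.Transfer, error) {
 var con net.Conn = nil
 var err error = nil
 if c.transferMode == "tcp-tls" {
-con, err = tls.Dial("tcp", c.master, &tls.Config{})
+con, err = tls.Dial("tcp", c.transferServer, &tls.Config{})
 } else {
-con, err = net.Dial("tcp", c.master)
+con, err = net.Dial("tcp", c.transferServer)
 }
 if err != nil {
 return nil, err
@@ -247,7 +257,7 @@ func (c *axfrddnsProvider) FetchZoneRecords(domain string) ([]dns.RR, error) {
 }
 }
 
-envelope, err := transfer.In(request, c.master)
+envelope, err := transfer.In(request, c.transferServer)
 if err != nil {
 return nil, err
 }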
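Review bot: The default-port check `if !strings.Contains(api.transferServer, ":")` in initAxfrDdns treats an unbracketed IPv6 literal as if it already carried a port, so such a `transfer-server` reaches `net.Dial`/`tls.Dial` without `:53` and fails to parse, while hostnames and bare IPv4 (the documented `233.252.0.0` example) happen to work. `net` is already imported for `net.Dial`, so the check can be `if _, _, perr := net.SplitHostPort(api.transferServer); perr != nil { api.transferServer = net.JoinHostPort(api.transferServer, "53") }`, which adds the port and brackets correctly for all three forms; whether `master` gets the same normalisation is decided outside this section, so the two should be kept consistent. In the `tcp-tls` branch of getAxfrConnection, `&tls.Config{}` verifies the certificate against the host part of `c.transferServer`, so a bare-IP `transfer-server` as in the docs requires a certificate carrying that IP as a SAN; a comment such as `// ServerName is derived from transferServer; an IP here needs an IP SAN in the server certificate` would save the next maintainer a debugging session.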
