Only check the authoritative NS when OverrideDomain is set

and keep the old code path otherwise.
caddyserver · Mar 7, 2022 · 4be5af5 · 4be5af5
1 parent ba5037f
commit 4be5af5
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/dnsutil.go b/dnsutil.go
@@ -214,11 +214,21 @@ func checkDNSPropagation(fqdn, value string, resolvers []string) (bool, error) {
 		fqdn += "."
 	}
 
+	// Initial attempt to resolve at the recursive NS
+	r, err := dnsQuery(fqdn, dns.TypeTXT, resolvers, true)
+	if err != nil {
+		return false, err
+	}
+
 	// TODO: make this configurable, maybe
 	// if !p.requireCompletePropagation {
 	// 	return true, nil
 	// }
 
+	if r.Rcode == dns.RcodeSuccess {
+		fqdn = updateDomainWithCName(r, fqdn)
+	}
+
 	authoritativeNss, err := lookupNameservers(fqdn, resolvers)
 	if err != nil {
 		return false, err

diff --git a/solvers.go b/solvers.go
@@ -334,7 +334,11 @@ func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error
 			return ctx.Err()
 		}
 		var ready bool
-		ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers)
+		if s.OverrideDomain == "" {
+			ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers)
+		} else {
+			ready, err = checkAuthoritativeNss(dnsName, keyAuth, resolvers)
+		}
 		if err != nil {
 			return fmt.Errorf("checking DNS propagation of %s: %w", dnsName, err)
 		}