Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

googlecloud.getHostedZone doesn't work correctly for CNAMEs that cross zones #330

Closed
ixdy opened this issue Dec 7, 2016 · 5 comments
Closed

googlecloud.getHostedZone doesn't work correctly for CNAMEs that cross zones #330

ixdy opened this issue Dec 7, 2016 · 5 comments
Labels
area/cname area/dnsprovider

Comments

@ixdy
Copy link

ixdy commented Dec 7, 2016

In my Google cloud project, I have two domains and two zones:

  • example.com, with google cloud dns zone example-com-zone
  • example.net, with google cloud dns zone example-net-zone

Subdomains on example.com and example.net are synonyms of each other, so for simplicity, the A records are in example-com-zone, and example-net-zone just has CNAMEs to the equivalent domain in example-com-zone. So for example:

  • foo.example.com. A 1.2.3.4
  • foo.example.net. CNAME foo.example.com.

Unfortunately, when googlecloud.getHostedZone does a lookup of the SOA record (using acme.FindZoneByFqdn) for foo.example.net, the reported authority is example.com. I've confirmed this with dig -t soa.

As a result, we try to add the txt record in example-com-zone instead of example-net-zone, and the call fails.
@ixdy
Copy link
Author

ixdy commented Dec 7, 2016

This similarly affects lookupNameservers in acme/dns_challenge.go, which also uses FindZoneByFqdn:

2016/12/06 18:17:22 [foo.example.net] Could not obtain certificates
        Time limit exceeded. Last error: NS ns-cloud-b2.googledomains.com. returned REFUSED for _acme-challenge.foo.example.net.

In this case, ns-cloud-b2.googledomains.com. is the authoritative server for example.com, whereas ns-cloud-c2.googledomains.com is authoritative for example.net.

@ixdy ixdy mentioned this issue Dec 7, 2016
Closed
@tamalsaha tamalsaha mentioned this issue Dec 27, 2016
Closed
tamalsaha added a commit to gomodules/dns that referenced this issue Dec 27, 2016
@tamalsaha
Use our forked version of lego.
9d54636 
Fixes go-acme/lego#330
@tamalsaha
Copy link

@ixdy I have tried to address this issue here #336

@ixdy
Copy link
Author

ixdy commented Dec 29, 2016

@tamalsaha I tried your fix while working on kubernetes-retired/spartakus#16 and it seemed to work. Thanks!

@tamalsaha tamalsaha mentioned this issue Aug 11, 2017
Closed
@tamalsaha tamalsaha mentioned this issue Aug 22, 2017
Closed
@xi2 xi2 mentioned this issue Sep 11, 2017
Closed
fd added a commit to fd/lego that referenced this issue Nov 13, 2017
@fd
Fix zone detection for cross-zone cnames
dead71d 
When a SOA record's name is not a suffix of the domain it should be ignored.

See go-acme#330
This was referenced Nov 13, 2017
Closed
Merged
@fd
Copy link
Contributor

fd commented Nov 13, 2017

#449 Should resolve this issue. The idea is to ignore SOA records that are not a suffix of the domain.

fd added a commit to fd/lego that referenced this issue Nov 13, 2017
@fd
Fix zone detection for cross-zone cnames
db86f8c 
CNAMEs cannot co-exist with SOA records so responses with
a CNAME should be skipped.

The `cross-zone-example.assets.sh.` is currently hosted by
me (@fd) and will continue to exist for as long as the assets.sh
domain exists. (The assets.sh domain is used as a CDN and is unlikely
to go away.)

See go-acme#330
xenolf pushed a commit that referenced this issue Nov 15, 2017
@fd @xenolf
Fix zone detection for cross-zone cnames (#449)
b929aa5 
* Fix zone detection for cross-zone cnames

CNAMEs cannot co-exist with SOA records so responses with
a CNAME should be skipped.

The `cross-zone-example.assets.sh.` is currently hosted by
me (@fd) and will continue to exist for as long as the assets.sh
domain exists. (The assets.sh domain is used as a CDN and is unlikely
to go away.)

See #330

* Extracted CNAME checking to simplify the FindZoneByFqdn control flow.
@xenolf
Copy link
Member

xenolf commented Nov 15, 2017

Close via #449

@xenolf xenolf closed this as completed Nov 15, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/cname area/dnsprovider
Milestone
No milestone
Development

No branches or pull requests
5 participants
@fd @tamalsaha @xenolf @ldez @ixdy