IPv6-only support

[ghost]

Pending Let's Encrypts's IPv6 support (IPv6-only hosts), I guess bootstrapping off a magic IPv4 DNS forwarder is going to be a problem...

/*  .../lego/acme/dns_challenge.go */
func checkDNS(domain, fqdn string) bool {
    // check if the expected DNS entry was created. If not wait for some time and try again.
    m := new(dns.Msg)
    m.SetQuestion(domain+".", dns.TypeSOA)
    c := new(dns.Client)
    in, _, err := c.Exchange(m, "8.8.8.8:53")  // <= ouch
    if err != nil {
        return false
    }
    // ...

There are systems out there that let only certain DNS forwarders through their firewalls (to mitigate cache poison attacks etc), so maybe it would be an idea to provide a configurable forwarder?

[xenolf]

Yes, I agree that this may be a problem. My initial thought was to get the standard DNS resolver for the system and use that, but it didn't work out.

Making it configurable may be the best option.

[ghost]

Well, it can be that easy! I did not test it with an actual staging / live challenge, though. (It does not fix the fascist firewall problem, but that is an edge case.)

[xenolf]

I will leave this open to track the "fascist firewall" issue :P

[xenolf]

There is not really something we can do in a broad sense. We will handle the issues if any in relation to this on a case-by-case basis.