bunny: Support delegated sub-domains

[JessThrysoee]

The splitDomain algorithm assumes the apex domain is of "length" 2 and disregards where the SOA is found. This might have been the only way this provider could work in the past, but at this time it seems bunny responds with a correct SOA-RR.

Virtual ( pseudo) sub-domain with A-RR continue to function.

[ldez]

The split was introduced in #2012 because of #2011

So theoretically, this PR will create a regression.

---

ping @TECHNOFAB11

[ldez]

To merge this PR I need something that confirms that Bunny has changed their SOA policy/bug.
@JessThrysoee do you have some elements?

I take a look at JessThrysoee/synology-letsencrypt#13 and the discussion seems unfinished.

[JessThrysoee]

It would be nice if someone would corroborate my tests, but it doesn't seem like the workaround is necessary. Perhaps I'm missing something?

Here is some staging output:

---

The subtest domain delegated from example.com:

$ dig subtest.example.com +all

; <<>> DiG 9.18.24 <<>> subtest.example.com +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13936
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (good)
;; QUESTION SECTION:
;subtest.example.com.		IN	A

;; AUTHORITY SECTION:
subtest.example.com.	900	IN	SOA	kiki.bunny.net. hostmaster.bunny.net. 2020643963 7200 900 1209600 86400

;; Query time: 215 msec
;; SERVER: 10.0.10.53#53(10.0.10.53) (UDP)
;; WHEN: Thu Feb 29 21:08:42 CET 2024
;; MSG SIZE  rcvd: 137

$ BUNNY_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
    /tmp/legorepo/main \
    --server=https://acme-staging-v02.api.letsencrypt.org/directory \
    --email postmaster@example.com --dns bunny --domains subtest.example.com run

2024/02/29 20:57:20 [INFO] [subtest.example.com] acme: Obtaining bundled SAN certificate
2024/02/29 20:57:20 [INFO] [subtest.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11399874203
2024/02/29 20:57:20 [INFO] [subtest.example.com] acme: authorization already valid; skipping challenge
2024/02/29 20:57:20 [INFO] [subtest.example.com] acme: Validations succeeded; requesting certificates
2024/02/29 20:57:24 [INFO] Wait for certificate [timeout: 30s, interval: 500ms]
2024/02/29 20:57:25 [INFO] [subtest.example.com] Server responded with a certificate.

---

For a pseudo sub-domain b.sub.subtest.example.com:

$ dig b.sub.subtest.example.com +all

; <<>> DiG 9.18.24 <<>> b.sub.subtest.example.com +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9697
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (good)
;; QUESTION SECTION:
;b.sub.subtest.example.com.	IN	A

;; ANSWER SECTION:
b.sub.subtest.example.com. 300	IN	A	10.10.10.10

;; Query time: 240 msec
;; SERVER: 10.0.10.53#53(10.0.10.53) (UDP)
;; WHEN: Thu Feb 29 21:09:50 CET 2024
;; MSG SIZE  rcvd: 98

$ BUNNY_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
    /tmp/legorepo/main \
    --server=https://acme-staging-v02.api.letsencrypt.org/directory \
    --email postmaster@example.com --dns bunny --domains b.sub.subtest.example.com run

2024/02/29 21:01:47 [INFO] [b.sub.subtest.example.com] acme: Obtaining bundled SAN certificate
2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11435783593
2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] acme: Could not find solver for: tls-alpn-01
2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] acme: Could not find solver for: http-01
2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] acme: use dns-01 solver
2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] acme: Preparing to solve DNS-01
2024/02/29 21:01:51 [INFO] [b.sub.subtest.example.com] acme: Trying to solve DNS-01
2024/02/29 21:01:51 [INFO] [b.sub.subtest.example.com] acme: Checking DNS record propagation. [nameservers=10.0.10.53:53,1.1.1.1:53,1.0.0.1:53]
2024/02/29 21:01:53 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2024/02/29 21:02:16 [INFO] [b.sub.subtest.example.com] The server validated our request
2024/02/29 21:02:16 [INFO] [b.sub.subtest.example.com] acme: Cleaning DNS-01 challenge
2024/02/29 21:02:17 [INFO] [b.sub.subtest.example.com] acme: Validations succeeded; requesting certificates
2024/02/29 21:02:17 [INFO] Wait for certificate [timeout: 30s, interval: 500ms]
2024/02/29 21:02:18 [INFO] [b.sub.subtest.example.com] Server responded with a certificate.

[ldez]

As you can see the previous behavior was unexpected:
#2011 (comment)

The important information is the response to an SOA call, the authority section is not used.

[JessThrysoee]

@ldez I'm not sure I follow. I have delegated subtest to bunny and their SOA answer looks like the following. And I receive certificates.

$ dig subtest.example.com. SOA

; <<>> DiG 9.18.24 <<>> subtest.example.com. SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40666
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (good)
;; QUESTION SECTION:
;subtest.example.com.		IN	SOA

;; ANSWER SECTION:
subtest.example.com.	491	IN	SOA	kiki.bunny.net. hostmaster.bunny.net. 2020032201 7200 900 1209600 86400

;; Query time: 39 msec
;; SERVER: 10.0.10.53#53(10.0.10.53) (UDP)
;; WHEN: Thu Feb 29 21:35:54 CET 2024
;; MSG SIZE  rcvd: 137

[ldez]

Sorry, I put the wrong link in my previous message (I edited it).

[ldez]

After re-reading, I think the split is useless, I think that the root of the problem was just a bad configuration of the domain.

[ldez]

LGTM