DNS propagation check succeeds if any configured resolver succeeds (#274)

pgeh · web-flow · commit c3c4a1263a0c · 2024-03-14T15:21:07.000-06:00
* Changed solver DNS propagation check to only check authoritative nameservers directly if there are no explicitly given resolvers.

* Changed solver DNS propagation check to only succeed of any one of the checked nameservers has the required TXT entry
diff --git a/dnsutil.go b/dnsutil.go
@@ -210,8 +210,10 @@ func populateNameserverPorts(servers []string) {
 	}
 }
 
-// checkDNSPropagation checks if the expected TXT record has been propagated to all authoritative nameservers.
-func checkDNSPropagation(fqdn, value string, resolvers []string) (bool, error) {
+// checkDNSPropagation checks if the expected TXT record has been propagated.
+// If checkAuthoritativeServers is true, the authoritative nameservers are checked directly,
+// otherwise only the given resolvers are checked.
+func checkDNSPropagation(fqdn, value string, resolvers []string, checkAuthoritativeServers bool) (bool, error) {
 	if !strings.HasSuffix(fqdn, ".") {
 		fqdn += "."
 	}
@@ -226,18 +228,22 @@ func checkDNSPropagation(fqdn, value string, resolvers []string) (bool, error) {
 		fqdn = updateDomainWithCName(r, fqdn)
 	}
 
-	authoritativeNss, err := lookupNameservers(fqdn, resolvers)
-	if err != nil {
-		return false, err
+	if checkAuthoritativeServers {
+		authoritativeServers, err := lookupNameservers(fqdn, resolvers)
+		if err != nil {
+			return false, err
+		}
+		populateNameserverPorts(authoritativeServers)
+		resolvers = authoritativeServers
 	}
 
-	return checkAuthoritativeNss(fqdn, value, authoritativeNss)
+	return checkNameservers(fqdn, value, resolvers)
 }
 
-// checkAuthoritativeNss queries each of the given nameservers for the expected TXT record.
-func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, error) {
+// checkNameservers checks if any of the given nameservers has the expected TXT record.
+func checkNameservers(fqdn, value string, nameservers []string) (bool, error) {
 	for _, ns := range nameservers {
-		r, err := dnsQuery(fqdn, dns.TypeTXT, []string{net.JoinHostPort(ns, "53")}, true)
+		r, err := dnsQuery(fqdn, dns.TypeTXT, []string{ns}, true)
 		if err != nil {
 			return false, err
 		}
@@ -252,23 +258,17 @@ func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, erro
 			return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn)
 		}
 
-		var found bool
 		for _, rr := range r.Answer {
 			if txt, ok := rr.(*dns.TXT); ok {
 				record := strings.Join(txt.Txt, "")
 				if record == value {
-					found = true
-					break
+					return true, nil
 				}
 			}
 		}
-
-		if !found {
-			return false, nil
-		}
 	}
 
-	return true, nil
+	return false, nil
 }
 
 // lookupNameservers returns the authoritative nameservers for the given fqdn.
diff --git a/solvers.go b/solvers.go
@@ -361,6 +361,7 @@ func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error
 	const interval = 2 * time.Second
 
 	// how we'll do the checks
+	checkAuthoritativeServers := len(s.Resolvers) == 0
 	resolvers := recursiveNameservers(s.Resolvers)
 
 	var err error
@@ -372,7 +373,7 @@ func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error
 			return ctx.Err()
 		}
 		var ready bool
-		ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers)
+		ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers, checkAuthoritativeServers)
 		if err != nil {
 			return fmt.Errorf("checking DNS propagation of %q: %w", dnsName, err)
 		}

Original file line number	Diff line number	Diff line change
`@@ -210,8 +210,10 @@ func populateNameserverPorts(servers []string) {`
`210`	`210`	`}`
`211`	`211`	`}`
`212`	`212`
`213`		`-// checkDNSPropagation checks if the expected TXT record has been propagated to all authoritative nameservers.`
`214`		`-func checkDNSPropagation(fqdn, value string, resolvers []string) (bool, error) {`
	`213`	`+// checkDNSPropagation checks if the expected TXT record has been propagated.`
	`214`	`+// If checkAuthoritativeServers is true, the authoritative nameservers are checked directly,`
	`215`	`+// otherwise only the given resolvers are checked.`
	`216`	`+func checkDNSPropagation(fqdn, value string, resolvers []string, checkAuthoritativeServers bool) (bool, error) {`
`215`	`217`	`if !strings.HasSuffix(fqdn, ".") {`
`216`	`218`	`fqdn += "."`
`217`	`219`	`}`
`@@ -226,18 +228,22 @@ func checkDNSPropagation(fqdn, value string, resolvers []string) (bool, error) {`
`226`	`228`	`fqdn = updateDomainWithCName(r, fqdn)`
`227`	`229`	`}`
`228`	`230`
`229`		`- authoritativeNss, err := lookupNameservers(fqdn, resolvers)`
`230`		`- if err != nil {`
`231`		`- return false, err`
	`231`	`+ if checkAuthoritativeServers {`
	`232`	`+ authoritativeServers, err := lookupNameservers(fqdn, resolvers)`
	`233`	`+ if err != nil {`
	`234`	`+ return false, err`
	`235`	`+ }`
	`236`	`+ populateNameserverPorts(authoritativeServers)`
	`237`	`+ resolvers = authoritativeServers`
`232`	`238`	`}`
`233`	`239`
`234`		`- return checkAuthoritativeNss(fqdn, value, authoritativeNss)`
	`240`	`+ return checkNameservers(fqdn, value, resolvers)`
`235`	`241`	`}`
`236`	`242`
`237`		`-// checkAuthoritativeNss queries each of the given nameservers for the expected TXT record.`
`238`		`-func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, error) {`
	`243`	`+// checkNameservers checks if any of the given nameservers has the expected TXT record.`
	`244`	`+func checkNameservers(fqdn, value string, nameservers []string) (bool, error) {`
`239`	`245`	`for _, ns := range nameservers {`
`240`		`- r, err := dnsQuery(fqdn, dns.TypeTXT, []string{net.JoinHostPort(ns, "53")}, true)`
	`246`	`+ r, err := dnsQuery(fqdn, dns.TypeTXT, []string{ns}, true)`
`241`	`247`	`if err != nil {`
`242`	`248`	`return false, err`
`243`	`249`	`}`
`@@ -252,23 +258,17 @@ func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, erro`
`252`	`258`	`return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn)`
`253`	`259`	`}`
`254`	`260`
`255`		`- var found bool`
`256`	`261`	`for _, rr := range r.Answer {`
`257`	`262`	`if txt, ok := rr.(*dns.TXT); ok {`
`258`	`263`	`record := strings.Join(txt.Txt, "")`
`259`	`264`	`if record == value {`
`260`		`- found = true`
`261`		`- break`
	`265`	`+ return true, nil`
`262`	`266`	`}`
`263`	`267`	`}`
`264`	`268`	`}`
`265`		`-`
`266`		`- if !found {`
`267`		`- return false, nil`
`268`		`- }`
`269`	`269`	`}`
`270`	`270`
`271`		`- return true, nil`
	`271`	`+ return false, nil`
`272`	`272`	`}`
`273`	`273`
`274`	`274`	`// lookupNameservers returns the authoritative nameservers for the given fqdn.`
Original file line number	Diff line number	Diff line change
`@@ -361,6 +361,7 @@ func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error`
`361`	`361`	`const interval = 2 * time.Second`
`362`	`362`
`363`	`363`	`// how we'll do the checks`
	`364`	`+ checkAuthoritativeServers := len(s.Resolvers) == 0`
`364`	`365`	`resolvers := recursiveNameservers(s.Resolvers)`
`365`	`366`
`366`	`367`	`var err error`
`@@ -372,7 +373,7 @@ func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error`
`372`	`373`	`return ctx.Err()`
`373`	`374`	`}`
`374`	`375`	`var ready bool`
`375`		`- ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers)`
	`376`	`+ ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers, checkAuthoritativeServers)`
`376`	`377`	`if err != nil {`
`377`	`378`	`return fmt.Errorf("checking DNS propagation of %q: %w", dnsName, err)`
`378`	`379`	`}`