Implement OverrideDomain is DNS01Solver (#160)

* Add OverrideDomain option to DNS01Solver This is to delegate the challenge to a different domain. With this change, the solver no longer follows CNAME chain when checking for propagation as well. * Update solvers.go * Only check the authoritative NS when OverrideDomain is set and keep the old code path otherwise. Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
caddyserver · Mar 7, 2022 · f60ce01 · f60ce01
1 parent 797d29b
commit f60ce01
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/solvers.go b/solvers.go
@@ -252,13 +252,21 @@ type DNS01Solver struct {
 	// Preferred DNS resolver(s) to use when doing DNS lookups.
 	Resolvers []string
 
+	// Override the domain to set the TXT record on. This is
+	// to delegate the challenge to a different domain. Note
+	// that the solver doesn't follow CNAME/NS record.
+	OverrideDomain string
+
 	txtRecords   map[string]dnsPresentMemory // keyed by domain name
 	txtRecordsMu sync.Mutex
 }
 
 // Present creates the DNS TXT record for the given ACME challenge.
 func (s *DNS01Solver) Present(ctx context.Context, challenge acme.Challenge) error {
 	dnsName := challenge.DNS01TXTRecordName()
+	if s.OverrideDomain != "" {
+		dnsName = s.OverrideDomain
+	}
 	keyAuth := challenge.DNS01KeyAuthorization()
 
 	// multiple identifiers can have the same ACME challenge
@@ -304,6 +312,9 @@ func (s *DNS01Solver) Present(ctx context.Context, challenge acme.Challenge) err
 // timeout, whichever is first.
 func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error {
 	dnsName := challenge.DNS01TXTRecordName()
+	if s.OverrideDomain != "" {
+		dnsName = s.OverrideDomain
+	}
 	keyAuth := challenge.DNS01KeyAuthorization()
 
 	timeout := s.PropagationTimeout
@@ -323,7 +334,11 @@ func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error
 			return ctx.Err()
 		}
 		var ready bool
-		ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers)
+		if s.OverrideDomain == "" {
+			ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers)
+		} else {
+			ready, err = checkAuthoritativeNss(dnsName, keyAuth, resolvers)
+		}
 		if err != nil {
 			return fmt.Errorf("checking DNS propagation of %s: %w", dnsName, err)
 		}