From 631af55ec6f6caf5571b1c8ee9388a42eff2d5e9 Mon Sep 17 00:00:00 2001 From: Ran Chen Date: Sun, 20 Feb 2022 18:34:55 +0800 Subject: [PATCH 1/3] Add OverrideDomain option to DNS01Solver This is to delegate the chanllenge to a different domain. With this change, the solver no longer follows CNAME chain when checking for propagation as well. --- dnsutil.go | 10 ---------- solvers.go | 11 +++++++++++ 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/dnsutil.go b/dnsutil.go index 2573cb96..1fe7911b 100644 --- a/dnsutil.go +++ b/dnsutil.go @@ -214,21 +214,11 @@ func checkDNSPropagation(fqdn, value string, resolvers []string) (bool, error) { fqdn += "." } - // Initial attempt to resolve at the recursive NS - r, err := dnsQuery(fqdn, dns.TypeTXT, resolvers, true) - if err != nil { - return false, err - } - // TODO: make this configurable, maybe // if !p.requireCompletePropagation { // return true, nil // } - if r.Rcode == dns.RcodeSuccess { - fqdn = updateDomainWithCName(r, fqdn) - } - authoritativeNss, err := lookupNameservers(fqdn, resolvers) if err != nil { return false, err diff --git a/solvers.go b/solvers.go index 8cdaeaf8..fff27fb1 100644 --- a/solvers.go +++ b/solvers.go @@ -252,6 +252,11 @@ type DNS01Solver struct { // Preferred DNS resolver(s) to use when doing DNS lookups. Resolvers []string + // Override the domain to set the TXT record on. This is + // to delegate the chanllenge to a different domain. Note + // that the solver doesn't follow CNAME/NS record. + OverrideDomain string + txtRecords map[string]dnsPresentMemory // keyed by domain name txtRecordsMu sync.Mutex } 
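Review bot: The doc comment on the new `OverrideDomain` field in the `DNS01Solver` struct hunk does not say what the value has to be: Present writes the TXT record to exactly this string, so it must be the full record name the CA will end up querying (the target of the `_acme-challenge.<domain>` CNAME), not a zone or parent domain, and the CA's resolver follows that CNAME while this solver, as the comment notes, does not. The comment should also state that the override replaces the per-identifier record name for every challenge this solver handles, so one solver instance with an override serves a single identifier; with several identifiers their TXT records all land on the same name. Suggested wording: `// OverrideDomain, if set, is the full DNS name the TXT record is written to instead of the name derived from the challenge identifier (use the target of the _acme-challenge CNAME; the solver does not follow CNAME/NS records). It applies to every challenge this solver presents, so a solver with an override serves one identifier only.` The struct definition continues outside the hunk.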
@@ -259,6 +264,9 @@ type DNS01Solver struct { // Present creates the DNS TXT record for the given ACME challenge. func (s *DNS01Solver) Present(ctx context.Context, challenge acme.Challenge) error { dnsName := challenge.DNS01TXTRecordName() + if s.OverrideDomain != "" { + dnsName = s.OverrideDomain + } keyAuth := challenge.DNS01KeyAuthorization() // multiple identifiers can have the same ACME challenge @@ -304,6 +312,9 @@ func (s *DNS01Solver) Present(ctx context.Context, challenge acme.Challenge) err // timeout, whichever is first. func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error { dnsName := challenge.DNS01TXTRecordName() + if s.OverrideDomain != "" { + dnsName = s.OverrideDomain + } keyAuth := challenge.DNS01KeyAuthorization() timeout := s.PropagationTimeout From ba5037f9a7e62edeff37e77852a6c3302f151556 Mon Sep 17 00:00:00 2001 From: Matt Holt Date: Fri, 4 Mar 2022 21:02:14 -0700 Subject: [PATCH 2/3] Update solvers.go --- solvers.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solvers.go b/solvers.go index fff27fb1..409e5741 100644 --- a/solvers.go +++ b/solvers.go @@ -253,7 +253,7 @@ type DNS01Solver struct { Resolvers []string // Override the domain to set the TXT record on. This is - // to delegate the chanllenge to a different domain. Note + // to delegate the challenge to a different domain. Note // that the solver doesn't follow CNAME/NS record. OverrideDomain string From 4be5af51f6ace5aeb48d33af9200c10569208be4 Mon Sep 17 00:00:00 2001 From: Ran Chen Date: Mon, 7 Mar 2022 22:25:59 +0800 Subject: [PATCH 3/3] Only check the authoritative NS when OverrideDomain is set and keep the old code path otherwise. --- dnsutil.go | 10 ++++++++++ solvers.go | 6 +++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/dnsutil.go b/dnsutil.go index 1fe7911b..2573cb96 100644 --- a/dnsutil.go +++ b/dnsutil.go 
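Review bot: The override is applied in Present and Wait, but nothing in this patch applies it on the cleanup side; if CleanUp derives the name with `challenge.DNS01TXTRecordName()` as these two hunks do (its body is outside the hunks), it will look for a `txtRecords` entry stored under the override name, miss it, and never delete the record, leaving the key authorization published in the delegated zone after the order completes. Rather than repeating the three-line `if s.OverrideDomain != "" { dnsName = s.OverrideDomain }` block in a third place, factor it into one helper, `func (s *DNS01Solver) recordName(c acme.Challenge) string { if s.OverrideDomain != "" { return s.OverrideDomain }; return c.DNS01TXTRecordName() }`, and call it from Present, Wait and CleanUp so the paths cannot drift. Note also that the struct comment says `txtRecords` is keyed by domain name and the comment just after the Present hunk says multiple identifiers can share a challenge; with an override every identifier maps to the same key, so presenting a multi-identifier order with this solver collides in that map. Present's and Wait's bodies continue outside the hunks.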
@@ -214,11 +214,21 @@ func checkDNSPropagation(fqdn, value string, resolvers []string) (bool, error) { fqdn += "." } + // Initial attempt to resolve at the recursive NS + r, err := dnsQuery(fqdn, dns.TypeTXT, resolvers, true) + if err != nil { + return false, err + } + // TODO: make this configurable, maybe // if !p.requireCompletePropagation { // return true, nil // } + if r.Rcode == dns.RcodeSuccess { + fqdn = updateDomainWithCName(r, fqdn) + } + authoritativeNss, err := lookupNameservers(fqdn, resolvers) if err != nil { return false, err diff --git a/solvers.go b/solvers.go index 409e5741..287d2be6 100644 --- a/solvers.go +++ b/solvers.go @@ -334,7 +334,11 @@ func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error return ctx.Err() } var ready bool - ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers) + if s.OverrideDomain == "" { + ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers) + } else { + ready, err = checkAuthoritativeNss(dnsName, keyAuth, resolvers) + } if err != nil { return fmt.Errorf("checking DNS propagation of %s: %w", dnsName, err) }
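Review bot: The new `else` branch in Wait passes `resolvers` straight to `checkAuthoritativeNss`, whereas `checkDNSPropagation` in the dnsutil.go hunk first calls `lookupNameservers(fqdn, resolvers)` and presumably hands that result to the same function; if its third parameter is the zone's authoritative servers (the signature is not in the hunk), the override path is querying the configured recursive resolvers rather than the authoritative servers the commit message says it checks, so readiness is only as fresh as those resolvers' caches. The same branch also skips the `fqdn += "."` normalization that checkDNSPropagation applies before any query, so an OverrideDomain given without a trailing dot reaches the DNS query in non-FQDN form. Suggest replacing the else branch with `nss, nsErr := lookupNameservers(dns.Fqdn(dnsName), resolvers)`, returning a wrapped `nsErr` if non-nil, then `ready, err = checkAuthoritativeNss(dns.Fqdn(dnsName), keyAuth, nss)`; alternatively give checkDNSPropagation a flag that skips only the CNAME rewrite when the override is set, which keeps a single propagation path. Wait's loop begins and ends outside the hunk.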