    package acmeserver
    
    import (
    	"context"
    	"errors"
    	"fmt"
    	"log"
    	"strings"
    	"time"
    
    	"github.com/miekg/dns"
    	"golang.org/x/crypto/acme"
    )
    
    const (
    	// rfc2136Timeout bounds the RFC 2136 dynamic-update exchange.
    	// NOTE(review): the unit is not fixed by this declaration — presumably
    	// seconds; confirm against the code that consumes it.
    	rfc2136Timeout   = 600
    	// tsigFudgeSeconds is the TSIG "fudge" value in seconds, i.e. the
    	// clock skew tolerated when validating a signature's timestamp.
    	// Its use is outside the visible part of this file.
    	tsigFudgeSeconds = 300
    )
    
    // dnsValidator holds the settings, taken from Config.DNS by
    // newDNSValidator, that the dns-01 challenge code uses to push TXT
    // records to the authoritative nameservers with RFC 2136 updates.
    type dnsValidator struct {
    	// nameservers are the update targets, copied from config.DNS.Nameservers.
    	nameservers []string
    	// enableTSIG is true when all three TSIG parameters were configured;
    	// newDNSValidator rejects a partial set.
    	enableTSIG bool
    	// keyName is the TSIG key name, normalized to an FQDN (trailing dot).
    	keyName string
    	// keyAlgo is the TSIG algorithm name exactly as given in the config.
    	keyAlgo string
    	// keySecret is the TSIG shared secret exactly as given in the config.
    	keySecret string
    }
    
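    // newDNSValidator builds a dnsValidator from the DNS section of config.
    //
    // It returns an error when config is nil, when no nameservers are
    // configured, or when the TSIG parameters are only partially set: TSIG
    // is enabled only if all of tsig_key_name, tsig_key_algo and
    // tsig_key_secret are provided, and disabled when none of them is.
    func newDNSValidator(config *Config) (*dnsValidator, error) {
    	if config == nil {
    		return nil, errors.New("nil config")
    	}
    	if len(config.DNS.Nameservers) == 0 {
    		return nil, errors.New("no nameservers configured")
    	}

    	// Either none or all of the TSIG parameters must be present: with a
    	// partial set enableTSIG would be turned on while a key component is
    	// missing, so reject that up front.
    	tsigParams := []string{
    		config.DNS.TSIGKeyName,
    		config.DNS.TSIGKeyAlgo,
    		config.DNS.TSIGKeySecret,
    	}
    	n := 0
    	for _, p := range tsigParams {
    		if p != "" {
    			n++
    		}
    	}
    	if n != 0 && n != len(tsigParams) {
    		return nil, errors.New("either none or all of 'tsig_key_name', 'tsig_key_algo' and 'tsig_key_secret' must be set")
    	}

    	// Both the TSIG key name and the algorithm name are domain names
    	// (RFC 8945), and miekg/dns spells its algorithm constants with the
    	// trailing dot (e.g. dns.HmacSHA256 is "hmac-sha256."). Normalizing
    	// the algorithm too, not only the key name, lets a config value
    	// written without the trailing dot match those constants. When TSIG
    	// is disabled both normalize to "." and are never used.
    	return &dnsValidator{
    		nameservers: config.DNS.Nameservers,
    		enableTSIG:  n > 0,
    		keyName:     dns.Fqdn(config.DNS.TSIGKeyName),
    		keyAlgo:     dns.Fqdn(config.DNS.TSIGKeyAlgo),
    		keySecret:   config.DNS.TSIGKeySecret,
    	}, nil
    }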
    
    // makeRR wraps value in a single TXT record named fqdn with the given TTL
    // and returns it as a one-element RR slice, the shape makeMsg takes.
    func (d *dnsValidator) makeRR(fqdn, value string, ttl int) []dns.RR {
    	txt := &dns.TXT{
    		Hdr: dns.RR_Header{
    			Name:   fqdn,
    			Rrtype: dns.TypeTXT,
    			Class:  dns.ClassINET,
    			Ttl:    uint32(ttl),
    		},
    		Txt: []string{value},
    	}
    	return []dns.RR{txt}
    }
    
    func (d *dnsValidator) makeMsg(zone string, rrs []dns.RR, remove bool) *dns.Msg {
    	m := new(dns.Msg)
    	m.SetUpdate(zone)
    	if remove {
    		m.Remove(rrs)
    	} else {
    		m.RemoveRRset(rrs)