caddyserver / certmagic

Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal
https://pkg.go.dev/github.com/caddyserver/certmagic?tab=doc
Apache License 2.0

for CNAME pointing into a different zone, SOA doesn't contain correct zone apex #117

Closed xiruizhao closed 3 years ago

xiruizhao commented 3 years ago

What version of the package are you using?

v0.12.1-0.20201215190346-201f83a06067

What are you trying to do?

I was using the ACME DNS challenge to obtain TLS certificates on caddy v2.3.0 for a domain which has a CNAME record pointing to another domain in a different zone. It kept failing. [The cause is a misconfigured nameserver.]

What steps did you take?

For demonstration, I configured a subdomain aliasing to another zone root. Querying a DNS resolver will return a CNAME record and an SOA record for the other zone in the ANSWER section.

What did you expect to happen, and what actually happened instead?

How do you think this should be fixed?

~If a domain has a CNAME record pointing to a different zone root, DNS resolvers will return an SOA answer for the other zone, which will generate an incorrect zone apex by this function~. https://github.com/caddyserver/certmagic/blob/81657a23377cad89ed4c08d3741b40b3cda055c5/dnsutil.go#L20-L32

Please link to any related issues, pull requests, and/or discussion

Bonus: What do you use CertMagic for, and do you find it useful?

xiruizhao commented 3 years ago

The issue is fixed by https://github.com/caddyserver/certmagic/blob/81657a23377cad89ed4c08d3741b40b3cda055c5/dnsutil.go#L88-L92. But the comment is not clear. A CNAME record in the ANSWER section indicates that this is a subdomain aliased to another zone root and should be continued.
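The zone-apex walk discussed in this thread, as an added example that is not certmagic's own code: it is a simplified, offline reimplementation of the "query SOA at each label, walk toward the root" approach, with the CNAME rule the linked lines implement placed beside the naive variant the issue describes. The `Resolver` interface, the `fakeResolver` and every zone, name and nameserver in `SampleResolver` are constructed for this example; a real implementation would send `TypeSOA` queries to the configured nameservers instead.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Record types used here (numeric values as assigned in RFC 1035).
const (
	TypeCNAME uint16 = 5
	TypeSOA   uint16 = 6
)

// RR is a minimal resource record: owner name, type and one data field
// (the CNAME target, or the SOA MNAME). That is all apex discovery needs.
type RR struct {
	Name string
	Type uint16
	Data string
}

// Response carries only the ANSWER section of an SOA query.
type Response struct {
	Answer []RR
}

// Resolver abstracts the SOA lookup so the walk can run without a network.
type Resolver interface {
	QuerySOA(name string) (Response, error)
}

// zoneApex walks from fqdn toward the root, querying SOA at each label
// boundary, and returns the owner name of the first SOA found in ANSWER.
// With skipAliases set, a candidate whose ANSWER contains a CNAME is
// skipped: the SOA returned alongside it belongs to the alias target's
// zone, not to the zone the candidate lives in.
func zoneApex(r Resolver, fqdn string, skipAliases bool) (string, error) {
	fqdn = strings.ToLower(strings.TrimSuffix(fqdn, ".")) + "."
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".") + "."
		resp, err := r.QuerySOA(candidate)
		if err != nil {
			return "", fmt.Errorf("SOA query for %s: %w", candidate, err)
		}
		if skipAliases && containsType(resp.Answer, TypeCNAME) {
			continue // alias into another zone: keep walking up
		}
		for _, rr := range resp.Answer {
			if rr.Type == TypeSOA {
				return rr.Name, nil
			}
		}
		// No SOA in ANSWER (NODATA/NXDOMAIN): not an apex, try the parent.
	}
	return "", errors.New("no zone apex found for " + fqdn)
}

// FindZoneApex is the CNAME-aware walk (the behaviour of the fixed code).
func FindZoneApex(r Resolver, fqdn string) (string, error) {
	return zoneApex(r, fqdn, true)
}

// NaiveZoneApex accepts the first SOA in ANSWER regardless of a CNAME,
// which is the incorrect-apex behaviour the issue reports.
func NaiveZoneApex(r Resolver, fqdn string) (string, error) {
	return zoneApex(r, fqdn, false)
}

func containsType(rrs []RR, t uint16) bool {
	for _, rr := range rrs {
		if rr.Type == t {
			return true
		}
	}
	return false
}

// fakeResolver is constructed sample data standing in for real nameservers.
// Unknown names yield an empty ANSWER, i.e. NODATA.
type fakeResolver map[string]Response

func (f fakeResolver) QuerySOA(name string) (Response, error) {
	return f[strings.ToLower(name)], nil
}

// SampleResolver models alias.example.org. as a CNAME into the apex of a
// different zone, other.net., the situation described in the issue.
func SampleResolver() fakeResolver {
	return fakeResolver{
		"alias.example.org.": {Answer: []RR{
			{Name: "alias.example.org.", Type: TypeCNAME, Data: "other.net."},
			{Name: "other.net.", Type: TypeSOA, Data: "ns1.other.net."},
		}},
		"example.org.": {Answer: []RR{{Name: "example.org.", Type: TypeSOA, Data: "ns1.example.org."}}},
		"other.net.":   {Answer: []RR{{Name: "other.net.", Type: TypeSOA, Data: "ns1.other.net."}}},
	}
}

func main() {
	r := SampleResolver()
	for _, name := range []string{"alias.example.org.", "www.example.org."} {
		naive, _ := NaiveZoneApex(r, name)
		fixed, _ := FindZoneApex(r, name)
		fmt.Printf("%-20s naive=%-12s cname-aware=%s\n", name, naive, fixed)
	}
}
```

For the aliased name the naive walk returns `other.net.`, so a DNS-01 TXT record would be placed in the wrong zone and validation fails; the CNAME-aware walk skips that candidate and continues to `example.org.`, the zone the record must actually be written to.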