go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License
7.89k stars 1.01k forks

Allow use DNS over HTTPS (DoH) to #1276

Open karnauskas opened 3 years ago

karnauskas commented 3 years ago

DNS is waiting for TXT propagation while trying to connect directly to authoritative name servers over port 53, which could be blocked. Allow use of DoH to solve the dns01 challenge.

Rough idea can be seen here: https://github.com/go-acme/lego/compare/master...karnauskas:doh

Collaboration on how to integrate this properly is welcome.

ldez commented 3 years ago

Hello,

The idea of introducing DoH seems good, but I don't think that DoH must be used as a fallback when DNS queries fail.

I think the DoH must be introduced as a kind of optional replacement of the classic resolvers.

For now, I know neither what the options might look like nor the core implementation, I need to think about that.

If you have some ideas, please share them with us.

karnauskas commented 3 years ago

My code changes are just a tiny bit of code which worked in my case. I don't see this working in a generic situation. In my situation the DNS resolver address is on an allow list, but auth name servers can't be reached directly via UDP (who wants to expose DNS queries to the ISP, right?)

And yes, DoH should be a configurable option. Perhaps each DNS provider should have an (un)supported fallback option, e.g. CloudFlare or Google providers, and perhaps some others.

DNS query failure over UDP is also interesting: timeouts are reported just after the 2 min timeout, however they fail every attempt.

IMHO the core/upstream DNS library has options for using UDP, TCP and TCP+TLS for transport; I assume it would be easy to integrate DoH (well, it's not always easy).
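The dns01 propagation check over DoH that this thread discusses, as an added example in Go that is not lego's own code nor the linked branch: it uses the `application/dns-json` reply format of the Cloudflare and Google resolvers instead of port 53, and the endpoint URL, record name and token value in `main` are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// dohResponse is the application/dns-json reply served by the Cloudflare and Google resolvers.
type dohResponse struct {
	Status int `json:"Status"` // DNS RCODE: 0 NOERROR, 3 NXDOMAIN (record not visible yet)
	Answer []struct {
		Type int    `json:"type"` // 16 = TXT
		Data string `json:"data"` // TXT data arrives quoted: "\"value\""
	} `json:"Answer"`
}

// TXTPropagated asks the DoH endpoint for the TXT records of fqdn and reports
// whether one of them equals the expected challenge value. Nothing touches
// port 53: the query travels inside HTTPS to the resolver.
func TXTPropagated(client *http.Client, endpoint, fqdn, expected string) (bool, error) {
	q := url.Values{"name": {fqdn}, "type": {"TXT"}}
	req, err := http.NewRequest(http.MethodGet, endpoint+"?"+q.Encode(), nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Accept", "application/dns-json")
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("doh: HTTP %d from resolver", resp.StatusCode)
	}
	var r dohResponse
	if err := json.NewDecoder(resp.Body).Decode(&r); err != nil {
		return false, err
	}
	for _, a := range r.Answer {
		if r.Status == 0 && a.Type == 16 && strings.Trim(a.Data, `"`) == expected {
			return true, nil
		}
	}
	return false, nil // not propagated yet (or NXDOMAIN): the caller retries later
}

// Assumed endpoint, record name and token; a real run needs network access to the resolver.
func main() { fmt.Println(TXTPropagated(http.DefaultClient, "https://cloudflare-dns.com/dns-query", "_acme-challenge.example.com", "token")) }
```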