bunny: Support delegated sub-domains

[JessThrysoee]

The splitDomain algorithm assumes the apex domain is of "length" 2 and disregards where the SOA is found. This might have been the only way this provider could work in the past, but at this time it seems bunny responds with a correct SOA-RR.

Virtual ( pseudo) sub-domain with A-RR continue to function.

[ldez]

The split was introduced in #2012 because of #2011

So theoretically, this PR will create a regression.

---

ping @TECHNOFAB11

[ldez]

To merge this PR I need something that confirms that Bunny has changed their SOA policy/bug. @JessThrysoee do you have some elements?

I take a look at https://github.com/JessThrysoee/synology-letsencrypt/issues/13 and the discussion seems unfinished.

[JessThrysoee]

It would be nice if someone would corroborate my tests, but it doesn't seem like the workaround is necessary. Perhaps I'm missing something?

Here is some staging output:

---

The subtest domain delegated from example.com:

```console $ dig subtest.example.com +all ; <<>> DiG 9.18.24 <<>> subtest.example.com +all ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13936 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (good) ;; QUESTION SECTION: ;subtest.example.com. IN A ;; AUTHORITY SECTION: subtest.example.com. 900 IN SOA kiki.bunny.net. hostmaster.bunny.net. 2020643963 7200 900 1209600 86400 ;; Query time: 215 msec ;; SERVER: 10.0.10.53#53(10.0.10.53) (UDP) ;; WHEN: Thu Feb 29 21:08:42 CET 2024 ;; MSG SIZE rcvd: 137 ``` ```console $ BUNNY_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \ /tmp/legorepo/main \ --server=https://acme-staging-v02.api.letsencrypt.org/directory \ --email postmaster@example.com --dns bunny --domains subtest.example.com run 2024/02/29 20:57:20 [INFO] [subtest.example.com] acme: Obtaining bundled SAN certificate 2024/02/29 20:57:20 [INFO] [subtest.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11399874203 2024/02/29 20:57:20 [INFO] [subtest.example.com] acme: authorization already valid; skipping challenge 2024/02/29 20:57:20 [INFO] [subtest.example.com] acme: Validations succeeded; requesting certificates 2024/02/29 20:57:24 [INFO] Wait for certificate [timeout: 30s, interval: 500ms] 2024/02/29 20:57:25 [INFO] [subtest.example.com] Server responded with a certificate. ```

---

For a pseudo sub-domain b.sub.subtest.example.com:

```console $ dig b.sub.subtest.example.com +all ; <<>> DiG 9.18.24 <<>> b.sub.subtest.example.com +all ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9697 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (good) ;; QUESTION SECTION: ;b.sub.subtest.example.com. IN A ;; ANSWER SECTION: b.sub.subtest.example.com. 300 IN A 10.10.10.10 ;; Query time: 240 msec ;; SERVER: 10.0.10.53#53(10.0.10.53) (UDP) ;; WHEN: Thu Feb 29 21:09:50 CET 2024 ;; MSG SIZE rcvd: 98 ``` ```console $ BUNNY_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \ /tmp/legorepo/main \ --server=https://acme-staging-v02.api.letsencrypt.org/directory \ --email postmaster@example.com --dns bunny --domains b.sub.subtest.example.com run 2024/02/29 21:01:47 [INFO] [b.sub.subtest.example.com] acme: Obtaining bundled SAN certificate 2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11435783593 2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] acme: Could not find solver for: tls-alpn-01 2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] acme: Could not find solver for: http-01 2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] acme: use dns-01 solver 2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] acme: Preparing to solve DNS-01 2024/02/29 21:01:51 [INFO] [b.sub.subtest.example.com] acme: Trying to solve DNS-01 2024/02/29 21:01:51 [INFO] [b.sub.subtest.example.com] acme: Checking DNS record propagation. [nameservers=10.0.10.53:53,1.1.1.1:53,1.0.0.1:53] 2024/02/29 21:01:53 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s] 2024/02/29 21:02:16 [INFO] [b.sub.subtest.example.com] The server validated our request 2024/02/29 21:02:16 [INFO] [b.sub.subtest.example.com] acme: Cleaning DNS-01 challenge 2024/02/29 21:02:17 [INFO] [b.sub.subtest.example.com] acme: Validations succeeded; requesting certificates 2024/02/29 21:02:17 [INFO] Wait for certificate [timeout: 30s, interval: 500ms] 2024/02/29 21:02:18 [INFO] [b.sub.subtest.example.com] Server responded with a certificate. ```

[ldez]

As you can see the previous behavior was unexpected: https://github.com/go-acme/lego/issues/2011#issuecomment-1704315078

The important information is the response to an SOA call, the authority section is not used.

[JessThrysoee]

@ldez I'm not sure I follow. I have delegated subtest to bunny and their SOA answer looks like the following. And I receive certificates.

$ dig subtest.example.com. SOA

; <<>> DiG 9.18.24 <<>> subtest.example.com. SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40666
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (good)
;; QUESTION SECTION:
;subtest.example.com.       IN  SOA

;; ANSWER SECTION:
subtest.example.com.    491 IN  SOA kiki.bunny.net. hostmaster.bunny.net. 2020032201 7200 900 1209600 86400

;; Query time: 39 msec
;; SERVER: 10.0.10.53#53(10.0.10.53) (UDP)
;; WHEN: Thu Feb 29 21:35:54 CET 2024
;; MSG SIZE  rcvd: 137

[ldez]

Sorry, I put the wrong link in my previous message (I edited it).

[ldez]

After re-reading, I think the split is useless, I think that the root of the problem was just a bad configuration of the domain.