Open munnerz opened 5 years ago
:wave: @munnerz I think a PR that allows mocking SOA records would be an OK fit for challtestsrv. Do you want to take a crack at it? I'm unlikely to have cycles myself anytime soon.
Sure thing, I'll try and find some time over the next few weeks 😄
@munnerz @cpu do you mind if I take a crack at this? I actually need it for the TF ACME provider too (or, in turn, lego, where DNS propagation checks try SOA, and possibly others but I need to check on that. 🙂 )
Go for it, a "few weeks" has definitely passed by now 😅
Hey all, probably not going to do this after all, just on part of time and what not. I found a workaround in lego with the DisableCompletePropagationRequirement option which gets past all of the lego stuff for SOA/DNS propagation checks.
Here's what I did find though: looks like there is already mockSOA() for returning a mock SOA record as part of the authority section for all DNS responses. This could probably be re-purposed for just answering the SOA query proper. One other thing I did notice when testing this all in lego is that lego was looking for NS records too, so some NS mocking may need to be done too.
Hopefully this helps the next person that wants to give this a go!
As part of cert-manager, we perform SOA record lookups when 'presenting' DNS01 challenges in order to determine which DNS zone should be searched for when solving a challenge.
With challtestsrv, this is obviously not necessary, however in order to make testing my own application easier it would be really helpful if challtestsrv could support SOA record lookups.
This would allow me to run tests whereby cert-manager is pointed at challtestsrv to solve & to 'self check' challenges, before allowing Pebble to check the authorization.
On the other hand, if we aren't doing the expected/sensible thing here then please let me know so I can make appropriate changes in our own implementation!
For what it's worth, we also perform NS lookups in order to find the authority for the zone, so that we can query the authoritative nameservers. This behaviour can be toggled in our client however, so NS record support is not a blocker for us utilising challtestsrv 😄
/cc @cpu