DNS propagation check succeeds if any configured resolver succeeds (#274

) * Changed solver DNS propagation check to only check authoritative nameservers directly if there are no explicitly given resolvers. * Changed solver DNS propagation check to only succeed of any one of the checked nameservers has the required TXT entry
caddyserver · Mar 14, 2024 · c3c4a12 · c3c4a12
1 parent 7a2236b
commit c3c4a12
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 18 deletions.
diff --git a/dnsutil.go b/dnsutil.go
@@ -210,8 +210,10 @@ func populateNameserverPorts(servers []string) {
 	}
 }
 
-// checkDNSPropagation checks if the expected TXT record has been propagated to all authoritative nameservers.
-func checkDNSPropagation(fqdn, value string, resolvers []string) (bool, error) {
+// checkDNSPropagation checks if the expected TXT record has been propagated.
+// If checkAuthoritativeServers is true, the authoritative nameservers are checked directly,
+// otherwise only the given resolvers are checked.
+func checkDNSPropagation(fqdn, value string, resolvers []string, checkAuthoritativeServers bool) (bool, error) {
 	if !strings.HasSuffix(fqdn, ".") {
 		fqdn += "."
 	}
@@ -226,18 +228,22 @@ func checkDNSPropagation(fqdn, value string, resolvers []string) (bool, error) {
 		fqdn = updateDomainWithCName(r, fqdn)
 	}
 
-	authoritativeNss, err := lookupNameservers(fqdn, resolvers)
-	if err != nil {
-		return false, err
+	if checkAuthoritativeServers {
+		authoritativeServers, err := lookupNameservers(fqdn, resolvers)
+		if err != nil {
+			return false, err
+		}
+		populateNameserverPorts(authoritativeServers)
+		resolvers = authoritativeServers
 	}
 
-	return checkAuthoritativeNss(fqdn, value, authoritativeNss)
+	return checkNameservers(fqdn, value, resolvers)
 }
 
-// checkAuthoritativeNss queries each of the given nameservers for the expected TXT record.
-func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, error) {
+// checkNameservers checks if any of the given nameservers has the expected TXT record.
+func checkNameservers(fqdn, value string, nameservers []string) (bool, error) {
 	for _, ns := range nameservers {
-		r, err := dnsQuery(fqdn, dns.TypeTXT, []string{net.JoinHostPort(ns, "53")}, true)
+		r, err := dnsQuery(fqdn, dns.TypeTXT, []string{ns}, true)
 		if err != nil {
 			return false, err
 		}
@@ -252,23 +258,17 @@ func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, erro
 			return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn)
 		}
 
-		var found bool
 		for _, rr := range r.Answer {
 			if txt, ok := rr.(*dns.TXT); ok {
 				record := strings.Join(txt.Txt, "")
 				if record == value {
-					found = true
-					break
+					return true, nil
 				}
 			}
 		}
-
-		if !found {
-			return false, nil
-		}
 	}
 
-	return true, nil
+	return false, nil
 }
 
 // lookupNameservers returns the authoritative nameservers for the given fqdn.

diff --git a/solvers.go b/solvers.go
@@ -361,6 +361,7 @@ func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error
 	const interval = 2 * time.Second
 
 	// how we'll do the checks
+	checkAuthoritativeServers := len(s.Resolvers) == 0
 	resolvers := recursiveNameservers(s.Resolvers)
 
 	var err error
@@ -372,7 +373,7 @@ func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error
 			return ctx.Err()
 		}
 		var ready bool
-		ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers)
+		ready, err = checkDNSPropagation(dnsName, keyAuth, resolvers, checkAuthoritativeServers)
 		if err != nil {
 			return fmt.Errorf("checking DNS propagation of %q: %w", dnsName, err)
 		}