Adds DNS-01 challenge type support. #19
Conversation
This commit adds DNS-01 challenges as a supported challenge type for Pebble. The WFE is modified to construct a DNS-01 challenge along with the HTTP-01 and TLS-SNI-02 challenges for every new pending authz. A new configuration parameter is added to the config file for the upstream DNS resolvers to use. The validation implementation is very close to Boulder's VA & `bdns` implementation, but simplified for just TXT records & a simple DNS-01 challenge mechanism. Note: this commit adds a dependency on miekg/dns and you may need to `go get ./...` since we don't do any sort of godeps magic/vendoring at present.
va/va.go
Outdated
m := new(dns.Msg) | ||
m.SetQuestion(dns.Fqdn(hostname), qtype) | ||
// Set DNSSEC OK bit for resolver |
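Review bot: the comment `// Set DNSSEC OK bit for resolver` on the last line of this region does not describe what the EDNS0 call it introduces does: in miekg/dns, `SetEdns0(udpsize, do)` appends an OPT RR whose primary effect is advertising a larger UDP buffer size, and the DO bit is only the second argument. Since this validator only reads TXT records and does not evaluate DNSSEC itself, either reword the comment to say a larger UDP reply size is being requested or drop the call and leave the query at `m.SetQuestion(dns.Fqdn(hostname), qtype)`.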
This is not accurate. The docs for this:
func (dns *Msg) SetEdns0(udpsize uint16, do bool) *Msg
SetEdns0 appends an EDNS0 OPT RR to the message. TSIG should always be the last RR in a message.
So this should be something like "accept large UDP replies." Also note that (a) we don't expect large replies because we don't evaluate DNS ourselves, and (b) if you're talking to 8.8.8.8, you're going over the public internet, which I think has a lower MTU than in-datacenter. So you'd expect IP fragmentation with a 4096-bit reply. I think let's delete this for now, and we can experiment with different settings if it causes real-world problems.
Interesting! That will teach me to lift a comment without verifying. That came unedited from Boulder.
I will remove it. Thanks!
Yeah, I remember being confused about this bit and this comment several times. I think probably part of the confusion is that the main reason to set this higher is because DNSSEC replies are large.
va/va.go
Outdated
@@ -22,6 +24,7 @@ import ( | |||
"github.com/letsencrypt/pebble/acme" | |||
"github.com/letsencrypt/pebble/ca" | |||
"github.com/letsencrypt/pebble/core" | |||
"github.com/miekg/dns" |
Is there a reason to use miekg/dns here instead of https://golang.org/pkg/net/#LookupTXT ?
I didn't know it was available :-) I was following the Boulder VA which used this dep. I'll try to rework on top of net.LookupTXT
@jsha feedback addressed - thanks!
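The reworked validator described in this thread, written out as an added example that is not Pebble's own code: it looks up TXT records at `_acme-challenge.<domain>` through a function with the signature of `net.LookupTXT`, so the standard-library resolver or a constructed one for offline runs can be passed in, and compares each record against the digest an ACME client must publish for DNS-01 (base64url(SHA-256(key authorization)) without padding, per RFC 8555 section 8.4). The `ExpectedDNS01Value`, `ValidateDNS01` and `LookupTXTFunc` names and the sample zone are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"strings"
)

// LookupTXTFunc matches the signature of net.LookupTXT so the real resolver
// or a constructed one can be supplied (assumed name, not Pebble's API).
type LookupTXTFunc func(name string) ([]string, error)

// ExpectedDNS01Value derives the TXT value a client must publish for DNS-01:
// base64url(SHA-256(keyAuthorization)) with no padding (RFC 8555 section 8.4).
func ExpectedDNS01Value(keyAuthorization string) string {
	sum := sha256.Sum256([]byte(keyAuthorization))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ValidateDNS01 queries _acme-challenge.<domain> and succeeds if any returned
// TXT record equals the expected digest. Extra, unrelated records are allowed;
// a lookup failure is reported distinctly from a plain mismatch.
func ValidateDNS01(lookup LookupTXTFunc, domain, keyAuthorization string) error {
	name := "_acme-challenge." + strings.TrimSuffix(domain, ".")
	records, err := lookup(name)
	if err != nil {
		return fmt.Errorf("dns-01: TXT lookup for %s failed: %w", name, err)
	}
	want := ExpectedDNS01Value(keyAuthorization)
	for _, r := range records {
		if r == want { // exact comparison: no trimming, no case folding
			return nil
		}
	}
	return errors.New("dns-01: no TXT record at " + name + " matches the key authorization digest")
}

func main() {
	// Constructed zone standing in for the upstream resolver (not real data).
	keyAuth := "token123.thumbprint456"
	zone := map[string][]string{"_acme-challenge.example.test": {"unrelated", ExpectedDNS01Value(keyAuth)}}
	lookup := func(name string) ([]string, error) {
		if txt, ok := zone[name]; ok {
			return txt, nil
		}
		return nil, &net.DNSError{Err: "no such host", Name: name, IsNotFound: true}
	}
	fmt.Println(ValidateDNS01(lookup, "example.test", keyAuth)) // <nil>
	fmt.Println(ValidateDNS01(lookup, "missing.test", keyAuth)) // lookup error
}
```

Passing `net.LookupTXT` as the `lookup` argument uses the system resolver configured for the host, which is the substitution suggested in the review above.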
This allows testing Boulder's code to log when old TLS versions are used.