certbot-dns-rfc2136: catch error when a hostname is being used for dns_rfc2136_server (#8990)

* Raise separate error when a hostname is being used for `dns_rfc2136_server` * Explicitly say IP address instead of hostname in docs * Don't catch ValueError, but actually check the server value * Add tests * Add CHANGELOG entry
2026-06-03 13:59:02 -04:00 · 2021-08-23 01:38:14 +02:00 · 2021-08-23 01:38:14 +02:00 · 295dc5a2a9
commit 295dc5a2a9
parent a8a8a39ff1
4 changed files with 32 additions and 4 deletions
--- a/certbot-dns-rfc2136/certbot_dns_rfc2136/init.py
+++ b/certbot-dns-rfc2136/certbot_dns_rfc2136/init.py
@ -33,7 +33,7 @@ different to HMAC-MD5.
   :name: credentials.ini
   :caption: Example credentials file:

-   # Target DNS server
+   # Target DNS server (IPv4 or IPv6 address, not a hostname)
   dns_rfc2136_server = 192.0.2.1
   # Target DNS port
   dns_rfc2136_port = 53
--- a/certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py
+++ b/certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py
@ -3,6 +3,7 @@ import logging
 from typing import Optional

 import dns.flags
+from dns.inet import is_address
 import dns.message
 import dns.name
 import dns.query
@ -54,7 +55,11 @@ class Authenticator(dns_common.DNSAuthenticator):
        return 'This plugin configures a DNS TXT record to respond to a dns-01 challenge using ' + \
               'RFC 2136 Dynamic Updates.'

-    def _validate_algorithm(self, credentials):
+    def _validate_credentials(self, credentials):
+        server = credentials.conf('server')
+        if not is_address(server):
+            raise errors.PluginError("The configured target DNS server ({0}) is not a valid IPv4 "
+                                     "or IPv6 address. A hostname is not allowed.".format(server))
        algorithm = credentials.conf('algorithm')
        if algorithm:
            if not self.ALGORITHMS.get(algorithm.upper()):
@ -69,7 +74,7 @@ class Authenticator(dns_common.DNSAuthenticator):
                'secret': 'TSIG key secret',
                'server': 'The target DNS server'
            },
-            self._validate_algorithm
+            self._validate_credentials
        )

    def _perform(self, _domain, validation_name, validation):
--- a/certbot-dns-rfc2136/tests/dns_rfc2136_test.py
+++ b/certbot-dns-rfc2136/tests/dns_rfc2136_test.py
@ -74,6 +74,27 @@ class AuthenticatorTest(test_util.TempDirTestCase, dns_test_common.BaseAuthentic

        self.auth.perform([self.achall])

+    def test_invalid_server_raises(self):
+        config = VALID_CONFIG.copy()
+        config["rfc2136_server"] = "example.com"
+        dns_test_common.write(config, self.config.rfc2136_credentials)
+
+        self.assertRaises(errors.PluginError,
+                          self.auth.perform,
+                          [self.achall])
+
+    @test_util.patch_display_util()
+    def test_valid_server_passes(self, unused_mock_get_utility):
+        config = VALID_CONFIG.copy()
+        dns_test_common.write(config, self.config.rfc2136_credentials)
+
+        self.auth.perform([self.achall])
+
+        config["rfc2136_server"] = "2001:db8:3333:4444:cccc:dddd:eeee:ffff"
+        dns_test_common.write(config, self.config.rfc2136_credentials)
+
+        self.auth.perform([self.achall])
+

 class RFC2136ClientTest(unittest.TestCase):

--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@ -6,7 +6,9 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).

 ### Added

-*
+* The certbot-dns-rfc2136 plugin always assumed the use of an IP address as the
+  target server, but this was never checked. Until now. The plugin raises an error
+  if the configured target server is not a valid IPv4 or IPv6 address.

 ### Changed