From 5a4028c763ab2dc20b53097679b689a5de85f800 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Zegan?= Date: Wed, 20 Sep 2017 20:29:48 +0200 Subject: [PATCH] fix dns-rfc2136 plugin not respecting cnames (#5101) * fix dns-rfc2136 plugin not respecting cnames The plugin does not work if the domain of a certificate is found to have a cname record in dns. That is because when plugin tries to find zone boundary, it searches from the domain up for the SOA record, and each DNS response is checked for the answer being empty, assuming that empty answer means no SOA record is present and the higher level domain has to be checked, and non empty answer section means that this domain is a zone root. However, if the initial domain, or any upper level domain except the zone root has a cname record pointing to the zone root, then the server will, instead of returning an empty answer, return one containing two records, first a cname pointing to the zone root, then the SOA record of zone root, and that will make the check fail and use a wrong domain as a zone name during update. Fix that by replacing a check for empty answer with explicitly searching in response's answer section for a SOA record matching the domain that is being checked. * dns-rfc2136: fix lint errors --- certbot-dns-rfc2136/certbot_dns_rfc2136/dns_rfc2136.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/certbot-dns-rfc2136/certbot_dns_rfc2136/dns_rfc2136.py b/certbot-dns-rfc2136/certbot_dns_rfc2136/dns_rfc2136.py index b4b71bb75..85a3bf9bb 100644 --- a/certbot-dns-rfc2136/certbot_dns_rfc2136/dns_rfc2136.py +++ b/certbot-dns-rfc2136/certbot_dns_rfc2136/dns_rfc2136.py @@ -208,8 +208,8 @@ class _RFC2136Client(object): rcode = response.rcode() # Authoritative Answer bit should be set - if (rcode == dns.rcode.NOERROR and len(response.answer) > 0 and - response.flags & dns.flags.AA): + if (rcode == dns.rcode.NOERROR and response.get_rrset(response.answer, + domain, dns.rdataclass.IN, dns.rdatatype.SOA) and response.flags & dns.flags.AA): logger.debug('Received authoritative SOA response for %s', domain_name) return True