domain_dns_challenge() - nsupdate of external DNS zones needs additional options

[SDuesterhaupt]

'nsupdate' without further options can run only on the DNS directly. Update accesses from external networks are refused generally.

The following adaptions in the function 'domain_dns_challenge()' allow the 'DNS challenge' on an external DNS server:

# SDuesterhaupt: 2019-12-19 - 'nsupdate' without further options can run only on the DNS directly
#                             External accesses are refused generally.
#                             
#                             Additional options: File with TSIG key (DNS_TSIG)
#                                                 DNS server (DNS_SERVER)
#                                                 Zone which shall be updated (DNS_ZONE)
#printf 'update %s _acme-challenge.%s. 300 IN TXT "%s"\n\n' "$1" "$DOMAIN" "$DNS_CHALLENGE" |
    #nsupdate || die "Could not $1 $CHALLENGE_TYPE type challenge token with value $DNS_CHALLENGE for domain $DOMAIN via nsupdate"
MyDNSChallengeContent="server $DNS_SERVER"
#MyDNSChallengeContent="$MyDNSChallengeContent\ndebug yes"
MyDNSChallengeContent="$MyDNSChallengeContent\nzone $DNS_ZONE."
MyDNSChallengeContent="$MyDNSChallengeContent\nupdate $1 _acme-challenge.$DOMAIN. 300 IN TXT $DNS_CHALLENGE"
#MyDNSChallengeContent="$MyDNSChallengeContent\nshow"
MyDNSChallengeContent="$MyDNSChallengeContent\nsend\n\n"

#echo -e "$MyDNSChallengeContent" > nsupdate.txt
#nsupdate -k "$DNS_TSIG" -v nsupdate.txt || die "Could not $1 $CHALLENGE_TYPE type challenge token with value $DNS_CHALLENGE for domain $DOMAIN via nsupdate"

echo -e "$MyDNSChallengeContent" | nsupdate -k "$DNS_TSIG" || die "Could not $1 $CHALLENGE_TYPE type challenge token with value $DNS_CHALLENGE for domain $DOMAIN via nsupdate"

Additionally the following options have to be considered:

dns-server|d)
	DNS_SERVER="$OPTARG"
	;;
dns-tsig|t)
	DNS_TSIG="$OPTARG"
	;;
dns-zone|z)
	DNS_ZONE="$OPTARG"
	;;

Call sequence:

# Wildcard certificate, call with options
./letsencrypt_v2.sh sign -l dns-01 -d root-dns.example365.com -t tsig.key -z exampleABC.com -a letsencrypt_account.key -k abc.exampleABC.com.key.pem -w /var/www/default/.well-known/acme-challenge -c ./tmp/abc.exampleABC.com.cert.pem abc.exampleABC.com *.abc.exampleABC.com

[bruncsak]

Hi @SDuesterhaupt,
When I first implemented the dns-01 challenge I was concentrating on the external script which can be called with the -P flag. I put the 'nslookup' program in the code as a placeholder when the script is called without -P flag. (I did not even tested this code branch.)
The suggestion for the modification is logical, however it does not address possible different DNS update cases. I am thinking to put a call for a well-known update program having a well-defined generic DNS update API. That allows this ACME client script to be DNS provider agnostic. I see many other ACME clients is overwhelmed with lot of code to describe different DNS provider cases. I think that should be separated into a different program. In addition too, this other program could be used not only for DNS update generated via ACME client, but for any other DNS update function.

[SDuesterhaupt]

Hey @bruncsak,

Hm, okay... maybe let's take a look from this side - I prefer your script because it provides the fundamental basements of the ACME protocol without any ballast. One script for the most essential functions within the ACME protocol. Nice. It's easy to analyze the script concerning the safety. I just added my preferred configuration around your script. Other solutions want to be the Wolf in sheep's clothing like you mentioned.

The question is where you will see in the future the limits of your script concerning the functionality. In my opinion your script should just offer the basic functionality to fulfill the minimum requirements within a server environment. Therefore you need these three additional options 'Server', 'Zone' and optionally the 'TSIG key'. Optionally the script can provide an interface for a complexer DNS setup. Why not.

So the code snippets are simply designed to fulfill the mimimum requirements. Everything I've offered here it just runs in my productive environment. I just want to share the results with you.

[rdoeffinger]

My 2 cents, I suspect this will become a lot of code once you add in to not break things for anyone who does not need/have a tsig, does not need/want to set the zone etc.
Maybe this kind of functionality simply makes more sense as a -P script.
It's the same for the HTTP method, that only works when running on the same server as the web server.
And maybe there is an overlap with my issue #11 , maybe there should be just a couple of example -P scripts so not everyone in your situation has to implement and debug by themselves.
That keeps the main script small and simple without bloat that only a few users need, while making it easy to get common cases up and running.