author | Ran Chen <crccw@google.com> | 2022-03-09 03:03:43 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-03-08 12:03:43 -0700 |
commit | d9b1d463259a6f8f520edd6659dac11218c82b4e (patch) | |
tree | a48f08560bf50c9b416b2858f1528422d52c2e8b /modules | |
parent | c8f2834b514f8bfb405c11be53d60a6cfc5228ca (diff) |
caddytls: dns_challenge_override_domain for challenge delegation (#4596)
* Add an override_domain option to allow DNS challenge delegation
CNAME can be used to delegate answering the challenge to another DNS
zone. One usage is to reduce the exposure of the DNS credential [1].
Based on the discussion in caddy/certmagic#160, we are adding an option
to allow the user explicitly specify the domain to delegate, instead of
following the CNAME chain.
This needs caddy/certmagic#160.
* rename override_domain to dns_challenge_override_domain
* Update CertMagic; fix spelling
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
Diffstat (limited to 'modules')
-rw-r--r-- | modules/caddytls/acmeissuer.go | 14 | ||||
-rw-r--r-- | modules/caddytls/automation.go | 5 |
2 files changed, 19 insertions, 0 deletions
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 42cef02..48a961f 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -144,6 +144,7 @@ func (iss *ACMEIssuer) Provision(ctx caddy.Context) error {
 TTL: time.Duration(iss.Challenges.DNS.TTL),
 PropagationTimeout: time.Duration(iss.Challenges.DNS.PropagationTimeout),
 Resolvers: iss.Challenges.DNS.Resolvers,
+ OverrideDomain: iss.Challenges.DNS.OverrideDomain,
 }
 }
 }
@@ -417,6 +418,19 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 return d.ArgErr()
 }
+ case "dns_challenge_override_domain":
+ arg := d.RemainingArgs()
+ if len(arg) != 1 {
+ return d.ArgErr()
+ }
+ if iss.Challenges == nil {
+ iss.Challenges = new(ChallengesConfig)
+ }
+ if iss.Challenges.DNS == nil {
+ iss.Challenges.DNS = new(DNSChallengeConfig)
+ }
+ iss.Challenges.DNS.OverrideDomain = arg[0]
+
 case "preferred_chains":
 chainPref, err := ParseCaddyfilePreferredChainsOptions(d)
 if err != nil {
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 95b1772..eb97c82 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -370,6 +370,11 @@ type DNSChallengeConfig struct {
 // Often necessary to configure when using split-horizon DNS.
 Resolvers []string `json:"resolvers,omitempty"`
+ // Override the domain to use for the DNS challenge. This
+ // is to delegate the challenge to a different domain,
+ // e.g. one that updates faster or one with a provider API.
+ OverrideDomain string `json:"override_domain,omitempty"`
+
 solver acmez.Solver
 }
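Review bot: In the `dns_challenge_override_domain` case the value is stored from `arg[0]` exactly as written, so an empty quoted argument, a trailing dot, or mixed case is accepted at parse time and only shows up later, when the solver tries to present the TXT record at that name. An early rejection of the empty case keeps the Caddyfile and JSON paths from silently producing a "set but unset" override: `if arg[0] == "" { return d.Errf("dns_challenge_override_domain cannot be empty") }`. Whether the name should also be lowercased or have a trailing dot stripped depends on how the CertMagic solver compares it, which is not visible in this hunk, so confirm before normalizing. UnmarshalCaddyfile begins and ends outside this hunk.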
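Review bot: The new doc comment on `OverrideDomain` does not say what form the value takes — the zone that the challenge label is prepended to, or the full record name the operator's CNAME points at — and a wrong guess fails only at issuance time; the hunk in acmeissuer.go just passes the value through to the solver, so the exact contract has to be confirmed against CertMagic and then stated here. It should also make clear that Caddy neither creates nor checks the CNAME from the certificate name's challenge record to this domain, and that one override applies to every name this issuer orders for, which the operator must account for if several orders run at once. Suggested wording, matching Go doc-comment convention of leading with the field name: `// OverrideDomain, when set, is used in place of the certificate name when the DNS challenge record is created. It allows delegating the challenge (typically via CNAME, which Caddy does not set up or verify) to a zone that updates faster or whose provider API credentials are acceptable to expose here.`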