Merge branch 'master' into gandi_v5-auth-changes

StackExchange · Dec 18, 2023 · 352b45b · 352b45b
2 parents c1f10fa + edf0471
commit 352b45b
Show file tree

Hide file tree

Showing 5 changed files with 117 additions and 20 deletions.
diff --git a/commands/types/dnscontrol.d.ts b/commands/types/dnscontrol.d.ts
@@ -398,7 +398,9 @@ declare function CAA(name: string, tag: "issue" | "issuewild" | "iodef", value:
  * * `iodef:` Report all violation to configured mail address.
  * * `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
  * * `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
+ * * `issue_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
  * * `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
+ * * `issuewild_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
  *
  * `CAA_BUILDER()` returns multiple records (when configured as example above):
  *
@@ -411,7 +413,7 @@ declare function CAA(name: string, tag: "issue" | "issuewild" | "iodef", value:
  *
  * @see https://docs.dnscontrol.org/language-reference/domain-modifiers/caa_builder
  */
-declare function CAA_BUILDER(opts: { label?: string; iodef: string; iodef_critical?: boolean; issue: string[]; issuewild: string[] }): DomainModifier;
+declare function CAA_BUILDER(opts: { label?: string; iodef: string; iodef_critical?: boolean; issue: string[]; issue_critical?: boolean; issuewild: string[]; issuewild_critical?: boolean }): DomainModifier;
 
 /**
  * `CF_REDIRECT` uses Cloudflare-specific features ("Forwarding URL" Page Rules) to

diff --git a/documentation/functions/domain/CAA_BUILDER.md b/documentation/functions/domain/CAA_BUILDER.md
@@ -5,14 +5,18 @@ parameters:
   - iodef
   - iodef_critical
   - issue
+  - issue_critical
   - issuewild
+  - issuewild_critical
 parameters_object: true
 parameter_types:
   label: string?
   iodef: string
   iodef_critical: boolean?
   issue: string[]
+  issue_critical: boolean?
   issuewild: string[]
+  issuewild_critical: boolean?
 ---
 
 DNSControl contains a `CAA_BUILDER` which can be used to simply create
@@ -22,7 +26,7 @@ authorized certificate authorities and the builder cares about the rest.
 
 ## Example
 
-For example you can use:
+### Simple example
 
 {% code title="dnsconfig.js" %}
 ```javascript
@@ -39,15 +43,7 @@ CAA_BUILDER({
 ```
 {% endcode %}
 
-The parameters are:
-
-* `label:` The label of the CAA record. (Optional. Default: `"@"`)
-* `iodef:` Report all violation to configured mail address.
-* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
-* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
-* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
-
-`CAA_BUILDER()` returns multiple records (when configured as example above):
+`CAA_BUILDER()` builds multiple records:
 
 {% code title="dnsconfig.js" %}
 ```javascript
@@ -57,3 +53,64 @@ CAA("@", "issue", "comodoca.com")
 CAA("@", "issuewild", ";")
 ```
 {% endcode %}
+
+which in turns yield the following records:
+
+```text
+@ 300 IN CAA 128 iodef "mailto:test@example.com"
+@ 300 IN CAA 0 issue "letsencrypt.org"
+@ 300 IN CAA 0 issue "comodoca.com"
+@ 300 IN CAA 0 issuewild ";"
+```
+
+### Example with CAA_CRITICAL flag on all records
+
+The same example can be enriched with CAA_CRITICAL on all records:
+
+{% code title="dnsconfig.js" %}
+```javascript
+CAA_BUILDER({
+  label: "@",
+  iodef: "mailto:test@example.com",
+  iodef_critical: true,
+  issue: [
+    "letsencrypt.org",
+    "comodoca.com",
+  ],
+  issue_critical: true,
+  issuewild: "none",
+  issuewild_critical: true,
+})
+```
+{% endcode %}
+
+`CAA_BUILDER()` then builds (the same) multiple records - all with CAA_CRITICAL flag set:
+
+{% code title="dnsconfig.js" %}
+```javascript
+CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL)
+CAA("@", "issue", "letsencrypt.org", CAA_CRITICAL)
+CAA("@", "issue", "comodoca.com", CAA_CRITICAL)
+CAA("@", "issuewild", ";", CAA_CRITICAL)
+```
+{% endcode %}
+
+which in turns yield the following records:
+
+```text
+@ 300 IN CAA 128 iodef "mailto:test@example.com"
+@ 300 IN CAA 128 issue "letsencrypt.org"
+@ 300 IN CAA 128 issue "comodoca.com"
+@ 300 IN CAA 128 issuewild ";"
+```
+
+
+### Parameters
+
+* `label:` The label of the CAA record. (Optional. Default: `"@"`)
+* `iodef:` Report all violation to configured mail address.
+* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
+* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
+* `issue_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
+* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
+* `issuewild_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
diff --git a/documentation/providers/axfrddns.md b/documentation/providers/axfrddns.md
@@ -98,7 +98,7 @@ var DSP_AXFRDDNS = NewDnsProvider("axfrddns", {
             "ns4.example.com."
         ]
     }
-}
+)
 ```
 {% endcode %}
 
@@ -107,7 +107,7 @@ var DSP_AXFRDDNS = NewDnsProvider("axfrddns", {
 {
   "axfrddns": {
     "TYPE": "AXFRDDNS",
-    "nameservers": "ns1.example.com.,ns2.example.com.,ns3.example.com.,ns4.example.com."
+    "nameservers": "ns1.example.com,ns2.example.com,ns3.example.com,ns4.example.com"
   }
 }
 ```
@@ -144,6 +144,24 @@ the following error message:
 Please consider adding default `nameservers` or an explicit `master` in `creds.json`.
 ```
 
+### Transfer/AXFR server
+
+As mentioned above, the AXFR+DDNS provider will send AXFR requests to the
+primary master for the zone. On some networks, the AXFR requests are handled
+by a separate server to DDNS requests. Use the `transfer-server` option in
+`creds.json`. If not specified, it falls back to the primary master.
+
+{% code title="creds.json" %}
+```json
+{
+  "axfrddns": {
+    "TYPE": "AXFRDDNS",
+    "transfer-server": "233.252.0.0"
+  }
+}
+```
+{% endcode %}
+
 ### Buggy DNS servers regarding CNAME updates
 
 When modifying a CNAME record, or when replacing an A record by a

diff --git a/pkg/js/helpers.js b/pkg/js/helpers.js
@@ -1478,13 +1478,23 @@ function CAA_BUILDER(value) {
         }
     }
 
-    if (value.issue)
+    if (value.issue) {
+        var flag = function() {};
+        if (value.issue_critical) {
+          flag = CAA_CRITICAL;
+        }
         for (var i = 0, len = value.issue.length; i < len; i++)
-            r.push(CAA(value.label, 'issue', value.issue[i]));
+            r.push(CAA(value.label, 'issue', value.issue[i], flag));
+    }
 
-    if (value.issuewild)
+    if (value.issuewild) {
+        var flag = function() {};
+        if (value.issuewild_critical) {
+          flag = CAA_CRITICAL;
+        }
         for (var i = 0, len = value.issuewild.length; i < len; i++)
-            r.push(CAA(value.label, 'issuewild', value.issuewild[i]));
+            r.push(CAA(value.label, 'issuewild', value.issuewild[i], flag));
+    }
 
     return r;
 }

diff --git a/providers/axfrddns/axfrddnsProvider.go b/providers/axfrddns/axfrddnsProvider.go
@@ -58,6 +58,7 @@ type axfrddnsProvider struct {
 	rand                *rand.Rand
 	master              string
 	updateMode          string
+	transferServer      string
 	transferMode        string
 	nameservers         []*models.Nameserver
 	transferKey         *Key
@@ -125,6 +126,14 @@ func initAxfrDdns(config map[string]string, providermeta json.RawMessage) (provi
 	} else {
 		return nil, fmt.Errorf("nameservers list is empty: creds.json needs a default `nameservers` or an explicit `master`")
 	}
+	if config["transfer-server"] != "" {
+		api.transferServer = config["transfer-server"]
+		if !strings.Contains(api.transferServer, ":") {
+			api.transferServer = api.transferServer + ":53"
+		}
+	} else {
+		api.transferServer = api.master
+	}
 	api.updateKey, err = readKey(config["update-key"], "update-key")
 	if err != nil {
 		return nil, err
@@ -145,6 +154,7 @@ func initAxfrDdns(config map[string]string, providermeta json.RawMessage) (provi
 			"nameservers",
 			"update-key",
 			"transfer-key",
+			"transfer-server",
 			"update-mode",
 			"transfer-mode",
 			"domain",
@@ -214,9 +224,9 @@ func (c *axfrddnsProvider) getAxfrConnection() (*dns.Transfer, error) {
 	var con net.Conn = nil
 	var err error = nil
 	if c.transferMode == "tcp-tls" {
-		con, err = tls.Dial("tcp", c.master, &tls.Config{})
+		con, err = tls.Dial("tcp", c.transferServer, &tls.Config{})
 	} else {
-		con, err = net.Dial("tcp", c.master)
+		con, err = net.Dial("tcp", c.transferServer)
 	}
 	if err != nil {
 		return nil, err
@@ -247,7 +257,7 @@ func (c *axfrddnsProvider) FetchZoneRecords(domain string) ([]dns.RR, error) {
 		}
 	}
 
-	envelope, err := transfer.In(request, c.master)
+	envelope, err := transfer.In(request, c.transferServer)
 	if err != nil {
 		return nil, err
 	}