Add CHECK_PUBLIC_DNS_SERVER

getssl

@@ -239,6 +239,7 @@
 # 2020-09-01 Use RSA-PSS when checking remote for DUAL_RSA_ECDSA (#570)
 # 2020-09-02 Fix issue when SANS is space and comma separated (#579) (2.30)
 # 2020-10-02 Various fixes to get_auth_dns and changes to support unit tests (#308)
+# 2020-10-04 Add CHECK_PUBLIC_DNS_SERVER to check the DNS challenge has been updated there
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
@@ -272,6 +273,7 @@ ORIG_UMASK=$(umask)
 PREVIOUSLY_VALIDATED="true"
 PRIVATE_KEY_ALG="rsa"
 PUBLIC_DNS_SERVER=""
+CHECK_PUBLIC_DNS_SERVER="true"
 RELOAD_CMD=""
 RENEW_ALLOW="30"
 REUSE_PRIVATE_KEY="true"
@@ -1278,7 +1280,11 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
     if [[ -z "$all_auth_dns_servers" ]]; then
       error_exit "couldn't find primary DNS server - please set AUTH_DNS_SERVER in config"
     fi
-    primary_ns="$all_auth_dns_servers"
+    if [[ "$CHECK_PUBLIC_DNS_SERVER" == "true" ]]; then
+      primary_ns="$all_auth_dns_servers $PUBLIC_DNS_SERVER"
+    else
+      primary_ns="$all_auth_dns_servers"
+    fi
     return
   fi
 
@@ -1345,6 +1351,10 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
         primary_ns=$(echo "$all_auth_dns_servers" | awk '{print " " $1}')
       fi
 
+      if [[ "$CHECK_PUBLIC_DNS_SERVER" == "true" ]]; then
+        primary_ns="$primary_ns $PUBLIC_DNS_SERVER"
+      fi
+
       debug set primary_ns = "$primary_ns"
       test_output set primary_ns ="$primary_ns"
       return
@@ -1366,6 +1376,11 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
       else
         primary_ns=$(echo "$all_auth_dns_servers" | awk '{print $1}')
       fi
+
+      if [[ "$CHECK_PUBLIC_DNS_SERVER" == "true" ]]; then
+        primary_ns="$primary_ns $PUBLIC_DNS_SERVER"
+      fi
+
       return
     fi
   fi
@@ -1416,6 +1431,10 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
       else
         primary_ns=$(echo "$all_auth_dns_servers" | awk '{print $1}')
       fi
+
+      if [[ "$CHECK_PUBLIC_DNS_SERVER" == "true" ]]; then
+        primary_ns="$primary_ns $PUBLIC_DNS_SERVER"
+      fi
       return
     fi
   fi

test/u1-test-get_auth_dns-dig.bats

@@ -31,7 +31,7 @@ teardown() {
 }
 
 
- @test "Check get_auth_dns using dig NS" {
+@test "Check get_auth_dns using dig NS" {
     # Test that get_auth_dns() handles scenario where NS query returns Authority section
     #
     # ************** EXAMPLE DIG OUTPUT **************
@@ -53,6 +53,7 @@ teardown() {
     _TEST_SKIP_CNAME_CALL=1
 
     PUBLIC_DNS_SERVER=ns1.duckdns.org
+    CHECK_PUBLIC_DNS_SERVER=false
     CHECK_ALL_AUTH_DNS=false
 
     run get_auth_dns ubuntu-getssl.duckdns.org
@@ -79,6 +80,7 @@ teardown() {
 
     # DuckDNS server returns nothing for SOA, so use public dns instead
     PUBLIC_DNS_SERVER=1.0.0.1
+    CHECK_PUBLIC_DNS_SERVER=false
     CHECK_ALL_AUTH_DNS=false
 
     run get_auth_dns ubuntu-getssl.duckdns.org
@@ -94,6 +96,11 @@ teardown() {
     CHECK_ALL_AUTH_DNS=true
     run get_auth_dns ubuntu-getssl.duckdns.org
     assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org'
+
+    # Check that we also check the public DNS server if requested
+    CHECK_PUBLIC_DNS_SERVER=true
+    run get_auth_dns ubuntu-getssl.duckdns.org
+    assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org 1\.0\.0\.1'
 }
 
 
@@ -109,6 +116,7 @@ teardown() {
     _TEST_SKIP_SOA_CALL=1
 
     PUBLIC_DNS_SERVER=1.0.0.1
+    CHECK_PUBLIC_DNS_SERVER=false
     CHECK_ALL_AUTH_DNS=false
 
     run get_auth_dns www.duckdns.org
@@ -121,9 +129,14 @@ teardown() {
     assert_line --partial 'Using dig NS'
 
     # Check all Authoritive DNS servers are returned if requested
-    CHECK_ALL_AUTH_DNS=false
+    CHECK_ALL_AUTH_DNS=true
     run get_auth_dns www.duckdns.org
     assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com'
+
+    # Check that we also check the public DNS server if requested
+    CHECK_PUBLIC_DNS_SERVER=true
+    run get_auth_dns www.duckdns.org
+    assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com 1\.0\.0\.1'
 }
 
 
@@ -146,6 +159,7 @@ teardown() {
     # ns3.duckdns.org.        600     IN      A       52.26.169.94
 
     PUBLIC_DNS_SERVER=ns1.duckdns.org
+    CHECK_PUBLIC_DNS_SERVER=false
     CHECK_ALL_AUTH_DNS=false
 
     run get_auth_dns www.duckdns.org

test/u2-test-get_auth_dns-drill.bats

@@ -72,6 +72,7 @@ teardown() {
     _TEST_SKIP_SOA_CALL=1
 
     PUBLIC_DNS_SERVER=ns1.duckdns.org
+    CHECK_PUBLIC_DNS_SERVER=false
     CHECK_ALL_AUTH_DNS=false
 
     run get_auth_dns ubuntu-getssl.duckdns.org
@@ -103,6 +104,7 @@ teardown() {
 
     # DuckDNS server returns nothing for SOA, so use public dns instead
     PUBLIC_DNS_SERVER=1.0.0.1
+    CHECK_PUBLIC_DNS_SERVER=false
     CHECK_ALL_AUTH_DNS=false
 
     run get_auth_dns ubuntu-getssl.duckdns.org
@@ -118,6 +120,11 @@ teardown() {
     CHECK_ALL_AUTH_DNS=true
     run get_auth_dns ubuntu-getssl.duckdns.org
     assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org'
+
+    # Check that we also check the public DNS server if requested
+    CHECK_PUBLIC_DNS_SERVER=true
+    run get_auth_dns ubuntu-getssl.duckdns.org
+    assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org 1\.0\.0\.1'
 }
 
 
@@ -138,6 +145,7 @@ teardown() {
     _TEST_SKIP_SOA_CALL=1
 
     PUBLIC_DNS_SERVER=1.0.0.1
+    CHECK_PUBLIC_DNS_SERVER=false
     CHECK_ALL_AUTH_DNS=false
 
     run get_auth_dns www.duckdns.org
@@ -150,9 +158,14 @@ teardown() {
     assert_line --partial 'Using drill NS'
 
     # Check all Authoritive DNS servers are returned if requested
-    CHECK_ALL_AUTH_DNS=false
+    CHECK_ALL_AUTH_DNS=true
     run get_auth_dns www.duckdns.org
     assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com'
+
+    # Check that we also check the public DNS server if requested
+    CHECK_PUBLIC_DNS_SERVER=true
+    run get_auth_dns www.duckdns.org
+    assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com 1\.0\.0\.1'
 }
 
 
@@ -183,6 +196,7 @@ teardown() {
     _TEST_SKIP_SOA_CALL=1
 
     PUBLIC_DNS_SERVER=ns1.duckdns.org
+    CHECK_PUBLIC_DNS_SERVER=false
     CHECK_ALL_AUTH_DNS=false
 
     run get_auth_dns www.duckdns.org