diff --git a/CHANGELOG.md b/CHANGELOG.md
index 95833ad7b..4daa6f928 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,23 @@
 Certbot adheres to [Semantic Versioning](https://semver.org/).
+## 0.35.1 - master
+
+### Fixed
+
+* Support for specifying an authoritative base domain in our dns-rfc2136 plugin
+ has been removed. This feature was added in our last release but had a bug
+ which caused the plugin to fail so the feature has been removed until it can
+ be added properly.
+
+Despite us having broken lockstep, we are continuing to release new versions of
+all Certbot components during releases for the time being, however, the only
+package with changes other than its version number was:
+
+* certbot-dns-rfc2136
+
+More details about these changes can be found on our GitHub repo.
+
 ## 0.35.0 - 2019-06-05
 ### Added
diff --git a/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py b/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py
index cebff2841..12b360959 100644
--- a/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py
+++ b/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py
@@ -21,8 +21,8 @@ Credentials
 -----------
 Use of this plugin requires a configuration file containing the target DNS
-server, optional authorative domain and optional port that supports RFC 2136 Dynamic Updates,
-the name of the TSIG key, the TSIG key secret itself and the algorithm used if it's
+server and optional port that supports RFC 2136 Dynamic Updates, the name
+of the TSIG key, the TSIG key secret itself and the algorithm used if it's
 different to HMAC-MD5.
 .. code-block:: ini
@@ -33,8 +33,6 @@ different to HMAC-MD5.
 dns_rfc2136_server = 192.0.2.1
 # Target DNS port
 dns_rfc2136_port = 53
- # Authorative domain (optional, will try to auto-detect if missing)
- dns_rfc2136_base_domain = example.com
 # TSIG key name
 dns_rfc2136_name = keyname.
 # TSIG key secret
diff --git a/certbot-dns-rfc2136/certbot_dns_rfc2136/dns_rfc2136.py b/certbot-dns-rfc2136/certbot_dns_rfc2136/dns_rfc2136.py
index 5db8c3020..2061374e0 100644
--- a/certbot-dns-rfc2136/certbot_dns_rfc2136/dns_rfc2136.py
+++ b/certbot-dns-rfc2136/certbot_dns_rfc2136/dns_rfc2136.py
@@ -79,33 +79,25 @@ class Authenticator(dns_common.DNSAuthenticator):
 self._get_rfc2136_client().del_txt_record(validation_name, validation)
 def _get_rfc2136_client(self):
- key = _RFC2136Key(self.credentials.conf('name'),
- self.credentials.conf('secret'),
- self.ALGORITHMS.get(self.credentials.conf('algorithm'),
- dns.tsig.HMAC_MD5))
 return _RFC2136Client(self.credentials.conf('server'),
 int(self.credentials.conf('port') or self.PORT),
- key,
- self.credentials.conf('base-domain'))
+ self.credentials.conf('name'),
+ self.credentials.conf('secret'),
+ self.ALGORITHMS.get(self.credentials.conf('algorithm'),
+ dns.tsig.HMAC_MD5))
-class _RFC2136Key(object):
- def __init__(self, name, secret, algorithm):
- self.name = name
- self.secret = secret
- self.algorithm = algorithm
 class _RFC2136Client(object):
 """
 Encapsulates all communication with the target DNS server.
 """
- def __init__(self, server, port, base_domain, key):
+ def __init__(self, server, port, key_name, key_secret, key_algorithm):
 self.server = server
 self.port = port
 self.keyring = dns.tsigkeyring.from_text({
- key.name: key.secret
+ key_name: key_secret
 })
- self.algorithm = key.algorithm
- self.base_domain = base_domain
+ self.algorithm = key_algorithm
 def add_txt_record(self, record_name, record_content, record_ttl):
 """
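Review bot: The `self.ALGORITHMS.get(self.credentials.conf('algorithm'), dns.tsig.HMAC_MD5)` argument in `_get_rfc2136_client` falls back to HMAC-MD5 not only when no algorithm is configured but also when the configured name is missing from `ALGORITHMS`, so a misspelt value in the credentials file would quietly sign updates with a legacy MAC instead of the intended one. Unless the name is validated before this point (not visible in the hunk), distinguish the two cases and raise `errors.PluginError` for an unknown name. The removed lines also suggest the bug came from positional arguments in the wrong order (`key` was passed where `__init__` declared `base_domain`), so passing `key_name=`, `key_secret=` and `key_algorithm=` by keyword would guard the new five-argument call against a repeat. The `Authenticator` class starts above the hunk.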
@@ -179,33 +171,23 @@ class _RFC2136Client(object):
 def _find_domain(self, record_name):
 """
- If 'base_domain' option is specified check if the requested domain matches this base domain
- and return it. If not explicitly specified find the closest domain with an SOA record for
- the given domain name.
+ Find the closest domain with an SOA record for a given domain name.
- :param str record_name: The record name for which to find the base domain.
+ :param str record_name: The record name for which to find the closest SOA record.
 :returns: The domain, if found.
 :rtype: str
 :raises certbot.errors.PluginError: if no SOA record can be found.
 """
- if self.base_domain:
- if not record_name.endswith(self.base_domain):
- raise errors.PluginError('Requested domain {0} does not match specified base '
- 'domain {1}.'
- .format(record_name, self.base_domain))
- else:
- return self.base_domain
- else:
- domain_name_guesses = dns_common.base_domain_name_guesses(record_name)
+ domain_name_guesses = dns_common.base_domain_name_guesses(record_name)
- # Loop through until we find an authoritative SOA record
- for guess in domain_name_guesses:
- if self._query_soa(guess):
- return guess
+ # Loop through until we find an authoritative SOA record
+ for guess in domain_name_guesses:
+ if self._query_soa(guess):
+ return guess
- raise errors.PluginError('Unable to determine base domain for {0} using names: {1}.'
- .format(record_name, domain_name_guesses))
+ raise errors.PluginError('Unable to determine base domain for {0} using names: {1}.'
+ .format(record_name, domain_name_guesses))
 def _query_soa(self, domain_name):
 """
diff --git a/certbot-dns-rfc2136/certbot_dns_rfc2136/dns_rfc2136_test.py b/certbot-dns-rfc2136/certbot_dns_rfc2136/dns_rfc2136_test.py
index bed3445b6..d800f1ec7 100644
--- a/certbot-dns-rfc2136/certbot_dns_rfc2136/dns_rfc2136_test.py
+++ b/certbot-dns-rfc2136/certbot_dns_rfc2136/dns_rfc2136_test.py
@@ -73,12 +73,9 @@ class AuthenticatorTest(test_util.TempDirTestCase, dns_test_common.BaseAuthentic
 class RFC2136ClientTest(unittest.TestCase):
 def setUp(self):
- from certbot_dns_rfc2136.dns_rfc2136 import _RFC2136Client, _RFC2136Key
+ from certbot_dns_rfc2136.dns_rfc2136 import _RFC2136Client
- self.rfc2136_client = _RFC2136Client(SERVER,
- PORT,
- None,
- _RFC2136Key(NAME, SECRET, dns.tsig.HMAC_MD5))
+ self.rfc2136_client = _RFC2136Client(SERVER, PORT, NAME, SECRET, dns.tsig.HMAC_MD5)
 @mock.patch("dns.query.tcp")
 def test_add_txt_record(self, query_mock):
@@ -165,28 +162,6 @@ class RFC2136ClientTest(unittest.TestCase):
 self.rfc2136_client._find_domain,
 'foo.bar.'+DOMAIN)
- def test_find_domain_with_base(self):
- # _query_soa | pylint: disable=protected-access
- self.rfc2136_client._query_soa = mock.MagicMock(side_effect=[False, False, True])
- self.rfc2136_client.base_domain = 'bar.' + DOMAIN
-
- # _find_domain | pylint: disable=protected-access
- domain = self.rfc2136_client._find_domain('foo.bar.' + DOMAIN)
-
- self.assertTrue(domain == 'bar.' + DOMAIN)
-
- def test_find_domain_with_wrong_base(self):
-
- # _query_soa | pylint: disable=protected-access
- self.rfc2136_client._query_soa = mock.MagicMock(side_effect=[False, False, True])
- self.rfc2136_client.base_domain = 'wrong.' + DOMAIN
-
- self.assertRaises(
- errors.PluginError,
- # _find_domain | pylint: disable=protected-access
- self.rfc2136_client._find_domain,
- 'foo.bar.' + DOMAIN)
-
 @mock.patch("dns.query.udp")
 def test_query_soa_found(self, query_mock):
 query_mock.return_value = mock.MagicMock(answer=[mock.MagicMock()], flags=dns.flags.AA)
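Review bot: `setUp` in `RFC2136ClientTest` constructs `_RFC2136Client` directly, so this hunk leaves the path from `Authenticator._get_rfc2136_client` to the constructor untested, and that wiring is where the removed feature appears to have broken. If `AuthenticatorTest` (outside the hunk) does not already cover it, add a test that patches `_RFC2136Client`, calls `_get_rfc2136_client()` and checks the call, e.g. `client_cls.assert_called_once_with(SERVER, PORT, NAME, SECRET, dns.tsig.HMAC_MD5)`. The class body continues beyond the hunk.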