DNS Updates

bhillkeyfactor · bhillkeyfactor · commit 109b639e9658 · 2025-12-09T12:42:13.000-05:00
diff --git a/AcmeCaPlugin/AcmeCaPlugin.cs b/AcmeCaPlugin/AcmeCaPlugin.cs
@@ -345,7 +345,7 @@ private async Task ProcessAuthorizations(AcmeClient acmeClient, OrderDetails ord
                 throw new InvalidOperationException("Missing or invalid authorization list in order payload.");
             }
 
-            var dnsVerifier = new DnsVerificationHelper(_logger);
+            var dnsVerifier = new DnsVerificationHelper(_logger, config.DnsVerificationServer);
             var pendingChallenges = new List<(Authorization authz, Challenge challenge, Dns01ChallengeValidationDetails validation)>();
 
             // First pass: Create all DNS records
diff --git a/AcmeCaPlugin/AcmeCaPluginConfig.cs b/AcmeCaPlugin/AcmeCaPluginConfig.cs
@@ -202,6 +202,15 @@ public static Dictionary<string, PropertyConfigInfo> GetPluginAnnotations()
                     Hidden = true,
                     DefaultValue = "",
                     Type = "Secret"
+                },
+
+                // DNS Verification Settings
+                ["DnsVerificationServer"] = new PropertyConfigInfo()
+                {
+                    Comments = "DNS server to use for verifying TXT record propagation. For private/local DNS zones, set this to your authoritative DNS server IP (e.g., 10.3.10.37). Leave empty to use public DNS servers (Google, Cloudflare, etc.).",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
                 }
 
             };
diff --git a/AcmeCaPlugin/AcmeClientConfig.cs b/AcmeCaPlugin/AcmeClientConfig.cs
@@ -48,5 +48,8 @@ public class AcmeClientConfig
         public string WindowsDns_Username { get; set; } = null;
         public string WindowsDns_Password { get; set; } = null;
 
+        // DNS Verification Settings
+        public string DnsVerificationServer { get; set; } = null;
+
     }
 }
diff --git a/AcmeCaPlugin/Clients/DNS/DnsVerificationHelper.cs b/AcmeCaPlugin/Clients/DNS/DnsVerificationHelper.cs
@@ -15,31 +15,51 @@ public class DnsVerificationHelper
     {
         private readonly ILogger _logger;
         private readonly List<IPAddress> _dnsServers;
+        private readonly bool _usePrivateDns;
         private const int MaxVerificationAttempts = 3;
         private const int VerificationDelaySeconds = 10;
 
-        public DnsVerificationHelper(ILogger logger)
+        /// <summary>
+        /// Creates a DNS verification helper.
+        /// </summary>
+        /// <param name="logger">Logger instance</param>
+        /// <param name="verificationServer">Optional DNS server IP for verification.
+        /// For private/local zones (e.g., .local), specify your authoritative DNS server.
+        /// Leave null/empty to use public DNS servers.</param>
+        public DnsVerificationHelper(ILogger logger, string verificationServer = null)
         {
             _logger = logger;
+            _dnsServers = new List<IPAddress>();
 
-            // Use multiple public DNS servers for verification
-            _dnsServers = new List<IPAddress>
+            // Check if a private DNS server was specified
+            if (!string.IsNullOrWhiteSpace(verificationServer) && IPAddress.TryParse(verificationServer, out var privateServer))
+            {
+                _usePrivateDns = true;
+                _dnsServers.Add(privateServer);
+                _logger.LogInformation("DNS verification will use private DNS server: {Server}", verificationServer);
+            }
+            else
             {
-                IPAddress.Parse("8.8.8.8"),       // Google Primary
-                IPAddress.Parse("8.8.4.4"),       // Google Secondary
-                IPAddress.Parse("1.1.1.1"),       // Cloudflare Primary
-                IPAddress.Parse("1.0.0.1"),       // Cloudflare Secondary
-                IPAddress.Parse("208.67.222.222"), // OpenDNS
-                IPAddress.Parse("9.9.9.9")        // Quad9
-            };
+                _usePrivateDns = false;
+                // Use multiple public DNS servers for verification
+                _dnsServers = new List<IPAddress>
+                {
+                    IPAddress.Parse("8.8.8.8"),       // Google Primary
+                    IPAddress.Parse("8.8.4.4"),       // Google Secondary
+                    IPAddress.Parse("1.1.1.1"),       // Cloudflare Primary
+                    IPAddress.Parse("1.0.0.1"),       // Cloudflare Secondary
+                    IPAddress.Parse("208.67.222.222"), // OpenDNS
+                    IPAddress.Parse("9.9.9.9")        // Quad9
+                };
+            }
         }
 
         /// <summary>
         /// Waits for DNS TXT record to propagate across multiple DNS servers
         /// </summary>
         /// <param name="recordName">DNS record name (e.g., _acme-challenge.example.com)</param>
         /// <param name="expectedValue">Expected TXT record value</param>
-        /// <param name="minimumServers">Minimum number of DNS servers that must see the record</param>
+        /// <param name="minimumServers">Minimum number of DNS servers that must see the record (ignored for private DNS)</param>
         /// <returns>True if record propagated successfully</returns>
         public async Task<bool> WaitForDnsPropagationAsync(
             string recordName,
@@ -48,6 +68,9 @@ public async Task<bool> WaitForDnsPropagationAsync(
         {
             _logger.LogInformation("Waiting for DNS propagation of {RecordName}", recordName);
 
+            // For private DNS, only require 1 server (the authoritative server)
+            var requiredServers = _usePrivateDns ? 1 : minimumServers;
+
             for (int attempt = 1; attempt <= MaxVerificationAttempts; attempt++)
             {
                 var successCount = 0;
@@ -79,7 +102,7 @@ public async Task<bool> WaitForDnsPropagationAsync(
                 _logger.LogDebug("DNS verification attempt {Attempt}/{MaxAttempts}: {SuccessCount}/{TotalServers} servers confirmed record. Results: {Results}",
                     attempt, MaxVerificationAttempts, successCount, _dnsServers.Count, string.Join(", ", results));
 
-                if (successCount >= minimumServers)
+                if (successCount >= requiredServers)
                 {
                     _logger.LogInformation("DNS record propagated successfully! {SuccessCount}/{TotalServers} servers confirmed record after {Attempt} attempts",
                         successCount, _dnsServers.Count, attempt);

Original file line number	Diff line number	Diff line change
`@@ -345,7 +345,7 @@ private async Task ProcessAuthorizations(AcmeClient acmeClient, OrderDetails ord`
`345`	`345`	`throw new InvalidOperationException("Missing or invalid authorization list in order payload.");`
`346`	`346`	`}`
`347`	`347`
`348`		`- var dnsVerifier = new DnsVerificationHelper(_logger);`
	`348`	`+ var dnsVerifier = new DnsVerificationHelper(_logger, config.DnsVerificationServer);`
`349`	`349`	`var pendingChallenges = new List<(Authorization authz, Challenge challenge, Dns01ChallengeValidationDetails validation)>();`
`350`	`350`
`351`	`351`	`// First pass: Create all DNS records`
Original file line number	Diff line number	Diff line change
`@@ -48,5 +48,8 @@ public class AcmeClientConfig`
`48`	`48`	`public string WindowsDns_Username { get; set; } = null;`
`49`	`49`	`public string WindowsDns_Password { get; set; } = null;`
`50`	`50`
	`51`	`+ // DNS Verification Settings`
	`52`	`+ public string DnsVerificationServer { get; set; } = null;`
	`53`	`+`
`51`	`54`	`}`
`52`	`55`	`}`