Release: 1.2.0 (#12)

* Added RFC 2136 Dynamic DNS Provider Support (BIND with TSIG authentication)
* Added Infoblox DNS Provider Support
* Added configurable DNS verification server for private/local DNS zones
* Fixed issue with Multiple Sans in the CSR
* Infoblox NIOS DNS Provider Support Added 

---------

Signed-off-by: Morgan Gangwere <Morgan.gangwere@keyfactor.com>
Co-authored-by: Brian Hill <76450501+bhillkeyfactor@users.noreply.github.com>
Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: 4 people

AcmeCaPlugin/AcmeCaPlugin.cs

@@ -18,6 +18,10 @@
 using System.Text;
 using Keyfactor.Extensions.CAPlugin.Acme.Clients.DNS;
 using System.Text.RegularExpressions;
+using Org.BouncyCastle.Asn1;
+using Org.BouncyCastle.Asn1.Pkcs;
+using Org.BouncyCastle.Asn1.X509;
+using Org.BouncyCastle.Pkcs;
 
 namespace Keyfactor.Extensions.CAPlugin.Acme
 {
@@ -248,12 +252,12 @@ public async Task<EnrollmentResult> Enroll(
                 var acmeClient = new AcmeClient(_logger, config, httpClient, protocolClient.Directory,
                     new Clients.Acme.Account(accountDetails, signer));
 
-                // Extract domain
-                var cleanDomain = ExtractDomainFromSubject(subject);
-                var identifiers = new List<Identifier>
-        {
-            new Identifier { Type = "dns", Value = cleanDomain }
-        };
+                // Decode CSR first so we can extract all domains from it
+                var csrBytes = Convert.FromBase64String(csr);
+
+                // Extract all domains directly from CSR (CN + SANs) for the ACME order
+                // This ensures we authorize exactly what's in the CSR
+                var identifiers = ExtractDomainsFromCsr(csrBytes);
 
                 // Create order
                 var order = await acmeClient.CreateOrderAsync(identifiers, null);
@@ -264,8 +268,7 @@ public async Task<EnrollmentResult> Enroll(
                 // Process challenges
                 await ProcessAuthorizations(acmeClient, order, config);
 
-                // Finalize
-                var csrBytes = Convert.FromBase64String(csr);
+                // Finalize with original CSR bytes
                 order = await acmeClient.FinalizeOrderAsync(order, csrBytes);
 
                 // If order is valid immediately, download cert
@@ -331,6 +334,88 @@ private static string ExtractDomainFromSubject(string subject)
             throw new ArgumentException($"Could not extract CN from subject: {subject}", nameof(subject));
         }
 
+        /// <summary>
+        /// Extracts all DNS names (CN + SANs) directly from the CSR.
+        /// This ensures the ACME order authorizes exactly what's in the CSR.
+        /// </summary>
+        /// <param name="csrBytes">DER-encoded CSR bytes</param>
+        /// <returns>List of ACME identifiers for all domains in the CSR</returns>
+        private List<Identifier> ExtractDomainsFromCsr(byte[] csrBytes)
+        {
+            var domains = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+            try
+            {
+                // Parse the CSR using BouncyCastle
+                var pkcs10 = new Pkcs10CertificationRequest(csrBytes);
+                var csrInfo = pkcs10.GetCertificationRequestInfo();
+
+                // Extract CN from subject
+                var subject = csrInfo.Subject;
+                var cnValues = subject.GetValueList(X509Name.CN);
+                if (cnValues != null && cnValues.Count > 0)
+                {
+                    var cn = cnValues[0]?.ToString();
+                    if (!string.IsNullOrWhiteSpace(cn))
+                    {
+                        domains.Add(cn);
+                        _logger.LogDebug("Extracted CN from CSR: {Domain}", cn);
+                    }
+                }
+
+                // Extract SANs from CSR attributes
+                var attributes = csrInfo.Attributes;
+                if (attributes != null)
+                {
+                    foreach (var attr in attributes)
+                    {
+                        var attribute = Org.BouncyCastle.Asn1.Pkcs.AttributePkcs.GetInstance(attr);
+                        if (attribute.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
+                        {
+                            // This attribute contains extension requests
+                            var extensions = X509Extensions.GetInstance(attribute.AttrValues[0]);
+                            var sanExtension = extensions.GetExtension(X509Extensions.SubjectAlternativeName);
+
+                            if (sanExtension != null)
+                            {
+                                var sanNames = GeneralNames.GetInstance(sanExtension.GetParsedValue());
+                                foreach (var name in sanNames.GetNames())
+                                {
+                                    // TagNo 2 = dNSName
+                                    if (name.TagNo == GeneralName.DnsName)
+                                    {
+                                        var dnsName = name.Name.ToString();
+                                        if (!string.IsNullOrWhiteSpace(dnsName))
+                                        {
+                                            domains.Add(dnsName);
+                                            _logger.LogDebug("Extracted SAN from CSR: {Domain}", dnsName);
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex, "Failed to parse CSR for domain extraction");
+                throw new InvalidOperationException("Failed to parse CSR to extract domains", ex);
+            }
+
+            if (domains.Count == 0)
+            {
+                _logger.LogError("No DNS names found in CSR. CSR may be malformed or missing CN/SANs.");
+                throw new InvalidOperationException("No DNS names found in CSR (neither CN nor SANs)");
+            }
+
+            var identifiers = domains.Select(d => new Identifier { Type = "dns", Value = d }).ToList();
+            _logger.LogInformation("CSR domain extraction complete. Creating ACME order for {Count} domain(s): [{Domains}]",
+                identifiers.Count, string.Join(", ", domains));
+
+            return identifiers;
+        }
+
         /// <summary>
         /// Processes ACME authorizations for domain validation
         /// Currently hardcoded to use DNS-01 challenge with Google DNS provider
@@ -345,7 +430,7 @@ private async Task ProcessAuthorizations(AcmeClient acmeClient, OrderDetails ord
                 throw new InvalidOperationException("Missing or invalid authorization list in order payload.");
             }
 
-            var dnsVerifier = new DnsVerificationHelper(_logger);
+            var dnsVerifier = new DnsVerificationHelper(_logger, config.DnsVerificationServer);
             var pendingChallenges = new List<(Authorization authz, Challenge challenge, Dns01ChallengeValidationDetails validation)>();
 
             // First pass: Create all DNS records

AcmeCaPlugin/AcmeCaPlugin.csproj

@@ -16,6 +16,7 @@
         <PackageReference Include="Azure.ResourceManager.Cdn" Version="1.4.0"/>
         <PackageReference Include="Azure.ResourceManager.Dns" Version="1.1.1"/>
         <PackageReference Include="DnsClient" Version="1.8.0"/>
+        <PackageReference Include="ARSoft.Tools.Net" Version="3.6.0"/>
         <PackageReference Include="Google.Apis.Dns.v1" Version="1.69.0.3753"/>
         <PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.0.0"/>
         <PackageReference Include="Keyfactor.Logging" Version="1.1.1"/>

AcmeCaPlugin/AcmeCaPluginConfig.cs

@@ -46,7 +46,7 @@ public static Dictionary<string, PropertyConfigInfo> GetPluginAnnotations()
                 },
                 ["DnsProvider"] = new PropertyConfigInfo()
                 {
-                    Comments = "DNS Provider to use for ACME DNS-01 challenges (options Google, Cloudflare, AwsRoute53, Azure, Ns1, Infoblox)",
+                    Comments = "DNS Provider to use for ACME DNS-01 challenges (options: Google, Cloudflare, AwsRoute53, Azure, Ns1, Rfc2136, Infoblox)",
                     Hidden = false,
                     DefaultValue = "Google",
                     Type = "String"
@@ -128,6 +128,83 @@ public static Dictionary<string, PropertyConfigInfo> GetPluginAnnotations()
                     Hidden = true,
                     DefaultValue = "",
                     Type = "String"
+                },
+
+                // RFC 2136 Dynamic DNS (BIND/Microsoft DNS)
+                ["Rfc2136_Server"] = new PropertyConfigInfo()
+                {
+                    Comments = "RFC 2136 DNS: Server hostname or IP address (Optional)",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                },
+                ["Rfc2136_Port"] = new PropertyConfigInfo()
+                {
+                    Comments = "RFC 2136 DNS: Server port (default 53) (Optional)",
+                    Hidden = false,
+                    DefaultValue = "53",
+                    Type = "Number"
+                },
+                ["Rfc2136_Zone"] = new PropertyConfigInfo()
+                {
+                    Comments = "RFC 2136 DNS: Zone name (e.g., example.com) (Optional)",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                },
+                ["Rfc2136_TsigKeyName"] = new PropertyConfigInfo()
+                {
+                    Comments = "RFC 2136 DNS: TSIG key name for authentication (Optional)",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                },
+                ["Rfc2136_TsigKey"] = new PropertyConfigInfo()
+                {
+                    Comments = "RFC 2136 DNS: TSIG key (base64 encoded) for authentication (Optional)",
+                    Hidden = true,
+                    DefaultValue = "",
+                    Type = "Secret"
+                },
+                ["Rfc2136_TsigAlgorithm"] = new PropertyConfigInfo()
+                {
+                    Comments = "RFC 2136 DNS: TSIG algorithm (default hmac-sha256) (Optional)",
+                    Hidden = false,
+                    DefaultValue = "hmac-sha256",
+                    Type = "String"
+                },
+
+                // DNS Verification Settings
+                ["DnsVerificationServer"] = new PropertyConfigInfo()
+                {
+                    Comments = "DNS server to use for verifying TXT record propagation. For private/local DNS zones, set this to your authoritative DNS server IP (e.g., 10.3.10.37). Leave empty to use public DNS servers (Google, Cloudflare, etc.).",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                }
+
+                //Infoblox DNS
+                ,
+                ["Infoblox_Host"] = new PropertyConfigInfo()
+                {
+                    Comments = "Infoblox DNS: API URL (e.g., https://infoblox.example.com/wapi/v2.12) only if using Infoblox DNS (Optional)",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                },
+                ["Infoblox_Username"] = new PropertyConfigInfo()
+                {
+                    Comments = "Infoblox DNS: Username for authentication only if using Infoblox DNS (Optional)",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                },
+                ["Infoblox_Password"] = new PropertyConfigInfo()
+                {
+                    Comments = "Infoblox DNS: Password for authentication only if using Infoblox DNS (Optional)",
+                    Hidden = true,
+                    DefaultValue = "",
+                    Type = "Secret"
                 }
 
                 //Infoblox DNS

AcmeCaPlugin/AcmeClientConfig.cs

@@ -34,12 +34,23 @@ public class AcmeClientConfig
         //IBM NS1 DNS Ns1_ApiKey
         public string Ns1_ApiKey { get; set; } = null;
 
+        // RFC 2136 Dynamic DNS (BIND)
+        public string Rfc2136_Server { get; set; } = null;
+        public int Rfc2136_Port { get; set; } = 53;
+        public string Rfc2136_Zone { get; set; } = null;
+        public string Rfc2136_TsigKeyName { get; set; } = null;
+        public string Rfc2136_TsigKey { get; set; } = null;
+        public string Rfc2136_TsigAlgorithm { get; set; } = "hmac-sha256";
+
         // Infoblox DNS
         public string Infoblox_Host { get; set; } = null;
         public string Infoblox_Username { get; set; } = null;
         public string Infoblox_Password { get; set; } = null;
         public string Infoblox_WapiVersion { get; set; } = "2.12";
         public bool Infoblox_IgnoreSslErrors { get; set; } = false;
 
+        // DNS Verification Settings
+        public string DnsVerificationServer { get; set; } = null;
+
     }
 }

AcmeCaPlugin/Clients/DNS/DnsProviderFactory.cs

@@ -39,6 +39,16 @@ public static IDnsProvider Create(AcmeClientConfig config, ILogger logger)
                     return new Ns1DnsProvider(
                         config.Ns1_ApiKey
                     );
+                case "rfc2136":
+                    return new Rfc2136DnsProvider(
+                        config.Rfc2136_Server,
+                        config.Rfc2136_Zone,
+                        config.Rfc2136_TsigKeyName,
+                        config.Rfc2136_TsigKey,
+                        config.Rfc2136_TsigAlgorithm,
+                        config.Rfc2136_Port,
+                        logger
+                    );
                 case "infoblox":
                     return new InfobloxDnsProvider(
                         config.Infoblox_Host,

AcmeCaPlugin/Clients/DNS/DnsVerificationHelper.cs

@@ -15,31 +15,51 @@ public class DnsVerificationHelper
     {
         private readonly ILogger _logger;
         private readonly List<IPAddress> _dnsServers;
+        private readonly bool _usePrivateDns;
         private const int MaxVerificationAttempts = 3;
         private const int VerificationDelaySeconds = 10;
 
-        public DnsVerificationHelper(ILogger logger)
+        /// <summary>
+        /// Creates a DNS verification helper.
+        /// </summary>
+        /// <param name="logger">Logger instance</param>
+        /// <param name="verificationServer">Optional DNS server IP for verification.
+        /// For private/local zones (e.g., .local), specify your authoritative DNS server.
+        /// Leave null/empty to use public DNS servers.</param>
+        public DnsVerificationHelper(ILogger logger, string verificationServer = null)
         {
             _logger = logger;
+            _dnsServers = new List<IPAddress>();
 
-            // Use multiple public DNS servers for verification
-            _dnsServers = new List<IPAddress>
+            // Check if a private DNS server was specified
+            if (!string.IsNullOrWhiteSpace(verificationServer) && IPAddress.TryParse(verificationServer, out var privateServer))
+            {
+                _usePrivateDns = true;
+                _dnsServers.Add(privateServer);
+                _logger.LogInformation("DNS verification will use private DNS server: {Server}", verificationServer);
+            }
+            else
             {
-                IPAddress.Parse("8.8.8.8"),       // Google Primary
-                IPAddress.Parse("8.8.4.4"),       // Google Secondary
-                IPAddress.Parse("1.1.1.1"),       // Cloudflare Primary
-                IPAddress.Parse("1.0.0.1"),       // Cloudflare Secondary
-                IPAddress.Parse("208.67.222.222"), // OpenDNS
-                IPAddress.Parse("9.9.9.9")        // Quad9
-            };
+                _usePrivateDns = false;
+                // Use multiple public DNS servers for verification
+                _dnsServers = new List<IPAddress>
+                {
+                    IPAddress.Parse("8.8.8.8"),       // Google Primary
+                    IPAddress.Parse("8.8.4.4"),       // Google Secondary
+                    IPAddress.Parse("1.1.1.1"),       // Cloudflare Primary
+                    IPAddress.Parse("1.0.0.1"),       // Cloudflare Secondary
+                    IPAddress.Parse("208.67.222.222"), // OpenDNS
+                    IPAddress.Parse("9.9.9.9")        // Quad9
+                };
+            }
         }
 
         /// <summary>
         /// Waits for DNS TXT record to propagate across multiple DNS servers
         /// </summary>
         /// <param name="recordName">DNS record name (e.g., _acme-challenge.example.com)</param>
         /// <param name="expectedValue">Expected TXT record value</param>
-        /// <param name="minimumServers">Minimum number of DNS servers that must see the record</param>
+        /// <param name="minimumServers">Minimum number of DNS servers that must see the record (ignored for private DNS)</param>
         /// <returns>True if record propagated successfully</returns>
         public async Task<bool> WaitForDnsPropagationAsync(
             string recordName,
@@ -48,6 +68,9 @@ public async Task<bool> WaitForDnsPropagationAsync(
         {
             _logger.LogInformation("Waiting for DNS propagation of {RecordName}", recordName);
 
+            // For private DNS, only require 1 server (the authoritative server)
+            var requiredServers = _usePrivateDns ? 1 : minimumServers;
+
             for (int attempt = 1; attempt <= MaxVerificationAttempts; attempt++)
             {
                 var successCount = 0;
@@ -79,7 +102,7 @@ public async Task<bool> WaitForDnsPropagationAsync(
                 _logger.LogDebug("DNS verification attempt {Attempt}/{MaxAttempts}: {SuccessCount}/{TotalServers} servers confirmed record. Results: {Results}",
                     attempt, MaxVerificationAttempts, successCount, _dnsServers.Count, string.Join(", ", results));
 
-                if (successCount >= minimumServers)
+                if (successCount >= requiredServers)
                 {
                     _logger.LogInformation("DNS record propagated successfully! {SuccessCount}/{TotalServers} servers confirmed record after {Attempt} attempts",
                         successCount, _dnsServers.Count, attempt);