sslip.io

Golang-based DNS server which maps DNS records with embedded IP addresses to those addresses.

APACHE-2.0 License

Stars: 618
sslip.io - 🐞 Case-insensitive `_acme-challenge.` matching

Published by cunnie almost 4 years ago

Our DNS-01 challenges were failing because we weren't prepared for mixed-case queries. Now we properly recognize them.

Below are snippets from our log files, where we can see the queries' random casing (e.g. _ACMe-cHalLeNGE.34-83-219-164.sSlip.Io.). Henceforth we will ignore casing when detecting DNS-01 challenges.

2021/01/20 20:15:40 3.123.253.205.45368 TypeTXT _ACMe-cHalLeNGE.34-83-219-164.sSlip.Io. ? nil, SOA _ACMe-cHalLeNGE.34-83-219-164.sSlip.Io. briancunnie.gmail.com. 2021011400 900 900 1800 300
2021/01/20 20:15:40 18.219.85.19.35164 TypeTXT _acMe-chaLlENGe.34-83-219-164.ssliP.Io. ? nil, SOA _acMe-chaLlENGe.34-83-219-164.ssliP.Io. briancunnie.gmail.com. 2021011400 900 900 1800 300
2021/01/20 20:15:40 66.133.109.36.11107 TypeTXT _aCme-chaLleNGe.34-83-219-164.sSLip.Io. ? nil, SOA _aCme-chaLleNGe.34-83-219-164.sSLip.Io. briancunnie.gmail.com. 2021011400 900 900 1800 300
sslip.io - 🐞 delegate _all_ "_acme-challenge." records

Published by cunnie almost 4 years ago

We now delegate all types of records (e.g. SOA, A, AAAA, MX, PTR) for queries of domains prefixed with "_acme-challenge." to the hostname with the "_acme-challenge." portion stripped. Previously we limited our delegation of "_acme-challenge." records to TXT & NS records.

For example, when queried for the MX record of _acme-challenge.52-0-56-137.sslip.io, we would send a reply that would delegate to the DNS server 52-0-56-137.sslip.io (whose IP address 52.0.56.137 would be supplied as well). In other words, we'd disable the authoritative flag, send an empty Answers section, an Authoritative section consisting of one record, 52-0-56-137.sslip.io, and an Additionals section consisting of the IP address 52.0.56.137.

We also rigorously disable the authoritative flag. Previously we played fast-and-loose with the authoritative flag.

Additional Notes

For every nameserver listed in either the Answers or Authorities section, we now include their respective IP addresses in the Additionals section.

We fixed a bug where the DNS message ID would get corrupted. dig, for example, would sometimes emit the warning ";; Warning: ID mismatch: expected ID x, got y".

sslip.io - 🐞 "_acme-challenge" subdomains have special NS records

Published by cunnie almost 4 years ago

This is a bug fix to the previous release, which didn't delegate the subdomains properly.

Technical details:

When querying for a record with _acme-challenge. and an embedded IP address, we mistakenly responded with an answer with the authoritative flag set and the SOA record in the Authorities section. But that was wrong: we should NOT have set the authoritative flag, and we should have included the NS record, not the SOA record, in the Authorities section.

Additional Notes

Although it may seem incongruous to bump a major version for a bug fix, in this case it's appropriate, for it reflects a major re-write of the code (which had become too rigid to accommodate our requirements). We've also included a fairly rigorous set of integration tests, and deprecated some of the baroque and overly-complex unit tests.

sslip.io - "_acme-challenge" subdomains have special NS records

Published by cunnie almost 4 years ago

_acme-challenge. in query triggers special NS record

Prior behavior was that the same trinity of NS records was returned for every NS query:

  • ns-aws.nono.io.
  • ns-azure.nono.io.
  • ns-gce.nono.io.

This commit introduces a change in that behavior: IF the NS query includes the string _acme-challenge. AND the query has an embedded IP address THEN the NS record returned is the query with the _acme-challenge. stripped.

For example:

dig +short ns _acme-challenge.104.155.144.4.sslip.io

Would return:

104.155.144.4.sslip.io.

This is an attempt to enable DNS-01 challenge for wildcard certs from Let's Encrypt or other CAs (Certificate Authorities).

Note that the embedded IP address would need to be routable (NOT 10.x, 172.16-31.x, or 192.168.x).

Note that you would also need to run a DNS server such as acme-dns at that address.

Thanks @normanr !

sslip.io - CNAME Records

Published by cunnie almost 4 years ago

This release includes customized CNAME records for DKIM signing for the sslip.io domain.

The code now allows returning multiple A and AAAA records.

sslip.io - TXT Records, Take Two

Published by cunnie almost 4 years ago

🐞 TXT Records: only ONE string per record

Previously we were returning one TXT record with multiple strings for sslip.io. That did not work for ProtonMail's domain verification.

It seems a convention that each TXT record has one string. google.com, for example, has a separate TXT record for each string.

It turns out I had misunderstood the StackExchange thread.

Fixes this error from ProtonMail's domain verification:

Verification did not succeed, please try again in an hour.

sslip.io - TXT Records

Published by cunnie almost 4 years ago

This release has custom TXT records for the sslip.io domain. The motivating factor was to re-enable ProtonMail email service for sslip.io, which requires specific TXT records.

sslip.io - Fixed IPv4 & IPv6 resolution bugs

Published by cunnie almost 4 years ago

  • 🐞 fix IPv6 resolution (double dashes were matched too short):
    2601-41d0-2-e01e--56dB-3598.sSLIP.io. → 2601:41d0:2:e01e::56db      (wrong)
                                          → 2601:41d0:2:e01e::56db:3598 (right)
  • 🐞 fix IPv4 resolution (no longer mixes dashes and dots while parsing):
    minio-01.192-168-1-100.sslip.io → 1.192.168.1   (wrong)
                                    → 192.168.1.100 (right)

Thanks @pandaxin!
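The following Go program is an added example, not sslip.io's own code, written to illustrate the behaviour the release notes above describe: the "_acme-challenge." releases (case-insensitive detection of the prefix, delegation of any query type to the name with the prefix stripped, and the nameserver's address as glue in the Additional section) and the IPv4/IPv6 resolution fixes in this release (an embedded IPv4 address is taken from a single dashed label or from four consecutive dotted labels, so dashes and dots are never mixed, and "--" in a dashed IPv6 label stands for "::"). The function names, the Delegation type and the sample query names are assumptions; the query names are constructed from the log lines quoted on this page.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// ipv4Dashed matches one label that is exactly four dash-separated octets.
var ipv4Dashed = regexp.MustCompile(`^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}$`)

// ipv4Dotted matches four consecutive numeric labels joined with dots.
var ipv4Dotted = regexp.MustCompile(`^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$`)

// embeddedIP returns the first IP address embedded in a DNS name, or nil.
// Parsing works label by label, so an IPv4 address is either one dashed
// label ("192-168-1-100") or four dotted labels ("104.155.144.4"); a dashed
// label that is not IPv4 is tried as IPv6 with "-" read as ":" (so "--" is
// "::"). Hypothetical helper, not the project's parser.
func embeddedIP(name string) net.IP {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for i, label := range labels {
		// Dashed IPv4: the whole label must be the four octets.
		if ipv4Dashed.MatchString(label) {
			if ip := net.ParseIP(strings.ReplaceAll(label, "-", ".")); ip != nil && ip.To4() != nil {
				return ip
			}
		}
		// Dotted IPv4: a window of four numeric labels.
		if i+4 <= len(labels) {
			cand := strings.Join(labels[i:i+4], ".")
			if ipv4Dotted.MatchString(cand) {
				if ip := net.ParseIP(cand); ip != nil && ip.To4() != nil {
					return ip
				}
			}
		}
		// Dashed IPv6: hex groups with "-" for ":"; net.ParseIP accepts mixed-case hex.
		if strings.Contains(label, "-") {
			if ip := net.ParseIP(strings.ReplaceAll(label, "-", ":")); ip != nil && ip.To4() == nil {
				return ip
			}
		}
	}
	return nil
}

const acmePrefix = "_acme-challenge."

// Delegation is the referral an "_acme-challenge." query receives, whatever
// its query type: one NS in the Authority section, its address as glue in
// the Additional section, and the authoritative flag cleared.
type Delegation struct {
	NS            string
	Glue          net.IP
	Authoritative bool // always false: a referral is never authoritative
}

// acmeDelegation reports whether qname starts with "_acme-challenge."
// (compared case-insensitively, as the log lines show mixed-case queries)
// and carries an embedded IP; if so it returns the referral to the name
// with the prefix stripped, preserving the rest of the name as queried.
func acmeDelegation(qname string) (Delegation, bool) {
	if len(qname) <= len(acmePrefix) || !strings.EqualFold(qname[:len(acmePrefix)], acmePrefix) {
		return Delegation{}, false
	}
	target := qname[len(acmePrefix):]
	ip := embeddedIP(target)
	if ip == nil {
		return Delegation{}, false
	}
	return Delegation{NS: target, Glue: ip, Authoritative: false}, true
}

func main() {
	// Constructed sample queries, taken from the names quoted in the release notes.
	for _, q := range []string{
		"_ACMe-cHalLeNGE.34-83-219-164.sSlip.Io.",
		"_acme-challenge.104.155.144.4.sslip.io.",
		"minio-01.192-168-1-100.sslip.io.",
		"2601-41d0-2-e01e--56dB-3598.sSLIP.io.",
		"ns-aws.nono.io.",
	} {
		if d, ok := acmeDelegation(q); ok {
			fmt.Printf("%s -> referral: NS %s, glue %s, aa=%v\n", q, d.NS, d.Glue, d.Authoritative)
		} else {
			fmt.Printf("%s -> embedded IP: %v\n", q, embeddedIP(q))
		}
	}
}
```

The label-by-label approach is what prevents the "1.192.168.1" mistake: the "01" of "minio-01" can never be joined to the octets of the next label, because a dashed IPv4 candidate must be one whole label and a dotted one must be whole labels.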

sslip.io - Restore the https://sslip.io Website

Published by cunnie almost 4 years ago

We broke our website; we forgot to add A records for it. This release has the A records.

Fixes:

curl: (6) Could not resolve host: sslip.io
sslip.io - Bugfix: compilation

Published by cunnie almost 4 years ago

Fixes:

+ go build -o /var/vcap/packages/sslip.io-dns-server/bin/sslip.io-dns-server
main.go:7:2: package xip/xip is not in GOROOT (/var/vcap/data/packages/golang-1-linux/da1e0a99a1246edab92d9ffd0c4a2e7c3d5df83a/src/xip/xip)
sslip.io - A Records for Nameservers

Published by cunnie almost 4 years ago

Golang-based DNS server returns A records for our nameservers.

Some clients query us for the A records of our nameservers even though our nameservers aren't in our domain; the nameservers are in the nono.io domain, not in the sslip.io domain.

Our new code returns the A records of our nameservers:

previously:

2020/11/28 21:57:38 190.113.222.130.55236 TypeA ns-aws.nono.io. ? nil, SOA
2020/11/28 21:57:38 190.113.222.130.49919 TypeA ns-azure.nono.io. ? nil, SOA
2020/11/28 21:57:38 190.113.222.130.8090 TypeA ns-gce.nono.io. ? nil, SOA

now:

2020/11/30 13:20:10 127.0.0.1.58410 TypeA ns-aws.nono.io. ? 52.0.56.137
2020/11/30 13:20:20 127.0.0.1.54717 TypeA ns-azure.nono.io. ? 52.187.42.158
2020/11/30 13:20:28 127.0.0.1.62487 TypeA ns-gce.nono.io. ? 104.155.144.4
sslip.io - Now with logging!

Published by cunnie almost 4 years ago

In the prior version, logs weren't generated. Now they are.

In the BOSH manifest, use this in the releases: section:

- name: sslip.io
  sha1: c24a2b1fef37c252fda54509ef5fd82f2367c04a
  url: https://github.com/cunnie/sslip.io/releases/download/1.0.1/sslip.io-release-1.0.1.tgz
  version: 1.0.1
sslip.io - sslip.io BOSH Release

Published by cunnie almost 4 years ago

In the BOSH manifest, use this in the releases: section:

- name: sslip.io
  sha1: 4247d6f491339ba5e1010625aa3e3ced1e8281e3
  url: https://github.com/cunnie/sslip.io/releases/download/1.0.0/sslip.io-release-1.0.0.tgz
  version: 1.0.0