Support suffix for DNS server

docs/pages/deploy-to-prod.mdx

@@ -121,8 +121,9 @@ Obtaining a certificate involves proving to a third party that you control the d
 Plane implements the [ACME DNS-01](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) challenge type to obtain a TLS
 certificate for each proxy. Each proxy generates its own private key, which never leaves that proxy.
 
-For this to work, the `NS` record for the `_acme-challenge.<cluster name>` subdomain needs to point to one or more Plane DNS servers.
-These are basic DNS servers that exist only to serve the ACME DNS-01 challenge.
-
-The DNS servers need to be able to accept incoming connections from the public internet on port 53 (both UDP and TCP).
+For this to work, the `CNAME` record for the `_acme-challenge.<cluster name>` subdomain needs to point to a domain like
+`<cluster name>.my-dns-acme-server.com`. The `A` record of `<cluster name>.my-dns-acme-server.com` needs to contain the public
+IP of a DNS server that is running the Plane ACME DNS-01 receiver, with port 53 (TCP and UDP) open to the public internet.
 
+These are basic DNS servers that exist only to serve the ACME DNS-01 challenge, which is required for proxies to update their
+certificates.

plane/plane-tests/tests/common/test_env.rs

@@ -125,7 +125,9 @@ impl TestEnvironment {
         let port = listener.local_addr().unwrap().port();
         let name = AcmeDnsServerName::new_random();
         let handle = tokio::spawn(async move {
-            run_dns_with_listener(name, client, listener).await.unwrap();
+            run_dns_with_listener(name, client, listener, None)
+                .await
+                .unwrap();
         });
 
         DnsServer {

plane/src/admin.rs

@@ -1,6 +1,7 @@
 use crate::{
     client::{PlaneClient, PlaneClientError},
-    names::{BackendName, DroneName},
+    names::{BackendName, DroneName, Name, ProxyName},
+    protocol::{CertManagerRequest, CertManagerResponse, MessageFromProxy, MessageToProxy},
     types::{BackendStatus, ClusterName, ConnectRequest, ExecutorConfig, KeyConfig, SpawnConfig},
     PLANE_GIT_HASH, PLANE_VERSION,
 };
@@ -94,6 +95,10 @@
         #[clap(long)]
         drone: DroneName,
     },
+    PutDummyDns {
+        #[clap(long)]
+        cluster: ClusterName,
+    },
     Status,
 }
 
@@ -222,6 +227,57 @@
                 client_hash
             );
         }
+        AdminCommand::PutDummyDns { cluster } => {
+            let connection = client.proxy_connection(&cluster);
+            let proxy_name = ProxyName::new_random();
+            let mut conn = connection.connect(&proxy_name).await.unwrap();
+
+            conn.send(MessageFromProxy::CertManagerRequest(
+                CertManagerRequest::CertLeaseRequest,
+            ))
+            .await
+            .unwrap();
+
+            let response = conn.recv().await.unwrap();
+
+            match response {
+                MessageToProxy::CertManagerResponse(CertManagerResponse::CertLeaseResponse {
+                    accepted,
+                }) => {
+                    if accepted {
+                        tracing::info!("Leased dummy DNS.");
+                    } else {
+                        tracing::error!("Failed to lease dummy DNS.");
+                    }
+                }
+                _ => panic!("Unexpected response"),
+            }
+
+            let message = format!("Dummy message from {}", proxy_name.to_string());
+
+            conn.send(MessageFromProxy::CertManagerRequest(
+                CertManagerRequest::SetTxtRecord {
+                    txt_value: message.clone(),
+                },
+            ))
+            .await
+            .unwrap();
+
+            let response = conn.recv().await.unwrap();
+
+            match response {
+                MessageToProxy::CertManagerResponse(
+                    CertManagerResponse::SetTxtRecordResponse { accepted },
+                ) => {
+                    if accepted {
+                        tracing::info!(?message, "Sent dummy DNS message.");
+                    } else {
+                        tracing::error!(?message, "Failed to set DNS message.");
+                    }
+                }
+                _ => panic!("Unexpected response"),
+            }
+        }
     };
 
     Ok(())

plane/src/dns/mod.rs

@@ -1,4 +1,4 @@
-use self::error::Result;
+use self::{error::Result, name_to_cluster::NameToCluster};
 use crate::{
     client::PlaneClient,
     dns::error::OrDnsError,
@@ -28,17 +28,23 @@ use trust_dns_server::{
 };
 
 mod error;
+mod name_to_cluster;
 
 const TCP_TIMEOUT_SECONDS: u64 = 10;
 
 struct AcmeDnsServer {
     loop_handle: Option<JoinHandle<()>>,
     send: Sender<MessageFromDns>,
     request_map: Arc<DashMap<ClusterName, Sender<Option<String>>>>,
+    name_to_cluster: NameToCluster,
 }
 
 impl AcmeDnsServer {
-    fn new(name: AcmeDnsServerName, mut client: TypedSocketConnector<MessageFromDns>) -> Self {
+    fn new(
+        name: AcmeDnsServerName,
+        mut client: TypedSocketConnector<MessageFromDns>,
+        zone: Option<String>,
+    ) -> Self {
         let (send, mut recv) = broadcast::channel::<MessageFromDns>(1);
         let request_map: Arc<DashMap<ClusterName, Sender<Option<String>>>> = Arc::default();
 
@@ -90,6 +96,7 @@ impl AcmeDnsServer {
             loop_handle: Some(loop_handle),
             send,
             request_map,
+            name_to_cluster: NameToCluster::new(zone),
         }
     }
 
@@ -115,19 +122,19 @@ impl AcmeDnsServer {
         match request.query().query_type() {
             RecordType::TXT => {
                 tracing::info!(?request, ?name, "TXT query.");
-                let name = name.strip_suffix('.').unwrap_or(&name);
-                let Some(name) = name.strip_prefix("_acme-challenge.") else {
-                    tracing::warn!(?request, ?name, "TXT query on non _acme-challenge domain.");
+
+                let Some(cluster) = self.name_to_cluster.cluster_name(&name) else {
+                    tracing::warn!(
+                        ?request,
+                        ?name,
+                        "TXT query for record that does not match configured zone."
+                    );
                     return Err(error::DnsError {
                         code: ResponseCode::FormErr,
                         message: format!("Invalid TXT query: {}", name),
                     });
                 };
 
-                let cluster: ClusterName =
-                    name.parse().or_dns_error(ResponseCode::ServFail, || {
-                        format!("No TXT record found for {}", name)
-                    })?;
                 let result = self
                     .request(cluster)
                     .await
@@ -203,8 +210,9 @@ pub async fn run_dns_with_listener(
     name: AcmeDnsServerName,
     client: PlaneClient,
     listener: TcpListener,
+    zone: Option<String>,
 ) -> std::result::Result<(), Box<dyn std::error::Error>> {
-    let mut fut = ServerFuture::new(AcmeDnsServer::new(name, client.dns_connection()));
+    let mut fut = ServerFuture::new(AcmeDnsServer::new(name, client.dns_connection(), zone));
 
     let addr = listener.local_addr()?;
 
@@ -233,10 +241,11 @@ pub async fn run_dns(
     name: AcmeDnsServerName,
     client: PlaneClient,
     port: u16,
+    zone: Option<String>,
 ) -> anyhow::Result<()> {
     let ip_port_pair = (Ipv4Addr::UNSPECIFIED, port);
     let listener = TcpListener::bind(ip_port_pair).await?;
-    run_dns_with_listener(name, client, listener)
+    run_dns_with_listener(name, client, listener, zone)
         .await
         .map_err(|err| anyhow!("Error running DNS server {:?}", err))
 }

plane/src/dns/name_to_cluster.rs

@@ -0,0 +1,94 @@
+use std::str::FromStr;
+
+use crate::types::ClusterName;
+
+/// Maps a requested domain name to a cluster name.
+///
+/// This can be configured to operate in two ways.
+///
+/// If the `cname_zone` is `None`, the server assumes that it is the authoritative
+/// DNS server for the cluster. It expects requests of the form
+/// _acme-challenge.<cluster name>, and will strip the _acme-challenge prefix.
+///
+/// If the `cname_zone` is `Some(_)`, the server will expect requests of the form
+/// <cluster name>.<cname_zone>, and will strip the <cname_zone> suffix.
+///
+/// Note that the _acme-challenge. prefix is not expected in the case where
+/// `cname_zone` is `Some(_)`. The _acme-challenge record should be pointed
+/// directly to the <cluster name>.<cname_zone> record via a CNAME record.
+///
+/// In production, the `cname_zone` should always be set (and the CLI enforces
+/// this), but for testing it is useful to be able to run without a `cnbame_zone`
+pub struct NameToCluster {
+    cname_zone: Option<String>,
+}
+
+impl NameToCluster {
+    pub fn new(cname_zone: Option<String>) -> Self {
+        Self { cname_zone }
+    }
+
+    pub fn cluster_name(&self, name: &str) -> Option<ClusterName> {
+        let name = name.strip_suffix('.').unwrap_or(name);
+
+        match &self.cname_zone {
+            Some(cname_zone) => {
+                let name = name.strip_suffix(cname_zone)?;
+                let name = name.strip_suffix('.').unwrap_or(name);
+                ClusterName::from_str(name).ok()
+            }
+            None => {
+                let name = name.strip_prefix("_acme-challenge.")?;
+                ClusterName::from_str(name).ok()
+            }
+        }
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use crate::types::ClusterName;
+    use std::str::FromStr;
+
+    #[test]
+    fn test_no_cname_zone() {
+        let name_to_cluster = super::NameToCluster::new(None);
+
+        assert_eq!(
+            name_to_cluster.cluster_name("foo.bar.baz"),
+            None,
+            "No cluster name should be returned for a domain without a _acme-challenge prefix."
+        );
+
+        assert_eq!(
+            name_to_cluster.cluster_name("_acme-challenge.foo.bar.baz"),
+            Some(ClusterName::from_str("foo.bar.baz").unwrap())
+        );
+
+        assert_eq!(
+            name_to_cluster.cluster_name("_acme-challenge.foo.bar.baz."),
+            Some(ClusterName::from_str("foo.bar.baz").unwrap())
+        );
+    }
+
+    #[test]
+    fn test_cname_zone() {
+        let name_to_cluster = super::NameToCluster::new(Some("example.com".to_string()));
+
+        assert_eq!(
+            name_to_cluster.cluster_name("foo.bar.baz"),
+            None,
+            "No match for a domain that lacks the cname zone."
+        );
+
+        assert_eq!(
+            name_to_cluster.cluster_name("foo.bar.baz.example.com"),
+            Some(ClusterName::from_str("foo.bar.baz").unwrap())
+        );
+
+        assert_eq!(
+            name_to_cluster.cluster_name("foo.bar.baz.example.com."),
+            Some(ClusterName::from_str("foo.bar.baz").unwrap())
+        );
+    }
+}

plane/src/main.rs

@@ -98,6 +98,16 @@ enum Command {
         #[clap(long)]
         controller_url: Url,
 
+        /// Suffix to strip from requests before looking up TXT records.
+        /// E.g. if the zone is "example.com", a TXT record lookup
+        /// for foo.bar.baz.example.com
+        /// will return the TXT records for the cluster "foo.bar.baz".
+        ///
+        /// The DNS record for _acme-challenge.foo.bar.baz in this case
+        /// should have a CNAME record pointing to foo.bar.baz.example.com.
+        #[clap(long)]
+        zone: String,
+
         #[clap(long, default_value = "53")]
         port: u16,
     },
@@ -232,11 +242,12 @@ async fn run(opts: Opts) -> Result<()> {
             name,
             controller_url,
             port,
+            zone,
         } => {
             let name = name.or_random();
             tracing::info!("Starting DNS server");
             let client = PlaneClient::new(controller_url);
-            run_dns(name, client, port).await?;
+            run_dns(name, client, port, Some(zone)).await?;
         }
         Command::Admin(admin_opts) => {
             plane::admin::run_admin_command(admin_opts).await;