
Azure DNS-01: allow supplying the ZONE name instead of gathering it from DNS #1432

Closed. fibbs opened this issue Jun 14, 2021 · 3 comments

fibbs (Contributor) commented Jun 14, 2021

  • [x] Yes, I've searched similar issues on GitHub and didn't find any.

Detailed Description

I am trying to build a setup where I want to use dns-01 challenges to generate certificates on a subdomain for FQDNs that are not reachable from outside of the corporate network. Also, I don't want the public DNS to have any public records that might expose the corporate network's internal structure. For this, I am using the corporate DNS to redirect *.dev.mycompany.org as a CNAME to my (Docker) server, which runs a reverse proxy (traefik) that uses lego (lib) to auto-generate certs using the dns-01 challenge. In the external, public DNS I have an NS record delegating the subdomain dev.mycompany.org to an Azure DNS zone. This publicly available zone is empty; I want lego to update this zone with the appropriate TXT records for certificate validation.

Now, this fails due to the fact that the lego DNS provider module for Azure tries to gather the name of the zone by traversing through the DNS and finding the SOA record for the zone managing the host name for which I want to generate a certificate, and uses this zone to instruct the Azure API to create the TXT record within.

Now, the server lego is running on (in fact, the container) is inside my corporate environment and uses the internal DNS, thus it does not see the NS record that is available in the public DNS. This causes lego's dns01.FindZoneByFqdn function to not find this "sub domain" as the responsible zone but the "upper" zone, in my case "mycompany.org". This provokes an error on the Microsoft Azure side:

Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '' with object id '' does not have authorization to perform action 'Microsoft.Network/dnsZones/read' over scope '/subscriptions//resourceGroups//providers/Microsoft.Network/dnsZones/mycompany.org' or the scope is invalid.

This is true, the zone is invalid, because lego tries to instruct Azure to add a record into the zone "mycompany.org" instead of "dev.mycompany.org".

As a solution to this, I would wish to have an additional ENV variable, i.e. AZURE_ZONE, which would skip the DNS resolution of the zone and just use the name I supply.

I hope I was able to explain this request clearly.
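The zone discovery failure described in this issue, as an added example that is not lego's own code: a small Go model of the walk-up-the-labels search that dns01.FindZoneByFqdn performs (with the SOA probe replaced by an injected `Resolver` function, an assumed shape) and of the proposed AZURE_ZONE override that bypasses it. The corporate resolver is constructed to answer only for mycompany.org, reproducing the wrong-zone result.

```go
package main

import (
	"fmt"
	"strings"
)

// Resolver stands in for the SOA probe dns01.FindZoneByFqdn performs (assumed
// shape, not lego's API): true if this resolver sees an SOA record for name.
type Resolver func(name string) bool

// FindZone walks up the labels of fqdn until a name answers with an SOA.
func FindZone(fqdn string, r Resolver) (string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := 0; i < len(labels)-1; i++ {
		if zone := strings.Join(labels[i:], "."); r(zone) {
			return zone, nil
		}
	}
	return "", fmt.Errorf("no zone found for %q", fqdn)
}

// ZoneFor applies the proposed override: a non-empty value (what AZURE_ZONE
// would carry) is used as-is and DNS discovery is skipped.
func ZoneFor(fqdn, override string, r Resolver) (string, error) {
	if override != "" {
		return strings.TrimSuffix(override, "."), nil
	}
	return FindZone(fqdn, r)
}

// RelativeName is the record name relative to the zone, as the Azure API wants.
func RelativeName(fqdn, zone string) string {
	return strings.TrimSuffix(strings.TrimSuffix(fqdn, "."), "."+zone)
}

// Constructed corporate resolver: it answers for mycompany.org but has no
// delegation for dev.mycompany.org, exactly the situation in the issue.
var internal Resolver = func(name string) bool { return name == "mycompany.org" }

func main() {
	const rec = "_acme-challenge.host.dev.mycompany.org."
	z, _ := ZoneFor(rec, "", internal)
	fmt.Println("discovered:", z, RelativeName(rec, z)) // mycompany.org, wrong zone
	z, _ = ZoneFor(rec, "dev.mycompany.org", internal)
	fmt.Println("override:  ", z, RelativeName(rec, z)) // dev.mycompany.org
}
```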

fibbs (Contributor, Author) commented Jun 19, 2021

Pull request here: #1433

dmke (Member) commented Jul 14, 2021

Side note:

> I don't want the public DNS to have any public records that might expose the corporate network internal structure.

You should be aware that Let's Encrypt publishes Certificate Transparency logs (I believe this is now mandatory for any CA to be trusted by browser vendors). https://crt.sh is a convenient interface to query e.g. for a domain (try %.mycompany.org).

From an information gathering perspective, the CT logs are actually more attractive than DNS TXT entries, because there's no way to query a DNS server for all RRs (apart from zone transfers, which should require authorization).

sergiomcalzada commented (this comment was marked as off-topic)

ldez closed this as completed Nov 8, 2022