Use a built-in DNS server to support wildcard certs

Author: pimterry

fly.toml

@@ -12,11 +12,14 @@ primary_region = 'cdg'
 
   # If deploying a separate instance and wanting real certificates, customize these:
   ROOT_DOMAIN = 'testserver.host'
-  PROACTIVE_CERT_DOMAINS = 'testserver.host,example.testserver.host,http1.testserver.host,http2.testserver.host'
+  PROACTIVE_CERT_DOMAINS = 'testserver.host,example.testserver.host,revoked.testserver.host,expired.testserver.host,expired--revoked.testserver.host'
 
   ACME_PROVIDER = 'google' # or 'letsencrypt', 'zerossl'
   # Set ACME_ACCOUNT_KEY secret (PEM format) - see src/tls-certificates/acme.ts for details
 
+  # Enable in-process DNS server on port 53 for wildcard certs via DNS-01 (requires NS delegation)
+  DNS_SERVER = 'true'
+
 [[services]]
   protocol = "tcp"
   internal = 8080
@@ -40,6 +43,14 @@ primary_region = 'cdg'
     tls_server_name = "testserver.host"
     tls_skip_verify = true # We don't verify by default, so this works for fresh empty-volume deploys
 
+# DNS server
+[[services]]
+  protocol = "udp"
+  internal_port = 53
+
+  [[services.ports]]
+    port = 53
+
 # If we want to scale out within a single region, where there's already an app in the same region
 # using this volume, we need to fork it and create another with the same name.
 [mounts]

package-lock.json

@@ -37,13 +37,15 @@
     "@peculiar/x509": "^1.14.3",
     "acme-client": "^5.4.0",
     "cookie": "^1.0.2",
+    "dns-packet": "^5.6.1",
     "lodash": "^4.17.23",
     "parse-multipart-data": "^1.5.0",
     "read-tls-client-hello": "^1.1.0",
     "tsx": "^4.19.3"
   },
   "devDependencies": {
     "@types/chai": "^4.3.14",
+    "@types/dns-packet": "^5.6.5",
     "@types/lodash": "^4.17.0",
     "@types/mocha": "^10.0.6",
     "@types/node": "^22.15.30",

package.json

@@ -0,0 +1,88 @@
+import * as dgram from 'dgram';
+import * as dnsPacket from 'dns-packet';
+
+/**
+ * Minimal authoritative DNS server for ACME DNS-01 challenges.
+ * Responds to TXT record queries with values set via setTxtRecord().
+ * All other queries receive an empty authoritative response.
+ */
+export class DnsServer {
+    private socket: dgram.Socket;
+    private txtRecords = new Map<string, Set<string>>();
+
+    constructor(private port = 53) {
+        this.socket = dgram.createSocket('udp4');
+        this.socket.on('message', (msg, rinfo) => this.handleQuery(msg, rinfo));
+        this.socket.on('error', (err) => {
+            console.error('DNS server error:', err);
+        });
+    }
+
+    setTxtRecord(fqdn: string, value: string) {
+        const key = fqdn.toLowerCase();
+        if (!this.txtRecords.has(key)) this.txtRecords.set(key, new Set());
+        this.txtRecords.get(key)!.add(value);
+        console.log(`DNS: Set TXT record for ${fqdn} = ${value}`);
+    }
+
+    removeTxtRecord(fqdn: string, value: string) {
+        const key = fqdn.toLowerCase();
+        this.txtRecords.get(key)?.delete(value);
+        if (this.txtRecords.get(key)?.size === 0) {
+            this.txtRecords.delete(key);
+        }
+        console.log(`DNS: Removed TXT record for ${fqdn}`);
+    }
+
+    private handleQuery(msg: Buffer, rinfo: dgram.RemoteInfo) {
+        try {
+            const query = dnsPacket.decode(msg);
+            const question = query.questions?.[0];
+            if (!question) return;
+
+            const name = question.name.toLowerCase();
+            const values = this.txtRecords.get(name);
+
+            const answers: dnsPacket.TxtAnswer[] =
+                (question.type === 'TXT' && values?.size)
+                    ? [...values].map(v => ({
+                        type: 'TXT' as const,
+                        class: 'IN' as const,
+                        name: question.name,
+                        ttl: 60,
+                        data: v
+                    }))
+                    : [];
+
+            const response = dnsPacket.encode({
+                type: 'response',
+                id: query.id,
+                flags: dnsPacket.AUTHORITATIVE_ANSWER,
+                questions: query.questions,
+                answers
+            });
+
+            this.socket.send(response, rinfo.port, rinfo.address);
+        } catch (err) {
+            console.error('DNS: Failed to handle query:', err);
+        }
+    }
+
+    listen(): Promise<void> {
+        return new Promise<void>((resolve, reject) => {
+            this.socket.once('error', reject);
+            this.socket.bind(this.port, '0.0.0.0', () => {
+                this.socket.removeListener('error', reject);
+                console.log(`DNS server listening on port ${this.port}`);
+                resolve();
+            });
+        });
+    }
+
+    close(): Promise<void> {
+        return new Promise<void>((resolve) => {
+            this.socket.close(() => resolve());
+        });
+    }
+
+}

src/dns-server.ts

@@ -15,6 +15,8 @@ import { ConnectionProcessor } from './process-connection.js';
 import { AcmeCA, AcmeProvider } from './tls-certificates/acme.js';
 import { LocalCA, generateCACertificate } from './tls-certificates/local-ca.js';
 import { PersistentCertCache } from './tls-certificates/cert-cache.js';
+import { DnsServer } from './dns-server.js';
+import { tlsEndpoints } from './endpoints/endpoint-index.js';
 
 declare module 'stream' {
     interface Duplex {
@@ -38,6 +40,13 @@ interface ServerOptions {
     certCacheDir?: string;
     localCaKey?: string;
     localCaCert?: string;
+    dnsServer?: boolean;
+}
+
+function isWildcardCoverable(domain: string, rootDomain: string): boolean {
+    if (!domain.endsWith(`.${rootDomain}`)) return false;
+    const prefix = domain.slice(0, -rootDomain.length - 1);
+    return !prefix.includes('.'); // Single-level subdomain only
 }
 
 async function generateTlsConfig(options: ServerOptions) {
@@ -58,7 +67,20 @@ async function generateTlsConfig(options: ServerOptions) {
     }
 
     if (certCache) {
-        await certCache.loadCache();
+        const validSniParts = new Set(tlsEndpoints.map(e => e.sniPart));
+        await certCache.loadCache((domain) => { // Temp logic to clean up old cached certs
+            // Root domain and wildcard are always valid
+            if (domain === rootDomain || domain === `*.${rootDomain}`) return true;
+
+            // Strip root domain suffix to get the prefix
+            if (!domain.endsWith(`.${rootDomain}`)) return false;
+            const prefix = domain.slice(0, -rootDomain.length - 1);
+            if (!prefix) return false;
+
+            // Split by -- or . (same logic as getSNIPrefixParts)
+            const parts = prefix.includes('--') ? prefix.split('--') : prefix.split('.');
+            return parts.every(part => validSniParts.has(part));
+        });
     }
 
     const localCA = await LocalCA.create(caCert);
@@ -95,7 +117,16 @@ async function generateTlsConfig(options: ServerOptions) {
         throw new Error(`Can't enable ACME without configuring an account key (via $ACME_ACCOUNT_KEY)`);
     }
 
-    const acmeCA = new AcmeCA(certCache!, options.acmeProvider, options.acmeAccountKey);
+    // Set up in-process DNS server for wildcard certs via DNS-01 (optional)
+    let dnsServer: DnsServer | undefined;
+
+    if (options.dnsServer) {
+        dnsServer = new DnsServer(53);
+        await dnsServer.listen();
+        console.log('Using in-process DNS server for wildcard certs');
+    }
+
+    const acmeCA = new AcmeCA(certCache!, options.acmeProvider, options.acmeAccountKey, dnsServer);
     acmeCA.tryGetCertificateSync(rootDomain, {}); // Preload the root domain every time
 
     return {
@@ -105,22 +136,29 @@ async function generateTlsConfig(options: ServerOptions) {
         cert: defaultCert.cert,
         ca: caCert.cert,
         localCA,
-        generateCertificate: async (domain: string, options: CertOptions) => {
-            if (options.requiredType === 'local') {
-                return await localCA.generateCertificate(domain, options);
+        generateCertificate: async (domain: string, certOptions: CertOptions) => {
+            if (certOptions.requiredType === 'local') {
+                return await localCA.generateCertificate(domain, certOptions);
             }
 
-            const cert = acmeCA.tryGetCertificateSync(domain, options);
+            // Use wildcard when: DNS server available, single-level subdomain, no overridePrefix
+            const useWildcard = dnsServer
+                && isWildcardCoverable(domain, rootDomain)
+                && !certOptions.overridePrefix;
+
+            const effectiveDomain = useWildcard ? `*.${rootDomain}` : domain;
+
+            const cert = acmeCA.tryGetCertificateSync(effectiveDomain, certOptions);
 
             if (cert) {
                 return cert;
             } else {
-                if (options.requiredType === 'acme') {
-                    return await acmeCA.waitForCertificate(domain, options);
+                if (certOptions.requiredType === 'acme') {
+                    return await acmeCA.waitForCertificate(effectiveDomain, certOptions);
                 }
                 // Local CA fallback while ACME cert is pending - mark as temporary
                 // so it gets a short cache time and ACME cert is used once available
-                const fallbackCert = await localCA.generateCertificate(domain, options);
+                const fallbackCert = await localCA.generateCertificate(domain, certOptions);
                 return { ...fallbackCert, isTemporary: true };
             }
         },
@@ -193,7 +231,8 @@ if (wasRunDirectly) {
         acmeAccountKey: process.env.ACME_ACCOUNT_KEY,
         certCacheDir: process.env.CERT_CACHE_DIR,
         localCaKey: process.env.LOCAL_CA_KEY,
-        localCaCert: process.env.LOCAL_CA_CERT
+        localCaCert: process.env.LOCAL_CA_CERT,
+        dnsServer: process.env.DNS_SERVER === 'true'
     }).then((tcpHandler) => {
         ports.forEach((port) => {
             const server = createTcpServer(tcpHandler);