Name
yes - always respond positively to queries
Description
This is used to have an "empty" zone delegated to a server and have it positively answer any query it
gets, thereby not giving away your zone's content.
A major use case of this handler is to respond to queries from certificate authorities that want to perform
a DNS lookup. Note this is different from the DNS-01 challenge, which wants to resolve a
TXT record with a specific value in it. The aim is to have the most minimal setup that makes this work for
all potential names in the zone.
For A and AAAA queries it returns the 198.51.100.1 and 2001:db8::1 (RFC 5737, RFC 5156) addresses. For CAA queries
it returns whatever string is set in the configuration, with the Flag bit set to 1 (128 decimal), the Tag
set to "issue" and the Value set to caa's VALUE.
For NS and SOA queries the ns property is used; this must be an out-of-zone nameserver that serves the yes
handler.
This handler handles A, AAAA, NS, SOA, TXT and CAA queries; all other types return a NODATA response.
Syntax
yes {
caa VALUE
ns NAMESERVER
}
caa holds the CAA record's VALUE. This may be repeated, which results in multiple CAA records being returned.
ns is the NAMESERVER to use; this must be a name, e.g. ns1.example.org. This should resolve back to
the server hosting the yes handler.
Examples
example.org {
log
yes {
caa letsencrypt.org
ns ns1.example.org
}
}
Allows names under example.org to have TLS certificates generated by Let's Encrypt. This will generate a record
like so: www.example.org. IN CAA 128 issue "letsencrypt.org".
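The answer rules from Description and the CAA record from this example, worked through in Python. This is an added illustration, not the handler's own code; the SOA layout and the NODATA treatment of TXT (the page does not say what TXT returns) are assumptions.

```python
import struct

# Fixed answers described on the page (RFC 5737 / RFC 5156 documentation addresses).
A_ADDR = "198.51.100.1"
AAAA_ADDR = "2001:db8::1"
CAA_FLAG_BIT = 128  # "Flag bit set to 1", i.e. the high bit of the flags octet


def caa_rdata(value: str, tag: str = "issue", flags: int = CAA_FLAG_BIT) -> bytes:
    """Encode CAA RDATA (RFC 8659 layout): flags octet, tag length octet, tag, value."""
    tag_b = tag.encode("ascii")
    if not 0 < len(tag_b) <= 255:
        raise ValueError("CAA tag must be 1..255 bytes")
    return struct.pack("!BB", flags, len(tag_b)) + tag_b + value.encode("ascii")


def caa_presentation(rdata: bytes) -> str:
    """Render CAA RDATA in zone-file form, e.g. 128 issue "letsencrypt.org"."""
    flags, tag_len = struct.unpack("!BB", rdata[:2])
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("ascii")
    return f'{flags} {tag} "{value}"'


def yes_answer(qname: str, qtype: str, caa_values: list, ns: str):
    """Return (rcode, answers) for one query, following the handler's stated rules.

    answers is a list of (owner, rrtype, presentation-format rdata) tuples."""
    qname = qname.lower().rstrip(".") + "."
    ns = ns.lower().rstrip(".") + "."
    if qtype == "A":
        return "NOERROR", [(qname, "A", A_ADDR)]
    if qtype == "AAAA":
        return "NOERROR", [(qname, "AAAA", AAAA_ADDR)]
    if qtype == "CAA":
        # One record per configured caa VALUE, all with flags 128 and tag "issue".
        return "NOERROR", [(qname, "CAA", caa_presentation(caa_rdata(v))) for v in caa_values]
    if qtype == "NS":
        return "NOERROR", [(qname, "NS", ns)]
    if qtype == "SOA":
        # Assumed SOA layout: MNAME is ns, RNAME is derived from it, timers are placeholders.
        return "NOERROR", [(qname, "SOA", f"{ns} hostmaster.{ns} 1 3600 900 604800 300")]
    # Everything else (TXT included here, by assumption) is NODATA: NOERROR with an empty answer.
    return "NOERROR", []
```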
Notes
This handler came into existence because some certificate authorities want to query the DNS for private names
for TLS certificate creation. It should be possible to recreate this with a split view and a wildcard CAA
record. This is just easier.
After having a working setup in commit 6f870d4fe7ad5855f97f75f628839794d5c016ca, this was pared down again to
give the most minimal DNS implementation that can be used successfully.
It was tested with the harica.gr TLS provider in 2025.
Bugs
DNSSEC is not implemented.
Dynamically updating a TXT record, which would allow solving the DNS-01 challenge, is also not implemented.
Also See
yes(1).