
Introduce DNS Challenge #159

Merged
a-thieme merged 1 commit into named-data:main from tianyuan129:main
Sep 24, 2025

Conversation

@tianyuan129 (Collaborator) commented Sep 24, 2025

Overview

PR to add the DNS challenge support. It contains two parts: the client implementation and certcli support.

Background

The DNS challenge spec tries to do things very similar to Let's Encrypt dns-01. Currently the testbed root CA already supports this challenge, feel free to test this code against it.

Comments

Semi-related implementation decisions I deliberately made:

  • No corresponding PROBE: I believe the NDN names derived from DNS names should follow a uniform name convention
  • When the DNS challenge is chosen, certcli skips the PROBE and forces appending the domain name under the CA name (e.g., /ndn/example.org)
  • The spec does not define the record TTL, and neither does the implementation. Up to users, but be careful.

certcli Support

certcli usage to test the DNS challenge. It requires you to get the ndnd cert PEM for testbed root.

Hope the below can help you (assuming you have curl and base64):

curl -s https://raw.githubusercontent.com/named-data/testbed/main/anchors/ndn-testbed-root.ndncert.2204.base64 | base64 -d | ./ndnd sec pem-encode > ca-cert.pem

Run the certificate client without specifying a challenge type to be prompted to choose:

./ndnd certcli ca-cert.pem

When prompted, select "3. dns" for DNS challenge.

Direct DNS Challenge

Specify the DNS challenge directly:

./ndnd certcli --challenge=dns ca-cert.pem

Pre-specify Domain

You can provide the domain name upfront to reduce prompts:

./ndnd certcli --challenge=dns --domain=example.org ca-cert.pem

Challenge Flow

Step 1: Domain Specification

  • If --domain flag is not provided, you'll be prompted to enter the domain name
  • The domain name must be valid according to RFC 1123 hostname format

Step 2: DNS Record Creation

The client will display instructions like:

=== DNS CHALLENGE SETUP ===
Please create the following DNS TXT record:

Record Name: _ndncert-challenge.example.org
Record Type: TXT
Record Value: a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456

Example DNS configuration:
_ndncert-challenge.example.org IN TXT "a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456"

After creating the DNS TXT record, press ENTER to continue verification...

Step 3: DNS Record Creation (User Action)

Create the DNS TXT record using your DNS provider's interface

Step 4: Verification

  • Press ENTER to proceed with verification
  • The CA will perform DNS lookup to verify the TXT record
  • If verification fails, you'll be prompted to check the record and retry

Step 5: Certificate Issuance

Same as the existing ndncert implementation
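As an added illustration of Steps 1, 2 and 4 above (this is example code written for this page, not part of the ndnd PR or the ndncert spec), the following Go program validates the domain against the RFC 1123 hostname rule the post cites, builds the `_ndncert-challenge.<domain>` TXT owner name shown in the sample output, and checks that the record actually carries the challenge value. It is the preflight a user would run before pressing ENTER, and it mirrors what the CA has to do during verification. The resolver is injected as a function so the check runs offline against a constructed in-memory zone; the exact-string-match rule and the `ErrNotFound` sentinel are assumptions made here, not behaviour documented on this page.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// recordPrefix is the label the PR's sample output shows certcli prepending to the domain.
const recordPrefix = "_ndncert-challenge."

// RFC 1123 hostname label: 1-63 alphanumerics or hyphens, not starting or ending with a hyphen.
var labelRe = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// ValidHostname applies the RFC 1123 hostname format the post requires for --domain.
func ValidHostname(name string) bool {
	name = strings.TrimSuffix(name, ".") // tolerate a trailing root dot
	if len(name) == 0 || len(name) > 253 {
		return false
	}
	for _, label := range strings.Split(name, ".") {
		if !labelRe.MatchString(label) {
			return false
		}
	}
	return true
}

// ChallengeRecordName builds the TXT owner name printed in Step 2.
func ChallengeRecordName(domain string) (string, error) {
	if !ValidHostname(domain) {
		return "", fmt.Errorf("invalid RFC 1123 hostname: %q", domain)
	}
	return recordPrefix + strings.TrimSuffix(domain, "."), nil
}

// TXTLookup abstracts the resolver; net.LookupTXT satisfies it for live use.
type TXTLookup func(name string) ([]string, error)

// ErrNotFound (assumed here) distinguishes "record exists but wrong value" from resolver failures.
var ErrNotFound = errors.New("expected TXT value not present")

// VerifyChallengeRecord resolves the TXT record and accepts only an exact match
// of the challenge value (assumption: a quoted or truncated copy must not pass).
func VerifyChallengeRecord(domain, value string, lookup TXTLookup) error {
	name, err := ChallengeRecordName(domain)
	if err != nil {
		return err
	}
	records, err := lookup(name)
	if err != nil {
		return fmt.Errorf("lookup %s: %w", name, err)
	}
	for _, r := range records {
		if r == value {
			return nil
		}
	}
	return fmt.Errorf("%s: %w", name, ErrNotFound)
}

// fakeZone is a constructed in-memory zone so the check can be exercised offline.
func fakeZone(entries map[string][]string) TXTLookup {
	return func(name string) ([]string, error) {
		if rrs, ok := entries[name]; ok {
			return rrs, nil
		}
		return nil, &net.DNSError{Err: "no such host", Name: name, IsNotFound: true}
	}
}

func main() {
	// Token taken from the sample output in the PR description.
	token := "a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456"
	zone := fakeZone(map[string][]string{"_ndncert-challenge.example.org": {token}})
	fmt.Println("offline check:", VerifyChallengeRecord("example.org", token, zone))
	// Live preflight with the system resolver; substitute your own domain and the value certcli printed.
	fmt.Println("live check:", VerifyChallengeRecord("example.org", token, net.LookupTXT))
}
```

Because the lookup is injected, the same `VerifyChallengeRecord` serves both the user-side preflight (pass `net.LookupTXT`) and a unit test that never touches the network. Note that a publicly resolvable TXT record is all the challenge proves, so the token should be removed once the certificate is issued.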

@tianyuan129 tianyuan129 assigned zjkmxy and unassigned zjkmxy Sep 24, 2025
@tianyuan129 tianyuan129 requested a review from zjkmxy September 24, 2025 02:01
@a-thieme (Collaborator) commented

DNS and email challenges work with the testbed CA. Instructions worked as well, but using ndnd instead of ./ndnd

using go version go1.25.1 X:nodwarf5 linux/amd64

@a-thieme (Collaborator) left a review comment


Changes worked for me. See my previous comment.

@a-thieme a-thieme merged commit d75b7ee into named-data:main Sep 24, 2025
9 checks passed