Revert revert of CAA validation

Meldiron · Meldiron · commit 2d4e99cb1ac7 · 2025-08-05T13:44:06.000+02:00
diff --git a/.env b/.env
@@ -21,13 +21,15 @@ _APP_OPTIONS_ROUTER_PROTECTION=disabled
 _APP_OPTIONS_FORCE_HTTPS=disabled
 _APP_OPTIONS_ROUTER_FORCE_HTTPS=disabled
 _APP_OPENSSL_KEY_V1=your-secret-key
+_APP_DNS=8.8.8.8
 _APP_DOMAIN=traefik
 _APP_CONSOLE_DOMAIN=localhost
 _APP_DOMAIN_FUNCTIONS=functions.localhost
 _APP_DOMAIN_SITES=sites.localhost
 _APP_DOMAIN_TARGET_CNAME=test.localhost
 _APP_DOMAIN_TARGET_A=127.0.0.1
 _APP_DOMAIN_TARGET_AAAA=::1
+_APP_DOMAIN_TARGET_CAA=digicert.com
 _APP_RULES_FORMAT=md5
 _APP_REDIS_HOST=redis
 _APP_REDIS_PORT=6379
diff --git a/app/config/variables.php b/app/config/variables.php
@@ -151,6 +151,24 @@
                 'question' => '',
                 'filter' => ''
             ],
+            [
+                'name' => '_APP_DOMAIN_TARGET_CAA',
+                'description' => 'A CAA record domain that can be used to validate custom domains. Value should be domain\'s hostname.',
+                'introduction' => '',
+                'default' => '',
+                'required' => false,
+                'question' => '',
+                'filter' => ''
+            ],
+            [
+                'name' => '_APP_DNS',
+                'description' => 'DNS server to use for domain validation. Default: 8.8.8.8',
+                'introduction' => '',
+                'default' => '8.8.8.8',
+                'required' => false,
+                'question' => '',
+                'filter' => ''
+            ],
             [
                 'name' => '_APP_CONSOLE_WHITELIST_ROOT',
                 'description' => 'This option allows you to disable the creation of new users on the Appwrite console. When enabled only 1 user will be able to use the registration form. New users can be added by inviting them to your project. By default this option is enabled.',
diff --git a/app/controllers/api/console.php b/app/controllers/api/console.php
@@ -71,6 +71,8 @@
             '_APP_DOMAIN_TARGET_CNAME' => System::getEnv('_APP_DOMAIN_TARGET_CNAME'),
             '_APP_DOMAIN_TARGET_AAAA' => System::getEnv('_APP_DOMAIN_TARGET_AAAA'),
             '_APP_DOMAIN_TARGET_A' => System::getEnv('_APP_DOMAIN_TARGET_A'),
+            // Combine CAA domain with most common flags and tag (no parameters)
+            '_APP_DOMAIN_TARGET_CAA' => '0 issue "' . System::getEnv('_APP_DOMAIN_TARGET_CAA') . '"',
             '_APP_STORAGE_LIMIT' => +System::getEnv('_APP_STORAGE_LIMIT'),
             '_APP_COMPUTE_SIZE_LIMIT' => +System::getEnv('_APP_COMPUTE_SIZE_LIMIT'),
             '_APP_USAGE_STATS' => System::getEnv('_APP_USAGE_STATS'),
diff --git a/app/controllers/api/proxy.php b/app/controllers/api/proxy.php
@@ -286,6 +286,19 @@
             throw new Exception(Exception::RULE_VERIFICATION_FAILED);
         }
 
+        // Ensure CAA won't block certificate issuance
+        if (!empty(System::getEnv('_APP_DOMAIN_TARGET_CAA', ''))) {
+            $validationStart = \microtime(true);
+            $validator = new DNS(System::getEnv('_APP_DOMAIN_TARGET_CAA', ''), DNS::RECORD_CAA);
+            if (!$validator->isValid($domain->get())) {
+                $log->addExtra('dnsTimingCaa', \strval(\microtime(true) - $validationStart));
+                $log->addTag('dnsDomain', $domain->get());
+                $error = $validator->getDescription();
+                $log->addExtra('dnsResponse', \is_array($error) ? \json_encode($error) : \strval($error));
+                throw new Exception(Exception::RULE_VERIFICATION_FAILED, 'Domain verification failed because CAA records do not allow certainly.com to issue certificates.');
+            }
+        }
+
         $dbForPlatform->updateDocument('rules', $rule->getId(), $rule->setAttribute('status', 'verifying'));
 
         // Issue a TLS certificate when domain is verified
diff --git a/app/views/install/compose.phtml b/app/views/install/compose.phtml
@@ -95,6 +95,8 @@ $image = $this->getParam('image', '');
       - _APP_DOMAIN_TARGET_CNAME
       - _APP_DOMAIN_TARGET_AAAA
       - _APP_DOMAIN_TARGET_A
+      - _APP_DOMAIN_TARGET_CAA
+      - _APP_DOMAINS_DNS
       - _APP_DOMAIN_FUNCTIONS
       - _APP_REDIS_HOST
       - _APP_REDIS_PORT
@@ -472,6 +474,8 @@ $image = $this->getParam('image', '');
       - _APP_DOMAIN_TARGET_CNAME
       - _APP_DOMAIN_TARGET_AAAA
       - _APP_DOMAIN_TARGET_A
+      - _APP_DOMAIN_TARGET_CAA
+      - _APP_DOMAINS_DNS
       - _APP_DOMAIN_FUNCTIONS
       - _APP_EMAIL_CERTIFICATES
       - _APP_REDIS_HOST
@@ -629,6 +633,8 @@ $image = $this->getParam('image', '');
       - _APP_DOMAIN_TARGET_CNAME
       - _APP_DOMAIN_TARGET_AAAA
       - _APP_DOMAIN_TARGET_A
+      - _APP_DOMAIN_TARGET_CAA
+      - _APP_DOMAINS_DNS
       - _APP_EMAIL_SECURITY
       - _APP_REDIS_HOST
       - _APP_REDIS_PORT
@@ -660,6 +666,8 @@ $image = $this->getParam('image', '');
       - _APP_DOMAIN_TARGET_CNAME
       - _APP_DOMAIN_TARGET_AAAA
       - _APP_DOMAIN_TARGET_A
+      - _APP_DOMAIN_TARGET_CAA
+      - _APP_DOMAINS_DNS
       - _APP_DOMAIN_FUNCTIONS
       - _APP_OPENSSL_KEY_V1
       - _APP_REDIS_HOST
diff --git a/composer.json b/composer.json
@@ -55,6 +55,7 @@
         "utopia-php/database": "0.71.*",
         "utopia-php/detector": "0.1.*",
         "utopia-php/domains": "0.8.*",
+        "utopia-php/dns": "0.3.*",
         "utopia-php/dsn": "0.2.1",
         "utopia-php/framework": "0.33.*",
         "utopia-php/fetch": "0.4.*",
diff --git a/composer.lock b/composer.lock
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -120,6 +120,8 @@ services:
       - _APP_DOMAIN_TARGET_CNAME
       - _APP_DOMAIN_TARGET_AAAA
       - _APP_DOMAIN_TARGET_A
+      - _APP_DOMAIN_TARGET_CAA
+      - _APP_DNS
       - _APP_DOMAIN_FUNCTIONS
       - _APP_REDIS_HOST
       - _APP_REDIS_PORT
@@ -535,6 +537,8 @@ services:
       - _APP_DOMAIN_TARGET_CNAME
       - _APP_DOMAIN_TARGET_AAAA
       - _APP_DOMAIN_TARGET_A
+      - _APP_DOMAIN_TARGET_CAA
+      - _APP_DNS
       - _APP_DOMAIN_FUNCTIONS
       - _APP_EMAIL_CERTIFICATES
       - _APP_REDIS_HOST
@@ -704,6 +708,8 @@ services:
       - _APP_DOMAIN_TARGET_CNAME
       - _APP_DOMAIN_TARGET_AAAA
       - _APP_DOMAIN_TARGET_A
+      - _APP_DOMAIN_TARGET_CAA
+      - _APP_DNS
       - _APP_EMAIL_SECURITY
       - _APP_REDIS_HOST
       - _APP_REDIS_PORT
@@ -738,6 +744,8 @@ services:
       - _APP_DOMAIN_TARGET_CNAME
       - _APP_DOMAIN_TARGET_AAAA
       - _APP_DOMAIN_TARGET_A
+      - _APP_DOMAIN_TARGET_CAA
+      - _APP_DNS
       - _APP_DOMAIN_FUNCTIONS
       - _APP_OPENSSL_KEY_V1
       - _APP_REDIS_HOST
diff --git a/src/Appwrite/Network/Validator/DNS.php b/src/Appwrite/Network/Validator/DNS.php
@@ -2,13 +2,16 @@
 
 namespace Appwrite\Network\Validator;
 
+use Utopia\DNS\Client;
+use Utopia\System\System;
 use Utopia\Validator;
 
 class DNS extends Validator
 {
-    public const RECORD_A = 'a';
-    public const RECORD_AAAA = 'aaaa';
-    public const RECORD_CNAME = 'cname';
+    public const RECORD_A = 'A';
+    public const RECORD_AAAA = 'AAAA';
+    public const RECORD_CNAME = 'CNAME';
+    public const RECORD_CAA = 'CAA'; // You can provide domain only (as $target) for CAA validation
 
     /**
      * @var mixed
@@ -42,33 +45,22 @@ public function getLogs(): mixed
      * Check if DNS record value matches specific value
      *
      * @param mixed $domain
-     *
      * @return bool
      */
     public function isValid($value): bool
     {
-        $typeNative = match ($this->type) {
-            self::RECORD_A => DNS_A,
-            self::RECORD_AAAA => DNS_AAAA,
-            self::RECORD_CNAME => DNS_CNAME,
-            default => throw new \Exception('Record type not supported.')
-        };
-
-        $dnsKey = match ($this->type) {
-            self::RECORD_A => 'ip',
-            self::RECORD_AAAA => 'ipv6',
-            self::RECORD_CNAME => 'target',
-            default => throw new \Exception('Record type not supported.')
-        };
-
         if (!is_string($value)) {
             return false;
         }
 
+        $dnsServer = System::getEnv('_APP_DNS', '8.8.8.8');
+        $dns = new Client($dnsServer);
+
         try {
-            $records = \dns_get_record($value, $typeNative);
-            $this->logs = $records;
-        } catch (\Throwable $th) {
+            $query = $dns->query($value, $this->type);
+            $this->logs = $query;
+        } catch (\Exception $e) {
+            $this->logs = ['error' => $e->getMessage()];
             return false;
         }
 
@@ -90,8 +82,21 @@ public function isValid($value): bool
             return false;
         }
 
-        foreach ($records as $record) {
-            if (isset($record[$dnsKey]) && $record[$dnsKey] === $this->target) {
+        foreach ($query as $record) {
+            // CAA validation only needs to ensure domain
+            if ($this->type === self::RECORD_CAA) {
+                // Extract domain; comments showcase extraction steps in most complex scenario
+                $rdata = $record->getRdata(); // 255 issuewild "certainly.com;validationmethods=tls-alpn-01;retrytimeout=3600"
+                $rdata = \explode(' ', $rdata, 3)[2] ?? ''; // "certainly.com;validationmethods=tls-alpn-01;retrytimeout=3600"
+                $rdata = \trim($rdata, '"'); // certainly.com;validationmethods=tls-alpn-01;retrytimeout=3600
+                $rdata = \explode(';', $rdata, 2)[0] ?? ''; // certainly.com
+
+                if ($rdata === $this->target) {
+                    return true;
+                }
+            }
+
+            if ($record->getRdata() === $this->target) {
                 return true;
             }
         }
diff --git a/src/Appwrite/Platform/Workers/Certificates.php b/src/Appwrite/Platform/Workers/Certificates.php
@@ -337,6 +337,19 @@ private function validateDomain(Domain $domain, bool $isMainDomain, Log $log): v
 
                 throw new Exception('Failed to verify domain DNS records.');
             }
+
+            // Ensure CAA won't block certificate issuance
+            if (!empty(System::getEnv('_APP_DOMAIN_TARGET_CAA', ''))) {
+                $validationStart = \microtime(true);
+                $validator = new DNS(System::getEnv('_APP_DOMAIN_TARGET_CAA', ''), DNS::RECORD_CAA);
+                if (!$validator->isValid($domain->get())) {
+                    $log->addExtra('dnsTimingCaa', \strval(\microtime(true) - $validationStart));
+                    $log->addTag('dnsDomain', $domain->get());
+                    $error = $validator->getDescription();
+                    $log->addExtra('dnsResponse', \is_array($error) ? \json_encode($error) : \strval($error));
+                    throw new Exception('Failed to verify domain DNS records. CAA records do not allow certificates from certainly.com to issue certificates.');
+                }
+            }
         } else {
             // Main domain validation
             // TODO: Would be awesome to check A/AAAA record here. Maybe dry run?
diff --git a/src/Appwrite/Utopia/Response/Model/ConsoleVariables.php b/src/Appwrite/Utopia/Response/Model/ConsoleVariables.php
@@ -10,24 +10,30 @@ class ConsoleVariables extends Model
     public function __construct()
     {
         $this
-        ->addRule('_APP_DOMAIN_TARGET_CNAME', [
-            'type' => self::TYPE_STRING,
-            'description' => 'CNAME target for your Appwrite custom domains.',
-            'default' => '',
-            'example' => 'appwrite.io',
-        ])
-        ->addRule('_APP_DOMAIN_TARGET_A', [
-            'type' => self::TYPE_STRING,
-            'description' => 'A target for your Appwrite custom domains.',
-            'default' => '',
-            'example' => '127.0.0.1',
-        ])
-        ->addRule('_APP_DOMAIN_TARGET_AAAA', [
-            'type' => self::TYPE_STRING,
-            'description' => 'AAAA target for your Appwrite custom domains.',
-            'default' => '',
-            'example' => '::1',
-        ])
+            ->addRule('_APP_DOMAIN_TARGET_CNAME', [
+                'type' => self::TYPE_STRING,
+                'description' => 'CNAME target for your Appwrite custom domains.',
+                'default' => '',
+                'example' => 'appwrite.io',
+            ])
+            ->addRule('_APP_DOMAIN_TARGET_A', [
+                'type' => self::TYPE_STRING,
+                'description' => 'A target for your Appwrite custom domains.',
+                'default' => '',
+                'example' => '127.0.0.1',
+            ])
+            ->addRule('_APP_DOMAIN_TARGET_AAAA', [
+                'type' => self::TYPE_STRING,
+                'description' => 'AAAA target for your Appwrite custom domains.',
+                'default' => '',
+                'example' => '::1',
+            ])
+            ->addRule('_APP_DOMAIN_TARGET_CAA', [
+                'type' => self::TYPE_STRING,
+                'description' => 'CAA target for your Appwrite custom domains.',
+                'default' => '',
+                'example' => 'digicert.com',
+            ])
             ->addRule('_APP_STORAGE_LIMIT', [
                 'type' => self::TYPE_INTEGER,
                 'description' => 'Maximum file size allowed for file upload in bytes.',
diff --git a/tests/e2e/Services/Console/ConsoleConsoleClientTest.php b/tests/e2e/Services/Console/ConsoleConsoleClientTest.php
diff --git a/tests/unit/Network/Validators/DNSTest.php b/tests/unit/Network/Validators/DNSTest.php
