From 21cfca9b6eca3b140fa913a9571a6ae04900f081 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Fri, 2 Apr 2021 20:19:38 -0600
Subject: Invert generate-domain-key relaxed semantics

Signed-off-by: Jason A. Donenfeld
---
 README.md | 12 ++++++------
 main.go | 29 +++++++++++++++--------------
 2 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/README.md b/README.md
index fb1a942..d85b880 100644
--- a/README.md
+++ b/README.md
@@ -35,16 +35,16 @@ Finally, generate domain update keys using `ddns generate-domain-key`:
 
 ```
 # . /etc/ddns.conf; export DDNS_UPDATE_DOMAIN DDNS_SECRET
-# ddns generate-domain-key somesubdomain.dyn.example.org
+# ddns generate-domain-key ~somesubdomain.dyn.example.org
 ...
-# ddns generate-domain-key !restrictivesubdomain.dyn.example.org
+# ddns generate-domain-key restrictivesubdomain.dyn.example.org
 ...
 ```
 
-If the provided subdomain does _not_ start with a `!`, then that key can be
-used for that subdomain and all subdomains of it. Caution: this allows for an
-unbounded quantity of entries! If the provided subdomain _does_ start with a
-`!`, then that key can only be used for that exact subdomain.
+If the provided subdomain starts with a `~`, then that key can be used for that
+subdomain and all subdomains of it, but beware, this allows for an unbounded
+quantity of entries. If the provided subdomain does not start with a `~`, then
+that key can only be used for that exact subdomain.
 
 Updates can then be performed using any HTTPS utility:
 
diff --git a/main.go b/main.go
index 1124c07..05def3d 100644
--- a/main.go
+++ b/main.go
@@ -288,25 +288,26 @@ func newAutocertListener(tcp *os.File, cacheDir, domain string) net.Listener {
 
 func usage() {
 fmt.Fprintf(os.Stderr, `Usage: %s generate-secret
- %s generate-domain-key [!]DOMAIN
+ %s generate-domain-key [~]DOMAIN
 %s serve
 
-The generate-secret subcommand simply prints out a new random secret for use
+The 'generate-secret' subcommand simply prints out a new random secret for use
 in the DDNS_SECRET environment variable.
 
-The generate-domain-key subcommand generates a key to be used with the
-Domain-Secret http header when making update requests. If DOMAIN begins
-with a '!', the key may only be used for that exact domain. Otherwise the
-key is usable for that domain and all subdomains of it; beware, there is no
-limit on the number of entries such an unrestricted key can add. The
-DDNS_SECRET environment variable must be set and of valid form.
+The 'generate-domain-key' subcommand generates a key to be used with the
+Domain-Secret http header when making update requests. If DOMAIN does not
+begin with a '~', the key may only be used for that exact domain. Otherwise,
+if DOMAIN does begin with a '~', the key is usable for that domain and all
+subdomains of it; beware, there is no limit on the number of entries such an
+unrestricted key can add. The DDNS_SECRET environment variable must be set
+and of valid form.
 
-The serve subcommand starts a DNS server and a HTTPS update server on the
+The 'serve' subcommand starts a DNS server and an HTTPS update server on the
 domain specified by the DDNS_UPDATE_DOMAIN environment variable. Open file
 descriptors must be passed in with systemd socket-activation semantics, in
 order udp:53, tcp:53, tcp:443. The DDNS_SECRET environment variable must be
-set and of valid form. The /update/{DOMAIN} http endpoint requires the
-Domain-Secret http header to be set. Domains will be read from and stored
+set and of valid form. The /update/{DOMAIN} HTTP endpoint requires the
+Domain-Secret HTTP header to be set. Domains will be read from and stored
 to $STATE_DIRECTORY/domains.txt, and TLS certificates will be stored in
 $CACHE_DIRECTORY/ddns-certs.
 `, os.Args[0], os.Args[0], os.Args[0])
@@ -335,9 +336,9 @@ func main() {
 if len(os.Args) == 3 && os.Args[1] == "generate-domain-key" {
 domain := os.Args[2]
 var split []string
- var exclusive string
- if len(domain) > 0 && domain[0] == '!' {
- exclusive = "!"
+ exclusive := "!"
+ if len(domain) > 0 && domain[0] == '~' {
+ exclusive = ""
 domain = domain[1:]
 }
 if domain != "" {
-- 
cgit v1.2.3-59-g8ed1b
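Review bot: The new generate-domain-key paragraph still reads `Domain-Secret http header when making update requests` while the serve paragraph in the same hunk is corrected to `HTTP endpoint` and `HTTP header`, so the help text is now inconsistent with itself; the added line should become `Domain-Secret HTTP header when making update requests. If DOMAIN does not`. The following sentence, `Otherwise, if DOMAIN does begin with a '~'`, restates the condition it immediately follows and could be shortened to `Otherwise the key is usable for that domain and all subdomains of it`. It would also help operators to state that the `~` is a marker only and is not part of the domain the key is bound to. usage()'s closing brace lies outside the hunk.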
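Review bot: A domain given with the retired `!` prefix is no longer rejected: `generate-domain-key !host.example.org` now takes the exact-domain path with the `!` kept as part of the domain string, and whether the `split` handling below the hunk catches that is not visible here. Since the default is inverted at the same time, the old unrestricted spelling `generate-domain-key host.example.org` now silently yields an exact-domain key — the safer outcome, but a silent one — so failing loudly on the old prefix would make the transition unambiguous: `if len(domain) > 0 && domain[0] == '!' {` / `fmt.Fprintln(os.Stderr, "the '!' prefix is no longer supported: omit it for an exact-domain key, or use '~' for a key covering subdomains"); os.Exit(1)` / `}`, placed before the `~` check. main() starts before and ends after the hunk.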