DNS Persistent DCV validation method #60
Pull request overview
This pull request adds support for the DNS Persistent domain control validation (DCV) method in compliance with CA/Browser Forum Baseline Requirements section 3.2.2.4.22. The implementation includes new validation parameters, core validation logic, and comprehensive test coverage.
Key Changes
- Added `DcvDnsPersistentValidationParameters` class to handle persistent DNS TXT record validation with issuer domain names and account URI
- Implemented `evaluate_persistent_dns_response` method to parse and validate DNS TXT records according to RFC 8659 syntax, checking issuer domain, account URI, and optional expiration timestamp
- Updated test suite with comprehensive unit tests for the new validation method, including edge cases for malformed records, case insensitivity, and expiration handling
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| src/open_mpic_core/about.py | Bumped package version to 6.3.0 |
| pyproject.toml | Updated API spec version to 3.8.0 and removed unused pytest config options |
| src/open_mpic_core/common_domain/enum/dcv_validation_method.py | Added DNS_PERSISTENT and DNS_ACCOUNT_01 enum values with CABF references |
| src/open_mpic_core/common_domain/check_parameters.py | Added DcvDnsPersistentValidationParameters class and updated union type |
| src/open_mpic_core/common_domain/check_response_details.py | Extended DNS response details to support DNS_PERSISTENT and DNS_ACCOUNT_01 methods |
| src/open_mpic_core/mpic_dcv_checker/mpic_dcv_checker.py | Implemented ExpectedDnsRecordContent class and persistent DNS validation logic |
| src/open_mpic_core/init.py | Exported new DcvDnsPersistentValidationParameters class |
| tests/unit/test_util/valid_mpic_request_creator.py | Added test factory method for DNS_PERSISTENT validation |
| tests/unit/test_util/valid_check_creator.py | Added helper methods to create DNS persistent check requests |
| tests/unit/open_mpic_core/test_check_request_parameters.py | Added validation tests for new parameter class |
| tests/unit/open_mpic_core/test_mpic_dcv_request.py | Updated tests to use warnings=False in model_dump calls |
| tests/unit/open_mpic_core/test_mpic_caa_request.py | Updated tests to use warnings=False in model_dump calls |
| tests/unit/open_mpic_core/test_mpic_dcv_checker.py | Added comprehensive unit tests for persistent DNS validation logic |
| tests/unit/open_mpic_core/test_mpic_coordinator.py | Added integration test for DNS_PERSISTENT method and fixed typo in test name |
birgelee left a comment
looks good
This pull request adds support for a new DNS-based domain control validation (DCV) method, "DNS Persistent," in compliance with the latest CA/Browser Forum Baseline Requirements. The changes include updates to the core validation logic, new parameter and response classes, and enhancements to the test suite. The version is also bumped to reflect these new capabilities.
Support for DNS Persistent DCV (CABF 3.2.2.4.22):
- `DcvDnsPersistentValidationParameters` class to handle parameters for persistent DNS TXT record validation, including issuer domain names and account URI.
- (`DcvValidationMethod`) to include `DNS_PERSISTENT` and `DNS_ACCOUNT_01`, with CABF references and comments for clarity.
- (`MpicDcvChecker`) to build and evaluate expected DNS record content for persistent validation, including a new `evaluate_persistent_dns_response` method that parses TXT records according to CABF/RFC 8659 syntax and checks issuer, account URI, and expiration.

API and Model Updates:
- `3.8.0` in `pyproject.toml` and bumped the package version to `6.3.0`.

Testing Enhancements:

Minor Improvements and Refactoring:
These changes collectively enable persistent DNS validation, align with the latest industry standards, and improve the maintainability and clarity of the codebase.
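
The check described in this pull request (parse a TXT record in RFC 8659 issue-value syntax, then compare issuer, account URI and expiration) can be sketched as follows. This is an added example, not the project's `evaluate_persistent_dns_response`; the function names are hypothetical, and the parameter tags `accounturi` and `persistUntil`, case-insensitive issuer and tag matching, and treating the expiry as inclusive are assumptions of the example.

```python
import re
import time

# RFC 8659 parameter grammar: tag = alphanumerics with inner hyphens,
# value = printable ASCII without whitespace or ";".
_TAG = re.compile(r"[a-z0-9]+(?:-+[a-z0-9]+)*")
_VALUE = re.compile(r"[\x21-\x3A\x3C-\x7E]*")


def parse_issue_value(txt):
    """Split 'issuer; tag=value; ...' into (issuer, params); None if malformed."""
    issuer, *raw_params = (p.strip(" \t") for p in txt.split(";"))
    params = {}
    for raw in raw_params:
        tag, sep, value = (s.strip(" \t") for s in raw.partition("="))
        tag = tag.lower()  # assumption: tags compare case-insensitively
        if not sep or not _TAG.fullmatch(tag) or not _VALUE.fullmatch(value):
            return None
        if tag in params:  # conservative choice: duplicate tags are ambiguous
            return None
        params[tag] = value
    return issuer.lower().rstrip("."), params


def record_authorizes(txt, issuer_domains, account_uri, now=None):
    """True if one unquoted TXT string names an accepted issuer and the
    expected account URI, and any persistUntil timestamp has not passed."""
    parsed = parse_issue_value(txt)
    if parsed is None:
        return False
    issuer, params = parsed
    if issuer not in {d.lower().rstrip(".") for d in issuer_domains}:
        return False
    if params.get("accounturi") != account_uri:  # exact, case-sensitive match
        return False
    until = params.get("persistuntil")
    if until is None:
        return True  # no expiry declared
    if not until.isdigit():
        return False  # an unparsable expiry fails closed
    return (time.time() if now is None else now) <= int(until)


if __name__ == "__main__":
    # Constructed sample records, not taken from the pull request.
    acct = "https://ca.example/acct/123"
    for rec in (f"ca.example; accounturi={acct}",
                f"CA.Example; AccountURI={acct}; persistUntil=1600000000",
                "ca.example; accounturi"):
        print(repr(rec), "->", record_authorizes(rec, ["ca.example"], acct))
```
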