From 20fa5d9656889433be0c2f4e974565629d533ca6 Mon Sep 17 00:00:00 2001
From: link2xt
Date: Tue, 15 Oct 2024 21:47:13 +0000
Subject: [PATCH] Query autoritative nameserver directly to bypass DNS cache
unbound-control is not installed out of the box and even once installed `flush_zone` does not seem to work reliably. Instead of trying to flush the cache from unbound, we now query authoritative nameserver directly using `dig`.
---
 CHANGELOG.md | 3 +++
 cmdeploy/src/cmdeploy/remote/rdns.py | 18 ++++++++++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 09ea6c83..032605a4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 ## untagged
+- query autoritative nameserver to bypass DNS cache
+ ([#424](https://github.com/deltachat/chatmail/pull/424))
+
 - add mtail support (new optional `mail_address` ini value) This defines the address on which [`mtail`](https://google.github.io/mtail/) exposes its metrics collected from the logs.
diff --git a/cmdeploy/src/cmdeploy/remote/rdns.py b/cmdeploy/src/cmdeploy/remote/rdns.py
index d378990a..77093503 100644
--- a/cmdeploy/src/cmdeploy/remote/rdns.py
+++ b/cmdeploy/src/cmdeploy/remote/rdns.py
@@ -20,7 +20,6 @@ def perform_initial_checks(mail_domain):
 assert mail_domain
 if not shell("dig", fail_ok=True):
 shell("apt-get install -y dnsutils")
- shell(f"unbound-control flush_zone {mail_domain}", fail_ok=True)
 A = query_dns("A", mail_domain)
 AAAA = query_dns("AAAA", mail_domain)
 MTA_STS = query_dns("CNAME", f"mta-sts.{mail_domain}")
@@ -53,8 +52,20 @@ def get_dkim_entry(mail_domain, dkim_selector):
 def query_dns(typ, domain):
- res = shell(f"dig -r -q {domain} -t {typ} +short")
- print(res)
+ # Get autoritative nameserver from the SOA record.
+ soa_answers = [
+ x.split()
+ for x in shell(f"dig -r -q {domain} -t SOA +noall +authority +answer").split(
+ "\n"
+ )
+ ]
+ soa = [a for a in soa_answers if len(a) >= 3 and a[3] == "SOA"]
+ if not soa:
+ return
+ ns = soa[0][4]
+
+ # Query authoritative nameserver directly to bypass DNS cache.
+ res = shell(f"dig @{ns} -r -q {domain} -t {typ} +short")
 if res:
 return res.split("\n")[0]
 return ""
@@ -62,7 +73,6 @@ def query_dns(typ, domain):
 def check_zonefile(zonefile, mail_domain):
 """Check expected zone file entries."""
- shell(f"unbound-control flush_zone {mail_domain}", fail_ok=True)
 required = True
 required_diff = []
 recommended_diff = []
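Review bot: `ns` in `shell(f"dig @{ns} -r -q {domain} -t {typ} +short")` is taken from the SOA answer in the `query_dns` hunk, i.e. from data returned over DNS, and is interpolated into a command string without any check. The `shell` helper is not visible here, but if it runs the string through a shell, a name containing shell metacharacters would be interpreted rather than passed to dig; I would validate it first, e.g. `if not re.fullmatch(r"[A-Za-z0-9._-]+", ns): return ""` (this needs `re` imported in the module). The filter guard is also off by two: `len(a) >= 3` still lets `a[3]` and `soa[0][4]` raise IndexError on a short line, so it should read `len(a) >= 5`. The bare `return` on the no-SOA path yields None while the other paths return a string, which callers may not expect.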