Implement CNAME-based nsupdate validation

Implements validation using CNAMEs and RFC2138, as described in the
Let's Encrypt documentation.

For instance, if requesting the domain "test.net" with a CNAME from
"_acme-challenge.test.net" to "_acme-challenge.ledomain.net". As per the
spec this is fully supported, but using RFC2138 and nsupdate, acme.sh
did not support this properly, instead trying to add the record to the
original fulldomain unconditionally.

To implement this, this commit adds an additional environment variable,
NSUPDATE_CNAME_ZONE, which would contain the target zone, for instance
in the example above, "ledomain.net". If this variable is set, nsupdate
then adds/removes the _acme-validation TXT record to that zone instead
of the requested zone, as well as printing a helpful message mentioning
that the CNAME must exist for this to succeed.

dnsapi/dns_nsupdate.sh

@@ -10,6 +10,7 @@ dns_nsupdate_add() {
   NSUPDATE_SERVER_PORT="${NSUPDATE_SERVER_PORT:-$(_readaccountconf_mutable NSUPDATE_SERVER_PORT)}"
   NSUPDATE_KEY="${NSUPDATE_KEY:-$(_readaccountconf_mutable NSUPDATE_KEY)}"
   NSUPDATE_ZONE="${NSUPDATE_ZONE:-$(_readaccountconf_mutable NSUPDATE_ZONE)}"
+  NSUPDATE_CNAME_ZONE="${NSUPDATE_CNAME_ZONE:-$(_readaccountconf_mutable NSUPDATE_CNAME_ZONE)}"
 
   _checkKeyFile || return 1
 
@@ -18,14 +19,27 @@ dns_nsupdate_add() {
   _saveaccountconf_mutable NSUPDATE_SERVER_PORT "${NSUPDATE_SERVER_PORT}"
   _saveaccountconf_mutable NSUPDATE_KEY "${NSUPDATE_KEY}"
   _saveaccountconf_mutable NSUPDATE_ZONE "${NSUPDATE_ZONE}"
+  _saveaccountconf_mutable NSUPDATE_CNAME_ZONE "${NSUPDATE_CNAME_ZONE}"
 
   [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
   [ -n "${NSUPDATE_SERVER_PORT}" ] || NSUPDATE_SERVER_PORT=53
 
-  _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
+  if [ -n "${NSUPDATE_CNAME_ZONE}" ]; then
+      _info "adding _acme-challenge.${NSUPDATE_CNAME_ZONE}. 60 in txt \"${txtvalue}\""
+      _info "the record ${fulldomain}. must be a CNAME to this record for validation to succeed"
+  else
+      _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
+  fi
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d"
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D"
-  if [ -n "${NSUPDATE_ZONE}" ]; then
+  if [ -n "${NSUPDATE_CNAME_ZONE}" ]; then
+    nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
+server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT} 
+zone ${NSUPDATE_CNAME_ZONE}.
+update add _acme-challenge.${NSUPDATE_CNAME_ZONE}. 60 in txt "${txtvalue}"
+send
+EOF
+  elif [ -n "${NSUPDATE_ZONE}" ]; then
     nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
 server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT} 
 zone ${NSUPDATE_ZONE}.
@@ -59,10 +73,21 @@ dns_nsupdate_rm() {
   _checkKeyFile || return 1
   [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
   [ -n "${NSUPDATE_SERVER_PORT}" ] || NSUPDATE_SERVER_PORT=53
-  _info "removing ${fulldomain}. txt"
+  if [ -n "${NSUPDATE_CNAME_ZONE}" ]; then
+      _info "removing _acme-challenge.${NSUPDATE_CNAME_ZONE}. txt"
+  else
+      _info "removing ${fulldomain}. txt"
+  fi
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d"
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D"
-  if [ -n "${NSUPDATE_ZONE}" ]; then
+  if [ -n "${NSUPDATE_CNAME_ZONE}" ]; then
+    nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
+server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT} 
+update delete _acme-challenge.${NSUPDATE_CNAME_ZONE}. txt
+zone ${NSUPDATE_CNAME_ZONE}.
+send
+EOF
+  elif [ -n "${NSUPDATE_ZONE}" ]; then
     nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
 server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT} 
 update delete ${fulldomain}. txt