From b4629864ab71d77d8c2286d88201beb2454f8517 Mon Sep 17 00:00:00 2001
From: Mark Felder
Date: Wed, 13 Oct 2021 11:11:38 -0500
Subject: [PATCH] Allow use of a more secure _acme-challenge.$h subzone in Route53 to limit scope of access if an attacker compromises your system running acme.sh
---
dnsapi/dns_aws.sh | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/dnsapi/dns_aws.sh b/dnsapi/dns_aws.sh
index 14a4594d..25e3757e 100755
--- a/dnsapi/dns_aws.sh
+++ b/dnsapi/dns_aws.sh
@@ -178,7 +178,20 @@ _get_root() {
 return 1
 fi
- if _contains "$response" "$h."; then
+ if _contains "$response" "_acme-challenge.$h."; then
+ hostedzone="$(echo "$response" | sed 's//#&/g' | tr '#' '\n' | _egrep_o "[^<]*<.Id>_acme-challenge.$h.<.Name>.*false<.PrivateZone>.*<.HostedZone>")"
+ _debug hostedzone "$hostedzone"
+ if [ "$hostedzone" ]; then
+ _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o ".*<.Id>" | head -n 1 | _egrep_o ">.*<" | tr -d "<>")
+ if [ "$_domain_id" ]; then
+ _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+ _domain=_acme-challenge.$h
+ return 0
+ fi
+ _err "Can't find domain with id: _acme-challenge.$h"
+ return 1
+ fi
+ elif _contains "$response" "$h."; then
 hostedzone="$(echo "$response" | sed 's//#&/g' | tr '#' '\n' | _egrep_o "[^<]*<.Id>$h.<.Name>.*false<.PrivateZone>.*<.HostedZone>")"
 _debug hostedzone "$hostedzone"
 if [ "$hostedzone" ]; then
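Review bot: The new `_acme-challenge.$h` branch shadows the existing `$h.` lookup: `_contains` is a plain substring test on the whole zone listing, while the `_egrep_o` that follows only accepts zones with `false<.PrivateZone>`, so a private `_acme-challenge.$h` zone (or any zone name that merely ends in `_acme-challenge.$h.`) makes the outer `if` true, leaves `hostedzone` empty, and then skips the `elif` for the public `$h` zone for this label instead of falling back to it. Closing the subzone check before the old test fixes that with two changed lines: replace `elif _contains "$response" "$h."; then` with `fi` followed by `if _contains "$response" "$h."; then`, so each lookup stands on its own and the fallback still runs. The branch also deserves a why-comment so the odd `_domain=_acme-challenge.$h` assignment is understood later, e.g. `# Prefer a delegated _acme-challenge.<zone> hosted zone so the IAM policy can be scoped to that zone alone`. Since the zone discovery above the hunk appears to list hosted zones, the scoped IAM policy presumably still needs `route53:ListHostedZones` on `*` and only the record-change calls can be restricted to the subzone — worth stating in that comment if confirmed. `_get_root` starts and ends outside the hunk, so the loop that advances `$h`/`$p` after this block could not be checked.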