diff --git a/checker/dns.go b/checker/dns.go
index a31195d..7270da1 100644
--- a/checker/dns.go
+++ b/checker/dns.go
@@ -73,7 +73,10 @@ func findApex(ctx context.Context, fqdn, resolver string) (apex string, servers
 }
 hasSOA := false
 for _, rr := range r.Answer {
- if _, ok := rr.(*dns.SOA); ok {
+ // Only accept a SOA whose owner is the candidate itself: when the
+ // candidate is a CNAME, the resolver returns the target zone's SOA,
+ // which is not evidence that the candidate is an apex.
+ if soa, ok := rr.(*dns.SOA); ok && lowerFQDN(soa.Header().Name) == lowerFQDN(candidate) {
 hasSOA = true
 break
 }
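Review bot: The new owner check only works if `lowerFQDN` normalises the trailing dot as well as case, and that helper is defined outside this hunk. If it only lowercases, a `candidate` passed without the final dot would never equal `soa.Header().Name`, `hasSOA` would stay false at every level, and no apex would be found. A regression test with a CNAME candidate and a mixed-case answer would pin both behaviours. As a smaller point, `lowerFQDN(candidate)` is recomputed for every record in `r.Answer` although `candidate` does not appear to change inside the loop; computing `want := lowerFQDN(candidate)` before the `for` and comparing `lowerFQDN(soa.Header().Name) == want` keeps the condition shorter. `findApex` starts and ends outside the hunk, so the surrounding candidate loop was not reviewed.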