From 0becf6bc8c79b63d03809816db7f24364d61a9f9 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Thu, 18 Jun 2026 04:54:03 +0900
Subject: [PATCH] checker: require SOA owner to match candidate in findApex

A recursive resolver following a CNAME returns the target zone's SOA in the answer, which made findApex wrongly treat a CNAME owner as an apex. Only accept a SOA whose owner is the candidate itself.
---
 checker/dns.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/checker/dns.go b/checker/dns.go
index a31195d..7270da1 100644
--- a/checker/dns.go
+++ b/checker/dns.go
@@ -73,7 +73,10 @@ func findApex(ctx context.Context, fqdn, resolver string) (apex string, servers
 }
 hasSOA := false
 for _, rr := range r.Answer {
- if _, ok := rr.(*dns.SOA); ok {
+ // Only accept a SOA whose owner is the candidate itself: when the
+ // candidate is a CNAME, the resolver returns the target zone's SOA,
+ // which is not evidence that the candidate is an apex.
+ if soa, ok := rr.(*dns.SOA); ok && lowerFQDN(soa.Header().Name) == lowerFQDN(candidate) {
 hasSOA = true
 break
 }
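Review bot: The owner check on the new `if` line is only as good as lowerFQDN's normalisation of both sides: miekg/dns unpacks soa.Header().Name as an absolute name with a trailing dot, so if candidate (derived outside this hunk) is not also absolute, or lowerFQDN only lowercases, the comparison never matches and findApex would stop recognising every apex rather than just CNAME owners. It is worth confirming that lowerFQDN applies dns.Fqdn as well as lowercasing, or comparing with `dns.CanonicalName(soa.Header().Name) == dns.CanonicalName(candidate)`, which does both in one call. The description names the CNAME case but the patch adds no test; a table test with a CNAME-owner candidate (expect no apex) and a plain apex candidate (expect a match) would pin the intended behaviour and catch the normalisation mismatch above. The rest of findApex, including where candidate and r are produced, lies outside the hunk.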