checker: require SOA owner to match candidate in findApex

A recursive resolver following a CNAME returns the target zone's SOA in
the answer, which made findApex wrongly treat a CNAME owner as an apex.
Only accept a SOA whose owner is the candidate itself.
nemunaire 2026-06-18 04:54:03 +09:00
commit 0becf6bc8c


@ -73,7 +73,10 @@ func findApex(ctx context.Context, fqdn, resolver string) (apex string, servers
} }
hasSOA := false hasSOA := false
for _, rr := range r.Answer { for _, rr := range r.Answer {
if _, ok := rr.(*dns.SOA); ok { // Only accept a SOA whose owner is the candidate itself: when the
// candidate is a CNAME, the resolver returns the target zone's SOA,
// which is not evidence that the candidate is an apex.
if soa, ok := rr.(*dns.SOA); ok && lowerFQDN(soa.Header().Name) == lowerFQDN(candidate) {
hasSOA = true hasSOA = true
break break
} }
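Review bot: The new owner comparison in the `for _, rr := range r.Answer` loop is only as strict as `lowerFQDN`, which is defined outside this hunk. Owner names decoded from the wire are fully qualified, so if `candidate` can reach this point without its trailing dot and the helper only lower-cases, no SOA would ever match and findApex would keep walking past the real apex. It is worth confirming that the helper also appends the root dot, or recording the precondition next to the check, e.g. `// candidate is already fully qualified here`. The normalised candidate is loop-invariant and reads more clearly computed once before the loop: `want := lowerFQDN(candidate)`, then `lowerFQDN(soa.Header().Name) == want`. findApex begins and ends outside the hunk, so how `candidate` is derived from `fqdn` is not visible here.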