checker: require SOA owner to match candidate in findApex
A recursive resolver following a CNAME returns the target zone's SOA in the answer, which made findApex wrongly treat a CNAME owner as an apex. Only accept a SOA whose owner is the candidate itself.
parent
c5c13960d5
commit
0becf6bc8c
1 changed files with 4 additions and 1 deletions
|
|
@ -73,7 +73,10 @@ func findApex(ctx context.Context, fqdn, resolver string) (apex string, servers
|
||||||
}
|
}
|
||||||
hasSOA := false
|
hasSOA := false
|
||||||
for _, rr := range r.Answer {
|
for _, rr := range r.Answer {
|
||||||
if _, ok := rr.(*dns.SOA); ok {
|
// Only accept a SOA whose owner is the candidate itself: when the
|
||||||
|
// candidate is a CNAME, the resolver returns the target zone's SOA,
|
||||||
|
// which is not evidence that the candidate is an apex.
|
||||||
|
if soa, ok := rr.(*dns.SOA); ok && lowerFQDN(soa.Header().Name) == lowerFQDN(candidate) {
|
||||||
hasSOA = true
|
hasSOA = true
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
|
|
|
||||||
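Review bot: The owner comparison added inside the `for _, rr := range r.Answer` loop comes with no regression test (the commit touches one file), and it appears to be what decides which name findApex reports as the zone apex. A test should pin both a response that carries the target zone's SOA for a CNAME candidate and the ordinary apex case. `lowerFQDN(candidate)` is also recomputed for every record; hoisting it above the loop as `want := lowerFQDN(candidate)` and comparing `lowerFQDN(soa.Header().Name) == want` would read more clearly. `lowerFQDN` is defined outside the hunk, so confirm it normalises the trailing root dot as well as case; if it does not, a candidate written without the dot could never match an SOA owner and no apex would be found. findApex starts and ends outside the hunk.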