checker: require SOA owner to match candidate in findApex
A recursive resolver following a CNAME returns the target zone's SOA in the answer, which made findApex wrongly treat a CNAME owner as an apex. Only accept a SOA whose owner is the candidate itself.
parent
c5c13960d5
commit
0becf6bc8c
1 changed files with 4 additions and 1 deletions
|
|
@ -73,7 +73,10 @@ func findApex(ctx context.Context, fqdn, resolver string) (apex string, servers
|
|||
}
|
||||
hasSOA := false
|
||||
for _, rr := range r.Answer {
|
||||
if _, ok := rr.(*dns.SOA); ok {
|
||||
// Only accept a SOA whose owner is the candidate itself: when the
|
||||
// candidate is a CNAME, the resolver returns the target zone's SOA,
|
||||
// which is not evidence that the candidate is an apex.
|
||||
if soa, ok := rr.(*dns.SOA); ok && lowerFQDN(soa.Header().Name) == lowerFQDN(candidate) {
|
||||
hasSOA = true
|
||||
break
|
||||
}
|
||||
|
|
|
|||
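Review bot: The new owner check on the `if soa, ok := rr.(*dns.SOA); ok && ...` line has no regression test in this commit (only one file changed). A canned answer section holding a CNAME for the candidate plus the target zone's SOA should leave `hasSOA` false, and an SOA owned by the candidate in mixed case should set it. The comparison relies on `lowerFQDN`, which is defined outside the hunk, so confirm it normalises the trailing dot as well as case on both sides; `candidate` presumably derives from the caller-supplied `fqdn`, while the owner name comes from the resolver's response. As a small tidy-up, `lowerFQDN(candidate)` is loop-invariant and can be computed once before the `for`, e.g. `want := lowerFQDN(candidate)`. findApex starts and ends outside the hunk, so what happens to a candidate with no matching SOA is not visible here.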