package checker
import (
"context"
"fmt"
sdk "git.happydns.org/checker-sdk-go/checker"
)
// cnameDnssecRule is the stateless rule "cname_dnssec": it reports whether the
// CNAME at the observed owner name carries an RRSIG when its zone is
// DNSSEC-signed. The empty struct carries no configuration; everything it
// needs comes from the observations handed to Evaluate.
type cnameDnssecRule struct{}
// Name returns the identifier under which this rule is registered.
func (cnameDnssecRule) Name() string {
	const ruleName = "cname_dnssec"
	return ruleName
}
// Description returns the one-sentence, human-readable summary of what the
// rule checks, as shown in rule listings.
func (cnameDnssecRule) Description() string {
	const summary = "Verifies that, in a DNSSEC-signed zone, the CNAME at Owner carries an RRSIG."
	return summary
}
// Evaluate decides whether the CNAME at the observed owner carries an RRSIG
// when its zone is DNSSEC-signed. The alias observation is obtained through
// loadAlias (which receives ctx and obs); the checker options are unused.
//
// Outcomes, in evaluation order:
//   - the error state returned by loadAlias, if any;
//   - skipped when the apex is unknown, the zone is not signed, the owner has
//     no CNAME, or the DO-bit CNAME probe did not complete — in each of these
//     cases a verdict would be a guess, so the rule declines to judge;
//   - ok when the observation reports the CNAME as signed;
//   - crit, with a remediation hint, when a signed zone serves an unsigned
//     CNAME RRset.
func (cnameDnssecRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
	alias, errState := loadAlias(ctx, obs)
	if errState != nil {
		return errState
	}

	// Preconditions: the first one that fails turns into a skipped state.
	switch {
	case !apexKnown(alias):
		return skipped("apex lookup failed")
	case !alias.ZoneSigned:
		return skipped("zone not DNSSEC-signed")
	case !alias.OwnerHasCNAME:
		return skipped("owner has no CNAME")
	case !alias.CNAMESigCheckDone:
		return skipped("DO-bit CNAME probe did not complete")
	}

	if alias.CNAMESigned {
		return okState(alias.Owner, fmt.Sprintf("CNAME at %s is DNSSEC-signed", alias.Owner))
	}

	// Signed zone, CNAME present, probe completed, yet no RRSIG observed:
	// the hint text explains why this is rated critical rather than a warning.
	unsigned := sdk.CheckState{
		Status:  sdk.StatusCrit,
		Subject: alias.Owner,
		Message: fmt.Sprintf("zone %s is DNSSEC-signed but CNAME at %s has no RRSIG", alias.Apex, alias.Owner),
	}
	hint := "Re-sign the zone or verify your signer covers the alias RRset; unsigned answers in a signed zone SERVFAIL at validating resolvers."
	return []sdk.CheckState{withHint(unsigned, hint)}
}