125 lines
3.1 KiB
Go
125 lines
3.1 KiB
Go
//go:build standalone
|
|
|
|
package checker
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
sdk "git.happydns.org/checker-sdk-go/checker"
|
|
"github.com/miekg/dns"
|
|
)
|
|
|
|
// dnsLookupTimeout caps a single CAA query so the standalone HTTP
|
|
// handler can't be hung by a slow or hostile resolver.
|
|
const dnsLookupTimeout = 5 * time.Second
|
|
|
|
func (p *caaProvider) RenderForm() []sdk.CheckerOptionField {
|
|
return []sdk.CheckerOptionField{
|
|
{
|
|
Id: "domain",
|
|
Type: "string",
|
|
Label: "Domain name",
|
|
Placeholder: "example.com",
|
|
Required: true,
|
|
},
|
|
}
|
|
}
|
|
|
|
// ParseForm resolves CAA records via direct DNS. TLS probes are not
|
|
// gathered here; the rule reports StatusUnknown for the cross-check
|
|
// when used standalone.
|
|
func (p *caaProvider) ParseForm(r *http.Request) (sdk.CheckerOptions, error) {
|
|
domain := strings.TrimSpace(r.FormValue("domain"))
|
|
if domain == "" {
|
|
return nil, errors.New("domain is required")
|
|
}
|
|
domain = dns.Fqdn(domain)
|
|
bare := strings.TrimSuffix(domain, ".")
|
|
|
|
records, err := lookupCAA(r.Context(), domain)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("CAA lookup for %s: %w", domain, err)
|
|
}
|
|
|
|
payload := caaPolicyPayload{Records: make([]caaRecordPayload, 0, len(records))}
|
|
for _, rec := range records {
|
|
payload.Records = append(payload.Records, caaRecordPayload{
|
|
Flag: rec.Flag, Tag: rec.Tag, Value: rec.Value,
|
|
})
|
|
}
|
|
svcBody, err := json.Marshal(payload)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("marshal CAA payload: %w", err)
|
|
}
|
|
|
|
svc := serviceMessage{
|
|
Type: serviceType,
|
|
Domain: bare,
|
|
Service: svcBody,
|
|
}
|
|
|
|
return sdk.CheckerOptions{
|
|
"domain": bare,
|
|
"service": svc,
|
|
}, nil
|
|
}
|
|
|
|
// lookupCAA queries CAA records for fqdn using the system resolver.
|
|
// Per RFC 8659 §3, climbing the label tree only continues on empty
|
|
// NOERROR; NXDOMAIN terminates the walk.
|
|
func lookupCAA(ctx context.Context, fqdn string) ([]CAARecord, error) {
|
|
resolver := systemResolver()
|
|
|
|
c := &dns.Client{Timeout: dnsLookupTimeout}
|
|
for name := fqdn; name != "" && name != "."; {
|
|
msg := new(dns.Msg)
|
|
msg.SetQuestion(name, dns.TypeCAA)
|
|
msg.RecursionDesired = true
|
|
|
|
in, _, err := c.ExchangeContext(ctx, msg, resolver)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if in.Rcode == dns.RcodeNameError {
|
|
return nil, nil
|
|
}
|
|
if in.Rcode != dns.RcodeSuccess {
|
|
return nil, fmt.Errorf("rcode %s", dns.RcodeToString[in.Rcode])
|
|
}
|
|
|
|
var out []CAARecord
|
|
for _, rr := range in.Answer {
|
|
if caa, ok := rr.(*dns.CAA); ok {
|
|
out = append(out, CAARecord{Flag: caa.Flag, Tag: caa.Tag, Value: caa.Value})
|
|
}
|
|
}
|
|
if len(out) > 0 {
|
|
return out, nil
|
|
}
|
|
|
|
i := strings.IndexByte(name, '.')
|
|
if i < 0 || i >= len(name)-1 {
|
|
break
|
|
}
|
|
name = name[i+1:]
|
|
}
|
|
return nil, nil
|
|
}
|
|
|
|
// systemResolver returns the first nameserver in /etc/resolv.conf as a
|
|
// host:port string suitable for dns.Client.Exchange. Falls back to
|
|
// 1.1.1.1:53 when resolv.conf is missing, unreadable, or empty.
|
|
func systemResolver() string {
|
|
cfg, err := dns.ClientConfigFromFile("/etc/resolv.conf")
|
|
if err != nil || len(cfg.Servers) == 0 {
|
|
return net.JoinHostPort("1.1.1.1", "53")
|
|
}
|
|
return net.JoinHostPort(cfg.Servers[0], cfg.Port)
|
|
}
|