Compare commits
No commits in common. "b0b894806ba5b23fc04d531b0546224b1a1c56a8" and "1cb7efbcce7c982dcbdb62eda075700af20fb2f7" have entirely different histories.
b0b894806b
...
1cb7efbcce
7 changed files with 9 additions and 7 deletions
|
|
@ -12,4 +12,6 @@ FROM scratch
|
||||||
COPY --from=builder /checker-dane /checker-dane
|
COPY --from=builder /checker-dane /checker-dane
|
||||||
USER 65534:65534
|
USER 65534:65534
|
||||||
EXPOSE 8080
|
EXPOSE 8080
|
||||||
|
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
|
||||||
|
CMD ["/checker-dane", "-healthcheck"]
|
||||||
ENTRYPOINT ["/checker-dane"]
|
ENTRYPOINT ["/checker-dane"]
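Review bot: The new HEALTHCHECK carries no comment explaining why it must use the exec form, and in a `FROM scratch` image that constraint is not obvious: there is no `/bin/sh`, so the shell form (`CMD /checker-dane -healthcheck`) would never execute and every probe would report unhealthy. Suggested comment directly above the HEALTHCHECK line: `# Exec form is required: the scratch image has no shell, so the shell form would never run.` The diff does not show how the `-healthcheck` flag is implemented; if it probes the listener on the exposed port 8080, a second comment naming that endpoint would keep the Dockerfile and the Go flag in sync. It is also worth noting in the same comment that Docker and Compose honor HEALTHCHECK while Kubernetes ignores it in favor of its own liveness/readiness probes, so this is not the only health signal an operator needs to configure.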
|
||||||
|
|
|
||||||
|
|
@ -216,7 +216,7 @@ func TestCollect_DeterministicOutput(t *testing.T) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
// Compare only Targets — CollectedAt is a wall-clock timestamp.
|
// Compare only Targets: CollectedAt is a wall-clock timestamp.
|
||||||
b, _ := json.Marshal(out.(*DANEData).Targets)
|
b, _ := json.Marshal(out.(*DANEData).Targets)
|
||||||
if i > 0 && string(b) != string(prev) {
|
if i > 0 && string(b) != string(prev) {
|
||||||
t.Errorf("non-deterministic targets:\n%s\nvs\n%s", prev, b)
|
t.Errorf("non-deterministic targets:\n%s\nvs\n%s", prev, b)
|
||||||
|
|
|
||||||
|
|
@ -295,7 +295,7 @@ func TestSummarizeMatches(t *testing.T) {
|
||||||
func TestSummarizeMatches_BadFirstSlotDoesNotAbort(t *testing.T) {
|
func TestSummarizeMatches_BadFirstSlotDoesNotAbort(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
// An undecodable Full record at slot 0 shouldn't prevent later valid
|
// An undecodable Full record at slot 0 shouldn't prevent later valid
|
||||||
// records from matching — regression test for the per-slot continue.
|
// records from matching: regression test for the per-slot continue.
|
||||||
leaf := fakeCert([]byte("leaf"), []byte("spki"))
|
leaf := fakeCert([]byte("leaf"), []byte("spki"))
|
||||||
probe := &tls.TLSProbe{Chain: []tls.CertInfo{leaf}}
|
probe := &tls.TLSProbe{Chain: []tls.CertInfo{leaf}}
|
||||||
bad := TargetResult{Records: []TLSARecord{
|
bad := TargetResult{Records: []TLSARecord{
|
||||||
|
|
|
||||||
|
|
@ -194,7 +194,7 @@ func proposedTLSA(t TargetResult, p *tls.TLSProbe) string {
|
||||||
tmpl.Selector = r.Selector
|
tmpl.Selector = r.Selector
|
||||||
tmpl.MatchingType = r.MatchingType
|
tmpl.MatchingType = r.MatchingType
|
||||||
// Suggesting Full (matching type 0) inline as a zone fragment is
|
// Suggesting Full (matching type 0) inline as a zone fragment is
|
||||||
// not useful — collapse to SHA-256 of the same selector, which is
|
// not useful: collapse to SHA-256 of the same selector, which is
|
||||||
// what operators publish in practice.
|
// what operators publish in practice.
|
||||||
if tmpl.MatchingType == MatchingFull {
|
if tmpl.MatchingType == MatchingFull {
|
||||||
tmpl.MatchingType = MatchingSHA256
|
tmpl.MatchingType = MatchingSHA256
|
||||||
|
|
|
||||||
|
|
@ -66,7 +66,7 @@ func (r *hasRecordsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter
|
||||||
// evaluating were fetched over a DNSSEC-validated path. Without DNSSEC,
|
// evaluating were fetched over a DNSSEC-validated path. Without DNSSEC,
|
||||||
// DANE is a downgrade primitive: an on-path attacker can forge TLSA
|
// DANE is a downgrade primitive: an on-path attacker can forge TLSA
|
||||||
// answers and any "match" the rest of the rules report is meaningless.
|
// answers and any "match" the rest of the rules report is meaningless.
|
||||||
// The rule only emits when the collector recorded a validation status —
|
// The rule only emits when the collector recorded a validation status:
|
||||||
// in managed mode the records come from the user's authoritative zone
|
// in managed mode the records come from the user's authoritative zone
|
||||||
// config and DNSSEC posture is checked by a different checker.
|
// config and DNSSEC posture is checked by a different checker.
|
||||||
type dnssecValidatedRule struct{}
|
type dnssecValidatedRule struct{}
|
||||||
|
|
|
||||||
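--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module git.happydns.org/checker-dane
 go 1.25.0
 
 require (
-git.happydns.org/checker-sdk-go v1.4.0
+git.happydns.org/checker-sdk-go v1.5.0
 git.happydns.org/checker-tls v0.6.1
 github.com/miekg/dns v1.1.72
 )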
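--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-git.happydns.org/checker-sdk-go v1.4.0 h1:sO8EnF3suhNgYLRsbmCZWJOymH/oNMrOUqj3FEzJArs=
-git.happydns.org/checker-sdk-go v1.4.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
+git.happydns.org/checker-sdk-go v1.5.0 h1:5uD5Cm6xJ+lwnhbJ09iCXGHbYS9zRh+Yh0NeBHkAPBY=
+git.happydns.org/checker-sdk-go v1.5.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
 git.happydns.org/checker-tls v0.6.1 h1:YJp9Q+1aJZ6wATyUZbRh67ZtERN6Mp4Sje8ld2dNFuo=
 git.happydns.org/checker-tls v0.6.1/go.mod h1:9tpnxg0iOwS+7If64DRG1jqYonUAgxOBuxwfF5mVkL4=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=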