Initial commit

checker/dns.go

@@ -0,0 +1,132 @@
+package checker
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"strings"
+	"time"
+
+	"github.com/miekg/dns"
+)
+
+// dnsTimeout is the per-query deadline used by every helper here.
+const dnsTimeout = 5 * time.Second
+
+// maxAnswerRecords caps how many answer RRs of the requested type are
+// retained from a single DNS response. A DANE owner serving more than a
+// handful of keys is already abnormal; bounding the count keeps later
+// per-record work (parsing, comparison) from blowing up if a zone (or a
+// hostile resolver) returns a pathological answer set.
+const maxAnswerRecords = 64
+
+// dnsLookupAnswer is the subset of a DNS answer this checker cares about.
+type dnsLookupAnswer struct {
+	// Records are the answer records of the requested type.
+	Records []dns.RR
+	// AD reports whether the response header has the Authenticated Data
+	// flag set, i.e. the validating resolver confirmed DNSSEC.
+	AD bool
+	// Rcode is the response code from the answering resolver.
+	Rcode int
+	// Server is the address of the resolver that answered.
+	Server string
+}
+
+// resolvers returns the list of resolver addresses to try. If resolverOpt
+// is non-empty it is parsed (comma-separated allowed) into a host:port
+// list. Otherwise /etc/resolv.conf is read; if that fails we fall back to
+// public validating resolvers.
+func resolvers(resolverOpt string) []string {
+	if s := strings.TrimSpace(resolverOpt); s != "" {
+		var out []string
+		for part := range strings.SplitSeq(s, ",") {
+			part = strings.TrimSpace(part)
+			if part == "" {
+				continue
+			}
+			if !strings.Contains(part, ":") {
+				part = net.JoinHostPort(part, "53")
+			}
+			out = append(out, part)
+		}
+		if len(out) > 0 {
+			return out
+		}
+	}
+
+	if cfg, err := dns.ClientConfigFromFile("/etc/resolv.conf"); err == nil && cfg != nil && len(cfg.Servers) > 0 {
+		out := make([]string, 0, len(cfg.Servers))
+		for _, s := range cfg.Servers {
+			out = append(out, net.JoinHostPort(s, cfg.Port))
+		}
+		return out
+	}
+
+	// Fall back to known validating resolvers.
+	return []string{"1.1.1.1:53", "9.9.9.9:53", "8.8.8.8:53"}
+}
+
+// lookup queries qtype at owner against each resolver in order until one
+// answers. The first resolver whose answer has a non-error Rcode wins.
+// DNSSEC validation is requested via EDNS0 DO=1; the AD flag is read back
+// from the response header.
+func lookup(ctx context.Context, servers []string, owner string, qtype uint16) (*dnsLookupAnswer, error) {
+	m := new(dns.Msg)
+	m.SetQuestion(dns.Fqdn(owner), qtype)
+	m.SetEdns0(4096, true)
+	m.RecursionDesired = true
+	m.AuthenticatedData = true
+
+	c := &dns.Client{Timeout: dnsTimeout}
+
+	var lastErr error
+	for _, srv := range servers {
+		in, _, err := c.ExchangeContext(ctx, m, srv)
+		if err != nil {
+			lastErr = err
+			continue
+		}
+		if in == nil {
+			lastErr = fmt.Errorf("nil response from %s", srv)
+			continue
+		}
+		ans := &dnsLookupAnswer{
+			Rcode:  in.Rcode,
+			AD:     in.AuthenticatedData,
+			Server: srv,
+		}
+		for _, rr := range in.Answer {
+			if rr.Header().Rrtype != qtype {
+				continue
+			}
+			if len(ans.Records) >= maxAnswerRecords {
+				break
+			}
+			ans.Records = append(ans.Records, rr)
+		}
+		if in.Rcode == dns.RcodeSuccess || in.Rcode == dns.RcodeNameError {
+			return ans, nil
+		}
+		lastErr = fmt.Errorf("rcode %s from %s", dns.RcodeToString[in.Rcode], srv)
+	}
+	if lastErr == nil {
+		lastErr = fmt.Errorf("no resolver available")
+	}
+	return nil, lastErr
+}
+
+// joinSubdomain composes the FQDN of a subdomain within a zone. Both
+// arguments are accepted in any of their canonical forms (trailing dot
+// optional, empty subdomain allowed).
+func joinSubdomain(subdomain, origin string) string {
+	origin = strings.TrimSuffix(origin, ".")
+	subdomain = strings.TrimSuffix(subdomain, ".")
+	if subdomain == "" || subdomain == "@" {
+		return dns.Fqdn(origin)
+	}
+	if strings.HasSuffix(subdomain, "."+origin) || subdomain == origin {
+		return dns.Fqdn(subdomain)
+	}
+	return dns.Fqdn(subdomain + "." + origin)
+}