feat: switch to case-insensitive compare for domains
This also moves the domain check before the type check. Domains need to be compared case-insensitively because resolvers will send sarcastic queries for improved security, see here: https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00 strings.EqualFold is maybe not perfectly correct because it does Unicode case-folding and we only need ASCII.
This commit is contained in:
xaos
parent
a4c5671266
commit
9e44cc2979
1 changed files with 6 additions and 3 deletions
9
stub.go
9
stub.go
|
|
@ -3,6 +3,7 @@ package stub
|
|||
import (
|
||||
"context"
|
||||
"net"
|
||||
"strings"
|
||||
|
||||
"github.com/caddyserver/caddy/v2"
|
||||
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
|
||||
|
|
@ -202,15 +203,17 @@ func (s *StubDNS) make_handler(fqdn string, txt string) dns.HandlerFunc {
|
|||
reject_and_log(dns.RcodeRefused, "not a query")
|
||||
case !(q.Qclass == dns.ClassINET || q.Qclass == dns.ClassANY):
|
||||
reject_and_log(dns.RcodeNotImplemented, "invalid class")
|
||||
// queries may be wAcKY casE
|
||||
// https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00
|
||||
case !strings.EqualFold(domain, fqdn):
|
||||
reject_and_log(dns.RcodeNameError, "wrong domain")
|
||||
case q.Qtype != dns.TypeTXT:
|
||||
reject_and_log(dns.RcodeRefused, "invalid type")
|
||||
case domain != fqdn:
|
||||
reject_and_log(dns.RcodeNameError, "wrong domain")
|
||||
default:
|
||||
m.Authoritative = true
|
||||
rr := new(dns.TXT)
|
||||
rr.Hdr = dns.RR_Header{
|
||||
Name: domain,
|
||||
Name: fqdn, // only question section has to match wAcKY casE
|
||||
Rrtype: dns.TypeTXT,
|
||||
Class: dns.ClassINET,
|
||||
Ttl: uint32(challenge_ttl),
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue