From 9e44cc297953acba3146f5ac2700d0a6a2aedfcd Mon Sep 17 00:00:00 2001
From: xaos <xaos@xaos.tech>
Date: Mon, 27 Feb 2023 04:06:37 +0100
Subject: [PATCH] feat: switch to case-insensitive compare for domains

This also moves the domain check before the type check.

Domains need to be compared case-insensitively because resolvers will
send sarcastic queries for improved security, see here:
https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00

strings.EqualFold is maybe not perfectly correct because it does Unicode
case-folding and we only need ASCII.
---
 stub.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/stub.go b/stub.go
index 9a4eccf..4e86267 100644
--- a/stub.go
+++ b/stub.go
@@ -3,6 +3,7 @@ package stub
 import (
 	"context"
 	"net"
+	"strings"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
@@ -202,15 +203,17 @@ func (s *StubDNS) make_handler(fqdn string, txt string) dns.HandlerFunc {
 			reject_and_log(dns.RcodeRefused, "not a query")
 		case !(q.Qclass == dns.ClassINET || q.Qclass == dns.ClassANY):
 			reject_and_log(dns.RcodeNotImplemented, "invalid class")
+		// queries may be wAcKY casE
+		// https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00
+		case !strings.EqualFold(domain, fqdn):
+			reject_and_log(dns.RcodeNameError, "wrong domain")
 		case q.Qtype != dns.TypeTXT:
 			reject_and_log(dns.RcodeRefused, "invalid type")
-		case domain != fqdn:
-			reject_and_log(dns.RcodeNameError, "wrong domain")
 		default:
 			m.Authoritative = true
 			rr := new(dns.TXT)
 			rr.Hdr = dns.RR_Header{
-				Name:   domain,
+				Name:   fqdn, // only question section has to match wAcKY casE
 				Rrtype: dns.TypeTXT,
 				Class:  dns.ClassINET,
 				Ttl:    uint32(challenge_ttl),