From 847b7129e8e132ef5cf2334d1d652894c61628fd Mon Sep 17 00:00:00 2001
From: Andrew Ayer
Date: Fri, 29 Apr 2016 09:02:03 -0700
Subject: [PATCH] Monitor for all DNS names that _might_ match a monitored domain
Wildcards, redacted labels, and unparseable labels.
---
cmd/ctwatch/main.go | 23 +++++++++++++++++------
identifiers.go | 6 +++---
2 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/cmd/ctwatch/main.go b/cmd/ctwatch/main.go
index fe2d9d2..b8a0fe3 100644
--- a/cmd/ctwatch/main.go
+++ b/cmd/ctwatch/main.go
@@ -26,6 +26,11 @@ var stateDir = flag.String("state_dir", DefaultStateDir(), "Directory for storin
var watchDomains []string
var watchDomainSuffixes []string
+func addWatchDomain (asciiDomain string) {
+ watchDomains = append(watchDomains, asciiDomain)
+ watchDomainSuffixes = append(watchDomainSuffixes, "." + asciiDomain)
+}
+
+func setWatchDomains (domains []string) error {
for _, domain := range domains {
if domain == "." { // "." as in root zone (matches everything)
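Review bot: addWatchDomain is a new package-level helper with no comment, and since every caller now depends on it keeping the two slices paired, I'd add `// addWatchDomain appends asciiDomain to watchDomains and "."+asciiDomain to watchDomainSuffixes.` above it. The space before the parameter list in `func addWatchDomain (asciiDomain string)` is not gofmt output; it matches setWatchDomains below, so either keep the file's style deliberately or run gofmt over both. Nothing in the helper deduplicates, so a name passed twice is appended twice, which matters for the parent-derived names the next hunk adds for every monitored domain. setWatchDomains opens here and its body continues in the next hunk.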
@@ -38,15 +43,21 @@ func setWatchDomains (domains []string) error {
return fmt.Errorf("Invalid domain `%s': %s", domain, err)
}
- watchDomains = append(watchDomains, asciiDomain)
- watchDomainSuffixes = append(watchDomainSuffixes, "." + asciiDomain)
+ addWatchDomain(asciiDomain)
+ // Also monitor DNS names that _might_ match this domain (wildcards,
+ // label redactions, and unparseable labels).
+ // For example, if we're monitoring sub.example.com, also monitor:
+ // *.example.com
+ // ?.example.com
+ // .example.com
+ var parentDomain string
if dot := strings.IndexRune(asciiDomain, '.'); dot != -1 {
- // also look for wildcard names that could match
- // TODO: support exotic wildcards (wildcards besides "*.") in case there are CAs that issue them (there are) and clients that support them (less clear)
- watchDomains = append(watchDomains, "*" + asciiDomain[dot:])
- // TODO: optionally match ?. and . also
+ parentDomain = asciiDomain[dot:]
}
+ addWatchDomain("*" + parentDomain)
+ addWatchDomain("?" + parentDomain)
+ addWatchDomain(ctwatch.InvalidDNSLabelPlaceholder + parentDomain)
}
}
return nil
diff --git a/identifiers.go b/identifiers.go
index 5109af3..d92c6b2 100644
--- a/identifiers.go
+++ b/identifiers.go
@@ -9,7 +9,7 @@ import (
"golang.org/x/net/idna"
)
-const invalidDNSLabelPlaceholder = ""
+const InvalidDNSLabelPlaceholder = ""
/*
const (
@@ -93,7 +93,7 @@ func sanitizeDNSName (value string) string {
labels := strings.Split(value, ".")
for i, label := range labels {
if !isValidDNSLabel(label) {
- labels[i] = invalidDNSLabelPlaceholder
+ labels[i] = InvalidDNSLabelPlaceholder
}
}
return strings.Join(labels, ".")
@@ -107,7 +107,7 @@ func sanitizeUnicodeDNSName (value string) string {
if asciiLabel, err := idna.ToASCII(label); err == nil && isValidDNSLabel(asciiLabel) {
labels[i] = asciiLabel
} else {
- labels[i] = invalidDNSLabelPlaceholder
+ labels[i] = InvalidDNSLabelPlaceholder
}
}
return strings.Join(labels, ".")
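Review bot: The three addWatchDomain calls placed after the `if dot` block run even when asciiDomain contains no dot, so a single-label domain now registers the bare names `*`, `?` and the placeholder (and, through the helper, the suffixes `.*`, `.?`, …), whereas the removed code only added the wildcard when a parent label existed; if that is not intended, guard them with `if parentDomain != "" {` or move them inside the `if`. As rendered on this page the constant reads `const InvalidDNSLabelPlaceholder = ""`, which may be an extraction artifact of an angle-bracketed token, but if the value really were empty the last call would register `.example.com` as an exact name and `..example.com` as a suffix, so please confirm the actual value and consider a doc comment on the now-exported constant. Every monitored domain under the same parent re-appends the same three derived names, so a long watch list accumulates duplicates in watchDomains; deduplicating in addWatchDomain (or keeping a set) would keep the match loop short. On coverage, a name whose redaction spans more than one label (e.g. `?.?.com` standing for sub.example.com) is not registered here either, assuming the redaction scheme allows that, which seems worth a TODO like the one this hunk removes. setWatchDomains opens in the previous hunk and its closing brace lies after `return nil`, outside this hunk.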