Monitor for all DNS names that _might_ match a monitored domain
Wildcards, redacted labels, and unparseable labels.
parent
ec68dde647
commit
847b7129e8
@ -26,6 +26,11 @@ var stateDir = flag.String("state_dir", DefaultStateDir(), "Directory for storin
|
|||
var watchDomains []string
|
||||
var watchDomainSuffixes []string
|
||||
|
||||
func addWatchDomain (asciiDomain string) {
|
||||
watchDomains = append(watchDomains, asciiDomain)
|
||||
watchDomainSuffixes = append(watchDomainSuffixes, "." + asciiDomain)
|
||||
}
|
||||
|
||||
func setWatchDomains (domains []string) error {
|
||||
for _, domain := range domains {
|
||||
if domain == "." { // "." as in root zone (matches everything)
|
||||
|
@ -38,15 +43,21 @@ func setWatchDomains (domains []string) error {
|
|||
return fmt.Errorf("Invalid domain `%s': %s", domain, err)
|
||||
}
|
||||
|
||||
watchDomains = append(watchDomains, asciiDomain)
|
||||
watchDomainSuffixes = append(watchDomainSuffixes, "." + asciiDomain)
|
||||
addWatchDomain(asciiDomain)
|
||||
|
||||
// Also monitor DNS names that _might_ match this domain (wildcards,
|
||||
// label redactions, and unparseable labels).
|
||||
// For example, if we're monitoring sub.example.com, also monitor:
|
||||
// *.example.com
|
||||
// ?.example.com
|
||||
// <invalid>.example.com
|
||||
var parentDomain string
|
||||
if dot := strings.IndexRune(asciiDomain, '.'); dot != -1 {
|
||||
// also look for wildcard names that could match
|
||||
// TODO: support exotic wildcards (wildcards besides "*.<DOMAIN>") in case there are CAs that issue them (there are) and clients that support them (less clear)
|
||||
watchDomains = append(watchDomains, "*" + asciiDomain[dot:])
|
||||
// TODO: optionally match ?.<DOMAIN> and <invalid>.<DOMAIN> also
|
||||
parentDomain = asciiDomain[dot:]
|
||||
}
|
||||
addWatchDomain("*" + parentDomain)
|
||||
addWatchDomain("?" + parentDomain)
|
||||
addWatchDomain(ctwatch.InvalidDNSLabelPlaceholder + parentDomain)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
|
|
|
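Review bot: For a watch domain with no dot (a bare TLD or single label), `parentDomain` stays empty and the three `addWatchDomain` calls after the `if` register the bare names `*`, `?` and `<invalid>`, which per `addWatchDomain` also adds the suffixes `.*`, `.?` and `.<invalid>` — presumably matching any name whose last label is a wildcard, redacted or unparseable, regardless of the monitored domain. The code this replaces only appended the wildcard entry inside the `dot != -1` branch, so this is a new source of spurious matches for such inputs. Guard the fallbacks with `if parentDomain != "" { … }`, or move the three calls into the `if` block and make `parentDomain` a local there. Separately, `?` is a string literal while `<invalid>` is referenced as `ctwatch.InvalidDNSLabelPlaceholder`; if the redaction marker is also defined in `ctwatch`, reference it the same way so the two cannot drift apart. `setWatchDomains` begins before this hunk and its closing brace is outside it.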
@ -9,7 +9,7 @@ import (
|
|||
"golang.org/x/net/idna"
|
||||
)
|
||||
|
||||
const invalidDNSLabelPlaceholder = "<invalid>"
|
||||
const InvalidDNSLabelPlaceholder = "<invalid>"
|
||||
|
||||
/*
|
||||
const (
|
||||
|
@ -93,7 +93,7 @@ func sanitizeDNSName (value string) string {
|
|||
labels := strings.Split(value, ".")
|
||||
for i, label := range labels {
|
||||
if !isValidDNSLabel(label) {
|
||||
labels[i] = invalidDNSLabelPlaceholder
|
||||
labels[i] = InvalidDNSLabelPlaceholder
|
||||
}
|
||||
}
|
||||
return strings.Join(labels, ".")
|
||||
|
@ -107,7 +107,7 @@ func sanitizeUnicodeDNSName (value string) string {
|
|||
if asciiLabel, err := idna.ToASCII(label); err == nil && isValidDNSLabel(asciiLabel) {
|
||||
labels[i] = asciiLabel
|
||||
} else {
|
||||
labels[i] = invalidDNSLabelPlaceholder
|
||||
labels[i] = InvalidDNSLabelPlaceholder
|
||||
}
|
||||
}
|
||||
return strings.Join(labels, ".")
|
||||
|
|