~singpolyma/xmpp-certwatch

a8d12ed16dbd4169b2b4087bcc731f9ce451b9ed — Stephen Paul Weber 4 months ago ec75465
If SRV matches known good value, as good as DNSSEC
1 files changed, 14 insertions(+), 2 deletions(-)

M common/dns.go
M common/dns.go => common/dns.go +14 -2
@@ 176,6 176,12 @@ type SRVResponse struct {
	Dnssec bool
}

var knownSRV = map[string]string{
	"_xmpp-client._tcp.yax.im": "xmpp.yaxim.org.",
	"_xmpps-client._tcp.yax.im": "xmpp.yaxim.org.",
	"_xmpp-server._tcp.yax.im": "xmpp.yaxim.org.",
}

func GetSRV(resolver *dane.Resolver, topname string) (SRVResponse, error) {

	var srvs []dns.SRV
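Review bot: `knownSRV` carries no comment saying what a match means, yet GetSRV treats an unauthenticated answer whose target equals the pinned value as if DNSSEC had validated it, so a reader of the map alone cannot tell it is a trust decision rather than a lookup cache. I would add above the declaration: `// knownSRV pins the expected SRV target for domains that do not sign their zone; an unauthenticated SRV answer whose target matches the pin is treated as DNSSEC-validated (see GetSRV). Keys are SRV owner names as GetSRV builds them, values are targets in FQDN form with trailing dot.` Keys appear to be written without a trailing dot while values carry one, so the key format presumably must match exactly what GetSRV assigns to `hostname` — worth stating in the comment, since a mismatch silently disables the pin rather than failing. The pin list is hard-coded, so a target change by the pinned operator needs a code release to stay "as good as DNSSEC". GetSRV's body continues outside the hunk.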


@@ 198,14 204,20 @@ func GetSRV(resolver *dane.Resolver, topname string) (SRVResponse, error) {
			return SRVResponse{}, fmt.Errorf("SRV lookup for %s failed, rcode %d",
				hostname, response.MsgHdr.Rcode)
		}
		dnssec = dnssec && response.MsgHdr.AuthenticatedData
		if response.MsgHdr.Rcode == dns.RcodeNameError {
			if knownSRV[hostname] != "" {
				dnssec = dnssec && response.MsgHdr.AuthenticatedData
			}
			continue
		}

		for _, rr := range response.Answer {
			if rr.Header().Rrtype == dns.TypeSRV {
				srvs = append(srvs, *rr.(*dns.SRV))
				srv := *rr.(*dns.SRV)
				srvs = append(srvs, srv)
				if knownSRV[hostname] != srv.Target {
					dnssec = dnssec && response.MsgHdr.AuthenticatedData
				}
			}
		}
	}
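Review bot: A NOERROR response with no SRV records never reaches the `knownSRV[hostname] != srv.Target` check inside the answer loop, so the downgrade that the removed `dnssec = dnssec && response.MsgHdr.AuthenticatedData` applied to every response is now skipped for NODATA answers, and an unauthenticated empty answer for a domain not in knownSRV leaves `dnssec` untouched; the same applies to an unauthenticated NXDOMAIN for an unpinned name, which may be intended but is not mentioned in the commit message. The pin is also only as wide as `Target`: Port, Priority and Weight of a matching answer are accepted as DNSSEC-equivalent without being pinned, which the comment on knownSRV should at least state. The comparison is an exact string match while DNS names are case-insensitive and miekg/dns returns targets in FQDN form, so `strings.EqualFold(dns.Fqdn(srv.Target), pinned)` avoids a false downgrade on a 0x20-encoded or differently dotted reply (this needs the `strings` import). The suggested shape below decides per response, downgrading unless the answer is non-empty and every SRV target matches the pin; GetSRV continues outside the hunk.

```go
		// … unchanged: Rcode error return …
		pinned := knownSRV[hostname]
		if response.MsgHdr.Rcode == dns.RcodeNameError {
			if pinned != "" {
				dnssec = dnssec && response.MsgHdr.AuthenticatedData
			}
			continue
		}

		// An unauthenticated answer stands in for DNSSEC only when it is
		// non-empty and every SRV target equals the pinned value; an empty
		// (NODATA) or partially matching answer still downgrades.
		found, allPinned := false, pinned != ""
		for _, rr := range response.Answer {
			srv, ok := rr.(*dns.SRV)
			if !ok {
				continue
			}
			srvs = append(srvs, *srv)
			found = true
			if !strings.EqualFold(dns.Fqdn(srv.Target), pinned) {
				allPinned = false
			}
		}
		if !(found && allPinned) {
			dnssec = dnssec && response.MsgHdr.AuthenticatedData
		}
		// … unchanged: end of lookup loop …
```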