Opened 6 years ago

Last modified 10 hours ago

#72 new enhancement

Tighten CNAME validation to block cases that fail various validators

Reported by: Kris Deugau
Owned by:
Priority: minor
Milestone:
Version:
Keywords:
Cc:

Description

Currently CNAMEs may be created in parallel with existing records. This can cause validation failures in external DNSSEC signing tools or lookup failures when the records are published.

Add checks for parallel records with options to:

  • warn and continue
  • suggest/coerce-to ALIAS (root domain only)
  • fail with error
  • remove the parallel record(s)
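
The parallel-record check and the four options listed above, as an added example (not code from this ticket or its project): the function names, policy strings and record tuples are assumptions, and the sample zone is constructed. RRSIG and NSEC are exempted because a signed zone requires them beside a CNAME, and the `remove` policy is refused at the zone root so SOA/NS are never stripped.

```python
# Added example: names, policy strings and record layout are assumptions.
DNSSEC_OK = {"RRSIG", "NSEC"}  # types a signed zone requires beside a CNAME

def norm(name):
    """DNS names compare case-insensitively; ignore the trailing dot."""
    return name.rstrip(".").lower()

def parallel_records(records, new):
    """Existing records that cannot share an owner name with `new`."""
    name, rtype, _ = new
    same = [r for r in records if norm(r[0]) == norm(name)]
    if rtype == "CNAME":
        # A CNAME collides with everything at the name, other CNAMEs included.
        return [r for r in same if r[1] not in DNSSEC_OK]
    if rtype in DNSSEC_OK:
        return []
    # Any other type collides only with an existing CNAME.
    return [r for r in same if r[1] == "CNAME"]

def add_record(zone, records, new, policy="fail"):
    """Return (status, resulting_records, message) for the chosen policy."""
    clash = parallel_records(records, new)
    if not clash:
        return "ok", records + [new], ""
    at_root = norm(new[0]) == norm(zone)
    msg = f"{new[1]} at {new[0]} collides with {len(clash)} existing record(s)"
    if policy == "warn":
        return "warning", records + [new], msg
    if policy == "alias" and new[1] == "CNAME" and at_root:
        # Coerce to ALIAS only for a CNAME at the root of the domain.
        return "coerced", records + [(new[0], "ALIAS", new[2])], msg
    if policy == "remove" and not at_root:
        # Refused at the root: removing SOA/NS would break the zone.
        kept = [r for r in records if r not in clash]
        return "replaced", kept + [new], msg
    return "error", records, msg  # "fail", or a policy that does not apply

# Constructed sample zone data.
ZONE = "example.com"
RECORDS = [
    ("example.com", "SOA", "ns1.example.com. hostmaster.example.com. 1 2 3 4 5"),
    ("example.com", "NS", "ns1.example.com"),
    ("www.example.com", "A", "192.0.2.10"),
    ("ftp.example.com", "CNAME", "www.example.com"),
]
```
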

Change History (10)

comment:1 by Kris Deugau, 2 weeks ago

In 937:

/branches/cname-collision

First pass/chunk for a CNAME-collision sub
Comment much-simplified local check in CNAME validation sub, add preliminary call to new sub
See #72.

comment:2 by Kris Deugau, 2 weeks ago

In 938:

/branches/cname-collision

Refine collision sub calling convention/arguments
Add preliminary call in A record validation
See #72.

comment:3 by Kris Deugau, 13 days ago

In 939:

/branches/cname-collision

Logic bug checking the CNAME record count
Fix up call to collision sub so it might actually run
See #72

comment:4 by Kris Deugau, 13 days ago

In 940:

/branches/cname-collision

Add calls to collision sub in AAAA, SRV, and CAA record validation subs
See #72

comment:5 by Kris Deugau, 13 days ago

In 941:

/branches/cname-collision

Correct "how did past me set up this hash anyway?"-ism
Move call to collision check sub to end of CNAME validator
See #72

comment:6 by Kris Deugau, 31 hours ago

In 942:

/branches/cname-collision

Move A record CNAME collision check to end of validator
Add CNAME collision check call to NS, PTR, MX, TXT. Calls also cover A+PTR, AAAA+PTR, and RP types as those call the A, AAAA, and TXT validators respectively.
See #72

comment:7 by Kris Deugau, 10 hours ago

In 950:

/branches/cname-collision

Start adding actual tests. See #88.

First chunk, tests for CNAME collision checks. See #72.

comment:8 by Kris Deugau, 10 hours ago

In 951:

/branches/cname-collision

Add CNAME record-add tests for reverse zones. See #88, #72

comment:9 by Kris Deugau, 10 hours ago

In 952:

/branches/cname-collision

Add add-duplicate-CNAME test that got missed somehow when shuffling patches
Wrap domain and reverse zone groups of tests in their own blocks
See #88, #72

comment:10 by Kris Deugau, 10 hours ago

In 953:

/branches/cname-collision

Add domain record update tests
See #88, #72
