Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-10-31 10:37:24 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity

caddytls: Don't publish HTTPS record for CNAME'd domain (fix #6922)

Browse Source
This commit is contained in:
Matthew Holt 2025-03-24 09:55:26 -06:00
parent 173573035c
commit 782a3c7ac6
No known key found for this signature in database
GPG Key ID: 2A349DD577D586A5
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
modules/caddytls/ech.go
View File

@ -630,6 +630,7 @@ func (dnsPub ECHDNSPublisher) PublisherKey() string {
func (dnsPub *ECHDNSPublisher) PublishECHConfigList(ctx context.Context, innerNames []string, configListBin []byte) error {
nameservers := certmagic.RecursiveNameservers(nil) // TODO: we could make resolvers configurable
nextName:
for _, domain := range innerNames {
zone, err := certmagic.FindZoneByFQDN(ctx, dnsPub.logger, domain, nameservers)
if err != nil {
@ -660,6 +661,14 @@ func (dnsPub *ECHDNSPublisher) PublishECHConfigList(ctx context.Context, innerNa
var nameHasExistingRecord bool
for _, rec := range recs {
if rec.Name == relName {
// CNAME records are exclusive of all other records, so we cannot publish an HTTPS
// record for a domain that is CNAME'd. See #6922.
if rec.Type == "CNAME" {
dnsPub.logger.Warn("domain has CNAME record, so unable to publish ECH data to HTTPS record",
zap.String("domain", domain),
zap.String("cname_value", rec.Value))
continue nextName
}
nameHasExistingRecord = true
if rec.Type == "HTTPS" && (rec.Target == "" || rec.Target == ".") {
httpsRec = rec