when suggesting CAA records for a domain, suggest variants that bind to the account id and with validation methods used by mox

should prevent potential mitm attacks. especially when done close to the machine itself (where a http/tls challenge is intercepted to get a valid certificate), as seen on the internet last month.
2025-07-10 07:14:40 +03:00 · 2023-12-21 15:16:30 +01:00
parent ca97293cb2
commit db3fef4981
11 changed files with 123 additions and 28 deletions
--- a/main.go
+++ b/main.go
@ -792,7 +792,21 @@ configured.
 		xcheckf(err, "looking up record for dnssec-status")
 	}

-	records, err := mox.DomainRecords(domConf, d, result.Authentic)
+	var certIssuerDomainName, acmeAccountURI string
+	public := mox.Conf.Static.Listeners["public"]
+	if public.TLS != nil && public.TLS.ACME != "" {
+		acme, ok := mox.Conf.Static.ACME[public.TLS.ACME]
+		if ok && acme.Manager.Manager.Client != nil {
+			certIssuerDomainName = acme.IssuerDomainName
+			acc, err := acme.Manager.Manager.Client.GetReg(context.Background(), "")
+			c.log.Check(err, "get public acme account")
+			if err == nil {
+				acmeAccountURI = acc.URI
+			}
+		}
+	}
+
+	records, err := mox.DomainRecords(domConf, d, result.Authentic, certIssuerDomainName, acmeAccountURI)
 	xcheckf(err, "records")
 	fmt.Print(strings.Join(records, "\n") + "\n")
 }