when suggesting CAA records for a domain, suggest variants that bind to the account id and with validation methods used by mox

should prevent potential mitm attacks, especially when done close to the
machine itself (where an http/tls challenge is intercepted to get a valid
certificate), as seen on the internet last month.
This commit is contained in:
Mechiel Lukkien
2023-12-21 15:16:30 +01:00
parent ca97293cb2
commit db3fef4981
11 changed files with 123 additions and 28 deletions


@ -1774,6 +1774,13 @@ func dnsblsStatus(ctx context.Context, log mlog.Log, resolver dns.Resolver) map[
// DomainRecords returns lines describing DNS records that should exist for the
// configured domain.
func (Admin) DomainRecords(ctx context.Context, domain string) []string {
log := pkglog.WithContext(ctx)
return DomainRecords(ctx, log, domain)
}
// DomainRecords is the implementation of API function Admin.DomainRecords, taking
// a logger.
func DomainRecords(ctx context.Context, log mlog.Log, domain string) []string {
d, err := dns.ParseDomain(domain)
xcheckuserf(ctx, err, "parsing domain")
dc, ok := mox.Conf.Domain(d)
@ -1785,7 +1792,22 @@ func (Admin) DomainRecords(ctx context.Context, domain string) []string {
if !dns.IsNotFound(err) {
xcheckf(ctx, err, "looking up record to determine if dnssec is implemented")
}
records, err := mox.DomainRecords(dc, d, result.Authentic)
var certIssuerDomainName, acmeAccountURI string
public := mox.Conf.Static.Listeners["public"]
if public.TLS != nil && public.TLS.ACME != "" {
acme, ok := mox.Conf.Static.ACME[public.TLS.ACME]
if ok && acme.Manager.Manager.Client != nil {
certIssuerDomainName = acme.IssuerDomainName
acc, err := acme.Manager.Manager.Client.GetReg(ctx, "")
log.Check(err, "get public acme account")
if err == nil {
acmeAccountURI = acc.URI
}
}
}
records, err := mox.DomainRecords(dc, d, result.Authentic, certIssuerDomainName, acmeAccountURI)
xcheckf(ctx, err, "dns records")
return records
}
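Review bot: A failure of `acme.Manager.Manager.Client.GetReg(ctx, "")` is only logged via `log.Check`, after which `acmeAccountURI` stays empty and the returned list presumably contains CAA suggestions without the account binding — the weaker form this commit sets out to replace — while the admin reading the "Required DNS records" page gets no indication that anything was left out. If best-effort is intentional, state it at that site, e.g. `// Best-effort: if the ACME account lookup fails, the CAA suggestions are generated without the accounturi binding.`, and consider adding a line to the returned records saying the binding could not be determined; otherwise `xcheckf(ctx, err, "looking up public acme account for caa records")` in place of the `log.Check` would make the page fail loudly. The lookup also only considers the listener named `"public"`, so a deployment that names its ACME-enabled listener differently would silently get the unbound variants; a comment noting that assumption would help. DomainRecords begins before this hunk (the `result` used on the removed/added `mox.DomainRecords` call is computed outside it).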


@ -914,7 +914,7 @@ const domainDNSRecords = async (d) => {
'DNS Records',
),
dom.h1('Required DNS records'),
dom('pre.literal', style({maxWidth: '70em'}), records.join('\n')),
dom('pre.literal', records.join('\n')),
dom.br(),
)
}