caa

RFC 6844-conformant CAA record lookup and validation

Usage

import {caa, caaMatches} from "caa";

await caa("example.com");
// => [{flags: 0, tag: 'issue', value: 'letsencrypt.org', issuerCritical: false}]

await caaMatches("example.com", "letsencrypt.org");
// => true

API

caa(name, [options])

Retrieve the CAA records which apply to name. Returns an array of CAA record objects, each with flags, tag, value and issuerCritical (see Usage).

caaMatches(name, ca, [options])

Test whether the CAA records which apply to name match the certificate authority ca. Returns a boolean.

options

  • servers: The DNS servers to use. Defaults to the system resolvers or ['8.8.8.8', '8.8.4.4'] if none are configured.
  • port: The port on the DNS server to use. Default 53.
  • recursions: How many recursions to follow. Default 50.
  • retries: How many retries to attempt. Default 12.
  • ignoreTLDs: Don't query top level domains like com in example.com. Default: false.
  • dnsSocket: A dns-socket instance, useful when doing a large amount of queries to re-use a single socket. Default: undefined.

License

© silverwind, distributed under BSD licence

caa's People

Contributors

kazzer, silverwind

Forkers

n-johnson

caa's Issues

CAA unparsed plain text string?

Hi,
Great plugin! :) Any chance that I can return the plain text record as well, in addition to the parsed object? I'd like to use an option or something to access, for example, the string:

0 issuewild "letsencrypt.org" 0 issue "letsencrypt.org" 0 iodef "mailto:[email protected]"

in addition to the object.

CNAME CAA records not fully returned

I'm noticing some odd behaviour with the handling of CAA records for alias targets where only one of the records is returned instead of all of the records.

Given this hypothetical configuration:

alpha.domain.example
CNAME: bravo.example
CAA: (unset)

bravo.example
A: 1.2.3.4
CAA: issue "amazon.com"
CAA: issue "comodoca.com"
CAA: issue "letsencrypt.org"

Executing the following:

await caa.matches('alpha.domain.example', 'letsencrypt.org');

The library returns false, instead of true. Debugging a bit, executing:

await caa('alpha.domain.example');

returns [{flags: 0, tag: 'issue', value: 'amazon.com', issuerCritical: false}].

I believe this section of code (https://github.com/silverwind/caa/blob/master/index.js#L126-L130) returns too eagerly and just returns after one match instead of filtering the list to all matches.

CNAME CAA records handled incorrectly

There is some interesting behavior of how CNAME and CAA records can interact that I do not think is correctly handled in this library. This is made more confusing because this relationship was changed in an errata: https://www.rfc-editor.org/errata/eid5065

The relevant bit of that errata to this issue is:

  Thus, when a search at node X returns a CNAME record, the CA will
  follow the CNAME record chain to its target. If the target label 
  contains a CAA record, it is returned.

  Otherwise, the CA continues the search at the parent of node X. <----- This line

Given this hypothetical DNS setup:

hosting-provider.com
A: 1.2.3.4
CAA: (unset)

client-domain.com
A: 9.8.7.6
CAA: issue "pki.goog"

www.client-domain.com
CNAME: hosting-provider.com

If I use this library like this:

await caa.matches('www.client-domain.com', 'letsencrypt.org');

this library will return true - but it really should be returning false (Let's Encrypt, for example, will not issue a certificate for www.client-domain.com when the DNS setup is like this.)

What this library does:

  1. DNS lookup www.client-domain.com
  2. Follow CNAME to hosting-provider.com
  3. DNS CAA lookup of hosting-provider.com
  4. Sees empty results, uses those results for the overall results for www.client-domain.com
  5. Sees caas.length is empty, and returns true in caa.matches()

What I think the correct behavior is:

  1. DNS lookup www.client-domain.com
  2. Follow CNAME to hosting-provider.com
  3. DNS CAA lookup of hosting-provider.com
  4. Sees empty results, so return to parent node of original domain
  5. DNS CAA lookup of client-domain.com
  6. Sees issue "pki.goog" as CAA record
  7. In caa.matches() compares pki.goog against lets-encrypt.org and returns false.
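The two CNAME issues above and the README's caa()/caaMatches() API all turn on the same question: which CAA record set is "relevant" for a name, and how that set is applied to a candidate CA. The block below is an added example, not code from the caa library, that models the RFC 6844 search as amended by errata 5065 over a constructed in-memory zone table (ZONE is an assumption standing in for real DNS; the names, the MAX_CNAME_HOPS limit and the helper names resolveCname, relevantCaaSet, caaPermits and formatCaa are all hypothetical). It climbs from the parent of the original node rather than from the CNAME target, returns every record at the first node that has any, and goes a little beyond the issues by also covering issuewild for wildcard names, the critical flag on an unrecognised tag, and a CNAME loop, which is treated as a lookup failure rather than as "no records" because an empty set would permit any CA. formatCaa renders the set in the presentation format the first issue asks for.

```javascript
// Added example (not the caa library's own code): RFC 6844 CAA lookup as amended
// by errata 5065, plus a matcher that applies the record set to a candidate CA.
// ZONE is a constructed stand-in for DNS; real code would query resolvers.
const ZONE = {
  // Scenario from the "CNAME CAA records handled incorrectly" issue
  "hosting-provider.com": { caa: [] },
  "client-domain.com": { caa: [{ flags: 0, tag: "issue", value: "pki.goog" }] },
  "www.client-domain.com": { cname: "hosting-provider.com" },
  // Scenario from the "CNAME CAA records not fully returned" issue
  "alpha.domain.example": { cname: "bravo.example" },
  "bravo.example": {
    caa: [
      { flags: 0, tag: "issue", value: "amazon.com" },
      { flags: 0, tag: "issue", value: "comodoca.com" },
      { flags: 0, tag: "issue", value: "letsencrypt.org" },
    ],
  },
  // Constructed extras: wildcard restriction, critical unknown tag, CNAME loop
  "wild.example": {
    caa: [
      { flags: 0, tag: "issue", value: "letsencrypt.org" },
      { flags: 0, tag: "issuewild", value: ";" }, // ";" = no CA may issue wildcards
    ],
  },
  "strict.example": { caa: [{ flags: 128, tag: "future-tag", value: "x" }] },
  "loop-a.example": { cname: "loop-b.example" },
  "loop-b.example": { cname: "loop-a.example" },
};

const MAX_CNAME_HOPS = 8; // hypothetical bound; a loop must not look like "no records"

// Follow a CNAME chain from `name` to its terminal label, failing on loops.
function resolveCname(name) {
  let current = name;
  for (let hops = 0; hops <= MAX_CNAME_HOPS; hops++) {
    const entry = ZONE[current];
    if (!entry || !entry.cname) return current;
    current = entry.cname;
  }
  throw new Error(`CNAME chain from ${name} exceeds ${MAX_CNAME_HOPS} hops`);
}

function parentOf(name) {
  const i = name.indexOf(".");
  return i === -1 ? null : name.slice(i + 1);
}

// Errata 5065 search: at node X follow CNAMEs to the target; if the target has
// CAA records that whole set is authoritative. Otherwise continue at the parent
// of X (the original node, not the CNAME target). [] means no node had records.
function relevantCaaSet(name) {
  for (let node = name; node !== null; node = parentOf(node)) {
    const target = resolveCname(node);
    const records = (ZONE[target] && ZONE[target].caa) || [];
    if (records.length > 0) {
      return records.map((r) => ({ ...r, issuerCritical: (r.flags & 128) !== 0 }));
    }
  }
  return [];
}

// Apply the set: an empty set permits any CA; a critical record with a tag the
// implementation does not understand must refuse; wildcard names use issuewild
// when present, else issue; an empty issuer domain (";") permits nobody.
function caaPermits(name, ca) {
  const wildcard = name.startsWith("*.");
  const records = relevantCaaSet(wildcard ? name.slice(2) : name);
  if (records.length === 0) return true;
  const known = ["issue", "issuewild", "iodef"];
  if (records.some((r) => r.issuerCritical && !known.includes(r.tag))) return false;
  let relevant = records.filter((r) => r.tag === "issue");
  if (wildcard) {
    const wild = records.filter((r) => r.tag === "issuewild");
    if (wild.length > 0) relevant = wild;
  }
  if (relevant.length === 0) return true; // no issuance restriction stated
  return relevant.some(
    (r) => r.value.split(";")[0].trim().toLowerCase() === ca.toLowerCase()
  );
}

// Presentation format, e.g. 0 issue "amazon.com" 0 issue "comodoca.com"
function formatCaa(records) {
  return records.map((r) => `${r.flags} ${r.tag} "${r.value}"`).join(" ");
}

console.log(caaPermits("www.client-domain.com", "letsencrypt.org")); // false
console.log(formatCaa(relevantCaaSet("alpha.domain.example")));
```

The key line is the loop variable in relevantCaaSet: the parent is taken of node (the name being searched), not of the CNAME target, which is exactly the difference between the library behaviour and the corrected behaviour listed in the issue.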
