-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Resolution of domain names for sub domains seems to match erroneous DNS #147
Comments
@ivanr, please disable WWW resolution for subdomains. This behaviour looks illogical to me. |
@jonathanKingston I think you should be able to resolve this problem by examining the "delegation" field. First, you need to determine if the exact hostname you're interested in has the prefix. Then, you ignore all endpoints that don't match your case. In your example, there's no prefix, so you should ignore endpoints that don't have delegation bit 1 set. (In other words, delegation should be 1.) |
@selecadm If it's in DNS, I think it's fair to assess it :) |
@ivanr thanks for the delegation field help. I can get the IP sometimes will look further into the reliability of this; however not sure how much weight I want to give to it as load balanced servers won't always be the same IP. Out of interest is there a lot of cases where SSL Labs are unable to access IP addresses? |
The idea is that, if you know the IP address, SSL Labs will give you the configuration of the same server that the browser is connecting to. (Except when anycast is used, but that can't be avoided.) |
Hi Ivan, For me it looks also strange to look also for www.DOMAIN -- if just DOMAIN was supplied. Sounds to me machine wants to be smarter than my instruction. Not sure whether I like that (to be honest: no) Maybe it was common sense like 15 years ago that a domain (attention: sarcasm) "has to have www" otherwise this felt somehow wrong -- (attention: arrogance) at least for people just started using the internet. But nowadays? If there's no RFC or a draft I would rather stick on the input supplied instead of scanning other IPs too or stating "Prefix handling Not valid for "www.DOMAIN" CONFUSING. Cheers, Dirk |
@drwetter A-record for WWW seems to be needed only for housewives and elderlies who use Google to open Facebook. Good practice is either redirecting WWW.example.com to example.com or just not resolving WWW at all. Certificates for my sites are valid for WWW only if:
StartCom requires to submit a subdomain, so I have to use something like "secure" or "generic-san", so that the cert is not valid for WWW. Good:
Bad:
|
For example the domain:
https://www.ssllabs.com/ssltest/analyze.html?d=portal.cyber-ami.com&latest
There is a record for www.portal.cyber-ami.com which gets picked up by the DNS matching rules on the scan (Which in my opinion it shouldn't).
The API also never resolves a result for this subdomain and the subdomain isn't visible in the API response which the API consumer can only assume the site has broken DNS for one of its servers.
The text was updated successfully, but these errors were encountered: