Skip to content

For CNAME records pointing to username.github.io, skip CAA check #108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Oct 26, 2018
Merged

For CNAME records pointing to username.github.io, skip CAA check #108

merged 5 commits into from
Oct 26, 2018

Conversation

parkr
Copy link
Contributor

@parkr parkr commented Oct 24, 2018

This PR attempts to fix a bug in our CAA checking.

  1. Where the domain in question is a CNAME to username.github.io, then only check the CAA records for that one domain. Its parent SHOULD NOT be checked.
  2. Where the domain in question uses A records to point to GitHub Pages IPs, then check the CAA records for both it and its parent domain.

Example:

  1. www.example.com is a CNAME to example.github.io. Check only CAA on www.example.com.
  2. foobar.example.com uses A records to point to GitHub Pages IPs. Check CAA for foobar.example.com AND example.com.

/cc @github/pages

@parkr parkr requested review from benbalter, snh and seveas October 24, 2018 15:30
@parkr parkr added the bug label Oct 24, 2018
@parkr parkr mentioned this pull request Oct 24, 2018
Closed
snh
snh requested changes Oct 25, 2018
View reviewed changes
lib/github-pages-health-check/domain.rb Outdated
# Must be a CNAME or point to our IPs.

# Only check the one domain if a CNAME. Don't check the parent domain.
return caa.lets_encrypt_allowed? if cname_to_github_user_domain?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return caa.lets_encrypt_allowed? if cname_to_github_user_domain?
return cname_to_github_user_domain?

I don't think we even need to check the CAA record for the custom domain when it is a CNAME, as a CNAME can't co-exist with another record type.

This is why for example you can't use an CNAME at the apex of a domain, as it'd be co-existing with NS records at a minimum.

In this case, we only need to worry about CAA records when the custom domain is using A record(s), and can completely ignore CAA records when it is a CNAME once we have CAA records in place for *.github.io.

Ref: Section 3.6.2 in https://tools.ietf.org/html/rfc1034

tjanez added a commit to tjanez/site that referenced this pull request Oct 25, 2018
@tjanez
Revert "Change site's URL to https://tadej.ja.nez.si"
74a687b 
Temporarily revert the site to plain HTTP since GitHub is having issues
with checking CAA records for CNAME records. More details here:
github/pages-health-check#108.

This reverts commit 6db0db8.
snh
snh requested changes Oct 25, 2018
View reviewed changes
lib/github-pages-health-check/domain.rb Outdated
# Check CAA records for the full domain and its parent domain.
pointed_to_github_pages_ip? &&
caa.lets_encrypt_allowed? &&
caa.parent_domain_allows_lets_encrypt?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this will quite work in this form, as we should only fall back to the parent's CAA records if there are no CAA records for the custom domain itself.

Copy link
Member

@snh snh Oct 25, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thinking about this more, now that we are skipping CAA completely for the CNAME case, we could probably just restore the previous logic for the A record case, which handled this correctly.

@snh
Copy link
Member

snh commented Oct 25, 2018
edited
Loading

Approving on the basis that we'll revert caa.lets_encrypt_allowed? back to its original logic and then just do pointed_to_github_pages_ip? && caa.lets_encrypt_allowed?.

@parkr
Copy link
Contributor Author

parkr commented Oct 25, 2018

@snh updated.

snh
snh approved these changes Oct 26, 2018
View reviewed changes
Copy link
Member

@snh snh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thanks @parkr

@parkr parkr merged commit 1dc03c7 into master Oct 26, 2018
@parkr parkr deleted the short-circuit-caa-for-cname branch October 26, 2018 00:51
@parkr parkr changed the title For CNAME records, only check CAA records for the domain, not its parent For CNAME records pointing to username.github.io, skip CAA check Oct 26, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@snh snh snh approved these changes

@benbalter benbalter Awaiting requested review from benbalter

@seveas seveas Awaiting requested review from seveas

Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@parkr @snh