From 03972dc56535d414e36c4d754a93d1d1fcc9b0da Mon Sep 17 00:00:00 2001
From: Brian Cunnie
Date: Wed, 27 Apr 2022 16:41:51 -0700
Subject: [PATCH] Ensure `_acme-challenge` can't be set on k-v.io subdomains

The integration tests confirm that a user can't set the TXT record of, say, `_acme-challenge.random-subdomain.k-v.io`
---
 src/sslip.io-dns-server/integration_test.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/sslip.io-dns-server/integration_test.go b/src/sslip.io-dns-server/integration_test.go
index 0e33733..297447e 100644
--- a/src/sslip.io-dns-server/integration_test.go
+++ b/src/sslip.io-dns-server/integration_test.go
@@ -165,6 +165,14 @@ var _ = Describe("sslip.io-dns-server", func() {
 "@127.0.0.1 _acme-challenge.k-v.io txt +short",
 `Please don't try to procure a k-v.io cert via DNS-01 challenge`,
 `TypeTXT _acme-challenge.k-v.io. \? \["Please don't try to procure a k-v.io cert via DNS-01 challenge"\]`),
+ Entry(`setting a TXT for _acme-challenge.subdomain-key.k-v.io doesn't expose DNS-01 vulnerability because all keys are on the main domain'"`,
+ "@127.0.0.1 put.baffled-boy._acme-challenge.subdomain-key.k-v.io txt +short",
+ `baffled-boy`,
+ `TypeTXT put.baffled-boy._acme-challenge.subdomain-key.k-v.io. \? \["baffled-boy._acme-challenge"\]`),
+ Entry(`get a TXT for _acme-challenge.a.b.c.subdomain-key.k-v.io ignores labels between "get" and the key`,
+ "@127.0.0.1 get._acme-challenge.a.b.c.subdomain-key.k-v.io txt +short",
+ `baffled-boy._acme-challenge`,
+ `TypeTXT get._acme-challenge.a.b.c.subdomain-key.k-v.io. \? \["baffled-boy._acme-challenge"\]`),
 )
 })
 Describe("for more complex assertions", func() {
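Review bot: The two new entries show that an `_acme-challenge` label sitting between `put.`/`get.` and the key is folded into the value or ignored, but neither asserts what a plain TXT query for `_acme-challenge.subdomain-key.k-v.io` — the name an ACME validator would actually look up — returns after the put, so the property in the commit title is only checked indirectly; an Entry issuing `@127.0.0.1 _acme-challenge.subdomain-key.k-v.io txt +short` and expecting the stored value to be absent (presumably the same refusal text the existing `_acme-challenge.k-v.io` entry expects, to be confirmed against the server's behavior) would close that gap. The first new Entry's description ends in a stray `'"` (`...on the main domain'"`) that should be dropped. The `get` entry also relies on the preceding `put` entry having run and `subdomain-key` still being stored, so the pair is order-dependent and would break under randomized spec ordering; a comment such as `// depends on the put entry above having stored subdomain-key` would make that explicit. The put entry's expected dig output `baffled-boy` is only a prefix of the value its log assertion pins (`baffled-boy._acme-challenge`); if the third argument is matched as a substring this passes, but `baffled-boy._acme-challenge` would check the stored value exactly. The enclosing DescribeTable starts before the hunk.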