From 4544f0f300968d61e0b9eb73d91fbbd5564b910d Mon Sep 17 00:00:00 2001
From: Frank Breedijk
Date: Wed, 18 Oct 2017 08:05:02 +0200
Subject: [PATCH] Make CAA record lookups resolve the entire DNS tree (Fixes #862)
---
 testssl.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/testssl.sh b/testssl.sh
index 09a825c..5723492 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -5984,6 +5984,7 @@ certificate_info() {
 local days2warn2=$DAYS2WARN2
 local days2warn1=$DAYS2WARN1
 local provides_stapling=false
+ local caa_node=""
 if [[ $number_of_certificates -gt 1 ]]; then
 [[ $certificate_number -eq 1 ]] && outln
@@ -6567,7 +6568,13 @@ certificate_info() {
 must_staple "$json_prefix" "$provides_stapling"
 out "$indent"; pr_bold " DNS CAA RR"; out " (experimental) "
- caa="$(get_caa_rr_record $NODE)"
+
+ caa_node="$NODE."
+ caa=""
+ while ( [[ -z "$caa" ]] && [[ ! -z "$caa_node" ]] ); do
+ caa="$(get_caa_rr_record $caa_node)"
+ caa_node="$(echo "$caa_node."|cut -f 2- -d '.'|sed 's/\.$//')"
+ done
 if [[ -n "$caa" ]]; then
 pr_done_good "OK"; out " (" ; pr_italic "$caa"; out ")"
 fileout "${json_prefix}CAA_record" "OK" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 : \"$caa\" "
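Review bot: In the new `while` loop of the second hunk, an empty result from `get_caa_rr_record` is the only thing that drives the climb, so a failed or timed-out lookup at a lower label looks the same as "no CAA record", and the check can print OK for a record found at a parent or even the TLD without saying which name it came from. I would record the label at which the record was found and include it in the `pr_italic`/`fileout` output, and treat a lookup error separately if `get_caa_rr_record` (defined outside this hunk) can report one. The loop also forks a subshell for its condition on every pass, expands `$caa_node` unquoted, and runs an echo/cut/sed pipeline to drop one label; `while [[ -z "$caa" && -n "$caa_node" ]]; do`, `caa="$(get_caa_rr_record "$caa_node")"` and `caa_node="${caa_node#*.}"` walk the same names without any of that. If `$NODE` can be an IP address or already end in a dot (not visible here), the loop will send CAA queries for names that are not valid domains, so a guard before `caa_node="$NODE."` seems worthwhile. `certificate_info` starts and ends outside both hunks, so the rest of the CAA reporting was not reviewed.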