Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2026-06-02 22:48:49 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix DNS CAA check for IP scans and subdomains

Browse Source 
- Skip CAA lookup entirely when NODE is an IP address; show
  "not checked (IP address scan)" instead of spuriously querying
  IP octets as domain labels and reporting "not offered"
- Force FQDN (trailing dot) on the initial caa_node before the
  walk loop so dig does not apply the resolv.conf search domain
  to the first query, which could return a false result
- Add a visible warning in the scan header when scanning by IP
  address, noting that trust/CAA and other domain-specific checks
  may be unreliable and the user should rescan with the hostname
This commit is contained in:
Raymond Huygen
2026-05-21 15:29:50 +02:00
parent 2f51cff728
commit d4f1b31f0d
1 changed files with 41 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files
testssl.sh
+10 -1
View File
@@ -10268,13 +10268,17 @@ certificate_info() {
out "$indent"; pr_bold " DNS CAA RR"; out " (experimental) " out "$indent"; pr_bold " DNS CAA RR"; out " (experimental) "
jsonID="DNS_CAArecord" jsonID="DNS_CAArecord"
if is_ipv4addr "$NODE" || is_ipv6addr "$NODE"; then
out "not checked (IP address scan -- no domain to query)"
fileout "${jsonID}${json_postfix}" "INFO" "not checked (IP address scan)"
else
caa_node="$NODE" caa_node="$NODE"
[[ $caa_node =~ '.'$ ]] || caa_node+="." # force FQDN to prevent dig search-domain expansion
caa="" caa=""
while [[ -z "$caa" ]] && [[ -n "$caa_node" ]]; do while [[ -z "$caa" ]] && [[ -n "$caa_node" ]]; do
caa="$(get_caa_rr_record $caa_node)" caa="$(get_caa_rr_record $caa_node)"
tmp=${PIPESTATUS[@]} tmp=${PIPESTATUS[@]}
[[ $DEBUG -ge 4 ]] && echo "get_caa_rr_record: $tmp" [[ $DEBUG -ge 4 ]] && echo "get_caa_rr_record: $tmp"
[[ $caa_node =~ '.'$ ]] || caa_node+="."
caa_node=${caa_node#*.} caa_node=${caa_node#*.}
done done
if [[ -n "$caa" ]]; then if [[ -n "$caa" ]]; then
@@ -10302,6 +10306,7 @@ certificate_info() {
pr_svrty_low "not offered" pr_svrty_low "not offered"
fileout "${jsonID}${json_postfix}" "LOW" "--" fileout "${jsonID}${json_postfix}" "LOW" "--"
fi fi
fi
outln outln
out "$indent"; pr_bold " Certificate Transparency "; out "$indent"; pr_bold " Certificate Transparency ";
@@ -23606,6 +23611,10 @@ display_rdns_etc() {
outln " A record via: $CORRECT_SPACES supplied IP \"$CMDLINE_IP\"" outln " A record via: $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
fi fi
fi fi
if is_ipv4addr "$NODE" || is_ipv6addr "$NODE"; then
prln_warning " Warning: IP scan -- Trust, CAA and SNI-dependent checks may be unreliable. Rescan with hostname for accurate results."
fileout "ip_scan_warning" "WARN" "Scanning by IP address: Trust, CAA and SNI-dependent checks may be unreliable"
fi
if [[ "$rDNS" =~ instructed ]]; then if [[ "$rDNS" =~ instructed ]]; then
out "$(printf " %-23s " "rDNS ($nodeip):")" out "$(printf " %-23s " "rDNS ($nodeip):")"
out "$rDNS" out "$rDNS"