CRITICAL: Port and TLS checks for apex domains silently do nothing #19

Closed
clawbot opened 2026-02-20 13:49:42 +01:00 · 0 comments
Collaborator

## Bug

checkAllPorts() and runTLSChecks() both iterate over w.config.Domains and call collectIPs(domain). However, collectIPs reads from GetHostnameState(hostname), which only returns state set by checkHostname(). Domains go through checkDomain() which sets DomainState (nameservers only), never HostnameState.

```go
func (w *Watcher) checkAllPorts(ctx context.Context) {
    // ...
    for _, domain := range w.config.Domains {
        w.checkPortsForHostname(ctx, domain)  // calls collectIPs
    }
}

func (w *Watcher) collectIPs(hostname string) []string {
    hs, ok := w.state.GetHostnameState(hostname)  // always false for domains!
    if !ok {
        return nil  // silently returns nothing
    }
    // ...
}
```

## Impact

If a user configures example.com as a target (an apex domain), DNS NS monitoring works, but port monitoring and TLS certificate monitoring are silently skipped. No error is logged.

## Fix

Either:

  1. Resolve A/AAAA records for domains too (treating them also as hostnames for IP-level checks), or
  2. Remove domains from the port/TLS check loops if they are intentionally NS-only, and document this behavior, or
  3. Unify the domain/hostname distinction so all targets get full monitoring.
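An added illustration of fix option 1 from the report (example code, not dnswatcher's own): `collectIPs` falls back to an A/AAAA lookup when no `HostnameState` exists for the target and returns an error instead of `nil` so the skipped check is visible. The `Resolver`, `hostnameState` and `Watcher` types here are hypothetical stand-ins, and `fakeResolve` is a constructed offline resolver rather than real DNS.

```go
package main

import (
	"context"
	"fmt"
	"net"
)

// Resolver abstracts the A/AAAA lookup so the example runs offline (hypothetical type).
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

type hostnameState struct{ IPs []string } // assumed shape of the state checkHostname() records

// Watcher is a minimal stand-in for the real Watcher (hypothetical fields).
type Watcher struct {
	hostnames map[string]hostnameState // what GetHostnameState() would consult
	resolve   Resolver
}

// collectIPs implements fix option 1: when no HostnameState exists (the apex-domain
// case in the report) it resolves A/AAAA records instead of silently returning nil,
// and returns an error for empty or failed lookups so the caller can log the skip.
func (w *Watcher) collectIPs(ctx context.Context, target string) ([]string, error) {
	if hs, ok := w.hostnames[target]; ok {
		return hs.IPs, nil
	}
	ips, err := w.resolve(ctx, target)
	if err != nil {
		return nil, fmt.Errorf("collectIPs %s: no hostname state and lookup failed: %w", target, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("collectIPs %s: no hostname state and no A/AAAA records", target)
	}
	out := make([]string, 0, len(ips))
	for _, ip := range ips {
		out = append(out, ip.String())
	}
	return out, nil
}

// fakeResolve is a constructed offline resolver with sample answers (not real DNS data).
func fakeResolve(_ context.Context, host string) ([]net.IP, error) {
	switch host {
	case "example.com": // apex domain: no HostnameState, but it does have A/AAAA records
		return []net.IP{net.ParseIP("192.0.2.10"), net.ParseIP("2001:db8::10")}, nil
	case "unresolvable.example": // lookup succeeds but yields no addresses
		return nil, nil
	}
	return nil, fmt.Errorf("NXDOMAIN for %s", host)
}
```

With this shape, a hostname that `checkHostname()` already recorded is served from state, an apex domain such as `example.com` gets its resolved addresses, and a target with no addresses produces an error the port and TLS loops can log rather than an empty slice.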
sneak closed this issue 2026-02-28 12:09:04 +01:00
References: sneak/dnswatcher#19