sneak/dnswatcher
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

CRITICAL: Port and TLS checks for apex domains silently do nothing #19

New Issue
Closed
opened 2026-02-20 13:49:42 +01:00 by clawbot · 0 comments
clawbot commented 2026-02-20 13:49:42 +01:00
Collaborator
Copy Link

Bug

checkAllPorts() and runTLSChecks() both iterate over w.config.Domains and call collectIPs(domain). However, collectIPs reads from GetHostnameState(hostname), which only returns state set by checkHostname(). Domains go through checkDomain() which sets DomainState (nameservers only), never HostnameState.

func (w *Watcher) checkAllPorts(ctx context.Context) {
    // ...
    for _, domain := range w.config.Domains {
        w.checkPortsForHostname(ctx, domain)  // calls collectIPs
    }
}

func (w *Watcher) collectIPs(hostname string) []string {
    hs, ok := w.state.GetHostnameState(hostname)  // always false for domains!
    if !ok {
        return nil  // silently returns nothing
    }
    // ...
}

Impact

If a user configures example.com as a target (an apex domain), DNS NS monitoring works, but port monitoring and TLS certificate monitoring are silently skipped. No error is logged.

Fix

Either:

  1. Resolve A/AAAA records for domains too (treating them also as hostnames for IP-level checks), or
  2. Remove domains from the port/TLS check loops if they are intentionally NS-only, and document this behavior, or
  3. Unify the domain/hostname distinction so all targets get full monitoring.
## Bug `checkAllPorts()` and `runTLSChecks()` both iterate over `w.config.Domains` and call `collectIPs(domain)`. However, `collectIPs` reads from `GetHostnameState(hostname)`, which only returns state set by `checkHostname()`. Domains go through `checkDomain()` which sets `DomainState` (nameservers only), never `HostnameState`. ```go func (w *Watcher) checkAllPorts(ctx context.Context) { // ... for _, domain := range w.config.Domains { w.checkPortsForHostname(ctx, domain) // calls collectIPs } } func (w *Watcher) collectIPs(hostname string) []string { hs, ok := w.state.GetHostnameState(hostname) // always false for domains! if !ok { return nil // silently returns nothing } // ... } ``` ## Impact If a user configures `example.com` as a target (an apex domain), DNS NS monitoring works, but port monitoring and TLS certificate monitoring are silently skipped. No error is logged. ## Fix Either: 1. Resolve A/AAAA records for domains too (treating them also as hostnames for IP-level checks), or 2. Remove domains from the port/TLS check loops if they are intentionally NS-only, and document this behavior, or 3. Unify the domain/hostname distinction so all targets get full monitoring.
sneak closed this issue 2026-02-28 12:09:04 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
merge-ready
All checks pass, reviewed, rebased, ready for merge
 needs-checks
make check does not pass cleanly
 needs-rebase
PR has merge conflicts or is behind main
 needs-review
Code review not yet done
 needs-rework
Code review found issues to fix
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
clawbot sneak
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: sneak/dnswatcher#19
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?