From 3af4543e802223f44b5e6815e0adadd65f7f3146 Mon Sep 17 00:00:00 2001
From: Alisdair MacLeod
Date: Tue, 3 Feb 2026 12:50:25 +0000
Subject: [PATCH] check for domain ownership via subdomain rather than naked domain

---
 .../internals/modules/reverseproxy/domain/validator.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/management/internals/modules/reverseproxy/domain/validator.go b/management/internals/modules/reverseproxy/domain/validator.go
index 6f9cb0813..7c491909b 100644
--- a/management/internals/modules/reverseproxy/domain/validator.go
+++ b/management/internals/modules/reverseproxy/domain/validator.go
@@ -25,8 +25,8 @@ func NewValidator(resolver resolver) *Validator {
 	}
 }
 
-// IsValid looks up the CNAME record for the passed domain and compares it
-// against the acceptable domains.
+// IsValid looks up the CNAME record for the passed domain with a prefix
+// and compares it against the acceptable domains.
 // If the returned CNAME matches any accepted domain, it will return true,
 // otherwise, including in the event of a DNS error, it will return false.
 // The comparison is very simple, so wildcards will not match if included
@@ -36,7 +36,10 @@ func (v *Validator) IsValid(ctx context.Context, domain string, accept []string)
 		v.resolver = net.DefaultResolver
 	}
 
-	cname, err := v.resolver.LookupCNAME(ctx, domain)
+	// Prepend subdomain for ownership validation because we want to check
+	// for the record being a wildcard ("*.example.com"), but you cannot
+	// look up a wildcard so we have to add a subdomain for the check.
+	cname, err := v.resolver.LookupCNAME(ctx, "validation."+domain)
 	if err != nil {
 		log.WithFields(log.Fields{
 			"domain": domain,
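Review bot: The ownership check at `LookupCNAME(ctx, "validation."+domain)` proves only that someone has pointed `validation.<domain>` (or, as the new comment intends, a `*.<domain>` wildcard) at one of the `accept` targets, not that the caller asking to register `domain` is that someone; if the accepted targets are shared by every user of the proxy, which cannot be confirmed from this hunk, any caller can pass this check for a domain whose owner already runs a wildcard CNAME to the service, and the fixed, guessable `validation` label makes that trivial to exploit. A requester-specific secret in the DNS proof (for example a TXT record at a fixed label carrying a random token issued when the domain is registered) binds the record to the account, and a wildcard CNAME alone cannot forge it. Separately, `"validation."` is a magic string that the doc comment in the other hunk only calls "a prefix": hoist it to `const validationLabel = "validation."`, use it in the lookup, and add the queried name to the error log, since `"domain": domain` records the bare domain rather than the name that actually failed to resolve. IsValid's body continues past the end of the hunk.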