From 782a3c7ac60c82311fe9fb8889dd843dfe26c0bc Mon Sep 17 00:00:00 2001
From: Matthew Holt <mholt@users.noreply.github.com>
Date: Mon, 24 Mar 2025 09:55:26 -0600
Subject: [PATCH] caddytls: Don't publish HTTPS record for CNAME'd domain (fix
 #6922)

---
 modules/caddytls/ech.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/modules/caddytls/ech.go b/modules/caddytls/ech.go
index a192c3390..142cf48d6 100644
--- a/modules/caddytls/ech.go
+++ b/modules/caddytls/ech.go
@@ -630,6 +630,7 @@ func (dnsPub ECHDNSPublisher) PublisherKey() string {
 func (dnsPub *ECHDNSPublisher) PublishECHConfigList(ctx context.Context, innerNames []string, configListBin []byte) error {
 	nameservers := certmagic.RecursiveNameservers(nil) // TODO: we could make resolvers configurable
 
+nextName:
 	for _, domain := range innerNames {
 		zone, err := certmagic.FindZoneByFQDN(ctx, dnsPub.logger, domain, nameservers)
 		if err != nil {
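Review bot: The `nextName:` label added on the domain loop carries no comment explaining its purpose, and the only `continue nextName` that targets it sits in the record scan well below this hunk, so a reader of this stretch sees a label with no visible reason to exist. A one-line comment above it such as `// labeled so the record scan below can skip a domain that cannot take an HTTPS record` would make the control flow self-explanatory. PublishECHConfigList's body continues past the hunk.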
@@ -660,6 +661,14 @@ func (dnsPub *ECHDNSPublisher) PublishECHConfigList(ctx context.Context, innerNa
 		var nameHasExistingRecord bool
 		for _, rec := range recs {
 			if rec.Name == relName {
+				// CNAME records are exclusive of all other records, so we cannot publish an HTTPS
+				// record for a domain that is CNAME'd. See #6922.
+				if rec.Type == "CNAME" {
+					dnsPub.logger.Warn("domain has CNAME record, so unable to publish ECH data to HTTPS record",
+						zap.String("domain", domain),
+						zap.String("cname_value", rec.Value))
+					continue nextName
+				}
 				nameHasExistingRecord = true
 				if rec.Type == "HTTPS" && (rec.Target == "" || rec.Target == ".") {
 					httpsRec = rec
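Review bot: The CNAME case is handled only by a Warn log and `continue nextName`, so PublishECHConfigList still returns nil for a name whose ECH config list was never published; a caller that relies on the returned error to decide whether an inner name is usable with ECH has no way to learn it was skipped. Either collect the skipped names and return a joined error after the loop, or document the contract on the function, e.g. `// Names that cannot carry an HTTPS record (such as CNAME'd names) are logged and skipped rather than returned as an error.` The `rec.Type == "CNAME"` comparison follows the existing `"HTTPS"` check, but it is worth confirming that every DNS provider returns the type in upper case, since a lower-case type would fall through to the publish path. The function body continues outside the hunk.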