From 4db1f5593ca7b448bcaf82314373186c79137df8 Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien
Date: Thu, 7 Mar 2024 10:34:13 +0100
Subject: [PATCH] better check for dnssec-verifying resolver

check the authentic data bit for the NS records of "com.", not for ".": some dnssec-verifying resolvers return unauthentic data for ".".

for issue #139 by triatic, thanks!
---
 quickstart.go     | 3 ++-
 webadmin/admin.go | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/quickstart.go b/quickstart.go
index 1276b50..b90ae83 100644
--- a/quickstart.go
+++ b/quickstart.go
@@ -162,8 +162,9 @@ logging in with IMAP.
 	resolveCtx, resolveCancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer resolveCancel()
 
+	// Some DNSSEC-verifying resolvers return unauthentic data for ".", so we check "com".
 	fmt.Printf("Checking if DNS resolvers are DNSSEC-verifying...")
-	_, resolverDNSSECResult, err := resolver.LookupNS(resolveCtx, ".")
+	_, resolverDNSSECResult, err := resolver.LookupNS(resolveCtx, "com.")
 	if err != nil {
 		fmt.Println("")
 		fatalf("checking dnssec support in resolver: %v", err)
diff --git a/webadmin/admin.go b/webadmin/admin.go
index 46a2119..213a6da 100644
--- a/webadmin/admin.go
+++ b/webadmin/admin.go
@@ -529,7 +529,8 @@ func checkDomain(ctx context.Context, resolver dns.Resolver, dialer *net.Dialer,
 	defer logPanic(ctx)
 	defer wg.Done()
 
+	// Some DNSSEC-verifying resolvers return unauthentic data for ".", so we check "com".
 	_, result, err := resolver.LookupNS(ctx, "com.")
 	if err != nil {
 		addf(&r.DNSSEC.Errors, "Looking up NS for DNS root (.) to check support in resolver for DNSSEC-verification: %s", err)
 	} else if !result.Authentic {
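Review bot: The added comment in quickstart.go says we check "com" while the lookup on the next changed line queries "com.", and it does not say why that name is a better probe than "." for the AD bit; the same comment is duplicated in the webadmin/admin.go hunk, so both should be aligned. Suggested wording: `// Some DNSSEC-verifying resolvers return the root (".") NS RRset without the AD bit, so probe the signed "com." zone instead; an unauthentic answer here means the resolver is not validating.`. The `fatalf` message "checking dnssec support in resolver" remains accurate, but the function containing this block starts and ends outside the hunk, so any later output that names the root zone was not reviewed.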
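Review bot: The error string on the `addf(&r.DNSSEC.Errors, ...)` line in webadmin/admin.go still says "Looking up NS for DNS root (.)" although the lookup on the changed line above it now queries "com.", so an admin seeing this error would be pointed at the wrong query. Change it to `addf(&r.DNSSEC.Errors, "Looking up NS for com. to check support in resolver for DNSSEC-verification: %s", err)`. The `} else if !result.Authentic {` branch that reports the non-validating case continues past the end of the hunk, inside the goroutine closure of checkDomain, and presumably carries a similar message that should be updated in the same way — confirm against the full function.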