Merge branch 'internetstandards:main' into main

Author: apio-sys

checks/caa/retrieval.py

@@ -12,7 +12,7 @@
 
 CAA_MSGID_INSUFFICIENT_POLICY = "missing-required-property-issue"
 CAA_TAGS_REQUIRED = {"issue"}
-CAA_MAX_RECORDS = 1000
+CAA_MAX_RECORDS = 100
 
 
 @dataclass

checks/resolver.py

@@ -68,7 +68,7 @@ def dns_resolve_tlsa(qname: str, allow_bogus=True) -> tuple[list[TLSA], DNSSECSt
 
 def dns_resolve_txt(qname: str, allow_bogus=True) -> list[str]:
     rrset, dnssec_status = dns_resolve(qname, RdataType.TXT, allow_bogus)
-    return [rr.to_text()[1:-1] for rr in rrset]
+    return ["".join([dns.rdata._escapify(s) for s in rr.strings]) for rr in rrset]
 
 
 def dns_resolve_spf(qname: str, allow_bogus=True) -> Optional[str]:

documentation/Docker-container-profiles.md

@@ -1,6 +1,6 @@
 # Docker container profiles overview
 
-This overview was last generated at 2025-02-09T23:19:39Z with `make update_container_documentation`.
+This overview was last generated at 2025-05-27T12:11:00Z with `make update_container_documentation`.
 
 
 | container             | profiles     | description                                                                                                                      |

documentation/caa.md

@@ -46,7 +46,7 @@ In all other cases, the status is bad (notice).
 * We do not check whether the current TLS certificate matches
   one or more of the `issue*` records, i.e. whether the current
   certificate could be re-issued.
-* We do not evaluate more than 1000 records.
+* We do not evaluate more than 100 records.
 * The API and database support a "recommendations" field for future use,
   but none are currently detected.
 * We do not accept HTTP URLs in iodef, which may be a slightly 

remote_data/certs/certdata.txt

@@ -1,9 +1,10 @@
 ; autotrust trust anchor file
 ;;id: . 1
-;;last_queried: 1736366165 ;;Wed Jan  8 20:56:05 2025
-;;last_success: 1736366165 ;;Wed Jan  8 20:56:05 2025
-;;next_probe_time: 1736408952 ;;Thu Jan  9 08:49:12 2025
+;;last_queried: 1748347868 ;;Tue May 27 14:11:08 2025
+;;last_success: 1748347868 ;;Tue May 27 14:11:08 2025
+;;next_probe_time: 1748388858 ;;Wed May 28 01:34:18 2025
 ;;query_failed: 0
 ;;query_interval: 43200
 ;;retry_time: 8640
+.	86400	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=1748347868 ;;Tue May 27 14:11:08 2025
 .	172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1519657238 ;;Mon Feb 26 16:00:38 2018

remote_data/dns/root.key

@@ -9,7 +9,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2015-02-16 23:27+0100\n"
-"PO-Revision-Date: 2025-01-28 12:01:21.412632\n"
+"PO-Revision-Date: 2025-05-27 12:27:29.821689\n"
 "Last-Translator: \n"
 "Language-Team: \n"
 "Language: \n"
@@ -35,7 +35,7 @@ msgstr ""
 "\n"
 "[PGP public key](/static/question@internet.nl_0x45028563.asc)  \n"
 "Fingerprint: ACB7 8829 4C7E 12BA E922 8C60 D894 E15F 4502 8563  \n"
-"Expiration date: 19th of March 2025"
+"Expiration date: 28th of March 2028"
 
 #, md-format
 msgid "about content"
@@ -1105,6 +1105,46 @@ msgstr ""
 "This subtest did *not* run, because *no* route announcement was available "
 "for any of the IP addresses."
 
+msgid "detail mail tls caa exp"
+msgstr ""
+"We check if the name servers of each of your receiving mail servers (MX) contain one or more CAA records, that are syntactically valid and sufficiently protective.\n"
+"\n"
+"Certification Authority Authorisation (CAA) allows you as a DNS domain name holder to specify one or more certificate authority authorised to issue certificates for your mail server domain names.\n"
+"A certificate authority must not issue a certificate unless the certificate authority determines that the certificate request is consistent with the applicable CAA records.\n"
+"\n"
+"Note that CAA records are located during validation by walking up the DNS hierarchy until one or more records are found.\n"
+"For example, if no CAA records are found on `sub.example.nl`, `example.nl` will be queried.\n"
+"The domain were the applicable CAA records are found is shown in the table with technical details below.\n"
+"\n"
+"The verdict is good if one or more CAA records were found that all have correct syntax, and at least one of these CAA records has the `issue` tag.\n"
+"In all other cases, the test will result in a fail.\n"
+"It is not checked whether the certificate authority of the current TLS certificate matches one or more of the `issue` and `issuewild` values, i.e., whether the current certificate could be reissued at this time.\n"
+"\n"
+"If your are using the Automatic Certificate Management Environment (ACME) standard and your certificate authority supports it, we recommend you to use the parameters `validationmethods` and `accounturi` to further restrict isssuance by the authorised certificate authority. Furthermore, it is recommended to add `issuemail` and `issuevmc` with an empty `;` if you do not use certificates for S/MIME and/or BIMI respectively. Otherwise, any certificate authority is still allowed to issue these certificates for your domain, since `issue` does not cover them.\n"
+"\n"
+"We expect URLs in `iodef` to be secure (i.e. use HTTPS scheme).\n"
+"Furthermore, to prevent suppression or spoofing of CAA records we strongly recommend you to use DNSSEC, although this CAA test does not specifically test for DNSSEC.\n"
+"\n"
+"*Requirement level: Recommended*"
+
+msgid "detail mail tls caa label"
+msgstr "CAA for mail server"
+
+msgid "detail mail tls caa tech table"
+msgstr "Mail server|Findings"
+
+msgid "detail mail tls caa verdict bad"
+msgstr "Your mail server does *not* have CAA."
+
+msgid "detail mail tls caa verdict good"
+msgstr "Your mail server has a valid, sufficiently protective CAA. "
+
+msgid "detail mail tls caa verdict insufficient"
+msgstr "Your mail server has a valid, but *unsufficiently* protective CAA."
+
+msgid "detail mail tls caa verdict syntax-error"
+msgstr "Your mail server has an *invalid* CAA."
+
 msgid "detail mail tls cert-hostmatch exp"
 msgstr ""
 "We check if the domain name of each of your receiving mail servers (MX) matches the domain name on the presented certificates. \n"
@@ -1859,6 +1899,86 @@ msgstr ""
 msgid "detail tech data bogus"
 msgstr "bogus"
 
+msgid "detail tech data caa caa-record"
+msgstr "Record: {record}"
+
+msgid "detail tech data caa caa_record"
+msgstr "caa record found: {record}"
+
+msgid "detail tech data caa found-host"
+msgstr "CAA found on: {host}"
+
+msgid "detail tech data caa found_host"
+msgstr "found CAA on host {host}"
+
+msgid "detail tech data caa invalid-flags-reserved-bits"
+msgstr "Error: Invalid reserved flags \"{flags}\""
+
+msgid "detail tech data caa invalid-parameter-validation-methods"
+msgstr "Error: Invalid 'validationmethods' value \"{parameter_value}\""
+
+msgid "detail tech data caa invalid-property-contactemail-value"
+msgstr "Error: Invalid 'contactemail' value \"{property_value}\""
+
+msgid "detail tech data caa invalid-property-contactphone-value"
+msgstr "Error: Invalid 'contactphone' value \"{property_value}\""
+
+msgid "detail tech data caa invalid-property-iodef-value"
+msgstr "Error: Invalid 'iodef' value \"{property_value}\""
+
+msgid "detail tech data caa invalid-property-issuemail-value"
+msgstr "Error: Invalid 'issuemail' value \"{property_value}\""
+
+msgid "detail tech data caa invalid-property-syntax"
+msgstr ""
+"Error: Invalid \"{invalid_character}\" at position "
+"{invalid_character_position} in '{property_name}' value \"{property_value}\""
+" "
+
+msgid "detail tech data caa invalid-reserved-property"
+msgstr "Error: Invalid reserved property \"{property_tag}\""
+
+msgid "detail tech data caa invalid-unknown-property"
+msgstr "Error: Unknown property \"{property_tag}\""
+
+msgid "detail tech data caa invalid_flags_reserved_bits"
+msgstr "invalid_flags_reserved_bits {value}"
+
+msgid "detail tech data caa invalid_property_contactemail_value"
+msgstr "invalid_property_contactemail_value {value}"
+
+msgid "detail tech data caa invalid_property_contactphone_value"
+msgstr "invalid_property_contactphone_value {value}"
+
+msgid "detail tech data caa invalid_property_iodef_value"
+msgstr "invalid_property_iodef_value {value}"
+
+msgid "detail tech data caa invalid_property_issue_validation_method"
+msgstr "invalid_property_issue_validation_method {value}"
+
+msgid "detail tech data caa invalid_property_issuemail_value"
+msgstr "invalid_property_issuemail_value {value}"
+
+msgid "detail tech data caa invalid_property_syntax"
+msgstr ""
+"invalid_property_syntax name {property_name} value {property_value} invalid "
+"character {invalid_character} at pos {invalid_character_position}"
+
+msgid "detail tech data caa invalid_reserved_property"
+msgstr "invalid_reserved_property {value}"
+
+msgid "detail tech data caa invalid_unknown_property"
+msgstr "invalid_unknown_property {value}"
+
+msgid "detail tech data caa missing-required-property-issue"
+msgstr "Error: Required 'issue' property missing"
+
+msgid "detail tech data caa not-found"
+msgstr "Error: CAA not found"
+
+msgid "detail tech data caa not_found"
+msgstr "CAA not found"
+
 msgid "detail tech data good"
 msgstr "good"
 
@@ -2652,6 +2772,45 @@ msgstr ""
 "This subtest did *not* run, because *no* route announcement was available "
 "for any of the IP addresses."
 
+msgid "detail web tls caa exp"
+msgstr ""
+"We check if the name servers of your website domain contain one or more CAA records, that are syntactically valid and sufficiently protective.\n"
+"\n"
+"Certification Authority Authorisation (CAA) allows you as a DNS domain name holder to specify one or more certificate authorities authorised to issue certificates for your domain name.\n"
+"A certificate authority must not issue a certificate unless the CA determines that the certificate request is consistent with the applicable CAA records.\n"
+"\n"
+"Note that CAA records are located during validation by walking up the DNS hierarchy until one or more records are found.\n"
+"For example, if no CAA records are found on `sub.example.nl`, `example.nl` will be queried.\n"
+"The domain were the applicable CAA records are found is shown in the table with technical details below.\n"
+"\n"
+"The verdict is good if one or more CAA records were found that all have correct syntax, and at least one of these CAA records has the `issue` tag with a valid value.\n"
+"In all other cases, the test will result in a fail. It is not checked whether the certificate authority of the current certificate matches one or more of the `issue` and `issuewild` values, i.e., whether the current certificate could be reissued at this time.\n"
+"\n"
+"If your are using the Automatic Certificate Management Environment (ACME) standard and your certificate authority supports it, we recommend you to use the parameters `validationmethods` and `accounturi` to further restrict isssuance by the authorised certificate authority. Furthermore, it is recommended to add `issuemail` and `issuevmc` with an empty `;` if you do not use certificates for S/MIME and/or BIMI respectively. Otherwise, any certificate authority is still allowed to issue these certificates for your domain, since `issue` does not cover them.\n"
+"\n"
+"We expect URLs in `iodef` to be secure (i.e. use HTTPS scheme). \n"
+"Furthermore, to prevent suppression or spoofing of CAA records we strongly recommend you to use DNSSEC, although this CAA test does not specifically test for DNSSEC.\n"
+"\n"
+"*Requirement level: Recommended*"
+
+msgid "detail web tls caa label"
+msgstr "CAA for domain"
+
+msgid "detail web tls caa tech table"
+msgstr "Findings"
+
+msgid "detail web tls caa verdict bad"
+msgstr "Your domain does *not* have CAA."
+
+msgid "detail web tls caa verdict good"
+msgstr "Your domain has a valid, sufficiently protective CAA. "
+
+msgid "detail web tls caa verdict insufficient"
+msgstr "Your domain has a valid, but *unsufficiently* protective CAA."
+
+msgid "detail web tls caa verdict syntax-error"
+msgstr "Your domain has an *invalid* CAA."
+
 msgid "detail web tls cert-hostmatch exp"
 msgstr ""
 "We check if the domain name of your website matches the domain name on the certificate. \n"
@@ -3868,10 +4027,20 @@ msgstr ""
 "* [How HTTPS works](https://howhttps.works/)\n"
 "\n"
 "## Specifications\n"
+"### HTTPS\n"
 "* [RFC 9110: HTTP Semantics](https://www.rfc-editor.org/rfc/rfc9110)\n"
 "* [RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3](https://www.rfc-editor.org/rfc/rfc8446)\n"
 "* [RFC 5246: The Transport Layer Security (TLS) Protocol, Version 1.2](https://www.rfc-editor.org/rfc/rfc5246)\n"
+"* [RFC 9325:Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)](https://www.rfc-editor.org/rfc/rfc9325.html)\n"
 "* [RFC 6797: HTTP Strict Transport Security (HSTS)](https://www.rfc-editor.org/rfc/rfc6797)\n"
+"\n"
+"### CAA\n"
+"* [RFC8659: DNS Certification Authority Authorization (CAA) Resource Record](https://www.rfc-editor.org/rfc/rfc8659.html)\n"
+"* [RFC8657: Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding](https://www.rfc-editor.org/rfc/rfc8657.html) \n"
+"* [Baseline Requirements by Certification Authority Browser Forum](https://cabforum.org/working-groups/server/baseline-requirements/requirements/)\n"
+"* [Certification Authority Restriction Properties by IANA](https://www.iana.org/assignments/pkix-parameters/pkix-parameters.xhtml#caa-properties)\n"
+"\n"
+"### DANE\n"
 "* [RFC 6698: The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA](https://www.rfc-editor.org/rfc/rfc6698)"
 
 #, md-format
@@ -5367,51 +5536,3 @@ msgstr ""
 "# Website test widget\n"
 "Would you like visitors of your website to be able to directly start a website test?  \n"
 "Copy the HTML and CSS code from the text fields below into the source code of your website."
-
-msgid "detail web tls caa label"
-msgstr "CAA web"
-
-msgid "detail mail tls caa label"
-msgstr "CAA mail"
-
-msgid "detail web tls caa tech table"
-msgstr "Findings"
-
-msgid "detail mail tls caa tech table"
-msgstr "Mail server|Findings"
-
-msgid "detail tech data caa caa_record"
-msgstr "caa record found: {record}"
-
-msgid "detail tech data caa invalid_property_syntax"
-msgstr "invalid_property_syntax name {property_name} value {property_value} invalid character {invalid_character} at pos {invalid_character_position}"
-
-msgid "detail tech data caa invalid_unknown_property"
-msgstr "invalid_unknown_property {value}"
-
-msgid "detail tech data caa invalid_reserved_property"
-msgstr "invalid_reserved_property {value}"
-
-msgid "detail tech data caa invalid_flags_reserved_bits"
-msgstr "invalid_flags_reserved_bits {value}"
-
-msgid "detail tech data caa invalid_property_issuemail_value"
-msgstr "invalid_property_issuemail_value {value}"
-
-msgid "detail tech data caa invalid_property_contactphone_value"
-msgstr "invalid_property_contactphone_value {value}"
-
-msgid "detail tech data caa invalid_property_contactemail_value"
-msgstr "invalid_property_contactemail_value {value}"
-
-msgid "detail tech data caa invalid_property_iodef_value"
-msgstr "invalid_property_iodef_value {value}"
-
-msgid "detail tech data caa invalid_property_issue_validation_method"
-msgstr "invalid_property_issue_validation_method {value}"
-
-msgid "detail tech data caa found_host"
-msgstr "found CAA on host {host}"
-
-msgid "detail tech data caa not_found"
-msgstr "CAA not found"