And log it with CAA logs

aarongable · aarongable · commit 9cb7334f4470 · 2025-10-24T16:39:02.000-07:00
diff --git a/va/caa.go b/va/caa.go
@@ -154,13 +154,13 @@ func (va *ValidationAuthorityImpl) checkCAA(
 		return errors.New("expected validationMethod or accountURIID not provided to checkCAA")
 	}
 
-	foundAt, valid, response, err := va.checkCAARecords(ctx, ident, params)
+	foundAt, valid, response, ad, err := va.checkCAARecords(ctx, ident, params)
 	if err != nil {
 		return berrors.DNSError("%s", err)
 	}
 
-	va.log.AuditInfof("Checked CAA records for %s, [Present: %t, Account ID: %d, Challenge: %s, Valid for issuance: %t, Found at: %q] Response=%q",
-		ident.Value, foundAt != "", params.accountURIID, params.validationMethod, valid, foundAt, response)
+	va.log.AuditInfof("Checked CAA records for %s, [Present: %t, Account ID: %d, Challenge: %s, Valid for issuance: %t, Found at: %q, AD: %t] Response=%q",
+		ident.Value, foundAt != "", params.accountURIID, params.validationMethod, valid, foundAt, ad, response)
 	if !valid {
 		return berrors.CAAError("CAA record for %s prevents issuance", foundAt)
 	}
@@ -306,7 +306,7 @@ func (va *ValidationAuthorityImpl) getCAA(ctx context.Context, hostname string)
 func (va *ValidationAuthorityImpl) checkCAARecords(
 	ctx context.Context,
 	ident identifier.ACMEIdentifier,
-	params *caaParams) (string, bool, string, error) {
+	params *caaParams) (string, bool, string, bool, error) {
 	hostname := strings.ToLower(ident.Value)
 	// If this is a wildcard name, remove the prefix
 	var wildcard bool
@@ -316,14 +316,16 @@ func (va *ValidationAuthorityImpl) checkCAARecords(
 	}
 	caaSet, err := va.getCAA(ctx, hostname)
 	if err != nil {
-		return "", false, "", err
+		return "", false, "", false, err
 	}
 	raw := ""
+	ad := false
 	if caaSet != nil {
 		raw = caaSet.dig
+		ad = caaSet.ad
 	}
 	valid, foundAt := va.validateCAA(caaSet, wildcard, params)
-	return foundAt, valid, raw, nil
+	return foundAt, valid, raw, ad, nil
 }
 
 // validateCAA checks a provided *caaResult. When the wildcard argument is true
diff --git a/va/caa_test.go b/va/caa_test.go
@@ -424,7 +424,7 @@ func TestCAAChecking(t *testing.T) {
 		defer mockLog.Clear()
 		t.Run(caaTest.Name, func(t *testing.T) {
 			ident := identifier.NewDNS(caaTest.Domain)
-			foundAt, valid, _, err := va.checkCAARecords(ctx, ident, params)
+			foundAt, valid, _, _, err := va.checkCAARecords(ctx, ident, params)
 			if err != nil {
 				t.Errorf("checkCAARecords error for %s: %s", caaTest.Domain, err)
 			}

Original file line number	Diff line number	Diff line change
`@@ -424,7 +424,7 @@ func TestCAAChecking(t *testing.T) {`
`424`	`424`	`defer mockLog.Clear()`
`425`	`425`	`t.Run(caaTest.Name, func(t *testing.T) {`
`426`	`426`	`ident := identifier.NewDNS(caaTest.Domain)`
`427`		`- foundAt, valid, _, err := va.checkCAARecords(ctx, ident, params)`
	`427`	`+ foundAt, valid, _, _, err := va.checkCAARecords(ctx, ident, params)`
`428`	`428`	`if err != nil {`
`429`	`429`	`t.Errorf("checkCAARecords error for %s: %s", caaTest.Domain, err)`
`430`	`430`	`}`