
Commit 91523be

authored
Merge pull request #1949 from drwetter/digrc_3.0
Ignore $HOME/.digrc (3.0)
2 parents a52b3b8 + 5562088 commit 91523be

1 file changed

Lines changed: 27 additions & 18 deletions


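--- a/testssl.sh
+++ b/testssl.sh
@@ -360,6 +360,8 @@ HAS_AES128_GCM=false
 HAS_AES256_GCM=false
 HAS_ZLIB=false
 HAS_DIG=false
+HAS_DIG_R=true
+DIG_R="-r"
 HAS_HOST=false
 HAS_DRILL=false
 HAS_NSLOOKUP=false
@@ -17411,6 +17413,7 @@ HAS_IDN: $HAS_IDN
 HAS_IDN2: $HAS_IDN2
 HAS_AVAHIRESOLVE: $HAS_AVAHIRESOLVE
 HAS_DIG_NOIDNOUT: $HAS_DIG_NOIDNOUT
+HAS_DIG_R: $HAS_DIG_R
 
 PATH: $PATH
 PROG_NAME: $PROG_NAME
@@ -17857,12 +17860,18 @@ check_resolver_bins() {
 type -p idn &>/dev/null && HAS_IDN=true
 type -p idn2 &>/dev/null && HAS_IDN2=true
 
+# Old dig versions don't have an option to ignore $HOME/.digrc
+if dig -r 2>&1 | grep -qiE 'invalid|usage'; then
+HAS_DIG_R=false
+DIG_R=""
+fi
+
 OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
 if ! "$HAS_DIG" && ! "$HAS_HOST" && ! "$HAS_DRILL" && ! "$HAS_NSLOOKUP"; then
 fatal "Neither \"dig\", \"host\", \"drill\" or \"nslookup\" is present" $ERR_DNSBIN
 fi
 if "$HAS_DIG"; then
-if dig +noidnout -t a 2>&1 | grep -Eq 'Invalid option: \+noidnout|IDN support not enabled'; then
+if dig $DIG_R +noidnout -t a 2>&1 | grep -Eq 'Invalid option: \+noidnout|IDN support not enabled'; then
 :
 else
 HAS_DIG_NOIDNOUT=true
@@ -17896,20 +17905,20 @@ get_a_record() {
 if "$HAS_AVAHIRESOLVE"; then
 ip4=$(filter_ip4_address $(avahi-resolve -4 -n "$1" 2>/dev/null | awk '{ print $2 }'))
 elif "$HAS_DIG"; then
-ip4=$(filter_ip4_address $(dig @224.0.0.251 -p 5353 +short -t a +notcp "$1" 2>/dev/null | sed '/^;;/d'))
+ip4=$(filter_ip4_address $(dig $DIG_R @224.0.0.251 -p 5353 +short -t a +notcp "$1" 2>/dev/null | sed '/^;;/d'))
 else
 fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
 fi
 fi
-if [[ -z "$ip4" ]] && "$HAS_DIG"; then
-ip4=$(filter_ip4_address $(dig +short +timeout=2 +tries=2 $noidnout -t a "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
-fi
 if [[ -z "$ip4" ]] && "$HAS_HOST"; then
 ip4=$(filter_ip4_address $(host -t a "$1" 2>/dev/null | awk '/address/ { print $NF }'))
 fi
 if [[ -z "$ip4" ]] && "$HAS_DRILL"; then
 ip4=$(filter_ip4_address $(drill a "$1" | awk '/ANSWER SECTION/,/AUTHORITY SECTION/ { print $NF }' | awk '/^[0-9]/'))
 fi
+if [[ -z "$ip4" ]] && "$HAS_DIG"; then
+ip4=$(filter_ip4_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t a "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
+fi
 if [[ -z "$ip4" ]] && "$HAS_NSLOOKUP"; then
 ip4=$(filter_ip4_address $(strip_lf "$(nslookup -querytype=a "$1" 2>/dev/null | awk '/^Name/ { getline; print $NF }')"))
 fi
@@ -17940,16 +17949,16 @@ get_aaaa_record() {
 if "$HAS_AVAHIRESOLVE"; then
 ip6=$(filter_ip6_address $(avahi-resolve -6 -n "$1" 2>/dev/null | awk '{ print $2 }'))
 elif "$HAS_DIG"; then
-ip6=$(filter_ip6_address $(dig @ff02::fb -p 5353 -t aaaa +short +notcp "$NODE"))
+ip6=$(filter_ip6_address $(dig $DIG_R @ff02::fb -p 5353 -t aaaa +short +notcp "$NODE"))
 else
 fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
 fi
-elif "$HAS_DIG"; then
-ip6=$(filter_ip6_address $(dig +short +timeout=2 +tries=2 $noidnout -t aaaa "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
 elif "$HAS_HOST"; then
 ip6=$(filter_ip6_address $(host -t aaaa "$1" | awk '/address/ { print $NF }'))
 elif "$HAS_DRILL"; then
 ip6=$(filter_ip6_address $(drill aaaa "$1" | awk '/ANSWER SECTION/,/AUTHORITY SECTION/ { print $NF }' | awk '/^[0-9]/'))
+elif "$HAS_DIG"; then
+ip6=$(filter_ip6_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t aaaa "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
 elif "$HAS_NSLOOKUP"; then
 ip6=$(filter_ip6_address $(strip_lf "$(nslookup -type=aaaa "$1" 2>/dev/null | awk '/'"^${a}"'.*AAAA/ { print $NF }')"))
 fi
@@ -17979,16 +17988,16 @@ get_caa_rr_record() {
 # for dig +short the output always starts with '0 issue [..]' or '\# 19 [..]' so we normalize thereto to keep caa_flag, caa_property
 # caa_property then has key/value pairs, see https://tools.ietf.org/html/rfc6844#section-3
 OPENSSL_CONF=""
-if "$HAS_DIG"; then
-raw_caa="$(dig +short +timeout=3 +tries=3 $noidnout type257 "$1" 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
-# empty if no CAA record
-elif "$HAS_DRILL"; then
+if "$HAS_DRILL"; then
 raw_caa="$(drill $1 type257 | awk '/'"^${1}"'.*CAA/ { print $5,$6,$7 }')"
 elif "$HAS_HOST"; then
 raw_caa="$(host -t type257 $1)"
 if grep -Ewvq "has no CAA|has no TYPE257" <<< "$raw_caa"; then
 raw_caa="$(sed -e 's/^.*has CAA record //' -e 's/^.*has TYPE257 record //' <<< "$raw_caa")"
 fi
+elif "$HAS_DIG"; then
+raw_caa="$(dig $DIG_R +short +timeout=3 +tries=3 $noidnout type257 "$1" 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
+# empty if no CAA record
 elif "$HAS_NSLOOKUP"; then
 raw_caa="$(strip_lf "$(nslookup -type=type257 $1 | grep -w rdata_257)")"
 if [[ -n "$raw_caa" ]]; then
@@ -18050,10 +18059,10 @@ get_mx_record() {
 # we need the last two columns here
 if "$HAS_HOST"; then
 mxs="$(host -t MX "$1" 2>/dev/null | awk '/is handled by/ { print $(NF-1), $NF }')"
-elif "$HAS_DIG"; then
-mxs="$(dig +short $noidnout -t MX "$1" 2>/dev/null | awk '/^[0-9]/ { print $1" "$2 }')"
 elif "$HAS_DRILL"; then
 mxs="$(drill mx $1 | awk '/IN[ \t]MX[ \t]+/ { print $(NF-1), $NF }')"
+elif "$HAS_DIG"; then
+mxs="$(dig $DIG_R +short $noidnout -t MX "$1" 2>/dev/null | awk '/^[0-9]/ { print $1" "$2 }')"
 elif "$HAS_NSLOOKUP"; then
 mxs="$(strip_lf "$(nslookup -type=MX "$1" 2>/dev/null | awk '/mail exchanger/ { print $(NF-1), $NF }')")"
 else
@@ -18150,15 +18159,15 @@ determine_rdns() {
 if "$HAS_AVAHIRESOLVE"; then
 rDNS=$(avahi-resolve -a $nodeip 2>/dev/null | awk '{ print $2 }')
 elif "$HAS_DIG"; then
-rDNS=$(dig -x $nodeip @224.0.0.251 -p 5353 +notcp +noall +answer +short | awk '{ print $1 }')
+rDNS=$(dig $DIG_R -x $nodeip @224.0.0.251 -p 5353 +notcp +noall +answer +short | awk '{ print $1 }')
 fi
-elif "$HAS_DIG"; then
-# 1+2 should suffice. It's a compromise for if e.g. network is down but we have a docker/localhost server
-rDNS=$(dig -x $nodeip +timeout=1 +tries=2 +noall +answer +short | awk '{ print $1 }') # +short returns also CNAME, e.g. openssl.org
 elif "$HAS_HOST"; then
 rDNS=$(host -t PTR $nodeip 2>/dev/null | awk '/pointer/ { print $NF }')
 elif "$HAS_DRILL"; then
 rDNS=$(drill -x ptr $nodeip 2>/dev/null | awk '/ANSWER SECTION/ { getline; print $NF }')
+elif "$HAS_DIG"; then
+# 1+2 should suffice. It's a compromise for if e.g. network is down but we have a docker/localhost server
+rDNS=$(dig $DIG_R -x $nodeip +timeout=1 +tries=2 +noall +answer +short | awk '{ print $1 }') # +short returns also CNAME, e.g. openssl.org
 elif "$HAS_NSLOOKUP"; then
 rDNS=$(strip_lf "$(nslookup -type=PTR $nodeip 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')")
 fi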
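Review bot: The `-r` probe added in check_resolver_bins runs `dig -r` with no query name, so on a dig that accepts `-r` it performs a real lookup against the system resolver (dig's default query when given no name) and can stall for dig's full timeout/retry budget when the network is down or filtered; it also runs when dig is not installed at all, in which case the "command not found" text does not match and `DIG_R` stays `-r`, which is harmless only because dig is then never invoked. Gating the probe on `"$HAS_DIG"` and pairing `-r` with a flag that exits before any query, e.g. `if "$HAS_DIG" && dig -r -v 2>&1 | grep -qiE 'invalid|usage'; then` (assuming `-v`, print version and exit, is accepted by the dig versions in scope), keeps the detection offline and deterministic. The dig branches in get_aaaa_record, get_caa_rr_record, get_mx_record and determine_rdns are also moved behind host and drill, which changes resolver precedence for every installation rather than only those where a `.digrc` cannot be ignored; presumably that is intended, so a comment next to the declaration such as `# dig is tried after host/drill: older digs cannot ignore $HOME/.digrc (see check_resolver_bins)` would record the reason for the next reader. check_resolver_bins and the other functions start outside their hunks.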
