Query DNS to Determine Apex Domains

lib/github-pages-health-check/domain.rb

@@ -85,7 +85,7 @@ class Domain < Checkable
         cname_to_fastly? pointed_to_github_pages_ip?
         non_github_pages_ip_present? pages_domain?
         served_by_pages? valid? reason valid_domain? https?
-        enforces_https? https_error https_eligible? caa_error dns_zone_soa?
+        enforces_https? https_error https_eligible? caa_error dns_zone_soa? dns_zone_ns?
       ].freeze
 
       def self.redundant(host)
@@ -165,7 +165,9 @@ def valid_domain?
       def apex_domain?
         return @apex_domain if defined?(@apex_domain)
 
-        return unless valid_domain?
+        return false unless valid_domain?
+
+        return true if dns_zone_soa? && dns_zone_ns?
 
         # PublicSuffix.domain pulls out the apex-level domain name.
         # E.g. PublicSuffix.domain("techblog.netflix.com") # => "netflix.com"
@@ -178,17 +180,27 @@ def apex_domain?
                             :ignore_private => true) == unicode_host
       end
 
-      # Does the domain have an SOA record published?
       #
-      # Callers should be aware that this can return truthy for domains that
-      # are not apex-level (i.e. subdomain.apex.com).
+      # Does the domain have an associated SOA record?
+      #
       def dns_zone_soa?
         return @soa_records if defined?(@soa_records)
         return false unless dns?
 
-        @soa_records = begin
-          soa_records = dns.select { |answer| answer.type == Dnsruby::Types::SOA }
-          soa_records.any?
+        @soa_records = dns.any? do |answer|
+          answer.type == Dnsruby::Types::SOA && answer.name.to_s == host
+        end
+      end
+
+      #
+      # Does the domain have assoicated NS records?
+      #
+      def dns_zone_ns?
+        return @ns_records if defined?(@ns_records)
+        return false unless dns?
+
+        @ns_records = dns.any? do |answer|
+          answer.type == Dnsruby::Types::NS && answer.name.to_s == host
         end
       end
 
@@ -294,6 +306,7 @@ def proxied?
         Dnsruby::Types::AAAA,
         Dnsruby::Types::CNAME,
         Dnsruby::Types::MX,
+        Dnsruby::Types::NS,
         Dnsruby::Types::SOA
       ].freeze
 

lib/github-pages-health-check/version.rb

@@ -2,6 +2,6 @@
 
 module GitHubPages
   module HealthCheck
-    VERSION = "1.17.5"
+    VERSION = "1.17.6"
   end
 end

spec/github_pages_health_check/domain_spec.rb

@@ -26,6 +26,9 @@
   let(:soa_packet) do
     Dnsruby::RR.create("#{domain}. 1000 IN SOA ns.example.com. #{domain.inspect}")
   end
+  let(:ns_packet) do
+    Dnsruby::RR.create("#{domain}. 1000 IN NS ns.example.com.")
+  end
 
   context "constructor" do
     it "can handle bare domains" do
@@ -239,8 +242,10 @@
     end
 
     context "apex records" do
-      ["parkermoore.de", "bbc.co.uk"].each do |apex_domain|
-        context "given #{apex_domain}" do
+      ["parkermoore.de", "bbc.co.uk", "techblog.netflix.com"].each do |apex_domain|
+        context "given domain: #{apex_domain} with SOA" do
+          before(:each) { allow(subject).to receive(:dns) { [soa_packet, ns_packet] } }
+
           let(:domain) { apex_domain }
 
           it "knows it should be an a record" do
@@ -262,11 +267,11 @@
 
       ["private.dns.zone"].each do |soa_domain|
         context "given #{soa_domain}" do
-          before(:each) { allow(subject).to receive(:dns) { [soa_packet] } }
+          before(:each) { allow(subject).to receive(:dns) { [soa_packet, ns_packet] } }
           let(:domain) { soa_domain }
 
-          it "disallows child zones with an SOA to be an Apex" do
-            expect(subject.should_be_a_record?).to be_falsy
+          it "allows child zones with an SOA to be an Apex" do
+            expect(subject.should_be_a_record?).to eq(true)
           end
 
           it "reports whether child zones publish an SOA record" do