From 36289f7157c6df2c68b5fb62280e1a126867d48c Mon Sep 17 00:00:00 2001
From: Tom Limoncelli <tlimoncelli@stackoverflow.com>
Date: Fri, 5 Feb 2021 11:58:17 -0500
Subject: [PATCH] BUG: Labels that are FQDN can cause panics (#1040)

---
 pkg/normalize/validate.go | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/pkg/normalize/validate.go b/pkg/normalize/validate.go
index a3309cd30..1e9ca1f32 100644
--- a/pkg/normalize/validate.go
+++ b/pkg/normalize/validate.go
@@ -281,13 +281,29 @@ func ValidateAndNormalizeConfig(config *models.DNSConfig) (errs []error) {
 			if rec.TTL == 0 {
 				rec.TTL = models.DefaultTTL
 			}
+
+			// Canonicalize Label:
+			if rec.GetLabel() == (domain.Name + ".") {
+				// If label == ${domain}DOT, change to "@"
+				rec.SetLabel("@", domain.Name)
+			} else if lab, suf := rec.GetLabel(), "."+domain.Name+"."; strings.HasSuffix(lab, suf) {
+				// If label ends with DOT${domain}DOT, strip it to a short name.
+				rec.SetLabel(lab[:len(lab)-len(suf)], domain.Name)
+			}
+			// If label ends with dot, add to the list of errors.
+			if strings.HasSuffix(rec.GetLabel(), ".") {
+				errs = append(errs, fmt.Errorf("label %q does not match D(%q)", rec.GetLabel(), domain.Name))
+				return errs // Exit early.
+			}
+
 			// in-addr.arpa magic
 			if strings.HasSuffix(domain.Name, ".in-addr.arpa") || strings.HasSuffix(domain.Name, ".ip6.arpa") {
 				label := rec.GetLabel()
-				if label == domain.Name || strings.HasSuffix(label, "."+domain.Name) {
+				if strings.HasSuffix(label, "."+domain.Name) {
 					rec.SetLabel(label[0:(len(label)-len("."+domain.Name))], domain.Name)
 				}
 			}
+
 			// Validate the unmodified inputs:
 			if err := validateRecordTypes(rec, domain.Name, pTypes); err != nil {
 				errs = append(errs, err)