Commit graph

11 commits

Author SHA1 Message Date
af0dceca6c checker: fail over to other auth servers on SERVFAIL/REFUSED
queryAtAuth already failed over on transport errors but treated any DNS
response as final, so a SERVFAIL from the first auth server terminated the
chain as Crit even when a sibling server would answer NOERROR. This made
the check flap against a flaky server. Treat SERVFAIL/REFUSED as transient
and try the remaining servers, returning a definitive answer when any
server gives one and only falling back to the transient response (or the
last transport error) when every server fails.
2026-06-18 09:47:28 +09:00
680a7735f0 checker: report chain transport errors as Unknown, not Warn
A transport-level query failure (connection refused, timeout, network
unreachable) means the alias state could not be observed, not that the
alias is misconfigured. Mapping it to Warn made the check flap whenever a
flaky auth server alternated between refusing connections (Warn) and
answering SERVFAIL (Crit). Report TermQueryErr as Unknown so only
definitive DNS evidence drives Warn/Crit.
2026-06-18 09:31:37 +09:00
0becf6bc8c checker: require SOA owner to match candidate in findApex
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/tag Build is passing
v0.3.1
A recursive resolver following a CNAME returns the target zone's SOA in
the answer, which made findApex wrongly treat a CNAME owner as an apex.
Only accept a SOA whose owner is the candidate itself.
2026-06-18 04:54:14 +09:00
c5c13960d5 checker: add dname_coexistence rule and refactor sibling probing
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/tag Build is passing
v0.3.0
Extract querySiblings from observeCoexistence so both CNAME and DNAME
coexistence checks share the same parallel RRset scan. Add
observeDNAMECoexistence (called from Collect) that populates
AliasData.DNAMECoexistence for each DNAME node in DNAMESubstitutions.
Add the dname_coexistence rule (RFC 6672 §2.3) that flags any sibling
RRsets at a DNAME owner as CRIT, with matching tests.
2026-05-16 21:36:20 +08:00
1493ef4d3f report: move synthetic ALIAS hop from collector to report view
All checks were successful
continuous-integration/drone/push Build is passing
2026-05-15 17:37:11 +08:00
52a3e56c4f checker: rework target_resolvable to check existence (NOERROR) instead of A/AAAA
2026-05-15 17:31:51 +08:00
56db4cc59d Go mod update
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/tag Build is passing
v0.2.0
2026-05-10 20:04:23 +08:00
fde892a958 Add CI/CD pipeline
Some checks failed
continuous-integration/drone/push Build is failing
2026-05-10 18:59:43 +08:00
23d2cafaad checker: build owner FQDN from subdomain + apex at service scope
2026-04-29 18:16:50 +07:00
496205e50e docker: add HEALTHCHECK probing /health
v0.1.0
The binary doubles as its own healthcheck client via the SDK's
-healthcheck flag, so the probe works in the scratch image
(no shell, no curl, no wget).
2026-04-26 19:42:18 +07:00
eea7e4e459 Initial commit
2026-04-26 19:42:18 +07:00