# checker-alias CNAME / DNAME / ALIAS chain checker for [happyDomain](https://www.happydomain.org/). Walks the alias chain of a name, validates hop count, TTLs, target resolvability, apex coexistence (RFC 1912 §2.4, RFC 1034 §3.6.2, RFC 2181 §10.1), DNAME substitutions, and DNSSEC signing of the CNAME RRset. ## Usage ### Standalone HTTP server ```bash # Build and run make ./checker-alias -listen :8080 ``` The server exposes: - `GET /health`: health check - `POST /collect`: collect alias observations (happyDomain external checker protocol) ### Docker ```bash make docker docker run -p 8080:8080 happydomain/checker-alias ``` ### happyDomain plugin ```bash make plugin # produces checker-alias.so, loadable by happyDomain as a Go plugin ``` The plugin exposes a `NewCheckerPlugin` symbol returning the checker definition and observation provider, which happyDomain registers in its global registries at load time. ### Versioning The binary, plugin, and Docker image embed a version string overridable at build time: ```bash make CHECKER_VERSION=1.2.3 make plugin CHECKER_VERSION=1.2.3 make docker CHECKER_VERSION=1.2.3 ``` ### happyDomain remote endpoint Set the `endpoint` admin option for the alias checker to the URL of the running checker-alias server (e.g., `http://checker-alias:8080`). happyDomain will delegate observation collection to this endpoint. ## Options | Id | Type | Default | Description | |---------------------------|------|---------|-----------------------------------------------------------------------------| | `maxChainLength` | uint | `8` | Above this number of hops the chain is reported as critical. | | `minTargetTTL` | uint | `60` | Hops with a TTL below this threshold are flagged as a warning. | | `requireResolvableTarget` | bool | `true` | When enabled, a final target with no A/AAAA is critical (otherwise warning).| | `allowApexCNAME` | bool | `false` | When enabled, a CNAME at apex is only a warning (RFC 1912 forbids it). | | `recognizeApexFlattening` | bool | `true` | Recognize provider-side ALIAS/ANAME flattening as informational. | ## Rules Each rule emits a finding code. Severity can be affected by the options above. | Code | Default severity | Condition | |------|-----------------|-----------| | `apex_lookup` | critical | Zone apex (SOA) cannot be located for the queried name. | | `chain_loop` | critical | A CNAME/DNAME cycle is detected in the resolution chain. | | `chain_length` | critical | The chain exceeds `maxChainLength` hops. | | `chain_query_error` | warning | A DNS query fails while walking the chain (network error, timeout). | | `chain_rcode` | critical (mid-chain) / warning (final) | A non-NOERROR response code is encountered during chain resolution or the final A/AAAA lookup. | | `hop_ttl` | warning | A CNAME/DNAME hop has a TTL below `minTargetTTL`. | | `cname_at_apex` | critical / warning with `allowApexCNAME` | A CNAME exists at the zone apex, conflicting with SOA/NS (RFC 1912 §2.4). | | `apex_flattening` | info | A/AAAA records coexist with SOA/NS at the apex without a CNAME, provider-side ALIAS/ANAME flattening. Only reported when `recognizeApexFlattening` is enabled. | | `cname_coexistence` | critical / warning with `allowApexCNAME` at apex | Other RRsets (beyond A/AAAA) coexist at a CNAME owner, violating RFC 1034 §3.6.2 / RFC 2181 §10.1. | | `cname_dnssec` | critical | The zone is DNSSEC-signed but the CNAME RRset at the queried name lacks an RRSIG. | | `target_resolvable` | critical / warning with `requireResolvableTarget=false` | The final target of the chain has no A or AAAA record. | | `multiple_records` | critical | An owner in the chain carries more than one CNAME/DNAME record (malformed). | ## License Licensed under the **MIT License** (see `LICENSE`).