Initial commit

checker/collect.go

@@ -0,0 +1,282 @@
+package checker
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+	tlscontract "git.happydns.org/checker-tls/contract"
+)
+
+// tlsaOwner matches the "_<port>._<proto>.<base>" TLSA owner-name pattern.
+// The base group is whatever the happyDomain analyzer bucketed the TLSAs
+// under; when empty, the TLSAs live directly under the zone apex.
+var tlsaOwner = regexp.MustCompile(`^_(\d+)\._(tcp|udp)(?:\.(.*))?$`)
+
+// tlsaOwnerName builds the canonical "_<port>._<proto>.<base>" owner name.
+// When base is empty (TLSA records sit directly at the zone apex of an
+// otherwise-unspecified host), the trailing label is omitted so the result
+// is still a syntactically valid relative name rather than "_443._tcp.".
+func tlsaOwnerName(port uint16, proto, base string) string {
+	base = strings.TrimSuffix(base, ".")
+	if base == "" {
+		return fmt.Sprintf("_%d._%s", port, proto)
+	}
+	return fmt.Sprintf("_%d._%s.%s", port, proto, base)
+}
+
+// starttlsKey is the "<port>/<proto>" lookup key used in OptionSTARTTLS.
+func starttlsKey(port uint16, proto string) string {
+	return fmt.Sprintf("%d/%s", port, proto)
+}
+
+// serviceMessage mirrors the on-wire happydns.ServiceMessage shape, kept
+// local so this module does not depend on happyDomain core. Same pattern
+// as checker-caa/checker/collect.go.
+type serviceMessage struct {
+	Type    string          `json:"_svctype"`
+	Domain  string          `json:"_domain"`
+	Service json.RawMessage `json:"Service"`
+}
+
+// tlsasPayload mirrors the JSON shape of svcs.TLSAs (services/tlsa.go).
+type tlsasPayload struct {
+	Records []tlsaRecord `json:"tlsa"`
+}
+
+// tlsaRecord decodes one dns.TLSA as serialized by miekg/dns. The Hdr.Name
+// is how we learn which endpoint each record applies to; Certificate is
+// already a lowercase-hex string as miekg/dns emits it.
+type tlsaRecord struct {
+	Hdr struct {
+		Name string `json:"Name"`
+	} `json:"Hdr"`
+	Usage        uint8  `json:"Usage"`
+	Selector     uint8  `json:"Selector"`
+	MatchingType uint8  `json:"MatchingType"`
+	Certificate  string `json:"Certificate"`
+}
+
+// defaultSTARTTLS maps common ports to the STARTTLS service name checker-tls
+// expects. Endpoints not covered default to direct TLS; the user can override
+// explicitly via the OptionSTARTTLS map.
+var defaultSTARTTLS = map[uint16]string{
+	25:   "smtp",
+	110:  "pop3",
+	143:  "imap",
+	389:  "ldap",
+	587:  "submission",
+	5222: "xmpp-client",
+	5269: "xmpp-server",
+}
+
+// Collect walks the bound TLSAs service, groups records by (port, proto,
+// base), emits one tls.endpoint.v1 discovery entry per group so checker-tls
+// probes each of them, and returns DANEData with the user's TLSA records.
+// No TLSA matching happens here; that's the rule's job: it reads the TLS
+// chain via obs.GetRelated on the next evaluation.
+func (p *daneProvider) Collect(ctx context.Context, opts sdk.CheckerOptions) (any, error) {
+	if err := ctx.Err(); err != nil {
+		return nil, err
+	}
+	svc, err := serviceFromOptions(opts)
+	if err != nil {
+		return nil, err
+	}
+	if svc.Type != serviceType {
+		return nil, fmt.Errorf("service is %q, expected %q", svc.Type, serviceType)
+	}
+
+	var pl tlsasPayload
+	if err := json.Unmarshal(svc.Service, &pl); err != nil {
+		return nil, fmt.Errorf("decode TLSAs service: %w", err)
+	}
+
+	apex, _ := sdk.GetOption[string](opts, OptionDomain)
+	apex = strings.TrimSuffix(apex, ".")
+	subdomain, _ := sdk.GetOption[string](opts, OptionSubdomain)
+	subdomain = strings.TrimSuffix(subdomain, ".")
+
+	// STARTTLS overrides: map of "port/proto" → service name.
+	var starttlsOverride map[string]string
+	if v, ok := opts[OptionSTARTTLS]; ok {
+		raw, _ := json.Marshal(v)
+		_ = json.Unmarshal(raw, &starttlsOverride)
+	}
+
+	// Group records by endpoint key.
+	type key struct {
+		Port  uint16
+		Proto string
+		Base  string // base host, fully-qualified without trailing dot
+	}
+	groups := map[key][]TLSARecord{}
+	var invalid []InvalidRecord
+	for _, r := range pl.Records {
+		owner := strings.TrimSuffix(r.Hdr.Name, ".")
+		m := tlsaOwner.FindStringSubmatch(owner)
+		if len(m) != 4 {
+			invalid = append(invalid, InvalidRecord{
+				Owner:  owner,
+				Reason: "owner name does not match _<port>._<tcp|udp>[.<base>]",
+			})
+			continue
+		}
+		port64, err := strconv.ParseUint(m[1], 10, 16)
+		if err != nil || port64 == 0 {
+			invalid = append(invalid, InvalidRecord{
+				Owner:  owner,
+				Reason: fmt.Sprintf("port %q out of range (1-65535)", m[1]),
+			})
+			continue
+		}
+		base := m[3]
+		// Resolve base relative to the apex: TLSA owners in the service
+		// are typically stored relative to the service's subdomain
+		// bucket. Fall back to the apex when unspecified.
+		base = joinName(base, subdomain, apex)
+		if base == "" {
+			invalid = append(invalid, InvalidRecord{
+				Owner:  owner,
+				Reason: "could not resolve a host name (apex and subdomain both empty)",
+			})
+			continue
+		}
+
+		k := key{Port: uint16(port64), Proto: m[2], Base: base}
+		groups[k] = append(groups[k], TLSARecord{
+			Usage:        r.Usage,
+			Selector:     r.Selector,
+			MatchingType: r.MatchingType,
+			Certificate:  strings.ToLower(strings.TrimSpace(r.Certificate)),
+		})
+	}
+
+	// Deterministic output ordering keeps diffs quiet across runs.
+	keys := make([]key, 0, len(groups))
+	for k := range groups {
+		keys = append(keys, k)
+	}
+	sort.Slice(keys, func(i, j int) bool {
+		if keys[i].Base != keys[j].Base {
+			return keys[i].Base < keys[j].Base
+		}
+		if keys[i].Port != keys[j].Port {
+			return keys[i].Port < keys[j].Port
+		}
+		return keys[i].Proto < keys[j].Proto
+	})
+
+	targets := make([]TargetResult, 0, len(keys))
+	for _, k := range keys {
+		starttls := defaultSTARTTLS[k.Port]
+		if v, ok := starttlsOverride[starttlsKey(k.Port, k.Proto)]; ok {
+			starttls = v
+		}
+		t := TargetResult{
+			Owner:    tlsaOwnerName(k.Port, k.Proto, k.Base),
+			Host:     k.Base,
+			Port:     k.Port,
+			Proto:    k.Proto,
+			STARTTLS: starttls,
+			Records:  groups[k],
+		}
+		t.Ref = tlscontract.Ref(endpointFromTarget(t))
+		targets = append(targets, t)
+	}
+
+	data := &DANEData{
+		Targets:     targets,
+		Invalid:     invalid,
+		CollectedAt: time.Now().UTC(),
+	}
+	if v, ok := opts[OptionDNSSECValidated]; ok {
+		if b, ok := v.(bool); ok {
+			data.DNSSECValidated = &b
+		}
+	}
+	return data, nil
+}
+
+// endpointFromTarget builds the TLSEndpoint for a collected target.
+func endpointFromTarget(t TargetResult) tlscontract.TLSEndpoint {
+	return tlscontract.TLSEndpoint{
+		Host:     t.Host,
+		Port:     t.Port,
+		SNI:      t.Host,
+		STARTTLS: t.STARTTLS,
+		// RFC 7672 §2.2: when a TLSA record exists for an SMTP service, the
+		// receiving MTA MUST use STARTTLS. The whole point of DANE on port 25
+		// is to defeat STARTTLS-stripping downgrade attacks, so the presence
+		// of TLSA records here flips the connection from opportunistic to
+		// mandatory.
+		RequireSTARTTLS: t.STARTTLS != "",
+	}
+}
+
+// DiscoverEntries publishes one tls.endpoint.v1 entry per target so
+// checker-tls probes them in its next cycle. Implements sdk.DiscoveryPublisher.
+func (p *daneProvider) DiscoverEntries(data any) ([]sdk.DiscoveryEntry, error) {
+	d, ok := data.(*DANEData)
+	if !ok || d == nil {
+		return nil, nil
+	}
+	out := make([]sdk.DiscoveryEntry, 0, len(d.Targets))
+	for _, t := range d.Targets {
+		entry, err := tlscontract.NewEntry(endpointFromTarget(t))
+		if err != nil {
+			return nil, err
+		}
+		out = append(out, entry)
+	}
+	return out, nil
+}
+
+// serviceFromOptions extracts and decodes the happyDomain service payload.
+func serviceFromOptions(opts sdk.CheckerOptions) (*serviceMessage, error) {
+	v, ok := opts[OptionService]
+	if !ok {
+		return nil, fmt.Errorf("service option missing")
+	}
+	raw, err := json.Marshal(v)
+	if err != nil {
+		return nil, fmt.Errorf("marshal service option: %w", err)
+	}
+	var svc serviceMessage
+	if err := json.Unmarshal(raw, &svc); err != nil {
+		return nil, fmt.Errorf("decode service option: %w", err)
+	}
+	return &svc, nil
+}
+
+// joinName resolves a possibly-relative TLSA base name against the service's
+// subdomain bucket and the zone apex, returning a fully-qualified host name
+// without trailing dot. An empty base means "the subdomain/apex itself".
+func joinName(base, subdomain, apex string) string {
+	base = strings.TrimSuffix(base, ".")
+	// Absolute match to apex: return apex; otherwise treat as relative.
+	if base == "" {
+		if subdomain != "" {
+			return strings.TrimSuffix(subdomain+"."+apex, ".")
+		}
+		return apex
+	}
+	// If base already ends with apex (fully qualified), keep as-is.
+	if apex != "" && (base == apex || strings.HasSuffix(base, "."+apex)) {
+		return base
+	}
+	// Otherwise, base is relative to the subdomain bucket (or apex).
+	if subdomain != "" {
+		return strings.TrimSuffix(base+"."+subdomain+"."+apex, ".")
+	}
+	if apex != "" {
+		return base + "." + apex
+	}
+	return base
+}

checker/collect_test.go

@@ -0,0 +1,226 @@
+package checker
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+func makeOpts(t *testing.T, apex, subdomain string, records []map[string]any, starttls map[string]string) sdk.CheckerOptions {
+	t.Helper()
+	svc := map[string]any{
+		"_svctype": serviceType,
+		"_domain":  apex,
+		"Service":  map[string]any{"tlsa": records},
+	}
+	opts := sdk.CheckerOptions{
+		OptionDomain:  apex,
+		OptionService: svc,
+	}
+	if subdomain != "" {
+		opts[OptionSubdomain] = subdomain
+	}
+	if starttls != nil {
+		opts[OptionSTARTTLS] = starttls
+	}
+	return opts
+}
+
+func tlsaRR(owner string, usage, selector, mtype int, cert string) map[string]any {
+	return map[string]any{
+		"Hdr":          map[string]any{"Name": owner},
+		"Usage":        usage,
+		"Selector":     selector,
+		"MatchingType": mtype,
+		"Certificate":  cert,
+	}
+}
+
+func TestCollect_GroupsByEndpoint(t *testing.T) {
+	t.Parallel()
+	opts := makeOpts(t, "example.com.", "", []map[string]any{
+		tlsaRR("_443._tcp.example.com.", 3, 1, 1, "AABB"),
+		tlsaRR("_443._tcp.example.com.", 3, 1, 1, "CCDD"),
+		tlsaRR("_25._tcp.mail.example.com.", 3, 1, 1, "EEFF"),
+	}, nil)
+	p := &daneProvider{}
+	out, err := p.Collect(context.Background(), opts)
+	if err != nil {
+		t.Fatalf("err=%v", err)
+	}
+	d := out.(*DANEData)
+	if len(d.Targets) != 2 {
+		t.Fatalf("targets=%d want 2", len(d.Targets))
+	}
+	// Sorted by base alphabetically: example.com < mail.example.com.
+	if d.Targets[0].Host != "example.com" || d.Targets[0].Port != 443 {
+		t.Errorf("sort[0]: %+v", d.Targets[0])
+	}
+	if d.Targets[1].Host != "mail.example.com" || d.Targets[1].Port != 25 {
+		t.Errorf("sort[1]: %+v", d.Targets[1])
+	}
+	// Two records on the 443 endpoint
+	if len(d.Targets[0].Records) != 2 {
+		t.Errorf("443 records=%d want 2", len(d.Targets[0].Records))
+	}
+	// Certificate hex was lowercased
+	if d.Targets[0].Records[0].Certificate != "aabb" {
+		t.Errorf("expected lowercased cert, got %q", d.Targets[0].Records[0].Certificate)
+	}
+}
+
+func TestCollect_DefaultSTARTTLS(t *testing.T) {
+	t.Parallel()
+	opts := makeOpts(t, "example.com", "", []map[string]any{
+		tlsaRR("_25._tcp.mail.example.com", 3, 1, 1, "00"),
+		tlsaRR("_443._tcp.example.com", 3, 1, 1, "00"),
+		tlsaRR("_587._tcp.mail.example.com", 3, 1, 1, "00"),
+	}, nil)
+	out, err := (&daneProvider{}).Collect(context.Background(), opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+	d := out.(*DANEData)
+	got := map[uint16]string{}
+	for _, t := range d.Targets {
+		got[t.Port] = t.STARTTLS
+	}
+	if got[25] != "smtp" {
+		t.Errorf("port 25 starttls=%q want smtp", got[25])
+	}
+	if got[443] != "" {
+		t.Errorf("port 443 starttls=%q want empty (direct TLS)", got[443])
+	}
+	if got[587] != "submission" {
+		t.Errorf("port 587 starttls=%q want submission", got[587])
+	}
+}
+
+func TestCollect_STARTTLSOverride(t *testing.T) {
+	t.Parallel()
+	opts := makeOpts(t, "example.com", "", []map[string]any{
+		tlsaRR("_25._tcp.mail.example.com", 3, 1, 1, "00"),
+	}, map[string]string{"25/tcp": "lmtp"})
+	out, err := (&daneProvider{}).Collect(context.Background(), opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+	d := out.(*DANEData)
+	if d.Targets[0].STARTTLS != "lmtp" {
+		t.Errorf("override: starttls=%q want lmtp", d.Targets[0].STARTTLS)
+	}
+}
+
+func TestCollect_MalformedOwnerSurfaced(t *testing.T) {
+	t.Parallel()
+	opts := makeOpts(t, "example.com", "", []map[string]any{
+		tlsaRR("totally-invalid", 3, 1, 1, "00"),
+		tlsaRR("_99999._tcp.example.com", 3, 1, 1, "00"), // port > 65535
+		tlsaRR("_443._tcp.example.com", 3, 1, 1, "AA"),
+	}, nil)
+	out, err := (&daneProvider{}).Collect(context.Background(), opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+	d := out.(*DANEData)
+	if len(d.Targets) != 1 {
+		t.Errorf("expected one well-formed target, got %d", len(d.Targets))
+	}
+	if len(d.Invalid) != 2 {
+		t.Errorf("expected 2 invalid entries, got %d (%+v)", len(d.Invalid), d.Invalid)
+	}
+}
+
+func TestCollect_BaseRelativeToSubdomain(t *testing.T) {
+	t.Parallel()
+	opts := makeOpts(t, "example.com", "mail", []map[string]any{
+		// Owner has no base, so the records live on the subdomain itself.
+		tlsaRR("_25._tcp", 3, 1, 1, "AA"),
+	}, nil)
+	out, err := (&daneProvider{}).Collect(context.Background(), opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+	d := out.(*DANEData)
+	if len(d.Targets) != 1 {
+		t.Fatalf("targets=%d", len(d.Targets))
+	}
+	if d.Targets[0].Host != "mail.example.com" {
+		t.Errorf("host=%q want mail.example.com", d.Targets[0].Host)
+	}
+	if d.Targets[0].Owner != "_25._tcp.mail.example.com" {
+		t.Errorf("owner=%q", d.Targets[0].Owner)
+	}
+}
+
+func TestCollect_WrongServiceType(t *testing.T) {
+	t.Parallel()
+	svc := map[string]any{
+		"_svctype": "svcs.NotTLSAs",
+		"Service":  map[string]any{"tlsa": []any{}},
+	}
+	opts := sdk.CheckerOptions{OptionDomain: "example.com", OptionService: svc}
+	if _, err := (&daneProvider{}).Collect(context.Background(), opts); err == nil {
+		t.Error("expected error on wrong service type")
+	}
+}
+
+func TestCollect_MissingService(t *testing.T) {
+	t.Parallel()
+	opts := sdk.CheckerOptions{OptionDomain: "example.com"}
+	if _, err := (&daneProvider{}).Collect(context.Background(), opts); err == nil {
+		t.Error("expected error on missing service")
+	}
+}
+
+func TestCollect_DiscoverEntries(t *testing.T) {
+	t.Parallel()
+	opts := makeOpts(t, "example.com", "", []map[string]any{
+		tlsaRR("_443._tcp.example.com", 3, 1, 1, "AA"),
+		tlsaRR("_25._tcp.mail.example.com", 3, 1, 1, "BB"),
+	}, nil)
+	p := &daneProvider{}
+	data, err := p.Collect(context.Background(), opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+	entries, err := p.DiscoverEntries(data)
+	if err != nil {
+		t.Fatalf("err=%v", err)
+	}
+	if len(entries) != 2 {
+		t.Errorf("entries=%d want 2", len(entries))
+	}
+
+	// Nil/wrong type returns nil, nil (defensive).
+	if got, err := p.DiscoverEntries(nil); err != nil || got != nil {
+		t.Errorf("nil: got=%v err=%v", got, err)
+	}
+	if got, err := p.DiscoverEntries("not a *DANEData"); err != nil || got != nil {
+		t.Errorf("wrong type: got=%v err=%v", got, err)
+	}
+}
+
+func TestCollect_DeterministicOutput(t *testing.T) {
+	t.Parallel()
+	opts := makeOpts(t, "example.com", "", []map[string]any{
+		tlsaRR("_25._tcp.b.example.com", 3, 1, 1, "AA"),
+		tlsaRR("_25._tcp.a.example.com", 3, 1, 1, "BB"),
+		tlsaRR("_443._tcp.a.example.com", 3, 1, 1, "CC"),
+	}, nil)
+	var prev []byte
+	for i := range 3 {
+		out, err := (&daneProvider{}).Collect(context.Background(), opts)
+		if err != nil {
+			t.Fatal(err)
+		}
+		// Compare only Targets: CollectedAt is a wall-clock timestamp.
+		b, _ := json.Marshal(out.(*DANEData).Targets)
+		if i > 0 && string(b) != string(prev) {
+			t.Errorf("non-deterministic targets:\n%s\nvs\n%s", prev, b)
+		}
+		prev = b
+	}
+}

checker/definition.go

@@ -0,0 +1,68 @@
+package checker
+
+import (
+	"time"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+	tls "git.happydns.org/checker-tls/checker"
+)
+
+// Version defaults to "built-in"; standalone and plugin builds override it
+// via -ldflags "-X .../checker.Version=...".
+var Version = "built-in"
+
+// serviceType is the happyDomain service type this checker binds to.
+const serviceType = "svcs.TLSAs"
+
+// Definition satisfies sdk.CheckerDefinitionProvider.
+func (p *daneProvider) Definition() *sdk.CheckerDefinition {
+	return &sdk.CheckerDefinition{
+		ID:      "dane",
+		Name:    "DANE / TLSA",
+		Version: Version,
+		Availability: sdk.CheckerAvailability{
+			ApplyToService:  true,
+			LimitToServices: []string{serviceType},
+		},
+		ObservationKeys: []sdk.ObservationKey{ObservationKeyDANE},
+		HasHTMLReport:   true,
+		Options: sdk.CheckerOptionsDocumentation{
+			UserOpts: []sdk.CheckerOptionDocumentation{
+				{
+					Id:          OptionProbeTimeoutMs,
+					Type:        "number",
+					Label:       "Probe timeout (ms)",
+					Description: "Forwarded to checker-tls for each DANE endpoint.",
+					Default:     float64(tls.DefaultProbeTimeoutMs),
+				},
+			},
+			RunOpts: []sdk.CheckerOptionDocumentation{
+				{
+					Id:       OptionDomain,
+					Type:     "string",
+					Label:    "Domain",
+					AutoFill: sdk.AutoFillDomainName,
+					Required: true,
+				},
+				{
+					Id:       OptionSubdomain,
+					Type:     "string",
+					Label:    "Subdomain",
+					AutoFill: sdk.AutoFillSubdomain,
+				},
+				{
+					Id:       OptionService,
+					Label:    "TLSAs service",
+					AutoFill: sdk.AutoFillService,
+					Hide:     true,
+				},
+			},
+		},
+		Rules: Rules(),
+		Interval: &sdk.CheckIntervalSpec{
+			Min:     6 * time.Hour,
+			Max:     7 * 24 * time.Hour,
+			Default: 24 * time.Hour,
+		},
+	}
+}

checker/interactive.go

@@ -0,0 +1,211 @@
+//go:build standalone
+
+package checker
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/miekg/dns"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+	tls "git.happydns.org/checker-tls/checker"
+)
+
+// resolverEnvVar names the environment variable that points at the
+// DNSSEC-validating resolver this checker queries. The operator MUST point
+// this at a trusted, validating resolver (typically 127.0.0.1:53 backed by
+// Unbound, BIND, or Knot Resolver). DANE without DNSSEC validation is a
+// downgrade primitive: an on-path attacker can forge TLSA responses. To
+// fail loudly rather than silently insecure, lookupTLSA returns an error
+// when no validating resolver is configured.
+const resolverEnvVar = "DANE_CHECKER_RESOLVER"
+
+// dnsClientTimeout bounds each TLSA exchange so a black-holing resolver
+// cannot tie up server goroutines indefinitely on the public listener.
+const dnsClientTimeout = 5 * time.Second
+
+// tlsaLookup fetches TLSA records for owner via the system resolver and
+// reports whether the resolver cryptographically validated the answer
+// (AD bit set). It is a package variable so tests can swap it for a
+// fixture. The context bounds the underlying DNS exchange so a slow or
+// hung resolver cannot outlive the originating HTTP request on the
+// public listener.
+var tlsaLookup = lookupTLSA
+
+// RenderForm lets a human run this checker standalone. The form only
+// collects the endpoint coordinates; the expected TLSA records are read
+// from DNS by ParseForm and the live certificate is fetched in-process by
+// the SDK running checker-tls as a sibling (see RelatedProviders).
+func (p *daneProvider) RenderForm() []sdk.CheckerOptionField {
+	return []sdk.CheckerOptionField{
+		{Id: OptionDomain, Type: "string", Label: "Domain", Placeholder: "example.com", Required: true},
+		{Id: "port", Type: "uint", Label: "Port", Default: float64(443), Required: true},
+		{Id: "proto", Type: "string", Label: "Protocol", Choices: []string{"tcp", "udp"}, Default: "tcp"},
+		{
+			Id:          "starttls",
+			Type:        "string",
+			Label:       "STARTTLS override",
+			Description: "Leave empty to auto-derive from port (25→smtp, 587→submission, 143→imap, …).",
+		},
+		{
+			Id:          OptionProbeTimeoutMs,
+			Type:        "uint",
+			Label:       "Probe timeout (ms)",
+			Default:     float64(tls.DefaultProbeTimeoutMs),
+			Description: "Forwarded to checker-tls for the live probe.",
+		},
+	}
+}
+
+// ParseForm turns the submitted endpoint into the same CheckerOptions
+// shape happyDomain would feed Collect. The TLSA RRset expected by
+// Collect is resolved live from DNS at _<port>._<proto>.<domain>; if
+// nothing is published there, no validation is possible and the form is
+// re-rendered with the error.
+func (p *daneProvider) ParseForm(r *http.Request) (sdk.CheckerOptions, error) {
+	domain := strings.TrimSuffix(strings.TrimSpace(r.FormValue(OptionDomain)), ".")
+	if domain == "" {
+		return nil, errors.New("domain is required")
+	}
+	portStr := strings.TrimSpace(r.FormValue("port"))
+	if portStr == "" {
+		return nil, errors.New("port is required")
+	}
+	port64, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil || port64 == 0 {
+		return nil, fmt.Errorf("invalid port %q: must be 1-65535", portStr)
+	}
+	port := uint16(port64)
+	proto := strings.TrimSpace(r.FormValue("proto"))
+	if proto == "" {
+		proto = "tcp"
+	}
+	if proto != "tcp" && proto != "udp" {
+		return nil, fmt.Errorf("invalid protocol %q: must be tcp or udp", proto)
+	}
+
+	owner := tlsaOwnerName(port, proto, domain)
+	records, validated, err := tlsaLookup(r.Context(), owner)
+	if err != nil {
+		return nil, fmt.Errorf("TLSA lookup for %s: %w", owner, err)
+	}
+	if len(records) == 0 {
+		return nil, fmt.Errorf("no TLSA records found at %s", owner)
+	}
+
+	tlsaEntries := make([]map[string]any, 0, len(records))
+	for _, t := range records {
+		tlsaEntries = append(tlsaEntries, map[string]any{
+			"Hdr":          map[string]any{"Name": owner},
+			"Usage":        t.Usage,
+			"Selector":     t.Selector,
+			"MatchingType": t.MatchingType,
+			"Certificate":  strings.ToLower(t.Certificate),
+		})
+	}
+	body, err := json.Marshal(map[string]any{"tlsa": tlsaEntries})
+	if err != nil {
+		return nil, fmt.Errorf("marshal TLSAs service: %w", err)
+	}
+
+	opts := sdk.CheckerOptions{
+		OptionDomain: domain,
+		OptionService: serviceMessage{
+			Type:    serviceType,
+			Domain:  domain,
+			Service: body,
+		},
+	}
+
+	if s := strings.TrimSpace(r.FormValue("starttls")); s != "" {
+		opts[OptionSTARTTLS] = map[string]string{
+			starttlsKey(port, proto): s,
+		}
+	}
+	if v := strings.TrimSpace(r.FormValue(OptionProbeTimeoutMs)); v != "" {
+		if n, err := strconv.Atoi(v); err == nil && n > 0 {
+			opts[OptionProbeTimeoutMs] = float64(n)
+		}
+	}
+	opts[OptionDNSSECValidated] = validated
+	return opts, nil
+}
+
+// RelatedProviders declares checker-tls as the sibling the SDK should run
+// in-process during the interactive flow. The SDK harvests the discovery
+// entries this checker publishes via DiscoverEntries and auto-fills
+// checker-tls's OptionEndpoints (the option tagged
+// sdk.AutoFillDiscoveryEntries in its definition), so the probe map the
+// rule reads via GetRelated is populated with live data.
+func (p *daneProvider) RelatedProviders() []sdk.ObservationProvider {
+	return []sdk.ObservationProvider{tls.Provider()}
+}
+
+// lookupTLSA queries the configured DNSSEC-validating resolver for TLSA
+// records at owner. The second return reports whether the resolver
+// cryptographically validated the response (AD bit set). Callers must
+// treat unvalidated answers as untrusted: a DANE "match" against
+// records that lack DNSSEC protection is meaningless because an on-path
+// attacker could have injected them. The records are still returned so
+// the absence of validation surfaces as a check rule failure rather
+// than a hard error that aborts the whole evaluation.
+func lookupTLSA(ctx context.Context, owner string) ([]*dns.TLSA, bool, error) {
+	resolver, err := interactiveResolver()
+	if err != nil {
+		return nil, false, err
+	}
+	msg := new(dns.Msg)
+	msg.SetQuestion(dns.Fqdn(owner), dns.TypeTLSA)
+	msg.RecursionDesired = true
+	// AuthenticDataRequired = true asks the resolver to set AD on validated
+	// answers; SetEdns0 with do=true requests DNSSEC RRs.
+	msg.AuthenticatedData = true
+	msg.SetEdns0(4096, true)
+
+	c := &dns.Client{Timeout: dnsClientTimeout}
+	in, _, err := c.ExchangeContext(ctx, msg, resolver)
+	if err != nil {
+		return nil, false, err
+	}
+	if in.Rcode != dns.RcodeSuccess && in.Rcode != dns.RcodeNameError {
+		return nil, false, fmt.Errorf("rcode %s", dns.RcodeToString[in.Rcode])
+	}
+	var out []*dns.TLSA
+	for _, rr := range in.Answer {
+		if t, ok := rr.(*dns.TLSA); ok {
+			out = append(out, t)
+		}
+	}
+	return out, in.AuthenticatedData, nil
+}
+
+// interactiveResolver returns the address of the trusted, DNSSEC-validating
+// resolver this checker should use. It refuses to silently fall back to a
+// public plaintext resolver: that path is a downgrade vector and would make
+// every "validation" trivially spoofable on a hostile network. The operator
+// must opt in by setting DANE_CHECKER_RESOLVER (e.g. "127.0.0.1:53") or
+// providing an /etc/resolv.conf entry that explicitly points at a local
+// validating resolver.
+func interactiveResolver() (string, error) {
+	if v := strings.TrimSpace(os.Getenv(resolverEnvVar)); v != "" {
+		// Accept either "host" (port defaults to 53) or "host:port".
+		if _, _, err := net.SplitHostPort(v); err != nil {
+			v = net.JoinHostPort(v, "53")
+		}
+		return v, nil
+	}
+	cfg, err := dns.ClientConfigFromFile("/etc/resolv.conf")
+	if err != nil || len(cfg.Servers) == 0 {
+		return "", fmt.Errorf("no DNSSEC-validating resolver configured: set %s to a trusted validator (e.g. 127.0.0.1:53)", resolverEnvVar)
+	}
+	return net.JoinHostPort(cfg.Servers[0], cfg.Port), nil
+}

checker/interactive_test.go

@@ -0,0 +1,150 @@
+//go:build standalone
+
+package checker
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/miekg/dns"
+)
+
+// stubTLSA returns a synthetic TLSA RR with the given fields, avoiding the
+// textual-parse boilerplate of dns.NewRR.
+func stubTLSA(owner string, usage, selector, matching uint8, cert string) *dns.TLSA {
+	return &dns.TLSA{
+		Hdr:          dns.RR_Header{Name: dns.Fqdn(owner), Rrtype: dns.TypeTLSA, Class: dns.ClassINET, Ttl: 3600},
+		Usage:        usage,
+		Selector:     selector,
+		MatchingType: matching,
+		Certificate:  cert,
+	}
+}
+
+func withStubLookup(t *testing.T, records []*dns.TLSA, err error) {
+	t.Helper()
+	withStubLookupValidated(t, records, true, err)
+}
+
+func withStubLookupValidated(t *testing.T, records []*dns.TLSA, validated bool, err error) {
+	t.Helper()
+	prev := tlsaLookup
+	tlsaLookup = func(_ context.Context, _ string) ([]*dns.TLSA, bool, error) {
+		return records, validated, err
+	}
+	t.Cleanup(func() { tlsaLookup = prev })
+}
+
+func postForm(values url.Values) *http.Request {
+	req := httptest.NewRequest("POST", "/check", strings.NewReader(values.Encode()))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.ParseForm()
+	return req
+}
+
+func TestParseForm_PopulatesServiceFromDNS(t *testing.T) {
+	withStubLookup(t, []*dns.TLSA{
+		stubTLSA("_443._tcp.example.com", 3, 1, 1, "DEADBEEF"),
+		stubTLSA("_443._tcp.example.com", 2, 0, 1, "cafebabe"),
+	}, nil)
+
+	p := &daneProvider{}
+	opts, err := p.ParseForm(postForm(url.Values{
+		"domain_name": {"example.com"},
+		"port":        {"443"},
+		"proto":       {"tcp"},
+	}))
+	if err != nil {
+		t.Fatalf("ParseForm: %v", err)
+	}
+	svc, ok := opts[OptionService].(serviceMessage)
+	if !ok {
+		t.Fatalf("service option has wrong type: %#v", opts[OptionService])
+	}
+	if svc.Type != serviceType {
+		t.Errorf("service type = %q, want %q", svc.Type, serviceType)
+	}
+	if svc.Domain != "example.com" {
+		t.Errorf("service domain = %q, want example.com", svc.Domain)
+	}
+
+	var body struct {
+		TLSA []struct {
+			Hdr struct {
+				Name string
+			}
+			Usage        uint8
+			Selector     uint8
+			MatchingType uint8
+			Certificate  string
+		} `json:"tlsa"`
+	}
+	if err := json.Unmarshal(svc.Service, &body); err != nil {
+		t.Fatalf("decode service body: %v", err)
+	}
+	if len(body.TLSA) != 2 {
+		t.Fatalf("got %d TLSA entries, want 2", len(body.TLSA))
+	}
+	if body.TLSA[0].Certificate != "deadbeef" {
+		t.Errorf("expected lowercased cert, got %q", body.TLSA[0].Certificate)
+	}
+	if body.TLSA[0].Hdr.Name != "_443._tcp.example.com" {
+		t.Errorf("owner = %q, want _443._tcp.example.com", body.TLSA[0].Hdr.Name)
+	}
+}
+
+func TestParseForm_NoRecordsIsError(t *testing.T) {
+	withStubLookup(t, nil, nil)
+
+	p := &daneProvider{}
+	_, err := p.ParseForm(postForm(url.Values{
+		"domain_name": {"example.com"},
+		"port":        {"443"},
+		"proto":       {"tcp"},
+	}))
+	if err == nil {
+		t.Fatal("expected error when no TLSA records found, got nil")
+	}
+	if !strings.Contains(err.Error(), "no TLSA records") {
+		t.Errorf("unexpected error %v", err)
+	}
+}
+
+func TestParseForm_StartTLSOverride(t *testing.T) {
+	withStubLookup(t, []*dns.TLSA{stubTLSA("_25._tcp.mail.example.com", 3, 1, 1, "aa")}, nil)
+
+	p := &daneProvider{}
+	opts, err := p.ParseForm(postForm(url.Values{
+		"domain_name": {"mail.example.com"},
+		"port":        {"25"},
+		"proto":       {"tcp"},
+		"starttls":    {"smtp"},
+	}))
+	if err != nil {
+		t.Fatalf("ParseForm: %v", err)
+	}
+	override, ok := opts[OptionSTARTTLS].(map[string]string)
+	if !ok {
+		t.Fatalf("starttls option type = %T", opts[OptionSTARTTLS])
+	}
+	if override["25/tcp"] != "smtp" {
+		t.Errorf("override[25/tcp] = %q, want smtp", override["25/tcp"])
+	}
+}
+
+func TestParseForm_InvalidPort(t *testing.T) {
+	p := &daneProvider{}
+	_, err := p.ParseForm(postForm(url.Values{
+		"domain_name": {"example.com"},
+		"port":        {"0"},
+		"proto":       {"tcp"},
+	}))
+	if err == nil {
+		t.Fatal("expected error for port 0")
+	}
+}

checker/match_test.go

@@ -0,0 +1,417 @@
+package checker
+
+import (
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/base64"
+	"encoding/hex"
+	"strings"
+	"testing"
+
+	tls "git.happydns.org/checker-tls/checker"
+)
+
+// fakeCert builds a CertInfo whose hashes are precomputed from given
+// pseudo-DER and pseudo-SPKI byte slices. Real DER is unnecessary: the
+// matching logic only operates on bytes/hex.
+func fakeCert(der, spki []byte) tls.CertInfo {
+	cs256 := sha256.Sum256(der)
+	cs512 := sha512.Sum512(der)
+	ss256 := sha256.Sum256(spki)
+	ss512 := sha512.Sum512(spki)
+	return tls.CertInfo{
+		DERBase64:     base64.StdEncoding.EncodeToString(der),
+		SPKIDERBase64: base64.StdEncoding.EncodeToString(spki),
+		CertSHA256:    hex.EncodeToString(cs256[:]),
+		CertSHA512:    hex.EncodeToString(cs512[:]),
+		SPKISHA256:    hex.EncodeToString(ss256[:]),
+		SPKISHA512:    hex.EncodeToString(ss512[:]),
+	}
+}
+
+func TestTLSAOwnerRegex(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		in              string
+		ok              bool
+		port, proto, bs string
+	}{
+		{"_443._tcp.example.com", true, "443", "tcp", "example.com"},
+		{"_25._tcp.mail.example.com", true, "25", "tcp", "mail.example.com"},
+		{"_853._udp", true, "853", "udp", ""},
+		{"_443._sctp.example.com", false, "", "", ""},
+		{"443._tcp.example.com", false, "", "", ""},
+		{"_abc._tcp.example.com", false, "", "", ""},
+		{"_443.tcp.example.com", false, "", "", ""},
+	}
+	for _, tc := range cases {
+		m := tlsaOwner.FindStringSubmatch(tc.in)
+		if (m != nil) != tc.ok {
+			t.Errorf("%q: match=%v want=%v", tc.in, m != nil, tc.ok)
+			continue
+		}
+		if !tc.ok {
+			continue
+		}
+		if m[1] != tc.port || m[2] != tc.proto || m[3] != tc.bs {
+			t.Errorf("%q: got (%q,%q,%q) want (%q,%q,%q)", tc.in, m[1], m[2], m[3], tc.port, tc.proto, tc.bs)
+		}
+	}
+}
+
+func TestTLSAOwnerName(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		port  uint16
+		proto string
+		base  string
+		want  string
+	}{
+		{443, "tcp", "example.com", "_443._tcp.example.com"},
+		{25, "tcp", "mail.example.com", "_25._tcp.mail.example.com"},
+	}
+	for _, tc := range cases {
+		got := tlsaOwnerName(tc.port, tc.proto, tc.base)
+		if got != tc.want {
+			t.Errorf("tlsaOwnerName(%d,%q,%q)=%q want %q", tc.port, tc.proto, tc.base, got, tc.want)
+		}
+	}
+
+	// Empty base: trailing label is omitted so the result is still a
+	// syntactically valid relative name rather than "_443._tcp.".
+	if got := tlsaOwnerName(443, "tcp", ""); got != "_443._tcp" {
+		t.Errorf("empty base: got %q want %q", got, "_443._tcp")
+	}
+	if got := tlsaOwnerName(443, "tcp", "example.com."); got != "_443._tcp.example.com" {
+		t.Errorf("trailing dot stripped: got %q", got)
+	}
+}
+
+func TestStarttlsKey(t *testing.T) {
+	t.Parallel()
+	if got := starttlsKey(25, "tcp"); got != "25/tcp" {
+		t.Errorf("got %q want 25/tcp", got)
+	}
+}
+
+func TestJoinName(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name            string
+		base, sub, apex string
+		want            string
+	}{
+		{"empty base, no sub", "", "", "example.com", "example.com"},
+		{"empty base with sub", "", "mail", "example.com", "mail.example.com"},
+		{"absolute base equal apex", "example.com", "", "example.com", "example.com"},
+		{"absolute base ending in apex", "mail.example.com", "", "example.com", "mail.example.com"},
+		{"absolute base ending in apex with sub", "host.sub.example.com", "sub", "example.com", "host.sub.example.com"},
+		{"relative base with sub", "host", "sub", "example.com", "host.sub.example.com"},
+		{"relative base no sub", "host", "", "example.com", "host.example.com"},
+		{"trailing dot", "host.", "", "example.com", "host.example.com"},
+		{"empty everything", "", "", "", ""},
+		// Brittle short-apex case (the "com" apex). Pinned to current
+		// behaviour: HasSuffix(".com") makes "example.com" already
+		// fully-qualified, so it is returned unchanged.
+		{"short apex collision", "example.com", "", "com", "example.com"},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := joinName(tc.base, tc.sub, tc.apex)
+			if got != tc.want {
+				t.Errorf("got %q want %q", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestRecordCandidate_Selectors(t *testing.T) {
+	t.Parallel()
+	der := []byte("der-bytes")
+	spki := []byte("spki-bytes")
+	c := fakeCert(der, spki)
+
+	derHex := hex.EncodeToString(der)
+	spkiHex := hex.EncodeToString(spki)
+
+	cases := []struct {
+		name string
+		rec  TLSARecord
+		want string
+	}{
+		{"cert/full", TLSARecord{Selector: SelectorCert, MatchingType: MatchingFull}, derHex},
+		{"cert/sha256", TLSARecord{Selector: SelectorCert, MatchingType: MatchingSHA256}, c.CertSHA256},
+		{"cert/sha512", TLSARecord{Selector: SelectorCert, MatchingType: MatchingSHA512}, c.CertSHA512},
+		{"spki/full", TLSARecord{Selector: SelectorSPKI, MatchingType: MatchingFull}, spkiHex},
+		{"spki/sha256", TLSARecord{Selector: SelectorSPKI, MatchingType: MatchingSHA256}, c.SPKISHA256},
+		{"spki/sha512", TLSARecord{Selector: SelectorSPKI, MatchingType: MatchingSHA512}, c.SPKISHA512},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			got, err := recordCandidate(tc.rec, c)
+			if err != nil {
+				t.Fatalf("err=%v", err)
+			}
+			if got != tc.want {
+				t.Errorf("got %q want %q", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestRecordCandidate_Errors(t *testing.T) {
+	t.Parallel()
+	c := fakeCert([]byte("d"), []byte("s"))
+	if _, err := recordCandidate(TLSARecord{Selector: 9, MatchingType: MatchingSHA256}, c); err == nil {
+		t.Error("expected error on unknown selector")
+	}
+	if _, err := recordCandidate(TLSARecord{Selector: SelectorCert, MatchingType: 9}, c); err == nil {
+		t.Error("expected error on unknown matching type for cert")
+	}
+	if _, err := recordCandidate(TLSARecord{Selector: SelectorSPKI, MatchingType: 9}, c); err == nil {
+		t.Error("expected error on unknown matching type for spki")
+	}
+	bad := tls.CertInfo{DERBase64: "!!!not-base64!!!"}
+	if _, err := recordCandidate(TLSARecord{Selector: SelectorCert, MatchingType: MatchingFull}, bad); err == nil {
+		t.Error("expected base64 decode error")
+	}
+}
+
+func TestDecodeFullDER_SizeLimit(t *testing.T) {
+	t.Parallel()
+	huge := strings.Repeat("A", maxFullDERBytes+10) // base64; decoded is ~3/4 of len
+	if _, err := decodeFullDER(huge, "test"); err == nil {
+		t.Error("expected size-limit error")
+	}
+	small := base64.StdEncoding.EncodeToString([]byte("hello"))
+	got, err := decodeFullDER(small, "test")
+	if err != nil {
+		t.Fatalf("err=%v", err)
+	}
+	if string(got) != "hello" {
+		t.Errorf("got %q want hello", got)
+	}
+}
+
+func TestMatchRecord_LeafSelectsByUsage(t *testing.T) {
+	t.Parallel()
+	leaf := fakeCert([]byte("leaf-der"), []byte("leaf-spki"))
+	mid := fakeCert([]byte("mid-der"), []byte("mid-spki"))
+	probe := &tls.TLSProbe{Chain: []tls.CertInfo{leaf, mid}}
+
+	// usage 3 (DANE-EE) matches leaf SHA-256 SPKI
+	rec := TLSARecord{Usage: UsageDANEEE, Selector: SelectorSPKI, MatchingType: MatchingSHA256, Certificate: leaf.SPKISHA256}
+	if ok, why := matchRecord(rec, probe); !ok {
+		t.Errorf("DANE-EE leaf SPKI sha256: ok=false reason=%q", why)
+	}
+	// usage 3 with intermediate hash should NOT match (wrong slot)
+	rec.Certificate = mid.SPKISHA256
+	if ok, _ := matchRecord(rec, probe); ok {
+		t.Error("DANE-EE matching against intermediate SPKI should fail")
+	}
+
+	// usage 2 (DANE-TA) matches intermediate
+	rec = TLSARecord{Usage: UsageDANETA, Selector: SelectorCert, MatchingType: MatchingSHA256, Certificate: mid.CertSHA256}
+	if ok, why := matchRecord(rec, probe); !ok {
+		t.Errorf("DANE-TA intermediate cert sha256: ok=false reason=%q", why)
+	}
+
+	// usage 1 (PKIX-EE) matches leaf cert hash
+	rec = TLSARecord{Usage: UsagePKIXEE, Selector: SelectorCert, MatchingType: MatchingSHA256, Certificate: leaf.CertSHA256}
+	if ok, why := matchRecord(rec, probe); !ok {
+		t.Errorf("PKIX-EE leaf cert sha256: ok=false reason=%q", why)
+	}
+
+	// usage 0 (PKIX-TA) matches intermediate
+	rec = TLSARecord{Usage: UsagePKIXTA, Selector: SelectorSPKI, MatchingType: MatchingSHA256, Certificate: mid.SPKISHA256}
+	if ok, why := matchRecord(rec, probe); !ok {
+		t.Errorf("PKIX-TA intermediate spki sha256: ok=false reason=%q", why)
+	}
+}
+
+func TestMatchRecord_NoChain(t *testing.T) {
+	t.Parallel()
+	if ok, why := matchRecord(TLSARecord{Usage: UsageDANEEE}, &tls.TLSProbe{}); ok || why == "" {
+		t.Errorf("empty chain: ok=%v reason=%q", ok, why)
+	}
+}
+
+func TestMatchRecord_TASelfSignedFallback(t *testing.T) {
+	t.Parallel()
+	// When the chain has only a leaf, usage 0/2 falls back to matching the
+	// leaf as a degenerate TA so the user gets feedback.
+	leaf := fakeCert([]byte("leaf"), []byte("spki"))
+	probe := &tls.TLSProbe{Chain: []tls.CertInfo{leaf}}
+	rec := TLSARecord{Usage: UsageDANETA, Selector: SelectorSPKI, MatchingType: MatchingSHA256, Certificate: leaf.SPKISHA256}
+	if ok, why := matchRecord(rec, probe); !ok {
+		t.Errorf("self-signed TA fallback: ok=false reason=%q", why)
+	}
+}
+
+func TestMatchRecord_UnsupportedUsage(t *testing.T) {
+	t.Parallel()
+	leaf := fakeCert([]byte("leaf"), []byte("spki"))
+	probe := &tls.TLSProbe{Chain: []tls.CertInfo{leaf}}
+	if ok, why := matchRecord(TLSARecord{Usage: 9}, probe); ok || !strings.Contains(why, "unsupported") {
+		t.Errorf("usage 9: ok=%v reason=%q", ok, why)
+	}
+}
+
+func TestMatchRecord_FullDER(t *testing.T) {
+	t.Parallel()
+	der := []byte("the-actual-cert-der")
+	leaf := fakeCert(der, []byte("ignored"))
+	probe := &tls.TLSProbe{Chain: []tls.CertInfo{leaf}}
+	rec := TLSARecord{
+		Usage:        UsageDANEEE,
+		Selector:     SelectorCert,
+		MatchingType: MatchingFull,
+		Certificate:  hex.EncodeToString(der),
+	}
+	if ok, why := matchRecord(rec, probe); !ok {
+		t.Errorf("Full DER match failed: %q", why)
+	}
+}
+
+func TestSummarizeMatches(t *testing.T) {
+	t.Parallel()
+	leaf := fakeCert([]byte("leaf"), []byte("ls"))
+	probe := &tls.TLSProbe{Chain: []tls.CertInfo{leaf}}
+	t1 := TargetResult{Records: []TLSARecord{
+		{Usage: UsageDANEEE, Selector: SelectorSPKI, MatchingType: MatchingSHA256, Certificate: leaf.SPKISHA256}, // ok
+		{Usage: UsageDANEEE, Selector: SelectorSPKI, MatchingType: MatchingSHA256, Certificate: "deadbeef"},      // miss
+		{Usage: UsageDANEEE, Selector: SelectorCert, MatchingType: MatchingSHA256, Certificate: leaf.CertSHA256}, // ok
+	}}
+	s := summarizeMatches(t1, probe)
+	if s.matched != 2 || s.unmatched != 1 || s.firstUnmatchedIdx != 1 {
+		t.Errorf("got matched=%d unmatched=%d firstIdx=%d", s.matched, s.unmatched, s.firstUnmatchedIdx)
+	}
+
+	if got := summarizeMatches(t1, nil); got.matched != 0 || got.firstUnmatchedIdx != -1 {
+		t.Errorf("nil probe: %+v", got)
+	}
+}
+
+func TestSummarizeMatches_BadFirstSlotDoesNotAbort(t *testing.T) {
+	t.Parallel()
+	// An undecodable Full record at slot 0 shouldn't prevent later valid
+	// records from matching: regression test for the per-slot continue.
+	leaf := fakeCert([]byte("leaf"), []byte("spki"))
+	probe := &tls.TLSProbe{Chain: []tls.CertInfo{leaf}}
+	bad := TargetResult{Records: []TLSARecord{
+		{Usage: UsageDANEEE, Selector: SelectorCert, MatchingType: MatchingFull, Certificate: "00"}, // hex won't match decoded DER
+		{Usage: UsageDANEEE, Selector: SelectorSPKI, MatchingType: MatchingSHA256, Certificate: leaf.SPKISHA256},
+	}}
+	s := summarizeMatches(bad, probe)
+	if s.matched != 1 {
+		t.Errorf("expected 1 match (the second record), got %d (unmatched=%d)", s.matched, s.unmatched)
+	}
+}
+
+func TestHasPKIXUsage(t *testing.T) {
+	t.Parallel()
+	if hasPKIXUsage(TargetResult{Records: []TLSARecord{{Usage: UsageDANEEE}}}) {
+		t.Error("DANE-EE only: expected false")
+	}
+	if !hasPKIXUsage(TargetResult{Records: []TLSARecord{{Usage: UsagePKIXEE}}}) {
+		t.Error("PKIX-EE: expected true")
+	}
+	if !hasPKIXUsage(TargetResult{Records: []TLSARecord{{Usage: UsageDANETA}, {Usage: UsagePKIXTA}}}) {
+		t.Error("contains PKIX-TA: expected true")
+	}
+	if hasPKIXUsage(TargetResult{}) {
+		t.Error("empty: expected false")
+	}
+}
+
+func TestSuspiciousUsage(t *testing.T) {
+	t.Parallel()
+	leaf := fakeCert([]byte("leaf"), []byte("ls"))
+	mid := fakeCert([]byte("mid"), []byte("ms"))
+	probe := &tls.TLSProbe{Chain: []tls.CertInfo{leaf, mid}}
+
+	// Record declared as EE but hash matches intermediate => suspicious.
+	tgt := TargetResult{Records: []TLSARecord{{
+		Usage: UsageDANEEE, Selector: SelectorSPKI, MatchingType: MatchingSHA256,
+		Certificate: mid.SPKISHA256,
+	}}}
+	if got := suspiciousUsage(tgt, probe); got == "" {
+		t.Error("expected suspicious-usage warning")
+	}
+
+	// Record declared as EE matching the leaf is fine.
+	tgt.Records[0].Certificate = leaf.SPKISHA256
+	if got := suspiciousUsage(tgt, probe); got != "" {
+		t.Errorf("unexpected warning: %q", got)
+	}
+
+	// Single-cert chain: rule is silent.
+	if got := suspiciousUsage(tgt, &tls.TLSProbe{Chain: []tls.CertInfo{leaf}}); got != "" {
+		t.Errorf("single-cert chain should be silent, got %q", got)
+	}
+}
+
+func TestProposedTLSA(t *testing.T) {
+	t.Parallel()
+	leaf := fakeCert([]byte("leaf"), []byte("spki"))
+	probe := &tls.TLSProbe{Chain: []tls.CertInfo{leaf}}
+
+	// No record published: defaults to 3 1 1.
+	t1 := TargetResult{Owner: "_443._tcp.example.com", Records: nil}
+	got := proposedTLSA(t1, probe)
+	if !strings.Contains(got, "TLSA 3 1 1 ") || !strings.Contains(got, leaf.SPKISHA256) {
+		t.Errorf("default proposal: %q", got)
+	}
+
+	// Existing record uses Full → suggestion downgrades to SHA-256.
+	t2 := TargetResult{Owner: "_443._tcp.example.com", Records: []TLSARecord{{Usage: UsageDANEEE, Selector: SelectorCert, MatchingType: MatchingFull}}}
+	got = proposedTLSA(t2, probe)
+	if !strings.Contains(got, "TLSA 3 0 1 ") {
+		t.Errorf("Full→SHA256 collapse: %q", got)
+	}
+
+	// No probe: empty.
+	if got := proposedTLSA(t1, nil); got != "" {
+		t.Errorf("no probe: got %q", got)
+	}
+}
+
+func TestHandshakeFix(t *testing.T) {
+	t.Parallel()
+	got := handshakeFix(TargetResult{Host: "mail.example.com", Port: 25, STARTTLS: "smtp"})
+	if !strings.Contains(got, "-starttls smtp") || !strings.Contains(got, "-connect mail.example.com:25") {
+		t.Errorf("smtp fix: %q", got)
+	}
+	got = handshakeFix(TargetResult{Host: "example.com", Port: 443})
+	if strings.Contains(got, "-starttls") || !strings.Contains(got, "-connect example.com:443") {
+		t.Errorf("direct fix: %q", got)
+	}
+}
+
+func TestTruncHex(t *testing.T) {
+	t.Parallel()
+	if truncHex("abc") != "abc" {
+		t.Error("short")
+	}
+	long := strings.Repeat("a", 20)
+	if got := truncHex(long); got != "aaaaaaaaaaaa…" {
+		t.Errorf("long: %q", got)
+	}
+}
+
+func TestProbeUsable(t *testing.T) {
+	t.Parallel()
+	leaf := fakeCert([]byte("l"), []byte("s"))
+	if probeUsable(nil) {
+		t.Error("nil")
+	}
+	if probeUsable(&tls.TLSProbe{}) {
+		t.Error("empty chain")
+	}
+	if probeUsable(&tls.TLSProbe{Chain: []tls.CertInfo{leaf}, Error: "boom"}) {
+		t.Error("error set")
+	}
+	if !probeUsable(&tls.TLSProbe{Chain: []tls.CertInfo{leaf}}) {
+		t.Error("good probe")
+	}
+}

checker/provider.go

@@ -0,0 +1,14 @@
+package checker
+
+import sdk "git.happydns.org/checker-sdk-go/checker"
+
+// Provider returns a new DANE observation provider.
+func Provider() sdk.ObservationProvider {
+	return &daneProvider{}
+}
+
+type daneProvider struct{}
+
+func (p *daneProvider) Key() sdk.ObservationKey {
+	return ObservationKeyDANE
+}

checker/report.go

@@ -0,0 +1,292 @@
+package checker
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"html/template"
+	"sort"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+	tls "git.happydns.org/checker-tls/checker"
+)
+
+// GetHTMLReport implements sdk.CheckerHTMLReporter. The report opens with a
+// diagnosis-first section that lists the most common DANE failure modes
+// actually detected on the user's targets, each with a one-shot remediation
+// snippet; a per-target table follows for reference.
+func (p *daneProvider) GetHTMLReport(ctx sdk.ReportContext) (string, error) {
+	var data DANEData
+	if err := json.Unmarshal(ctx.Data(), &data); err != nil {
+		return "", fmt.Errorf("decode DANE data: %w", err)
+	}
+
+	probes := indexProbes(ctx.Related(tls.ObservationKeyTLSProbes))
+
+	rows := make([]reportRow, 0, len(data.Targets))
+	for _, t := range data.Targets {
+		probe := probes[t.Ref]
+		status, cls := targetStatus(t, probe)
+		leaf := "—"
+		if probe != nil && len(probe.Chain) > 0 {
+			leaf = probe.Chain[0].Subject
+		} else if probe != nil && probe.Error != "" {
+			leaf = "handshake error"
+		}
+		rows = append(rows, reportRow{
+			Owner:       t.Owner,
+			Host:        t.Host,
+			Port:        t.Port,
+			Proto:       t.Proto,
+			STARTTLS:    t.STARTTLS,
+			RecordCount: len(t.Records),
+			StatusLabel: status,
+			StatusClass: cls,
+			Leaf:        leaf,
+		})
+	}
+
+	view := reportView{
+		CollectedAt: data.CollectedAt.Format("2006-01-02 15:04 MST"),
+		TargetCount: len(data.Targets),
+		Diagnoses:   diagnose(data, probes),
+		Rows:        rows,
+		CSS:         template.CSS(reportCSS),
+	}
+
+	var b bytes.Buffer
+	if err := reportTemplate.Execute(&b, view); err != nil {
+		return "", fmt.Errorf("render DANE report: %w", err)
+	}
+	return b.String(), nil
+}
+
+// reportView is the rendering payload passed to reportTemplate. Pre-computing
+// the per-row status label/class and leaf string keeps the template free of
+// branching beyond simple range/if.
+type reportView struct {
+	CollectedAt string
+	TargetCount int
+	Diagnoses   []diagnosis
+	Rows        []reportRow
+	CSS         template.CSS
+}
+
+type reportRow struct {
+	Owner       string
+	Host        string
+	Port        uint16
+	Proto       string
+	STARTTLS    string
+	RecordCount int
+	StatusLabel string
+	StatusClass string
+	Leaf        string
+}
+
+// diagnosis is a single actionable hint surfaced at the top of the report.
+type diagnosis struct {
+	Severity string // crit | warn | info
+	Title    string
+	Detail   string
+	Fix      string // ready-to-apply snippet (shell or zone fragment)
+}
+
+// diagnose scans every target and produces the minimum set of high-signal
+// cards users need to act on. Priority ordering (most-common first):
+//
+//  1. no_match: TLSA records do not cover the live cert (post-rotation miss).
+//  2. handshake_failed: endpoint unreachable or TLS broken, DANE can't be
+//     validated at all.
+//  3. pkix_chain_invalid: usage 0/1 published but public chain is broken.
+//  4. usage_3_matches_issuer: DANE-EE selector matches an intermediate
+//     the record is probably miscategorized (usage 2 was intended).
+//  5. no_probe_yet: quiet informational to avoid false alarms on first run.
+func diagnose(data DANEData, probes map[string]*tls.TLSProbe) []diagnosis {
+	var out []diagnosis
+
+	for _, t := range data.Targets {
+		probe := probes[t.Ref]
+		switch {
+		case probe == nil:
+			out = append(out, diagnosis{
+				Severity: SeverityInfo,
+				Title:    fmt.Sprintf("Waiting for first TLS probe on %s:%d", t.Host, t.Port),
+				Detail:   "checker-tls has not yet probed this endpoint. This is normal immediately after publishing a new TLSA record; status will clear on the next cycle.",
+			})
+		case !probeUsable(probe):
+			out = append(out, diagnosis{
+				Severity: SeverityCrit,
+				Title:    fmt.Sprintf("Cannot reach %s:%d to validate DANE", t.Host, t.Port),
+				Detail:   "TLS handshake failed, DANE publishes hashes for a certificate nobody can see. Either the service is down, the port is blocked, or STARTTLS negotiation is broken.",
+				Fix:      handshakeFix(t),
+			})
+		default:
+			if summarizeMatches(t, probe).matched == 0 && len(t.Records) > 0 {
+				out = append(out, diagnosis{
+					Severity: SeverityCrit,
+					Title:    fmt.Sprintf("No TLSA record matches the live certificate on %s:%d", t.Host, t.Port),
+					Detail:   "This is the most common DANE outage cause: the certificate was rotated without rolling over the TLSA RRset, and validating resolvers are now rejecting the connection. Publish a TLSA record for the new certificate before removing the old one.",
+					Fix:      proposedTLSA(t, probe),
+				})
+			}
+			if hasPKIXUsage(t) && (probe.ChainValid == nil || !*probe.ChainValid) {
+				out = append(out, diagnosis{
+					Severity: SeverityCrit,
+					Title:    fmt.Sprintf("Usage 0/1 needs a publicly-trusted chain on %s:%d", t.Host, t.Port),
+					Detail:   "TLSA usages 0 (PKIX-TA) and 1 (PKIX-EE) require the certificate chain to validate against system roots. Either re-issue through a publicly-trusted CA or switch to usage 2 / 3, which skip PKIX.",
+				})
+			}
+			if warn := suspiciousUsage(t, probe); warn != "" {
+				out = append(out, diagnosis{
+					Severity: SeverityWarn,
+					Title:    fmt.Sprintf("Suspicious TLSA usage on %s:%d", t.Host, t.Port),
+					Detail:   warn,
+				})
+			}
+		}
+	}
+
+	// Stable: crit first, then warn, then info; preserving encounter order
+	// within each group keeps the table and the cards aligned.
+	sort.SliceStable(out, func(i, j int) bool {
+		return sevRank(out[i].Severity) < sevRank(out[j].Severity)
+	})
+	return out
+}
+
+func sevRank(s string) int {
+	switch s {
+	case SeverityCrit:
+		return 0
+	case SeverityWarn:
+		return 1
+	default:
+		return 2
+	}
+}
+
+// hasPKIXUsage reports whether any TLSA record at this target demands PKIX
+// validation (usage 0 or 1).
+func hasPKIXUsage(t TargetResult) bool {
+	for _, r := range t.Records {
+		if r.Usage == UsagePKIXTA || r.Usage == UsagePKIXEE {
+			return true
+		}
+	}
+	return false
+}
+
+// proposedTLSA renders a ready-to-paste replacement RR computed from the
+// live chain. The (usage, selector, matching) triplet is taken from the
+// user's first existing record so the suggestion stays consistent with
+// their published profile (e.g. a deployment standardised on usage 2 keeps
+// usage 2). When no record is published yet, fall back to the DANE-EE +
+// SPKI + SHA-256 triplet most Let's Encrypt deployers settle on.
+func proposedTLSA(t TargetResult, p *tls.TLSProbe) string {
+	if p == nil || len(p.Chain) == 0 {
+		return ""
+	}
+	tmpl := TLSARecord{Usage: UsageDANEEE, Selector: SelectorSPKI, MatchingType: MatchingSHA256}
+	if len(t.Records) > 0 {
+		r := t.Records[0]
+		tmpl.Usage = r.Usage
+		tmpl.Selector = r.Selector
+		tmpl.MatchingType = r.MatchingType
+		// Suggesting Full (matching type 0) inline as a zone fragment is
+		// not useful: collapse to SHA-256 of the same selector, which is
+		// what operators publish in practice.
+		if tmpl.MatchingType == MatchingFull {
+			tmpl.MatchingType = MatchingSHA256
+		}
+	}
+
+	slot := p.Chain[0]
+	if (tmpl.Usage == UsagePKIXTA || tmpl.Usage == UsageDANETA) && len(p.Chain) > 1 {
+		slot = p.Chain[1]
+	}
+	hex, err := recordCandidate(tmpl, slot)
+	if err != nil || hex == "" {
+		return ""
+	}
+	return fmt.Sprintf("%s IN TLSA %d %d %d %s", t.Owner, tmpl.Usage, tmpl.Selector, tmpl.MatchingType, hex)
+}
+
+// handshakeFix proposes a STARTTLS-aware first step when the probe failed.
+func handshakeFix(t TargetResult) string {
+	if t.STARTTLS != "" {
+		return fmt.Sprintf("openssl s_client -connect %s:%d -starttls %s -servername %s", t.Host, t.Port, t.STARTTLS, t.Host)
+	}
+	return fmt.Sprintf("openssl s_client -connect %s:%d -servername %s", t.Host, t.Port, t.Host)
+}
+
+func targetStatus(t TargetResult, p *tls.TLSProbe) (label, class string) {
+	if p == nil {
+		return "Waiting for probe", "unknown"
+	}
+	if !probeUsable(p) {
+		return "Handshake failed", "crit"
+	}
+	if len(t.Records) == 0 {
+		return "No records", "info"
+	}
+	matched := summarizeMatches(t, p).matched
+	if matched == 0 {
+		return "No match", "crit"
+	}
+	return fmt.Sprintf("%d/%d match", matched, len(t.Records)), "ok"
+}
+
+var reportTemplate = template.Must(template.New("dane").Parse(`<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<title>DANE report</title>
+<style>{{.CSS}}</style>
+</head>
+<body><main>
+<h1>DANE / TLSA</h1>
+<p class="meta">Collected {{.CollectedAt}} · {{.TargetCount}} endpoint(s).</p>
+{{with .Diagnoses}}<section class="diagnosis">
+<h2>Action required</h2>
+{{range .}}<article class="finding sev-{{.Severity}}">
+<h3>{{.Title}}</h3>
+<p>{{.Detail}}</p>
+{{with .Fix}}<pre class="fix">{{.}}</pre>{{end}}
+</article>
+{{end}}</section>
+{{end}}<section class="targets">
+<h2>Endpoints</h2>
+<table>
+<thead><tr><th>Endpoint</th><th>Status</th><th>Records</th><th>Observed leaf</th></tr></thead>
+<tbody>
+{{range .Rows}}<tr class="status-{{.StatusClass}}">
+<td><code>{{.Owner}}</code><br><small>{{.Proto}} → {{.Host}}:{{.Port}}{{with .STARTTLS}} · STARTTLS {{.}}{{end}}</small></td>
+<td>{{.StatusLabel}}</td>
+<td>{{.RecordCount}}</td>
+<td>{{.Leaf}}</td>
+</tr>
+{{end}}</tbody>
+</table>
+</section>
+</main></body></html>`))
+
+const reportCSS = `body{font-family:system-ui,sans-serif;margin:0;background:#fafbfc;color:#1b1f23;}
+main{max-width:980px;margin:0 auto;padding:1.5rem;}
+h1{margin:0 0 .25rem 0;}
+.meta{color:#586069;margin:0 0 1.5rem 0;}
+section{margin-bottom:2rem;}
+h2{border-bottom:1px solid #e1e4e8;padding-bottom:.25rem;}
+.finding{border-left:4px solid;padding:.75rem 1rem;margin:.75rem 0;background:#fff;border-radius:4px;}
+.finding h3{margin:0 0 .25rem 0;font-size:1rem;}
+.finding.sev-crit{border-color:#d73a49;}
+.finding.sev-warn{border-color:#dbab09;}
+.finding.sev-info{border-color:#0366d6;}
+.fix{background:#1b1f23;color:#fafbfc;padding:.5rem .75rem;border-radius:4px;overflow-x:auto;font-size:.85rem;}
+table{width:100%;border-collapse:collapse;background:#fff;}
+th,td{padding:.5rem .75rem;border-bottom:1px solid #e1e4e8;text-align:left;vertical-align:top;}
+tr.status-crit td:nth-child(2){color:#d73a49;font-weight:600;}
+tr.status-ok td:nth-child(2){color:#22863a;font-weight:600;}
+tr.status-unknown td:nth-child(2){color:#586069;}
+code{font-size:.85rem;}
+small{color:#586069;}`

checker/rule.go

@@ -0,0 +1,277 @@
+package checker
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+	tls "git.happydns.org/checker-tls/checker"
+)
+
+// Rules returns the full list of CheckRules exposed by the DANE checker.
+// Each rule covers exactly one concern so the UI can show per-concern
+// status rather than a single monolithic rule that multiplexes many codes.
+func Rules() []sdk.CheckRule {
+	return []sdk.CheckRule{
+		&hasRecordsRule{},
+		&dnssecValidatedRule{},
+		&probeAvailableRule{},
+		&handshakeOKRule{},
+		&recordsMatchChainRule{},
+		&pkixChainValidRule{},
+		&usageCoherentRule{},
+	}
+}
+
+// ruleContext bundles the data rules typically need: the checker's own
+// observation plus the map of related TLS probes keyed by endpoint Ref.
+type ruleContext struct {
+	data   DANEData
+	probes map[string]*tls.TLSProbe
+	// relatedErr is a non-fatal error encountered while loading related
+	// probes (e.g. the cross-checker lineage was unreachable). Rules
+	// surface it as an error state so operators can spot misconfiguration.
+	relatedErr error
+	// err is a fatal error loading the checker's own observation.
+	err error
+}
+
+// loadRuleContext fetches the DANE observation and the related TLS probes.
+// Rules call this once and then filter on the fields they care about.
+func loadRuleContext(ctx context.Context, obs sdk.ObservationGetter) *ruleContext {
+	rc := &ruleContext{}
+	if err := obs.Get(ctx, ObservationKeyDANE, &rc.data); err != nil {
+		rc.err = err
+		return rc
+	}
+	rc.probes, rc.relatedErr = relatedTLSProbes(ctx, obs)
+	return rc
+}
+
+// observationErrorState is the canonical short-circuit state emitted when a
+// rule cannot load the DANE observation at all.
+func observationErrorState(err error) sdk.CheckState {
+	return sdk.CheckState{
+		Status:  sdk.StatusError,
+		Message: fmt.Sprintf("Failed to read %s: %v", ObservationKeyDANE, err),
+		Code:    "dane_observation_error",
+	}
+}
+
+// targetMeta builds the common Meta map for per-endpoint states.
+func targetMeta(t TargetResult) map[string]any {
+	return map[string]any{
+		"host":     t.Host,
+		"port":     t.Port,
+		"proto":    t.Proto,
+		"owner":    t.Owner,
+		"starttls": t.STARTTLS,
+		"records":  len(t.Records),
+	}
+}
+
+// targetSubject is the human-readable subject tag used on per-endpoint states.
+func targetSubject(t TargetResult) string {
+	return fmt.Sprintf("%s:%d (%s)", t.Host, t.Port, t.Proto)
+}
+
+// probeUsable reports whether p carries a successfully-observed certificate
+// chain. Rules that need to compare against the chain skip endpoints where
+// this is false; the missing/failed cases are surfaced by probeAvailableRule
+// and handshakeOKRule respectively, so other rules stay focused.
+func probeUsable(p *tls.TLSProbe) bool {
+	return p != nil && p.Error == "" && len(p.Chain) > 0
+}
+
+// matchSummary aggregates per-target match outcomes so callers don't redo the
+// per-record loop. firstUnmatchedIdx is -1 when every record matched.
+type matchSummary struct {
+	matched, unmatched   int
+	firstUnmatchedIdx    int
+	firstUnmatchedReason string
+}
+
+// summarizeMatches walks t.Records once and reports how many matched p's
+// chain, plus the first unmatched index and reason for messaging.
+func summarizeMatches(t TargetResult, p *tls.TLSProbe) matchSummary {
+	s := matchSummary{firstUnmatchedIdx: -1}
+	if p == nil {
+		return s
+	}
+	for i, rec := range t.Records {
+		ok, reason := matchRecord(rec, p)
+		if ok {
+			s.matched++
+			continue
+		}
+		s.unmatched++
+		if s.firstUnmatchedIdx < 0 {
+			s.firstUnmatchedIdx = i
+			s.firstUnmatchedReason = reason
+		}
+	}
+	return s
+}
+
+// matchRecord returns true when rec matches some certificate at the chain
+// slot implied by rec.Usage. reason explains the miss on a false return.
+//
+// Slot selection:
+//
+//   - Usage 1 (PKIX-EE) and 3 (DANE-EE): leaf only.
+//   - Usage 0 (PKIX-TA) and 2 (DANE-TA): intermediates + the root the
+//     server presented (if any). We match against every non-leaf cert the
+//     server sent, because some deployments publish the root and some the
+//     intermediate; either is a valid TA reference for the connection's
+//     path.
+func matchRecord(rec TLSARecord, p *tls.TLSProbe) (bool, string) {
+	if len(p.Chain) == 0 {
+		return false, "no certificates observed on the endpoint"
+	}
+	var slots []tls.CertInfo
+	switch rec.Usage {
+	case UsagePKIXEE, UsageDANEEE:
+		slots = p.Chain[:1]
+	case UsagePKIXTA, UsageDANETA:
+		if len(p.Chain) > 1 {
+			slots = p.Chain[1:]
+		} else {
+			// Self-signed / bundle with only a leaf: allow matching against
+			// the leaf as a degenerate TA so the user gets a hash comparison
+			// rather than a silent "no slot".
+			slots = p.Chain[:1]
+		}
+	default:
+		return false, fmt.Sprintf("unsupported TLSA usage %d", rec.Usage)
+	}
+
+	var lastErr string
+	for _, c := range slots {
+		got, err := recordCandidate(rec, c)
+		if err != nil {
+			lastErr = err.Error()
+			continue
+		}
+		if strings.EqualFold(got, rec.Certificate) {
+			return true, ""
+		}
+	}
+	if lastErr != "" {
+		return false, lastErr
+	}
+	return false, fmt.Sprintf("expected %s, got none matching in chain", truncHex(rec.Certificate))
+}
+
+// maxFullDERBytes caps the size of a "Full" (MatchingType 0) DER payload
+// that this checker is willing to base64-decode and hex-encode. Real X.509
+// certificates rarely exceed 8 KiB; 64 KiB leaves comfortable headroom for
+// pathological-but-legitimate chains while preventing a hostile probe
+// payload from forcing arbitrary heap allocations during evaluation.
+const maxFullDERBytes = 64 * 1024
+
+// decodeFullDER base64-decodes b after rejecting payloads whose decoded size
+// would exceed maxFullDERBytes, so an attacker-controlled probe cannot make
+// the rule allocate unbounded memory before the hex comparison.
+func decodeFullDER(b string, what string) ([]byte, error) {
+	// base64 decoded length is at most ceil(len(b)/4)*3; bail out cheaply
+	// before allocating the destination buffer.
+	if len(b)/4*3 > maxFullDERBytes {
+		return nil, fmt.Errorf("%s exceeds %d bytes", what, maxFullDERBytes)
+	}
+	der, err := base64.StdEncoding.DecodeString(b)
+	if err != nil {
+		return nil, fmt.Errorf("decode %s: %w", what, err)
+	}
+	if len(der) > maxFullDERBytes {
+		return nil, fmt.Errorf("%s exceeds %d bytes", what, maxFullDERBytes)
+	}
+	return der, nil
+}
+
+// recordCandidate returns the hex value the TLSA record should match for
+// the (selector, matching_type) pair against this certificate slot. For
+// matching_type 0 (Full), both sides are compared as hex-encoded DER.
+func recordCandidate(rec TLSARecord, c tls.CertInfo) (string, error) {
+	var source string
+	switch rec.Selector {
+	case SelectorCert:
+		switch rec.MatchingType {
+		case MatchingFull:
+			der, err := decodeFullDER(c.DERBase64, "cert DER")
+			if err != nil {
+				return "", err
+			}
+			source = hex.EncodeToString(der)
+		case MatchingSHA256:
+			source = c.CertSHA256
+		case MatchingSHA512:
+			source = c.CertSHA512
+		default:
+			return "", fmt.Errorf("unsupported matching type %d", rec.MatchingType)
+		}
+	case SelectorSPKI:
+		switch rec.MatchingType {
+		case MatchingFull:
+			spki, err := decodeFullDER(c.SPKIDERBase64, "SPKI DER")
+			if err != nil {
+				return "", err
+			}
+			source = hex.EncodeToString(spki)
+		case MatchingSHA256:
+			source = c.SPKISHA256
+		case MatchingSHA512:
+			source = c.SPKISHA512
+		default:
+			return "", fmt.Errorf("unsupported matching type %d", rec.MatchingType)
+		}
+	default:
+		return "", fmt.Errorf("unsupported selector %d", rec.Selector)
+	}
+	return source, nil
+}
+
+// parseTLSProbeMap decodes one related-observation payload into its constituent
+// probes, keyed by endpoint Ref. Returns nil on decode error (caller skips).
+func parseTLSProbeMap(data []byte) map[string]tls.TLSProbe {
+	var payload struct {
+		Probes map[string]tls.TLSProbe `json:"probes"`
+	}
+	if err := json.Unmarshal(data, &payload); err != nil {
+		return nil
+	}
+	return payload.Probes
+}
+
+// relatedTLSProbes indexes TLS probes fetched via GetRelated by endpoint Ref.
+func relatedTLSProbes(ctx context.Context, obs sdk.ObservationGetter) (map[string]*tls.TLSProbe, error) {
+	related, err := obs.GetRelated(ctx, tls.ObservationKeyTLSProbes)
+	if err != nil {
+		return nil, fmt.Errorf("related TLS probes unavailable: %w", err)
+	}
+	return indexProbes(related), nil
+}
+
+// indexProbes flattens a slice of related TLS-probe observations into a probe
+// map keyed by endpoint Ref. Shared by the rule path (relatedTLSProbes) and
+// the report path (GetHTMLReport), which receive the same RelatedObservation
+// type from different SDK entry points.
+func indexProbes(related []sdk.RelatedObservation) map[string]*tls.TLSProbe {
+	out := map[string]*tls.TLSProbe{}
+	for _, ro := range related {
+		for k, v := range parseTLSProbeMap(ro.Data) {
+			out[k] = &v
+		}
+	}
+	return out
+}
+
+func truncHex(s string) string {
+	if len(s) > 12 {
+		return s[:12] + "…"
+	}
+	return s
+}

checker/rules_handshake.go

@@ -0,0 +1,57 @@
+package checker
+
+import (
+	"context"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// handshakeOKRule reports whether the TLS handshake succeeded on every
+// endpoint that has been probed. A failing handshake means DANE cannot be
+// validated regardless of what TLSA records are published.
+type handshakeOKRule struct{}
+
+func (r *handshakeOKRule) Name() string { return "dane.handshake_ok" }
+func (r *handshakeOKRule) Description() string {
+	return "Verifies the TLS handshake succeeds on every DANE endpoint so the presented chain can be compared to TLSA records."
+}
+
+func (r *handshakeOKRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	rc := loadRuleContext(ctx, obs)
+	if rc.err != nil {
+		return []sdk.CheckState{observationErrorState(rc.err)}
+	}
+	var out []sdk.CheckState
+	tested := 0
+	for _, t := range rc.data.Targets {
+		probe := rc.probes[t.Ref]
+		if probe == nil {
+			continue // covered by probeAvailableRule
+		}
+		tested++
+		if !probeUsable(probe) {
+			out = append(out, sdk.CheckState{
+				Status:  sdk.StatusCrit,
+				Code:    "dane_handshake_failed",
+				Subject: targetSubject(t),
+				Message: "TLS handshake failed, cannot validate DANE: " + probe.Error,
+				Meta:    targetMeta(t),
+			})
+		}
+	}
+	if len(out) == 0 {
+		if tested == 0 {
+			return []sdk.CheckState{{
+				Status:  sdk.StatusUnknown,
+				Code:    "dane_handshake_ok_skipped",
+				Message: "No probed endpoint to evaluate (waiting for checker-tls).",
+			}}
+		}
+		return []sdk.CheckState{{
+			Status:  sdk.StatusOK,
+			Code:    "dane_handshake_ok",
+			Message: "TLS handshake succeeds on every probed endpoint.",
+		}}
+	}
+	return out
+}

checker/rules_match.go

@@ -0,0 +1,80 @@
+package checker
+
+import (
+	"context"
+	"fmt"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// recordsMatchChainRule is the core DANE check: for every endpoint whose
+// handshake succeeded, at least one declared TLSA record must match the
+// certificate chain presented by the server (RFC 6698 §2.1 OR semantics).
+//
+// This is the most common DANE outage vector, a certificate rotation
+// without a matching TLSA rollover, so it deserves its own rule and its
+// own per-endpoint states.
+type recordsMatchChainRule struct{}
+
+func (r *recordsMatchChainRule) Name() string { return "dane.records_match_chain" }
+func (r *recordsMatchChainRule) Description() string {
+	return "Verifies that at least one TLSA record matches the certificate chain presented by each endpoint."
+}
+
+func (r *recordsMatchChainRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	rc := loadRuleContext(ctx, obs)
+	if rc.err != nil {
+		return []sdk.CheckState{observationErrorState(rc.err)}
+	}
+	var out []sdk.CheckState
+	tested := 0
+	for _, t := range rc.data.Targets {
+		probe := rc.probes[t.Ref]
+		if !probeUsable(probe) {
+			continue // covered by probeAvailableRule / handshakeOKRule
+		}
+		if len(t.Records) == 0 {
+			continue // covered by hasRecordsRule
+		}
+		tested++
+		subj := targetSubject(t)
+		meta := targetMeta(t)
+
+		s := summarizeMatches(t, probe)
+		meta["matched"] = s.matched
+		meta["unmatched"] = s.unmatched
+
+		if s.matched > 0 {
+			out = append(out, sdk.CheckState{
+				Status:  sdk.StatusOK,
+				Code:    "dane_match_ok",
+				Subject: subj,
+				Message: fmt.Sprintf("%d/%d TLSA record(s) match the presented certificate chain.", s.matched, s.matched+s.unmatched),
+				Meta:    meta,
+			})
+			continue
+		}
+		msg := "No TLSA record matches the presented certificate chain."
+		if s.firstUnmatchedReason != "" {
+			msg += " " + s.firstUnmatchedReason
+		}
+		meta["first_unmatched_index"] = s.firstUnmatchedIdx
+		out = append(out, sdk.CheckState{
+			Status:  sdk.StatusCrit,
+			Code:    "dane_no_match",
+			Subject: subj,
+			Message: msg,
+			Meta:    meta,
+		})
+	}
+	if len(out) == 0 {
+		if tested == 0 {
+			return []sdk.CheckState{{
+				Status:  sdk.StatusUnknown,
+				Code:    "dane_records_match_chain_skipped",
+				Message: "No usable probe/records pair to evaluate.",
+			}}
+		}
+	}
+	return out
+}

checker/rules_pkix.go

@@ -0,0 +1,61 @@
+package checker
+
+import (
+	"context"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// pkixChainValidRule reports whether endpoints that publish PKIX-dependent
+// TLSA usages (0 or 1) also present a certificate chain that validates
+// against the system trust store. DANE usages 2/3 are unaffected and
+// skipped entirely by this rule.
+type pkixChainValidRule struct{}
+
+func (r *pkixChainValidRule) Name() string { return "dane.pkix_chain_valid" }
+func (r *pkixChainValidRule) Description() string {
+	return "When TLSA usages 0 or 1 are published, verifies the certificate chain also validates against system trust roots."
+}
+
+func (r *pkixChainValidRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	rc := loadRuleContext(ctx, obs)
+	if rc.err != nil {
+		return []sdk.CheckState{observationErrorState(rc.err)}
+	}
+	var out []sdk.CheckState
+	tested := 0
+	for _, t := range rc.data.Targets {
+		probe := rc.probes[t.Ref]
+		if !probeUsable(probe) {
+			continue
+		}
+		if !hasPKIXUsage(t) {
+			continue
+		}
+		tested++
+		if probe.ChainValid == nil || !*probe.ChainValid {
+			out = append(out, sdk.CheckState{
+				Status:  sdk.StatusCrit,
+				Code:    "dane_pkix_chain_invalid",
+				Subject: targetSubject(t),
+				Message: "Usage 0/1 requires a publicly-trusted chain, but the certificate chain did not validate against system roots.",
+				Meta:    targetMeta(t),
+			})
+		}
+	}
+	if len(out) == 0 {
+		if tested == 0 {
+			return []sdk.CheckState{{
+				Status:  sdk.StatusUnknown,
+				Code:    "dane_pkix_chain_valid_skipped",
+				Message: "No endpoint publishes PKIX-dependent TLSA usages (0/1).",
+			}}
+		}
+		return []sdk.CheckState{{
+			Status:  sdk.StatusOK,
+			Code:    "dane_pkix_chain_valid_ok",
+			Message: "Every endpoint with PKIX-dependent usages presents a publicly-trusted chain.",
+		}}
+	}
+	return out
+}

checker/rules_probe.go

@@ -0,0 +1,61 @@
+package checker
+
+import (
+	"context"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// probeAvailableRule reports whether the downstream TLS checker has probed
+// every endpoint we published. Absent probes are common immediately after a
+// new TLSA record is published and should not flap the service red.
+type probeAvailableRule struct{}
+
+func (r *probeAvailableRule) Name() string { return "dane.probe_available" }
+func (r *probeAvailableRule) Description() string {
+	return "Verifies a TLS probe is available for every DANE endpoint so the chain can be compared to TLSA records."
+}
+
+func (r *probeAvailableRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	rc := loadRuleContext(ctx, obs)
+	if rc.err != nil {
+		return []sdk.CheckState{observationErrorState(rc.err)}
+	}
+	if rc.relatedErr != nil {
+		return []sdk.CheckState{{
+			Status:  sdk.StatusError,
+			Code:    "dane_observation_warning",
+			Message: rc.relatedErr.Error(),
+		}}
+	}
+	if len(rc.data.Targets) == 0 {
+		return []sdk.CheckState{{
+			Status:  sdk.StatusUnknown,
+			Code:    "dane_probe_available_skipped",
+			Message: "No DANE endpoints to probe.",
+		}}
+	}
+	out := make([]sdk.CheckState, 0, len(rc.data.Targets))
+	for _, t := range rc.data.Targets {
+		subj := targetSubject(t)
+		meta := targetMeta(t)
+		if rc.probes[t.Ref] == nil {
+			out = append(out, sdk.CheckState{
+				Status:  sdk.StatusUnknown,
+				Code:    "dane_no_probe",
+				Subject: subj,
+				Message: "No TLS probe available yet for this endpoint; re-evaluate after the next checker-tls cycle.",
+				Meta:    meta,
+			})
+			continue
+		}
+		out = append(out, sdk.CheckState{
+			Status:  sdk.StatusOK,
+			Code:    "dane_probe_available_ok",
+			Subject: subj,
+			Message: "TLS probe available for this endpoint.",
+			Meta:    meta,
+		})
+	}
+	return out
+}

checker/rules_records.go

@@ -0,0 +1,99 @@
+package checker
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// hasRecordsRule reports whether the TLSAs service declares any TLSA record
+// at all. Without records there is nothing for DANE to validate.
+type hasRecordsRule struct{}
+
+func (r *hasRecordsRule) Name() string { return "dane.has_records" }
+func (r *hasRecordsRule) Description() string {
+	return "Verifies that at least one TLSA record is declared on the service."
+}
+
+func (r *hasRecordsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	rc := loadRuleContext(ctx, obs)
+	if rc.err != nil {
+		return []sdk.CheckState{observationErrorState(rc.err)}
+	}
+	var states []sdk.CheckState
+	for _, inv := range rc.data.Invalid {
+		states = append(states, sdk.CheckState{
+			Status:  sdk.StatusError,
+			Code:    "dane_invalid_owner",
+			Subject: inv.Owner,
+			Message: fmt.Sprintf("TLSA record %q is unusable: %s", inv.Owner, inv.Reason),
+			Meta:    map[string]any{"owner": inv.Owner, "reason": inv.Reason},
+		})
+	}
+	if len(rc.data.Targets) == 0 {
+		if len(states) > 0 {
+			// Records exist but none are usable; flag the aggregate too so
+			// the UI doesn't only show per-record errors.
+			owners := make([]string, 0, len(rc.data.Invalid))
+			for _, inv := range rc.data.Invalid {
+				owners = append(owners, inv.Owner)
+			}
+			states = append(states, sdk.CheckState{
+				Status:  sdk.StatusError,
+				Code:    "dane_no_usable_records",
+				Message: fmt.Sprintf("No usable TLSA records (all %d declared records are malformed: %s).", len(rc.data.Invalid), strings.Join(owners, ", ")),
+			})
+			return states
+		}
+		return []sdk.CheckState{{
+			Status:  sdk.StatusUnknown,
+			Code:    "dane_no_records",
+			Message: "No TLSA records declared on this service.",
+		}}
+	}
+	states = append(states, sdk.CheckState{
+		Status:  sdk.StatusOK,
+		Code:    "dane_has_records_ok",
+		Message: "TLSA records are declared for all bound endpoints.",
+		Meta:    map[string]any{"endpoints": len(rc.data.Targets)},
+	})
+	return states
+}
+
+// dnssecValidatedRule reports whether the TLSA records this checker is
+// evaluating were fetched over a DNSSEC-validated path. Without DNSSEC,
+// DANE is a downgrade primitive: an on-path attacker can forge TLSA
+// answers and any "match" the rest of the rules report is meaningless.
+// The rule only emits when the collector recorded a validation status:
+// in managed mode the records come from the user's authoritative zone
+// config and DNSSEC posture is checked by a different checker.
+type dnssecValidatedRule struct{}
+
+func (r *dnssecValidatedRule) Name() string { return "dane.dnssec_validated" }
+func (r *dnssecValidatedRule) Description() string {
+	return "Verifies the TLSA records were fetched via a DNSSEC-validating resolver (AD bit set)."
+}
+
+func (r *dnssecValidatedRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	rc := loadRuleContext(ctx, obs)
+	if rc.err != nil {
+		return []sdk.CheckState{observationErrorState(rc.err)}
+	}
+	if rc.data.DNSSECValidated == nil {
+		return nil
+	}
+	if *rc.data.DNSSECValidated {
+		return []sdk.CheckState{{
+			Status:  sdk.StatusOK,
+			Code:    "dane_dnssec_validated",
+			Message: "TLSA records were fetched over a DNSSEC-validated path (AD bit set).",
+		}}
+	}
+	return []sdk.CheckState{{
+		Status:  sdk.StatusError,
+		Code:    "dane_dnssec_unvalidated",
+		Message: "TLSA records were fetched without DNSSEC validation (resolver did not set the AD bit). DANE matches are not trustworthy without DNSSEC.",
+	}}
+}

checker/rules_test.go

@@ -0,0 +1,276 @@
+package checker
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"testing"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+	tls "git.happydns.org/checker-tls/checker"
+	tlscontract "git.happydns.org/checker-tls/contract"
+)
+
+// mockObs is a lightweight ObservationGetter for rule unit tests.
+type mockObs struct {
+	dane       *DANEData
+	daneErr    error
+	probes     map[string]tls.TLSProbe
+	relatedErr error
+}
+
+func (m *mockObs) Get(_ context.Context, key sdk.ObservationKey, dest any) error {
+	if m.daneErr != nil {
+		return m.daneErr
+	}
+	if key != ObservationKeyDANE || m.dane == nil {
+		return errors.New("not found")
+	}
+	b, err := json.Marshal(m.dane)
+	if err != nil {
+		return err
+	}
+	return json.Unmarshal(b, dest)
+}
+
+func (m *mockObs) GetRelated(_ context.Context, key sdk.ObservationKey) ([]sdk.RelatedObservation, error) {
+	if m.relatedErr != nil {
+		return nil, m.relatedErr
+	}
+	if key != tls.ObservationKeyTLSProbes || m.probes == nil {
+		return nil, nil
+	}
+	payload := struct {
+		Probes map[string]tls.TLSProbe `json:"probes"`
+	}{Probes: m.probes}
+	b, _ := json.Marshal(payload)
+	return []sdk.RelatedObservation{{
+		CheckerID: "tls",
+		Key:       tls.ObservationKeyTLSProbes,
+		Data:      b,
+	}}, nil
+}
+
+func makeTarget(host string, port uint16, recs []TLSARecord) TargetResult {
+	t := TargetResult{
+		Owner:   tlsaOwnerName(port, "tcp", host),
+		Host:    host,
+		Port:    port,
+		Proto:   "tcp",
+		Records: recs,
+	}
+	t.Ref = tlscontract.Ref(tlscontract.TLSEndpoint{Host: host, Port: port, SNI: host})
+	return t
+}
+
+func TestHasRecordsRule(t *testing.T) {
+	t.Parallel()
+	r := &hasRecordsRule{}
+
+	// No records, no invalid → unknown
+	obs := &mockObs{dane: &DANEData{}}
+	st := r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_no_records" {
+		t.Errorf("no records: %+v", st)
+	}
+
+	// Records present → ok
+	obs = &mockObs{dane: &DANEData{Targets: []TargetResult{makeTarget("a.example.com", 443, []TLSARecord{{}})}}}
+	st = r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_has_records_ok" {
+		t.Errorf("ok: %+v", st)
+	}
+
+	// Invalid records, no targets → error states
+	obs = &mockObs{dane: &DANEData{Invalid: []InvalidRecord{{Owner: "_x._tcp", Reason: "bad port"}}}}
+	st = r.Evaluate(context.Background(), obs, nil)
+	if len(st) < 2 {
+		t.Fatalf("expected per-record + aggregate, got %+v", st)
+	}
+	if st[0].Code != "dane_invalid_owner" || st[len(st)-1].Code != "dane_no_usable_records" {
+		t.Errorf("invalid only: %+v", st)
+	}
+
+	// Observation read error
+	obs = &mockObs{daneErr: errors.New("boom")}
+	st = r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_observation_error" {
+		t.Errorf("err: %+v", st)
+	}
+}
+
+func TestProbeAvailableRule(t *testing.T) {
+	t.Parallel()
+	r := &probeAvailableRule{}
+	tgt := makeTarget("a.example.com", 443, []TLSARecord{{Usage: UsageDANEEE}})
+
+	// Probe present
+	leaf := fakeCert([]byte("l"), []byte("s"))
+	obs := &mockObs{
+		dane:   &DANEData{Targets: []TargetResult{tgt}},
+		probes: map[string]tls.TLSProbe{tgt.Ref: {Chain: []tls.CertInfo{leaf}}},
+	}
+	st := r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_probe_available_ok" {
+		t.Errorf("ok: %+v", st)
+	}
+
+	// Probe absent
+	obs.probes = map[string]tls.TLSProbe{}
+	st = r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_no_probe" {
+		t.Errorf("missing: %+v", st)
+	}
+
+	// No targets at all
+	obs = &mockObs{dane: &DANEData{}}
+	st = r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_probe_available_skipped" {
+		t.Errorf("empty: %+v", st)
+	}
+
+	// Related-fetch error surfaces as warning state.
+	obs = &mockObs{dane: &DANEData{Targets: []TargetResult{tgt}}, relatedErr: errors.New("upstream down")}
+	st = r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_observation_warning" {
+		t.Errorf("relatedErr: %+v", st)
+	}
+}
+
+func TestHandshakeOKRule(t *testing.T) {
+	t.Parallel()
+	r := &handshakeOKRule{}
+	tgt := makeTarget("a.example.com", 443, []TLSARecord{{Usage: UsageDANEEE}})
+	leaf := fakeCert([]byte("l"), []byte("s"))
+
+	// All good.
+	obs := &mockObs{
+		dane:   &DANEData{Targets: []TargetResult{tgt}},
+		probes: map[string]tls.TLSProbe{tgt.Ref: {Chain: []tls.CertInfo{leaf}}},
+	}
+	st := r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_handshake_ok" {
+		t.Errorf("ok: %+v", st)
+	}
+
+	// Handshake failed.
+	obs.probes = map[string]tls.TLSProbe{tgt.Ref: {Error: "tls: bad cert"}}
+	st = r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_handshake_failed" {
+		t.Errorf("failed: %+v", st)
+	}
+}
+
+func TestRecordsMatchChainRule(t *testing.T) {
+	t.Parallel()
+	r := &recordsMatchChainRule{}
+	leaf := fakeCert([]byte("leaf"), []byte("ls"))
+
+	tgt := makeTarget("a.example.com", 443, []TLSARecord{
+		{Usage: UsageDANEEE, Selector: SelectorSPKI, MatchingType: MatchingSHA256, Certificate: leaf.SPKISHA256},
+	})
+	obs := &mockObs{
+		dane:   &DANEData{Targets: []TargetResult{tgt}},
+		probes: map[string]tls.TLSProbe{tgt.Ref: {Chain: []tls.CertInfo{leaf}}},
+	}
+	st := r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_match_ok" {
+		t.Errorf("match ok: %+v", st)
+	}
+
+	// Same target, wrong cert hash → no match (crit).
+	tgt.Records[0].Certificate = "deadbeef"
+	obs.dane = &DANEData{Targets: []TargetResult{tgt}}
+	st = r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_no_match" {
+		t.Errorf("no match: %+v", st)
+	}
+
+	// No probe usable → skipped.
+	obs.probes = map[string]tls.TLSProbe{}
+	st = r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_records_match_chain_skipped" {
+		t.Errorf("skipped: %+v", st)
+	}
+}
+
+func TestPKIXChainValidRule(t *testing.T) {
+	t.Parallel()
+	r := &pkixChainValidRule{}
+	leaf := fakeCert([]byte("l"), []byte("s"))
+	bTrue, bFalse := true, false
+
+	// PKIX usage + valid chain → ok.
+	tgt := makeTarget("a.example.com", 443, []TLSARecord{{Usage: UsagePKIXEE}})
+	obs := &mockObs{
+		dane:   &DANEData{Targets: []TargetResult{tgt}},
+		probes: map[string]tls.TLSProbe{tgt.Ref: {Chain: []tls.CertInfo{leaf}, ChainValid: &bTrue}},
+	}
+	st := r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_pkix_chain_valid_ok" {
+		t.Errorf("ok: %+v", st)
+	}
+
+	// PKIX usage + invalid chain → crit.
+	obs.probes = map[string]tls.TLSProbe{tgt.Ref: {Chain: []tls.CertInfo{leaf}, ChainValid: &bFalse}}
+	st = r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_pkix_chain_invalid" {
+		t.Errorf("invalid: %+v", st)
+	}
+
+	// DANE-only usages → skipped (rule does not apply).
+	tgt.Records = []TLSARecord{{Usage: UsageDANEEE}}
+	obs.dane = &DANEData{Targets: []TargetResult{tgt}}
+	obs.probes = map[string]tls.TLSProbe{tgt.Ref: {Chain: []tls.CertInfo{leaf}}}
+	st = r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_pkix_chain_valid_skipped" {
+		t.Errorf("skipped: %+v", st)
+	}
+}
+
+func TestUsageCoherentRule(t *testing.T) {
+	t.Parallel()
+	r := &usageCoherentRule{}
+	leaf := fakeCert([]byte("l"), []byte("ls"))
+	mid := fakeCert([]byte("m"), []byte("ms"))
+
+	// EE record whose hash matches the intermediate → warn.
+	tgt := makeTarget("a.example.com", 443, []TLSARecord{{
+		Usage: UsageDANEEE, Selector: SelectorSPKI, MatchingType: MatchingSHA256,
+		Certificate: mid.SPKISHA256,
+	}})
+	obs := &mockObs{
+		dane:   &DANEData{Targets: []TargetResult{tgt}},
+		probes: map[string]tls.TLSProbe{tgt.Ref: {Chain: []tls.CertInfo{leaf, mid}}},
+	}
+	st := r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_usage_incoherent" {
+		t.Errorf("incoherent: %+v", st)
+	}
+
+	// EE matching leaf → ok.
+	tgt.Records[0].Certificate = leaf.SPKISHA256
+	obs.dane = &DANEData{Targets: []TargetResult{tgt}}
+	st = r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_usage_coherent_ok" {
+		t.Errorf("coherent ok: %+v", st)
+	}
+
+	// Single-cert chain → skipped.
+	obs.probes = map[string]tls.TLSProbe{tgt.Ref: {Chain: []tls.CertInfo{leaf}}}
+	st = r.Evaluate(context.Background(), obs, nil)
+	if len(st) != 1 || st[0].Code != "dane_usage_coherent_skipped" {
+		t.Errorf("skipped: %+v", st)
+	}
+}
+
+func TestRules_ObservationError(t *testing.T) {
+	t.Parallel()
+	obs := &mockObs{daneErr: errors.New("read failed")}
+	for _, rule := range Rules() {
+		st := rule.Evaluate(context.Background(), obs, nil)
+		if len(st) == 0 || st[0].Code != "dane_observation_error" {
+			t.Errorf("%s: expected observation_error, got %+v", rule.Name(), st)
+		}
+	}
+}

checker/rules_usage.go

@@ -0,0 +1,86 @@
+package checker
+
+import (
+	"context"
+	"strings"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+	tls "git.happydns.org/checker-tls/checker"
+)
+
+// usageCoherentRule flags TLSA records whose declared usage contradicts the
+// chain slot their hash actually matches, typically a record published as
+// usage 1 or 3 (end-entity) whose hash in fact matches an intermediate.
+// That is almost always a publisher error: the intended usage was 0 or 2.
+type usageCoherentRule struct{}
+
+func (r *usageCoherentRule) Name() string { return "dane.usage_coherent" }
+func (r *usageCoherentRule) Description() string {
+	return "Flags TLSA records whose declared usage does not match the chain slot they actually hash (e.g. usage 3 matching an intermediate)."
+}
+
+func (r *usageCoherentRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	rc := loadRuleContext(ctx, obs)
+	if rc.err != nil {
+		return []sdk.CheckState{observationErrorState(rc.err)}
+	}
+	var out []sdk.CheckState
+	tested := 0
+	for _, t := range rc.data.Targets {
+		probe := rc.probes[t.Ref]
+		if !probeUsable(probe) || len(probe.Chain) < 2 {
+			continue
+		}
+		tested++
+		warn := suspiciousUsage(t, probe)
+		if warn != "" {
+			out = append(out, sdk.CheckState{
+				Status:  sdk.StatusWarn,
+				Code:    "dane_usage_incoherent",
+				Subject: targetSubject(t),
+				Message: warn,
+				Meta:    targetMeta(t),
+			})
+		}
+	}
+	if len(out) == 0 {
+		if tested == 0 {
+			return []sdk.CheckState{{
+				Status:  sdk.StatusUnknown,
+				Code:    "dane_usage_coherent_skipped",
+				Message: "No multi-cert chain probed yet; cannot assess usage coherence.",
+			}}
+		}
+		return []sdk.CheckState{{
+			Status:  sdk.StatusOK,
+			Code:    "dane_usage_coherent_ok",
+			Message: "End-entity TLSA records match end-entity certificates on every probed chain.",
+		}}
+	}
+	return out
+}
+
+// suspiciousUsage returns a human-readable hint when a record hash matches a
+// chain slot that contradicts its declared usage (e.g. usage 3 whose hash
+// actually matches the intermediate), almost always a publisher error. Used
+// by both usageCoherentRule and the HTML report.
+func suspiciousUsage(t TargetResult, p *tls.TLSProbe) string {
+	if p == nil || len(p.Chain) < 2 {
+		return ""
+	}
+	for _, r := range t.Records {
+		if r.Usage != UsageDANEEE && r.Usage != UsagePKIXEE {
+			continue
+		}
+		for _, c := range p.Chain[1:] {
+			cand, err := recordCandidate(r, c)
+			if err != nil {
+				continue
+			}
+			if strings.EqualFold(cand, r.Certificate) {
+				return "A record declared with usage 1/3 (end-entity) actually matches an intermediate certificate. It should probably use usage 0 or 2 (trust-anchor) instead."
+			}
+		}
+	}
+	return ""
+}

checker/types.go

@@ -0,0 +1,128 @@
+// Package checker implements the DANE/TLSA checker for happyDomain.
+//
+// This checker is bound to the svcs.TLSAs service. Collect takes the TLSA
+// records the user published (or plans to publish) for the service, derives
+// one TLS endpoint per distinct (port, proto, base name), and declares those
+// endpoints as tls.endpoint.v1 discovery entries. checker-tls then probes
+// them; on the next evaluation, this checker reads the related TLS probes
+// via obs.GetRelated and verifies each TLSA record matches the certificate
+// chain the probe observed.
+//
+// The user-visible contract matches what DANE deployers expect:
+//
+//   - Usage 0 (PKIX-TA) / 1 (PKIX-EE): also require the PKIX chain to be
+//     publicly trusted.
+//   - Usage 2 (DANE-TA) / 3 (DANE-EE): trust the TLSA as the anchor; PKIX
+//     validity is informational.
+//   - Selector 0 (Cert) / 1 (SPKI) and matching types 0/1/2 (Full/SHA-256/
+//     SHA-512) are matched against the chain slot implied by the usage.
+package checker
+
+import "time"
+
+// ObservationKeyDANE is the observation key this checker writes.
+const ObservationKeyDANE = "dane_checks"
+
+// Option ids on CheckerOptions.
+const (
+	// OptionService is auto-filled by the happyDomain host with the
+	// svcs.TLSAs service payload this checker is bound to.
+	OptionService = "service"
+
+	// OptionDomain is auto-filled with the domain apex. TLSA owner names
+	// in the service are relative to this apex.
+	OptionDomain = "domain_name"
+
+	// OptionSubdomain is the optional sub-zone under which the TLSAs
+	// service lives (matches the svcs.TLSAs analyzer's subdomain bucket).
+	OptionSubdomain = "subdomain"
+
+	// OptionProbeTimeoutMs is how long each underlying TLS probe is allowed.
+	// Passed through to checker-tls verbatim via the discovery entry options.
+	OptionProbeTimeoutMs = "probeTimeoutMs"
+
+	// OptionSTARTTLS is an optional per-endpoint STARTTLS hint keyed by
+	// "<port>/<proto>" → RFC 6335 service name (e.g. "25/tcp" → "smtp",
+	// "587/tcp" → "submission"). Common ports auto-map via a built-in table.
+	OptionSTARTTLS = "starttls"
+
+	// OptionDNSSECValidated reports whether the TLSA records the host
+	// submitted to this checker came from a DNSSEC-validated lookup.
+	// Only set by the standalone interactive flow; absent in managed mode
+	// where TLSA records come from the user's authoritative zone config.
+	OptionDNSSECValidated = "dnssec_validated"
+)
+
+// Severity constants mirror checker-tls.
+const (
+	SeverityCrit = "crit"
+	SeverityWarn = "warn"
+	SeverityInfo = "info"
+)
+
+// TLSA field enum constants (RFC 6698 §2.1).
+const (
+	UsagePKIXTA uint8 = 0
+	UsagePKIXEE uint8 = 1
+	UsageDANETA uint8 = 2
+	UsageDANEEE uint8 = 3
+
+	SelectorCert uint8 = 0
+	SelectorSPKI uint8 = 1
+
+	MatchingFull   uint8 = 0
+	MatchingSHA256 uint8 = 1
+	MatchingSHA512 uint8 = 2
+)
+
+// DANEData is the full payload the checker writes under ObservationKeyDANE.
+type DANEData struct {
+	// Targets is one entry per (port, proto, basename) triplet extracted
+	// from the TLSAs service.
+	Targets []TargetResult `json:"targets"`
+	// Invalid lists TLSA records that could not be parsed into a usable
+	// endpoint (malformed owner name, out-of-range port, etc.). They are
+	// surfaced by hasRecordsRule so a misconfigured zone fails loudly
+	// instead of silently passing as "no records".
+	Invalid []InvalidRecord `json:"invalid,omitempty"`
+	// DNSSECValidated reflects whether the resolver that fetched the TLSA
+	// records set the AD bit. Only populated by the standalone interactive
+	// flow (lookupTLSA); nil in managed mode where records come from the
+	// user's zone config and DNSSEC posture is checked elsewhere.
+	DNSSECValidated *bool     `json:"dnssec_validated,omitempty"`
+	CollectedAt     time.Time `json:"collected_at"`
+}
+
+// InvalidRecord describes a TLSA record dropped during Collect.
+type InvalidRecord struct {
+	Owner  string `json:"owner"`
+	Reason string `json:"reason"`
+}
+
+// TargetResult groups all TLSA records declared on a single endpoint and
+// carries enough context to render an actionable HTML row per endpoint.
+type TargetResult struct {
+	// Owner is the fully qualified DANE owner name (_<port>._<proto>.<host>).
+	Owner string `json:"owner"`
+	// Host is the connection target (typically the base name the TLSA
+	// records live under, or its MX/SRV target when relevant).
+	Host     string `json:"host"`
+	Port     uint16 `json:"port"`
+	Proto    string `json:"proto"`
+	STARTTLS string `json:"starttls,omitempty"`
+
+	// Ref ties this target to the tls.endpoint.v1 discovery entry the
+	// checker emitted, so the rule can pick the matching RelatedObservation.
+	Ref string `json:"ref"`
+
+	// Records are the TLSA records declared for this endpoint.
+	Records []TLSARecord `json:"records"`
+}
+
+// TLSARecord is a user-facing view of a single dns.TLSA record.
+type TLSARecord struct {
+	Usage        uint8  `json:"usage"`
+	Selector     uint8  `json:"selector"`
+	MatchingType uint8  `json:"matching_type"`
+	Certificate  string `json:"certificate"` // lowercase hex
+}