Initial commit

2026-04-24 10:33:26 +07:00 · 2026-04-24 10:33:26 +07:00 · a6dbcef0f9
commit a6dbcef0f9
26 changed files with 2993 additions and 0 deletions
--- a/checker/rules_records.go
+++ b/checker/rules_records.go
@ -0,0 +1,99 @@
+package checker
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// hasRecordsRule reports whether the TLSAs service declares any TLSA record
+// at all. Without records there is nothing for DANE to validate.
+type hasRecordsRule struct{}
+
+func (r *hasRecordsRule) Name() string { return "dane.has_records" }
+func (r *hasRecordsRule) Description() string {
+	return "Verifies that at least one TLSA record is declared on the service."
+}
+
+func (r *hasRecordsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	rc := loadRuleContext(ctx, obs)
+	if rc.err != nil {
+		return []sdk.CheckState{observationErrorState(rc.err)}
+	}
+	var states []sdk.CheckState
+	for _, inv := range rc.data.Invalid {
+		states = append(states, sdk.CheckState{
+			Status:  sdk.StatusError,
+			Code:    "dane_invalid_owner",
+			Subject: inv.Owner,
+			Message: fmt.Sprintf("TLSA record %q is unusable: %s", inv.Owner, inv.Reason),
+			Meta:    map[string]any{"owner": inv.Owner, "reason": inv.Reason},
+		})
+	}
+	if len(rc.data.Targets) == 0 {
+		if len(states) > 0 {
+			// Records exist but none are usable; flag the aggregate too so
+			// the UI doesn't only show per-record errors.
+			owners := make([]string, 0, len(rc.data.Invalid))
+			for _, inv := range rc.data.Invalid {
+				owners = append(owners, inv.Owner)
+			}
+			states = append(states, sdk.CheckState{
+				Status:  sdk.StatusError,
+				Code:    "dane_no_usable_records",
+				Message: fmt.Sprintf("No usable TLSA records (all %d declared records are malformed: %s).", len(rc.data.Invalid), strings.Join(owners, ", ")),
+			})
+			return states
+		}
+		return []sdk.CheckState{{
+			Status:  sdk.StatusUnknown,
+			Code:    "dane_no_records",
+			Message: "No TLSA records declared on this service.",
+		}}
+	}
+	states = append(states, sdk.CheckState{
+		Status:  sdk.StatusOK,
+		Code:    "dane_has_records_ok",
+		Message: "TLSA records are declared for all bound endpoints.",
+		Meta:    map[string]any{"endpoints": len(rc.data.Targets)},
+	})
+	return states
+}
+
+// dnssecValidatedRule reports whether the TLSA records this checker is
+// evaluating were fetched over a DNSSEC-validated path. Without DNSSEC,
+// DANE is a downgrade primitive: an on-path attacker can forge TLSA
+// answers and any "match" the rest of the rules report is meaningless.
+// The rule only emits when the collector recorded a validation status:
+// in managed mode the records come from the user's authoritative zone
+// config and DNSSEC posture is checked by a different checker.
+type dnssecValidatedRule struct{}
+
+func (r *dnssecValidatedRule) Name() string { return "dane.dnssec_validated" }
+func (r *dnssecValidatedRule) Description() string {
+	return "Verifies the TLSA records were fetched via a DNSSEC-validating resolver (AD bit set)."
+}
+
+func (r *dnssecValidatedRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	rc := loadRuleContext(ctx, obs)
+	if rc.err != nil {
+		return []sdk.CheckState{observationErrorState(rc.err)}
+	}
+	if rc.data.DNSSECValidated == nil {
+		return nil
+	}
+	if *rc.data.DNSSECValidated {
+		return []sdk.CheckState{{
+			Status:  sdk.StatusOK,
+			Code:    "dane_dnssec_validated",
+			Message: "TLSA records were fetched over a DNSSEC-validated path (AD bit set).",
+		}}
+	}
+	return []sdk.CheckState{{
+		Status:  sdk.StatusError,
+		Code:    "dane_dnssec_unvalidated",
+		Message: "TLSA records were fetched without DNSSEC validation (resolver did not set the AD bit). DANE matches are not trustworthy without DNSSEC.",
+	}}
+}