diff --git a/Dockerfile b/Dockerfile
index 35a3be4..36b5ba0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,4 @@ FROM scratch
 COPY --from=builder /checker-dane /checker-dane
 USER 65534:65534
 EXPOSE 8080
-HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
- CMD ["/checker-dane", "-healthcheck"]
 ENTRYPOINT ["/checker-dane"]
diff --git a/checker/collect_test.go b/checker/collect_test.go
index 72c732d..ba81890 100644
--- a/checker/collect_test.go
+++ b/checker/collect_test.go
@@ -216,7 +216,7 @@ func TestCollect_DeterministicOutput(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
- // Compare only Targets: CollectedAt is a wall-clock timestamp.
+ // Compare only Targets — CollectedAt is a wall-clock timestamp.
 b, _ := json.Marshal(out.(*DANEData).Targets)
 if i > 0 && string(b) != string(prev) {
 t.Errorf("non-deterministic targets:\n%s\nvs\n%s", prev, b)
diff --git a/checker/match_test.go b/checker/match_test.go
index 281d203..0dc8383 100644
--- a/checker/match_test.go
+++ b/checker/match_test.go
@@ -295,7 +295,7 @@ func TestSummarizeMatches(t *testing.T) {
 func TestSummarizeMatches_BadFirstSlotDoesNotAbort(t *testing.T) {
 t.Parallel()
 // An undecodable Full record at slot 0 shouldn't prevent later valid
- // records from matching: regression test for the per-slot continue.
+ // records from matching — regression test for the per-slot continue.
 leaf := fakeCert([]byte("leaf"), []byte("spki"))
 probe := &tls.TLSProbe{Chain: []tls.CertInfo{leaf}}
 bad := TargetResult{Records: []TLSARecord{
diff --git a/checker/report.go b/checker/report.go
index 675388e..3dadaa1 100644
--- a/checker/report.go
+++ b/checker/report.go
@@ -194,7 +194,7 @@ func proposedTLSA(t TargetResult, p *tls.TLSProbe) string {
 tmpl.Selector = r.Selector
 tmpl.MatchingType = r.MatchingType
 // Suggesting Full (matching type 0) inline as a zone fragment is
- // not useful: collapse to SHA-256 of the same selector, which is
+ // not useful — collapse to SHA-256 of the same selector, which is
 // what operators publish in practice.
 if tmpl.MatchingType == MatchingFull {
 tmpl.MatchingType = MatchingSHA256
diff --git a/checker/rules_records.go b/checker/rules_records.go
index 0a4ba39..dfe8854 100644
--- a/checker/rules_records.go
+++ b/checker/rules_records.go
@@ -66,7 +66,7 @@ func (r *hasRecordsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter
 // evaluating were fetched over a DNSSEC-validated path. Without DNSSEC,
 // DANE is a downgrade primitive: an on-path attacker can forge TLSA
 // answers and any "match" the rest of the rules report is meaningless.
-// The rule only emits when the collector recorded a validation status:
+// The rule only emits when the collector recorded a validation status —
 // in managed mode the records come from the user's authoritative zone
 // config and DNSSEC posture is checked by a different checker.
 type dnssecValidatedRule struct{}
diff --git a/go.mod b/go.mod
index 6c145b8..318b0a6 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module git.happydns.org/checker-dane
 go 1.25.0

 require (
- git.happydns.org/checker-sdk-go v1.5.0
+ git.happydns.org/checker-sdk-go v1.4.0
 git.happydns.org/checker-tls v0.6.1
 github.com/miekg/dns v1.1.72
 )
diff --git a/go.sum b/go.sum
index 5c2f154..f00160f 100644
--- a/go.sum
+++ b/go.sum
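Review bot: The go.mod hunk (`@@ -3,7 +3,7 @@`) moves `git.happydns.org/checker-sdk-go` backwards from v1.5.0 to v1.4.0, and nothing in the visible diff says why. A downgrade can silently drop fixes that shipped in the newer release, so the reason should be recorded next to the pin, for example `// pinned to v1.4.0: <reason or issue link>` above the requirement. The same commit also removes the Dockerfile `HEALTHCHECK` that ran `/checker-dane -healthcheck`; if that flag came from SDK v1.5.0 (an inference, not shown here), the two changes belong together and the description should say so. Before merging, it is worth checking the v1.4.0..v1.5.0 changelog for security-relevant fixes and running `govulncheck ./...` against the downgraded module graph.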
@@ -1,5 +1,5 @@ -git.happydns.org/checker-sdk-go v1.5.0 h1:5uD5Cm6xJ+lwnhbJ09iCXGHbYS9zRh+Yh0NeBHkAPBY= -git.happydns.org/checker-sdk-go v1.5.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI= +git.happydns.org/checker-sdk-go v1.4.0 h1:sO8EnF3suhNgYLRsbmCZWJOymH/oNMrOUqj3FEzJArs= +git.happydns.org/checker-sdk-go v1.4.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI= git.happydns.org/checker-tls v0.6.1 h1:YJp9Q+1aJZ6wATyUZbRh67ZtERN6Mp4Sje8ld2dNFuo= git.happydns.org/checker-tls v0.6.1/go.mod h1:9tpnxg0iOwS+7If64DRG1jqYonUAgxOBuxwfF5mVkL4= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=