diff --git a/Dockerfile b/Dockerfile
index 36b5ba0..35a3be4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,4 +12,6 @@ FROM scratch
 COPY --from=builder /checker-dane /checker-dane
 USER 65534:65534
 EXPOSE 8080
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+ CMD ["/checker-dane", "-healthcheck"]
 ENTRYPOINT ["/checker-dane"]
diff --git a/checker/collect_test.go b/checker/collect_test.go
index ba81890..72c732d 100644
--- a/checker/collect_test.go
+++ b/checker/collect_test.go
@@ -216,7 +216,7 @@ func TestCollect_DeterministicOutput(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
- // Compare only Targets — CollectedAt is a wall-clock timestamp.
+ // Compare only Targets: CollectedAt is a wall-clock timestamp.
 b, _ := json.Marshal(out.(*DANEData).Targets)
 if i > 0 && string(b) != string(prev) {
 t.Errorf("non-deterministic targets:\n%s\nvs\n%s", prev, b)
diff --git a/checker/match_test.go b/checker/match_test.go
index 0dc8383..281d203 100644
--- a/checker/match_test.go
+++ b/checker/match_test.go
@@ -295,7 +295,7 @@ func TestSummarizeMatches(t *testing.T) {
 func TestSummarizeMatches_BadFirstSlotDoesNotAbort(t *testing.T) {
 t.Parallel()
 // An undecodable Full record at slot 0 shouldn't prevent later valid
- // records from matching — regression test for the per-slot continue.
+ // records from matching: regression test for the per-slot continue.
 leaf := fakeCert([]byte("leaf"), []byte("spki"))
 probe := &tls.TLSProbe{Chain: []tls.CertInfo{leaf}}
 bad := TargetResult{Records: []TLSARecord{
diff --git a/checker/report.go b/checker/report.go
index 3dadaa1..675388e 100644
--- a/checker/report.go
+++ b/checker/report.go
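Review bot: Nothing in this diff implements the `-healthcheck` flag that the new HEALTHCHECK line passes to `/checker-dane`, so the probe's exit status rests entirely on code outside this change; if the binary parses arguments with the standard `flag` package and has no such flag, every probe exits 2 and after the three configured retries Docker reports the container unhealthy. The image is `FROM scratch` (that stage's header sits outside the hunk) with `USER 65534:65534`, so the probe has no shell or curl to fall back on and runs unprivileged like the server, which is the right shape but worth recording next to the instruction, e.g. `# scratch image, no shell: the binary itself must implement -healthcheck, exiting 0 only when the local listener (presumably :8080) answers; it runs as UID 65534 like the server`. If `-healthcheck` does more than a local request, say live DNS or TLS probing of targets, a 3s timeout will flap under normal network jitter; I cannot tell from here what it checks, so please confirm.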
@@ -194,7 +194,7 @@ func proposedTLSA(t TargetResult, p *tls.TLSProbe) string {
 tmpl.Selector = r.Selector
 tmpl.MatchingType = r.MatchingType
 // Suggesting Full (matching type 0) inline as a zone fragment is
- // not useful — collapse to SHA-256 of the same selector, which is
+ // not useful: collapse to SHA-256 of the same selector, which is
 // what operators publish in practice.
 if tmpl.MatchingType == MatchingFull {
 tmpl.MatchingType = MatchingSHA256
diff --git a/checker/rules_records.go b/checker/rules_records.go
index dfe8854..0a4ba39 100644
--- a/checker/rules_records.go
+++ b/checker/rules_records.go
@@ -66,7 +66,7 @@ func (r *hasRecordsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter
 // evaluating were fetched over a DNSSEC-validated path. Without DNSSEC,
 // DANE is a downgrade primitive: an on-path attacker can forge TLSA
 // answers and any "match" the rest of the rules report is meaningless.
-// The rule only emits when the collector recorded a validation status —
+// The rule only emits when the collector recorded a validation status:
 // in managed mode the records come from the user's authoritative zone
 // config and DNSSEC posture is checked by a different checker.
 type dnssecValidatedRule struct{}
diff --git a/go.mod b/go.mod
index 318b0a6..6c145b8 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module git.happydns.org/checker-dane
 go 1.25.0
 
 require (
- git.happydns.org/checker-sdk-go v1.4.0
+ git.happydns.org/checker-sdk-go v1.5.0
 git.happydns.org/checker-tls v0.6.1
 github.com/miekg/dns v1.1.72
 )
diff --git a/go.sum b/go.sum
index f00160f..5c2f154 100644
--- a/go.sum
+++ b/go.sum
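Review bot: The rewritten `+` line in the rules_records.go hunk now reads as though the clause after the colon defines "validation status", when it actually explains the case in which no status is recorded, so the doc comment on `dnssecValidatedRule` (which begins above the hunk) loses the thread of the downgrade argument it just made. A semicolon with an explicit subject keeps it straight: `// The rule only emits when the collector recorded a validation status; it` / `// stays silent in managed mode, where the records come from the user's authoritative` / `// zone config and DNSSEC posture is checked by a different checker.` Given the preceding sentences call unvalidated DANE a downgrade primitive, it would also help to state that silence means "not assessed by this rule", not "validated", so a reader of the report does not take a missing finding as a pass; I cannot see from the hunk how an absent finding is rendered, so that wording should be checked against the reporter.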
@@ -1,5 +1,5 @@
-git.happydns.org/checker-sdk-go v1.4.0 h1:sO8EnF3suhNgYLRsbmCZWJOymH/oNMrOUqj3FEzJArs=
-git.happydns.org/checker-sdk-go v1.4.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
+git.happydns.org/checker-sdk-go v1.5.0 h1:5uD5Cm6xJ+lwnhbJ09iCXGHbYS9zRh+Yh0NeBHkAPBY=
+git.happydns.org/checker-sdk-go v1.5.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
 git.happydns.org/checker-tls v0.6.1 h1:YJp9Q+1aJZ6wATyUZbRh67ZtERN6Mp4Sje8ld2dNFuo=
 git.happydns.org/checker-tls v0.6.1/go.mod h1:9tpnxg0iOwS+7If64DRG1jqYonUAgxOBuxwfF5mVkL4=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=