Compare commits
No commits in common. "7b1eeb38dbea011e07304f4f19e99a3820565e7c" and "294a92619df0624bd3d9b0d5b647884ebfb169a7" have entirely different histories.
7b1eeb38db
...
294a92619d
8 changed files with 16 additions and 29 deletions
|
|
@ -12,6 +12,4 @@ FROM scratch
|
||||||
COPY --from=builder /checker-delegation /checker-delegation
|
COPY --from=builder /checker-delegation /checker-delegation
|
||||||
USER 65534:65534
|
USER 65534:65534
|
||||||
EXPOSE 8080
|
EXPOSE 8080
|
||||||
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
|
|
||||||
CMD ["/checker-delegation", "-healthcheck"]
|
|
||||||
ENTRYPOINT ["/checker-delegation"]
|
ENTRYPOINT ["/checker-delegation"]
|
||||||
|
|
|
||||||
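Review bot: The 294a92619d side of this hunk drops the `HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \` / `CMD ["/checker-delegation", "-healthcheck"]` pair while keeping `USER 65534:65534` and `EXPOSE 8080`, so the image no longer reports liveness to Docker or Compose and a hung or deadlocked process stays "running" until something outside the container notices. Whether the binary's `-healthcheck` flag still exists on that side is not visible here; if it does, keep the two lines, and if it was removed, the README's operational section should say how to probe the listener instead. The diffstat's two deletions on this file are otherwise the only trace of the change.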
|
|
@ -65,7 +65,7 @@ DNS queries to whatever name servers (and glue addresses) the parent
|
||||||
zone advertises for the target. It is meant to run on a trusted network,
|
zone advertises for the target. It is meant to run on a trusted network,
|
||||||
reachable only by the happyDomain instance that drives it. Restrict
|
reachable only by the happyDomain instance that drives it. Restrict
|
||||||
access via a reverse proxy with authentication, a network ACL, or by
|
access via a reverse proxy with authentication, a network ACL, or by
|
||||||
binding the listener to a private interface; do not expose it directly
|
binding the listener to a private interface — do not expose it directly
|
||||||
to the public internet.
|
to the public internet.
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
|
|
||||||
|
|
@ -248,3 +248,4 @@ func dsEqual(a, b *dns.DS) bool {
|
||||||
a.DigestType == b.DigestType &&
|
a.DigestType == b.DigestType &&
|
||||||
strings.EqualFold(a.Digest, b.Digest)
|
strings.EqualFold(a.Digest, b.Digest)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -9,9 +9,9 @@ import (
|
||||||
|
|
||||||
func TestDiffStringSets(t *testing.T) {
|
func TestDiffStringSets(t *testing.T) {
|
||||||
cases := []struct {
|
cases := []struct {
|
||||||
name string
|
name string
|
||||||
want, got []string
|
want, got []string
|
||||||
missing, extra []string
|
missing, extra []string
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "identical",
|
name: "identical",
|
||||||
|
|
|
||||||
|
|
@ -248,13 +248,6 @@ func (r *inBailiwickGlueRule) Evaluate(ctx context.Context, obs sdk.ObservationG
|
||||||
if errState != nil {
|
if errState != nil {
|
||||||
return errState
|
return errState
|
||||||
}
|
}
|
||||||
if len(data.ParentViews) == 0 {
|
|
||||||
return []sdk.CheckState{{
|
|
||||||
Status: sdk.StatusUnknown,
|
|
||||||
Code: "delegation_missing_glue",
|
|
||||||
Message: "no parent server was queried",
|
|
||||||
}}
|
|
||||||
}
|
|
||||||
var out []sdk.CheckState
|
var out []sdk.CheckState
|
||||||
for _, v := range data.ParentViews {
|
for _, v := range data.ParentViews {
|
||||||
if v.UDPNSError != "" {
|
if v.UDPNSError != "" {
|
||||||
|
|
@ -282,13 +275,8 @@ func (r *inBailiwickGlueRule) Evaluate(ctx context.Context, obs sdk.ObservationG
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if len(out) == 0 {
|
// No in-bailiwick NS means glue is not mandatory; stay silent rather
|
||||||
return []sdk.CheckState{{
|
// than advertising a check that doesn't apply.
|
||||||
Status: sdk.StatusOK,
|
|
||||||
Code: "delegation_missing_glue",
|
|
||||||
Message: "no in-bailiwick NS, glue not required",
|
|
||||||
}}
|
|
||||||
}
|
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
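Review bot: With the `if len(data.ParentViews) == 0` branch removed in the first hunk (file lines 248–260) and the `len(out) == 0` branch replaced by a comment in the second (lines 275–282), `Evaluate` returns a nil slice both when glue is genuinely not required and when no parent server was queried at all, so an empty or failed parent query becomes indistinguishable from a clean result. Silence is reasonable for the no-in-bailiwick-NS case the new comment describes, but the no-parent-view case is a check that applied and could not run, and it previously surfaced as `sdk.StatusUnknown` with code `delegation_missing_glue`. I would keep a guard on `data.ParentViews` (sketch below) so a consumer can tell "nothing to check" from "could not check"; the same concern presumably applies when every view is skipped via `v.UDPNSError`, though that loop body continues outside the hunk. `Evaluate` itself begins before the first hunk.
```go
	if len(data.ParentViews) == 0 {
		// The check applied but could not run: report Unknown rather than
		// returning nothing, which a consumer reads as "glue verified".
		return []sdk.CheckState{{
			Status:  sdk.StatusUnknown,
			Code:    "delegation_missing_glue",
			Message: "no parent server was queried",
		}}
	}
	var out []sdk.CheckState
	// … unchanged: per-parent-view glue evaluation …
```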
|
|
@ -109,9 +109,9 @@ func TestNSMatchesDeclaredRule(t *testing.T) {
|
||||||
DelegatedFQDN: "www.example.com.",
|
DelegatedFQDN: "www.example.com.",
|
||||||
DeclaredNS: []string{"ns1.example.net.", "ns2.example.net."},
|
DeclaredNS: []string{"ns1.example.net.", "ns2.example.net."},
|
||||||
ParentViews: []ParentView{
|
ParentViews: []ParentView{
|
||||||
{Server: "p1:53", NS: []string{"ns1.example.net.", "ns2.example.net."}}, // match
|
{Server: "p1:53", NS: []string{"ns1.example.net.", "ns2.example.net."}}, // match
|
||||||
{Server: "p2:53", NS: []string{"ns1.example.net.", "ns3.example.net."}}, // mismatch
|
{Server: "p2:53", NS: []string{"ns1.example.net.", "ns3.example.net."}}, // mismatch
|
||||||
{Server: "p3:53", UDPNSError: "timeout"}, // skipped
|
{Server: "p3:53", UDPNSError: "timeout"}, // skipped
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
states := evalRule(t, r, data, nil)
|
states := evalRule(t, r, data, nil)
|
||||||
|
|
@ -185,7 +185,7 @@ func TestUnnecessaryGlueRule(t *testing.T) {
|
||||||
func TestDSPresentAtParentRule_RequireDS(t *testing.T) {
|
func TestDSPresentAtParentRule_RequireDS(t *testing.T) {
|
||||||
r := &dsPresentAtParentRule{}
|
r := &dsPresentAtParentRule{}
|
||||||
data := &DelegationData{
|
data := &DelegationData{
|
||||||
DeclaredDS: []DSRecord{{KeyTag: 1, Algorithm: 8, DigestType: 2, Digest: "AAAA"}},
|
DeclaredDS: []DSRecord{{KeyTag: 1, Algorithm: 8, DigestType: 2, Digest: "AAAA"}},
|
||||||
ParentViews: []ParentView{{Server: "p:53"}}, // no DS at parent
|
ParentViews: []ParentView{{Server: "p:53"}}, // no DS at parent
|
||||||
}
|
}
|
||||||
t.Run("default is informational", func(t *testing.T) {
|
t.Run("default is informational", func(t *testing.T) {
|
||||||
|
|
@ -382,8 +382,8 @@ func TestDNSKEYMatchesDSRule_Match(t *testing.T) {
|
||||||
|
|
||||||
func TestDNSKEYMatchesDSRule_NoMatch(t *testing.T) {
|
func TestDNSKEYMatchesDSRule_NoMatch(t *testing.T) {
|
||||||
key := &dns.DNSKEY{
|
key := &dns.DNSKEY{
|
||||||
Hdr: dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeDNSKEY, Class: dns.ClassINET},
|
Hdr: dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeDNSKEY, Class: dns.ClassINET},
|
||||||
Flags: 257, Protocol: 3, Algorithm: dns.RSASHA256,
|
Flags: 257, Protocol: 3, Algorithm: dns.RSASHA256,
|
||||||
PublicKey: "AwEAAcMnWBKLuvG/LwnPVykcmpvnntwxfshHlHRhlY0F3oz8AMcuF8gw" +
|
PublicKey: "AwEAAcMnWBKLuvG/LwnPVykcmpvnntwxfshHlHRhlY0F3oz8AMcuF8gw" +
|
||||||
"2Ge56vG9oqVxTzHl4Ss2dEqCQOjFlOVo+pa3JwIO1lUzbQ==",
|
"2Ge56vG9oqVxTzHl4Ss2dEqCQOjFlOVo+pa3JwIO1lUzbQ==",
|
||||||
}
|
}
|
||||||
|
|
|
||||||
2
go.mod
2
go.mod
|
|
@ -3,7 +3,7 @@ module git.happydns.org/checker-delegation
|
||||||
go 1.25.0
|
go 1.25.0
|
||||||
|
|
||||||
require (
|
require (
|
||||||
git.happydns.org/checker-sdk-go v1.5.0
|
git.happydns.org/checker-sdk-go v1.4.0
|
||||||
github.com/miekg/dns v1.1.72
|
github.com/miekg/dns v1.1.72
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
||||||
4
go.sum
4
go.sum
|
|
@ -1,5 +1,5 @@
|
||||||
git.happydns.org/checker-sdk-go v1.5.0 h1:5uD5Cm6xJ+lwnhbJ09iCXGHbYS9zRh+Yh0NeBHkAPBY=
|
git.happydns.org/checker-sdk-go v1.4.0 h1:sO8EnF3suhNgYLRsbmCZWJOymH/oNMrOUqj3FEzJArs=
|
||||||
git.happydns.org/checker-sdk-go v1.5.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
|
git.happydns.org/checker-sdk-go v1.4.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
|
||||||
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
|
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
|
||||||
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||||
github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
|
github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
|
||||||
|
|
|
||||||