diff --git a/.drone-manifest.yml b/.drone-manifest.yml deleted file mode 100644 index 7abdc71..0000000 --- a/.drone-manifest.yml +++ /dev/null @@ -1,22 +0,0 @@ -image: happydomain/checker-delegation:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}} -{{#if build.tags}} -tags: -{{#each build.tags}} - - {{this}} -{{/each}} -{{/if}} -manifests: - - image: happydomain/checker-delegation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64 - platform: - architecture: amd64 - os: linux - - image: happydomain/checker-delegation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64 - platform: - architecture: arm64 - os: linux - variant: v8 - - image: happydomain/checker-delegation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm - platform: - architecture: arm - os: linux - variant: v7 diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index 2a27a9e..0000000 --- a/.drone.yml +++ /dev/null @@ -1,187 +0,0 @@ ---- -kind: pipeline -type: docker -name: build-amd64 - -platform: - os: linux - arch: amd64 - -steps: - - name: checker build - image: golang:1-alpine - commands: - - apk add --no-cache git make - - make - environment: - CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}" - CGO_ENABLED: 0 - when: - event: - exclude: - - tag - - - name: checker build tag - image: golang:1-alpine - commands: - - apk add --no-cache git make - - make - environment: - CHECKER_VERSION: "${DRONE_SEMVER}" - CGO_ENABLED: 0 - when: - event: - - tag - - - name: publish on Docker Hub - image: plugins/docker - settings: - repo: happydomain/checker-delegation - auto_tag: true - auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} - dockerfile: Dockerfile - build_args: - - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT} - username: - from_secret: docker_username - password: - from_secret: docker_password - when: - event: - exclude: - - tag - - - name: publish on Docker Hub (tag) - image: plugins/docker - settings: - repo: happydomain/checker-delegation - auto_tag: true - auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} - dockerfile: Dockerfile - build_args: - - CHECKER_VERSION=${DRONE_SEMVER} - username: - from_secret: docker_username - password: - from_secret: docker_password - when: - event: - - tag - -trigger: - branch: - exclude: - - renovate/* - event: - - cron - - push - - tag - ---- -kind: pipeline -type: docker -name: build-arm64 - -platform: - os: linux - arch: arm64 - -steps: - - name: checker build - image: golang:1-alpine - commands: - - apk add --no-cache git make - - make - environment: - CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}" - CGO_ENABLED: 0 - when: - event: - exclude: - - tag - - - name: checker build tag - image: golang:1-alpine - commands: - - apk add --no-cache git make - - make - environment: - CHECKER_VERSION: "${DRONE_SEMVER}" - CGO_ENABLED: 0 - when: - event: - - tag - - - name: publish on Docker Hub - image: plugins/docker - settings: - repo: happydomain/checker-delegation - auto_tag: true - auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} - dockerfile: Dockerfile - build_args: - - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT} - username: - from_secret: docker_username - password: - from_secret: docker_password - when: - event: - exclude: - - tag - - - name: publish on Docker Hub (tag) - image: plugins/docker - settings: - repo: happydomain/checker-delegation - auto_tag: true - auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} - dockerfile: Dockerfile - build_args: - - CHECKER_VERSION=${DRONE_SEMVER} - username: - from_secret: docker_username - password: - from_secret: docker_password - when: - event: - - tag - -trigger: - event: - - cron - - push - - tag - ---- -kind: pipeline -name: docker-manifest - -platform: - os: linux - arch: arm64 - -steps: - - name: publish on Docker Hub - image: plugins/manifest - settings: - auto_tag: true - ignore_missing: true - spec: .drone-manifest.yml - username: - from_secret: docker_username - password: - from_secret: docker_password - -trigger: - branch: - exclude: - - renovate/* - event: - - cron - - push - - tag - -depends_on: - - build-amd64 - - build-arm64 diff --git a/README.md b/README.md index c834f46..db0667f 100644 --- a/README.md +++ b/README.md @@ -77,36 +77,56 @@ to the public internet. | `minNameServers` | uint | `2` | Below this count, the delegation is reported as a warning (RFC 1034 recommends at least 2). | | `allowGlueMismatch` | bool | `false` | When disabled, glue/address mismatches between parent and child are reported as critical. | -## Rules +## Protocol -Each rule emits findings with a stable `code` so downstream consumers -can match on them deterministically. +### POST /collect -| Rule | Finding code | What it checks | -|------------------------------------------|--------------------------------------|---------------------------------------------------------------------------------------| -| `delegation_min_name_servers` | `delegation_too_few_ns` | The zone declares at least `minNameServers` NS records (RFC 1034 recommends ≥ 2). | -| `delegation_parent_discovered` | `delegation_no_parent_ns` | The parent zone and its authoritative name servers can be discovered. | -| `delegation_parent_ns_query` | `delegation_parent_query_failed` | Each parent name server answers the NS query for the delegated zone. | -| `delegation_parent_tcp` | `delegation_parent_tcp_failed` | Each parent name server is reachable over TCP (RFC 7766). | -| `delegation_ns_matches_declared` | `delegation_ns_mismatch` | The NS RRset at the parent matches the NS set declared by the service. | -| `delegation_in_bailiwick_glue` | `delegation_missing_glue` | In-bailiwick name servers have glue (A/AAAA) records at the parent. | -| `delegation_unnecessary_glue` | `delegation_unnecessary_glue` | Out-of-bailiwick name servers do not carry unnecessary glue at the parent. | -| `delegation_ds_query` | `delegation_ds_query_failed` | The DS RRset can be queried from the parent name servers. | -| `delegation_ds_matches_declared` | `delegation_ds_mismatch` | The DS RRset at the parent matches the DS set declared by the service. | -| `delegation_ds_present_at_parent` | `delegation_ds_missing` | DS records are present at the parent when DNSSEC is expected (gated by `requireDS`). | -| `delegation_ds_rrsig_validity` | `delegation_ds_rrsig_invalid` | The DS RRset is covered by a valid RRSIG at the parent. | -| `delegation_ns_resolvable` | `delegation_ns_unresolvable` | Each declared name server name resolves to at least one address. | -| `delegation_child_reachable` | `delegation_unreachable` | Each child name server answers DNS queries on its advertised addresses. | -| `delegation_child_authoritative` | `delegation_lame` | Each child name server is authoritative for the delegated zone (no lame delegation). | -| `delegation_child_soa_serial_drift` | `delegation_soa_serial_drift` | The SOA serial is consistent across all child name servers. | -| `delegation_child_tcp` | `delegation_tcp_failed` | Each child name server answers over TCP (gated by `requireTCP`). | -| `delegation_child_ns_matches_parent` | `delegation_ns_drift` | The NS RRset returned by each child matches the NS RRset at the parent. | -| `delegation_child_glue_matches_parent` | `delegation_glue_mismatch` | Glue addresses at the child match those at the parent (gated by `allowGlueMismatch`). | -| `delegation_dnskey_query` | `delegation_dnskey_query_failed` | The DNSKEY RRset can be queried from each child name server. | -| `delegation_dnskey_matches_ds` | `delegation_dnskey_no_match` | At least one DNSKEY at the child matches a DS digest published at the parent. | -| `delegation_ns_has_authoritative_answer` | `delegation_no_authoritative_answer` | Each child name server sets the AA flag in its answers for the zone. | +Request: +```json +{ + "key": "delegation", + "target": {"userId": "...", "domainId": "..."}, + "options": { + "domain_name": "example.com.", + "subdomain": "www", + "service": { "_svctype": "abstract.Delegation", "Service": { "ns": [...], "ds": [...] } } + } +} +``` + +Response: +```json +{ + "data": { + "delegated_fqdn": "www.example.com.", + "parent_zone": "example.com.", + "parent_ns": ["a.iana-servers.net.", "b.iana-servers.net."], + "advertised_ns": ["ns1.example.net.", "ns2.example.net."], + "advertised_glue": {}, + "parent_ds": [], + "child_serials": {"ns1.example.net.:53": 2026042401}, + "findings": [ + { + "code": "delegation_ns_mismatch", + "severity": "crit", + "message": "NS RRset at parent does not match declared service: missing=[ns3.example.net] extra=[]", + "server": "a.iana-servers.net.:53" + } + ] + } +} +``` + +Findings carry a stable `code` (e.g. `delegation_lame`, +`delegation_missing_glue`, `delegation_ds_mismatch`, +`delegation_soa_serial_drift`, `delegation_dnskey_no_match`, …) so that +downstream rules can match on them deterministically. ## License This project is licensed under the **MIT License** (see `LICENSE`), in line with the rest of the happyDomain checker ecosystem. + +The third-party Apache-2.0 attributions for `checker-sdk-go` are recorded +in `NOTICE` and must accompany any binary or source redistribution of this +project.