happyDomain/checker-delegation
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: happyDomain:v0.1.0
Branches Tags
happyDomain:master
happyDomain:v0.1.0
..
compare: happyDomain:master
Branches Tags
happyDomain:master
happyDomain:v0.1.0

2 commits
v0.1.0 ... master

Author SHA1 Message Date
Pierre-Olivier Mercier
c884f3f80a Add CI/CD pipeline
All checks were successful
continuous-integration/drone/push Build is passing
Details
2026-05-10 19:05:03 +08:00
Pierre-Olivier Mercier
392023fc80 Include rules in README 2026-04-29 22:46:24 +07:00
3 changed files with 237 additions and 48 deletions
Download patch file Download diff file Expand all files Collapse all files

22
.drone-manifest.yml Normal file
View file

@ -0,0 +1,22 @@
image: happydomain/checker-delegation:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
{{#if build.tags}}
tags:
{{#each build.tags}}
- {{this}}
{{/each}}
{{/if}}
manifests:
- image: happydomain/checker-delegation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
platform:
architecture: amd64
os: linux
- image: happydomain/checker-delegation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
platform:
architecture: arm64
os: linux
variant: v8
- image: happydomain/checker-delegation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm
platform:
architecture: arm
os: linux
variant: v7

187
.drone.yml Normal file
View file

@ -0,0 +1,187 @@
---
kind: pipeline
type: docker
name: build-amd64
platform:
os: linux
arch: amd64
steps:
- name: checker build
image: golang:1-alpine
commands:
- apk add --no-cache git make
- make
environment:
CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
CGO_ENABLED: 0
when:
event:
exclude:
- tag
- name: checker build tag
image: golang:1-alpine
commands:
- apk add --no-cache git make
- make
environment:
CHECKER_VERSION: "${DRONE_SEMVER}"
CGO_ENABLED: 0
when:
event:
- tag
- name: publish on Docker Hub
image: plugins/docker
settings:
repo: happydomain/checker-delegation
auto_tag: true
auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
dockerfile: Dockerfile
build_args:
- CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- tag
- name: publish on Docker Hub (tag)
image: plugins/docker
settings:
repo: happydomain/checker-delegation
auto_tag: true
auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
dockerfile: Dockerfile
build_args:
- CHECKER_VERSION=${DRONE_SEMVER}
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
- tag
trigger:
branch:
exclude:
- renovate/*
event:
- cron
- push
- tag
---
kind: pipeline
type: docker
name: build-arm64
platform:
os: linux
arch: arm64
steps:
- name: checker build
image: golang:1-alpine
commands:
- apk add --no-cache git make
- make
environment:
CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
CGO_ENABLED: 0
when:
event:
exclude:
- tag
- name: checker build tag
image: golang:1-alpine
commands:
- apk add --no-cache git make
- make
environment:
CHECKER_VERSION: "${DRONE_SEMVER}"
CGO_ENABLED: 0
when:
event:
- tag
- name: publish on Docker Hub
image: plugins/docker
settings:
repo: happydomain/checker-delegation
auto_tag: true
auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
dockerfile: Dockerfile
build_args:
- CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- tag
- name: publish on Docker Hub (tag)
image: plugins/docker
settings:
repo: happydomain/checker-delegation
auto_tag: true
auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
dockerfile: Dockerfile
build_args:
- CHECKER_VERSION=${DRONE_SEMVER}
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
- tag
trigger:
event:
- cron
- push
- tag
---
kind: pipeline
name: docker-manifest
platform:
os: linux
arch: arm64
steps:
- name: publish on Docker Hub
image: plugins/manifest
settings:
auto_tag: true
ignore_missing: true
spec: .drone-manifest.yml
username:
from_secret: docker_username
password:
from_secret: docker_password
trigger:
branch:
exclude:
- renovate/*
event:
- cron
- push
- tag
depends_on:
- build-amd64
- build-arm64

72
README.md
View file

@ -77,56 +77,36 @@ to the public internet.
| `minNameServers` | uint | `2` | Below this count, the delegation is reported as a warning (RFC 1034 recommends at least 2). | | `minNameServers` | uint | `2` | Below this count, the delegation is reported as a warning (RFC 1034 recommends at least 2). |
| `allowGlueMismatch` | bool | `false` | When disabled, glue/address mismatches between parent and child are reported as critical. | | `allowGlueMismatch` | bool | `false` | When disabled, glue/address mismatches between parent and child are reported as critical. |
## Protocol ## Rules
### POST /collect Each rule emits findings with a stable `code` so downstream consumers
can match on them deterministically.
Request: | Rule | Finding code | What it checks |
```json |------------------------------------------|--------------------------------------|---------------------------------------------------------------------------------------|
{ | `delegation_min_name_servers` | `delegation_too_few_ns` | The zone declares at least `minNameServers` NS records (RFC 1034 recommends ≥ 2). |
"key": "delegation", | `delegation_parent_discovered` | `delegation_no_parent_ns` | The parent zone and its authoritative name servers can be discovered. |
"target": {"userId": "...", "domainId": "..."}, | `delegation_parent_ns_query` | `delegation_parent_query_failed` | Each parent name server answers the NS query for the delegated zone. |
"options": { | `delegation_parent_tcp` | `delegation_parent_tcp_failed` | Each parent name server is reachable over TCP (RFC 7766). |
"domain_name": "example.com.", | `delegation_ns_matches_declared` | `delegation_ns_mismatch` | The NS RRset at the parent matches the NS set declared by the service. |
"subdomain": "www", | `delegation_in_bailiwick_glue` | `delegation_missing_glue` | In-bailiwick name servers have glue (A/AAAA) records at the parent. |
"service": { "_svctype": "abstract.Delegation", "Service": { "ns": [...], "ds": [...] } } | `delegation_unnecessary_glue` | `delegation_unnecessary_glue` | Out-of-bailiwick name servers do not carry unnecessary glue at the parent. |
} | `delegation_ds_query` | `delegation_ds_query_failed` | The DS RRset can be queried from the parent name servers. |
} | `delegation_ds_matches_declared` | `delegation_ds_mismatch` | The DS RRset at the parent matches the DS set declared by the service. |
``` | `delegation_ds_present_at_parent` | `delegation_ds_missing` | DS records are present at the parent when DNSSEC is expected (gated by `requireDS`). |
| `delegation_ds_rrsig_validity` | `delegation_ds_rrsig_invalid` | The DS RRset is covered by a valid RRSIG at the parent. |
Response: | `delegation_ns_resolvable` | `delegation_ns_unresolvable` | Each declared name server name resolves to at least one address. |
```json | `delegation_child_reachable` | `delegation_unreachable` | Each child name server answers DNS queries on its advertised addresses. |
{ | `delegation_child_authoritative` | `delegation_lame` | Each child name server is authoritative for the delegated zone (no lame delegation). |
"data": { | `delegation_child_soa_serial_drift` | `delegation_soa_serial_drift` | The SOA serial is consistent across all child name servers. |
"delegated_fqdn": "www.example.com.", | `delegation_child_tcp` | `delegation_tcp_failed` | Each child name server answers over TCP (gated by `requireTCP`). |
"parent_zone": "example.com.", | `delegation_child_ns_matches_parent` | `delegation_ns_drift` | The NS RRset returned by each child matches the NS RRset at the parent. |
"parent_ns": ["a.iana-servers.net.", "b.iana-servers.net."], | `delegation_child_glue_matches_parent` | `delegation_glue_mismatch` | Glue addresses at the child match those at the parent (gated by `allowGlueMismatch`). |
"advertised_ns": ["ns1.example.net.", "ns2.example.net."], | `delegation_dnskey_query` | `delegation_dnskey_query_failed` | The DNSKEY RRset can be queried from each child name server. |
"advertised_glue": {}, | `delegation_dnskey_matches_ds` | `delegation_dnskey_no_match` | At least one DNSKEY at the child matches a DS digest published at the parent. |
"parent_ds": [], | `delegation_ns_has_authoritative_answer` | `delegation_no_authoritative_answer` | Each child name server sets the AA flag in its answers for the zone. |
"child_serials": {"ns1.example.net.:53": 2026042401},
"findings": [
{
"code": "delegation_ns_mismatch",
"severity": "crit",
"message": "NS RRset at parent does not match declared service: missing=[ns3.example.net] extra=[]",
"server": "a.iana-servers.net.:53"
}
]
}
}
```
Findings carry a stable `code` (e.g. `delegation_lame`,
`delegation_missing_glue`, `delegation_ds_mismatch`,
`delegation_soa_serial_drift`, `delegation_dnskey_no_match`, …) so that
downstream rules can match on them deterministically.
## License ## License
This project is licensed under the **MIT License** (see `LICENSE`), in This project is licensed under the **MIT License** (see `LICENSE`), in
line with the rest of the happyDomain checker ecosystem. line with the rest of the happyDomain checker ecosystem.
The third-party Apache-2.0 attributions for `checker-sdk-go` are recorded
in `NOTICE` and must accompany any binary or source redistribution of this
project.