- Go 98.6%
- Makefile 0.8%
- Dockerfile 0.6%
Pierre-Olivier Mercier
715af92c55
The SDK split the HTTP server scaffolding into the new checker-sdk-go/checker/server subpackage and CheckRule.Evaluate now returns []CheckState. Update main.go to import server and call server.New, switch the rule and the package-level Evaluate helper to the new slice return type, and isolate the interactive form code behind the standalone build tag so plugin/builtin builds skip net/http and html/template entirely. |
||
|---|---|---|
| checker | ||
| plugin | ||
| .gitignore | ||
| Dockerfile | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| main.go | ||
| Makefile | ||
| README.md | ||
checker-delegation
DNS delegation checker for happyDomain.
Audits the delegation of a zone: NS consistency between parent and child,
glue correctness, DS / DNSKEY hand-off, TCP reachability, SOA serial drift,
and authoritativeness of each delegated server. Applies to services of type
abstract.Delegation.
Usage
Standalone HTTP server
# Build and run
make
./checker-delegation -listen :8080
The server exposes:
GET /health, health checkPOST /collect, collect delegation observations (happyDomain external checker protocol)
Docker
make docker
docker run -p 8080:8080 happydomain/checker-delegation
happyDomain plugin
make plugin
# produces checker-delegation.so, loadable by happyDomain as a Go plugin
The plugin exposes a NewCheckerPlugin symbol returning the checker
definition and observation provider, which happyDomain registers in its
global registries at load time.
Versioning
The binary, plugin, and Docker image embed a version string overridable at build time:
make CHECKER_VERSION=1.2.3
make plugin CHECKER_VERSION=1.2.3
make docker CHECKER_VERSION=1.2.3
happyDomain remote endpoint
Set the endpoint admin option for the delegation checker to the URL of
the running checker-delegation server (e.g.,
http://checker-delegation:8080). happyDomain will delegate observation
collection to this endpoint.
Options
| Option | Type | Default | Description |
|---|---|---|---|
requireDS |
bool | false |
When enabled, missing DS records at the parent are treated as critical (otherwise informational). |
requireTCP |
bool | true |
When enabled, name servers that fail to answer over TCP are reported as critical (otherwise warning). |
minNameServers |
uint | 2 |
Below this count, the delegation is reported as a warning (RFC 1034 recommends at least 2). |
allowGlueMismatch |
bool | false |
When disabled, glue/address mismatches between parent and child are reported as critical. |
Protocol
POST /collect
Request:
{
"key": "delegation",
"target": {"userId": "...", "domainId": "..."},
"options": {
"domain_name": "example.com.",
"subdomain": "www",
"service": { "_svctype": "abstract.Delegation", "Service": { "ns": [...], "ds": [...] } }
}
}
Response:
{
"data": {
"delegated_fqdn": "www.example.com.",
"parent_zone": "example.com.",
"parent_ns": ["a.iana-servers.net.", "b.iana-servers.net."],
"advertised_ns": ["ns1.example.net.", "ns2.example.net."],
"advertised_glue": {},
"parent_ds": [],
"child_serials": {"ns1.example.net.:53": 2026042401},
"findings": [
{
"code": "delegation_ns_mismatch",
"severity": "crit",
"message": "NS RRset at parent does not match declared service: missing=[ns3.example.net] extra=[]",
"server": "a.iana-servers.net.:53"
}
]
}
}
Findings carry a stable code (e.g. delegation_lame,
delegation_missing_glue, delegation_ds_mismatch,
delegation_soa_serial_drift, delegation_dnskey_no_match, …) so that
downstream rules can match on them deterministically.
License
This project is licensed under the MIT License (see LICENSE), in
line with the rest of the happyDomain checker ecosystem.
The third-party Apache-2.0 attributions for checker-sdk-go are recorded
in NOTICE and must accompany any binary or source redistribution of this
project.