Initial commit

2026-04-26 18:56:19 +07:00 · 2026-04-26 18:56:19 +07:00 · 5a632a3b30
commit 5a632a3b30
24 changed files with 2901 additions and 0 deletions
--- a/checker/definition.go
+++ b/checker/definition.go
@ -0,0 +1,118 @@
+package checker
+
+import (
+	"time"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+var Version = "built-in"
+
+func Definition() *sdk.CheckerDefinition {
+	def := &sdk.CheckerDefinition{
+		ID:      "dnssec",
+		Name:    "DNSSEC operational hygiene",
+		Version: Version,
+		Availability: sdk.CheckerAvailability{
+			ApplyToDomain: true,
+		},
+		ObservationKeys: []sdk.ObservationKey{ObservationKeyDNSSEC},
+		Options: sdk.CheckerOptionsDocumentation{
+			AdminOpts: []sdk.CheckerOptionDocumentation{
+				{
+					Id:          "resolver",
+					Type:        "string",
+					Label:       "Bootstrap resolver (host:port)",
+					Description: "Recursive resolver used to discover the apex name servers and to look up the parent DS. Defaults to /etc/resolv.conf.",
+				},
+			},
+			UserOpts: []sdk.CheckerOptionDocumentation{
+				{
+					Id:          "nsec3IterationsMax",
+					Type:        "uint",
+					Label:       "Maximum NSEC3 iterations",
+					Description: "RFC 9276 §3.1 sets the recommended ceiling at 0. Increase only if your signer cannot publish 0 yet.",
+					Default:     defaultNSEC3IterationsMax,
+				},
+				{
+					Id:          "nsec3IterationsSeverity",
+					Type:        "choice",
+					Label:       "Severity when NSEC3 iterations exceed the ceiling",
+					Choices:     []string{"warn", "crit"},
+					Default:     defaultNSEC3IterationsSeverityWarn,
+					Description: "Use 'crit' to enforce RFC 9276 strictly.",
+				},
+				{
+					Id:          "signatureFreshness",
+					Type:        "uint",
+					Label:       "RRSIG freshness WARN threshold (days)",
+					Description: "Warn when the closest RRSIG expires in fewer than this many days.",
+					Default:     defaultSignatureFreshnessDays,
+				},
+				{
+					Id:          "signatureFreshnessCrit",
+					Type:        "uint",
+					Label:       "RRSIG freshness CRIT threshold (days)",
+					Default:     defaultSignatureFreshnessCrit,
+				},
+				{
+					Id:          "minRSAKeySize",
+					Type:        "uint",
+					Label:       "Minimum RSA modulus size (bits)",
+					Default:     defaultMinRSAKeySize,
+				},
+				{
+					Id:          "requireSEP",
+					Type:        "bool",
+					Label:       "Require a KSK (DNSKEY with SEP bit)",
+					Default:     defaultRequireSEP,
+				},
+				{
+					Id:          "dnskeyTTLMin",
+					Type:        "uint",
+					Label:       "Minimum DNSKEY TTL (seconds)",
+					Default:     defaultDNSKEYTTLMinSec,
+				},
+			},
+			DomainOpts: []sdk.CheckerOptionDocumentation{
+				{
+					Id:       "domain_name",
+					Label:    "Zone apex",
+					AutoFill: sdk.AutoFillDomainName,
+				},
+			},
+		},
+		Rules: []sdk.CheckRule{
+			zoneSignedRule{},
+			dnskeyConsistentRule{},
+			dnskeyQueryOKRule{},
+
+			algorithmAllowedRule{},
+			algorithmModernRule{},
+			rsaKeySizeRule{},
+			kskPresentRule{},
+			dnskeyCountRule{},
+
+			rrsigPresentDNSKEYRule{},
+			rrsigPresentSOARule{},
+			rrsigValidityWindowRule{},
+			rrsigFreshnessRule{},
+
+			denialUsesNSEC3Rule{},
+			nsec3IterationsRule{},
+			nsec3SaltEmptyRule{},
+			nsec3OptOutRule{},
+			denialConsistentRule{},
+
+			dnskeyTTLMinRule{},
+		},
+		HasHTMLReport: true,
+		Interval: &sdk.CheckIntervalSpec{
+			Min:     5 * time.Minute,
+			Max:     24 * time.Hour,
+			Default: 1 * time.Hour,
+		},
+	}
+	def.BuildRulesInfo()
+	return def
+}