Initial commit

checker/rules_ttl.go

@@ -0,0 +1,41 @@
+package checker
+
+import (
+	"context"
+	"fmt"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+type dnskeyTTLMinRule struct{}
+
+func (dnskeyTTLMinRule) Name() string { return "dnssec_dnskey_ttl_min" }
+func (dnskeyTTLMinRule) Description() string {
+	return "Warns when the DNSKEY TTL is too short to be useful for caching."
+}
+
+func (dnskeyTTLMinRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts sdk.CheckerOptions) []sdk.CheckState {
+	data, errState := loadDNSSEC(ctx, obs)
+	if errState != nil {
+		return errState
+	}
+	if !hasAnyDNSKEY(data) {
+		return skipped("zone not signed")
+	}
+	minTTL := optionUint(opts, "dnskeyTTLMin", defaultDNSKEYTTLMinSec)
+
+	for _, name := range sortedServers(data) {
+		v := data.Servers[name]
+		if v.DNSKEYTTL == 0 {
+			continue
+		}
+		if uint(v.DNSKEYTTL) < minTTL {
+			return []sdk.CheckState{withMeta(sdk.CheckState{
+				Status:  sdk.StatusWarn,
+				Subject: name,
+				Message: fmt.Sprintf("DNSKEY TTL on %s = %ds (recommended ≥ %ds)", name, v.DNSKEYTTL, minTTL),
+			}, "Increase the DNSKEY TTL so resolvers cache the keys; short TTLs increase load and break key-rollover prepublish strategies.", "dnssec.dnskey_ttl_low")}
+		}
+	}
+	return okState(data.Domain, "DNSKEY TTL is at or above the recommended minimum")
+}