Each of the seven user options was read by exactly one rule, so expose them via CheckRuleWithOptions instead of the checker-wide UserOpts list. This keeps each rule's configuration colocated with its evaluation logic.
package checker
import (
"time"
sdk "git.happydns.org/checker-sdk-go/checker"
)
// Version is the version string reported by this checker; Definition copies
// it into CheckerDefinition.Version.
// NOTE(review): "built-in" looks like a default meant to be replaced at build
// time (e.g. via linker flags) for out-of-tree builds; confirm against the
// build scripts.
var Version = "built-in"
// Definition assembles the definition of the "dnssec" checker ("DNSSEC
// operational hygiene"), calls BuildRulesInfo on it and returns it.
//
// The definition applies to domains, consumes the ObservationKeyDNSSEC
// observation, and declares one admin option ("resolver") and one domain
// option ("domain_name"). No checker-wide UserOpts list is declared in this
// literal.
func Definition() *sdk.CheckerDefinition {
	// Declared under AdminOpts. Per its description, this resolver is used
	// both to discover the apex name servers and to look up the parent DS.
	// NOTE(review): whether answers obtained through this resolver are
	// DNSSEC-validated or taken on trust is not visible from this file.
	// Until confirmed, treat the configured resolver (and the network path
	// to it) as trusted infrastructure, since the DS record is what ties the
	// zone's keys to its parent.
	adminOpts := []sdk.CheckerOptionDocumentation{{
		Id:          "resolver",
		Type:        "string",
		Label:       "Bootstrap resolver (host:port)",
		Description: "Recursive resolver used to discover the apex name servers and to look up the parent DS. Defaults to /etc/resolv.conf.",
	}}

	// The zone apex is auto-filled from the domain the checker runs on.
	domainOpts := []sdk.CheckerOptionDocumentation{{
		Id:       "domain_name",
		Label:    "Zone apex",
		AutoFill: sdk.AutoFillDomainName,
	}}

	// Slice order is kept exactly as declared originally. The group labels
	// below only mirror the rule type names; the rules themselves are
	// defined elsewhere.
	rules := []sdk.CheckRule{
		// Zone signing and DNSKEY retrieval.
		zoneSignedRule{},
		dnskeyConsistentRule{},
		dnskeyQueryOKRule{},

		// Algorithms and key material.
		algorithmAllowedRule{},
		algorithmModernRule{},
		rsaKeySizeRule{},
		kskPresentRule{},
		dnskeyCountRule{},

		// RRSIG presence and timing.
		rrsigPresentDNSKEYRule{},
		rrsigPresentSOARule{},
		rrsigValidityWindowRule{},
		rrsigFreshnessRule{},

		// Denial of existence (NSEC/NSEC3).
		denialUsesNSEC3Rule{},
		nsec3IterationsRule{},
		nsec3SaltEmptyRule{},
		nsec3OptOutRule{},
		denialConsistentRule{},

		// DNSKEY TTL.
		dnskeyTTLMinRule{},
	}

	// Check interval bounds: 5 minutes to 24 hours, one hour by default.
	interval := &sdk.CheckIntervalSpec{
		Min:     5 * time.Minute,
		Max:     24 * time.Hour,
		Default: 1 * time.Hour,
	}

	def := &sdk.CheckerDefinition{
		ID:              "dnssec",
		Name:            "DNSSEC operational hygiene",
		Version:         Version,
		Availability:    sdk.CheckerAvailability{ApplyToDomain: true},
		ObservationKeys: []sdk.ObservationKey{ObservationKeyDNSSEC},
		Options: sdk.CheckerOptionsDocumentation{
			AdminOpts:  adminOpts,
			DomainOpts: domainOpts,
		},
		Rules:         rules,
		HasHTMLReport: true,
		Interval:      interval,
	}

	def.BuildRulesInfo()
	return def
}