checker: split monolithic rule into per-concern rules

checker/rules_ixfr.go

@@ -0,0 +1,57 @@
+package checker
+
+import (
+	"context"
+	"fmt"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// ixfrRule flags nameservers that answer IXFR queries with records, which
+// leaks incremental zone content to arbitrary clients.
+type ixfrRule struct{}
+
+func (r *ixfrRule) Name() string { return "ns_ixfr_refused" }
+func (r *ixfrRule) Description() string {
+	return "Verifies that IXFR zone transfers are refused by every authoritative nameserver"
+}
+
+func (r *ixfrRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	report, errSt := loadReport(ctx, obs, "ns_ixfr_error")
+	if errSt != nil {
+		return []sdk.CheckState{*errSt}
+	}
+
+	servers := probedServers(report)
+	if len(servers) == 0 {
+		return []sdk.CheckState{noProbesState("ns_ixfr_skipped")}
+	}
+
+	out := make([]sdk.CheckState, 0, len(servers))
+	for _, srv := range servers {
+		state := sdk.CheckState{
+			Subject: serverLabel(srv),
+			Meta:    serverMeta(srv),
+		}
+		switch {
+		case srv.IXFR.Error != "":
+			state.Status = sdk.StatusOK
+			state.Code = "ns_ixfr_ok"
+			state.Message = fmt.Sprintf("query failed: %s", srv.IXFR.Error)
+		case srv.IXFR.Rcode != "NOERROR":
+			state.Status = sdk.StatusOK
+			state.Code = "ns_ixfr_ok"
+			state.Message = fmt.Sprintf("IXFR refused (rcode=%s)", srv.IXFR.Rcode)
+		case srv.IXFR.AnswerCount > 0:
+			state.Status = sdk.StatusWarn
+			state.Code = "ns_ixfr_accepted"
+			state.Message = fmt.Sprintf("IXFR accepted with %d answer(s)", srv.IXFR.AnswerCount)
+		default:
+			state.Status = sdk.StatusOK
+			state.Code = "ns_ixfr_ok"
+			state.Message = "IXFR refused or empty"
+		}
+		out = append(out, state)
+	}
+	return out
+}