diff --git a/.drone-manifest.yml b/.drone-manifest.yml new file mode 100644 index 0000000..9188a06 --- /dev/null +++ b/.drone-manifest.yml @@ -0,0 +1,22 @@ +image: happydomain/checker-ptr:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}} +{{#if build.tags}} +tags: +{{#each build.tags}} + - {{this}} +{{/each}} +{{/if}} +manifests: + - image: happydomain/checker-ptr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64 + platform: + architecture: amd64 + os: linux + - image: happydomain/checker-ptr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64 + platform: + architecture: arm64 + os: linux + variant: v8 + - image: happydomain/checker-ptr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm + platform: + architecture: arm + os: linux + variant: v7 diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 0000000..e48d308 --- /dev/null +++ b/.drone.yml @@ -0,0 +1,187 @@ +--- +kind: pipeline +type: docker +name: build-amd64 + +platform: + os: linux + arch: amd64 + +steps: + - name: checker build + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}" + CGO_ENABLED: 0 + when: + event: + exclude: + - tag + + - name: checker build tag + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_SEMVER}" + CGO_ENABLED: 0 + when: + event: + - tag + + - name: publish on Docker Hub + image: plugins/docker + settings: + repo: happydomain/checker-ptr + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + exclude: + - tag + + - name: publish on Docker Hub (tag) + image: plugins/docker + settings: + repo: happydomain/checker-ptr + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_SEMVER} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + - tag + +trigger: + branch: + exclude: + - renovate/* + event: + - cron + - push + - tag + +--- +kind: pipeline +type: docker +name: build-arm64 + +platform: + os: linux + arch: arm64 + +steps: + - name: checker build + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}" + CGO_ENABLED: 0 + when: + event: + exclude: + - tag + + - name: checker build tag + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_SEMVER}" + CGO_ENABLED: 0 + when: + event: + - tag + + - name: publish on Docker Hub + image: plugins/docker + settings: + repo: happydomain/checker-ptr + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + exclude: + - tag + + - name: publish on Docker Hub (tag) + image: plugins/docker + settings: + repo: happydomain/checker-ptr + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_SEMVER} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + - tag + +trigger: + event: + - cron + - push + - tag + +--- +kind: pipeline +name: docker-manifest + +platform: + os: linux + arch: arm64 + +steps: + - name: publish on Docker Hub + image: plugins/manifest + settings: + auto_tag: true + ignore_missing: true + spec: .drone-manifest.yml + username: + from_secret: docker_username + password: + from_secret: docker_password + +trigger: + branch: + exclude: + - renovate/* + event: + - cron + - push + - tag + +depends_on: + - build-amd64 + - build-arm64 diff --git a/README.md b/README.md index 3211f18..2091f09 100644 --- a/README.md +++ b/README.md @@ -71,25 +71,21 @@ happyDomain will delegate observation collection to this endpoint. ## Rules -Each rule emits a finding code. Severity can be affected by the options above. - -| Code | Default severity | Condition | -|------|-----------------|-----------| -| `ptr_not_in_reverse_zone` | critical | The PTR owner is not under `in-addr.arpa` or `ip6.arpa`. | -| `ptr_owner_malformed` | critical | The reverse-arpa owner cannot be decoded back to an IP address. | -| `ptr_no_reverse_zone` | critical | The reverse zone serving the owner cannot be located (no SOA). | -| `ptr_query_failed` | critical | The PTR query failed (network error, timeout, unreachable authoritative server). | -| `ptr_rcode` | critical | The authoritative server returned a non-NOERROR rcode (typically NXDOMAIN). | -| `ptr_missing` | critical | No PTR record is served at the owner name. | -| `ptr_multiple` | warning | More than one PTR record exists at the same owner (RFC 1912 §2.1). Suppressed when `allowMultiplePTR` is enabled. | -| `ptr_declared_mismatch` | critical | The authoritative PTR target differs from the target declared in happyDomain. | -| `ptr_target_invalid` | critical | The PTR target is not a syntactically valid hostname (RFC 952/1123). | -| `ptr_generic_hostname` | warning | The PTR target embeds the IP or matches a common ISP auto-generated pattern. Only reported when `flagGenericPTR` is enabled. | -| `ptr_target_unresolvable` | critical / warning with `requireForwardMatch=false` | The PTR target has no A or AAAA record. | -| `ptr_forward_mismatch` | critical / warning with `requireForwardMatch=false` | The PTR target's A/AAAA does not include the original IP (FCrDNS check failed). | -| `ptr_ipv6_missing` | critical | An `ip6.arpa` owner has no PTR record. | -| `ptr_low_ttl` | warning | The observed PTR TTL is below `minTTL`. | -| `ptr_declared_low_ttl` | info | The declared PTR TTL is below `minTTL`. | +| Code | Description | Severity | +|----------------------------|----------------------------------------------------------------------------------------------------|----------| +| `ptr.in_reverse_arpa` | Verifies the PTR owner lies under in-addr.arpa or ip6.arpa. | CRITICAL | +| `ptr.owner_decodable` | Verifies the reverse-arpa owner name decodes back to an IP address. | CRITICAL | +| `ptr.reverse_zone_located` | Verifies the reverse zone serving the PTR owner can be located (SOA found). | CRITICAL | +| `ptr.query_succeeded` | Verifies the PTR query returns NOERROR from the authoritative servers. | CRITICAL | +| `ptr.record_present` | Verifies at least one PTR record is served at the owner name. | CRITICAL | +| `ptr.single_record` | Flags multiple PTR records on the same IP (RFC 1912 §2.1 recommends exactly one). | WARNING | +| `ptr.declared_match` | Verifies the PTR target served by the authoritative servers matches the declared target. | CRITICAL | +| `ptr.target_syntax_valid` | Verifies the PTR target is a syntactically valid hostname (RFC 952/1123). | CRITICAL | +| `ptr.generic_hostname` | Flags PTR targets that embed the IP or match common ISP auto-generated patterns. | WARNING | +| `ptr.target_resolves` | Verifies the PTR target resolves to at least one A or AAAA record. | CRITICAL | +| `ptr.fcrdns_match` | Verifies the PTR target's A/AAAA resolves back to the original IP (Forward-Confirmed Reverse DNS). | CRITICAL | +| `ptr.ipv6` | Reports whether the PTR concerns an IPv6 (ip6.arpa) address. | CRITICAL | +| `ptr.ttl_hygiene` | Verifies the PTR TTL is at or above the configured minimum. | WARNING | ## License