happyDomain/checker-ptr
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: happyDomain:master
Branches Tags
happyDomain:master
happyDomain:v0.1.0
..
compare: happyDomain:v0.1.0
Branches Tags
happyDomain:master
happyDomain:v0.1.0

No commits in common. "master" and "v0.1.0" have entirely different histories.
master ... v0.1.0

3 changed files with 19 additions and 224 deletions
Download patch file Download diff file Expand all files Collapse all files

22
.drone-manifest.yml
View file

@ -1,22 +0,0 @@
image: happydomain/checker-ptr:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
{{#if build.tags}}
tags:
{{#each build.tags}}
- {{this}}
{{/each}}
{{/if}}
manifests:
- image: happydomain/checker-ptr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
platform:
architecture: amd64
os: linux
- image: happydomain/checker-ptr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
platform:
architecture: arm64
os: linux
variant: v8
- image: happydomain/checker-ptr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm
platform:
architecture: arm
os: linux
variant: v7

187
.drone.yml
View file

@ -1,187 +0,0 @@
---
kind: pipeline
type: docker
name: build-amd64
platform:
os: linux
arch: amd64
steps:
- name: checker build
image: golang:1-alpine
commands:
- apk add --no-cache git make
- make
environment:
CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
CGO_ENABLED: 0
when:
event:
exclude:
- tag
- name: checker build tag
image: golang:1-alpine
commands:
- apk add --no-cache git make
- make
environment:
CHECKER_VERSION: "${DRONE_SEMVER}"
CGO_ENABLED: 0
when:
event:
- tag
- name: publish on Docker Hub
image: plugins/docker
settings:
repo: happydomain/checker-ptr
auto_tag: true
auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
dockerfile: Dockerfile
build_args:
- CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- tag
- name: publish on Docker Hub (tag)
image: plugins/docker
settings:
repo: happydomain/checker-ptr
auto_tag: true
auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
dockerfile: Dockerfile
build_args:
- CHECKER_VERSION=${DRONE_SEMVER}
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
- tag
trigger:
branch:
exclude:
- renovate/*
event:
- cron
- push
- tag
---
kind: pipeline
type: docker
name: build-arm64
platform:
os: linux
arch: arm64
steps:
- name: checker build
image: golang:1-alpine
commands:
- apk add --no-cache git make
- make
environment:
CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
CGO_ENABLED: 0
when:
event:
exclude:
- tag
- name: checker build tag
image: golang:1-alpine
commands:
- apk add --no-cache git make
- make
environment:
CHECKER_VERSION: "${DRONE_SEMVER}"
CGO_ENABLED: 0
when:
event:
- tag
- name: publish on Docker Hub
image: plugins/docker
settings:
repo: happydomain/checker-ptr
auto_tag: true
auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
dockerfile: Dockerfile
build_args:
- CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- tag
- name: publish on Docker Hub (tag)
image: plugins/docker
settings:
repo: happydomain/checker-ptr
auto_tag: true
auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
dockerfile: Dockerfile
build_args:
- CHECKER_VERSION=${DRONE_SEMVER}
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
- tag
trigger:
event:
- cron
- push
- tag
---
kind: pipeline
name: docker-manifest
platform:
os: linux
arch: arm64
steps:
- name: publish on Docker Hub
image: plugins/manifest
settings:
auto_tag: true
ignore_missing: true
spec: .drone-manifest.yml
username:
from_secret: docker_username
password:
from_secret: docker_password
trigger:
branch:
exclude:
- renovate/*
event:
- cron
- push
- tag
depends_on:
- build-amd64
- build-arm64

34
README.md
View file

@ -71,21 +71,25 @@ happyDomain will delegate observation collection to this endpoint.
## Rules
| Code | Description | Severity |
|----------------------------|----------------------------------------------------------------------------------------------------|----------|
| `ptr.in_reverse_arpa` | Verifies the PTR owner lies under in-addr.arpa or ip6.arpa. | CRITICAL |
| `ptr.owner_decodable` | Verifies the reverse-arpa owner name decodes back to an IP address. | CRITICAL |
| `ptr.reverse_zone_located` | Verifies the reverse zone serving the PTR owner can be located (SOA found). | CRITICAL |
| `ptr.query_succeeded` | Verifies the PTR query returns NOERROR from the authoritative servers. | CRITICAL |
| `ptr.record_present` | Verifies at least one PTR record is served at the owner name. | CRITICAL |
| `ptr.single_record` | Flags multiple PTR records on the same IP (RFC 1912 §2.1 recommends exactly one). | WARNING |
| `ptr.declared_match` | Verifies the PTR target served by the authoritative servers matches the declared target. | CRITICAL |
| `ptr.target_syntax_valid` | Verifies the PTR target is a syntactically valid hostname (RFC 952/1123). | CRITICAL |
| `ptr.generic_hostname` | Flags PTR targets that embed the IP or match common ISP auto-generated patterns. | WARNING |
| `ptr.target_resolves` | Verifies the PTR target resolves to at least one A or AAAA record. | CRITICAL |
| `ptr.fcrdns_match` | Verifies the PTR target's A/AAAA resolves back to the original IP (Forward-Confirmed Reverse DNS). | CRITICAL |
| `ptr.ipv6` | Reports whether the PTR concerns an IPv6 (ip6.arpa) address. | CRITICAL |
| `ptr.ttl_hygiene` | Verifies the PTR TTL is at or above the configured minimum. | WARNING |
Each rule emits a finding code. Severity can be affected by the options above.
| Code | Default severity | Condition |
|------|-----------------|-----------|
| `ptr_not_in_reverse_zone` | critical | The PTR owner is not under `in-addr.arpa` or `ip6.arpa`. |
| `ptr_owner_malformed` | critical | The reverse-arpa owner cannot be decoded back to an IP address. |
| `ptr_no_reverse_zone` | critical | The reverse zone serving the owner cannot be located (no SOA). |
| `ptr_query_failed` | critical | The PTR query failed (network error, timeout, unreachable authoritative server). |
| `ptr_rcode` | critical | The authoritative server returned a non-NOERROR rcode (typically NXDOMAIN). |
| `ptr_missing` | critical | No PTR record is served at the owner name. |
| `ptr_multiple` | warning | More than one PTR record exists at the same owner (RFC 1912 §2.1). Suppressed when `allowMultiplePTR` is enabled. |
| `ptr_declared_mismatch` | critical | The authoritative PTR target differs from the target declared in happyDomain. |
| `ptr_target_invalid` | critical | The PTR target is not a syntactically valid hostname (RFC 952/1123). |
| `ptr_generic_hostname` | warning | The PTR target embeds the IP or matches a common ISP auto-generated pattern. Only reported when `flagGenericPTR` is enabled. |
| `ptr_target_unresolvable` | critical / warning with `requireForwardMatch=false` | The PTR target has no A or AAAA record. |
| `ptr_forward_mismatch` | critical / warning with `requireForwardMatch=false` | The PTR target's A/AAAA does not include the original IP (FCrDNS check failed). |
| `ptr_ipv6_missing` | critical | An `ip6.arpa` owner has no PTR record. |
| `ptr_low_ttl` | warning | The observed PTR TTL is below `minTTL`. |
| `ptr_declared_low_ttl` | info | The declared PTR TTL is below `minTTL`. |
## License