From 46d4bb2b4944bebecc383c8bd3f9eabc7279f7a0 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier <nemunaire@nemunai.re>
Date: Thu, 30 Apr 2026 08:49:15 +0700
Subject: [PATCH] Update rules section

---
 README.md | 32 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 18 deletions(-)

diff --git a/README.md b/README.md
index 66f6de4..ff5bf13 100644
--- a/README.md
+++ b/README.md
@@ -82,24 +82,20 @@ apex / NS configuration).
 
 ## Rules
 
-Each rule emits a finding code. Severity can be affected by the options above.
-
-| Code                          | Default severity | Condition |
-|-------------------------------|------------------|-----------|
-| `rprop_no_resolvers`          | critical         | The current option set selects no resolver from the catalog. |
-| `rprop_all_resolvers_down`    | critical         | Every selected resolver failed to answer (likely no DNS connectivity from the checker host). |
-| `rprop_resolver_unreachable`  | warning          | An individual resolver failed to answer within the run budget. |
-| `rprop_resolver_high_latency` | info             | A resolver's average response time exceeds `latencyThresholdMs`. |
-| `rprop_resolver_filtered_hit` | info             | A filtered resolver returned a different answer than the consensus (typical blocklist behaviour). Only when `includeFiltered` is enabled. |
-| `rprop_partial_propagation`   | warning          | Public resolvers disagree on the answer for a probed RRset. |
-| `rprop_answer_drift`          | critical         | The public consensus differs from the answer served by the zone's authoritative nameservers. |
-| `rprop_unexpected_nxdomain`   | critical         | Some resolvers return NXDOMAIN while others return NOERROR for the same RRset. |
-| `rprop_unexpected_servfail`   | critical         | A resolver returns SERVFAIL (usually a DNSSEC or reachability failure). |
-| `rprop_regional_split`        | warning          | Every resolver of a region agrees on an answer that differs from the global consensus. |
-| `rprop_serial_drift`          | warning          | Unfiltered resolvers disagree on the SOA serial. |
-| `rprop_stale_cache`           | info             | A resolver still serves an SOA serial below the one last observed by happyDomain. |
-| `rprop_dnssec_failure`        | critical         | A validating resolver fails to validate the zone's DNSSEC chain (returns SERVFAIL with AD/CD semantics). |
-| `rprop_dnssec_not_validated`  | info             | A validating resolver answered without setting AD on a signed zone. |
+| Code                                         | Description                                                                                                       | Severity            |
+|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------|
+| `resolver_propagation.selection`             | Checks that the current option set selects at least one public resolver.                                          | CRITICAL            |
+| `resolver_propagation.reachable`             | Checks that at least one selected resolver answered a query.                                                      | CRITICAL            |
+| `resolver_propagation.latency`               | Flags resolvers that are unreachable or whose average response time exceeds the configured threshold.             | WARNING             |
+| `resolver_propagation.filtered_hit`          | Reports filtered resolvers returning a different answer than the consensus (typical blocklist behaviour).         | INFO                |
+| `resolver_propagation.consensus`             | Checks that public resolvers agree on a single answer for each probed RRset.                                      | WARNING             |
+| `resolver_propagation.matches_authoritative` | Checks that the public consensus matches the answer served by the zone's authoritative nameservers.               | CRITICAL            |
+| `resolver_propagation.nxdomain`              | Flags RRsets for which some resolvers return NXDOMAIN while others return NOERROR.                                | CRITICAL            |
+| `resolver_propagation.servfail`              | Flags RRsets for which any resolver returns SERVFAIL (usually DNSSEC or reachability failure).                    | CRITICAL            |
+| `resolver_propagation.regional_split`        | Flags regions in which every resolver agrees on an answer that differs from the global consensus.                 | WARNING             |
+| `resolver_propagation.serial_drift`          | Flags disagreement on the SOA serial across unfiltered resolvers.                                                 | WARNING             |
+| `resolver_propagation.stale_cache`           | Flags resolvers still serving an SOA serial below the one saved by happyDomain.                                   | INFO                |
+| `resolver_propagation.dnssec`                | Checks that validating resolvers successfully validate the zone's DNSSEC chain.                                   | CRITICAL            |
 
 ## License