Derive probed record types from the working zone

Stop blindly probing a fixed list (which always included CAA): read the
auto-filled zone and only probe the RR types each owner actually has,
keeping SOA/NS at the apex. The recordTypes option still works as an
explicit override; missing zone falls back to the legacy default.

README.md

@@ -71,7 +71,7 @@ apex / NS configuration).
 
 | Id                    | Type   | Default                       | Description                                                                                                            |
 |-----------------------|--------|-------------------------------|------------------------------------------------------------------------------------------------------------------------|
-| `recordTypes`         | string | `SOA,NS,A,AAAA,MX,TXT,CAA`    | Comma-separated list of RR types to probe at the apex (and at each `subdomains` entry).                                |
+| `recordTypes`         | string | _derived from zone_           | Comma-separated list of RR types to probe at every owner. Leave empty to derive the list from the working zone (SOA/NS at the apex plus whatever RR types are defined on each owner). |
 | `subdomains`          | string | `www`                         | Comma-separated list of owner names to probe in addition to the apex (e.g. `www,mail,@`). Empty = apex only.           |
 | `includeFiltered`     | bool   | `false`                       | Probe filtering resolvers (malware/family/adblock). Their answers routinely diverge by design.                         |
 | `region`              | string | `all`                         | Restrict to a region: `all`, `global`, `na`, `eu`, `asia`, `ru`, `me`.                                                 |

checker/collect.go

@@ -34,7 +34,7 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec
 	includeFiltered := sdk.GetBoolOption(opts, "includeFiltered", false)
 	region := getStringOpt(opts, "region", "all")
 	transportsOpt := getStringOpt(opts, "transports", "udp")
-	recordTypesOpt := getStringOpt(opts, "recordTypes", "SOA,NS,A,AAAA,MX,TXT,CAA")
+	recordTypesOpt := getStringOpt(opts, "recordTypes", "")
 	subdomainsOpt := getStringOpt(opts, "subdomains", "")
 	runTimeoutS := sdk.GetIntOption(opts, "runTimeoutSeconds", 30)
 	allowlistOpt := getStringOpt(opts, "resolverAllowlist", "")
@@ -44,15 +44,12 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec
 	if len(transports) == 0 {
 		transports = []string{string(TransportUDP)}
 	}
-	qtypes := parseQTypes(recordTypesOpt)
-	if len(qtypes) == 0 {
-		return nil, fmt.Errorf("no valid record types in %q", recordTypesOpt)
-	}
 	extraNames := parseCSV(subdomainsOpt)
 	allowlist := parseCSV(allowlistOpt)
 
 	// Build the list of owner names to probe.
-	names := []string{dns.Fqdn(zone)}
+	apex := dns.Fqdn(zone)
+	names := []string{apex}
 	seenName := map[string]bool{names[0]: true}
 	for _, sd := range extraNames {
 		full := joinSubdomain(sd, zone)
@@ -62,12 +59,20 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec
 		}
 	}
 
+	// Pick the RR types to probe at each owner. An explicit recordTypes
+	// option overrides everything; otherwise we derive the per-owner type
+	// set from the working zone (when the host auto-filled it).
+	ownerQTypes, typeUnion, err := resolveQTypes(opts, recordTypesOpt, apex, names)
+	if err != nil {
+		return nil, err
+	}
+
 	resolvers := selectedResolvers(includeFiltered, region, allowlist)
 
 	data := &ResolverPropagationData{
 		Zone:      dns.Fqdn(zone),
 		Names:     names,
-		Types:     qtypeNames(qtypes),
+		Types:     qtypeNames(typeUnion),
 		Resolvers: map[string]*ResolverView{},
 		RRsets:    map[string]*RRsetView{},
 	}
@@ -88,10 +93,10 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec
 	started := time.Now()
 
 	// Ground truth from the zone's own authoritative servers.
-	expected := collectExpected(runCtx, zone, svc, names, qtypes)
+	expected := collectExpectedPerOwner(runCtx, zone, svc, ownerQTypes)
 
 	for _, n := range names {
-		for _, qt := range qtypes {
+		for _, qt := range ownerQTypes[n] {
 			key := rrsetKey(n, dns.TypeToString[qt])
 			v := &RRsetView{
 				Name: strings.ToLower(dns.Fqdn(n)),
@@ -158,7 +163,7 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec
 			}
 
 			for _, n := range names {
-				for _, qt := range qtypes {
+				for _, qt := range ownerQTypes[n] {
 					probe := runProbe(runCtx, job.r, job.tr, n, qt)
 					key := rrsetKey(n, dns.TypeToString[qt])
 					view.Probes[key] = probe
@@ -207,7 +212,7 @@ type expectedEntry struct {
 	records []string
 }
 
-func collectExpected(ctx context.Context, zone string, svc *originService, names []string, qtypes []uint16) map[string]*expectedEntry {
+func collectExpectedPerOwner(ctx context.Context, zone string, svc *originService, ownerQTypes map[string][]uint16) map[string]*expectedEntry {
 	out := map[string]*expectedEntry{}
 
 	var nsHosts []string
@@ -244,7 +249,7 @@ func collectExpected(ctx context.Context, zone string, svc *originService, names
 		return out
 	}
 
-	for _, n := range names {
+	for n, qtypes := range ownerQTypes {
 		for _, qt := range qtypes {
 			key := rrsetKey(n, dns.TypeToString[qt])
 			if e := queryAuthoritative(ctx, authAddrs, n, qt); e != nil {

checker/definition.go

@@ -32,8 +32,7 @@ func (p *resolverPropagationProvider) Definition() *sdk.CheckerDefinition {
 					Id:          "recordTypes",
 					Type:        "string",
 					Label:       "Record types to probe",
-					Description: "Comma-separated list of RR types. The checker probes every listed type at the zone apex (and at each 'subdomains' entry).",
-					Default:     "SOA,NS,A,AAAA,MX,TXT,CAA",
+					Description: "Comma-separated list of RR types to probe at every owner (apex + each 'subdomains' entry). Leave empty to derive the list from the working zone (SOA/NS at the apex plus whatever RR types are actually defined on each owner).",
 				},
 				{
 					Id:          "subdomains",
@@ -92,6 +91,12 @@ func (p *resolverPropagationProvider) Definition() *sdk.CheckerDefinition {
 					Label:    "Zone name",
 					AutoFill: sdk.AutoFillDomainName,
 				},
+				{
+					Id:       "zone",
+					Label:    "Zone",
+					AutoFill: sdk.AutoFillZone,
+					Hide:     true,
+				},
 			},
 			ServiceOpts: []sdk.CheckerOptionDocumentation{
 				{

checker/zone.go

@@ -0,0 +1,188 @@
+package checker
+
+import (
+	"encoding/json"
+	"sort"
+	"strings"
+
+	"github.com/miekg/dns"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// rawZone is the minimal slice of happyDomain's Zone JSON we consume to
+// derive the RR types actually present at each owner. It mirrors the
+// shape used by sibling checkers (see checker-legacy-records).
+type rawZone struct {
+	DomainName string                  `json:"domain_name,omitempty"`
+	Services   map[string][]rawService `json:"services"`
+}
+
+type rawService struct {
+	Type    string          `json:"_svctype"`
+	Domain  string          `json:"_domain"`
+	Service json.RawMessage `json:"Service"`
+}
+
+// fallbackQTypes is the legacy default applied when no zone is available
+// and the user did not set recordTypes explicitly.
+var fallbackQTypes = []uint16{
+	dns.TypeSOA, dns.TypeNS, dns.TypeA, dns.TypeAAAA,
+	dns.TypeMX, dns.TypeTXT, dns.TypeCAA,
+}
+
+// resolveQTypes returns the RR types to probe at each owner name plus the
+// union across all owners (for reporting/metrics).
+//
+// Precedence:
+//  1. Explicit "recordTypes" option → apply that list to every owner.
+//  2. Auto-filled "zone" option → derive per-owner types from the zone's
+//     services. The apex always carries SOA+NS even if the zone payload
+//     omits them. Owners with no derivable types fall back to A,AAAA so
+//     the probe still surfaces NXDOMAIN drift for user-requested
+//     subdomains that are not present in the zone.
+//  3. Neither → use the legacy default at every owner.
+func resolveQTypes(opts sdk.CheckerOptions, recordTypesOpt, apex string, names []string) (map[string][]uint16, []uint16, error) {
+	if recordTypesOpt != "" {
+		qts := parseQTypes(recordTypesOpt)
+		if len(qts) == 0 {
+			return nil, nil, &invalidTypesError{raw: recordTypesOpt}
+		}
+		return uniformOwnerQTypes(names, qts), qts, nil
+	}
+
+	zone, _ := readWorkingZone(opts)
+	if zone == nil {
+		return uniformOwnerQTypes(names, fallbackQTypes), append([]uint16(nil), fallbackQTypes...), nil
+	}
+
+	owner := map[string]map[uint16]bool{}
+	for _, n := range names {
+		owner[n] = map[uint16]bool{}
+	}
+
+	for sub, services := range zone.Services {
+		full := joinSubdomain(sub, apex)
+		set, ok := owner[full]
+		if !ok {
+			continue
+		}
+		for _, svc := range services {
+			for _, qt := range typesFromService(svc) {
+				set[qt] = true
+			}
+		}
+	}
+
+	// SOA + NS at apex are foundational; the rules depend on them.
+	apexLower := strings.ToLower(dns.Fqdn(apex))
+	if set, ok := owner[apexLower]; ok {
+		set[dns.TypeSOA] = true
+		set[dns.TypeNS] = true
+	}
+
+	out := make(map[string][]uint16, len(names))
+	unionSet := map[uint16]bool{}
+	for _, n := range names {
+		set := owner[n]
+		if len(set) == 0 {
+			// Owner present in the probe list but unknown to the zone:
+			// keep a minimal probe so a missing-record finding can fire.
+			set = map[uint16]bool{dns.TypeA: true, dns.TypeAAAA: true}
+		}
+		qts := sortedTypes(set)
+		out[n] = qts
+		for _, qt := range qts {
+			unionSet[qt] = true
+		}
+	}
+	return out, sortedTypes(unionSet), nil
+}
+
+func uniformOwnerQTypes(names []string, qts []uint16) map[string][]uint16 {
+	out := make(map[string][]uint16, len(names))
+	for _, n := range names {
+		out[n] = qts
+	}
+	return out
+}
+
+func sortedTypes(set map[uint16]bool) []uint16 {
+	out := make([]uint16, 0, len(set))
+	for q := range set {
+		out = append(out, q)
+	}
+	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
+	return out
+}
+
+// readWorkingZone parses the "zone" auto-fill option. The host may pass
+// the value either as a native struct (in-process plugin) or as a JSON
+// object (HTTP path); we round-trip through JSON in both cases for a
+// single decoding path. A missing zone is not an error — standalone /
+// HTTP callers may simply not provide one.
+func readWorkingZone(opts sdk.CheckerOptions) (*rawZone, error) {
+	v, ok := opts["zone"]
+	if !ok || v == nil {
+		return nil, nil
+	}
+	raw, err := json.Marshal(v)
+	if err != nil {
+		return nil, err
+	}
+	z := &rawZone{}
+	if err := json.Unmarshal(raw, z); err != nil {
+		return nil, err
+	}
+	return z, nil
+}
+
+// typesFromService extracts every RR type referenced by a service body.
+// happyDomain service envelopes are opaque to us (the registry is in the
+// host), so we scan the JSON for any nested "Rrtype": <number> field —
+// every dns.RR_Header instance carries one, which catches MX, CAA,
+// orphan, CNAME, SRV, … without needing a per-service decoder.
+func typesFromService(svc rawService) []uint16 {
+	if len(svc.Service) == 0 {
+		return nil
+	}
+	var v any
+	if err := json.Unmarshal(svc.Service, &v); err != nil {
+		return nil
+	}
+	seen := map[uint16]bool{}
+	collectRrtypes(v, seen)
+	if len(seen) == 0 {
+		return nil
+	}
+	out := make([]uint16, 0, len(seen))
+	for q := range seen {
+		out = append(out, q)
+	}
+	return out
+}
+
+func collectRrtypes(v any, out map[uint16]bool) {
+	switch x := v.(type) {
+	case map[string]any:
+		for k, vv := range x {
+			if k == "Rrtype" {
+				if n, ok := vv.(float64); ok && n > 0 && n < 65536 {
+					out[uint16(n)] = true
+				}
+				continue
+			}
+			collectRrtypes(vv, out)
+		}
+	case []any:
+		for _, vv := range x {
+			collectRrtypes(vv, out)
+		}
+	}
+}
+
+type invalidTypesError struct{ raw string }
+
+func (e *invalidTypesError) Error() string {
+	return "no valid record types in \"" + e.raw + "\""
+}

checker/zone_test.go

@@ -0,0 +1,154 @@
+package checker
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/miekg/dns"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+func TestResolveQTypes_ExplicitOverride(t *testing.T) {
+	apex := "example.com."
+	names := []string{apex, "www.example.com."}
+
+	opts := sdk.CheckerOptions{
+		"zone": map[string]any{}, // ignored when recordTypes is set
+	}
+	owner, union, err := resolveQTypes(opts, "A,AAAA", apex, names)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	want := []uint16{dns.TypeA, dns.TypeAAAA}
+	for _, n := range names {
+		if !reflect.DeepEqual(owner[n], want) {
+			t.Errorf("owner[%s] = %v, want %v", n, owner[n], want)
+		}
+	}
+	if !reflect.DeepEqual(union, want) {
+		t.Errorf("union = %v, want %v", union, want)
+	}
+}
+
+func TestResolveQTypes_NoZoneNoOption(t *testing.T) {
+	apex := "example.com."
+	names := []string{apex}
+	owner, union, err := resolveQTypes(sdk.CheckerOptions{}, "", apex, names)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !reflect.DeepEqual(owner[apex], fallbackQTypes) {
+		t.Errorf("apex types = %v, want fallback %v", owner[apex], fallbackQTypes)
+	}
+	if len(union) != len(fallbackQTypes) {
+		t.Errorf("union len = %d, want %d", len(union), len(fallbackQTypes))
+	}
+}
+
+func TestResolveQTypes_FromZone_NoCAA(t *testing.T) {
+	apex := "example.com."
+	names := []string{apex}
+
+	// A zone with MX + TXT services at the apex, but no CAA.
+	zone := map[string]any{
+		"domain_name": "example.com",
+		"services": map[string]any{
+			"": []any{
+				map[string]any{
+					"_svctype": "svcs.MXs",
+					"_domain":  "example.com",
+					"Service": map[string]any{
+						"mx": []any{
+							map[string]any{
+								"Hdr": map[string]any{
+									"Name":   "example.com.",
+									"Rrtype": float64(dns.TypeMX),
+								},
+								"Mx":         "mail.example.com.",
+								"Preference": float64(10),
+							},
+						},
+					},
+				},
+				map[string]any{
+					"_svctype": "svcs.TXT",
+					"_domain":  "example.com",
+					"Service": map[string]any{
+						"Hdr": map[string]any{
+							"Name":   "example.com.",
+							"Rrtype": float64(dns.TypeTXT),
+						},
+						"Txt": []any{"v=spf1 -all"},
+					},
+				},
+			},
+		},
+	}
+	opts := sdk.CheckerOptions{"zone": zone}
+	owner, union, err := resolveQTypes(opts, "", apex, names)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	got := map[uint16]bool{}
+	for _, qt := range owner[apex] {
+		got[qt] = true
+	}
+	// Must have MX, TXT, plus the always-on SOA/NS.
+	for _, qt := range []uint16{dns.TypeSOA, dns.TypeNS, dns.TypeMX, dns.TypeTXT} {
+		if !got[qt] {
+			t.Errorf("apex missing %s", dns.TypeToString[qt])
+		}
+	}
+	// Must NOT include CAA (not in zone).
+	if got[dns.TypeCAA] {
+		t.Errorf("apex unexpectedly includes CAA: %v", owner[apex])
+	}
+	// Union should match the apex set (single owner).
+	if !reflect.DeepEqual(owner[apex], union) {
+		t.Errorf("union %v != apex %v", union, owner[apex])
+	}
+}
+
+func TestResolveQTypes_UnknownOwnerFallback(t *testing.T) {
+	apex := "example.com."
+	unknown := "www.example.com."
+	names := []string{apex, unknown}
+
+	zone := map[string]any{
+		"services": map[string]any{
+			// only apex services
+			"": []any{
+				map[string]any{
+					"_svctype": "abstract.Origin",
+					"_domain":  "example.com",
+					"Service": map[string]any{
+						"soa": map[string]any{
+							"Hdr": map[string]any{
+								"Name":   "example.com.",
+								"Rrtype": float64(dns.TypeSOA),
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	opts := sdk.CheckerOptions{"zone": zone}
+	owner, _, err := resolveQTypes(opts, "", apex, names)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	wantUnknown := []uint16{dns.TypeA, dns.TypeAAAA}
+	if !reflect.DeepEqual(owner[unknown], wantUnknown) {
+		t.Errorf("unknown owner types = %v, want %v", owner[unknown], wantUnknown)
+	}
+}
+
+func TestResolveQTypes_InvalidExplicit(t *testing.T) {
+	_, _, err := resolveQTypes(sdk.CheckerOptions{}, "nope,bogus", "example.com.", []string{"example.com."})
+	if err == nil {
+		t.Fatalf("expected error for invalid recordTypes")
+	}
+}