From 7d23348098ecb0fbbfdb38e3619a855f40e0a74b Mon Sep 17 00:00:00 2001 From: Pierre-Olivier Mercier Date: Mon, 25 May 2026 18:22:09 +0800 Subject: [PATCH] Derive probed record types from the working zone Stop blindly probing a fixed list (which always included CAA): read the auto-filled zone and only probe the RR types each owner actually has, keeping SOA/NS at the apex. The recordTypes option still works as an explicit override; missing zone falls back to the legacy default. --- README.md | 2 +- checker/collect.go | 29 ++++--- checker/definition.go | 9 +- checker/zone.go | 188 ++++++++++++++++++++++++++++++++++++++++++ checker/zone_test.go | 154 ++++++++++++++++++++++++++++++++++ 5 files changed, 367 insertions(+), 15 deletions(-) create mode 100644 checker/zone.go create mode 100644 checker/zone_test.go diff --git a/README.md b/README.md index ff5bf13..6078f6f 100644 --- a/README.md +++ b/README.md @@ -71,7 +71,7 @@ apex / NS configuration). | Id | Type | Default | Description | |-----------------------|--------|-------------------------------|------------------------------------------------------------------------------------------------------------------------| -| `recordTypes` | string | `SOA,NS,A,AAAA,MX,TXT,CAA` | Comma-separated list of RR types to probe at the apex (and at each `subdomains` entry). | +| `recordTypes` | string | _derived from zone_ | Comma-separated list of RR types to probe at every owner. Leave empty to derive the list from the working zone (SOA/NS at the apex plus whatever RR types are defined on each owner). | | `subdomains` | string | `www` | Comma-separated list of owner names to probe in addition to the apex (e.g. `www,mail,@`). Empty = apex only. | | `includeFiltered` | bool | `false` | Probe filtering resolvers (malware/family/adblock). Their answers routinely diverge by design. | | `region` | string | `all` | Restrict to a region: `all`, `global`, `na`, `eu`, `asia`, `ru`, `me`. | diff --git a/checker/collect.go b/checker/collect.go index defe6dd..e635696 100644 --- a/checker/collect.go +++ b/checker/collect.go @@ -34,7 +34,7 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec includeFiltered := sdk.GetBoolOption(opts, "includeFiltered", false) region := getStringOpt(opts, "region", "all") transportsOpt := getStringOpt(opts, "transports", "udp") - recordTypesOpt := getStringOpt(opts, "recordTypes", "SOA,NS,A,AAAA,MX,TXT,CAA") + recordTypesOpt := getStringOpt(opts, "recordTypes", "") subdomainsOpt := getStringOpt(opts, "subdomains", "") runTimeoutS := sdk.GetIntOption(opts, "runTimeoutSeconds", 30) allowlistOpt := getStringOpt(opts, "resolverAllowlist", "") @@ -44,15 +44,12 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec if len(transports) == 0 { transports = []string{string(TransportUDP)} } - qtypes := parseQTypes(recordTypesOpt) - if len(qtypes) == 0 { - return nil, fmt.Errorf("no valid record types in %q", recordTypesOpt) - } extraNames := parseCSV(subdomainsOpt) allowlist := parseCSV(allowlistOpt) // Build the list of owner names to probe. - names := []string{dns.Fqdn(zone)} + apex := dns.Fqdn(zone) + names := []string{apex} seenName := map[string]bool{names[0]: true} for _, sd := range extraNames { full := joinSubdomain(sd, zone) @@ -62,12 +59,20 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec } } + // Pick the RR types to probe at each owner. An explicit recordTypes + // option overrides everything; otherwise we derive the per-owner type + // set from the working zone (when the host auto-filled it). + ownerQTypes, typeUnion, err := resolveQTypes(opts, recordTypesOpt, apex, names) + if err != nil { + return nil, err + } + resolvers := selectedResolvers(includeFiltered, region, allowlist) data := &ResolverPropagationData{ Zone: dns.Fqdn(zone), Names: names, - Types: qtypeNames(qtypes), + Types: qtypeNames(typeUnion), Resolvers: map[string]*ResolverView{}, RRsets: map[string]*RRsetView{}, } @@ -88,10 +93,10 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec started := time.Now() // Ground truth from the zone's own authoritative servers. - expected := collectExpected(runCtx, zone, svc, names, qtypes) + expected := collectExpectedPerOwner(runCtx, zone, svc, ownerQTypes) for _, n := range names { - for _, qt := range qtypes { + for _, qt := range ownerQTypes[n] { key := rrsetKey(n, dns.TypeToString[qt]) v := &RRsetView{ Name: strings.ToLower(dns.Fqdn(n)), @@ -158,7 +163,7 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec } for _, n := range names { - for _, qt := range qtypes { + for _, qt := range ownerQTypes[n] { probe := runProbe(runCtx, job.r, job.tr, n, qt) key := rrsetKey(n, dns.TypeToString[qt]) view.Probes[key] = probe @@ -207,7 +212,7 @@ type expectedEntry struct { records []string } -func collectExpected(ctx context.Context, zone string, svc *originService, names []string, qtypes []uint16) map[string]*expectedEntry { +func collectExpectedPerOwner(ctx context.Context, zone string, svc *originService, ownerQTypes map[string][]uint16) map[string]*expectedEntry { out := map[string]*expectedEntry{} var nsHosts []string @@ -244,7 +249,7 @@ func collectExpected(ctx context.Context, zone string, svc *originService, names return out } - for _, n := range names { + for n, qtypes := range ownerQTypes { for _, qt := range qtypes { key := rrsetKey(n, dns.TypeToString[qt]) if e := queryAuthoritative(ctx, authAddrs, n, qt); e != nil { diff --git a/checker/definition.go b/checker/definition.go index 99376a0..dac7fb4 100644 --- a/checker/definition.go +++ b/checker/definition.go @@ -32,8 +32,7 @@ func (p *resolverPropagationProvider) Definition() *sdk.CheckerDefinition { Id: "recordTypes", Type: "string", Label: "Record types to probe", - Description: "Comma-separated list of RR types. The checker probes every listed type at the zone apex (and at each 'subdomains' entry).", - Default: "SOA,NS,A,AAAA,MX,TXT,CAA", + Description: "Comma-separated list of RR types to probe at every owner (apex + each 'subdomains' entry). Leave empty to derive the list from the working zone (SOA/NS at the apex plus whatever RR types are actually defined on each owner).", }, { Id: "subdomains", @@ -92,6 +91,12 @@ func (p *resolverPropagationProvider) Definition() *sdk.CheckerDefinition { Label: "Zone name", AutoFill: sdk.AutoFillDomainName, }, + { + Id: "zone", + Label: "Zone", + AutoFill: sdk.AutoFillZone, + Hide: true, + }, }, ServiceOpts: []sdk.CheckerOptionDocumentation{ { diff --git a/checker/zone.go b/checker/zone.go new file mode 100644 index 0000000..1e3e853 --- /dev/null +++ b/checker/zone.go @@ -0,0 +1,188 @@ +package checker + +import ( + "encoding/json" + "sort" + "strings" + + "github.com/miekg/dns" + + sdk "git.happydns.org/checker-sdk-go/checker" +) + +// rawZone is the minimal slice of happyDomain's Zone JSON we consume to +// derive the RR types actually present at each owner. It mirrors the +// shape used by sibling checkers (see checker-legacy-records). +type rawZone struct { + DomainName string `json:"domain_name,omitempty"` + Services map[string][]rawService `json:"services"` +} + +type rawService struct { + Type string `json:"_svctype"` + Domain string `json:"_domain"` + Service json.RawMessage `json:"Service"` +} + +// fallbackQTypes is the legacy default applied when no zone is available +// and the user did not set recordTypes explicitly. +var fallbackQTypes = []uint16{ + dns.TypeSOA, dns.TypeNS, dns.TypeA, dns.TypeAAAA, + dns.TypeMX, dns.TypeTXT, dns.TypeCAA, +} + +// resolveQTypes returns the RR types to probe at each owner name plus the +// union across all owners (for reporting/metrics). +// +// Precedence: +// 1. Explicit "recordTypes" option → apply that list to every owner. +// 2. Auto-filled "zone" option → derive per-owner types from the zone's +// services. The apex always carries SOA+NS even if the zone payload +// omits them. Owners with no derivable types fall back to A,AAAA so +// the probe still surfaces NXDOMAIN drift for user-requested +// subdomains that are not present in the zone. +// 3. Neither → use the legacy default at every owner. +func resolveQTypes(opts sdk.CheckerOptions, recordTypesOpt, apex string, names []string) (map[string][]uint16, []uint16, error) { + if recordTypesOpt != "" { + qts := parseQTypes(recordTypesOpt) + if len(qts) == 0 { + return nil, nil, &invalidTypesError{raw: recordTypesOpt} + } + return uniformOwnerQTypes(names, qts), qts, nil + } + + zone, _ := readWorkingZone(opts) + if zone == nil { + return uniformOwnerQTypes(names, fallbackQTypes), append([]uint16(nil), fallbackQTypes...), nil + } + + owner := map[string]map[uint16]bool{} + for _, n := range names { + owner[n] = map[uint16]bool{} + } + + for sub, services := range zone.Services { + full := joinSubdomain(sub, apex) + set, ok := owner[full] + if !ok { + continue + } + for _, svc := range services { + for _, qt := range typesFromService(svc) { + set[qt] = true + } + } + } + + // SOA + NS at apex are foundational; the rules depend on them. + apexLower := strings.ToLower(dns.Fqdn(apex)) + if set, ok := owner[apexLower]; ok { + set[dns.TypeSOA] = true + set[dns.TypeNS] = true + } + + out := make(map[string][]uint16, len(names)) + unionSet := map[uint16]bool{} + for _, n := range names { + set := owner[n] + if len(set) == 0 { + // Owner present in the probe list but unknown to the zone: + // keep a minimal probe so a missing-record finding can fire. + set = map[uint16]bool{dns.TypeA: true, dns.TypeAAAA: true} + } + qts := sortedTypes(set) + out[n] = qts + for _, qt := range qts { + unionSet[qt] = true + } + } + return out, sortedTypes(unionSet), nil +} + +func uniformOwnerQTypes(names []string, qts []uint16) map[string][]uint16 { + out := make(map[string][]uint16, len(names)) + for _, n := range names { + out[n] = qts + } + return out +} + +func sortedTypes(set map[uint16]bool) []uint16 { + out := make([]uint16, 0, len(set)) + for q := range set { + out = append(out, q) + } + sort.Slice(out, func(i, j int) bool { return out[i] < out[j] }) + return out +} + +// readWorkingZone parses the "zone" auto-fill option. The host may pass +// the value either as a native struct (in-process plugin) or as a JSON +// object (HTTP path); we round-trip through JSON in both cases for a +// single decoding path. A missing zone is not an error — standalone / +// HTTP callers may simply not provide one. +func readWorkingZone(opts sdk.CheckerOptions) (*rawZone, error) { + v, ok := opts["zone"] + if !ok || v == nil { + return nil, nil + } + raw, err := json.Marshal(v) + if err != nil { + return nil, err + } + z := &rawZone{} + if err := json.Unmarshal(raw, z); err != nil { + return nil, err + } + return z, nil +} + +// typesFromService extracts every RR type referenced by a service body. +// happyDomain service envelopes are opaque to us (the registry is in the +// host), so we scan the JSON for any nested "Rrtype": field — +// every dns.RR_Header instance carries one, which catches MX, CAA, +// orphan, CNAME, SRV, … without needing a per-service decoder. +func typesFromService(svc rawService) []uint16 { + if len(svc.Service) == 0 { + return nil + } + var v any + if err := json.Unmarshal(svc.Service, &v); err != nil { + return nil + } + seen := map[uint16]bool{} + collectRrtypes(v, seen) + if len(seen) == 0 { + return nil + } + out := make([]uint16, 0, len(seen)) + for q := range seen { + out = append(out, q) + } + return out +} + +func collectRrtypes(v any, out map[uint16]bool) { + switch x := v.(type) { + case map[string]any: + for k, vv := range x { + if k == "Rrtype" { + if n, ok := vv.(float64); ok && n > 0 && n < 65536 { + out[uint16(n)] = true + } + continue + } + collectRrtypes(vv, out) + } + case []any: + for _, vv := range x { + collectRrtypes(vv, out) + } + } +} + +type invalidTypesError struct{ raw string } + +func (e *invalidTypesError) Error() string { + return "no valid record types in \"" + e.raw + "\"" +} diff --git a/checker/zone_test.go b/checker/zone_test.go new file mode 100644 index 0000000..58b18d9 --- /dev/null +++ b/checker/zone_test.go @@ -0,0 +1,154 @@ +package checker + +import ( + "reflect" + "testing" + + "github.com/miekg/dns" + + sdk "git.happydns.org/checker-sdk-go/checker" +) + +func TestResolveQTypes_ExplicitOverride(t *testing.T) { + apex := "example.com." + names := []string{apex, "www.example.com."} + + opts := sdk.CheckerOptions{ + "zone": map[string]any{}, // ignored when recordTypes is set + } + owner, union, err := resolveQTypes(opts, "A,AAAA", apex, names) + if err != nil { + t.Fatalf("err: %v", err) + } + want := []uint16{dns.TypeA, dns.TypeAAAA} + for _, n := range names { + if !reflect.DeepEqual(owner[n], want) { + t.Errorf("owner[%s] = %v, want %v", n, owner[n], want) + } + } + if !reflect.DeepEqual(union, want) { + t.Errorf("union = %v, want %v", union, want) + } +} + +func TestResolveQTypes_NoZoneNoOption(t *testing.T) { + apex := "example.com." + names := []string{apex} + owner, union, err := resolveQTypes(sdk.CheckerOptions{}, "", apex, names) + if err != nil { + t.Fatalf("err: %v", err) + } + if !reflect.DeepEqual(owner[apex], fallbackQTypes) { + t.Errorf("apex types = %v, want fallback %v", owner[apex], fallbackQTypes) + } + if len(union) != len(fallbackQTypes) { + t.Errorf("union len = %d, want %d", len(union), len(fallbackQTypes)) + } +} + +func TestResolveQTypes_FromZone_NoCAA(t *testing.T) { + apex := "example.com." + names := []string{apex} + + // A zone with MX + TXT services at the apex, but no CAA. + zone := map[string]any{ + "domain_name": "example.com", + "services": map[string]any{ + "": []any{ + map[string]any{ + "_svctype": "svcs.MXs", + "_domain": "example.com", + "Service": map[string]any{ + "mx": []any{ + map[string]any{ + "Hdr": map[string]any{ + "Name": "example.com.", + "Rrtype": float64(dns.TypeMX), + }, + "Mx": "mail.example.com.", + "Preference": float64(10), + }, + }, + }, + }, + map[string]any{ + "_svctype": "svcs.TXT", + "_domain": "example.com", + "Service": map[string]any{ + "Hdr": map[string]any{ + "Name": "example.com.", + "Rrtype": float64(dns.TypeTXT), + }, + "Txt": []any{"v=spf1 -all"}, + }, + }, + }, + }, + } + opts := sdk.CheckerOptions{"zone": zone} + owner, union, err := resolveQTypes(opts, "", apex, names) + if err != nil { + t.Fatalf("err: %v", err) + } + + got := map[uint16]bool{} + for _, qt := range owner[apex] { + got[qt] = true + } + // Must have MX, TXT, plus the always-on SOA/NS. + for _, qt := range []uint16{dns.TypeSOA, dns.TypeNS, dns.TypeMX, dns.TypeTXT} { + if !got[qt] { + t.Errorf("apex missing %s", dns.TypeToString[qt]) + } + } + // Must NOT include CAA (not in zone). + if got[dns.TypeCAA] { + t.Errorf("apex unexpectedly includes CAA: %v", owner[apex]) + } + // Union should match the apex set (single owner). + if !reflect.DeepEqual(owner[apex], union) { + t.Errorf("union %v != apex %v", union, owner[apex]) + } +} + +func TestResolveQTypes_UnknownOwnerFallback(t *testing.T) { + apex := "example.com." + unknown := "www.example.com." + names := []string{apex, unknown} + + zone := map[string]any{ + "services": map[string]any{ + // only apex services + "": []any{ + map[string]any{ + "_svctype": "abstract.Origin", + "_domain": "example.com", + "Service": map[string]any{ + "soa": map[string]any{ + "Hdr": map[string]any{ + "Name": "example.com.", + "Rrtype": float64(dns.TypeSOA), + }, + }, + }, + }, + }, + }, + } + opts := sdk.CheckerOptions{"zone": zone} + owner, _, err := resolveQTypes(opts, "", apex, names) + if err != nil { + t.Fatalf("err: %v", err) + } + wantUnknown := []uint16{dns.TypeA, dns.TypeAAAA} + if !reflect.DeepEqual(owner[unknown], wantUnknown) { + t.Errorf("unknown owner types = %v, want %v", owner[unknown], wantUnknown) + } +} + +func TestResolveQTypes_InvalidExplicit(t *testing.T) { + _, _, err := resolveQTypes(sdk.CheckerOptions{}, "nope,bogus", "example.com.", []string{"example.com."}) + if err == nil { + t.Fatalf("expected error for invalid recordTypes") + } +}