From 46d4bb2b4944bebecc383c8bd3f9eabc7279f7a0 Mon Sep 17 00:00:00 2001 From: Pierre-Olivier Mercier Date: Thu, 30 Apr 2026 08:49:15 +0700 Subject: [PATCH 1/2] Update rules section --- README.md | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 66f6de4..ff5bf13 100644 --- a/README.md +++ b/README.md @@ -82,24 +82,20 @@ apex / NS configuration). ## Rules -Each rule emits a finding code. Severity can be affected by the options above. - -| Code | Default severity | Condition | -|-------------------------------|------------------|-----------| -| `rprop_no_resolvers` | critical | The current option set selects no resolver from the catalog. | -| `rprop_all_resolvers_down` | critical | Every selected resolver failed to answer (likely no DNS connectivity from the checker host). | -| `rprop_resolver_unreachable` | warning | An individual resolver failed to answer within the run budget. | -| `rprop_resolver_high_latency` | info | A resolver's average response time exceeds `latencyThresholdMs`. | -| `rprop_resolver_filtered_hit` | info | A filtered resolver returned a different answer than the consensus (typical blocklist behaviour). Only when `includeFiltered` is enabled. | -| `rprop_partial_propagation` | warning | Public resolvers disagree on the answer for a probed RRset. | -| `rprop_answer_drift` | critical | The public consensus differs from the answer served by the zone's authoritative nameservers. | -| `rprop_unexpected_nxdomain` | critical | Some resolvers return NXDOMAIN while others return NOERROR for the same RRset. | -| `rprop_unexpected_servfail` | critical | A resolver returns SERVFAIL (usually a DNSSEC or reachability failure). | -| `rprop_regional_split` | warning | Every resolver of a region agrees on an answer that differs from the global consensus. | -| `rprop_serial_drift` | warning | Unfiltered resolvers disagree on the SOA serial. | -| `rprop_stale_cache` | info | A resolver still serves an SOA serial below the one last observed by happyDomain. | -| `rprop_dnssec_failure` | critical | A validating resolver fails to validate the zone's DNSSEC chain (returns SERVFAIL with AD/CD semantics). | -| `rprop_dnssec_not_validated` | info | A validating resolver answered without setting AD on a signed zone. | +| Code | Description | Severity | +|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------| +| `resolver_propagation.selection` | Checks that the current option set selects at least one public resolver. | CRITICAL | +| `resolver_propagation.reachable` | Checks that at least one selected resolver answered a query. | CRITICAL | +| `resolver_propagation.latency` | Flags resolvers that are unreachable or whose average response time exceeds the configured threshold. | WARNING | +| `resolver_propagation.filtered_hit` | Reports filtered resolvers returning a different answer than the consensus (typical blocklist behaviour). | INFO | +| `resolver_propagation.consensus` | Checks that public resolvers agree on a single answer for each probed RRset. | WARNING | +| `resolver_propagation.matches_authoritative` | Checks that the public consensus matches the answer served by the zone's authoritative nameservers. | CRITICAL | +| `resolver_propagation.nxdomain` | Flags RRsets for which some resolvers return NXDOMAIN while others return NOERROR. | CRITICAL | +| `resolver_propagation.servfail` | Flags RRsets for which any resolver returns SERVFAIL (usually DNSSEC or reachability failure). | CRITICAL | +| `resolver_propagation.regional_split` | Flags regions in which every resolver agrees on an answer that differs from the global consensus. | WARNING | +| `resolver_propagation.serial_drift` | Flags disagreement on the SOA serial across unfiltered resolvers. | WARNING | +| `resolver_propagation.stale_cache` | Flags resolvers still serving an SOA serial below the one saved by happyDomain. | INFO | +| `resolver_propagation.dnssec` | Checks that validating resolvers successfully validate the zone's DNSSEC chain. | CRITICAL | ## License From 30cc586f343f1346a02112933fb4e44defe6dc98 Mon Sep 17 00:00:00 2001 From: Pierre-Olivier Mercier Date: Sun, 10 May 2026 19:03:59 +0800 Subject: [PATCH 2/2] Add CI/CD pipeline --- .drone-manifest.yml | 22 ++++++ .drone.yml | 187 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 209 insertions(+) create mode 100644 .drone-manifest.yml create mode 100644 .drone.yml diff --git a/.drone-manifest.yml b/.drone-manifest.yml new file mode 100644 index 0000000..3fd8f9c --- /dev/null +++ b/.drone-manifest.yml @@ -0,0 +1,22 @@ +image: happydomain/checker-resolver-propagation:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}} +{{#if build.tags}} +tags: +{{#each build.tags}} + - {{this}} +{{/each}} +{{/if}} +manifests: + - image: happydomain/checker-resolver-propagation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64 + platform: + architecture: amd64 + os: linux + - image: happydomain/checker-resolver-propagation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64 + platform: + architecture: arm64 + os: linux + variant: v8 + - image: happydomain/checker-resolver-propagation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm + platform: + architecture: arm + os: linux + variant: v7 diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 0000000..c6dcce9 --- /dev/null +++ b/.drone.yml @@ -0,0 +1,187 @@ +--- +kind: pipeline +type: docker +name: build-amd64 + +platform: + os: linux + arch: amd64 + +steps: + - name: checker build + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}" + CGO_ENABLED: 0 + when: + event: + exclude: + - tag + + - name: checker build tag + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_SEMVER}" + CGO_ENABLED: 0 + when: + event: + - tag + + - name: publish on Docker Hub + image: plugins/docker + settings: + repo: happydomain/checker-resolver-propagation + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + exclude: + - tag + + - name: publish on Docker Hub (tag) + image: plugins/docker + settings: + repo: happydomain/checker-resolver-propagation + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_SEMVER} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + - tag + +trigger: + branch: + exclude: + - renovate/* + event: + - cron + - push + - tag + +--- +kind: pipeline +type: docker +name: build-arm64 + +platform: + os: linux + arch: arm64 + +steps: + - name: checker build + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}" + CGO_ENABLED: 0 + when: + event: + exclude: + - tag + + - name: checker build tag + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_SEMVER}" + CGO_ENABLED: 0 + when: + event: + - tag + + - name: publish on Docker Hub + image: plugins/docker + settings: + repo: happydomain/checker-resolver-propagation + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + exclude: + - tag + + - name: publish on Docker Hub (tag) + image: plugins/docker + settings: + repo: happydomain/checker-resolver-propagation + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_SEMVER} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + - tag + +trigger: + event: + - cron + - push + - tag + +--- +kind: pipeline +name: docker-manifest + +platform: + os: linux + arch: arm64 + +steps: + - name: publish on Docker Hub + image: plugins/manifest + settings: + auto_tag: true + ignore_missing: true + spec: .drone-manifest.yml + username: + from_secret: docker_username + password: + from_secret: docker_password + +trigger: + branch: + exclude: + - renovate/* + event: + - cron + - push + - tag + +depends_on: + - build-amd64 + - build-arm64