Derive probed record types from the working zone

Stop blindly probing a fixed list (which always included CAA): read the
auto-filled zone and only probe the RR types each owner actually has,
keeping SOA/NS at the apex. The recordTypes option still works as an
explicit override; missing zone falls back to the legacy default.

.drone-manifest.yml

@@ -0,0 +1,22 @@
+image: happydomain/checker-resolver-propagation:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  - image: happydomain/checker-resolver-propagation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  - image: happydomain/checker-resolver-propagation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    platform:
+      architecture: arm64
+      os: linux
+      variant: v8
+  - image: happydomain/checker-resolver-propagation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm
+    platform:
+      architecture: arm
+      os: linux
+      variant: v7

.drone.yml

@@ -0,0 +1,187 @@
+---
+kind: pipeline
+type: docker
+name: build-amd64
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+  - name: checker build
+    image: golang:1-alpine
+    commands:
+      - apk add --no-cache git make
+      - make
+    environment:
+      CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
+      CGO_ENABLED: 0
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: checker build tag
+    image: golang:1-alpine
+    commands:
+      - apk add --no-cache git make
+      - make
+    environment:
+      CHECKER_VERSION: "${DRONE_SEMVER}"
+      CGO_ENABLED: 0
+    when:
+      event:
+        - tag
+
+  - name: publish on Docker Hub
+    image: plugins/docker
+    settings:
+      repo: happydomain/checker-resolver-propagation
+      auto_tag: true
+      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
+      dockerfile: Dockerfile
+      build_args:
+        - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: publish on Docker Hub (tag)
+    image: plugins/docker
+    settings:
+      repo: happydomain/checker-resolver-propagation
+      auto_tag: true
+      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
+      dockerfile: Dockerfile
+      build_args:
+        - CHECKER_VERSION=${DRONE_SEMVER}
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+    when:
+      event:
+        - tag
+
+trigger:
+  branch:
+    exclude:
+      - renovate/*
+  event:
+    - cron
+    - push
+    - tag
+
+---
+kind: pipeline
+type: docker
+name: build-arm64
+
+platform:
+  os: linux
+  arch: arm64
+
+steps:
+  - name: checker build
+    image: golang:1-alpine
+    commands:
+      - apk add --no-cache git make
+      - make
+    environment:
+      CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
+      CGO_ENABLED: 0
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: checker build tag
+    image: golang:1-alpine
+    commands:
+      - apk add --no-cache git make
+      - make
+    environment:
+      CHECKER_VERSION: "${DRONE_SEMVER}"
+      CGO_ENABLED: 0
+    when:
+      event:
+        - tag
+
+  - name: publish on Docker Hub
+    image: plugins/docker
+    settings:
+      repo: happydomain/checker-resolver-propagation
+      auto_tag: true
+      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
+      dockerfile: Dockerfile
+      build_args:
+        - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: publish on Docker Hub (tag)
+    image: plugins/docker
+    settings:
+      repo: happydomain/checker-resolver-propagation
+      auto_tag: true
+      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
+      dockerfile: Dockerfile
+      build_args:
+        - CHECKER_VERSION=${DRONE_SEMVER}
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+    when:
+      event:
+        - tag
+
+trigger:
+  event:
+    - cron
+    - push
+    - tag
+
+---
+kind: pipeline
+name: docker-manifest
+
+platform:
+  os: linux
+  arch: arm64
+
+steps:
+  - name: publish on Docker Hub
+    image: plugins/manifest
+    settings:
+      auto_tag: true
+      ignore_missing: true
+      spec: .drone-manifest.yml
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+
+trigger:
+  branch:
+    exclude:
+      - renovate/*
+  event:
+    - cron
+    - push
+    - tag
+
+depends_on:
+  - build-amd64
+  - build-arm64

README.md

@@ -71,7 +71,7 @@ apex / NS configuration).
 
 | Id                    | Type   | Default                       | Description                                                                                                            |
 |-----------------------|--------|-------------------------------|------------------------------------------------------------------------------------------------------------------------|
-| `recordTypes`         | string | `SOA,NS,A,AAAA,MX,TXT,CAA`    | Comma-separated list of RR types to probe at the apex (and at each `subdomains` entry).                                |
+| `recordTypes`         | string | _derived from zone_           | Comma-separated list of RR types to probe at every owner. Leave empty to derive the list from the working zone (SOA/NS at the apex plus whatever RR types are defined on each owner). |
 | `subdomains`          | string | `www`                         | Comma-separated list of owner names to probe in addition to the apex (e.g. `www,mail,@`). Empty = apex only.           |
 | `includeFiltered`     | bool   | `false`                       | Probe filtering resolvers (malware/family/adblock). Their answers routinely diverge by design.                         |
 | `region`              | string | `all`                         | Restrict to a region: `all`, `global`, `na`, `eu`, `asia`, `ru`, `me`.                                                 |
@@ -82,24 +82,20 @@ apex / NS configuration).
 
 ## Rules
 
-Each rule emits a finding code. Severity can be affected by the options above.
+| Code                                         | Description                                                                                                       | Severity            |
-
+|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------|
-| Code                          | Default severity | Condition |
+| `resolver_propagation.selection`             | Checks that the current option set selects at least one public resolver.                                          | CRITICAL            |
-|-------------------------------|------------------|-----------|
+| `resolver_propagation.reachable`             | Checks that at least one selected resolver answered a query.                                                      | CRITICAL            |
-| `rprop_no_resolvers`          | critical         | The current option set selects no resolver from the catalog. |
+| `resolver_propagation.latency`               | Flags resolvers that are unreachable or whose average response time exceeds the configured threshold.             | WARNING             |
-| `rprop_all_resolvers_down`    | critical         | Every selected resolver failed to answer (likely no DNS connectivity from the checker host). |
+| `resolver_propagation.filtered_hit`          | Reports filtered resolvers returning a different answer than the consensus (typical blocklist behaviour).         | INFO                |
-| `rprop_resolver_unreachable`  | warning          | An individual resolver failed to answer within the run budget. |
+| `resolver_propagation.consensus`             | Checks that public resolvers agree on a single answer for each probed RRset.                                      | WARNING             |
-| `rprop_resolver_high_latency` | info             | A resolver's average response time exceeds `latencyThresholdMs`. |
+| `resolver_propagation.matches_authoritative` | Checks that the public consensus matches the answer served by the zone's authoritative nameservers.               | CRITICAL            |
-| `rprop_resolver_filtered_hit` | info             | A filtered resolver returned a different answer than the consensus (typical blocklist behaviour). Only when `includeFiltered` is enabled. |
+| `resolver_propagation.nxdomain`              | Flags RRsets for which some resolvers return NXDOMAIN while others return NOERROR.                                | CRITICAL            |
-| `rprop_partial_propagation`   | warning          | Public resolvers disagree on the answer for a probed RRset. |
+| `resolver_propagation.servfail`              | Flags RRsets for which any resolver returns SERVFAIL (usually DNSSEC or reachability failure).                    | CRITICAL            |
-| `rprop_answer_drift`          | critical         | The public consensus differs from the answer served by the zone's authoritative nameservers. |
+| `resolver_propagation.regional_split`        | Flags regions in which every resolver agrees on an answer that differs from the global consensus.                 | WARNING             |
-| `rprop_unexpected_nxdomain`   | critical         | Some resolvers return NXDOMAIN while others return NOERROR for the same RRset. |
+| `resolver_propagation.serial_drift`          | Flags disagreement on the SOA serial across unfiltered resolvers.                                                 | WARNING             |
-| `rprop_unexpected_servfail`   | critical         | A resolver returns SERVFAIL (usually a DNSSEC or reachability failure). |
+| `resolver_propagation.stale_cache`           | Flags resolvers still serving an SOA serial below the one saved by happyDomain.                                   | INFO                |
-| `rprop_regional_split`        | warning          | Every resolver of a region agrees on an answer that differs from the global consensus. |
+| `resolver_propagation.dnssec`                | Checks that validating resolvers successfully validate the zone's DNSSEC chain.                                   | CRITICAL            |
-| `rprop_serial_drift`          | warning          | Unfiltered resolvers disagree on the SOA serial. |
-| `rprop_stale_cache`           | info             | A resolver still serves an SOA serial below the one last observed by happyDomain. |
-| `rprop_dnssec_failure`        | critical         | A validating resolver fails to validate the zone's DNSSEC chain (returns SERVFAIL with AD/CD semantics). |
-| `rprop_dnssec_not_validated`  | info             | A validating resolver answered without setting AD on a signed zone. |
 
 ## License
 

checker/collect.go

@@ -34,7 +34,7 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec
 	includeFiltered := sdk.GetBoolOption(opts, "includeFiltered", false)
 	region := getStringOpt(opts, "region", "all")
 	transportsOpt := getStringOpt(opts, "transports", "udp")
-	recordTypesOpt := getStringOpt(opts, "recordTypes", "SOA,NS,A,AAAA,MX,TXT,CAA")
+	recordTypesOpt := getStringOpt(opts, "recordTypes", "")
 	subdomainsOpt := getStringOpt(opts, "subdomains", "")
 	runTimeoutS := sdk.GetIntOption(opts, "runTimeoutSeconds", 30)
 	allowlistOpt := getStringOpt(opts, "resolverAllowlist", "")
@@ -44,15 +44,12 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec
 	if len(transports) == 0 {
 		transports = []string{string(TransportUDP)}
 	}
-	qtypes := parseQTypes(recordTypesOpt)
-	if len(qtypes) == 0 {
-		return nil, fmt.Errorf("no valid record types in %q", recordTypesOpt)
-	}
 	extraNames := parseCSV(subdomainsOpt)
 	allowlist := parseCSV(allowlistOpt)
 
 	// Build the list of owner names to probe.
-	names := []string{dns.Fqdn(zone)}
+	apex := dns.Fqdn(zone)
+	names := []string{apex}
 	seenName := map[string]bool{names[0]: true}
 	for _, sd := range extraNames {
 		full := joinSubdomain(sd, zone)
@@ -62,12 +59,20 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec
 		}
 	}
 
+	// Pick the RR types to probe at each owner. An explicit recordTypes
+	// option overrides everything; otherwise we derive the per-owner type
+	// set from the working zone (when the host auto-filled it).
+	ownerQTypes, typeUnion, err := resolveQTypes(opts, recordTypesOpt, apex, names)
+	if err != nil {
+		return nil, err
+	}
+
 	resolvers := selectedResolvers(includeFiltered, region, allowlist)
 
 	data := &ResolverPropagationData{
 		Zone:      dns.Fqdn(zone),
 		Names:     names,
-		Types:     qtypeNames(qtypes),
+		Types:     qtypeNames(typeUnion),
 		Resolvers: map[string]*ResolverView{},
 		RRsets:    map[string]*RRsetView{},
 	}
@@ -88,10 +93,10 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec
 	started := time.Now()
 
 	// Ground truth from the zone's own authoritative servers.
-	expected := collectExpected(runCtx, zone, svc, names, qtypes)
+	expected := collectExpectedPerOwner(runCtx, zone, svc, ownerQTypes)
 
 	for _, n := range names {
-		for _, qt := range qtypes {
+		for _, qt := range ownerQTypes[n] {
 			key := rrsetKey(n, dns.TypeToString[qt])
 			v := &RRsetView{
 				Name: strings.ToLower(dns.Fqdn(n)),
@@ -158,7 +163,7 @@ func (p *resolverPropagationProvider) Collect(ctx context.Context, opts sdk.Chec
 			}
 
 			for _, n := range names {
-				for _, qt := range qtypes {
+				for _, qt := range ownerQTypes[n] {
 					probe := runProbe(runCtx, job.r, job.tr, n, qt)
 					key := rrsetKey(n, dns.TypeToString[qt])
 					view.Probes[key] = probe
@@ -207,7 +212,7 @@ type expectedEntry struct {
 	records []string
 }
 
-func collectExpected(ctx context.Context, zone string, svc *originService, names []string, qtypes []uint16) map[string]*expectedEntry {
+func collectExpectedPerOwner(ctx context.Context, zone string, svc *originService, ownerQTypes map[string][]uint16) map[string]*expectedEntry {
 	out := map[string]*expectedEntry{}
 
 	var nsHosts []string
@@ -244,7 +249,7 @@ func collectExpected(ctx context.Context, zone string, svc *originService, names
 		return out
 	}
 
-	for _, n := range names {
+	for n, qtypes := range ownerQTypes {
 		for _, qt := range qtypes {
 			key := rrsetKey(n, dns.TypeToString[qt])
 			if e := queryAuthoritative(ctx, authAddrs, n, qt); e != nil {

checker/definition.go

@@ -32,8 +32,7 @@ func (p *resolverPropagationProvider) Definition() *sdk.CheckerDefinition {
 					Id:          "recordTypes",
 					Type:        "string",
 					Label:       "Record types to probe",
-					Description: "Comma-separated list of RR types. The checker probes every listed type at the zone apex (and at each 'subdomains' entry).",
+					Description: "Comma-separated list of RR types to probe at every owner (apex + each 'subdomains' entry). Leave empty to derive the list from the working zone (SOA/NS at the apex plus whatever RR types are actually defined on each owner).",
-					Default:     "SOA,NS,A,AAAA,MX,TXT,CAA",
 				},
 				{
 					Id:          "subdomains",
@@ -92,6 +91,12 @@ func (p *resolverPropagationProvider) Definition() *sdk.CheckerDefinition {
 					Label:    "Zone name",
 					AutoFill: sdk.AutoFillDomainName,
 				},
+				{
+					Id:       "zone",
+					Label:    "Zone",
+					AutoFill: sdk.AutoFillZone,
+					Hide:     true,
+				},
 			},
 			ServiceOpts: []sdk.CheckerOptionDocumentation{
 				{

checker/report.go

@@ -116,7 +116,7 @@ type regionRow struct {
 	Reachable   int
 	Agreeing    int
 	Disagreeing int
-	Errored     int
+	Unreachable int
 }
 
 type resolverRow struct {
@@ -283,28 +283,32 @@ func buildReportView(d *ResolverPropagationData, findings []Finding) *reportView
 		r.Resolvers++
 		if rv.Reachable {
 			r.Reachable++
+		} else {
+			r.Unreachable++
 		}
 		if rv.Reachable && !rv.Filtered {
-			ok := true
+			unreachableProbe := false
+			disagrees := false
 			for key, p := range rv.Probes {
 				if p == nil || p.Error != "" {
-					r.Errored++
+					unreachableProbe = true
-					ok = false
+					continue
-					break
 				}
 				cv := d.RRsets[key]
 				if cv == nil || cv.ConsensusSig == "" {
 					continue
 				}
 				if p.Signature != cv.ConsensusSig {
-					ok = false
+					disagrees = true
-					break
 				}
 			}
-			if ok {
+			switch {
-				r.Agreeing++
+			case disagrees:
-			} else {
 				r.Disagreeing++
+			case unreachableProbe:
+				r.Unreachable++
+			default:
+				r.Agreeing++
 			}
 		}
 	}
@@ -664,7 +668,7 @@ const reportTemplateHTML = `<!DOCTYPE html>
 
 <h2>Per-region view</h2>
 <table>
-<thead><tr><th>Region</th><th>Reachable</th><th>Agreeing</th><th>Disagreeing</th><th>Errored</th></tr></thead>
+<thead><tr><th>Region</th><th>Reachable</th><th>Agreeing</th><th>Disagreeing</th><th>Unreachable</th></tr></thead>
 <tbody>
 {{range .Regions}}
 <tr>
@@ -672,7 +676,7 @@ const reportTemplateHTML = `<!DOCTYPE html>
   <td>{{.Reachable}} / {{.Resolvers}}</td>
   <td><span class="ok">{{.Agreeing}}</span></td>
   <td>{{if .Disagreeing}}<span class="warn">{{.Disagreeing}}</span>{{else}}0{{end}}</td>
-  <td>{{if .Errored}}<span class="crit">{{.Errored}}</span>{{else}}0{{end}}</td>
+  <td>{{if .Unreachable}}<span class="muted">{{.Unreachable}}</span>{{else}}0{{end}}</td>
 </tr>
 {{end}}
 </tbody>
@@ -690,7 +694,7 @@ const reportTemplateHTML = `<!DOCTYPE html>
   </td>
   <td>{{.Region}}</td>
   <td>{{.Transport}}</td>
-  <td>{{if .Reachable}}{{.AvgMs}}{{else}}<span class="crit">unreachable</span>{{end}}</td>
+  <td>{{if .Reachable}}{{.AvgMs}}{{else}}<span class="muted">unreachable</span>{{end}}</td>
   <td>
     {{range .Probes}}
     <details>

checker/rules.go

@@ -57,3 +57,7 @@ func warnState(code, subject, message string) sdk.CheckState {
 func critState(code, subject, message string) sdk.CheckState {
 	return sdk.CheckState{Status: sdk.StatusCrit, Message: message, Code: code, Subject: subject}
 }
+
+func unknownState(code, subject, message string) sdk.CheckState {
+	return sdk.CheckState{Status: sdk.StatusUnknown, Message: message, Code: code, Subject: subject}
+}

checker/rules_consensus.go

@@ -91,8 +91,8 @@ func (r *authoritativeMatchRule) Evaluate(ctx context.Context, obs sdk.Observati
 		anyExpected = true
 		switch {
 		case v.ConsensusSig == "":
-			states = append(states, critState("resolver_propagation.matches_authoritative.no_consensus", key,
+			states = append(states, unknownState("resolver_propagation.matches_authoritative.no_consensus", key,
-				fmt.Sprintf("no public resolver returned a usable answer for %s (authoritative answer is known)", key)))
+				fmt.Sprintf("no public resolver returned a usable answer for %s (authoritative answer is known); resolvers unreachable from the checker", key)))
 		case !v.MatchesExpected:
 			states = append(states, critState(CodeAnswerDrift, key,
 				fmt.Sprintf("consensus of public resolvers for %s differs from the authoritative answer, wait for TTL expiry or force a flush", key)))

checker/rules_resolvers.go

@@ -71,7 +71,7 @@ func (r *resolverLatencyRule) Evaluate(ctx context.Context, obs sdk.ObservationG
 	var states []sdk.CheckState
 	for _, rv := range data.Resolvers {
 		if !rv.Reachable {
-			states = append(states, warnState(CodeResolverUnreachable, rv.ID,
+			states = append(states, unknownState(CodeResolverUnreachable, rv.ID,
 				fmt.Sprintf("resolver %s (%s, %s) did not answer any query", rv.Name, rv.IP, rv.Transport)))
 			continue
 		}

checker/rules_test.go

@@ -326,8 +326,11 @@ func TestResolverLatencyRule(t *testing.T) {
 	if _, ok := codes[CodeResolverHighLatency]; !ok {
 		t.Errorf("want high latency for 'slow', got %+v", st)
 	}
-	if _, ok := codes[CodeResolverUnreachable]; !ok {
+	unreach, ok := codes[CodeResolverUnreachable]
+	if !ok {
 		t.Errorf("want unreachable for 'absent', got %+v", st)
+	} else if unreach[0].Status != sdk.StatusUnknown {
+		t.Errorf("unreachable should be unknown (not a warning), got status %v", unreach[0].Status)
 	}
 }
 

checker/zone.go

@@ -0,0 +1,188 @@
+package checker
+
+import (
+	"encoding/json"
+	"sort"
+	"strings"
+
+	"github.com/miekg/dns"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// rawZone is the minimal slice of happyDomain's Zone JSON we consume to
+// derive the RR types actually present at each owner. It mirrors the
+// shape used by sibling checkers (see checker-legacy-records).
+type rawZone struct {
+	DomainName string                  `json:"domain_name,omitempty"`
+	Services   map[string][]rawService `json:"services"`
+}
+
+type rawService struct {
+	Type    string          `json:"_svctype"`
+	Domain  string          `json:"_domain"`
+	Service json.RawMessage `json:"Service"`
+}
+
+// fallbackQTypes is the legacy default applied when no zone is available
+// and the user did not set recordTypes explicitly.
+var fallbackQTypes = []uint16{
+	dns.TypeSOA, dns.TypeNS, dns.TypeA, dns.TypeAAAA,
+	dns.TypeMX, dns.TypeTXT, dns.TypeCAA,
+}
+
+// resolveQTypes returns the RR types to probe at each owner name plus the
+// union across all owners (for reporting/metrics).
+//
+// Precedence:
+//  1. Explicit "recordTypes" option → apply that list to every owner.
+//  2. Auto-filled "zone" option → derive per-owner types from the zone's
+//     services. The apex always carries SOA+NS even if the zone payload
+//     omits them. Owners with no derivable types fall back to A,AAAA so
+//     the probe still surfaces NXDOMAIN drift for user-requested
+//     subdomains that are not present in the zone.
+//  3. Neither → use the legacy default at every owner.
+func resolveQTypes(opts sdk.CheckerOptions, recordTypesOpt, apex string, names []string) (map[string][]uint16, []uint16, error) {
+	if recordTypesOpt != "" {
+		qts := parseQTypes(recordTypesOpt)
+		if len(qts) == 0 {
+			return nil, nil, &invalidTypesError{raw: recordTypesOpt}
+		}
+		return uniformOwnerQTypes(names, qts), qts, nil
+	}
+
+	zone, _ := readWorkingZone(opts)
+	if zone == nil {
+		return uniformOwnerQTypes(names, fallbackQTypes), append([]uint16(nil), fallbackQTypes...), nil
+	}
+
+	owner := map[string]map[uint16]bool{}
+	for _, n := range names {
+		owner[n] = map[uint16]bool{}
+	}
+
+	for sub, services := range zone.Services {
+		full := joinSubdomain(sub, apex)
+		set, ok := owner[full]
+		if !ok {
+			continue
+		}
+		for _, svc := range services {
+			for _, qt := range typesFromService(svc) {
+				set[qt] = true
+			}
+		}
+	}
+
+	// SOA + NS at apex are foundational; the rules depend on them.
+	apexLower := strings.ToLower(dns.Fqdn(apex))
+	if set, ok := owner[apexLower]; ok {
+		set[dns.TypeSOA] = true
+		set[dns.TypeNS] = true
+	}
+
+	out := make(map[string][]uint16, len(names))
+	unionSet := map[uint16]bool{}
+	for _, n := range names {
+		set := owner[n]
+		if len(set) == 0 {
+			// Owner present in the probe list but unknown to the zone:
+			// keep a minimal probe so a missing-record finding can fire.
+			set = map[uint16]bool{dns.TypeA: true, dns.TypeAAAA: true}
+		}
+		qts := sortedTypes(set)
+		out[n] = qts
+		for _, qt := range qts {
+			unionSet[qt] = true
+		}
+	}
+	return out, sortedTypes(unionSet), nil
+}
+
+func uniformOwnerQTypes(names []string, qts []uint16) map[string][]uint16 {
+	out := make(map[string][]uint16, len(names))
+	for _, n := range names {
+		out[n] = qts
+	}
+	return out
+}
+
+func sortedTypes(set map[uint16]bool) []uint16 {
+	out := make([]uint16, 0, len(set))
+	for q := range set {
+		out = append(out, q)
+	}
+	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
+	return out
+}
+
+// readWorkingZone parses the "zone" auto-fill option. The host may pass
+// the value either as a native struct (in-process plugin) or as a JSON
+// object (HTTP path); we round-trip through JSON in both cases for a
+// single decoding path. A missing zone is not an error — standalone /
+// HTTP callers may simply not provide one.
+func readWorkingZone(opts sdk.CheckerOptions) (*rawZone, error) {
+	v, ok := opts["zone"]
+	if !ok || v == nil {
+		return nil, nil
+	}
+	raw, err := json.Marshal(v)
+	if err != nil {
+		return nil, err
+	}
+	z := &rawZone{}
+	if err := json.Unmarshal(raw, z); err != nil {
+		return nil, err
+	}
+	return z, nil
+}
+
+// typesFromService extracts every RR type referenced by a service body.
+// happyDomain service envelopes are opaque to us (the registry is in the
+// host), so we scan the JSON for any nested "Rrtype": <number> field —
+// every dns.RR_Header instance carries one, which catches MX, CAA,
+// orphan, CNAME, SRV, … without needing a per-service decoder.
+func typesFromService(svc rawService) []uint16 {
+	if len(svc.Service) == 0 {
+		return nil
+	}
+	var v any
+	if err := json.Unmarshal(svc.Service, &v); err != nil {
+		return nil
+	}
+	seen := map[uint16]bool{}
+	collectRrtypes(v, seen)
+	if len(seen) == 0 {
+		return nil
+	}
+	out := make([]uint16, 0, len(seen))
+	for q := range seen {
+		out = append(out, q)
+	}
+	return out
+}
+
+func collectRrtypes(v any, out map[uint16]bool) {
+	switch x := v.(type) {
+	case map[string]any:
+		for k, vv := range x {
+			if k == "Rrtype" {
+				if n, ok := vv.(float64); ok && n > 0 && n < 65536 {
+					out[uint16(n)] = true
+				}
+				continue
+			}
+			collectRrtypes(vv, out)
+		}
+	case []any:
+		for _, vv := range x {
+			collectRrtypes(vv, out)
+		}
+	}
+}
+
+type invalidTypesError struct{ raw string }
+
+func (e *invalidTypesError) Error() string {
+	return "no valid record types in \"" + e.raw + "\""
+}

checker/zone_test.go

@@ -0,0 +1,154 @@
+package checker
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/miekg/dns"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+func TestResolveQTypes_ExplicitOverride(t *testing.T) {
+	apex := "example.com."
+	names := []string{apex, "www.example.com."}
+
+	opts := sdk.CheckerOptions{
+		"zone": map[string]any{}, // ignored when recordTypes is set
+	}
+	owner, union, err := resolveQTypes(opts, "A,AAAA", apex, names)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	want := []uint16{dns.TypeA, dns.TypeAAAA}
+	for _, n := range names {
+		if !reflect.DeepEqual(owner[n], want) {
+			t.Errorf("owner[%s] = %v, want %v", n, owner[n], want)
+		}
+	}
+	if !reflect.DeepEqual(union, want) {
+		t.Errorf("union = %v, want %v", union, want)
+	}
+}
+
+func TestResolveQTypes_NoZoneNoOption(t *testing.T) {
+	apex := "example.com."
+	names := []string{apex}
+	owner, union, err := resolveQTypes(sdk.CheckerOptions{}, "", apex, names)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !reflect.DeepEqual(owner[apex], fallbackQTypes) {
+		t.Errorf("apex types = %v, want fallback %v", owner[apex], fallbackQTypes)
+	}
+	if len(union) != len(fallbackQTypes) {
+		t.Errorf("union len = %d, want %d", len(union), len(fallbackQTypes))
+	}
+}
+
+func TestResolveQTypes_FromZone_NoCAA(t *testing.T) {
+	apex := "example.com."
+	names := []string{apex}
+
+	// A zone with MX + TXT services at the apex, but no CAA.
+	zone := map[string]any{
+		"domain_name": "example.com",
+		"services": map[string]any{
+			"": []any{
+				map[string]any{
+					"_svctype": "svcs.MXs",
+					"_domain":  "example.com",
+					"Service": map[string]any{
+						"mx": []any{
+							map[string]any{
+								"Hdr": map[string]any{
+									"Name":   "example.com.",
+									"Rrtype": float64(dns.TypeMX),
+								},
+								"Mx":         "mail.example.com.",
+								"Preference": float64(10),
+							},
+						},
+					},
+				},
+				map[string]any{
+					"_svctype": "svcs.TXT",
+					"_domain":  "example.com",
+					"Service": map[string]any{
+						"Hdr": map[string]any{
+							"Name":   "example.com.",
+							"Rrtype": float64(dns.TypeTXT),
+						},
+						"Txt": []any{"v=spf1 -all"},
+					},
+				},
+			},
+		},
+	}
+	opts := sdk.CheckerOptions{"zone": zone}
+	owner, union, err := resolveQTypes(opts, "", apex, names)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	got := map[uint16]bool{}
+	for _, qt := range owner[apex] {
+		got[qt] = true
+	}
+	// Must have MX, TXT, plus the always-on SOA/NS.
+	for _, qt := range []uint16{dns.TypeSOA, dns.TypeNS, dns.TypeMX, dns.TypeTXT} {
+		if !got[qt] {
+			t.Errorf("apex missing %s", dns.TypeToString[qt])
+		}
+	}
+	// Must NOT include CAA (not in zone).
+	if got[dns.TypeCAA] {
+		t.Errorf("apex unexpectedly includes CAA: %v", owner[apex])
+	}
+	// Union should match the apex set (single owner).
+	if !reflect.DeepEqual(owner[apex], union) {
+		t.Errorf("union %v != apex %v", union, owner[apex])
+	}
+}
+
+func TestResolveQTypes_UnknownOwnerFallback(t *testing.T) {
+	apex := "example.com."
+	unknown := "www.example.com."
+	names := []string{apex, unknown}
+
+	zone := map[string]any{
+		"services": map[string]any{
+			// only apex services
+			"": []any{
+				map[string]any{
+					"_svctype": "abstract.Origin",
+					"_domain":  "example.com",
+					"Service": map[string]any{
+						"soa": map[string]any{
+							"Hdr": map[string]any{
+								"Name":   "example.com.",
+								"Rrtype": float64(dns.TypeSOA),
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	opts := sdk.CheckerOptions{"zone": zone}
+	owner, _, err := resolveQTypes(opts, "", apex, names)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	wantUnknown := []uint16{dns.TypeA, dns.TypeAAAA}
+	if !reflect.DeepEqual(owner[unknown], wantUnknown) {
+		t.Errorf("unknown owner types = %v, want %v", owner[unknown], wantUnknown)
+	}
+}
+
+func TestResolveQTypes_InvalidExplicit(t *testing.T) {
+	_, _, err := resolveQTypes(sdk.CheckerOptions{}, "nope,bogus", "example.com.", []string{"example.com."})
+	if err == nil {
+		t.Fatalf("expected error for invalid recordTypes")
+	}
+}