Initial commit

Generic SRV records checker for happyDomain.

For each SRV record attached to an svcs.UnknownSRV service, the checker
resolves every target and probes reachability:

  - DNS resolution (A/AAAA), CNAME detection (RFC 2782 violation),
    null-target detection (RFC 2782 "service explicitly unavailable")
  - TCP connect to target:port for _tcp SRVs
  - UDP probe for _udp SRVs, using ICMP port-unreachable detection

The checker also publishes TLS endpoints (host, port, SNI) for every
SRV target hitting a well-known direct-TLS port (443, 465, 636, 853,
993, 995, 5061, 5223, …) via the EndpointDiscoverer SDK interface, so
a downstream TLS checker can pick them up.

The HTML report groups records as cards and surfaces the most common
failure scenarios (DNS failure, CNAME target, TCP unreachable,
null-target) at the top with remediation guidance.
nemunaire 2026-04-19 10:28:39 +07:00
commit 9243551b58
15 changed files with 1362 additions and 0 deletions

210
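--- a/checker/collect.go
+++ b/checker/collect.go
@@ -0,0 +1,210 @@
+package checker
+import (
+"context"
+"encoding/json"
+"fmt"
+"net"
+"strconv"
+"strings"
+"time"
+sdk "git.happydns.org/checker-sdk-go/checker"
+happydns "git.happydns.org/happyDomain/model"
+)
+// unknownSRVPayload mirrors svcs.UnknownSRV for JSON-decoding the service body.
+// We decode SRV records by hand (instead of importing miekg/dns) so the
+// checker stays light and its build surface minimal.
+type unknownSRVPayload struct {
+Records []struct {
+Hdr struct {
+Name string `json:"Name"`
+} `json:"Hdr"`
+Priority uint16 `json:"Priority"`
+Weight uint16 `json:"Weight"`
+Port uint16 `json:"Port"`
+Target string `json:"Target"`
+} `json:"srv"`
+}
+func (p *srvProvider) Collect(ctx context.Context, opts sdk.CheckerOptions) (any, error) {
+svcMsg, ok := sdk.GetOption[happydns.ServiceMessage](opts, "service")
+if !ok {
+return nil, fmt.Errorf("service not provided")
+}
+if svcMsg.Type != "svcs.UnknownSRV" {
+return nil, fmt.Errorf("service type is %q, expected svcs.UnknownSRV", svcMsg.Type)
+}
+var payload unknownSRVPayload
+if err := json.Unmarshal(svcMsg.Service, &payload); err != nil {
+return nil, fmt.Errorf("failed to decode UnknownSRV: %w", err)
+}
+if len(payload.Records) == 0 {
+return nil, fmt.Errorf("service contains no SRV records")
+}
+subdomain, _ := opts["subdomain"].(string)
+domain, _ := opts["domain"].(string)
+// The service "address" (e.g. _sip._tcp.example.com) — used for reporting.
+serviceDomain := strings.TrimSuffix(subdomain, ".")
+if domain != "" {
+if serviceDomain != "" {
+serviceDomain += "." + strings.TrimSuffix(domain, ".")
+} else {
+serviceDomain = strings.TrimSuffix(domain, ".")
+}
+}
+tcpTimeout := durationOpt(opts, "tcpTimeout", 3000)
+udpTimeout := durationOpt(opts, "udpTimeout", 2000)
+data := &SRVData{ServiceDomain: serviceDomain}
+for _, r := range payload.Records {
+owner := strings.TrimSuffix(r.Hdr.Name, ".")
+svc, proto := parseOwner(owner, serviceDomain)
+rec := SRVRecord{
+Service: svc,
+Proto: proto,
+Owner: owner,
+Target: strings.TrimSuffix(r.Target, "."),
+Port: r.Port,
+Priority: r.Priority,
+Weight: r.Weight,
+}
+// RFC 2782: "." target means "service decidedly not available".
+if rec.Target == "" || rec.Target == "." {
+rec.IsNullTarget = true
+data.Records = append(data.Records, rec)
+continue
+}
+// CNAME detection (RFC 2782 §"Usage rules": target MUST be a name that
+// resolves to A/AAAA records directly, not a CNAME).
+if cname, err := net.DefaultResolver.LookupCNAME(ctx, rec.Target); err == nil {
+canon := strings.TrimSuffix(cname, ".")
+if canon != "" && !strings.EqualFold(canon, rec.Target) {
+rec.IsCNAME = true
+rec.CNAMEChain = []string{rec.Target, canon}
+}
+}
+ips, err := net.DefaultResolver.LookupIPAddr(ctx, rec.Target)
+if err != nil {
+rec.ResolveError = err.Error()
+data.Records = append(data.Records, rec)
+continue
+}
+for _, ip := range ips {
+rec.Addresses = append(rec.Addresses, ip.IP.String())
+}
+// Probe each resolved address.
+for _, addr := range rec.Addresses {
+hostport := net.JoinHostPort(addr, strconv.Itoa(int(rec.Port)))
+switch proto {
+case "udp":
+rec.Probes = append(rec.Probes, probeUDP(ctx, hostport, udpTimeout))
+default: // tcp (and anything else)
+rec.Probes = append(rec.Probes, probeTCP(ctx, hostport, tcpTimeout))
+}
+}
+data.Records = append(data.Records, rec)
+}
+return data, nil
+}
+func parseOwner(owner, serviceDomain string) (svc, proto string) {
+// Owner of form _service._proto[.domain]
+s := strings.TrimSuffix(owner, "."+serviceDomain)
+parts := strings.Split(s, ".")
+if len(parts) >= 2 && strings.HasPrefix(parts[0], "_") && strings.HasPrefix(parts[1], "_") {
+return strings.TrimPrefix(parts[0], "_"), strings.TrimPrefix(parts[1], "_")
+}
+return "", "tcp"
+}
+func durationOpt(opts sdk.CheckerOptions, key string, defMs int) time.Duration {
+ms := defMs
+if v, ok := opts[key]; ok {
+switch n := v.(type) {
+case float64:
+ms = int(n)
+case int:
+ms = n
+}
+}
+if ms < 100 {
+ms = 100
+}
+if ms > 60000 {
+ms = 60000
+}
+return time.Duration(ms) * time.Millisecond
+}
+func probeTCP(ctx context.Context, hostport string, timeout time.Duration) ProbeResult {
+pr := ProbeResult{Address: hostport, Proto: "tcp"}
+dialer := net.Dialer{Timeout: timeout}
+start := time.Now()
+ctx, cancel := context.WithTimeout(ctx, timeout)
+defer cancel()
+conn, err := dialer.DialContext(ctx, "tcp", hostport)
+pr.LatencyMs = float64(time.Since(start).Microseconds()) / 1000.0
+if err != nil {
+pr.Error = err.Error()
+return pr
+}
+_ = conn.Close()
+pr.Connected = true
+return pr
+}
+func probeUDP(ctx context.Context, hostport string, timeout time.Duration) ProbeResult {
+pr := ProbeResult{Address: hostport, Proto: "udp"}
+dialer := net.Dialer{Timeout: timeout}
+ctx2, cancel := context.WithTimeout(ctx, timeout)
+defer cancel()
+conn, err := dialer.DialContext(ctx2, "udp", hostport)
+if err != nil {
+pr.Error = err.Error()
+return pr
+}
+defer conn.Close()
+// Send a single zero byte. If the host has nothing listening and returns
+// ICMP port-unreachable, a subsequent Read will fail with "connection
+// refused". Silent drops (firewalled) remain indistinguishable from a
+// working service — report as "reachable (no response)".
+_ = conn.SetDeadline(time.Now().Add(timeout))
+if _, err := conn.Write([]byte{0}); err != nil {
+pr.Error = err.Error()
+return pr
+}
+buf := make([]byte, 1)
+_, err = conn.Read(buf)
+if err != nil {
+if ne, ok := err.(net.Error); ok && ne.Timeout() {
+// No ICMP unreachable came back: host probably accepts UDP,
+// or packets are silently dropped. Treat as "reachable".
+pr.Connected = true
+pr.Error = "no UDP response (host may still be reachable)"
+return pr
+}
+if strings.Contains(err.Error(), "refused") {
+pr.Error = err.Error()
+return pr
+}
+pr.Error = err.Error()
+return pr
+}
+pr.Connected = true
+return pr
+}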
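Review bot: Collect probes every address a target resolves to without checking where it points, so an SRV record whose target resolves to a loopback, private or link-local address makes the checker host connect inside its own network and return reachability, latency and error text for it. Unless probing internal addresses is an intended deployment mode, filter while iterating `ips` before the probe loop, e.g. `if ip.IP.IsLoopback() || ip.IP.IsPrivate() || ip.IP.IsLinkLocalUnicast() || ip.IP.IsUnspecified() { continue }`, and record the skip in the result so the report stays explainable. The number of records and of addresses per record is also unbounded while each probe may wait up to the 60000 ms cap in durationOpt, so a limit on probes per run would bound the work a single service can trigger. Separately, in probeUDP the `strings.Contains(err.Error(), "refused")` branch does exactly what the fall-through does; if the two cases are meant to differ, `errors.Is(err, syscall.ECONNREFUSED)` is the sturdier test.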

75
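--- a/checker/definition.go
+++ b/checker/definition.go
@@ -0,0 +1,75 @@
+package checker
+import (
+"time"
+sdk "git.happydns.org/checker-sdk-go/checker"
+)
+var Version = "built-in"
+func Definition() *sdk.CheckerDefinition {
+return &sdk.CheckerDefinition{
+ID: "srv",
+Name: "SRV Records Tester",
+Version: Version,
+Availability: sdk.CheckerAvailability{
+ApplyToService: true,
+LimitToServices: []string{"svcs.UnknownSRV"},
+},
+HasHTMLReport: true,
+ObservationKeys: []sdk.ObservationKey{ObservationKeySRV},
+Options: sdk.CheckerOptionsDocumentation{
+UserOpts: []sdk.CheckerOptionDocumentation{
+{
+Id: "tcpTimeout",
+Type: "number",
+Label: "TCP connect timeout (ms)",
+Default: float64(3000),
+Description: "Max time to wait for a TCP handshake on each target.",
+},
+{
+Id: "udpTimeout",
+Type: "number",
+Label: "UDP probe timeout (ms)",
+Default: float64(2000),
+Description: "Max time to wait for a UDP response or ICMP unreachable.",
+},
+},
+ServiceOpts: []sdk.CheckerOptionDocumentation{
+{
+Id: "service",
+Label: "Service",
+AutoFill: sdk.AutoFillService,
+Hide: true,
+},
+{
+Id: "subdomain",
+Label: "Subdomain",
+AutoFill: sdk.AutoFillSubdomain,
+Hide: true,
+},
+{
+Id: "domain",
+Label: "Domain",
+AutoFill: sdk.AutoFillDomainName,
+Hide: true,
+},
+},
+},
+Rules: []sdk.CheckRule{
+RulePresent(),
+RuleNullTarget(),
+RuleTargetNotCNAME(),
+RuleTargetsResolve(),
+RuleTCPReachable(),
+RuleUDPReachable(),
+RuleRedundancy(),
+},
+Interval: &sdk.CheckIntervalSpec{
+Min: 5 * time.Minute,
+Max: 7 * 24 * time.Hour,
+Default: 6 * time.Hour,
+},
+}
+}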
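Review bot: The `tcpTimeout` and `udpTimeout` descriptions do not say that durationOpt in checker/collect.go clamps the value to 100–60000 ms and ignores anything that is not a float64 or int, so a user who enters 50 or 120000 gets a different timeout from the one shown. I would extend the text, e.g. `Description: "Max time to wait for a TCP handshake on each target (clamped to 100–60000 ms).",` and likewise for the UDP option. The exported `Version` and `Definition` also lack doc comments, such as `// Definition returns the checker definition for the SRV records checker.`.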

67
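--- a/checker/discover.go
+++ b/checker/discover.go
@@ -0,0 +1,67 @@
+package checker
+import (
+"fmt"
+sdk "git.happydns.org/checker-sdk-go/checker"
+)
+// directTLSServices enumerates SRV service names (the "service" part of
+// _service._proto.domain) that by convention mean "direct TLS on connect",
+// as opposed to STARTTLS or plaintext.
+//
+// Matching on the service name is more authoritative than matching on the
+// port: port 636 could carry anything, but _ldaps._tcp unambiguously
+// designates LDAP over TLS — even on a non-standard port. Conversely, a
+// site may run HTTPS on a non-443 port and still want it probed.
+//
+// STARTTLS variants (_xmpp-client, _smtp, _submission, _imap, _pop3…) are
+// intentionally excluded here; a dedicated endpoint type (e.g.
+// "smtp-starttls") will be introduced when a TLS checker grows the
+// capability to upgrade those protocols.
+var directTLSServices = map[string]bool{
+"https": true,
+"ftps": true, // FTPS implicit
+"smtps": true, // SMTP over TLS (legacy port 465 semantics)
+"submissions": true, // RFC 8314: SMTP submission over TLS
+"imaps": true,
+"pop3s": true,
+"nntps": true,
+"ircs": true,
+"telnets": true,
+"ldaps": true,
+"sips": true,
+"ipps": true, // IPP over TLS (printing)
+"xmpps-client": true, // XMPP client over direct TLS
+"xmpps-server": true, // XMPP server-to-server over direct TLS
+"mqtts": true,
+"coaps": true,
+"stuns": true,
+"turns": true,
+}
+// DiscoverEndpoints is invoked right after Collect. It declares (host, port)
+// pairs worth testing by other checkers — here: TLS endpoints whose SRV
+// service name is a known direct-TLS protocol (see directTLSServices).
+func (p *srvProvider) DiscoverEndpoints(data any) ([]sdk.DiscoveredEndpoint, error) {
+d, ok := data.(*SRVData)
+if !ok {
+return nil, fmt.Errorf("unexpected data type %T", data)
+}
+var out []sdk.DiscoveredEndpoint
+for _, r := range d.Records {
+if r.IsNullTarget || r.Target == "" {
+continue
+}
+if !directTLSServices[r.Service] {
+continue
+}
+out = append(out, sdk.DiscoveredEndpoint{
+Type: "tls",
+Host: r.Target,
+Port: r.Port,
+SNI: r.Target,
+})
+}
+return out, nil
+}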
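Review bot: DiscoverEndpoints publishes a `tls` endpoint for every matching service name without looking at `r.Proto` or `r.ResolveError`, so a `_udp` record (an entry such as `coaps` is normally DTLS over UDP, and `stuns`/`turns` can be either) or a target that failed resolution is still handed to the downstream TLS checker. I would tighten the filter to `if r.Proto != "tcp" || r.ResolveError != "" || !directTLSServices[r.Service] { continue }`, or publish a distinct endpoint type for DTLS once the SDK has one. Host and SNI are copied unchanged from the zone-supplied target, so the checker that consumes them should apply its own destination policy rather than trust this list. The commit description speaks of matching well-known ports while the code matches service names; the comment on directTLSServices explains the choice, so only the description is out of date.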

19
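--- a/checker/provider.go
+++ b/checker/provider.go
@@ -0,0 +1,19 @@
+package checker
+import (
+sdk "git.happydns.org/checker-sdk-go/checker"
+)
+func Provider() sdk.ObservationProvider {
+return &srvProvider{}
+}
+type srvProvider struct{}
+func (p *srvProvider) Key() sdk.ObservationKey {
+return ObservationKeySRV
+}
+func (p *srvProvider) Definition() *sdk.CheckerDefinition {
+return Definition()
+}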
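Review bot: Provider returns only `sdk.ObservationProvider`, so nothing in this file makes the compiler check that `*srvProvider` still satisfies the optional interfaces its other methods are written for (DiscoverEndpoints in discover.go, GetHTMLReport in report.go); if the SDK finds those by type assertion, a signature drift would presumably disable endpoint discovery or the report without any build error. I would add compile-time assertions next to the type, e.g. `var _ sdk.ObservationProvider = (*srvProvider)(nil)` plus one per optional interface (the commit message names EndpointDiscoverer; confirm the exact SDK identifiers). The exported `Provider` also lacks a doc comment, such as `// Provider returns the observation provider for SRV records.`.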

287
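--- a/checker/report.go
+++ b/checker/report.go
@@ -0,0 +1,287 @@
+package checker
+import (
+"encoding/json"
+"fmt"
+"html/template"
+"strings"
+)
+// reportData is the view-model fed to the HTML template.
+type reportData struct {
+ServiceDomain string
+Records []reportRecord
+// Top-level alerts: the most common / most actionable failure scenarios,
+// surfaced at the top of the report with remediation guidance.
+Alerts []reportAlert
+Totals reportTotals
+}
+type reportRecord struct {
+Owner string
+Service string
+Proto string
+Target string
+Port uint16
+Priority uint16
+Weight uint16
+IsNullTarget bool
+IsCNAME bool
+CNAMEChain string
+Addresses []string
+ResolveError string
+Probes []reportProbe
+}
+type reportProbe struct {
+Address string
+Proto string
+Connected bool
+LatencyMs float64
+Error string
+StatusClass string
+StatusLabel string
+}
+type reportAlert struct {
+Severity string // "crit", "warn", "info"
+Title string
+Body template.HTML
+}
+type reportTotals struct {
+Records int
+OKProbes int
+BadProbes int
+}
+var htmlTpl = template.Must(template.New("srv").Parse(`<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>SRV Records Report</title>
+<style>
+*,*::before,*::after{box-sizing:border-box}
+:root{font-family:system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;font-size:14px;line-height:1.5;color:#1f2937;background:#f3f4f6}
+body{margin:0;padding:1rem}
+code{font-family:ui-monospace,monospace;font-size:.9em}
+h1{margin:0 0 .4rem;font-size:1.15rem}
+h2{font-size:1rem;margin:0 0 .6rem}
+h3{font-size:.9rem;font-weight:600;margin:0 0 .4rem}
+.hd,.section{background:#fff;border-radius:10px;padding:1rem 1.25rem;margin-bottom:.75rem;box-shadow:0 1px 3px rgba(0,0,0,.08)}
+.section{border-radius:8px;padding:.85rem 1rem;margin-bottom:.6rem}
+.badge{display:inline-flex;align-items:center;padding:.2em .65em;border-radius:9999px;font-size:.78rem;font-weight:700}
+.ok{background:#d1fae5;color:#065f46}
+.warn{background:#fef3c7;color:#92400e}
+.crit{background:#fee2e2;color:#991b1b}
+.info{background:#dbeafe;color:#1e40af}
+.alert{border-left:4px solid #d1d5db;padding:.6rem .85rem;margin-bottom:.55rem;background:#fff;border-radius:6px;box-shadow:0 1px 3px rgba(0,0,0,.05)}
+.alert.crit{border-left-color:#dc2626}
+.alert.warn{border-left-color:#d97706}
+.alert.info{border-left-color:#2563eb}
+.alert .title{font-weight:600;margin-bottom:.2rem}
+.alert .body{font-size:.88rem;color:#374151}
+.alert .body code{background:#f3f4f6;padding:.05rem .3rem;border-radius:3px}
+.rec{border:1px solid #e5e7eb;border-radius:8px;padding:.7rem .85rem;margin-bottom:.55rem;background:#fff}
+.rec-hd{display:flex;flex-wrap:wrap;align-items:center;gap:.5rem;margin-bottom:.4rem}
+.rec-hd .target{font-family:ui-monospace,monospace;font-weight:600}
+.rec-hd .meta{color:#6b7280;font-size:.82rem}
+table{border-collapse:collapse;width:100%;font-size:.85rem;margin-top:.25rem}
+th,td{text-align:left;padding:.3rem .5rem;border-bottom:1px solid #f3f4f6}
+th{font-weight:600;color:#6b7280;background:#f9fafb}
+.errmsg{color:#b91c1c}
+.note{color:#6b7280;font-size:.85rem}
+.totals{display:flex;flex-wrap:wrap;gap:.5rem;margin-top:.25rem}
+.tot{background:#f3f4f6;border-radius:6px;padding:.25rem .6rem;font-size:.8rem}
+</style>
+</head>
+<body>
+<div class="hd">
+<h1>SRV Records &mdash; {{if .ServiceDomain}}<code>{{.ServiceDomain}}</code>{{else}}service{{end}}</h1>
+<div class="totals">
+<span class="tot">{{.Totals.Records}} record(s)</span>
+<span class="tot">{{.Totals.OKProbes}} reachable probe(s)</span>
+{{if .Totals.BadProbes}}<span class="tot" style="background:#fee2e2;color:#991b1b">{{.Totals.BadProbes}} failed probe(s)</span>{{end}}
+</div>
+</div>
+{{if .Alerts}}
+<div class="section">
+<h2>What needs attention</h2>
+{{range .Alerts}}
+<div class="alert {{.Severity}}">
+<div class="title">{{.Title}}</div>
+<div class="body">{{.Body}}</div>
+</div>
+{{end}}
+</div>
+{{end}}
+<div class="section">
+<h2>Records</h2>
+{{range .Records}}
+<div class="rec">
+<div class="rec-hd">
+<span class="target">{{if .IsNullTarget}}<em>(null target)</em>{{else}}{{.Target}}{{end}}:{{.Port}}</span>
+<span class="meta">prio {{.Priority}} &middot; weight {{.Weight}}</span>
+{{if .Service}}<span class="meta">_{{.Service}}._{{.Proto}}</span>{{end}}
+{{if .IsNullTarget}}<span class="badge warn">null target</span>{{end}}
+{{if .IsCNAME}}<span class="badge warn">target is CNAME</span>{{end}}
+{{if .ResolveError}}<span class="badge crit">DNS error</span>{{end}}
+</div>
+{{if .CNAMEChain}}
+<p class="note">CNAME chain: <code>{{.CNAMEChain}}</code> &mdash; RFC 2782 forbids a CNAME as SRV target.</p>
+{{end}}
+{{if .ResolveError}}
+<p class="errmsg">Resolution failed: {{.ResolveError}}</p>
+{{end}}
+{{if .Addresses}}
+<p class="note">Resolves to: {{range .Addresses}}<code>{{.}}</code> {{end}}</p>
+{{end}}
+{{if .Probes}}
+<table>
+<tr>
+<th>Address</th><th>Proto</th><th>Status</th><th>Latency</th><th>Details</th>
+</tr>
+{{range .Probes}}
+<tr>
+<td><code>{{.Address}}</code></td>
+<td>{{.Proto}}</td>
+<td><span class="badge {{.StatusClass}}">{{.StatusLabel}}</span></td>
+<td>{{if .LatencyMs}}{{printf "%.1f ms" .LatencyMs}}{{end}}</td>
+<td>{{if .Error}}<span class="errmsg">{{.Error}}</span>{{end}}</td>
+</tr>
+{{end}}
+</table>
+{{end}}
+</div>
+{{end}}
+</div>
+</body>
+</html>`))
+func (p *srvProvider) GetHTMLReport(raw json.RawMessage) (string, error) {
+var d SRVData
+if err := json.Unmarshal(raw, &d); err != nil {
+return "", fmt.Errorf("failed to unmarshal SRV report: %w", err)
+}
+rd := reportData{ServiceDomain: d.ServiceDomain}
+rd.Totals.Records = len(d.Records)
+var resolveFails, cnames, nulls []string
+tcpDown := map[string]string{} // addr → err
+for _, r := range d.Records {
+rec := reportRecord{
+Owner: r.Owner,
+Service: r.Service,
+Proto: r.Proto,
+Target: r.Target,
+Port: r.Port,
+Priority: r.Priority,
+Weight: r.Weight,
+IsNullTarget: r.IsNullTarget,
+IsCNAME: r.IsCNAME,
+Addresses: r.Addresses,
+ResolveError: r.ResolveError,
+}
+if len(r.CNAMEChain) > 0 {
+rec.CNAMEChain = strings.Join(r.CNAMEChain, " → ")
+}
+if r.IsNullTarget {
+nulls = append(nulls, r.Owner)
+}
+if r.IsCNAME {
+cnames = append(cnames, r.Target)
+}
+if r.ResolveError != "" {
+resolveFails = append(resolveFails, fmt.Sprintf("%s (%s)", r.Target, r.ResolveError))
+}
+for _, pr := range r.Probes {
+rp := reportProbe{
+Address: pr.Address,
+Proto: pr.Proto,
+Connected: pr.Connected,
+LatencyMs: pr.LatencyMs,
+Error: pr.Error,
+}
+switch {
+case pr.Connected:
+rp.StatusClass = "ok"
+rp.StatusLabel = "reachable"
+rd.Totals.OKProbes++
+default:
+rp.StatusClass = "crit"
+rp.StatusLabel = "unreachable"
+rd.Totals.BadProbes++
+if pr.Proto == "tcp" {
+tcpDown[pr.Address] = pr.Error
+}
+}
+rec.Probes = append(rec.Probes, rp)
+}
+rd.Records = append(rd.Records, rec)
+}
+// ── Build actionable alerts for common failure scenarios ─────────────
+if len(resolveFails) > 0 {
+rd.Alerts = append(rd.Alerts, reportAlert{
+Severity: "crit",
+Title: fmt.Sprintf("DNS resolution failed for %d SRV target(s)", len(resolveFails)),
+Body: template.HTML(fmt.Sprintf(
+"%s<br>Clients will not be able to reach the service. Fix: either publish A/AAAA records for the target(s), or remove the broken SRV record.",
+strings.Join(resolveFails, "<br>"))),
+})
+}
+if len(cnames) > 0 {
+rd.Alerts = append(rd.Alerts, reportAlert{
+Severity: "warn",
+Title: "SRV target is a CNAME (RFC 2782 violation)",
+Body: template.HTML(fmt.Sprintf(
+"Target(s): %s<br>RFC 2782 requires SRV targets to resolve directly to A/AAAA. "+
+"Some clients will refuse to follow the CNAME. Fix: point the SRV record to a hostname with A/AAAA records, "+
+"or replace the CNAME with an ALIAS/ANAME at the DNS provider.",
+"<code>"+strings.Join(cnames, "</code>, <code>")+"</code>")),
+})
+}
+if len(tcpDown) > 0 {
+var items []string
+for a, e := range tcpDown {
+items = append(items, fmt.Sprintf("<code>%s</code>: %s", a, e))
+}
+rd.Alerts = append(rd.Alerts, reportAlert{
+Severity: "crit",
+Title: fmt.Sprintf("%d target(s) unreachable on their advertised TCP port", len(tcpDown)),
+Body: template.HTML(strings.Join(items, "<br>") +
+"<br>Check: (1) the server is running and bound to the right port; " +
+"(2) firewall/security-group allows inbound TCP to that port; " +
+"(3) the SRV record is not pointing at an old IP."),
+})
+}
+if len(nulls) > 0 && len(nulls) == len(d.Records) {
+rd.Alerts = append(rd.Alerts, reportAlert{
+Severity: "warn",
+Title: "All SRV records use the null target (\".\"): service is explicitly disabled",
+Body: template.HTML(
+"RFC 2782 defines a single SRV record with target <code>\".\"</code> to signal that the service is " +
+"intentionally not available. If this is what you want, the configuration is correct. " +
+"If you expected clients to reach this service, replace the null target with a real hostname."),
+})
+}
+var buf strings.Builder
+if err := htmlTpl.Execute(&buf, rd); err != nil {
+return "", fmt.Errorf("failed to render SRV HTML report: %w", err)
+}
+return buf.String(), nil
+}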
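Review bot: The alert bodies in GetHTMLReport are built with `fmt.Sprintf` and then cast to `template.HTML`, which switches off html/template's escaping for `r.Target`, `r.ResolveError`, `pr.Address` and `pr.Error`; these values come from zone data and resolver or dialer error strings in the stored observation, so markup inside a target name or error text would be rendered as HTML in the report. Escape each value before it is joined: `cnames = append(cnames, template.HTMLEscapeString(r.Target))`, the same wrapper around the `fmt.Sprintf("%s (%s)", r.Target, r.ResolveError)` result for resolveFails, and `template.HTMLEscapeString(a)` / `template.HTMLEscapeString(e)` inside the tcpDown loop. A cleaner alternative is to keep the items as plain strings on reportAlert and let the template range over them, so that no `template.HTML` cast of dynamic data remains. The tcpDown map is also ranged in random order, so the alert lines change between renders of the same observation; sorting the keys would make the report stable.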

270
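--- a/checker/rule.go
+++ b/checker/rule.go
@@ -0,0 +1,270 @@
+package checker
+import (
+"context"
+"fmt"
+"strings"
+sdk "git.happydns.org/checker-sdk-go/checker"
+)
+// getData is shared by every rule to pull the observation out of the store.
+// Any error is surfaced as a StatusError CheckState with a uniform code.
+func getData(ctx context.Context, obs sdk.ObservationGetter) (*SRVData, *sdk.CheckState) {
+var d SRVData
+if err := obs.Get(ctx, ObservationKeySRV, &d); err != nil {
+return nil, &sdk.CheckState{
+Status: sdk.StatusError,
+Message: fmt.Sprintf("Failed to load SRV observation: %v", err),
+Code: "srv_obs_error",
+}
+}
+return &d, nil
+}
+// ── Rule: SRV records are present ─────────────────────────────────────────────
+type rulePresent struct{}
+func RulePresent() sdk.CheckRule { return &rulePresent{} }
+func (rulePresent) Name() string { return "srv_records_present" }
+func (rulePresent) Description() string {
+return "At least one SRV record is published for this service."
+}
+func (rulePresent) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) sdk.CheckState {
+d, cs := getData(ctx, obs)
+if cs != nil {
+return *cs
+}
+if len(d.Records) == 0 {
+return sdk.CheckState{Status: sdk.StatusCrit, Code: "srv_missing",
+Message: "No SRV records published."}
+}
+return sdk.CheckState{Status: sdk.StatusOK, Code: "srv_present",
+Message: fmt.Sprintf("%d SRV record(s) published.", len(d.Records))}
+}
+// ── Rule: Null target ("." means service explicitly unavailable) ──────────────
+type ruleNullTarget struct{}
+func RuleNullTarget() sdk.CheckRule { return &ruleNullTarget{} }
+func (ruleNullTarget) Name() string { return "srv_null_target" }
+func (ruleNullTarget) Description() string {
+return "Detects SRV records with target \".\", which signals the service is intentionally not available."
+}
+func (ruleNullTarget) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) sdk.CheckState {
+d, cs := getData(ctx, obs)
+if cs != nil {
+return *cs
+}
+var nulls []string
+for _, r := range d.Records {
+if r.IsNullTarget {
+nulls = append(nulls, r.Owner)
+}
+}
+if len(nulls) == 0 {
+return sdk.CheckState{Status: sdk.StatusOK, Code: "srv_no_null",
+Message: "No null-target SRV records."}
+}
+if len(nulls) == len(d.Records) {
+return sdk.CheckState{Status: sdk.StatusWarn, Code: "srv_all_null",
+Message: fmt.Sprintf("All %d SRV records use null target (\".\"): service explicitly disabled.", len(nulls))}
+}
+return sdk.CheckState{Status: sdk.StatusInfo, Code: "srv_some_null",
+Message: fmt.Sprintf("%d record(s) have null target: %s", len(nulls), strings.Join(nulls, ", "))}
+}
+// ── Rule: SRV target must not be a CNAME (RFC 2782) ───────────────────────────
+type ruleTargetNotCNAME struct{}
+func RuleTargetNotCNAME() sdk.CheckRule { return &ruleTargetNotCNAME{} }
+func (ruleTargetNotCNAME) Name() string { return "srv_target_not_cname" }
+func (ruleTargetNotCNAME) Description() string {
+return "RFC 2782: SRV targets must resolve directly to A/AAAA, not through a CNAME."
+}
+func (ruleTargetNotCNAME) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) sdk.CheckState {
+d, cs := getData(ctx, obs)
+if cs != nil {
+return *cs
+}
+var bad []string
+for _, r := range d.Records {
+if r.IsNullTarget {
+continue
+}
+if r.IsCNAME {
+bad = append(bad, r.Target)
+}
+}
+if len(bad) == 0 {
+return sdk.CheckState{Status: sdk.StatusOK, Code: "srv_targets_not_cname",
+Message: "All SRV targets resolve directly (no CNAME)."}
+}
+return sdk.CheckState{Status: sdk.StatusWarn, Code: "srv_targets_are_cname",
+Message: fmt.Sprintf("RFC 2782 violation — SRV target(s) are CNAMEs: %s", strings.Join(bad, ", "))}
+}
+// ── Rule: targets resolve to at least one IP ──────────────────────────────────
+type ruleTargetsResolve struct{}
+func RuleTargetsResolve() sdk.CheckRule { return &ruleTargetsResolve{} }
+func (ruleTargetsResolve) Name() string { return "srv_targets_resolve" }
+func (ruleTargetsResolve) Description() string {
+return "Every SRV target resolves to at least one A/AAAA address."
+}
+func (ruleTargetsResolve) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) sdk.CheckState {
+d, cs := getData(ctx, obs)
+if cs != nil {
+return *cs
+}
+var failed []string
+var checked int
+for _, r := range d.Records {
+if r.IsNullTarget {
+continue
+}
+checked++
+if len(r.Addresses) == 0 {
+failed = append(failed, fmt.Sprintf("%s (%s)", r.Target, r.ResolveError))
+}
+}
+if checked == 0 {
+return sdk.CheckState{Status: sdk.StatusInfo, Code: "srv_no_targets",
+Message: "No resolvable targets to test."}
+}
+if len(failed) == 0 {
+return sdk.CheckState{Status: sdk.StatusOK, Code: "srv_all_resolve",
+Message: fmt.Sprintf("All %d target(s) resolve.", checked)}
+}
+return sdk.CheckState{Status: sdk.StatusCrit, Code: "srv_resolve_fail",
+Message: fmt.Sprintf("Target(s) failed DNS resolution: %s", strings.Join(failed, "; "))}
+}
+// ── Rule: TCP reachable ───────────────────────────────────────────────────────
+type ruleTCPReachable struct{}
+func RuleTCPReachable() sdk.CheckRule { return &ruleTCPReachable{} }
+func (ruleTCPReachable) Name() string { return "srv_tcp_reachable" }
+func (ruleTCPReachable) Description() string {
+return "Every TCP SRV target:port accepts a TCP connection."
+}
+func (ruleTCPReachable) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) sdk.CheckState {
+d, cs := getData(ctx, obs)
+if cs != nil {
+return *cs
+}
+var total, ok int
+var failed []string
+for _, r := range d.Records {
+if r.IsNullTarget || r.Proto != "tcp" {
+continue
+}
+for _, pr := range r.Probes {
+if pr.Proto != "tcp" {
+continue
+}
+total++
+if pr.Connected {
+ok++
+} else {
+failed = append(failed, fmt.Sprintf("%s: %s", pr.Address, pr.Error))
+}
+}
+}
+if total == 0 {
+return sdk.CheckState{Status: sdk.StatusInfo, Code: "srv_tcp_na",
+Message: "No TCP targets to test."}
+}
+if ok == total {
+return sdk.CheckState{Status: sdk.StatusOK, Code: "srv_tcp_ok",
+Message: fmt.Sprintf("All %d TCP target(s) reachable.", total)}
+}
+if ok == 0 {
+return sdk.CheckState{Status: sdk.StatusCrit, Code: "srv_tcp_all_down",
+Message: fmt.Sprintf("All %d TCP target(s) unreachable: %s", total, strings.Join(failed, "; "))}
+}
+return sdk.CheckState{Status: sdk.StatusWarn, Code: "srv_tcp_partial",
+Message: fmt.Sprintf("%d/%d TCP target(s) unreachable: %s", total-ok, total, strings.Join(failed, "; "))}
+}
+// ── Rule: UDP reachable (best-effort) ─────────────────────────────────────────
+type ruleUDPReachable struct{}
+func RuleUDPReachable() sdk.CheckRule { return &ruleUDPReachable{} }
+func (ruleUDPReachable) Name() string { return "srv_udp_reachable" }
+func (ruleUDPReachable) Description() string {
+return "UDP SRV targets do not return ICMP port-unreachable."
+}
+func (ruleUDPReachable) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) sdk.CheckState {
+d, cs := getData(ctx, obs)
+if cs != nil {
+return *cs
+}
+var total, ok int
+var failed []string
+for _, r := range d.Records {
+if r.IsNullTarget || r.Proto != "udp" {
+continue
+}
+for _, pr := range r.Probes {
+if pr.Proto != "udp" {
+continue
+}
+total++
+if pr.Connected {
+ok++
+} else {
+failed = append(failed, fmt.Sprintf("%s: %s", pr.Address, pr.Error))
+}
+}
+}
+if total == 0 {
+return sdk.CheckState{Status: sdk.StatusInfo, Code: "srv_udp_na",
+Message: "No UDP targets to test."}
+}
+if ok == total {
+return sdk.CheckState{Status: sdk.StatusOK, Code: "srv_udp_ok",
+Message: fmt.Sprintf("All %d UDP target(s) reachable.", total)}
+}
+return sdk.CheckState{Status: sdk.StatusWarn, Code: "srv_udp_issue",
+Message: fmt.Sprintf("%d/%d UDP target(s) reported port unreachable: %s", total-ok, total, strings.Join(failed, "; "))}
+}
+// ── Rule: redundancy (more than one usable target) ────────────────────────────
+type ruleRedundancy struct{}
+func RuleRedundancy() sdk.CheckRule { return &ruleRedundancy{} }
+func (ruleRedundancy) Name() string { return "srv_redundancy" }
+func (ruleRedundancy) Description() string {
+return "At least two distinct SRV targets exist (avoids single point of failure)."
+}
+func (ruleRedundancy) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) sdk.CheckState {
+d, cs := getData(ctx, obs)
+if cs != nil {
+return *cs
+}
+targets := map[string]bool{}
+for _, r := range d.Records {
+if r.IsNullTarget {
+continue
+}
+targets[r.Target] = true
+}
+if len(targets) >= 2 {
+return sdk.CheckState{Status: sdk.StatusOK, Code: "srv_redundant",
+Message: fmt.Sprintf("%d distinct targets.", len(targets))}
+}
+if len(targets) == 1 {
+return sdk.CheckState{Status: sdk.StatusInfo, Code: "srv_single_target",
+Message: "Single SRV target: no redundancy at DNS level."}
+}
+return sdk.CheckState{Status: sdk.StatusInfo, Code: "srv_no_targets_redundancy",
+Message: "No usable SRV targets."}
+}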
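Review bot: ruleRedundancy counts every non-null target as usable, so two SRV records whose targets both failed resolution still yield `srv_redundant` with StatusOK, and targets that differ only in letter case are counted as distinct although DNS names compare case-insensitively. In its loop I would skip records with `len(r.Addresses) == 0` and key the map with `strings.ToLower(r.Target)`, which matches the section comment's "more than one usable target". In ruleUDPReachable the warning text says "reported port unreachable" for every failed probe, including the dial and write errors that probeUDP in collect.go also records; wording it as "failed" would match what is actually measured.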

54
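--- a/checker/types.go
+++ b/checker/types.go
@@ -0,0 +1,54 @@
+// Package checker implements the generic SRV records checker for happyDomain.
+//
+// For each SRV record attached to the target service it performs:
+//
+// - DNS resolution of every SRV target (A/AAAA, CNAME detection)
+// - TCP connectivity test on target:port (_tcp SRVs)
+// - UDP probe on target:port (_udp SRVs)
+//
+// TLS/certificate testing is intentionally out of scope: it is handled by a
+// dedicated TLS checker.
+//
+// Checks are performed natively using the Go standard library (no external
+// testsuite).
+package checker
+import (
+sdk "git.happydns.org/checker-sdk-go/checker"
+)
+const ObservationKeySRV sdk.ObservationKey = "srv_records"
+type SRVRecord struct {
+Service string `json:"service"`
+Proto string `json:"proto"`
+Owner string `json:"owner"`
+Target string `json:"target"`
+Port uint16 `json:"port"`
+Priority uint16 `json:"priority"`
+Weight uint16 `json:"weight"`
+// DNS resolution results
+IsNullTarget bool `json:"isNullTarget,omitempty"` // target == "." means "no service"
+IsCNAME bool `json:"isCNAME,omitempty"` // RFC 2782: MUST NOT be CNAME
+CNAMEChain []string `json:"cnameChain,omitempty"`
+Addresses []string `json:"addresses,omitempty"`
+ResolveError string `json:"resolveError,omitempty"`
+// Reachability checks per address
+Probes []ProbeResult `json:"probes,omitempty"`
+}
+type ProbeResult struct {
+Address string `json:"address"`
+Proto string `json:"proto"` // "tcp" or "udp"
+Connected bool `json:"connected"`
+LatencyMs float64 `json:"latencyMs,omitempty"`
+Error string `json:"error,omitempty"`
+}
+type SRVData struct {
+ServiceDomain string `json:"serviceDomain"` // e.g. _sip._tcp.example.com
+Records []SRVRecord `json:"records"`
+CollectError string `json:"collectError,omitempty"`
+}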