Pierre-Olivier Mercier
9f7b585517
Generic SRV records checker for happyDomain.
For each SRV record attached to an svcs.UnknownSRV service, the checker
resolves every target and probes reachability:
- DNS resolution (A/AAAA), CNAME detection (RFC 2782 violation),
null-target detection (RFC 2782 "service explicitly unavailable")
- TCP connect to target:port for _tcp SRVs
- UDP probe for _udp SRVs, using ICMP port-unreachable detection
The checker also publishes TLS endpoints (host, port, SNI) for every
SRV target hitting a well-known direct-TLS port (443, 465, 636, 853,
993, 995, 5061, 5223, …) via the EndpointDiscoverer SDK interface, so
a downstream TLS checker can pick them up.
The HTML report groups records as cards and surfaces the most common
failure scenarios (DNS failure, CNAME target, TCP unreachable,
null-target) at the top with remediation guidance.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
72 lines
1.9 KiB
Go
72 lines
1.9 KiB
Go
package checker
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
sdk "git.happydns.org/checker-sdk-go/checker"
|
|
)
|
|
|
|
func Provider() sdk.ObservationProvider {
|
|
return &srvProvider{}
|
|
}
|
|
|
|
type srvProvider struct{}
|
|
|
|
func (p *srvProvider) Key() sdk.ObservationKey {
|
|
return ObservationKeySRV
|
|
}
|
|
|
|
func (p *srvProvider) Definition() *sdk.CheckerDefinition {
|
|
return Definition()
|
|
}
|
|
|
|
// directTLSPorts lists TCP ports where clients speak TLS immediately upon
|
|
// connection (as opposed to STARTTLS upgrades). A dedicated TLS checker
|
|
// consumes these endpoints to validate certificates.
|
|
var directTLSPorts = map[uint16]bool{
|
|
443: true, // HTTPS
|
|
465: true, // SMTPS
|
|
563: true, // NNTPS
|
|
636: true, // LDAPS
|
|
853: true, // DoT
|
|
989: true, // FTPS data
|
|
990: true, // FTPS control
|
|
992: true, // Telnet/TLS
|
|
993: true, // IMAPS
|
|
995: true, // POP3S
|
|
5061: true, // SIPS
|
|
5223: true, // XMPP client TLS
|
|
5349: true, // STUN/TURN/TLS
|
|
6697: true, // IRCS
|
|
8443: true, // HTTPS alt
|
|
}
|
|
|
|
// DiscoverEndpoints is invoked by the host right after Collect. It declares
|
|
// (host, port) pairs worth testing by other checkers — here: TLS endpoints
|
|
// whose SRV target points at a well-known direct-TLS port.
|
|
//
|
|
// STARTTLS SRVs (e.g. _xmpp-server._tcp on 5269, _sips._tcp notwithstanding)
|
|
// are intentionally not emitted yet: a dedicated "smtp-starttls" / "xmpp-starttls"
|
|
// endpoint type will be defined when the TLS checker grows that capability.
|
|
func (p *srvProvider) DiscoverEndpoints(data any) ([]sdk.DiscoveredEndpoint, error) {
|
|
d, ok := data.(*SRVData)
|
|
if !ok {
|
|
return nil, fmt.Errorf("unexpected data type %T", data)
|
|
}
|
|
var out []sdk.DiscoveredEndpoint
|
|
for _, r := range d.Records {
|
|
if r.IsNullTarget || r.Target == "" {
|
|
continue
|
|
}
|
|
if !directTLSPorts[r.Port] {
|
|
continue
|
|
}
|
|
out = append(out, sdk.DiscoveredEndpoint{
|
|
Type: "tls",
|
|
Host: r.Target,
|
|
Port: r.Port,
|
|
SNI: r.Target,
|
|
})
|
|
}
|
|
return out, nil
|
|
}
|