fix: correct CAA quoting and NXDOMAIN/NODATA distinction for managed records

probeRR and answerManaged were applying TXT-style double-quote wrapping to
CAA records. CAA wire format is "0 issue <value>" — wrapping the entire
value in quotes caused dns.NewRR to reject every CAA record. Remove CAA
from the quoting logic; only TXT needs it.

answerManaged now returns ([]dns.RR, bool) where the bool signals whether
the queried name exists at all (in any record type). answer() uses this to
set NOERROR when the name exists but no records match the queried type
(RFC 2308 NODATA), rather than leaving the rcode as NXDOMAIN.

Add TestAnswerManagedNODATA, TestAnswerManagedCAARecord (dns_test.go) and
TestAdminCreateCAARecord (api_test.go) to cover both fixes.

Author: ZPascal

api.go

@@ -25,7 +25,7 @@ func toFQDN(name string) string {
 	return name
 }
 
-// stripOuterQuotes removes a single layer of surrounding double-quotes from TXT/CAA values
+// stripOuterQuotes removes a single layer of surrounding double-quotes from TXT values
 // so the DB always stores the raw string content regardless of how the caller supplied it.
 func stripOuterQuotes(value string) string {
 	if len(value) >= 2 && value[0] == '"' && value[len(value)-1] == '"' {
@@ -36,7 +36,7 @@ func stripOuterQuotes(value string) string {
 
 // probeRR validates that rtype+value form a parseable DNS RR using a placeholder name and TTL.
 func probeRR(rtype, value string) bool {
-	if rtype == "TXT" || rtype == "CAA" {
+	if rtype == "TXT" {
 		value = `"` + strings.ReplaceAll(value, `"`, `\"`) + `"`
 	}
 	_, err := dns.NewRR(fmt.Sprintf("probe.invalid. 300 IN %s %s", rtype, value))

api_test.go

@@ -630,6 +630,20 @@ func TestAdminCreateRecordInvalidMXValue(t *testing.T) {
 		Expect().Status(http.StatusBadRequest)
 }
 
+func TestAdminCreateCAARecord(t *testing.T) {
+	_, e := setupAdminRouter(t, "test-token")
+	payload := map[string]interface{}{
+		"name":  "caa.example.com",
+		"type":  "CAA",
+		"value": `0 issue "letsencrypt.org"`,
+		"ttl":   300,
+	}
+	e.POST("/admin/records").
+		WithHeader("Authorization", "Bearer test-token").
+		WithJSON(payload).
+		Expect().Status(http.StatusCreated).JSON().Object().ContainsKey("id")
+}
+
 func TestAdminTXTValueQuoteStripping(t *testing.T) {
 	_, e := setupAdminRouter(t, "test-token")
 	// Value submitted with surrounding quotes should be stored and returned without them.

dns.go

@@ -211,10 +211,14 @@ func (d *DNSServer) answer(q dns.Question) ([]dns.RR, int, bool, error) {
 	}
 	// Fall through to managed dns_records if no static or ACME records matched
 	if len(r) == 0 {
-		managed := d.answerManaged(q)
+		managed, nameExists := d.answerManaged(q)
 		if len(managed) > 0 {
 			r = managed
 			authoritative = true
+		} else if nameExists {
+			// Name exists in dns_records but not for this type: NODATA (NOERROR, empty answer)
+			rcode = dns.RcodeSuccess
+			authoritative = true
 		}
 	}
 	if len(r) > 0 {
@@ -252,21 +256,28 @@ func (d *DNSServer) answerOwnChallenge(q dns.Question) ([]dns.RR, error) {
 	return []dns.RR{r}, nil
 }
 
-func (d *DNSServer) answerManaged(q dns.Question) []dns.RR {
+func (d *DNSServer) answerManaged(q dns.Question) ([]dns.RR, bool) {
 	qtype := dns.TypeToString[q.Qtype]
 	if qtype == "" {
-		return nil
+		return nil, false
 	}
 	name := strings.ToLower(q.Name)
-	records, err := d.DB.ListRecords(qtype, name)
+	// Check if the name exists at all (any type) to distinguish NXDOMAIN from NODATA.
+	allRecords, err := d.DB.ListRecords("", name)
 	if err != nil {
 		log.WithFields(log.Fields{"error": err.Error()}).Debug("Error querying managed records")
-		return nil
+		return nil, false
+	}
+	if len(allRecords) == 0 {
+		return nil, false
 	}
 	var rrs []dns.RR
-	for _, rec := range records {
+	for _, rec := range allRecords {
+		if rec.Type != qtype {
+			continue
+		}
 		value := rec.Value
-		if rec.Type == "TXT" || rec.Type == "CAA" {
+		if rec.Type == "TXT" {
 			value = `"` + strings.ReplaceAll(value, `"`, `\"`) + `"`
 		}
 		rrStr := fmt.Sprintf("%s %d IN %s %s", rec.Name, rec.TTL, rec.Type, value)
@@ -277,5 +288,5 @@ func (d *DNSServer) answerManaged(q dns.Question) []dns.RR {
 		}
 		rrs = append(rrs, rr)
 	}
-	return rrs
+	return rrs, true
 }

dns_test.go

@@ -302,3 +302,49 @@ func TestAnswerManagedARecord(t *testing.T) {
 		t.Fatal("expected at least one RR in answer")
 	}
 }
+
+func TestAnswerManagedNODATA(t *testing.T) {
+	// Name exists in dns_records as A, query for AAAA — must be NODATA (NOERROR, empty answer).
+	rec := DNSRecord{
+		ID: "nodata-test-1", Name: "nodata.auth.example.org.", Type: "A", Value: "1.2.3.4", TTL: 300, Created: 0,
+	}
+	if err := DB.CreateRecord(rec); err != nil {
+		t.Fatalf("CreateRecord: %v", err)
+	}
+	t.Cleanup(func() { _ = DB.DeleteRecord("nodata-test-1") })
+
+	q := dns.Question{Name: "nodata.auth.example.org.", Qtype: dns.TypeAAAA, Qclass: dns.ClassINET}
+	rrs, rcode, _, err := dnsserver.answer(q)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if rcode != dns.RcodeSuccess {
+		t.Fatalf("expected NOERROR (NODATA) for existing name with wrong type, got %s", dns.RcodeToString[rcode])
+	}
+	if len(rrs) != 0 {
+		t.Fatalf("expected empty answer section for NODATA, got %d records", len(rrs))
+	}
+}
+
+func TestAnswerManagedCAARecord(t *testing.T) {
+	// CAA value must not be quote-wrapped — it has its own tag-value structure.
+	rec := DNSRecord{
+		ID: "caa-test-1", Name: "caa.auth.example.org.", Type: "CAA", Value: `0 issue "letsencrypt.org"`, TTL: 300, Created: 0,
+	}
+	if err := DB.CreateRecord(rec); err != nil {
+		t.Fatalf("CreateRecord: %v", err)
+	}
+	t.Cleanup(func() { _ = DB.DeleteRecord("caa-test-1") })
+
+	q := dns.Question{Name: "caa.auth.example.org.", Qtype: dns.TypeCAA, Qclass: dns.ClassINET}
+	rrs, rcode, _, err := dnsserver.answer(q)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if rcode != dns.RcodeSuccess {
+		t.Fatalf("expected NOERROR for CAA query, got %s", dns.RcodeToString[rcode])
+	}
+	if len(rrs) == 0 {
+		t.Fatal("expected CAA record in answer, got none")
+	}
+}