fix: address PR review — CORS headers, FQDN normalization, TXT quoting, RR validation, DB index

- CORS: restore X-Api-User and X-Api-Key to AllowedHeaders (required by /update endpoint)
- api: normalize record names to FQDN (trailing dot) on create/update/list-filter so DNS
  lookups against q.Name (which always ends with dot) match stored records
- api: normalize type filter to uppercase for case-insensitive GET /admin/records?type=
- api: add probeRR helper — validates record value parses as a real DNS RR before storing,
  preventing values that are silently dropped at serve time
- dns: guard answerManaged against unknown QTYPEs (empty TypeToString result)
- dns: quote TXT and CAA values in RR string so values with spaces parse correctly
- db: add index on dns_records(name, type) to avoid full table scans on every DNS request

Author: ZPascal

api.go

@@ -15,13 +15,32 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/julienschmidt/httprouter"
+	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 	"io"
 )
 
 //go:embed openapi.json
 var openapiSpec []byte
 
+// toFQDN ensures a DNS name ends with a trailing dot for consistent storage and lookup.
+func toFQDN(name string) string {
+	name = strings.ToLower(name)
+	if !strings.HasSuffix(name, ".") {
+		name += "."
+	}
+	return name
+}
+
+// probeRR validates that rtype+value form a parseable DNS RR using a placeholder name and TTL.
+func probeRR(rtype, value string) bool {
+	if rtype == "TXT" || rtype == "CAA" {
+		value = `"` + strings.ReplaceAll(value, `"`, `\"`) + `"`
+	}
+	_, err := dns.NewRR(fmt.Sprintf("probe.invalid. 300 IN %s %s", rtype, value))
+	return err == nil
+}
+
 // RegResponse is a struct for registration response JSON
 type RegResponse struct {
 	Username   string   `json:"username"`
@@ -160,8 +179,11 @@ func adminBearerMiddleware(next httprouter.Handle) httprouter.Handle {
 }
 
 func adminListRecords(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-	filterType := r.URL.Query().Get("type")
+	filterType := strings.ToUpper(r.URL.Query().Get("type"))
 	filterName := r.URL.Query().Get("name")
+	if filterName != "" {
+		filterName = toFQDN(filterName)
+	}
 	records, err := DB.ListRecords(filterType, filterName)
 	if err != nil {
 		log.WithFields(log.Fields{"error": err.Error()}).Error("Error in admin handler")
@@ -201,6 +223,12 @@ func adminCreateRecord(w http.ResponseWriter, r *http.Request, _ httprouter.Para
 		_, _ = w.Write(jsonError("invalid_record_value"))
 		return
 	}
+	if !probeRR(req.Type, req.Value) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		_, _ = w.Write(jsonError("invalid_record_value"))
+		return
+	}
 	ttl := req.TTL
 	if ttl == 0 {
 		ttl = 300
@@ -213,7 +241,7 @@ func adminCreateRecord(w http.ResponseWriter, r *http.Request, _ httprouter.Para
 	}
 	rec := DNSRecord{
 		ID:      uuid.New().String(),
-		Name:    strings.ToLower(req.Name),
+		Name:    toFQDN(req.Name),
 		Type:    req.Type,
 		Value:   req.Value,
 		TTL:     ttl,
@@ -258,6 +286,12 @@ func adminUpdateRecord(w http.ResponseWriter, r *http.Request, ps httprouter.Par
 		_, _ = w.Write(jsonError("invalid_record_value"))
 		return
 	}
+	if !probeRR(req.Type, req.Value) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		_, _ = w.Write(jsonError("invalid_record_value"))
+		return
+	}
 	if req.TTL != 0 && !validTTL(req.TTL) {
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusBadRequest)
@@ -268,7 +302,7 @@ func adminUpdateRecord(w http.ResponseWriter, r *http.Request, ps httprouter.Par
 	if ttl == 0 {
 		ttl = 300
 	}
-	rec := DNSRecord{ID: id, Name: strings.ToLower(req.Name), Type: req.Type, Value: req.Value, TTL: ttl}
+	rec := DNSRecord{ID: id, Name: toFQDN(req.Name), Type: req.Type, Value: req.Value, TTL: ttl}
 	if err := DB.UpdateRecord(rec); err != nil {
 		w.Header().Set("Content-Type", "application/json")
 		if errors.Is(err, sql.ErrNoRows) {

db.go

@@ -58,6 +58,9 @@ var dnsRecordsTable = `
 		created INTEGER NOT NULL
 	);`
 
+var dnsRecordsIndex = `
+	CREATE INDEX IF NOT EXISTS idx_dns_records_name_type ON dns_records (name, type);`
+
 // getSQLiteStmt replaces all PostgreSQL prepared statement placeholders (eg. $1, $2) with SQLite variant "?"
 func getSQLiteStmt(s string) string {
 	re, _ := regexp.Compile(`\$[0-9]`)
@@ -91,6 +94,7 @@ func (d *acmedb) Init(engine string, connection string) error {
 		_, _ = d.DB.Exec(txtTablePG)
 	}
 	_, _ = d.DB.Exec(dnsRecordsTable)
+	_, _ = d.DB.Exec(dnsRecordsIndex)
 	// If everything is fine, handle db upgrade tasks
 	if err == nil {
 		err = d.checkDBUpgrades(versionString)

dns.go

@@ -249,15 +249,23 @@ func (d *DNSServer) answerOwnChallenge(q dns.Question) ([]dns.RR, error) {
 }
 
 func (d *DNSServer) answerManaged(q dns.Question) []dns.RR {
+	qtype := dns.TypeToString[q.Qtype]
+	if qtype == "" {
+		return nil
+	}
 	name := strings.ToLower(q.Name)
-	records, err := d.DB.ListRecords(dns.TypeToString[q.Qtype], name)
+	records, err := d.DB.ListRecords(qtype, name)
 	if err != nil {
 		log.WithFields(log.Fields{"error": err.Error()}).Debug("Error querying managed records")
 		return nil
 	}
 	var rrs []dns.RR
 	for _, rec := range records {
-		rrStr := fmt.Sprintf("%s %d IN %s %s", rec.Name, rec.TTL, rec.Type, rec.Value)
+		value := rec.Value
+		if rec.Type == "TXT" || rec.Type == "CAA" {
+			value = `"` + strings.ReplaceAll(value, `"`, `\"`) + `"`
+		}
+		rrStr := fmt.Sprintf("%s %d IN %s %s", rec.Name, rec.TTL, rec.Type, value)
 		rr, err := dns.NewRR(rrStr)
 		if err != nil {
 			log.WithFields(log.Fields{"error": err.Error(), "record": rrStr}).Warning("Could not parse managed RR")

main.go

@@ -118,7 +118,7 @@ func startHTTPAPI(errChan chan error, config DNSConfig, dnsServers []*DNSServer)
 	c := cors.New(cors.Options{
 		AllowedOrigins:     config.API.CorsOrigins,
 		AllowedMethods:     []string{"GET", "POST", "PUT", "DELETE"},
-		AllowedHeaders:     []string{"Authorization", "Content-Type"},
+		AllowedHeaders:     []string{"Authorization", "Content-Type", "X-Api-User", "X-Api-Key"},
 		OptionsPassthrough: false,
 		Debug:              config.General.Debug,
 	})