Implement MCNS v1: custom Go DNS server replacing CoreDNS

Replace the CoreDNS precursor with a purpose-built authoritative DNS
server. Zones and records (A, AAAA, CNAME) are stored in SQLite and
managed via synchronized gRPC + REST APIs authenticated through MCIAS.
Non-authoritative queries are forwarded to upstream resolvers with
in-memory caching.

Key components:
- DNS server (miekg/dns) with authoritative zone handling and forwarding
- gRPC + REST management APIs with MCIAS auth (mcdsl integration)
- SQLite storage with CNAME exclusivity enforcement and auto SOA serials
- 30 tests covering database CRUD, DNS resolution, and caching

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/grpcserver/admin.go

@@ -0,0 +1,20 @@
+package grpcserver
+
+import (
+	"context"
+
+	pb "git.wntrmute.dev/kyle/mcns/gen/mcns/v1"
+	"git.wntrmute.dev/kyle/mcns/internal/db"
+)
+
+type adminService struct {
+	pb.UnimplementedAdminServiceServer
+	db *db.DB
+}
+
+func (s *adminService) Health(_ context.Context, _ *pb.HealthRequest) (*pb.HealthResponse, error) {
+	if err := s.db.Ping(); err != nil {
+		return &pb.HealthResponse{Status: "unhealthy"}, nil
+	}
+	return &pb.HealthResponse{Status: "ok"}, nil
+}

internal/grpcserver/auth_handler.go

@@ -0,0 +1,38 @@
+package grpcserver
+
+import (
+	"context"
+	"errors"
+
+	mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	pb "git.wntrmute.dev/kyle/mcns/gen/mcns/v1"
+)
+
+type authService struct {
+	pb.UnimplementedAuthServiceServer
+	auth *mcdslauth.Authenticator
+}
+
+func (s *authService) Login(_ context.Context, req *pb.LoginRequest) (*pb.LoginResponse, error) {
+	token, _, err := s.auth.Login(req.Username, req.Password, req.TotpCode)
+	if err != nil {
+		if errors.Is(err, mcdslauth.ErrInvalidCredentials) {
+			return nil, status.Error(codes.Unauthenticated, "invalid credentials")
+		}
+		if errors.Is(err, mcdslauth.ErrForbidden) {
+			return nil, status.Error(codes.PermissionDenied, "access denied by login policy")
+		}
+		return nil, status.Error(codes.Unavailable, "authentication service unavailable")
+	}
+	return &pb.LoginResponse{Token: token}, nil
+}
+
+func (s *authService) Logout(_ context.Context, req *pb.LogoutRequest) (*pb.LogoutResponse, error) {
+	if err := s.auth.Logout(req.Token); err != nil {
+		return nil, status.Error(codes.Internal, "logout failed")
+	}
+	return &pb.LogoutResponse{}, nil
+}

internal/grpcserver/interceptors.go

@@ -0,0 +1,45 @@
+package grpcserver
+
+import (
+	mcdslgrpc "git.wntrmute.dev/kyle/mcdsl/grpcserver"
+)
+
+// methodMap builds the mcdsl grpcserver.MethodMap for MCNS.
+//
+// Adding a new RPC without adding it to the correct map is a security
+// defect — the mcdsl auth interceptor denies unmapped methods by default.
+func methodMap() mcdslgrpc.MethodMap {
+	return mcdslgrpc.MethodMap{
+		Public:        publicMethods(),
+		AuthRequired:  authRequiredMethods(),
+		AdminRequired: adminRequiredMethods(),
+	}
+}
+
+func publicMethods() map[string]bool {
+	return map[string]bool{
+		"/mcns.v1.AdminService/Health": true,
+		"/mcns.v1.AuthService/Login":   true,
+	}
+}
+
+func authRequiredMethods() map[string]bool {
+	return map[string]bool{
+		"/mcns.v1.AuthService/Logout":      true,
+		"/mcns.v1.ZoneService/ListZones":   true,
+		"/mcns.v1.ZoneService/GetZone":     true,
+		"/mcns.v1.RecordService/ListRecords": true,
+		"/mcns.v1.RecordService/GetRecord":   true,
+	}
+}
+
+func adminRequiredMethods() map[string]bool {
+	return map[string]bool{
+		"/mcns.v1.ZoneService/CreateZone": true,
+		"/mcns.v1.ZoneService/UpdateZone": true,
+		"/mcns.v1.ZoneService/DeleteZone": true,
+		"/mcns.v1.RecordService/CreateRecord": true,
+		"/mcns.v1.RecordService/UpdateRecord": true,
+		"/mcns.v1.RecordService/DeleteRecord": true,
+	}
+}

internal/grpcserver/records.go

@@ -0,0 +1,110 @@
+package grpcserver
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	pb "git.wntrmute.dev/kyle/mcns/gen/mcns/v1"
+	"git.wntrmute.dev/kyle/mcns/internal/db"
+)
+
+type recordService struct {
+	pb.UnimplementedRecordServiceServer
+	db *db.DB
+}
+
+func (s *recordService) ListRecords(_ context.Context, req *pb.ListRecordsRequest) (*pb.ListRecordsResponse, error) {
+	records, err := s.db.ListRecords(req.Zone, req.Name, req.Type)
+	if errors.Is(err, db.ErrNotFound) {
+		return nil, status.Error(codes.NotFound, "zone not found")
+	}
+	if err != nil {
+		return nil, status.Error(codes.Internal, "failed to list records")
+	}
+
+	resp := &pb.ListRecordsResponse{}
+	for _, r := range records {
+		resp.Records = append(resp.Records, recordToProto(r))
+	}
+	return resp, nil
+}
+
+func (s *recordService) GetRecord(_ context.Context, req *pb.GetRecordRequest) (*pb.Record, error) {
+	record, err := s.db.GetRecord(req.Id)
+	if errors.Is(err, db.ErrNotFound) {
+		return nil, status.Error(codes.NotFound, "record not found")
+	}
+	if err != nil {
+		return nil, status.Error(codes.Internal, "failed to get record")
+	}
+	return recordToProto(*record), nil
+}
+
+func (s *recordService) CreateRecord(_ context.Context, req *pb.CreateRecordRequest) (*pb.Record, error) {
+	record, err := s.db.CreateRecord(req.Zone, req.Name, req.Type, req.Value, int(req.Ttl))
+	if errors.Is(err, db.ErrNotFound) {
+		return nil, status.Error(codes.NotFound, "zone not found")
+	}
+	if errors.Is(err, db.ErrConflict) {
+		return nil, status.Error(codes.AlreadyExists, err.Error())
+	}
+	if err != nil {
+		return nil, status.Error(codes.InvalidArgument, err.Error())
+	}
+	return recordToProto(*record), nil
+}
+
+func (s *recordService) UpdateRecord(_ context.Context, req *pb.UpdateRecordRequest) (*pb.Record, error) {
+	record, err := s.db.UpdateRecord(req.Id, req.Name, req.Type, req.Value, int(req.Ttl))
+	if errors.Is(err, db.ErrNotFound) {
+		return nil, status.Error(codes.NotFound, "record not found")
+	}
+	if errors.Is(err, db.ErrConflict) {
+		return nil, status.Error(codes.AlreadyExists, err.Error())
+	}
+	if err != nil {
+		return nil, status.Error(codes.InvalidArgument, err.Error())
+	}
+	return recordToProto(*record), nil
+}
+
+func (s *recordService) DeleteRecord(_ context.Context, req *pb.DeleteRecordRequest) (*pb.DeleteRecordResponse, error) {
+	err := s.db.DeleteRecord(req.Id)
+	if errors.Is(err, db.ErrNotFound) {
+		return nil, status.Error(codes.NotFound, "record not found")
+	}
+	if err != nil {
+		return nil, status.Error(codes.Internal, "failed to delete record")
+	}
+	return &pb.DeleteRecordResponse{}, nil
+}
+
+func recordToProto(r db.Record) *pb.Record {
+	return &pb.Record{
+		Id:        r.ID,
+		Zone:      r.ZoneName,
+		Name:      r.Name,
+		Type:      r.Type,
+		Value:     r.Value,
+		Ttl:       int32(r.TTL),
+		CreatedAt: parseRecordTimestamp(r.CreatedAt),
+		UpdatedAt: parseRecordTimestamp(r.UpdatedAt),
+	}
+}
+
+func parseRecordTimestamp(s string) *timestamppb.Timestamp {
+	t, err := parseTime(s)
+	if err != nil {
+		return nil
+	}
+	return timestamppb.New(t)
+}
+
+func parseTime(s string) (time.Time, error) {
+	return time.Parse("2006-01-02T15:04:05Z", s)
+}

internal/grpcserver/server.go

@@ -0,0 +1,50 @@
+package grpcserver
+
+import (
+	"log/slog"
+	"net"
+
+	mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
+	mcdslgrpc "git.wntrmute.dev/kyle/mcdsl/grpcserver"
+
+	pb "git.wntrmute.dev/kyle/mcns/gen/mcns/v1"
+	"git.wntrmute.dev/kyle/mcns/internal/db"
+)
+
+// Deps holds the dependencies injected into the gRPC server.
+type Deps struct {
+	DB            *db.DB
+	Authenticator *mcdslauth.Authenticator
+}
+
+// Server wraps a mcdsl grpcserver.Server with MCNS-specific services.
+type Server struct {
+	srv *mcdslgrpc.Server
+}
+
+// New creates a configured gRPC server with MCNS services registered.
+func New(certFile, keyFile string, deps Deps, logger *slog.Logger) (*Server, error) {
+	srv, err := mcdslgrpc.New(certFile, keyFile, deps.Authenticator, methodMap(), logger)
+	if err != nil {
+		return nil, err
+	}
+
+	s := &Server{srv: srv}
+
+	pb.RegisterAdminServiceServer(srv.GRPCServer, &adminService{db: deps.DB})
+	pb.RegisterAuthServiceServer(srv.GRPCServer, &authService{auth: deps.Authenticator})
+	pb.RegisterZoneServiceServer(srv.GRPCServer, &zoneService{db: deps.DB})
+	pb.RegisterRecordServiceServer(srv.GRPCServer, &recordService{db: deps.DB})
+
+	return s, nil
+}
+
+// Serve starts the gRPC server on the given listener.
+func (s *Server) Serve(lis net.Listener) error {
+	return s.srv.GRPCServer.Serve(lis)
+}
+
+// GracefulStop gracefully stops the gRPC server.
+func (s *Server) GracefulStop() {
+	s.srv.Stop()
+}

internal/grpcserver/zones.go

@@ -0,0 +1,134 @@
+package grpcserver
+
+import (
+	"context"
+	"errors"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	pb "git.wntrmute.dev/kyle/mcns/gen/mcns/v1"
+	"git.wntrmute.dev/kyle/mcns/internal/db"
+)
+
+type zoneService struct {
+	pb.UnimplementedZoneServiceServer
+	db *db.DB
+}
+
+func (s *zoneService) ListZones(_ context.Context, _ *pb.ListZonesRequest) (*pb.ListZonesResponse, error) {
+	zones, err := s.db.ListZones()
+	if err != nil {
+		return nil, status.Error(codes.Internal, "failed to list zones")
+	}
+
+	resp := &pb.ListZonesResponse{}
+	for _, z := range zones {
+		resp.Zones = append(resp.Zones, zoneToProto(z))
+	}
+	return resp, nil
+}
+
+func (s *zoneService) GetZone(_ context.Context, req *pb.GetZoneRequest) (*pb.Zone, error) {
+	zone, err := s.db.GetZone(req.Name)
+	if errors.Is(err, db.ErrNotFound) {
+		return nil, status.Error(codes.NotFound, "zone not found")
+	}
+	if err != nil {
+		return nil, status.Error(codes.Internal, "failed to get zone")
+	}
+	return zoneToProto(*zone), nil
+}
+
+func (s *zoneService) CreateZone(_ context.Context, req *pb.CreateZoneRequest) (*pb.Zone, error) {
+	refresh := int(req.Refresh)
+	if refresh == 0 {
+		refresh = 3600
+	}
+	retry := int(req.Retry)
+	if retry == 0 {
+		retry = 600
+	}
+	expire := int(req.Expire)
+	if expire == 0 {
+		expire = 86400
+	}
+	minTTL := int(req.MinimumTtl)
+	if minTTL == 0 {
+		minTTL = 300
+	}
+
+	zone, err := s.db.CreateZone(req.Name, req.PrimaryNs, req.AdminEmail, refresh, retry, expire, minTTL)
+	if errors.Is(err, db.ErrConflict) {
+		return nil, status.Error(codes.AlreadyExists, err.Error())
+	}
+	if err != nil {
+		return nil, status.Error(codes.Internal, "failed to create zone")
+	}
+	return zoneToProto(*zone), nil
+}
+
+func (s *zoneService) UpdateZone(_ context.Context, req *pb.UpdateZoneRequest) (*pb.Zone, error) {
+	refresh := int(req.Refresh)
+	if refresh == 0 {
+		refresh = 3600
+	}
+	retry := int(req.Retry)
+	if retry == 0 {
+		retry = 600
+	}
+	expire := int(req.Expire)
+	if expire == 0 {
+		expire = 86400
+	}
+	minTTL := int(req.MinimumTtl)
+	if minTTL == 0 {
+		minTTL = 300
+	}
+
+	zone, err := s.db.UpdateZone(req.Name, req.PrimaryNs, req.AdminEmail, refresh, retry, expire, minTTL)
+	if errors.Is(err, db.ErrNotFound) {
+		return nil, status.Error(codes.NotFound, "zone not found")
+	}
+	if err != nil {
+		return nil, status.Error(codes.Internal, "failed to update zone")
+	}
+	return zoneToProto(*zone), nil
+}
+
+func (s *zoneService) DeleteZone(_ context.Context, req *pb.DeleteZoneRequest) (*pb.DeleteZoneResponse, error) {
+	err := s.db.DeleteZone(req.Name)
+	if errors.Is(err, db.ErrNotFound) {
+		return nil, status.Error(codes.NotFound, "zone not found")
+	}
+	if err != nil {
+		return nil, status.Error(codes.Internal, "failed to delete zone")
+	}
+	return &pb.DeleteZoneResponse{}, nil
+}
+
+func zoneToProto(z db.Zone) *pb.Zone {
+	return &pb.Zone{
+		Id:         z.ID,
+		Name:       z.Name,
+		PrimaryNs:  z.PrimaryNS,
+		AdminEmail: z.AdminEmail,
+		Refresh:    int32(z.Refresh),
+		Retry:      int32(z.Retry),
+		Expire:     int32(z.Expire),
+		MinimumTtl: int32(z.MinimumTTL),
+		Serial:     z.Serial,
+		CreatedAt:  parseTimestamp(z.CreatedAt),
+		UpdatedAt:  parseTimestamp(z.UpdatedAt),
+	}
+}
+
+func parseTimestamp(s string) *timestamppb.Timestamp {
+	// SQLite stores as "2006-01-02T15:04:05Z".
+	t, err := parseTime(s)
+	if err != nil {
+		return nil
+	}
+	return timestamppb.New(t)
+}