Implement MCNS v1: custom Go DNS server replacing CoreDNS

Replace the CoreDNS precursor with a purpose-built authoritative DNS
server. Zones and records (A, AAAA, CNAME) are stored in SQLite and
managed via synchronized gRPC + REST APIs authenticated through MCIAS.
Non-authoritative queries are forwarded to upstream resolvers with
in-memory caching.

Key components:
- DNS server (miekg/dns) with authoritative zone handling and forwarding
- gRPC + REST management APIs with MCIAS auth (mcdsl integration)
- SQLite storage with CNAME exclusivity enforcement and auto SOA serials
- 30 tests covering database CRUD, DNS resolution, and caching

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/server/auth.go

@@ -0,0 +1,62 @@
+package server
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
+)
+
+type loginRequest struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+	TOTPCode string `json:"totp_code"`
+}
+
+type loginResponse struct {
+	Token string `json:"token"`
+}
+
+func loginHandler(auth *mcdslauth.Authenticator) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req loginRequest
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			writeError(w, http.StatusBadRequest, "invalid request body")
+			return
+		}
+
+		token, _, err := auth.Login(req.Username, req.Password, req.TOTPCode)
+		if err != nil {
+			if errors.Is(err, mcdslauth.ErrInvalidCredentials) {
+				writeError(w, http.StatusUnauthorized, "invalid credentials")
+				return
+			}
+			if errors.Is(err, mcdslauth.ErrForbidden) {
+				writeError(w, http.StatusForbidden, "access denied by login policy")
+				return
+			}
+			writeError(w, http.StatusServiceUnavailable, "authentication service unavailable")
+			return
+		}
+
+		writeJSON(w, http.StatusOK, loginResponse{Token: token})
+	}
+}
+
+func logoutHandler(auth *mcdslauth.Authenticator) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		token := extractBearerToken(r)
+		if token == "" {
+			writeError(w, http.StatusUnauthorized, "authentication required")
+			return
+		}
+
+		if err := auth.Logout(token); err != nil {
+			writeError(w, http.StatusInternalServerError, "logout failed")
+			return
+		}
+
+		w.WriteHeader(http.StatusNoContent)
+	}
+}

internal/server/middleware.go

@@ -0,0 +1,96 @@
+package server
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+	"strings"
+	"time"
+
+	mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
+)
+
+type contextKey string
+
+const tokenInfoKey contextKey = "tokenInfo"
+
+// requireAuth returns middleware that validates Bearer tokens via MCIAS.
+func requireAuth(auth *mcdslauth.Authenticator) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			token := extractBearerToken(r)
+			if token == "" {
+				writeError(w, http.StatusUnauthorized, "authentication required")
+				return
+			}
+
+			info, err := auth.ValidateToken(token)
+			if err != nil {
+				writeError(w, http.StatusUnauthorized, "invalid or expired token")
+				return
+			}
+
+			ctx := context.WithValue(r.Context(), tokenInfoKey, info)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
+// requireAdmin is middleware that checks the caller has the admin role.
+func requireAdmin(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		info := tokenInfoFromContext(r.Context())
+		if info == nil || !info.IsAdmin {
+			writeError(w, http.StatusForbidden, "admin role required")
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+// tokenInfoFromContext extracts the TokenInfo from the request context.
+func tokenInfoFromContext(ctx context.Context) *mcdslauth.TokenInfo {
+	info, _ := ctx.Value(tokenInfoKey).(*mcdslauth.TokenInfo)
+	return info
+}
+
+// extractBearerToken extracts a bearer token from the Authorization header.
+func extractBearerToken(r *http.Request) string {
+	h := r.Header.Get("Authorization")
+	if h == "" {
+		return ""
+	}
+	const prefix = "Bearer "
+	if !strings.HasPrefix(h, prefix) {
+		return ""
+	}
+	return strings.TrimSpace(h[len(prefix):])
+}
+
+// loggingMiddleware logs HTTP requests.
+func loggingMiddleware(logger *slog.Logger) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			start := time.Now()
+			sw := &statusWriter{ResponseWriter: w, status: http.StatusOK}
+			next.ServeHTTP(sw, r)
+			logger.Info("http",
+				"method", r.Method,
+				"path", r.URL.Path,
+				"status", sw.status,
+				"duration", time.Since(start),
+				"remote", r.RemoteAddr,
+			)
+		})
+	}
+}
+
+type statusWriter struct {
+	http.ResponseWriter
+	status int
+}
+
+func (w *statusWriter) WriteHeader(code int) {
+	w.status = code
+	w.ResponseWriter.WriteHeader(code)
+}

internal/server/records.go

@@ -0,0 +1,174 @@
+package server
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+	"strconv"
+
+	"github.com/go-chi/chi/v5"
+
+	"git.wntrmute.dev/kyle/mcns/internal/db"
+)
+
+type createRecordRequest struct {
+	Name  string `json:"name"`
+	Type  string `json:"type"`
+	Value string `json:"value"`
+	TTL   int    `json:"ttl"`
+}
+
+func listRecordsHandler(database *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		zoneName := chi.URLParam(r, "zone")
+		nameFilter := r.URL.Query().Get("name")
+		typeFilter := r.URL.Query().Get("type")
+
+		records, err := database.ListRecords(zoneName, nameFilter, typeFilter)
+		if errors.Is(err, db.ErrNotFound) {
+			writeError(w, http.StatusNotFound, "zone not found")
+			return
+		}
+		if err != nil {
+			writeError(w, http.StatusInternalServerError, "failed to list records")
+			return
+		}
+		if records == nil {
+			records = []db.Record{}
+		}
+		writeJSON(w, http.StatusOK, map[string]any{"records": records})
+	}
+}
+
+func getRecordHandler(database *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		idStr := chi.URLParam(r, "id")
+		id, err := strconv.ParseInt(idStr, 10, 64)
+		if err != nil {
+			writeError(w, http.StatusBadRequest, "invalid record ID")
+			return
+		}
+
+		record, err := database.GetRecord(id)
+		if errors.Is(err, db.ErrNotFound) {
+			writeError(w, http.StatusNotFound, "record not found")
+			return
+		}
+		if err != nil {
+			writeError(w, http.StatusInternalServerError, "failed to get record")
+			return
+		}
+
+		writeJSON(w, http.StatusOK, record)
+	}
+}
+
+func createRecordHandler(database *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		zoneName := chi.URLParam(r, "zone")
+
+		var req createRecordRequest
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			writeError(w, http.StatusBadRequest, "invalid request body")
+			return
+		}
+
+		if req.Name == "" {
+			writeError(w, http.StatusBadRequest, "name is required")
+			return
+		}
+		if req.Type == "" {
+			writeError(w, http.StatusBadRequest, "type is required")
+			return
+		}
+		if req.Value == "" {
+			writeError(w, http.StatusBadRequest, "value is required")
+			return
+		}
+
+		record, err := database.CreateRecord(zoneName, req.Name, req.Type, req.Value, req.TTL)
+		if errors.Is(err, db.ErrNotFound) {
+			writeError(w, http.StatusNotFound, "zone not found")
+			return
+		}
+		if errors.Is(err, db.ErrConflict) {
+			writeError(w, http.StatusConflict, err.Error())
+			return
+		}
+		if err != nil {
+			writeError(w, http.StatusBadRequest, err.Error())
+			return
+		}
+
+		writeJSON(w, http.StatusCreated, record)
+	}
+}
+
+func updateRecordHandler(database *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		idStr := chi.URLParam(r, "id")
+		id, err := strconv.ParseInt(idStr, 10, 64)
+		if err != nil {
+			writeError(w, http.StatusBadRequest, "invalid record ID")
+			return
+		}
+
+		var req createRecordRequest
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			writeError(w, http.StatusBadRequest, "invalid request body")
+			return
+		}
+
+		if req.Name == "" {
+			writeError(w, http.StatusBadRequest, "name is required")
+			return
+		}
+		if req.Type == "" {
+			writeError(w, http.StatusBadRequest, "type is required")
+			return
+		}
+		if req.Value == "" {
+			writeError(w, http.StatusBadRequest, "value is required")
+			return
+		}
+
+		record, err := database.UpdateRecord(id, req.Name, req.Type, req.Value, req.TTL)
+		if errors.Is(err, db.ErrNotFound) {
+			writeError(w, http.StatusNotFound, "record not found")
+			return
+		}
+		if errors.Is(err, db.ErrConflict) {
+			writeError(w, http.StatusConflict, err.Error())
+			return
+		}
+		if err != nil {
+			writeError(w, http.StatusBadRequest, err.Error())
+			return
+		}
+
+		writeJSON(w, http.StatusOK, record)
+	}
+}
+
+func deleteRecordHandler(database *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		idStr := chi.URLParam(r, "id")
+		id, err := strconv.ParseInt(idStr, 10, 64)
+		if err != nil {
+			writeError(w, http.StatusBadRequest, "invalid record ID")
+			return
+		}
+
+		err = database.DeleteRecord(id)
+		if errors.Is(err, db.ErrNotFound) {
+			writeError(w, http.StatusNotFound, "record not found")
+			return
+		}
+		if err != nil {
+			writeError(w, http.StatusInternalServerError, "failed to delete record")
+			return
+		}
+
+		w.WriteHeader(http.StatusNoContent)
+	}
+}

internal/server/routes.go

@@ -0,0 +1,71 @@
+package server
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+
+	"github.com/go-chi/chi/v5"
+
+	mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
+	"git.wntrmute.dev/kyle/mcdsl/health"
+
+	"git.wntrmute.dev/kyle/mcns/internal/db"
+)
+
+// Deps holds dependencies injected into the REST handlers.
+type Deps struct {
+	DB     *db.DB
+	Auth   *mcdslauth.Authenticator
+	Logger *slog.Logger
+}
+
+// NewRouter builds the chi router with all MCNS REST endpoints.
+func NewRouter(deps Deps) *chi.Mux {
+	r := chi.NewRouter()
+	r.Use(loggingMiddleware(deps.Logger))
+
+	// Public endpoints.
+	r.Post("/v1/auth/login", loginHandler(deps.Auth))
+	r.Get("/v1/health", health.Handler(deps.DB.DB))
+
+	// Authenticated endpoints.
+	r.Group(func(r chi.Router) {
+		r.Use(requireAuth(deps.Auth))
+
+		r.Post("/v1/auth/logout", logoutHandler(deps.Auth))
+
+		// Zone endpoints — reads for all authenticated users, writes for admin.
+		r.Get("/v1/zones", listZonesHandler(deps.DB))
+		r.Get("/v1/zones/{zone}", getZoneHandler(deps.DB))
+
+		// Admin-only zone mutations.
+		r.With(requireAdmin).Post("/v1/zones", createZoneHandler(deps.DB))
+		r.With(requireAdmin).Put("/v1/zones/{zone}", updateZoneHandler(deps.DB))
+		r.With(requireAdmin).Delete("/v1/zones/{zone}", deleteZoneHandler(deps.DB))
+
+		// Record endpoints — reads for all authenticated users, writes for admin.
+		r.Get("/v1/zones/{zone}/records", listRecordsHandler(deps.DB))
+		r.Get("/v1/zones/{zone}/records/{id}", getRecordHandler(deps.DB))
+
+		// Admin-only record mutations.
+		r.With(requireAdmin).Post("/v1/zones/{zone}/records", createRecordHandler(deps.DB))
+		r.With(requireAdmin).Put("/v1/zones/{zone}/records/{id}", updateRecordHandler(deps.DB))
+		r.With(requireAdmin).Delete("/v1/zones/{zone}/records/{id}", deleteRecordHandler(deps.DB))
+	})
+
+	return r
+}
+
+// writeJSON writes a JSON response with the given status code.
+func writeJSON(w http.ResponseWriter, status int, v any) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	_ = json.NewEncoder(w).Encode(v)
+}
+
+// writeError writes a standard error response.
+func writeError(w http.ResponseWriter, status int, message string) {
+	writeJSON(w, status, map[string]string{"error": message})
+}
+

internal/server/zones.go

@@ -0,0 +1,163 @@
+package server
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	"github.com/go-chi/chi/v5"
+
+	"git.wntrmute.dev/kyle/mcns/internal/db"
+)
+
+type createZoneRequest struct {
+	Name       string `json:"name"`
+	PrimaryNS  string `json:"primary_ns"`
+	AdminEmail string `json:"admin_email"`
+	Refresh    int    `json:"refresh"`
+	Retry      int    `json:"retry"`
+	Expire     int    `json:"expire"`
+	MinimumTTL int    `json:"minimum_ttl"`
+}
+
+func listZonesHandler(database *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, _ *http.Request) {
+		zones, err := database.ListZones()
+		if err != nil {
+			writeError(w, http.StatusInternalServerError, "failed to list zones")
+			return
+		}
+		if zones == nil {
+			zones = []db.Zone{}
+		}
+		writeJSON(w, http.StatusOK, map[string]any{"zones": zones})
+	}
+}
+
+func getZoneHandler(database *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		name := chi.URLParam(r, "zone")
+		zone, err := database.GetZone(name)
+		if errors.Is(err, db.ErrNotFound) {
+			writeError(w, http.StatusNotFound, "zone not found")
+			return
+		}
+		if err != nil {
+			writeError(w, http.StatusInternalServerError, "failed to get zone")
+			return
+		}
+		writeJSON(w, http.StatusOK, zone)
+	}
+}
+
+func createZoneHandler(database *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req createZoneRequest
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			writeError(w, http.StatusBadRequest, "invalid request body")
+			return
+		}
+
+		if req.Name == "" {
+			writeError(w, http.StatusBadRequest, "name is required")
+			return
+		}
+		if req.PrimaryNS == "" {
+			writeError(w, http.StatusBadRequest, "primary_ns is required")
+			return
+		}
+		if req.AdminEmail == "" {
+			writeError(w, http.StatusBadRequest, "admin_email is required")
+			return
+		}
+
+		// Apply defaults for SOA params.
+		if req.Refresh == 0 {
+			req.Refresh = 3600
+		}
+		if req.Retry == 0 {
+			req.Retry = 600
+		}
+		if req.Expire == 0 {
+			req.Expire = 86400
+		}
+		if req.MinimumTTL == 0 {
+			req.MinimumTTL = 300
+		}
+
+		zone, err := database.CreateZone(req.Name, req.PrimaryNS, req.AdminEmail, req.Refresh, req.Retry, req.Expire, req.MinimumTTL)
+		if errors.Is(err, db.ErrConflict) {
+			writeError(w, http.StatusConflict, err.Error())
+			return
+		}
+		if err != nil {
+			writeError(w, http.StatusInternalServerError, "failed to create zone")
+			return
+		}
+
+		writeJSON(w, http.StatusCreated, zone)
+	}
+}
+
+func updateZoneHandler(database *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		name := chi.URLParam(r, "zone")
+
+		var req createZoneRequest
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			writeError(w, http.StatusBadRequest, "invalid request body")
+			return
+		}
+
+		if req.PrimaryNS == "" {
+			writeError(w, http.StatusBadRequest, "primary_ns is required")
+			return
+		}
+		if req.AdminEmail == "" {
+			writeError(w, http.StatusBadRequest, "admin_email is required")
+			return
+		}
+		if req.Refresh == 0 {
+			req.Refresh = 3600
+		}
+		if req.Retry == 0 {
+			req.Retry = 600
+		}
+		if req.Expire == 0 {
+			req.Expire = 86400
+		}
+		if req.MinimumTTL == 0 {
+			req.MinimumTTL = 300
+		}
+
+		zone, err := database.UpdateZone(name, req.PrimaryNS, req.AdminEmail, req.Refresh, req.Retry, req.Expire, req.MinimumTTL)
+		if errors.Is(err, db.ErrNotFound) {
+			writeError(w, http.StatusNotFound, "zone not found")
+			return
+		}
+		if err != nil {
+			writeError(w, http.StatusInternalServerError, "failed to update zone")
+			return
+		}
+
+		writeJSON(w, http.StatusOK, zone)
+	}
+}
+
+func deleteZoneHandler(database *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		name := chi.URLParam(r, "zone")
+
+		err := database.DeleteZone(name)
+		if errors.Is(err, db.ErrNotFound) {
+			writeError(w, http.StatusNotFound, "zone not found")
+			return
+		}
+		if err != nil {
+			writeError(w, http.StatusInternalServerError, "failed to delete zone")
+			return
+		}
+
+		w.WriteHeader(http.StatusNoContent)
+	}
+}