release: 3.1.1

- explicitly use webrick gem version with patch against CVE-2020-25613
- https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
- webrick versions bundled with ruby are vulnerable at this point

.editorconfig

@@ -0,0 +1,9 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

.github/workflows/cd.yml

@@ -0,0 +1,26 @@
+---
+name: cd
+
+on:
+  push:
+    tags:
+    - 'v*.*.*'
+
+jobs:
+  release-dockerimage:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Extract dyndnsd version from tag name
+      run: |
+        echo ::set-env name=DYNDNSD_VERSION::${GITHUB_REF#refs/*/v}
+    # https://github.com/marketplace/actions/build-and-push-docker-images
+    - name: Build and push Docker image for dyndnsd ${{ env.DYNDNSD_VERSION }}
+      uses: docker/build-push-action@v1
+      with:
+        username: cmur2
+        password: ${{ secrets.DOCKER_TOKEN }}
+        repository: cmur2/dyndnsd
+        path: docker
+        build_args: DYNDNSD_VERSION=${{ env.DYNDNSD_VERSION }}
+        tag_with_ref: true

.github/workflows/vulnscan.yml

@@ -0,0 +1,46 @@
+---
+name: vulnscan
+
+on:
+  schedule:
+  - cron: '7 4 * * 4'  # weekly on thursday morning
+  workflow_dispatch:
+
+jobs:
+  scan-released-dockerimages:
+    runs-on: ubuntu-latest
+    env:
+      TRIVY_LIGHT: 'true'
+      TRIVY_IGNORE_UNFIXED: 'true'
+      TRIVY_REMOVED_PKGS: 'true'
+    steps:
+    - name: Install Trivy
+      run: |
+        mkdir -p $GITHUB_WORKSPACE/bin
+        echo "::add-path::$GITHUB_WORKSPACE/bin"
+        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b $GITHUB_WORKSPACE/bin
+    - name: Download Trivy DB
+      run: |
+        trivy image --download-db-only
+    - name: Scan vulnerabilities using Trivy
+      env:
+        TRIVY_SKIP_DIRS: '/usr/lib/ruby/gems/2.7.0/gems/jaeger-client-0.10.0/crossdock,/usr/lib/ruby/gems/2.7.0/gems/jaeger-client-1.0.0/crossdock'
+      run: |
+        trivy --version
+
+        # semver sorting as per https://stackoverflow.com/a/40391207/2148786
+        ALL_IMAGES="$(curl -s https://hub.docker.com/v2/repositories/cmur2/dyndnsd/tags?page_size=1000 | jq -r '.results[].name | "cmur2/dyndnsd:" + .' | grep -e 'cmur2/dyndnsd:v' | sed '/-/!{s/$/_/}' | sort -r -V | sed 's/_$//')"
+        EXIT_CODE=0
+        set -e
+        for major_version in $(seq 1 10); do
+          for image in $ALL_IMAGES; do
+            if [[ "$image" = cmur2/dyndnsd:v$major_version.* ]]; then
+              echo -e "\nScanning newest patch release $image of major v$major_version...\n"
+              if ! trivy image --skip-update --exit-code 1 "$image"; then
+                EXIT_CODE=1
+              fi
+              break
+            fi
+          done
+        done
+        exit "$EXIT_CODE"

.gitignore

@@ -1,3 +1,4 @@
 .DS_Store
 *.lock
 pkg/*
+.yardoc

.rubocop.yml

@@ -0,0 +1,88 @@
+AllCops:
+  TargetRubyVersion: '2.5'
+  NewCops: enable
+
+Layout/EmptyLineAfterGuardClause:
+  Enabled: false
+
+# allows nicer usage of private_class_method
+Layout/EmptyLinesAroundArguments:
+  Enabled: false
+
+Layout/HashAlignment:
+  Enabled: false
+
+Layout/LeadingEmptyLines:
+  Enabled: false
+
+Layout/LineLength:
+  Max: 200
+
+Layout/SpaceInsideHashLiteralBraces:
+  Enabled: false
+
+Metrics/AbcSize:
+  Enabled: false
+
+Metrics/BlockLength:
+  Enabled: false
+
+Metrics/ClassLength:
+  Enabled: false
+
+Metrics/CyclomaticComplexity:
+  Enabled: false
+
+Metrics/MethodLength:
+  Enabled: false
+
+Metrics/PerceivedComplexity:
+  Enabled: false
+
+Naming/MethodParameterName:
+  Enabled: false
+
+Naming/MemoizedInstanceVariableName:
+  Enabled: false
+
+Style/ConditionalAssignment:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/FormatStringToken:
+  Enabled: false
+
+Style/GuardClause:
+  Enabled: false
+
+Style/HashEachMethods:
+  Enabled: true
+
+Style/HashTransformKeys:
+  Enabled: true
+
+Style/HashTransformValues:
+  Enabled: true
+
+Style/IdenticalConditionalBranches:
+  Enabled: false
+
+Style/IfUnlessModifier:
+  Enabled: false
+
+Style/InverseMethods:
+  Enabled: false
+
+Style/NegatedIf:
+  Enabled: false
+
+Style/RescueModifier:
+  Enabled: false
+
+Style/SymbolArray:
+  Enabled: false
+
+Style/TrailingCommaInArrayLiteral:
+  Enabled: false

.solargraph.yml

@@ -0,0 +1,16 @@
+---
+include:
+- "**/*.rb"
+- "bin/dyndnsd"
+exclude:
+- spec/**/*
+- test/**/*
+- vendor/**/*
+- ".bundle/**/*"
+require: []
+domains: []
+reporters:
+- rubocop
+- require_not_found
+require_paths: []
+max_files: 5000

.travis.yml

@@ -1,9 +1,13 @@
+---
+os: linux
 language: ruby
-
 rvm:
-  - 2.0.0
-  - 1.9.3
-  - 1.8.7
+- 2.7
+- 2.6
+- 2.5
 
-gemfile:
-  - Gemfile
+services:
+- docker
+
+script:
+- bundle exec rake travis

CHANGELOG.md

@@ -0,0 +1,131 @@
+# Changelog
+
+## 3.1.1 (october 3, 2020)
+
+IMPROVEMENTS:
+
+- Use webrick gem which contains fixes against [CVE-2020-25613](https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/)
+
+## 3.1.0 (August 19, 2020)
+
+IMPROVEMENTS:
+
+- Add officially maintained [Docker image for dyndnsd](https://hub.docker.com/r/cmur2/dyndnsd)
+
+## 3.0.0 (July 29, 2020)
+
+IMPROVEMENTS:
+
+- Drop EOL Ruby 2.4 and lower support, now minimum version supported is Ruby 2.5
+
+## 2.3.1 (July 27, 2020)
+
+IMPROVEMENTS:
+
+- Fix annoying error message `log writing failed. can't be called from trap context` on shutdown by not attempting to log redundant information there
+
+## 2.3.0 (July 20, 2020)
+
+IMPROVEMENTS:
+
+- Allow enabling debug logging
+- Add updater that uses [DNS zone transfers via AXFR (RFC5936)](https://tools.ietf.org/html/rfc5936) to allow any secondary nameserver(s) to fetch the zone contents after (optionally) receiving a [DNS NOTIFY (RFC1996)](https://tools.ietf.org/html/rfc1996) request
+
+## 2.2.0 (March 6, 2020)
+
+IMPROVEMENTS:
+
+- Refactor gemspec based on [recommendations](https://piotrmurach.com/articles/writing-a-ruby-gem-specification/) so tests are now excluded from gem and binaries move to `./exe` directory
+- Adopt Ruby 2.3 frozen string literals for source code potentially reducing memory consumption
+
+## 2.1.1 (March 1, 2020)
+
+IMPROVEMENTS:
+
+- Fix potential `nil` cases detected by [Sorbet](https://sorbet.org) including refactorings
+
+## 2.1.0 (March 1, 2020)
+
+IMPROVEMENTS:
+
+- Add Ruby 2.7 support
+- Add [solargraph](https://github.com/castwide/solargraph) to dev tooling as Ruby Language Server usable e.g. for IDEs (used solargraph version not compatible with Ruby 2.7 as bundler-audit 0.6.x requires old `thor` gem)
+- Document code using YARD tags, e.g. for type information and better code completion
+
+## 2.0.0 (January 25, 2019)
+
+IMPROVEMENTS:
+
+- Drop Ruby 2.2 and lower support
+- Better protocol compliance by returning `badauth` in response body on HTTP 401 errors
+- Better code maintainability by refactorings
+- Update dependencies, mainly `rack` to new major version 2
+- Add Ruby 2.5 and Ruby 2.6 support
+- Add experimental [OpenTracing](https://opentracing.io/) support with [CNCF Jaeger](https://github.com/jaegertracing/jaeger)
+- Support host offlining by deleting the associated DNS records
+- Add textfile reporter to write Graphite-style metrics (also compatible with [Prometheus](https://prometheus.io/)) into a file
+
+## 1.6.1 (October 31, 2017)
+
+IMPROVEMENTS:
+
+- Fix broken password check affecting all previous releases
+
+## 1.6.0 (December 7, 2016)
+
+IMPROVEMENTS:
+
+- Support providing an IPv6 address in addition to a IPv4 for the same hostname
+
+## 1.5.0 (November 30, 2016)
+
+IMPROVEMENTS:
+
+- Drop Ruby 1.8.7 support
+- Pin `json` gem to allow supporting Ruby 1.9.3
+- Support determining effective client IP address also from `X-Real-IP` header
+
+## 1.4.0 (November 27, 2016)
+
+IMPROVEMENTS:
+
+- Pin `rack` gem to allow supporting Ruby versions < 2.2.2
+- Support IPv6 addresses
+
+## 1.3.0 (October 8, 2013)
+
+IMPROVEMENTS:
+
+- Handle `SIGTERM` \*nix signal properly and shutdown the daemon
+
+## 1.2.2 (June 8, 2013)
+
+IMPROVEMENTS:
+
+- Add proper logging to the provided init script for dyndnsd.rb
+
+## 1.2.1 (June 5, 2013)
+
+IMPROVEMENTS:
+
+- Fix bug in previous release related to metrics preventing startup
+
+## 1.2.0 (May 29, 2013)
+
+IMPROVEMENTS:
+
+- Support sending metrics to graphite via undocumented `graphite:` section in configuration file
+
+## 1.1.0 (April 30, 2013)
+
+IMPROVEMENTS:
+
+- Support dropping priviliges on startup, also affects external commands run
+- Add [metriks](https://github.com/eric/metriks) support for basic metrics in the process title
+- Detach from child processes running external commands to avoid zombie processes
+
+## 1.0.0 (April 28, 2013)
+
+NEW FEATURES:
+
+- Initial 1.0 release

Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 gemspec

README.md

@@ -1,14 +1,22 @@
 # dyndnsd.rb
 
-[![Build Status](https://travis-ci.org/cmur2/dyndnsd.png)](https://travis-ci.org/cmur2/dyndnsd)
+[![Build Status](https://travis-ci.org/cmur2/dyndnsd.svg?branch=master)](https://travis-ci.org/cmur2/dyndnsd) [![Dependencies](https://badges.depfu.com/badges/4f25da8493f7a29f652ac892fbf9227b/overview.svg)](https://depfu.com/github/cmur2/dyndnsd)
 
 A small, lightweight and extensible DynDNS server written with Ruby and Rack.
 
+
 ## Description
 
-dyndnsd.rb is aimed to implement a small [DynDNS-compliant](http://dyn.com/support/developers/api/) server in Ruby. It has an integrated user and hostname database in it's configuration file that is used for authentication and authorization. Besides talking the DynDNS protocol it is able to invoke an so-called *updater*, a small Ruby module that takes care of supplying the current host => ip mapping to a DNS server.
+dyndnsd.rb aims to implement a small [DynDNS-compliant](https://help.dyn.com/remote-access-api/) server in Ruby supporting IPv4 and IPv6 addresses. It has an integrated user and hostname database in its configuration file that is used for authentication and authorization. Besides talking the DynDNS protocol it is able to invoke a so-called *updater*, a small Ruby module that takes care of supplying the current hostname => ip mapping to a DNS server.
+
+There are currently two updaters shipped with dyndnsd.rb:
+- `zone_transfer_server` that uses [DNS zone transfers via AXFR (RFC5936)](https://tools.ietf.org/html/rfc5936) to allow any secondary nameserver(s) to fetch the zone contents after (optionally) receiving a [DNS NOTIFY (RFC1996)](https://tools.ietf.org/html/rfc1996) request
+- `command_with_bind_zone` that writes out a zone file in BIND syntax onto the current system and invokes a user-supplied command afterwards that is assumed to trigger the DNS server (not necessarily BIND since its zone files are read by other DNS servers, too) to reload its zone configuration
+
+Because of the mechanisms used, dyndnsd.rb is known to work only on \*nix systems.
+
+See the [changelog](CHANGELOG.md) before upgrading. The older version 1.x of dyndnsd.rb is still available on [branch dyndnsd-1.x](https://github.com/cmur2/dyndnsd/tree/dyndnsd-1.x).
 
-The is currently one updater shipped with dyndnsd.rb `command_with_bind_zone` that writes out a zone file in BIND syntax onto the current system and invokes a user-supplied command afterwards that is assumed to trigger the DNS server (not necessarily BIND since it's zone files are read by other DNS servers too) to reload it's zone configuration.
 
 ## General Usage
 
@@ -16,18 +24,21 @@ Install the gem:
 
 	gem install dyndnsd
 
-(Optionally install the `json` gem too if you're on Ruby 1.8.)
-
 Create a configuration file in YAML format somewhere:
 
 ```yaml
 # listen address and port
 host: "0.0.0.0"
-port: "80"
-# logfile is optional, logs to STDOUT else
+port: 80
+# optional: drop privileges in case you want to but you may need sudo for external commands
+user: "nobody"
+group: "nogroup"
+# logfile is optional, logs to STDOUT otherwise
 logfile: "dyndnsd.log"
-# interal database file
+# internal database file
 db: "db.json"
+# enable debug mode?
+debug: false
 # all hostnames are required to be cool-name.example.org
 domain: "example.org"
 # configure the updater, here we use command_with_bind_zone, params are updater-specific
@@ -53,17 +64,98 @@ users:
 
 Run dyndnsd.rb by:
 
-	dyndnsd /path/to/config.yaml
+```bash
+dyndnsd /path/to/config.yml
+```
 
-## Using dyndnsd.rb with [NSD](https://www.nlnetlabs.nl/nsd/)
 
-NSD is a nice opensource, authoritative-only, low-memory DNS server that reads BIND-style zone files (and converts them into it's own database) and has a simple config file.
+### Docker image
 
-A feature NSD is lacking is the [Dynamic DNS update](https://tools.ietf.org/html/rfc2136) functionality BIND offers but one can fake it using the following dyndnsd.rb config:
+There is an officially maintained [Docker image for dyndnsd](https://hub.docker.com/r/cmur2/dyndnsd) available at Dockerhub. The goal is to have a minimal secured image available (currently based on Alpine) that works well for the `zone_transfer_server` updater use case.
+
+Users can make extensions by deriving from the official Docker image or building their own.
+
+The Docker image consumes the same configuration file in YAML format as the gem, inside the container it needs to be mounted/available as `/etc/dyndnsd/config.yml`. the following YAML should be used as a base and extended with user's settings:
 
 ```yaml
 host: "0.0.0.0"
-port: "8245" # the DynDNS.com alternative HTTP port
+port: 8080
+# omit the logfile: option so logging to STDOUT will happen automatically
+db: "/var/lib/dyndnsd/db.json"
+
+# User's settings for updater and permissions follow here!
+```
+
+more ports might be needed depending on if DNS zone transfer is needed
+
+Run the Docker image exposing the DynDNS-API on host port 8080 via:
+
+```bash
+docker run -d --name dyndnsd \
+           -p 8080:8080 \
+           -v /host/path/to/dyndnsd/config.yml:/etc/dyndnsd/config.yml \
+           -v /host/ptherpath/to/dyndnsd/datadir:/var/lib/dyndnsd \
+           cmur2/dyndnsd:vX.Y.Z
+```
+
+*Note*: You may need to expose more then just port 8080 e.g. if you use the `zone_transfer_server` which can be done by appending additional `-p 5353:5353` flags to the `docker run` command.
+
+
+
+## Using dyndnsd.rb with any nameserver via DNS zone transfers (AXFR)
+
+By using [DNS zone transfers via AXFR (RFC5936)](https://tools.ietf.org/html/rfc5936) any secondary nameserver can retrieve the DNS zone contents from dyndnsd.rb and serve them to clients.
+To speedup propagation after changes dyndnsd.rb can issue a [DNS NOTIFY (RFC1996)](https://tools.ietf.org/html/rfc1996) to inform the nameserver that the DNS zone contents changed and should be fetched even before the time indicated in the SOA record is up.
+Currently dyndnsd.rb does not support any authentication for incoming DNS zone transfer requests so it should be isolated from the internet on these ports.
+
+This approach has several advantages:
+- dyndnsd.rb can be used in *hidden primary* fashion isolated from client's DNS traffic and does not need to implement full nameserver features
+- any existing, production-grade, caching, geo-replicated nameserver setup can be used to pull DNS zone contents from the *hidden primary* dyndnsd.rb and serve it to clients
+- any nameserver(s) and dyndnsd.rb do not need to be located on the same host
+
+Example dyndnsd.rb configuration:
+
+```yaml
+host: "0.0.0.0"
+port: 8245 # the DynDNS.com alternative HTTP port
+db: "/opt/dyndnsd/db.json"
+domain: "dyn.example.org"
+updater:
+  name: "zone_transfer_server"
+  params:
+    # endpoint(s) to listen for incoming zone transfer (AXFR) requests, default 0.0.0.0@53
+    server_listens:
+    - 127.0.0.1@5300
+    # where to send DNS NOTIFY request(s) to on zone content change
+    send_notifies:
+    - '127.0.0.1'
+    # TTL for all records in the zone (in seconds)
+    zone_ttl: 300  # 5m
+    # zone's NS record(s) (at least one)
+    zone_nameservers:
+    - "dns.example.org."
+    # info for zone's SOA record
+    zone_email_address: "admin.example.org."
+    # zone's additional A/AAAA records
+    zone_additional_ips:
+    - "127.0.0.1"
+users:
+  foo:
+    password: "secret"
+    hosts:
+      - foo.example.org
+```
+
+
+## Using dyndnsd.rb with [NSD](https://www.nlnetlabs.nl/projects/nsd/about/)
+
+NSD is a nice, open source, authoritative-only, low-memory DNS server that reads BIND-style zone files (and converts them into its own database) and has a simple configuration file.
+
+A feature NSD is lacking is the [Dynamic DNS update (RFC2136)](https://tools.ietf.org/html/rfc2136) functionality BIND offers but one can fake it using the following dyndnsd.rb configuration:
+
+```yaml
+host: "0.0.0.0"
+port: 8245 # the DynDNS.com alternative HTTP port
 db: "/opt/dyndnsd/db.json"
 domain: "dyn.example.org"
 updater:
@@ -88,17 +180,20 @@ users:
 
 Start dyndnsd.rb before NSD to make sure the zone file exists else NSD complains.
 
+
 ## Using dyndnsd.rb with X
 
 Please provide ideas if you are using dyndnsd.rb with other DNS servers :)
 
+
 ## Advanced topics
 
+
 ### Update URL
 
 The update URL you want to tell your clients (humans or scripts ^^) consists of the following
 
-	http[s]://[USER]:[PASSWORD]@[DOMAIN]:[PORT]/nic/update?hostname=[HOSTNAMES]&myip=[MYIP]
+	http[s]://[USER]:[PASSWORD]@[DOMAIN]:[PORT]/nic/update?hostname=[HOSTNAMES]&myip=[MYIP]&myip6=[MYIP6]
 
 where:
 
@@ -106,16 +201,113 @@ where:
 * USER and PASSWORD are needed for HTTP Basic Auth and valid combinations are defined in your config.yaml
 * DOMAIN should match what you defined in your config.yaml as domain but may be anything else when using a webserver as proxy
 * PORT depends on your (webserver/proxy) settings
-* HOSTNAMES is a required list of comma separated FQDNs (they all have to end with your config.yaml domain) the user wants to update
-* MYIP is optional and the HTTP client's address will be used if missing
+* HOSTNAMES is a required list of comma-separated FQDNs (they all have to end with your config.yaml domain) the user wants to update
+* MYIP is optional and the HTTP client's IP address will be used if missing
+* MYIP6 is optional but if present also requires presence of MYIP
+
+
+### IP address determination
+
+The following rules apply:
+
+* use any IP address provided via the myip parameter when present, or
+* use any IP address provided via the X-Real-IP header e.g. when used behind HTTP reverse proxy such as nginx, or
+* use any IP address used by the connecting HTTP client
+
+If you want to provide an additional IPv6 address as myip6 parameter, the myip parameter containing an IPv4 address has to be present, too! No automatism is applied then.
+
 
 ### SSL, multiple listen ports
 
 Use a webserver as a proxy to handle SSL and/or multiple listen addresses and ports. DynDNS.com provides HTTP on port 80 and 8245 and HTTPS on port 443.
 
-### Init scripts
 
-The [Debian 6 init.d script](init.d/debian-6-dyndnsd) assumes that dyndnsd.rb is installed into the system ruby (no RVM support) and the config.yaml is at /opt/dyndnsd/config.yaml.
+### Startup
+
+There is a [Dockerfile](docs/Dockerfile) that can be used to build a Docker image for running dyndnsd.rb.
+
+The [Debian 6 init.d script](docs/debian-6-init-dyndnsd) assumes that dyndnsd.rb is installed into the system ruby (no RVM support) and the config.yaml is at /opt/dyndnsd/config.yaml. Modify to your needs.
+
+
+### Monitoring
+
+For monitoring dyndnsd.rb uses the [metriks](https://github.com/eric/metriks) framework and exposes several metrics like the number of unauthenticated requests, requests that did (not) update a hostname, etc. By default the most important metrics are shown in the [proctitle](https://github.com/eric/metriks#proc-title-reporter) but you can also configure a [Graphite](https://graphiteapp.org/) backend for central monitoring or the [textfile_reporter](https://github.com/prometheus/node_exporter/#textfile-collector) which outputs Graphite-style metrics that are also compatible with Prometheus to a file.
+
+```yaml
+host: "0.0.0.0"
+port: 8245 # the DynDNS.com alternative HTTP port
+db: "/opt/dyndnsd/db.json"
+domain: "dyn.example.org"
+# configure the Graphite backend to be used instead of proctitle
+graphite:
+  host: localhost # defaults for host and port of a carbon server
+  port: 2003
+  prefix: "my.graphite.metrics.naming.structure.dyndnsd"
+# OR configure the textfile reporter instead of Graphite/proctitle
+textfile:
+  file: /path/to/file.prom
+  prefix: "my.graphite.metrics.naming.structure.dyndnsd"
+# configure the updater, here we use command_with_bind_zone, params are updater-specific
+updater:
+  name: "command_with_bind_zone"
+  params:
+    zone_file: "dyn.zone"
+    command: "echo 'Hello'"
+    ttl: "5m"
+    dns: "dns.example.org."
+    email_addr: "admin.example.org."
+# user database with hostnames a user is allowed to update
+users:
+  # 'foo' is username, 'secret' the password
+  foo:
+    password: "secret"
+    hosts:
+      - foo.example.org
+      - bar.example.org
+  test:
+    password: "ihavenohosts"
+```
+
+
+### Tracing (experimental)
+
+For tracing, dyndnsd.rb is instrumented using the [OpenTracing](http://opentracing.io/) framework and will emit span tracing data for the most important operations happening during the request/response cycle. Using a middleware for Rack allows handling incoming OpenTracing span information properly.
+
+Currently only one OpenTracing-compatible tracer implementation named [CNCF Jaeger](https://github.com/jaegertracing/jaeger) can be configured to use with dyndnsd.rb.
+
+```yaml
+host: "0.0.0.0"
+port: 8245 # the DynDNS.com alternative HTTP port
+db: "/opt/dyndnsd/db.json"
+domain: "dyn.example.org"
+# enable and configure tracing using the (currently only) tracer jaeger
+tracing:
+  trust_incoming_span: false # default value, change to accept incoming OpenTracing spans as parents
+  jaeger:
+    host: 127.0.0.1 # defaults for host and port of local jaeger-agent
+    port: 6831
+    service_name: "my.dyndnsd.identifier"
+# configure the updater, here we use command_with_bind_zone, params are updater-specific
+updater:
+  name: "command_with_bind_zone"
+  params:
+    zone_file: "dyn.zone"
+    command: "echo 'Hello'"
+    ttl: "5m"
+    dns: "dns.example.org."
+    email_addr: "admin.example.org."
+# user database with hostnames a user is allowed to update
+users:
+  # 'foo' is username, 'secret' the password
+  foo:
+    password: "secret"
+    hosts:
+      - foo.example.org
+      - bar.example.org
+  test:
+    password: "ihavenohosts"
+```
+
 
 ## License
 

Rakefile

@@ -1,6 +1,31 @@
+# frozen_string_literal: true
+
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+require 'bundler/audit/task'
 
 RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new
+Bundler::Audit::Task.new
 
-task :default => :spec
+desc 'Run experimental solargraph type checker'
+task :solargraph do
+  sh 'solargraph typecheck'
+end
+
+namespace :solargraph do
+  desc 'Should be run by developer once to prepare initial solargraph usage (fill caches etc.)'
+  task :init do
+    sh 'solargraph download-core'
+  end
+end
+
+desc 'Run hadolint for Dockerfile linting'
+task :hadolint do
+  sh 'docker run --rm -i hadolint/hadolint:v1.18.0 hadolint --ignore DL3018 - < docker/Dockerfile'
+end
+
+task default: [:rubocop, :spec, 'bundle:audit', :solargraph]
+
+task travis: ['solargraph:init', :default, :hadolint]

bin/dyndnsd

@@ -1,4 +0,0 @@
-
-require 'dyndnsd'
-
-Dyndnsd::Daemon.run!

docker/Dockerfile

@@ -0,0 +1,15 @@
+FROM alpine:3.12
+
+EXPOSE 5353 8080
+
+ARG DYNDNSD_VERSION=3.0.0
+
+RUN apk --no-cache add openssl ca-certificates && \
+    apk --no-cache add ruby ruby-etc ruby-io-console ruby-json ruby-webrick && \
+    apk --no-cache add --virtual .build-deps ruby-dev build-base tzdata && \
+    gem install --no-document dyndnsd -v ${DYNDNSD_VERSION} && \
+    # set timezone to Berlin
+    cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \
+    apk del .build-deps
+
+ENTRYPOINT ["dyndnsd", "/etc/dyndnsd/config.yml"]

docs/debian-6-init-dyndnsd

@@ -23,18 +23,21 @@ case "$1" in
   start)
     log_daemon_msg "Starting dyndnsd.rb" "dyndnsd"
     start-stop-daemon --start --quiet --oknodo --make-pidfile --pidfile "/var/run/dyndnsd.pid" --background --exec $DAEMON -- $DAEMON_OPTS
+    log_end_msg $?
     ;;
   stop)
     log_daemon_msg "Stopping dyndnsd.rb" "dyndnsd"
     start-stop-daemon --stop --quiet --oknodo --pidfile "/var/run/dyndnsd.pid"
+    log_end_msg $?
     ;;
   restart|force-reload)
     log_daemon_msg "Restarting dyndnsd.rb" "dyndnsd"
     start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile "/var/run/dyndsd.pid"
     start-stop-daemon --start --quiet --oknodo --make-pidfile --pidfile "/var/run/dyndnsd.pid" --background --exec $DAEMON -- $DAEMON_OPTS
+    log_end_msg $?
     ;;
   *)
-    echo "Usage: $0 {start|stop|restart|force-reload}" >&2
-    exit 1
+    log_action_msg "Usage: $0 {start|stop|restart|force-reload}"
+    exit 2
     ;;
 esac

dyndnsd.gemspec

@@ -1,7 +1,6 @@
+# frozen_string_literal: true
 
-$:.push File.expand_path("../lib", __FILE__)
-
-require 'dyndnsd/version'
+require_relative 'lib/dyndnsd/version'
 
 Gem::Specification.new do |s|
   s.name = 'dyndnsd'
@@ -9,22 +8,38 @@ Gem::Specification.new do |s|
   s.summary = 'dyndnsd.rb'
   s.description = 'A small, lightweight and extensible DynDNS server written with Ruby and Rack.'
   s.author = 'Christian Nicolai'
-  s.email = 'chrnicolai@gmail.com'
-  s.license = 'Apache License Version 2.0'
+
   s.homepage = 'https://github.com/cmur2/dyndnsd'
+  s.license = 'Apache-2.0'
+  s.metadata = {
+    'bug_tracker_uri' => "#{s.homepage}/issues",
+    'changelog_uri' => "#{s.homepage}/blob/master/CHANGELOG.md",
+    'source_code_uri' => s.homepage
+  }
 
-  s.files = `git ls-files`.split($/)
-  s.test_files = s.files.grep(%r{^(test|spec|features)/})
-
+  s.files = `git ls-files -z`.split("\x0").select do |f|
+    f.match(%r{^(init.d|lib)/})
+  end
   s.require_paths = ['lib']
-
+  s.bindir = 'exe'
   s.executables = ['dyndnsd']
+  s.extra_rdoc_files = Dir['README.md', 'CHANGELOG.md', 'LICENSE']
 
-  s.add_runtime_dependency 'rack'
-  s.add_runtime_dependency 'json'
+  s.required_ruby_version = '>= 2.5'
 
-  s.add_development_dependency 'bundler', '~> 1.3'
+  s.add_runtime_dependency 'async-dns', '~> 1.2.0'
+  s.add_runtime_dependency 'jaeger-client', '~> 1.1.0'
+  s.add_runtime_dependency 'metriks'
+  s.add_runtime_dependency 'opentracing', '~> 0.5.0'
+  s.add_runtime_dependency 'rack', '~> 2.0'
+  s.add_runtime_dependency 'rack-tracer', '~> 0.9.0'
+  s.add_runtime_dependency 'webrick', '>= 1.6.1'
+
+  s.add_development_dependency 'bundler'
+  s.add_development_dependency 'bundler-audit', '~> 0.7.0'
+  s.add_development_dependency 'rack-test'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rspec'
-  s.add_development_dependency 'rack-test'
+  s.add_development_dependency 'rubocop', '~> 0.92.0'
+  s.add_development_dependency 'solargraph'
 end

exe/dyndnsd

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'dyndnsd'
+
+Dyndnsd::Daemon.run!

lib/dyndnsd.rb

@@ -1,162 +1,340 @@
-#!/usr/bin/env ruby
+# frozen_string_literal: true
 
+require 'date'
+require 'etc'
 require 'logger'
 require 'ipaddr'
 require 'json'
 require 'yaml'
 require 'rack'
+require 'metriks'
+require 'metriks/reporter/graphite'
+require 'opentracing'
+require 'rack/tracer'
 
 require 'dyndnsd/generator/bind'
 require 'dyndnsd/updater/command_with_bind_zone'
+require 'dyndnsd/updater/zone_transfer_server'
 require 'dyndnsd/responder/dyndns_style'
 require 'dyndnsd/responder/rest_style'
 require 'dyndnsd/database'
+require 'dyndnsd/helper'
+require 'dyndnsd/textfile_reporter'
 require 'dyndnsd/version'
 
 module Dyndnsd
+  # @return [Logger]
   def self.logger
     @logger
   end
 
+  # @param logger [Logger]
+  # @return [Logger]
   def self.logger=(logger)
     @logger = logger
   end
 
   class LogFormatter
-    def call(lvl, time, progname, msg)
-      "[%s] %-5s %s\n" % [Time.now.strftime('%Y-%m-%d %H:%M:%S'), lvl, msg.to_s]
+    # @param lvl [Object]
+    # @param _time [DateTime]
+    # @param _progname [String]
+    # @param msg [Object]
+    # @return [String]
+    def call(lvl, _time, _progname, msg)
+      format("[%s] %-5s %s\n", Time.now.strftime('%Y-%m-%d %H:%M:%S'), lvl, msg.to_s)
     end
   end
 
   class Daemon
-    def initialize(config, db, updater, responder)
+    # @param config [Hash{String => Object}]
+    # @param db [Dyndnsd::Database]
+    # @param updater [#update]
+    def initialize(config, db, updater)
       @users = config['users']
       @domain = config['domain']
       @db = db
       @updater = updater
-      @responder = responder
 
       @db.load
       @db['serial'] ||= 1
       @db['hosts'] ||= {}
-      (@db.save; update) if @db.changed?
-    end
-    
-    def update
       @updater.update(@db)
-    end
-    
-    def is_fqdn_valid?(hostname)
-      return false if hostname.length < @domain.length + 2
-      return false if not hostname.end_with?(@domain)
-      name = hostname.chomp(@domain)
-      return false if not name.match(/^[a-zA-Z0-9_-]+\.$/)
-      true
-    end
-    
-    def call(env)
-      return @responder.response_for_error(:method_forbidden) if env["REQUEST_METHOD"] != "GET"
-      return @responder.response_for_error(:not_found) if env["PATH_INFO"] != "/nic/update"
-      
-      params = Rack::Utils.parse_query(env["QUERY_STRING"])
-      
-      return @responder.response_for_error(:hostname_missing) if not params["hostname"]
-      
-      hostnames = params["hostname"].split(',')
-      
-      # Check if hostname match rules
-      hostnames.each do |hostname|
-        return @responder.response_for_error(:hostname_malformed) if not is_fqdn_valid?(hostname)
-      end
-      
-      user = env["REMOTE_USER"]
-      
-      hostnames.each do |hostname|
-        return @responder.response_for_error(:host_forbidden) if not @users[user]['hosts'].include? hostname
-      end
-      
-      # no myip?
-      if not params["myip"]
-        params["myip"] = env["REMOTE_ADDR"]
-      end
-      
-      # malformed myip?
-      begin
-        IPAddr.new(params["myip"], Socket::AF_INET)
-      rescue ArgumentError
-        params["myip"] = env["REMOTE_ADDR"]
-      end
-      
-      myip = params["myip"]
-      
-      Dyndnsd.logger.info "Request to update #{hostnames} to #{myip} for user #{user}"
-      
-      changes = []
-      hostnames.each do |hostname|
-        if (not @db['hosts'].include? hostname) or (@db['hosts'][hostname] != myip)
-          changes << :good
-          @db['hosts'][hostname] = myip
-        else
-          changes << :nochg
-        end
-      end
-      
       if @db.changed?
-        @db['serial'] += 1
-        Dyndnsd.logger.info "Committing update ##{@db['serial']}"
         @db.save
-        update
+      end
     end
 
-      @responder.response_for_changes(changes, myip)
+    # @param username [String]
+    # @param password [String]
+    # @return [Boolean]
+    def authorized?(username, password)
+      Helper.span('check_authorized') do |span|
+        span.set_tag('dyndnsd.user', username)
+
+        allow = Helper.user_allowed?(username, password, @users)
+        if !allow
+          Dyndnsd.logger.warn "Login failed for #{username}"
+          Metriks.meter('requests.auth_failed').mark
+        end
+        allow
+      end
     end
 
+    # @param env [Hash{String => String}]
+    # @return [Array{Integer,Hash{String => String},Array<String>}]
+    def call(env)
+      return [422, {'X-DynDNS-Response' => 'method_forbidden'}, []] if env['REQUEST_METHOD'] != 'GET'
+      return [422, {'X-DynDNS-Response' => 'not_found'}, []] if env['PATH_INFO'] != '/nic/update'
+
+      handle_dyndns_request(env)
+    end
+
+    # @return [void]
     def self.run!
       if ARGV.length != 1
-        puts "Usage: dyndnsd config_file"
+        puts 'Usage: dyndnsd config_file'
         exit 1
       end
 
       config_file = ARGV[0]
 
-      if not File.file?(config_file)
-        puts "Config file not found!"
+      if !File.file?(config_file)
+        puts 'Config file not found!'
         exit 1
       end
 
       puts "DynDNSd version #{Dyndnsd::VERSION}"
       puts "Using config file #{config_file}"
 
-      config = YAML::load(File.open(config_file, 'r') { |f| f.read })
+      config = YAML.safe_load(File.open(config_file, 'r', &:read))
 
+      setup_logger(config)
+
+      Dyndnsd.logger.info 'Starting...'
+
+      # drop priviliges as soon as possible
+      # NOTE: first change group than user
+      if config['group']
+        group = Etc.getgrnam(config['group'])
+        Process::Sys.setgid(group.gid) if group
+      end
+      if config['user']
+        user = Etc.getpwnam(config['user'])
+        Process::Sys.setuid(user.uid) if user
+      end
+
+      setup_traps
+
+      setup_monitoring(config)
+
+      setup_tracing(config)
+
+      setup_rack(config)
+    end
+
+    private
+
+    # @param params [Hash{String => String}]
+    # @return [Array<String>]
+    def extract_v4_and_v6_address(params)
+      return [] if !(params['myip'])
+      begin
+        IPAddr.new(params['myip'], Socket::AF_INET)
+        IPAddr.new(params['myip6'], Socket::AF_INET6)
+        [params['myip'], params['myip6']]
+      rescue ArgumentError
+        []
+      end
+    end
+
+    # @param env [Hash{String => String}]
+    # @param params [Hash{String => String}]
+    # @return [Array<String>]
+    def extract_myips(env, params)
+      # require presence of myip parameter as valid IPAddr (v4) and valid myip6
+      return extract_v4_and_v6_address(params) if params.key?('myip6')
+
+      # check whether myip parameter has valid IPAddr
+      return [params['myip']] if params.key?('myip') && Helper.ip_valid?(params['myip'])
+
+      # check whether X-Real-IP header has valid IPAddr
+      return [env['HTTP_X_REAL_IP']] if env.key?('HTTP_X_REAL_IP') && Helper.ip_valid?(env['HTTP_X_REAL_IP'])
+
+      # fallback value, always present
+      [env['REMOTE_ADDR']]
+    end
+
+    # @param hostnames [String]
+    # @param myips [Array<String>]
+    # @return [Array<Symbol>]
+    def process_changes(hostnames, myips)
+      changes = []
+      Helper.span('process_changes') do |span|
+        span.set_tag('dyndnsd.hostnames', hostnames.join(','))
+
+        hostnames.each do |hostname|
+          # myips order is always deterministic
+          if myips.empty? && @db['hosts'].include?(hostname)
+            @db['hosts'].delete(hostname)
+            changes << :good
+            Metriks.meter('requests.good').mark
+          elsif Helper.changed?(hostname, myips, @db['hosts'])
+            @db['hosts'][hostname] = myips
+            changes << :good
+            Metriks.meter('requests.good').mark
+          else
+            changes << :nochg
+            Metriks.meter('requests.nochg').mark
+          end
+        end
+      end
+      changes
+    end
+
+    # @return [void]
+    def update_db
+      @db['serial'] += 1
+      Dyndnsd.logger.info "Committing update ##{@db['serial']}"
+      @updater.update(@db)
+      @db.save
+      Metriks.meter('updates.committed').mark
+    end
+
+    # @param env [Hash{String => String}]
+    # @return [Array{Integer,Hash{String => String},Array<String>}]
+    def handle_dyndns_request(env)
+      params = Rack::Utils.parse_query(env['QUERY_STRING'])
+
+      # require hostname parameter
+      return [422, {'X-DynDNS-Response' => 'hostname_missing'}, []] if !(params['hostname'])
+
+      hostnames = params['hostname'].split(',')
+
+      # check for invalid hostnames
+      invalid_hostnames = hostnames.select { |h| !Helper.fqdn_valid?(h, @domain) }
+      return [422, {'X-DynDNS-Response' => 'hostname_malformed'}, []] if invalid_hostnames.any?
+
+      user = env['REMOTE_USER']
+
+      # check for hostnames that the user does not own
+      forbidden_hostnames = hostnames - @users[user]['hosts']
+      return [422, {'X-DynDNS-Response' => 'host_forbidden'}, []] if forbidden_hostnames.any?
+
+      if params['offline'] == 'YES'
+        myips = []
+      else
+        myips = extract_myips(env, params)
+        # require at least one IP to update
+        return [422, {'X-DynDNS-Response' => 'host_forbidden'}, []] if myips.empty?
+      end
+
+      Metriks.meter('requests.valid').mark
+      Dyndnsd.logger.info "Request to update #{hostnames} to #{myips} for user #{user}"
+
+      changes = process_changes(hostnames, myips)
+
+      update_db if @db.changed?
+
+      [200, {'X-DynDNS-Response' => 'success'}, [changes, myips]]
+    end
+
+    # SETUP
+
+    # @param config [Hash{String => Object}]
+    # @return [void]
+    private_class_method def self.setup_logger(config)
       if config['logfile']
         Dyndnsd.logger = Logger.new(config['logfile'])
       else
-        Dyndnsd.logger = Logger.new(STDOUT)
+        Dyndnsd.logger = Logger.new($stdout)
       end
 
-      Dyndnsd.logger.progname = "dyndnsd"
+      Dyndnsd.logger.progname = 'dyndnsd'
       Dyndnsd.logger.formatter = LogFormatter.new
-
-      Dyndnsd.logger.info "Starting..."
-
-      db = Database.new(config['db'])
-      updater = Updater::CommandWithBindZone.new(config['domain'], config['updater']['params']) if config['updater']['name'] == 'command_with_bind_zone'
-      responder = Responder::DynDNSStyle.new
-      
-      app = Daemon.new(config, db, updater, responder)
-      app = Rack::Auth::Basic.new(app, "DynDNS") do |user,pass|
-        allow = (config['users'].has_key? user) and (config['users'][user]['password'] == pass)
-        Dyndnsd.logger.warn "Login failed for #{user}" if not allow
-        allow
+      Dyndnsd.logger.level = config['debug'] ? Logger::DEBUG : Logger::INFO
     end
 
+    # @return [void]
+    private_class_method def self.setup_traps
       Signal.trap('INT') do
-        Dyndnsd.logger.info "Quitting..."
         Rack::Handler::WEBrick.shutdown
       end
+      Signal.trap('TERM') do
+        Rack::Handler::WEBrick.shutdown
+      end
+    end
 
-      Rack::Handler::WEBrick.run app, :Host => config['host'], :Port => config['port']
+    # @param config [Hash{String => Object}]
+    # @return [void]
+    private_class_method def self.setup_monitoring(config)
+      # configure metriks
+      if config['graphite']
+        host = config['graphite']['host'] || 'localhost'
+        port = config['graphite']['port'] || 2003
+        options = {}
+        options[:prefix] = config['graphite']['prefix'] if config['graphite']['prefix']
+        reporter = Metriks::Reporter::Graphite.new(host, port, options)
+        reporter.start
+      elsif config['textfile']
+        file = config['textfile']['file'] || '/tmp/dyndnsd-metrics.prom'
+        options = {}
+        options[:prefix] = config['textfile']['prefix'] if config['textfile']['prefix']
+        reporter = Dyndnsd::TextfileReporter.new(file, options)
+        reporter.start
+      else
+        reporter = Metriks::Reporter::ProcTitle.new
+        reporter.add 'good', 'sec' do
+          Metriks.meter('requests.good').mean_rate
+        end
+        reporter.add 'nochg', 'sec' do
+          Metriks.meter('requests.nochg').mean_rate
+        end
+        reporter.start
+      end
+    end
+
+    # @param config [Hash{String => Object}]
+    # @return [void]
+    private_class_method def self.setup_tracing(config)
+      # configure OpenTracing
+      if config.dig('tracing', 'jaeger')
+        require 'jaeger/client'
+
+        host = config['tracing']['jaeger']['host'] || '127.0.0.1'
+        port = config['tracing']['jaeger']['port'] || 6831
+        service_name = config['tracing']['jaeger']['service_name'] || 'dyndnsd'
+        OpenTracing.global_tracer = Jaeger::Client.build(
+          host: host, port: port, service_name: service_name, flush_interval: 1
+        )
+      end
+    end
+
+    # @param config [Hash{String => Object}]
+    # @return [void]
+    private_class_method def self.setup_rack(config)
+      # configure daemon
+      db = Database.new(config['db'])
+      case config.dig('updater', 'name')
+      when 'command_with_bind_zone'
+        updater = Updater::CommandWithBindZone.new(config['domain'], config.dig('updater', 'params'))
+      when 'zone_transfer_server'
+        updater = Updater::ZoneTransferServer.new(config['domain'], config.dig('updater', 'params'))
+      end
+      daemon = Daemon.new(config, db, updater)
+
+      # configure rack
+      app = Rack::Auth::Basic.new(daemon, 'DynDNS', &daemon.method(:authorized?))
+
+      if config['responder'] == 'RestStyle'
+        app = Responder::RestStyle.new(app)
+      else
+        app = Responder::DynDNSStyle.new(app)
+      end
+
+      trust_incoming_span = config.dig('tracing', 'trust_incoming_span') || false
+      app = Rack::Tracer.new(app, trust_incoming_span: trust_incoming_span)
+
+      Rack::Handler::WEBrick.run app, Host: config['host'], Port: config['port']
     end
   end
 end

lib/dyndnsd/database.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 
 require 'forwardable'
 
@@ -7,24 +8,30 @@ module Dyndnsd
 
     def_delegators :@db, :[], :[]=, :each, :has_key?
 
+    # @param db_file [String]
     def initialize(db_file)
       @db_file = db_file
     end
 
+    # @return [void]
     def load
       if File.file?(@db_file)
-        @db = JSON.load(File.open(@db_file, 'r') { |f| f.read })
+        @db = JSON.parse(File.read(@db_file, mode: 'r'))
       else
         @db = {}
       end
       @db_hash = @db.hash
     end
 
+    # @return [void]
     def save
+      Helper.span('database_save') do |_span|
         File.open(@db_file, 'w') { |f| JSON.dump(@db, f) }
         @db_hash = @db.hash
       end
+    end
 
+    # @return [Boolean]
     def changed?
       @db_hash != @db.hash
     end

lib/dyndnsd/generator/bind.rb

@@ -1,30 +1,39 @@
+# frozen_string_literal: true
 
 module Dyndnsd
   module Generator
     class Bind
-      def initialize(domain, config)
+      # @param domain [String]
+      # @param updater_params [Hash{String => Object}]
+      def initialize(domain, updater_params)
         @domain = domain
-        @ttl = config['ttl']
-        @dns = config['dns']
-        @email_addr = config['email_addr']
-        @additional_zone_content = config['additional_zone_content']
+        @ttl = updater_params['ttl']
+        @dns = updater_params['dns']
+        @email_addr = updater_params['email_addr']
+        @additional_zone_content = updater_params['additional_zone_content']
       end
 
-      def generate(zone)
+      # @param db [Dyndnsd::Database]
+      # @return [String]
+      def generate(db)
         out = []
         out << "$TTL #{@ttl}"
         out << "$ORIGIN #{@domain}."
-        out << ""
-        out << "@ IN SOA #{@dns} #{@email_addr} ( #{zone['serial']} 3h 5m 1w 1h )"
+        out << ''
+        out << "@ IN SOA #{@dns} #{@email_addr} ( #{db['serial']} 3h 5m 1w 1h )"
         out << "@ IN NS #{@dns}"
-        out << ""
-        zone['hosts'].each do |hostname,ip|
-          name = hostname.chomp('.' + @domain)
-          out << "#{name} IN A #{ip}"
+        out << ''
+        db['hosts'].each do |hostname, ips|
+          ips.each do |ip|
+            ip = IPAddr.new(ip).native
+            type = ip.ipv6? ? 'AAAA' : 'A'
+            name = hostname.chomp(".#{@domain}")
+            out << "#{name} IN #{type} #{ip}"
           end
-        out << ""
+        end
+        out << ''
         out << @additional_zone_content
-        out << ""
+        out << ''
         out.join("\n")
       end
     end

lib/dyndnsd/helper.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require 'ipaddr'
+
+module Dyndnsd
+  class Helper
+    # @param hostname [String]
+    # @param domain [String]
+    # @return [Boolean]
+    def self.fqdn_valid?(hostname, domain)
+      return false if hostname.length < domain.length + 2
+      return false if !hostname.end_with?(domain)
+      name = hostname.chomp(domain)
+      return false if !name.match(/^[a-zA-Z0-9_-]+\.$/)
+      true
+    end
+
+    # @param ip [String]
+    # @return [Boolean]
+    def self.ip_valid?(ip)
+      IPAddr.new(ip)
+      true
+    rescue ArgumentError
+      false
+    end
+
+    # @param username [String]
+    # @param password [String]
+    # @param users [Hash]
+    # @return [Boolean]
+    def self.user_allowed?(username, password, users)
+      (users.key? username) && (users[username]['password'] == password)
+    end
+
+    # @param hostname [String]
+    # @param myips [Array]
+    # @param hosts [Hash]
+    # @return [Boolean]
+    def self.changed?(hostname, myips, hosts)
+      # myips order is always deterministic
+      ((!hosts.include? hostname) || (hosts[hostname] != myips)) && !myips.empty?
+    end
+
+    # @param operation [String]
+    # @param block [Proc]
+    # @return [void]
+    def self.span(operation, &block)
+      scope = OpenTracing.start_active_span(operation)
+      span = scope.span
+      span.set_tag('component', 'dyndnsd')
+      span.set_tag('span.kind', 'server')
+      begin
+        block.call(span)
+      rescue StandardError => e
+        span.set_tag('error', true)
+        span.log_kv(
+          event: 'error',
+          'error.kind': e.class.to_s,
+          'error.object': e,
+          message: e.message,
+          stack: e.backtrace&.join("\n") || ''
+        )
+        raise
+      ensure
+        scope.close
+      end
+    end
+  end
+end

lib/dyndnsd/responder/dyndns_style.rb

@@ -1,20 +1,71 @@
+# frozen_string_literal: true
 
 module Dyndnsd
   module Responder
     class DynDNSStyle
-      def response_for_error(state)
-        # general http errors
-        return [405, {"Content-Type" => "text/plain"}, ["Method Not Allowed"]] if state == :method_forbidden
-        return [404, {"Content-Type" => "text/plain"}, ["Not Found"]] if state == :not_found
-        # specific errors
-        return [200, {"Content-Type" => "text/plain"}, ["notfqdn"]] if state == :hostname_missing
-        return [200, {"Content-Type" => "text/plain"}, ["nohost"]] if state == :host_forbidden
-        return [200, {"Content-Type" => "text/plain"}, ["notfqdn"]] if state == :hostname_malformed
+      # @param app [#call]
+      def initialize(app)
+        @app = app
       end
 
-      def response_for_changes(states, ip)
-        body = states.map { |state| "#{state} #{ip}" }.join("\n")
-        return [200, {"Content-Type" => "text/plain"}, [body]]
+      # @param env [Hash{String => String}]
+      # @return [Array{Integer,Hash{String => String},Array<String>}]
+      def call(env)
+        @app.call(env).tap do |status_code, headers, body|
+          if headers.key?('X-DynDNS-Response')
+            return decorate_dyndnsd_response(status_code, headers, body)
+          else
+            return decorate_other_response(status_code, headers, body)
+          end
+        end
+      end
+
+      private
+
+      # @param status_code [Integer]
+      # @param headers [Hash{String => String}]
+      # @param body [Array<String>]
+      # @return [Array{Integer,Hash{String => String},Array<String>}]
+      def decorate_dyndnsd_response(status_code, headers, body)
+        case status_code
+        when 200
+          [200, {'Content-Type' => 'text/plain'}, [get_success_body(body[0], body[1])]]
+        when 422
+          error_response_map[headers['X-DynDNS-Response']]
+        end
+      end
+
+      # @param status_code [Integer]
+      # @param headers [Hash{String => String}]
+      # @param _body [Array<String>]
+      # @return [Array{Integer,Hash{String => String},Array<String>}]
+      def decorate_other_response(status_code, headers, _body)
+        case status_code
+        when 400
+          [status_code, headers, ['Bad Request']]
+        when 401
+          [status_code, headers, ['badauth']]
+        end
+      end
+
+      # @param changes [Array<Symbol>]
+      # @param myips [Array<String>]
+      # @return [String]
+      def get_success_body(changes, myips)
+        changes.map { |change| "#{change} #{myips.join(' ')}" }.join("\n")
+      end
+
+      # @return [Hash{String => Object}]
+      def error_response_map
+        {
+          # general http errors
+          'method_forbidden'   => [405, {'Content-Type' => 'text/plain'}, ['Method Not Allowed']],
+          'not_found'          => [404, {'Content-Type' => 'text/plain'}, ['Not Found']],
+          # specific errors
+          'hostname_missing'   => [200, {'Content-Type' => 'text/plain'}, ['notfqdn']],
+          'hostname_malformed' => [200, {'Content-Type' => 'text/plain'}, ['notfqdn']],
+          'host_forbidden'     => [200, {'Content-Type' => 'text/plain'}, ['nohost']]
+        }
       end
     end
   end

lib/dyndnsd/responder/rest_style.rb

@@ -1,20 +1,71 @@
+# frozen_string_literal: true
 
 module Dyndnsd
   module Responder
     class RestStyle
-      def response_for_error(state)
-        # general http errors
-        return [405, {"Content-Type" => "text/plain"}, ["Method Not Allowed"]] if state == :method_forbidden
-        return [404, {"Content-Type" => "text/plain"}, ["Not Found"]] if state == :not_found
-        # specific errors
-        return [422, {"Content-Type" => "text/plain"}, ["Hostname missing"]] if state == :hostname_missing
-        return [403, {"Content-Type" => "text/plain"}, ["Forbidden"]] if state == :host_forbidden
-        return [422, {"Content-Type" => "text/plain"}, ["Hostname malformed"]] if state == :hostname_malformed
+      # @param app [#call]
+      def initialize(app)
+        @app = app
       end
 
-      def response_for_changes(states, ip)
-        body = states.map { |state| state == :good ? "Changed to #{ip}" : "No change needed for #{ip}" }.join("\n")
-        return [200, {"Content-Type" => "text/plain"}, [body]]
+      # @param env [Hash{String => String}]
+      # @return [Array{Integer,Hash{String => String},Array<String>}]
+      def call(env)
+        @app.call(env).tap do |status_code, headers, body|
+          if headers.key?('X-DynDNS-Response')
+            return decorate_dyndnsd_response(status_code, headers, body)
+          else
+            return decorate_other_response(status_code, headers, body)
+          end
+        end
+      end
+
+      private
+
+      # @param status_code [Integer]
+      # @param headers [Hash{String => String}]
+      # @param body [Array<String>]
+      # @return [Array{Integer,Hash{String => String},Array<String>}]
+      def decorate_dyndnsd_response(status_code, headers, body)
+        case status_code
+        when 200
+          [200, {'Content-Type' => 'text/plain'}, [get_success_body(body[0], body[1])]]
+        when 422
+          error_response_map[headers['X-DynDNS-Response']]
+        end
+      end
+
+      # @param status_code [Integer]
+      # @param headers [Hash{String => String}]
+      # @param _body [Array<String>]
+      # @return [Array{Integer,Hash{String => String},Array<String>}]
+      def decorate_other_response(status_code, headers, _body)
+        case status_code
+        when 400
+          [status_code, headers, ['Bad Request']]
+        when 401
+          [status_code, headers, ['Unauthorized']]
+        end
+      end
+
+      # @param changes [Array<Symbol>]
+      # @param myips [Array<String>]
+      # @return [String]
+      def get_success_body(changes, myips)
+        changes.map { |change| change == :good ? "Changed to #{myips.join(' ')}" : "No change needed for #{myips.join(' ')}" }.join("\n")
+      end
+
+      # @return [Hash{String => Object}]
+      def error_response_map
+        {
+          # general http errors
+          'method_forbidden'   => [405, {'Content-Type' => 'text/plain'}, ['Method Not Allowed']],
+          'not_found'          => [404, {'Content-Type' => 'text/plain'}, ['Not Found']],
+          # specific errors
+          'hostname_missing'   => [422, {'Content-Type' => 'text/plain'}, ['Hostname missing']],
+          'hostname_malformed' => [422, {'Content-Type' => 'text/plain'}, ['Hostname malformed']],
+          'host_forbidden'     => [403, {'Content-Type' => 'text/plain'}, ['Forbidden']]
+        }
       end
     end
   end

lib/dyndnsd/textfile_reporter.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+
+# Adapted from https://github.com/eric/metriks-graphite/blob/master/lib/metriks/reporter/graphite.rb
+
+require 'metriks'
+
+module Dyndnsd
+  class TextfileReporter
+    # @return [String]
+    attr_reader :file
+
+    # @param file [String]
+    # @param options [Hash{Symbol => Object}]
+    def initialize(file, options = {})
+      @file = file
+
+      @prefix = options[:prefix]
+
+      @registry  = options[:registry] || Metriks::Registry.default
+      @interval  = options[:interval] || 60
+      @on_error  = options[:on_error] || proc { |ex| }
+    end
+
+    # @return [void]
+    def start
+      @thread ||= Thread.new do
+        loop do
+          sleep @interval
+
+          Thread.new do
+            write
+          rescue StandardError => e
+            @on_error[e] rescue nil
+          end
+        end
+      end
+    end
+
+    # @return [void]
+    def stop
+      @thread&.kill
+      @thread = nil
+    end
+
+    # @return [void]
+    def restart
+      stop
+      start
+    end
+
+    # @return [void]
+    def write
+      File.open(@file, 'w') do |f|
+        @registry.each do |name, metric|
+          case metric
+          when Metriks::Meter
+            write_metric f, name, metric, [
+              :count, :one_minute_rate, :five_minute_rate,
+              :fifteen_minute_rate, :mean_rate
+            ]
+          when Metriks::Counter
+            write_metric f, name, metric, [
+              :count
+            ]
+          when Metriks::UtilizationTimer
+            write_metric f, name, metric, [
+              :count, :one_minute_rate, :five_minute_rate,
+              :fifteen_minute_rate, :mean_rate,
+              :min, :max, :mean, :stddev,
+              :one_minute_utilization, :five_minute_utilization,
+              :fifteen_minute_utilization, :mean_utilization
+            ], [
+              :median, :get_95th_percentile
+            ]
+          when Metriks::Timer
+            write_metric f, name, metric, [
+              :count, :one_minute_rate, :five_minute_rate,
+              :fifteen_minute_rate, :mean_rate,
+              :min, :max, :mean, :stddev
+            ], [
+              :median, :get_95th_percentile
+            ]
+          when Metriks::Histogram
+            write_metric f, name, metric, [
+              :count, :min, :max, :mean, :stddev
+            ], [
+              :median, :get_95th_percentile
+            ]
+          end
+        end
+      end
+    end
+
+    # @param file [String]
+    # @param base_name [String]
+    # @param metric [Object]
+    # @param keys [Array<Symbol>]
+    # @param snapshot_keys [Array<Symbol>]
+    # @return [void]
+    def write_metric(file, base_name, metric, keys, snapshot_keys = [])
+      time = Time.now.to_i
+
+      base_name = base_name.to_s.gsub(/ +/, '_')
+      base_name = "#{@prefix}.#{base_name}" if @prefix
+
+      keys.flatten.each do |key|
+        name = key.to_s.gsub(/^get_/, '')
+        value = metric.send(key)
+        file.write("#{base_name}.#{name} #{value} #{time}\n")
+      end
+
+      unless snapshot_keys.empty?
+        snapshot = metric.snapshot
+        snapshot_keys.flatten.each do |key|
+          name = key.to_s.gsub(/^get_/, '')
+          value = snapshot.send(key)
+          file.write("#{base_name}.#{name} #{value} #{time}\n")
+        end
+      end
+    end
+  end
+end

lib/dyndnsd/updater/command_with_bind_zone.rb

@@ -1,20 +1,35 @@
+# frozen_string_literal: true
 
 module Dyndnsd
   module Updater
     class CommandWithBindZone
-      def initialize(domain, config)
-        @zone_file = config['zone_file']
-        @command = config['command']
-        @generator = Generator::Bind.new(domain, config)
+      # @param domain [String]
+      # @param updater_params [Hash{String => Object}]
+      def initialize(domain, updater_params)
+        @zone_file = updater_params['zone_file']
+        @command = updater_params['command']
+        @generator = Generator::Bind.new(domain, updater_params)
       end
 
-      def update(zone)
+      # @param db [Dyndnsd::Database]
+      # @return [void]
+      def update(db)
+        # do not regenerate zone file (assumed to be persistent) if DB did not change
+        return if !db.changed?
+
+        Helper.span('updater_update') do |span|
+          span.set_tag('dyndnsd.updater.name', self.class.name&.split('::')&.last || 'None')
+
           # write zone file in bind syntax
-        File.open(@zone_file, 'w') { |f| f.write(@generator.generate(zone)) }
+          File.open(@zone_file, 'w') { |f| f.write(@generator.generate(db)) }
           # call user-defined command
           pid = fork do
             exec @command
           end
+
+          # detach so children don't become zombies
+          Process.detach(pid) if pid
+        end
       end
     end
   end

lib/dyndnsd/updater/zone_transfer_server.rb

@@ -0,0 +1,158 @@
+# frozen_string_literal: true
+
+require 'resolv'
+require 'securerandom'
+
+require 'async/dns'
+
+module Dyndnsd
+  module Updater
+    class ZoneTransferServer
+      DEFAULT_SERVER_LISTENS = ['0.0.0.0@53'].freeze
+
+      # @param domain [String]
+      # @param updater_params [Hash{String => Object}]
+      def initialize(domain, updater_params)
+        @domain = domain
+
+        @server_listens = self.class.parse_endpoints(updater_params['server_listens'] || DEFAULT_SERVER_LISTENS)
+        @notify_targets = (updater_params['send_notifies'] || []).map { |e| self.class.parse_endpoints([e]) }
+
+        @zone_rr_ttl = updater_params['zone_ttl']
+        @zone_nameservers = updater_params['zone_nameservers'].map { |n| Resolv::DNS::Name.create(n) }
+        @zone_email_address = Resolv::DNS::Name.create(updater_params['zone_email_address'])
+        @zone_additional_ips = updater_params['zone_additional_ips'] || []
+
+        @server = ZoneTransferServerHelper.new(@server_listens, @domain)
+
+        # run Async::DNS server in background thread
+        Thread.new do
+          @server.run
+        end
+      end
+
+      # @param db [Dyndnsd::Database]
+      # @return [void]
+      def update(db)
+        Helper.span('updater_update') do |span|
+          span.set_tag('dyndnsd.updater.name', self.class.name&.split('::')&.last || 'None')
+
+          soa_rr = Resolv::DNS::Resource::IN::SOA.new(
+            @zone_nameservers[0], @zone_email_address,
+            db['serial'],
+            10_800,  # 3h
+            300,     # 5m
+            604_800, # 1w
+            3_600    # 1h
+          )
+
+          default_options = {ttl: @zone_rr_ttl}
+
+          # array containing all resource records for an AXFR request in the right order
+          rrs = []
+          # AXFR responses need to start with zone's SOA RR
+          rrs << [soa_rr, default_options]
+
+          # return RRs for all of the zone's nameservers
+          @zone_nameservers.each do |ns|
+            rrs << [Resolv::DNS::Resource::IN::NS.new(ns), default_options]
+          end
+
+          # return A/AAAA RRs for all additional IPv4s/IPv6s for the domain itself
+          @zone_additional_ips.each do |ip|
+            rrs << [create_addr_rr_for_ip(ip), default_options]
+          end
+
+          # return A/AAAA RRs for the dyndns hostnames
+          db['hosts'].each do |hostname, ips|
+            ips.each do |ip|
+              rrs << [create_addr_rr_for_ip(ip), default_options.merge({name: hostname})]
+            end
+          end
+
+          # AXFR responses need to end with zone's SOA RR again
+          rrs << [soa_rr, default_options]
+
+          # point Async::DNS server thread's variable to this new RR array
+          @server.axfr_rrs = rrs
+
+          # only send DNS NOTIFY if there really was a change
+          if db.changed?
+            send_dns_notify
+          end
+        end
+      end
+
+      # converts into suitable parameter form for Async::DNS::Resolver or Async::DNS::Server
+      #
+      # @param endpoint_list [Array<String>]
+      # @return [Array{Array{Object}}]
+      def self.parse_endpoints(endpoint_list)
+        endpoint_list.map { |addr_string| addr_string.split('@') }
+                     .map { |addr_parts| [addr_parts[0], addr_parts[1].to_i || 53] }
+                     .map { |addr| [:tcp, :udp].map { |type| [type] + addr } }
+                     .flatten(1)
+      end
+
+      private
+
+      # creates correct Resolv::DNS::Resource object for IP address type
+      #
+      # @param ip_string [String]
+      # @return [Resolv::DNS::Resource::IN::A,Resolv::DNS::Resource::IN::AAAA]
+      def create_addr_rr_for_ip(ip_string)
+        ip = IPAddr.new(ip_string).native
+
+        if ip.ipv6?
+          Resolv::DNS::Resource::IN::AAAA.new(ip.to_s)
+        else
+          Resolv::DNS::Resource::IN::A.new(ip.to_s)
+        end
+      end
+
+      # https://tools.ietf.org/html/rfc1996
+      #
+      # @return [void]
+      def send_dns_notify
+        Async::Reactor.run do
+          @notify_targets.each do |notify_target|
+            target = Async::DNS::Resolver.new(notify_target)
+
+            # assemble DNS NOTIFY message
+            request = Resolv::DNS::Message.new(SecureRandom.random_number(2**16))
+            request.opcode = Resolv::DNS::OpCode::Notify
+            request.add_question("#{@domain}.", Resolv::DNS::Resource::IN::SOA)
+
+            _response = target.dispatch_request(request)
+          end
+        end
+      end
+    end
+
+    class ZoneTransferServerHelper < Async::DNS::Server
+      attr_accessor :axfr_rrs
+
+      def initialize(endpoints, domain)
+        super(endpoints, logger: Dyndnsd.logger)
+        @domain = domain
+      end
+
+      # @param name [String]
+      # @param resource_class [Resolv::DNS::Resource]
+      # Since solargraph cannot parse this: param transaction [Async::DNS::Transaction]
+      # @return [void]
+      def process(name, resource_class, transaction)
+        if name != @domain || resource_class != Resolv::DNS::Resource::Generic::Type252_Class1
+          transaction.fail!(:NXDomain)
+          return
+        end
+
+        # https://tools.ietf.org/html/rfc5936
+        transaction.append_question!
+        @axfr_rrs.each do |rr|
+          transaction.add([rr[0]], rr[1])
+        end
+      end
+    end
+  end
+end

lib/dyndnsd/version.rb

@@ -1,4 +1,5 @@
+# frozen_string_literal: true
 
 module Dyndnsd
-  VERSION = "1.0.0"
+  VERSION = '3.1.1'
 end

spec/daemon_spec.rb

@@ -1,10 +1,12 @@
-require 'spec_helper'
+# frozen_string_literal: true
+
+require_relative 'spec_helper'
 
 describe Dyndnsd::Daemon do
   include Rack::Test::Methods
 
   def app
-    Dyndnsd.logger = Logger.new(STDOUT)
+    Dyndnsd.logger = Logger.new($stdout)
     Dyndnsd.logger.level = Logger::UNKNOWN
 
     config = {
@@ -18,125 +20,223 @@ describe Dyndnsd::Daemon do
     }
     db = Dyndnsd::DummyDatabase.new({})
     updater = Dyndnsd::Updater::Dummy.new
-    responder = Dyndnsd::Responder::DynDNSStyle.new
-    app = Dyndnsd::Daemon.new(config, db, updater, responder)
+    daemon = Dyndnsd::Daemon.new(config, db, updater)
 
-    Rack::Auth::Basic.new(app, "DynDNS") do |user,pass|
-      (config['users'].has_key? user) and (config['users'][user]['password'] == pass)
-    end
+    app = Rack::Auth::Basic.new(daemon, 'DynDNS', &daemon.method(:authorized?))
+
+    app = Dyndnsd::Responder::DynDNSStyle.new(app)
+
+    Rack::Tracer.new(app, trust_incoming_span: false)
   end
 
   it 'requires authentication' do
     get '/'
-    last_response.status.should == 401
+    expect(last_response.status).to eq(401)
+    expect(last_response.body).to eq('badauth')
+  end
 
-    pending 'Need to find a way to add custom body on 401 responses'
-    last_response.should be_ok 'badauth'
+  it 'requires configured correct credentials' do
+    authorize 'test', 'wrongsecret'
+    get '/'
+    expect(last_response.status).to eq(401)
+    expect(last_response.body).to eq('badauth')
   end
 
   it 'only supports GET requests' do
     authorize 'test', 'secret'
     post '/nic/update'
-    last_response.status.should == 405
+    expect(last_response.status).to eq(405)
   end
 
-  it 'provides only the /nic/update' do
+  it 'provides only the /nic/update URL' do
     authorize 'test', 'secret'
     get '/other/url'
-    last_response.status.should == 404
+    expect(last_response.status).to eq(404)
   end
 
   it 'requires the hostname query parameter' do
     authorize 'test', 'secret'
     get '/nic/update'
-    last_response.should be_ok
-    last_response.body.should == 'notfqdn'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('notfqdn')
   end
 
   it 'supports multiple hostnames in request' do
     authorize 'test', 'secret'
+
     get '/nic/update?hostname=foo.example.org,bar.example.org&myip=1.2.3.4'
-    last_response.should be_ok
-    last_response.body.should == "good 1.2.3.4\ngood 1.2.3.4"
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq("good 1.2.3.4\ngood 1.2.3.4")
+
+    get '/nic/update?hostname=foo.example.org,bar.example.org&myip=2001:db8::1'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq("good 2001:db8::1\ngood 2001:db8::1")
   end
 
   it 'rejects request if one hostname is invalid' do
     authorize 'test', 'secret'
 
     get '/nic/update?hostname=test'
-    last_response.should be_ok
-    last_response.body.should == 'notfqdn'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('notfqdn')
 
     get '/nic/update?hostname=test.example.com'
-    last_response.should be_ok
-    last_response.body.should == 'notfqdn'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('notfqdn')
 
     get '/nic/update?hostname=test.example.org.me'
-    last_response.should be_ok
-    last_response.body.should == 'notfqdn'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('notfqdn')
 
     get '/nic/update?hostname=foo.test.example.org'
-    last_response.should be_ok
-    last_response.body.should == 'notfqdn'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('notfqdn')
 
     get '/nic/update?hostname=in%20valid.example.org'
-    last_response.should be_ok
-    last_response.body.should == 'notfqdn'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('notfqdn')
 
     get '/nic/update?hostname=valid.example.org,in.valid.example.org'
-    last_response.should be_ok
-    last_response.body.should == 'notfqdn'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('notfqdn')
   end
 
   it 'rejects request if user does not own one hostname' do
     authorize 'test', 'secret'
+
     get '/nic/update?hostname=notmyhost.example.org'
-    last_response.should be_ok
-    last_response.body.should == 'nohost'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('nohost')
 
     get '/nic/update?hostname=foo.example.org,notmyhost.example.org'
-    last_response.should be_ok
-    last_response.body.should == 'nohost'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('nohost')
   end
 
-  it 'updates a host on change' do
+  it 'updates a host on IP change' do
     authorize 'test', 'secret'
 
     get '/nic/update?hostname=foo.example.org&myip=1.2.3.4'
-    last_response.should be_ok
+    expect(last_response).to be_ok
 
     get '/nic/update?hostname=foo.example.org&myip=1.2.3.40'
-    last_response.should be_ok
-    last_response.body.should == 'good 1.2.3.40'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good 1.2.3.40')
+
+    get '/nic/update?hostname=foo.example.org&myip=2001:db8::1'
+    expect(last_response).to be_ok
+
+    get '/nic/update?hostname=foo.example.org&myip=2001:db8::10'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good 2001:db8::10')
   end
 
-  it 'returns no change' do
+  it 'returns IP no change' do
     authorize 'test', 'secret'
 
     get '/nic/update?hostname=foo.example.org&myip=1.2.3.4'
-    last_response.should be_ok
+    expect(last_response).to be_ok
 
     get '/nic/update?hostname=foo.example.org&myip=1.2.3.4'
-    last_response.should be_ok
-    last_response.body.should == 'nochg 1.2.3.4'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('nochg 1.2.3.4')
+
+    get '/nic/update?hostname=foo.example.org&myip=2001:db8::1'
+    expect(last_response).to be_ok
+
+    get '/nic/update?hostname=foo.example.org&myip=2001:db8::1'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('nochg 2001:db8::1')
   end
 
-  it 'outputs status per hostname' do
+  it 'outputs IP status per hostname' do
     authorize 'test', 'secret'
 
     get '/nic/update?hostname=foo.example.org&myip=1.2.3.4'
-    last_response.should be_ok
-    last_response.body.should == 'good 1.2.3.4'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good 1.2.3.4')
 
     get '/nic/update?hostname=foo.example.org,bar.example.org&myip=1.2.3.4'
-    last_response.should be_ok
-    last_response.body.should == "nochg 1.2.3.4\ngood 1.2.3.4"
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq("nochg 1.2.3.4\ngood 1.2.3.4")
+
+    get '/nic/update?hostname=foo.example.org&myip=2001:db8::1'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good 2001:db8::1')
+
+    get '/nic/update?hostname=foo.example.org,bar.example.org&myip=2001:db8::1'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq("nochg 2001:db8::1\ngood 2001:db8::1")
   end
 
-  it 'uses clients remote address if myip not specified' do
+  it 'offlines a host' do
+    authorize 'test', 'secret'
+
+    get '/nic/update?hostname=foo.example.org&myip=1.2.3.4'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good 1.2.3.4')
+
+    get '/nic/update?hostname=foo.example.org&offline=YES'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good ')
+
+    get '/nic/update?hostname=foo.example.org&offline=YES'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('nochg ')
+
+    get '/nic/update?hostname=foo.example.org&myip=1.2.3.4'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good 1.2.3.4')
+
+    get '/nic/update?hostname=foo.example.org&myip=1.2.3.4&offline=YES'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good ')
+
+    get '/nic/update?hostname=foo.example.org&myip=1.2.3.4&offline=YES'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('nochg ')
+  end
+
+  it 'uses clients remote IP address if myip not specified' do
     authorize 'test', 'secret'
     get '/nic/update?hostname=foo.example.org'
-    last_response.should be_ok
-    last_response.body.should == 'good 127.0.0.1'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good 127.0.0.1')
+  end
+
+  it 'uses clients remote IP address from X-Real-IP header if behind proxy' do
+    authorize 'test', 'secret'
+
+    get '/nic/update?hostname=foo.example.org', '', 'HTTP_X_REAL_IP' => '10.0.0.1'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good 10.0.0.1')
+
+    get '/nic/update?hostname=foo.example.org', '', 'HTTP_X_REAL_IP' => '2001:db8::1'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good 2001:db8::1')
+  end
+
+  it 'supports an IPv4 and an IPv6 address in one request' do
+    authorize 'test', 'secret'
+
+    get '/nic/update?hostname=foo.example.org&myip=1.2.3.4&myip6=2001:db8::1'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good 1.2.3.4 2001:db8::1')
+
+    get '/nic/update?hostname=foo.example.org&myip=BROKENIP&myip6=2001:db8::1'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('nohost')
+
+    get '/nic/update?hostname=foo.example.org&myip=1.2.3.4&myip6=BROKENIP'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('nohost')
+
+    get '/nic/update?hostname=foo.example.org&myip6=2001:db8::10'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('nohost')
+
+    get '/nic/update?hostname=foo.example.org&myip=1.2.3.40'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good 1.2.3.40')
   end
 end

spec/spec_helper.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
 
 require 'rubygems'
 require 'bundler/setup'
 require 'rack/test'
 
 require 'dyndnsd'
-require 'support/dummy_database'
-require 'support/dummy_updater'
+
+require_relative 'support/dummy_database'
+require_relative 'support/dummy_updater'

spec/support/dummy_database.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 
 require 'forwardable'
 
@@ -25,5 +26,3 @@ module Dyndnsd
     end
   end
 end
-
-      

spec/support/dummy_updater.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 
 module Dyndnsd
   module Updater