docker: update alpine Docker tag to v3.23.0

Updates the requirements on [rubocop-rspec](https://github.com/rubocop/rubocop-rspec) to permit the latest version.
- [Release notes](https://github.com/rubocop/rubocop-rspec/releases)
- [Changelog](https://github.com/rubocop/rubocop-rspec/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop-rspec/compare/v3.7.0...v3.8.0)

---
updated-dependencies:
- dependency-name: rubocop-rspec
  dependency-version: 3.8.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.yml

@@ -0,0 +1,13 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "bundler"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "gems"
+    labels: ["dependabot"]
+    open-pull-requests-limit: 10
+    pull-request-branch-name:
+      separator: "-"

.github/renovate.json5

@@ -1,6 +1,6 @@
 {
   extends: [
-    "config:base",
+    "config:recommended",
     ":dependencyDashboard",
     ":prHourlyLimitNone",
     ":prConcurrentLimitNone",
@@ -20,6 +20,13 @@
       matchManagers: ["bundler"],
       enabled: false,
     },
+    // Only quarter update since noisy/stable tools
+    {
+      matchPackageNames: [
+        "aquasecurity/trivy",
+      ],
+      schedule: ["* 0-8 1 */3 *"],
+    },
     // Commit message formats
     {
       matchDatasources: ["docker"],
@@ -30,9 +37,10 @@
       commitMessagePrefix: "ci: ",
     },
   ],
-  regexManagers: [
+  customManagers: [
     {
-      fileMatch: ["\.rb$", "^Rakefile$"],
+      customType: "regex",
+      managerFilePatterns: ["/.rb$/", "/^Rakefile$/"],
       matchStrings: [
         "renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)\\s.*_version = '(?<currentValue>.*)'\\s"
       ]

.github/workflows/cd.yml

@@ -11,7 +11,7 @@ jobs:
   release-dockerimage:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
 
     - name: Extract dyndnsd version from tag name
       run: |
@@ -33,16 +33,16 @@ jobs:
 
     # https://github.com/marketplace/actions/build-and-push-docker-images
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@v3
 
     - name: Login to Docker Hub
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         username: cmur2
         password: ${{ secrets.DOCKER_TOKEN }}
 
     - name: Build and push Docker image for dyndnsd ${{ env.DYNDNSD_VERSION }}
-      uses: docker/build-push-action@v3
+      uses: docker/build-push-action@v6
       with:
         context: docker
         build-args: |

.github/workflows/ci.yml

@@ -15,14 +15,15 @@ jobs:
   build:
     runs-on: ubuntu-latest
     strategy:
+      fail-fast: false
       matrix:
         ruby-version:
-        - '2.7'
-        - '3.0'
         - '3.1'
         - '3.2'
+        - '3.3'
+        - '3.4'
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: Set up Ruby ${{ matrix.ruby-version }}
       uses: ruby/setup-ruby@v1
       with:
@@ -36,9 +37,19 @@ jobs:
   actionlint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: Check workflow files
       run: |
         echo "::add-matcher::.github/actionlint-matcher.json"
         bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
         ./actionlint
+
+  renovate-config-validator:
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/renovatebot/renovate
+      options: --user root
+    steps:
+    - uses: actions/checkout@v6
+    - name: Check Renovate config
+      run: renovate-config-validator --strict

.github/workflows/vulnscan.yml

@@ -1,10 +1,9 @@
-# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 ---
 name: vulnscan
 
 on:
   schedule:
-  - cron: '7 4 * * 4'  # weekly on thursday morning
+  - cron: '7 4 1 * *'  # monthly on first day's morning
   workflow_dispatch:
 
 jobs:
@@ -36,7 +35,7 @@ jobs:
           for image in $ALL_IMAGES; do
             if [[ "$image" = cmur2/dyndnsd:v$major_version.* ]]; then
               echo -e "\nScanning newest patch release $image of major v$major_version...\n"
-              if ! trivy image --skip-update --exit-code 1 "$image"; then
+              if ! trivy image --skip-db-update --scanners vuln --exit-code 1 "$image"; then
                 EXIT_CODE=1
               fi
               break

.rubocop.yml

@@ -1,11 +1,14 @@
-require:
+plugins:
 - rubocop-rake
 - rubocop-rspec
 
 AllCops:
-  TargetRubyVersion: '2.7'
+  TargetRubyVersion: '3.0'
   NewCops: enable
 
+Gemspec/DevelopmentDependencies:
+  EnforcedStyle: gemspec
+
 Gemspec/RequireMFA:
   Enabled: false
 

CHANGELOG.md

@@ -1,5 +1,58 @@
 # Changelog
 
+## 3.12.0 (December 4th, 2025)
+
+IMPROVEMENTS:
+
+- regex instead of hosts list can be used for hostname ownership
+
+## 3.11.0 (October 2nd, 2025)
+
+IMPROVEMENTS:
+
+- add Ruby 3.4 support
+- update base of Docker image to Alpine 3.22.1 (from 3.19.0 before)
+
+## 3.10.0 (January 18th, 2024)
+
+IMPROVEMENTS:
+
+- add Ruby 3.3 support
+
+OTHER:
+
+- update base of Docker image to Alpine 3.19.0 (from 3.18.3 before)
+
+## 3.9.2 (August 10th, 2023)
+
+OTHER:
+
+- update base of Docker image to Alpine 3.18.3 (from 3.18.2 before)
+
+## 3.9.1 (July 6, 2023)
+
+OTHER:
+
+- update base of Docker image to Alpine 3.18.2 (from 3.18.0 before)
+
+## 3.9.0 (June 8, 2023)
+
+IMPROVEMENTS:
+
+- Drop EOL Ruby 2.7 support, now minimum version supported is Ruby 3.0
+
+## 3.8.2 (April 1st, 2023)
+
+OTHER:
+
+- update base of Docker image to Alpine 3.17.3 (from 3.17.2 before)
+
+## 3.8.1 (March 2nd, 2023)
+
+OTHER:
+
+- update base of Docker image to Alpine 3.17.2 (from 3.17.1 before)
+
 ## 3.8.0 (January 13th, 2023)
 
 IMPROVEMENTS:

README.md

@@ -1,6 +1,6 @@
 # dyndnsd.rb
 
-![ci](https://github.com/cmur2/dyndnsd/workflows/ci/badge.svg) [![Dependencies](https://badges.depfu.com/badges/4f25da8493f7a29f652ac892fbf9227b/overview.svg)](https://depfu.com/github/cmur2/dyndnsd)
+![ci](https://github.com/cmur2/dyndnsd/workflows/ci/badge.svg)
 
 A small, lightweight and extensible DynDNS server written with Ruby and Rack.
 
@@ -307,6 +307,37 @@ users:
 ```
 
 
+### Matching with a regular expression
+
+Instead of relying on `hosts`, you can use `regex` to employ a regular expression, which is very useful for avoiding having to repeatedly edit the configuration file to register a new host name.
+
+```yaml
+host: "0.0.0.0"
+port: 5354
+username: "dyndnsd"
+group: "dyndnsd"
+db: "/dyndnsd/db.json"
+debug: false
+domain: "dyn.dc-air.home.arpa"
+updater:
+  name: "command_with_bind_zone"
+  params:
+    zone_file: "/nsd/zones/static/dyn.dc-air.home.arpa.zone"
+    command: "doas service nsd reload"
+    ttl: "5m"
+    dns: "ns.dc-air.home.arpa."
+    email_addr: "admin.example.org"
+users:
+  myuser:
+    password: "superhypermegas3kurepassword1234"
+    regex: '^[a-z][0-9]\.dyn\.dc\-air\.home\.arpa$'
+```
+
+However, when using `regex`, `hosts` is simply ignored if defined, so you must choose one or the other. Recommendation: use `regex` for scripts or programs and `hosts` for regular users.
+
+**Note**: Please note that when dyndnsd evaluates the regular expression, the `Regexp::EXTENDED` and `Regexp::IGNORECASE` options are used.
+
+
 ## License
 
 dyndnsd.rb is licensed under the Apache License, Version 2.0. See LICENSE for more information.

Rakefile

@@ -3,29 +3,20 @@
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 require 'rubocop/rake_task'
-require 'bundler/audit/task'
 
 RSpec::Core::RakeTask.new(:spec)
 RuboCop::RakeTask.new
-Bundler::Audit::Task.new
 
 desc 'Run experimental solargraph type checker'
 task :solargraph do
   sh 'solargraph typecheck'
 end
 
-namespace :solargraph do
-  desc 'Should be run by developer once to prepare initial solargraph usage (fill caches etc.)'
-  task :init do
-    sh 'solargraph download-core'
-  end
-end
-
 # renovate: datasource=github-tags depName=hadolint/hadolint
-hadolint_version = 'v2.12.0'
+hadolint_version = 'v2.14.0'
 
 # renovate: datasource=github-tags depName=aquasecurity/trivy
-trivy_version = 'v0.36.1'
+trivy_version = 'v0.67.0'
 
 namespace :docker do
   ci_image = 'cmur2/dyndnsd:ci'
@@ -57,7 +48,7 @@ namespace :docker do
       chmod a+w e2e/db.json
     SCRIPT
     sh "docker run -d --name=dyndnsd-ci -v $(pwd)/e2e:/etc/dyndnsd -p 8080:8080 -p 5353:5353 #{ci_image}"
-    sh 'sleep 1'
+    sh 'sleep 5'
     puts '----------------------------------------'
     # `dig` needs `sudo apt-get install -y -q dnsutils`
     sh <<~SCRIPT
@@ -75,7 +66,14 @@ namespace :docker do
   end
 end
 
-task default: [:rubocop, :spec, 'bundle:audit', :solargraph]
+namespace :bundle do
+  desc 'Check for vulnerabilities with bundler-audit'
+  task :audit do
+    sh 'bundler-audit check --ignore GHSA-vvfq-8hwr-qm4m' if !RUBY_VERSION.start_with?('3.0')
+  end
+end
+
+task default: [:rubocop, :spec, 'bundle:audit']
 
 desc 'Run all tasks desired for CI'
-task ci: ['solargraph:init', :default, 'docker:lint', :build, 'docker:build', 'docker:e2e']
+task ci: [:default, 'docker:lint', :build, 'docker:build', 'docker:e2e']

docker/Dockerfile

@@ -1,11 +1,11 @@
-FROM alpine:3.17.1
+FROM alpine:3.23.0
 
 EXPOSE 5353 8080
 
 ARG DYNDNSD_VERSION
 
 RUN apk --no-cache add openssl ca-certificates && \
-    apk --no-cache add ruby ruby-etc ruby-io-console ruby-json ruby-webrick && \
+    apk --no-cache add ruby ruby-webrick && \
     apk --no-cache add --virtual .build-deps linux-headers ruby-dev build-base tzdata && \
     gem install --no-document dyndnsd -v ${DYNDNSD_VERSION} && \
     rm -rf /usr/lib/ruby/gems/*/cache/ && \

docker/ci/Dockerfile

@@ -1,11 +1,11 @@
-FROM alpine:3.17.1
+FROM alpine:3.23.0
 
 EXPOSE 5353 8080
 
 COPY pkg/dyndnsd-*.gem /tmp/dyndnsd.gem
 
 RUN apk --no-cache add openssl ca-certificates && \
-    apk --no-cache add ruby ruby-etc ruby-io-console ruby-json ruby-webrick && \
+    apk --no-cache add ruby ruby-webrick && \
     apk --no-cache add --virtual .build-deps linux-headers ruby-dev build-base tzdata && \
     gem install --no-document /tmp/dyndnsd.gem && \
     rm -rf /usr/lib/ruby/gems/*/cache/ && \

dyndnsd.gemspec

@@ -25,25 +25,27 @@ Gem::Specification.new do |s|
   s.executables = ['dyndnsd']
   s.extra_rdoc_files = Dir['README.md', 'CHANGELOG.md', 'LICENSE']
 
-  s.required_ruby_version = '>= 2.7'
+  s.required_ruby_version = '>= 3.0'
 
-  s.add_runtime_dependency 'async', '~> 1.30.0'
+  s.add_dependency 'async', '~> 1.31.0'
-  s.add_runtime_dependency 'async-dns', '~> 1.3.0'
+  s.add_dependency 'async-dns', '~> 1.3.0'
-  s.add_runtime_dependency 'metriks'
+  s.add_dependency 'base64', '~> 0.2.0' # needed for async
-  s.add_runtime_dependency 'opentelemetry-exporter-jaeger', '~> 0.22.0'
+  s.add_dependency 'logger', '>= 1.6', '< 1.8'
-  s.add_runtime_dependency 'opentelemetry-instrumentation-rack', '~> 0.22.0'
+  s.add_dependency 'metriks'
-  s.add_runtime_dependency 'opentelemetry-sdk', '~> 1.2.0'
+  s.add_dependency 'opentelemetry-exporter-jaeger', '~> 0.22.0'
-  s.add_runtime_dependency 'rack', '~> 3.0'
+  s.add_dependency 'opentelemetry-instrumentation-rack', '~> 0.22.0'
-  s.add_runtime_dependency 'rackup'
+  s.add_dependency 'opentelemetry-sdk', '~> 1.2.0'
-  s.add_runtime_dependency 'webrick', '>= 1.6.1'
+  s.add_dependency 'rack', '~> 3.0'
+  s.add_dependency 'rackup', '~> 2'
+  s.add_dependency 'webrick', '>= 1.6.1'
 
   s.add_development_dependency 'bundler'
   s.add_development_dependency 'bundler-audit', '~> 0.9.0'
   s.add_development_dependency 'rack-test'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rspec'
-  s.add_development_dependency 'rubocop', '~> 1.43.0'
+  s.add_development_dependency 'rubocop', '~> 1.81.1'
-  s.add_development_dependency 'rubocop-rake', '~> 0.6.0'
+  s.add_development_dependency 'rubocop-rake', '~> 0.7.1'
-  s.add_development_dependency 'rubocop-rspec', '~> 2.16.0'
+  s.add_development_dependency 'rubocop-rspec', '~> 3.8.0'
-  s.add_development_dependency 'solargraph', '~> 0.48.0'
+  s.add_development_dependency 'solargraph', '~> 0.55.0'
 end

lib/dyndnsd.rb

@@ -107,7 +107,7 @@ module Dyndnsd
       puts "DynDNSd version #{Dyndnsd::VERSION}"
       puts "Using config file #{config_file}"
 
-      config = YAML.safe_load(File.read(config_file))
+      config = YAML.safe_load_file(config_file)
 
       setup_logger(config)
 
@@ -138,7 +138,7 @@ module Dyndnsd
     # @param params [Hash{String => String}]
     # @return [Array<String>]
     def extract_v4_and_v6_address(params)
-      return [] if !(params['myip'])
+      return [] if !params['myip']
       begin
         IPAddr.new(params['myip'], Socket::AF_INET)
         IPAddr.new(params['myip6'], Socket::AF_INET6)
@@ -207,7 +207,7 @@ module Dyndnsd
       params = Rack::Utils.parse_query(env['QUERY_STRING'])
 
       # require hostname parameter
-      return [422, {'X-DynDNS-Response' => 'hostname_missing'}, []] if !(params['hostname'])
+      return [422, {'X-DynDNS-Response' => 'hostname_missing'}, []] if !params['hostname']
 
       hostnames = params['hostname'].split(',')
 
@@ -218,9 +218,22 @@ module Dyndnsd
       # we can trust this information since user was authorized by middleware
       user = env['REMOTE_USER']
 
-      # check for hostnames that the user does not own
+      if @users[user].key?('regex')
-      forbidden_hostnames = hostnames - @users[user].fetch('hosts', [])
+        pattern = @users[user].fetch('regex')
-      return [422, {'X-DynDNS-Response' => 'host_forbidden'}, []] if forbidden_hostnames.any?
+        begin
+          regex = Regexp.new(pattern, Regexp::IGNORECASE | Regexp::EXTENDED)
+        rescue RegexpError => e
+          Dyndnsd.logger.warn "Invalid regex pattern '#{pattern}': #{e.message}"
+          return [422, {'X-DynDNS-Response' => 'host_forbidden'}, []]
+        end
+        # check for hostnames that match the regex
+        matches = hostnames.any? { |str| regex.match?(str) }
+        return [422, {'X-DynDNS-Response' => 'host_forbidden'}, []] if !matches
+      else
+        # check for hostnames that the user does not own
+        forbidden_hostnames = hostnames - @users[user].fetch('hosts', [])
+        return [422, {'X-DynDNS-Response' => 'host_forbidden'}, []] if forbidden_hostnames.any?
+      end
 
       if params['offline'] == 'YES'
         myips = []

lib/dyndnsd/updater/zone_transfer_server.rb

@@ -89,7 +89,7 @@ module Dyndnsd
       # @return [Array{Array{Object}}]
       def self.parse_endpoints(endpoint_list)
         endpoint_list.map { |addr_string| addr_string.split('@') }
-                     .map { |addr_parts| [addr_parts[0], addr_parts[1].to_i || 53] }
+                     .map { |addr_parts| [addr_parts[0], addr_parts[1]&.to_i || 53] }
                      .map { |addr| [:tcp, :udp].map { |type| [type] + addr } }
                      .flatten(1)
       end

lib/dyndnsd/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dyndnsd
-  VERSION = '3.8.0'
+  VERSION = '3.12.0'
 end

spec/dyndnsd/daemon_spec.rb

@@ -18,6 +18,10 @@ describe Dyndnsd::Daemon do
         },
         'test2' => {
           'password' => 'ihavenohosts'
+        },
+        'test3' => {
+          'password' => 'superhypermegas3kurepassword1234',
+          'regex' => '^[a-z0-9]+-test3\.example\.org$'
         }
       }
     }
@@ -74,6 +78,22 @@ describe Dyndnsd::Daemon do
     expect(last_response.body).to eq("good 2001:db8::1\ngood 2001:db8::1")
   end
 
+  it 'supports regex matches for hostnames' do
+    authorize 'test3', 'superhypermegas3kurepassword1234'
+
+    get '/nic/update?hostname=abc123-test3.example.org&myip=1.2.3.4'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('good 1.2.3.4')
+
+    get '/nic/update?hostname=foo-test3.example.org,bar-test3.example.org&myip=2001:db8::1'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq("good 2001:db8::1\ngood 2001:db8::1")
+
+    get '/nic/update?hostname=abc123.example.org'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('nohost')
+  end
+
   it 'rejects request if one hostname is invalid' do
     authorize 'test', 'secret'
 
@@ -120,6 +140,10 @@ describe Dyndnsd::Daemon do
     get '/nic/update?hostname=foo.example.org,notmyhost.example.org'
     expect(last_response).to be_ok
     expect(last_response.body).to eq('nohost')
+
+    get '/nic/update?hostname=abc123-test3.example.org'
+    expect(last_response).to be_ok
+    expect(last_response.body).to eq('nohost')
   end
 
   it 'updates a host on IP change' do