<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Man Pages :: Gonemaster</title><link>https://pawal.codeberg.page/gonemaster/man/index.html</link><description>These are the gonemaster man pages in rendered form. The canonical format is the compiled man page installed with the binary.</description><generator>Hugo</generator><language>en-us</language><atom:link href="https://pawal.codeberg.page/gonemaster/man/index.xml" rel="self" type="application/rss+xml"/><item><title>gonemaster-client(1)</title><link>https://pawal.codeberg.page/gonemaster/man/gonemaster-client.1/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://pawal.codeberg.page/gonemaster/man/gonemaster-client.1/index.html</guid><description>NAME gonemaster-client - HTTP API client for gonemaster-server
SYNOPSIS gonemaster-client [GLOBAL OPTIONS] COMMAND [COMMAND OPTIONS]
DESCRIPTION gonemaster-client interacts with a running gonemaster-server instance via its REST API. It can submit test jobs, monitor progress, retrieve results, manage the job queue, and query the domain/tag/run/entry analysis APIs.
GLOBAL OPTIONS --server URL Base API URL (default: http://localhost:8080/api/v1). --timeout DURATION HTTP request timeout (default: 30s). --format FORMAT Output format: pretty, json, or json-stream (default: pretty). --output PATH Write output to a file instead of stdout. --locale LOCALE Locale for translated messages (default: en). --no-color Disable ANSI colors in pretty output. --header NAME:VALUE Extra HTTP header (repeatable). --version Print version and exit. COMMANDS jobs create Submit a single test job.</description></item><item><title>gonemaster-nagios(1)</title><link>https://pawal.codeberg.page/gonemaster/man/gonemaster-nagios.1/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://pawal.codeberg.page/gonemaster/man/gonemaster-nagios.1/index.html</guid><description>NAME gonemaster-nagios - Nagios/Icinga plugin for DNS zone testing
SYNOPSIS gonemaster-nagios -H DOMAIN [OPTIONS]
DESCRIPTION gonemaster-nagios wraps the gonemaster engine as a Nagios-compatible plugin. It maps DNS test severity levels to Nagios exit codes, making it suitable for use with Nagios, Icinga, Sensu, and similar monitoring systems.
OPTIONS -H, --hostname DOMAIN Zone name to test (preferred). -d, --domain DOMAIN DNS-specific alias for the zone name. -w, --warning LEVEL Highest Gonemaster severity that should map to Nagios WARNING. Default: WARNING. -c, --critical LEVEL Highest Gonemaster severity that should map to Nagios CRITICAL. Default: ERROR. -t, --timeout SECONDS Plugin runtime deadline in seconds. A timeout returns UNKNOWN. --module MODULE Run only the named module. --testcase TESTCASE Run only the named testcase. May be repeated to run several testcases, optionally across modules: --testcase consistency04 --testcase delegation07. Names are case-insensitive. --profile PATH Load a custom profile from a JSON or YAML file. --no-ipv4 Disable IPv4 queries. --no-ipv6 Disable IPv6 queries. --force-ipv6 Force IPv6 queries. --source-addr4 IPADDR Source IPv4 address for outgoing queries. --source-addr6 IPADDR Source IPv6 address for outgoing queries. --grade-warning GRADE Grade that triggers Nagios WARNING. When the computed domain grade is at or worse than GRADE, the plugin exits with status 1 (WARNING). Valid values (best to worst): A+, A, B, C, D, F. When set, grade and score are appended to the output line. The grade check runs in addition to the severity check; the worst result wins. --grade-critical GRADE Grade that triggers Nagios CRITICAL. When the computed domain grade is at or worse than GRADE, the plugin exits with status 2 (CRITICAL). Must be a worse grade than --grade-warning when both are supplied. -v, --verbose Increase output verbosity (use -v, -vv, or -vvv). -V, --version Print version and exit. -h, --help Show help and exit. COMPATIBILITY ALIASES --ipv6 Alias for --force-ipv6. --disable-ipv4 Alias for --no-ipv4. --disable-ipv6 Alias for --no-ipv6. --sourceaddr4 Alias for --source-addr4. --sourceaddr6 Alias for --source-addr6. EXIT STATUS 0 (OK) Highest severity stayed below --warning. 1 (WARNING) Highest severity reached --warning but stayed below --critical. 2 (CRITICAL) Highest severity reached --critical.
3 (UNKNOWN) Runtime error, timeout, or missing/invalid required options. VERBOSITY LEVELS -v Show WARNING, ERROR, and CRITICAL results. -vv Also show NOTICE results. -vvv Also show INFO results. SEVERITY VALUES Valid threshold values for --warning and --critical are: DEBUG3, DEBUG2, DEBUG, INFO, NOTICE, WARNING, ERROR, and CRITICAL.</description></item><item><title>gonemaster-server(1)</title><link>https://pawal.codeberg.page/gonemaster/man/gonemaster-server.1/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://pawal.codeberg.page/gonemaster/man/gonemaster-server.1/index.html</guid><description>NAME gonemaster-server - HTTP API server for DNS zone testing
SYNOPSIS gonemaster-server [OPTIONS]
DESCRIPTION gonemaster-server runs a persistent HTTP server that accepts DNS zone test requests via a REST API. It manages a job queue, worker pool, and optional persistent storage. A web UI is embedded by default.
Configuration is resolved in order: defaults, JSON config file, environment variables, CLI flags. Later sources override earlier ones.
OPTIONS General --config PATH Load configuration from a JSON file. --listen ADDR Address to listen on (default: 127.0.0.1:8080). --max-body-size BYTES Maximum request body size (default: 1048576). --debug Enable request/response logging. --shutdown-timeout DURATION Graceful shutdown timeout (default: 10s). --dump-config Print effective configuration as JSON and exit. --version Print version information and exit. Concurrency --workers N Number of worker goroutines (default: 4). --max-concurrent-jobs N Maximum concurrent engine runs (0 = unlimited). Resolver --profile PATH Load a custom profile from a JSON or YAML file. --timeout SECONDS Query timeout in seconds. --retry N Number of query retries. --retrans SECONDS Retransmission interval in seconds. --fallback Enable TCP fallback on UDP failure. --no-fallback Disable TCP fallback on UDP failure. --sourceaddr4 IPADDR Source IPv4 address for outgoing queries. --sourceaddr6 IPADDR Source IPv6 address for outgoing queries. --positive-cache-ttl SECONDS Cache positive DNS responses for this duration. --negative-cache-ttl SECONDS Cache negative DNS responses for this duration. Database --db-driver DRIVER Storage backend: memory (default), sqlite, postgres, or mariadb. --db-dsn DSN SQLite file path or database connection string. --db-retention-days N Delete completed jobs older than N days on an hourly schedule. 0 (default) disables automatic purging. Reverse proxy --trusted-proxy-cidrs LIST Comma-separated CIDRs (or bare IPs) of reverse proxies allowed to set X-Forwarded-For. Default empty: trust nothing, attribute every request to its RemoteAddr. Without this, a direct-exposed server (or one behind a proxy that does not strip incoming XFF) is vulnerable to XFF spoofing - an attacker rotates the header to bypass per-IP rate limits or pin them on a victim. Set to the CIDR of your reverse proxy when one is in front. Example: --trusted-proxy-cidrs 127.0.0.1/32,10.0.0.0/8.
HTTP timeouts --read-timeout DURATION Per-connection read timeout (default: 30s). Caps slow / stalled request bodies (slowloris). --write-timeout DURATION Per-connection write timeout (default: 60s). Caps slow / stalled responses. Must exceed --public-api-analysis-request-timeout (default 10s) so legitimate long analysis responses can complete; widen if you have raised the analysis timeout. --idle-timeout DURATION Idle keep-alive timeout (default: 60s). Public API --public-api-rate-limit-enabled Enable per-IP rate limiting on POST /pub/api/v1/jobs (default: disabled). Required for internet-facing deployments: without it, anyone can fill the job queue from a single IP and starve legitimate users. --public-api-rate-limit-max N Maximum job submissions per IP per window (default: 10). --public-api-rate-limit-window DURATION Sliding window for rate limiting, e.g. 5m or 1h (default: 10m). --public-api-allow-private-undelegated-ip Allow undelegated nameserver IPs in loopback / link-local / private / CGNAT / multicast / broadcast ranges on POST /pub/api/v1/jobs (default: refused). Internet-facing deployments must leave this off so the public API cannot be used as an internal-network SSRF probe via the engine’s outbound DNS queries. Enable on private/internal deployments that legitimately need to test such targets. Output --min-level LEVEL Minimum result log level (default: INFO). ENVIRONMENT GONEMASTER_LISTEN Equivalent to --listen. GONEMASTER_WORKER_COUNT Equivalent to --workers. GONEMASTER_MAX_CONCURRENT_JOBS Equivalent to --max-concurrent-jobs. GONEMASTER_MIN_LEVEL Equivalent to --min-level. GONEMASTER_PROFILE Equivalent to --profile. GONEMASTER_DEBUG Equivalent to --debug. GONEMASTER_DB_DRIVER Equivalent to --db-driver. GONEMASTER_DB_DSN Equivalent to --db-dsn. GONEMASTER_DB_RETENTION_DAYS Equivalent to --db-retention-days. GONEMASTER_PUBLIC_API_RATE_LIMIT_ENABLED Equivalent to --public-api-rate-limit-enabled. GONEMASTER_PUBLIC_API_RATE_LIMIT_MAX Equivalent to --public-api-rate-limit-max.
GONEMASTER_PUBLIC_API_RATE_LIMIT_WINDOW Equivalent to --public-api-rate-limit-window. GONEMASTER_PUBLIC_API_ALLOW_PRIVATE_UNDELEGATED_IP Equivalent to --public-api-allow-private-undelegated-ip. GONEMASTER_TRUSTED_PROXY_CIDRS Equivalent to --trusted-proxy-cidrs. GONEMASTER_READ_TIMEOUT Equivalent to --read-timeout. GONEMASTER_WRITE_TIMEOUT Equivalent to --write-timeout. GONEMASTER_IDLE_TIMEOUT Equivalent to --idle-timeout. CONFIG FILE The --config file is JSON with optional fields:</description></item><item><title>gonemaster(1)</title><link>https://pawal.codeberg.page/gonemaster/man/gonemaster.1/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://pawal.codeberg.page/gonemaster/man/gonemaster.1/index.html</guid><description>NAME gonemaster - DNS zone testing engine
SYNOPSIS gonemaster [OPTIONS] DOMAIN
DESCRIPTION gonemaster runs a comprehensive suite of DNS tests against a domain zone, checking delegation, DNSSEC, nameserver behavior, zone configuration, and more. Results are printed with severity levels and can be output in several formats.
OPTIONS Target --domain DOMAIN Zone name to test (also accepted as a positional argument). --module MODULE Run only the named module (e.g., dnssec, nameserver). --testcase TESTCASE Run only the named testcase (e.g., dnssec20). May be repeated to run several testcases, optionally across modules: --testcase consistency04 --testcase delegation07. Names are case-insensitive. --profile PATH Load a custom profile from a JSON or YAML file. Output --min-level LEVEL Minimum severity level to display (default: NOTICE). --stop-level LEVEL Stop after the first entry at or above this level. --locale LOCALE Locale for translated output messages. --output PATH Write output to a file instead of stdout. --raw Stream raw log entries. --json Print results as a JSON array. --json-stream Stream results as newline-delimited JSON. --count Print a summary count by level and message tag. --nstimes Print per-nameserver query timing statistics (max, min, avg, stddev, median, total, count), sorted by nameserver name, address, then median query time. When combined with --json, the output is wrapped as a JSON object with keys entries and nameserver_timings instead of a bare array. --no-progress Disable the progress indicator. Resolver --no-ipv4 Disable IPv4 queries. --no-ipv6 Disable IPv6 queries. --ipv6 Force IPv6 queries. --parallel N Number of parallel queries per nameserver. --timeout SECONDS Query timeout in seconds. --retry N Number of query retries. --retrans SECONDS Retransmission interval in seconds. --fallback Enable TCP fallback on UDP failure. --no-fallback Disable TCP fallback on UDP failure. --sourceaddr4 IPADDR Source IPv4 address for outgoing queries. --sourceaddr6 IPADDR Source IPv6 address for outgoing queries. Cache --save PATH Write DNS packet cache to file after the run. --restore PATH Prime DNS packet cache from file before the run. --error-cache-ttl SECONDS Skip query retry after network errors for this duration. --positive-cache-ttl SECONDS Cache positive DNS responses for this duration.
--negative-cache-ttl SECONDS Cache negative DNS responses for this duration. Undelegated Testing --ns NAME[/IP] Specify an undelegated nameserver (repeatable). --ds KEYTAG,ALGORITHM,DIGTYPE,DIGEST Specify undelegated DS data (repeatable). Utility --badkeys-update Download the badkeys blocklist and exit. --badkeys-path PATH Override the badkeys blocklist directory. --dump-profile Print the effective profile as JSON and exit. --list-tests List all available test cases and exit. --version Print version information and exit. EXIT STATUS 0 All tests passed. 2 Usage or runtime error. 130 Interrupted (SIGINT/SIGTERM). EXAMPLES Test a domain with default settings:</description></item></channel></rss>