# Test stack — sandboxed CoreDNS + rfc2136 plugin

Brings up a parallel CoreDNS instance for smoke-testing the `git.supported.systems/rsp2k/coredns-rfc2136` plugin without touching the production stack on dell01.

## What this proves

- The custom CoreDNS image builds and links the plugin successfully.
- The plugin parses its Corefile directive at startup.
- Queries (SOA, A, TXT, etc.) flow through the `auto` plugin as normal (the rfc2136 plugin is transparent for non-UPDATE traffic).
- UPDATE messages signed with the configured TSIG key apply changes to the on-disk zone file.
- After an UPDATE, `dig` returns the new record (CoreDNS's `auto` plugin sees the mtime change and reloads within 5s).

## Quickstart

```bash
cd test/

# 1. Build + start. The build clones CoreDNS source and pulls the
#    plugin via `go get` -- expect ~2-3 min for the first build.
docker compose up -d --build

# 2. Sanity-check the apex SOA is served.
dig @127.0.0.1 -p 11053 test.example.com SOA +short

# 3. Push an UPDATE via nsupdate. The TSIG secret comes from .env.
#    `cut -f2-` keeps any trailing base64 '=' padding in the secret.
nsupdate -y "hmac-sha256:acme-update-key.:$(grep '^ACME_TSIG_SECRET=' .env | cut -d= -f2-)" <<'EOF'
server 127.0.0.1 11053
zone test.example.com
update add token.test.example.com 60 TXT "validation-token-1"
send
EOF

# 4. Wait ~5s for the auto plugin to reload, then verify.
sleep 6
dig @127.0.0.1 -p 11053 token.test.example.com TXT +short
# expected: "validation-token-1"

# 5. Inspect the updated zone file on disk.
cat zones/test.example.com.zone

# 6. Tear down when done.
docker compose down
```

## Files

| Path | Role |
|---|---|
| `Corefile` | Two plugins: `auto` (serves queries) + `rfc2136` (handles UPDATE) |
| `zones/test.example.com.zone` | The one test zone; rewritten by rfc2136 on UPDATE |
| `docker-compose.yml` | Standalone stack on ports 11053 / 19153 |
| `.env` | Isolated `COMPOSE_PROJECT_NAME` + a fixed throwaway TSIG secret |

## What this does NOT test

- TSIG cryptographic correctness against a malicious client. (Unit tests in the plugin's `tsig.go` + miekg/dns's own tests cover this.)
- Git auto-commit. We disable it here (`auto-commit false` in Corefile) because there's no git repo at `/zones` inside the container. That path gets exercised on dell01 in Phase 3.
- Caddy → caddy-dns/rfc2136 end-to-end cert issuance. (Phase 3.)

## Cleanup

```bash
docker compose down
git checkout -- zones/test.example.com.zone   # restore baseline
```
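
A coarse negative check to run against the sandbox while it is up, as an added example that is not part of the project: it sends one unsigned UPDATE and one signed with a random secret, then confirms neither record is served. It assumes the plugin is meant to refuse any UPDATE not signed with the configured key; the `neg-*` labels and function names are constructed here, and it does not replace the TSIG unit tests mentioned above.

```bash
#!/bin/sh
# Added example: negative TSIG smoke check for the test stack.
# Assumption: an unsigned or wrongly signed UPDATE must leave the zone unchanged.
SERVER=127.0.0.1 PORT=11053 ZONE=test.example.com

# Emit the nsupdate commands that add one TXT record under the test zone.
update_script() {   # $1 = label, $2 = TXT value
  printf 'server %s %s\nzone %s\nupdate add %s.%s 60 TXT "%s"\nsend\n' \
    "$SERVER" "$PORT" "$ZONE" "$1" "$ZONE" "$2"
}

# True when the TXT record for label $1 is visible through the query path.
txt_served() {
  [ -n "$(dig @"$SERVER" -p "$PORT" "$1.$ZONE" TXT +short)" ]
}

# One rejected-update case: $1 = label, remaining args = extra nsupdate options.
expect_rejected() {
  label=$1; shift
  update_script "$label" "must-not-appear" | nsupdate -t 10 "$@" >/dev/null 2>&1
  sleep 6   # same reload window the quickstart waits for
  if txt_served "$label"; then
    echo "FAIL: $label was accepted"; return 1
  fi
  echo "ok: $label rejected"
}

run_negative_checks() {
  # Guard against a false pass: an unreachable server also serves no record.
  if [ -z "$(dig @"$SERVER" -p "$PORT" "$ZONE" SOA +short)" ]; then
    echo "server not answering for $ZONE"; return 2
  fi
  wrong=$(head -c 32 /dev/urandom | base64)   # random secret, not the one in .env
  expect_rejected neg-unsigned &&
  expect_rejected neg-wrongkey -y "hmac-sha256:acme-update-key.:$wrong"
}

# Only touch the network when invoked as: sh negative-check.sh run
if [ "${1:-}" = run ]; then run_negative_checks; fi
```

If either case prints `FAIL`, the record was written to the zone file; the Cleanup step restores the baseline.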