Zion Boggan zionboggan.com ↗

Accept 503 as a valid fail-closed DNS event response

A registry that has no OVERSIGHT_DNS_EVENT_SECRET configured and
receives a non-loopback callback returns 503 with an explanatory
message, which is the documented fail-closed behavior from the
v0.4.4 hardening. The conformance check previously accepted only
200 or 401 and falsely flagged conforming deployments. Accept 503
as well; the invariant is that a wrong secret from a public IP
must not silently succeed.
3b84915   Zion Boggan committed on Apr 22, 2026 (2 months ago)
tests/test_registry_conformance.py +7 -4
@@ -267,12 +267,15 @@ def check_dns_event_requires_secret(cli: Client) -> None:
json={"token_id": token, "client_ip": "198.51.100.8", "qtype": "A", "qname": "x.example"},
headers={"X-Oversight-DNS-Secret": "wrong-secret"},
)
- # A registry with a configured secret must either require it (401) or
- # treat loopback-equivalent callers as trusted (200). Silent success with
- # a *wrong* secret and a *public* client_ip is a conformance failure.
+ # A conforming registry must fail closed on a non-loopback caller
+ # without valid auth. 401 means "secret configured but wrong", 503
+ # means "no secret configured and caller is non-loopback, refuse",
+ # 200 means "loopback-equivalent caller was trusted". Silent success
+ # with a wrong secret and a public client_ip is the only outcome that
+ # fails the spec.
check(
"dns-event-auth-enforced",
- r.status_code in (200, 401),
+ r.status_code in (200, 401, 503),
f"status={r.status_code}",
)
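Review bot: The assertion `r.status_code in (200, 401, 503)` still passes on 200 even though the request above it sends `wrong-secret` with a public `client_ip`, so the check cannot flag the silent success that the new comment calls the only outcome that fails the spec. Consider accepting 200 only when the test client is known to reach the registry as a loopback-equivalent caller, and requiring 401 or 503 otherwise. Accepting a bare 503 also lets an unrelated outage or proxy error count as conforming; asserting on the explanatory message the registry returns in the fail-closed case would separate the two.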