Refactoring (#325)

* Refactor core * Re-added tests * Small fixes * Add tests for acmetxt cidrslice and util funcs * Remove the last dangling reference to old logging package * Refactoring (#327) * chore: enable more linters and fix linter issues * ci: enable linter checks on all branches and disable recurring checks recurring linter checks don't make that much sense. The code & linter checks should not change on their own over night ;) * chore: update packages * Revert "chore: update packages" This reverts commit 30250bf28c4b39e9e5b3af012a4e28ab036bf9af. * chore: manually upgrade some packages * Updated dependencies, wrote changelog entry and fixed namespace for release * Refactoring - improving coverage (#371) * Increase code coverage in acmedns * More testing of ReadConfig() and its fallback mechanism * Found that if someone put a '"' double quote into the filename that we configure zap to log to, it would cause the the JSON created to be invalid. I have replaced the JSON string with proper config * Better handling of config options for api.TLS - we now error on an invalid value instead of silently failing. added a basic test for api.setupTLS() (to increase test coverage) * testing nameserver isOwnChallenge and isAuthoritative methods * add a unit test for nameserver answerOwnChallenge * fix linting errors * bump go and golangci-lint versions in github actions * Update golangci-lint.yml Bumping github-actions workflow versions to accommodate some changes in upstream golanci-lint * Bump Golang version to 1.23 (currently the oldest supported version) Bump golanglint-ci to 2.0.2 and migrate the config file. This should resolve the math/rand/v2 issue * bump golanglint-ci action version * Fixing up new golanglint-ci warnings and errors --------- Co-authored-by: Joona Hoikkala <5235109+joohoi@users.noreply.github.com> * Minor refactoring, error returns and e2e testing suite * Add a few tests * Fix linter and umask setting * Update github actions * Refine concurrency configuration for GitHub actions * HTTP timeouts to API, and self-validation mutex to nameserver ops --------- Co-authored-by: Florian Ritterhoff <32478819+fritterhoff@users.noreply.github.com> Co-authored-by: Jason Playne <jason@jasonplayne.com>
2026-02-05 16:04:15 +02:00 · 2026-02-05 16:04:15 +02:00 · 5a7bc230b8
commit 5a7bc230b8
parent b7a0a8a7bc
57 changed files with 2761 additions and 1945 deletions
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@ -0,0 +1,25 @@
+name: E2E Tests
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref_name != 'master' }}
+
+jobs:
+  e2e-tests:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Run E2E Tests
+      run: |
+        cd test/e2e
+        docker compose up --build --abort-on-container-exit --exit-code-from tester
--- a/.github/workflows/go_cov.yml
+++ b/.github/workflows/go_cov.yml
@ -1,25 +1,31 @@
-name: Go
+name: Go Coverage
+
 on:
  push:
+    branches: [ master ]
  pull_request:
+    branches: [ master ]
  schedule:
-    # Run every 12 hours, at the 15 minute mark. E.g.
-    # 2020-11-29 00:15:00 UTC, 2020-11-29 12:15:00 UTC, 2020-11-30 00:15:00 UTC
-    - cron:  '15 */12 * * *'
-jobs:
+    - cron: '15 */12 * * *'

-  build:
-    name: Build and Unit Test
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref_name != 'master' }}
+
+jobs:
+  test:
+    name: Build and Test
    runs-on: ubuntu-latest
+    timeout-minutes: 10
    steps:
+      - name: Check out code
+        uses: actions/checkout@v4

      - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
        with:
-          go-version: ^1.13
-
-      - name: Check out code
-        uses: actions/checkout@v2
+          go-version: '1.23'
+          cache: true

      - name: Build
        run: go build -v ./...
@ -27,7 +33,8 @@ jobs:
      - name: Test
        run: go test -v -race -covermode=atomic -coverprofile=coverage.out ./...

-      - name: Upload Coverage
-        uses: shogo82148/actions-goveralls@v1
+      - name: Send coverage
+        uses: coverallsapp/github-action@v2
        with:
-          path-to-profile: coverage.out
+          file: coverage.out
+          format: golang
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@ -1,29 +1,29 @@
 name: golangci-lint
 on:
  push:
-    tags:
-      - v*
-    branches:
-      - main
-      - master
+    branches: [ master ]
  pull_request:
+    branches: [ master ]

-permissions:
-  contents: read
-  # Optional: allow read access to pull request. Use with `only-new-issues` option.
-  # pull-requests: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref_name != 'master' }}

 jobs:
  golangci:
    name: lint
    runs-on: ubuntu-latest
+    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - name: Setup Go
+        uses: actions/setup-go@v5
        with:
-          go-version: stable
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+          go-version: 1.23
+
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@v7
        with:
-          version: v1.60
-          args: --timeout=10m
+          version: v2.0.2
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -0,0 +1,30 @@
+version: "2"
+linters:
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/acme-dns/acme-dns
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,5 @@
+{
+    "gopls": {
+        "formatting.local": "github.com/acme-dns/acme-dns"
+    }
+}
--- a/README.md
+++ b/README.md
@ -339,7 +339,11 @@ use for the renewal.


 ## Changelog
-
+- v1.0 
+   - New
+      - Refactoring of the codebase to something more robust
+   - Changed
+      - Updated dependencies
 - v0.8
   - NOTE: configuration option: "api_domain" deprecated!
   - New
--- a/acmetxt.go
+++ b/acmetxt.go
@ -1,93 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"net"
-
-	"github.com/google/uuid"
-	log "github.com/sirupsen/logrus"
-)
-
-// ACMETxt is the default structure for the user controlled record
-type ACMETxt struct {
-	Username uuid.UUID
-	Password string
-	ACMETxtPost
-	AllowFrom cidrslice
-}
-
-// ACMETxtPost holds the DNS part of the ACMETxt struct
-type ACMETxtPost struct {
-	Subdomain string `json:"subdomain"`
-	Value     string `json:"txt"`
-}
-
-// cidrslice is a list of allowed cidr ranges
-type cidrslice []string
-
-func (c *cidrslice) JSON() string {
-	ret, _ := json.Marshal(c.ValidEntries())
-	return string(ret)
-}
-
-func (c *cidrslice) isValid() error {
-	for _, v := range *c {
-		_, _, err := net.ParseCIDR(sanitizeIPv6addr(v))
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (c *cidrslice) ValidEntries() []string {
-	valid := []string{}
-	for _, v := range *c {
-		_, _, err := net.ParseCIDR(sanitizeIPv6addr(v))
-		if err == nil {
-			valid = append(valid, sanitizeIPv6addr(v))
-		}
-	}
-	return valid
-}
-
-// Check if IP belongs to an allowed net
-func (a ACMETxt) allowedFrom(ip string) bool {
-	remoteIP := net.ParseIP(ip)
-	// Range not limited
-	if len(a.AllowFrom.ValidEntries()) == 0 {
-		return true
-	}
-	log.WithFields(log.Fields{"ip": remoteIP}).Debug("Checking if update is permitted from IP")
-	for _, v := range a.AllowFrom.ValidEntries() {
-		_, vnet, _ := net.ParseCIDR(v)
-		if vnet.Contains(remoteIP) {
-			return true
-		}
-	}
-	return false
-}
-
-// Go through list (most likely from headers) to check for the IP.
-// Reason for this is that some setups use reverse proxy in front of acme-dns
-func (a ACMETxt) allowedFromList(ips []string) bool {
-	if len(ips) == 0 {
-		// If no IP provided, check if no whitelist present (everyone has access)
-		return a.allowedFrom("")
-	}
-	for _, v := range ips {
-		if a.allowedFrom(v) {
-			return true
-		}
-	}
-	return false
-}
-
-func newACMETxt() ACMETxt {
-	var a = ACMETxt{}
-	password := generatePassword(40)
-	a.Username = uuid.New()
-	a.Password = password
-	a.Subdomain = uuid.New().String()
-	return a
-}
--- a/api.go
+++ b/api.go
@ -1,113 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-
-	"github.com/julienschmidt/httprouter"
-	log "github.com/sirupsen/logrus"
-)
-
-// RegResponse is a struct for registration response JSON
-type RegResponse struct {
-	Username   string   `json:"username"`
-	Password   string   `json:"password"`
-	Fulldomain string   `json:"fulldomain"`
-	Subdomain  string   `json:"subdomain"`
-	Allowfrom  []string `json:"allowfrom"`
-}
-
-func webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-	var regStatus int
-	var reg []byte
-	var err error
-	aTXT := ACMETxt{}
-	bdata, _ := io.ReadAll(r.Body)
-	if len(bdata) > 0 {
-		err = json.Unmarshal(bdata, &aTXT)
-		if err != nil {
-			regStatus = http.StatusBadRequest
-			reg = jsonError("malformed_json_payload")
-			w.Header().Set("Content-Type", "application/json")
-			w.WriteHeader(regStatus)
-			_, _ = w.Write(reg)
-			return
-		}
-	}
-
-	// Fail with malformed CIDR mask in allowfrom
-	err = aTXT.AllowFrom.isValid()
-	if err != nil {
-		regStatus = http.StatusBadRequest
-		reg = jsonError("invalid_allowfrom_cidr")
-		w.Header().Set("Content-Type", "application/json")
-		w.WriteHeader(regStatus)
-		_, _ = w.Write(reg)
-		return
-	}
-
-	// Create new user
-	nu, err := DB.Register(aTXT.AllowFrom)
-	if err != nil {
-		errstr := fmt.Sprintf("%v", err)
-		reg = jsonError(errstr)
-		regStatus = http.StatusInternalServerError
-		log.WithFields(log.Fields{"error": err.Error()}).Debug("Error in registration")
-	} else {
-		log.WithFields(log.Fields{"user": nu.Username.String()}).Debug("Created new user")
-		regStruct := RegResponse{nu.Username.String(), nu.Password, nu.Subdomain + "." + Config.General.Domain, nu.Subdomain, nu.AllowFrom.ValidEntries()}
-		regStatus = http.StatusCreated
-		reg, err = json.Marshal(regStruct)
-		if err != nil {
-			regStatus = http.StatusInternalServerError
-			reg = jsonError("json_error")
-			log.WithFields(log.Fields{"error": "json"}).Debug("Could not marshal JSON")
-		}
-	}
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(regStatus)
-	_, _ = w.Write(reg)
-}
-
-func webUpdatePost(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-	var updStatus int
-	var upd []byte
-	// Get user
-	a, ok := r.Context().Value(ACMETxtKey).(ACMETxt)
-	if !ok {
-		log.WithFields(log.Fields{"error": "context"}).Error("Context error")
-	}
-	// NOTE: An invalid subdomain should not happen - the auth handler should
-	// reject POSTs with an invalid subdomain before this handler. Reject any
-	// invalid subdomains anyway as a matter of caution.
-	if !validSubdomain(a.Subdomain) {
-		log.WithFields(log.Fields{"error": "subdomain", "subdomain": a.Subdomain, "txt": a.Value}).Debug("Bad update data")
-		updStatus = http.StatusBadRequest
-		upd = jsonError("bad_subdomain")
-	} else if !validTXT(a.Value) {
-		log.WithFields(log.Fields{"error": "txt", "subdomain": a.Subdomain, "txt": a.Value}).Debug("Bad update data")
-		updStatus = http.StatusBadRequest
-		upd = jsonError("bad_txt")
-	} else if validSubdomain(a.Subdomain) && validTXT(a.Value) {
-		err := DB.Update(a.ACMETxtPost)
-		if err != nil {
-			log.WithFields(log.Fields{"error": err.Error()}).Debug("Error while trying to update record")
-			updStatus = http.StatusInternalServerError
-			upd = jsonError("db_error")
-		} else {
-			log.WithFields(log.Fields{"subdomain": a.Subdomain, "txt": a.Value}).Debug("TXT updated")
-			updStatus = http.StatusOK
-			upd = []byte("{\"txt\": \"" + a.Value + "\"}")
-		}
-	}
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(updStatus)
-	_, _ = w.Write(upd)
-}
-
-// Endpoint used to check the readiness and/or liveness (health) of the server.
-func healthCheck(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-	w.WriteHeader(http.StatusOK)
-}
--- a/auth.go
+++ b/auth.go
@ -1,93 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net"
-	"net/http"
-
-	"github.com/julienschmidt/httprouter"
-	log "github.com/sirupsen/logrus"
-)
-
-type key int
-
-// ACMETxtKey is a context key for ACMETxt struct
-const ACMETxtKey key = 0
-
-// Auth middleware for update request
-func Auth(update httprouter.Handle) httprouter.Handle {
-	return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
-		postData := ACMETxt{}
-		userOK := false
-		user, err := getUserFromRequest(r)
-		if err == nil {
-			if updateAllowedFromIP(r, user) {
-				dec := json.NewDecoder(r.Body)
-				err = dec.Decode(&postData)
-				if err != nil {
-					log.WithFields(log.Fields{"error": "json_error", "string": err.Error()}).Error("Decode error")
-				}
-				if user.Subdomain == postData.Subdomain {
-					userOK = true
-				} else {
-					log.WithFields(log.Fields{"error": "subdomain_mismatch", "name": postData.Subdomain, "expected": user.Subdomain}).Error("Subdomain mismatch")
-				}
-			} else {
-				log.WithFields(log.Fields{"error": "ip_unauthorized"}).Error("Update not allowed from IP")
-			}
-		} else {
-			log.WithFields(log.Fields{"error": err.Error()}).Error("Error while trying to get user")
-		}
-		if userOK {
-			// Set user info to the decoded ACMETxt object
-			postData.Username = user.Username
-			postData.Password = user.Password
-			// Set the ACMETxt struct to context to pull in from update function
-			ctx := context.WithValue(r.Context(), ACMETxtKey, postData)
-			update(w, r.WithContext(ctx), p)
-		} else {
-			w.Header().Set("Content-Type", "application/json")
-			w.WriteHeader(http.StatusUnauthorized)
-			_, _ = w.Write(jsonError("forbidden"))
-		}
-	}
-}
-
-func getUserFromRequest(r *http.Request) (ACMETxt, error) {
-	uname := r.Header.Get("X-Api-User")
-	passwd := r.Header.Get("X-Api-Key")
-	username, err := getValidUsername(uname)
-	if err != nil {
-		return ACMETxt{}, fmt.Errorf("Invalid username: %s: %s", uname, err.Error())
-	}
-	if validKey(passwd) {
-		dbuser, err := DB.GetByUsername(username)
-		if err != nil {
-			log.WithFields(log.Fields{"error": err.Error()}).Error("Error while trying to get user")
-			// To protect against timed side channel (never gonna give you up)
-			correctPassword(passwd, "$2a$10$8JEFVNYYhLoBysjAxe2yBuXrkDojBQBkVpXEQgyQyjn43SvJ4vL36")
-
-			return ACMETxt{}, fmt.Errorf("Invalid username: %s", uname)
-		}
-		if correctPassword(passwd, dbuser.Password) {
-			return dbuser, nil
-		}
-		return ACMETxt{}, fmt.Errorf("Invalid password for user %s", uname)
-	}
-	return ACMETxt{}, fmt.Errorf("Invalid key for user %s", uname)
-}
-
-func updateAllowedFromIP(r *http.Request, user ACMETxt) bool {
-	if Config.API.UseHeader {
-		ips := getIPListFromHeader(r.Header.Get(Config.API.HeaderName))
-		return user.allowedFromList(ips)
-	}
-	host, _, err := net.SplitHostPort(r.RemoteAddr)
-	if err != nil {
-		log.WithFields(log.Fields{"error": err.Error(), "remoteaddr": r.RemoteAddr}).Error("Error while parsing remote address")
-		host = ""
-	}
-	return user.allowedFrom(host)
-}
--- a/auth_test.go
+++ b/auth_test.go
@ -1,34 +0,0 @@
-package main
-
-import (
-	"net/http"
-	"testing"
-)
-
-func TestUpdateAllowedFromIP(t *testing.T) {
-	Config.API.UseHeader = false
-	userWithAllow := newACMETxt()
-	userWithAllow.AllowFrom = cidrslice{"192.168.1.2/32", "[::1]/128"}
-	userWithoutAllow := newACMETxt()
-
-	for i, test := range []struct {
-		remoteaddr string
-		expected   bool
-	}{
-		{"192.168.1.2:1234", true},
-		{"192.168.1.1:1234", false},
-		{"invalid", false},
-		{"[::1]:4567", true},
-	} {
-		newreq, _ := http.NewRequest("GET", "/whatever", nil)
-		newreq.RemoteAddr = test.remoteaddr
-		ret := updateAllowedFromIP(newreq, userWithAllow)
-		if test.expected != ret {
-			t.Errorf("Test %d: Unexpected result for user with allowForm set", i)
-		}
-
-		if !updateAllowedFromIP(newreq, userWithoutAllow) {
-			t.Errorf("Test %d: Unexpected result for user without allowForm set", i)
-		}
-	}
-}
--- a/config.cfg
+++ b/config.cfg
@ -9,7 +9,7 @@ protocol = "both"
 domain = "auth.example.org"
 # zone name server
 nsname = "auth.example.org"
-# admin email address, where @ is substituted with .
+# admin email address, where @ is substituted with .
 nsadmin = "admin.example.org"
 # predefined records served in addition to the TXT
 records = [
@ -22,11 +22,11 @@ records = [
 debug = false

 [database]
-# Database engine to use, sqlite3 or postgres
-engine = "sqlite3"
+# Database engine to use, sqlite or postgres
+engine = "sqlite"
 # Connection string, filename for sqlite3 and postgres://$username:$password@$host/$db_name for postgres
 # Please note that the default Docker image uses path /var/lib/acme-dns/acme-dns.db for sqlite3
-connection = "/var/lib/acme-dns/acme-dns.db"
+connection = "acme-dns.db"
 # connection = "postgres://user:password@localhost/acmedns_db"

 [api]
@ -37,7 +37,7 @@ disable_registration = false
 # listen port, eg. 443 for default HTTPS
 port = "443"
 # possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
-tls = "letsencryptstaging"
+tls = "none"
 # only used if tls = "cert"
 tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
 tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"
@ -56,10 +56,10 @@ header_name = "X-Forwarded-For"

 [logconfig]
 # logging level: "error", "warning", "info" or "debug"
-loglevel = "debug"
-# possible values: stdout, TODO file & integrations
+loglevel = "info"
+# possible values: stdout, file
 logtype = "stdout"
-# file path for logfile TODO
-# logfile = "./acme-dns.log"
+# file path for logfile
+logfile = "./acme-dns.log"
 # format, either "json" or "text"
-logformat = "text"
+logformat = "json"
--- a/dns.go
+++ b/dns.go
@ -1,245 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-	"strings"
-	"time"
-)
-
-// Records is a slice of ResourceRecords
-type Records struct {
-	Records []dns.RR
-}
-
-// DNSServer is the main struct for acme-dns DNS server
-type DNSServer struct {
-	DB              database
-	Domain          string
-	Server          *dns.Server
-	SOA             dns.RR
-	PersonalKeyAuth string
-	Domains         map[string]Records
-}
-
-// NewDNSServer parses the DNS records from config and returns a new DNSServer struct
-func NewDNSServer(db database, addr string, proto string, domain string) *DNSServer {
-	var server DNSServer
-	server.Server = &dns.Server{Addr: addr, Net: proto}
-	if !strings.HasSuffix(domain, ".") {
-		domain = domain + "."
-	}
-	server.Domain = strings.ToLower(domain)
-	server.DB = db
-	server.PersonalKeyAuth = ""
-	server.Domains = make(map[string]Records)
-	return &server
-}
-
-// Start starts the DNSServer
-func (d *DNSServer) Start(errorChannel chan error) {
-	// DNS server part
-	dns.HandleFunc(".", d.handleRequest)
-	log.WithFields(log.Fields{"addr": d.Server.Addr, "proto": d.Server.Net}).Info("Listening DNS")
-	err := d.Server.ListenAndServe()
-	if err != nil {
-		errorChannel <- err
-	}
-}
-
-// ParseRecords parses a slice of DNS record string
-func (d *DNSServer) ParseRecords(config DNSConfig) {
-	for _, v := range config.General.StaticRecords {
-		rr, err := dns.NewRR(strings.ToLower(v))
-		if err != nil {
-			log.WithFields(log.Fields{"error": err.Error(), "rr": v}).Warning("Could not parse RR from config")
-			continue
-		}
-		// Add parsed RR
-		d.appendRR(rr)
-	}
-	// Create serial
-	serial := time.Now().Format("2006010215")
-	// Add SOA
-	SOAstring := fmt.Sprintf("%s. SOA %s. %s. %s 28800 7200 604800 86400", strings.ToLower(config.General.Domain), strings.ToLower(config.General.Nsname), strings.ToLower(config.General.Nsadmin), serial)
-	soarr, err := dns.NewRR(SOAstring)
-	if err != nil {
-		log.WithFields(log.Fields{"error": err.Error(), "soa": SOAstring}).Error("Error while adding SOA record")
-	} else {
-		d.appendRR(soarr)
-		d.SOA = soarr
-	}
-}
-
-func (d *DNSServer) appendRR(rr dns.RR) {
-	addDomain := rr.Header().Name
-	_, ok := d.Domains[addDomain]
-	if !ok {
-		d.Domains[addDomain] = Records{[]dns.RR{rr}}
-	} else {
-		drecs := d.Domains[addDomain]
-		drecs.Records = append(drecs.Records, rr)
-		d.Domains[addDomain] = drecs
-	}
-	log.WithFields(log.Fields{"recordtype": dns.TypeToString[rr.Header().Rrtype], "domain": addDomain}).Debug("Adding new record to domain")
-}
-
-func (d *DNSServer) handleRequest(w dns.ResponseWriter, r *dns.Msg) {
-	m := new(dns.Msg)
-	m.SetReply(r)
-
-	// handle edns0
-	opt := r.IsEdns0()
-	if opt != nil {
-		if opt.Version() != 0 {
-			// Only EDNS0 is standardized
-			m.MsgHdr.Rcode = dns.RcodeBadVers
-			m.SetEdns0(512, false)
-		} else {
-			// We can safely do this as we know that we're not setting other OPT RRs within acme-dns.
-			m.SetEdns0(512, false)
-			if r.Opcode == dns.OpcodeQuery {
-				d.readQuery(m)
-			}
-		}
-	} else {
-		if r.Opcode == dns.OpcodeQuery {
-			d.readQuery(m)
-		}
-	}
-	_ = w.WriteMsg(m)
-}
-
-func (d *DNSServer) readQuery(m *dns.Msg) {
-	var authoritative = false
-	for _, que := range m.Question {
-		if rr, rc, auth, err := d.answer(que); err == nil {
-			if auth {
-				authoritative = auth
-			}
-			m.MsgHdr.Rcode = rc
-			m.Answer = append(m.Answer, rr...)
-		}
-	}
-	m.MsgHdr.Authoritative = authoritative
-	if authoritative {
-		if m.MsgHdr.Rcode == dns.RcodeNameError {
-			m.Ns = append(m.Ns, d.SOA)
-		}
-	}
-}
-
-func (d *DNSServer) getRecord(q dns.Question) ([]dns.RR, error) {
-	var rr []dns.RR
-	var cnames []dns.RR
-	domain, ok := d.Domains[strings.ToLower(q.Name)]
-	if !ok {
-		return rr, fmt.Errorf("No records for domain %s", q.Name)
-	}
-	for _, ri := range domain.Records {
-		if ri.Header().Rrtype == q.Qtype {
-			rr = append(rr, ri)
-		}
-		if ri.Header().Rrtype == dns.TypeCNAME {
-			cnames = append(cnames, ri)
-		}
-	}
-	if len(rr) == 0 {
-		return cnames, nil
-	}
-	return rr, nil
-}
-
-// answeringForDomain checks if we have any records for a domain
-func (d *DNSServer) answeringForDomain(name string) bool {
-	if d.Domain == strings.ToLower(name) {
-		return true
-	}
-	_, ok := d.Domains[strings.ToLower(name)]
-	return ok
-}
-
-func (d *DNSServer) isAuthoritative(q dns.Question) bool {
-	if d.answeringForDomain(q.Name) {
-		return true
-	}
-	domainParts := strings.Split(strings.ToLower(q.Name), ".")
-	for i := range domainParts {
-		if d.answeringForDomain(strings.Join(domainParts[i:], ".")) {
-			return true
-		}
-	}
-	return false
-}
-
-// isOwnChallenge checks if the query is for the domain of this acme-dns instance. Used for answering its own ACME challenges
-func (d *DNSServer) isOwnChallenge(name string) bool {
-	domainParts := strings.SplitN(name, ".", 2)
-	if len(domainParts) == 2 {
-		if strings.ToLower(domainParts[0]) == "_acme-challenge" {
-			domain := strings.ToLower(domainParts[1])
-			if !strings.HasSuffix(domain, ".") {
-				domain = domain + "."
-			}
-			if domain == d.Domain {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-func (d *DNSServer) answer(q dns.Question) ([]dns.RR, int, bool, error) {
-	var rcode int
-	var err error
-	var txtRRs []dns.RR
-	var authoritative = d.isAuthoritative(q)
-	if !d.isOwnChallenge(q.Name) && !d.answeringForDomain(q.Name) {
-		rcode = dns.RcodeNameError
-	}
-	r, _ := d.getRecord(q)
-	if q.Qtype == dns.TypeTXT {
-		if d.isOwnChallenge(q.Name) {
-			txtRRs, err = d.answerOwnChallenge(q)
-		} else {
-			txtRRs, err = d.answerTXT(q)
-		}
-		if err == nil {
-			r = append(r, txtRRs...)
-		}
-	}
-	if len(r) > 0 {
-		// Make sure that we return NOERROR if there were dynamic records for the domain
-		rcode = dns.RcodeSuccess
-	}
-	log.WithFields(log.Fields{"qtype": dns.TypeToString[q.Qtype], "domain": q.Name, "rcode": dns.RcodeToString[rcode]}).Debug("Answering question for domain")
-	return r, rcode, authoritative, nil
-}
-
-func (d *DNSServer) answerTXT(q dns.Question) ([]dns.RR, error) {
-	var ra []dns.RR
-	subdomain := sanitizeDomainQuestion(q.Name)
-	atxt, err := d.DB.GetTXTForDomain(subdomain)
-	if err != nil {
-		log.WithFields(log.Fields{"error": err.Error()}).Debug("Error while trying to get record")
-		return ra, err
-	}
-	for _, v := range atxt {
-		if len(v) > 0 {
-			r := new(dns.TXT)
-			r.Hdr = dns.RR_Header{Name: q.Name, Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: 1}
-			r.Txt = append(r.Txt, v)
-			ra = append(ra, r)
-		}
-	}
-	return ra, nil
-}
-
-// answerOwnChallenge answers to ACME challenge for acme-dns own certificate
-func (d *DNSServer) answerOwnChallenge(q dns.Question) ([]dns.RR, error) {
-	r := new(dns.TXT)
-	r.Hdr = dns.RR_Header{Name: q.Name, Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: 1}
-	r.Txt = append(r.Txt, d.PersonalKeyAuth)
-	return []dns.RR{r}, nil
-}
--- a/go.mod
+++ b/go.mod
@ -1,61 +1,73 @@
 module github.com/joohoi/acme-dns

-go 1.22
-toolchain go1.22.0
+go 1.23.0
+
+toolchain go1.23.5

 require (
 	github.com/BurntSushi/toml v1.4.0
 	github.com/DATA-DOG/go-sqlmock v1.5.0
-	github.com/caddyserver/certmagic v0.21.4
+	github.com/caddyserver/certmagic v0.23.0
 	github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5
 	github.com/gavv/httpexpect v2.0.0+incompatible
-	github.com/go-acme/lego/v3 v3.9.0
-	github.com/google/uuid v1.6.0
+	github.com/glebarez/go-sqlite v1.20.0
+	github.com/google/uuid v1.3.0
 	github.com/julienschmidt/httprouter v1.3.0
-	github.com/lib/pq v1.10.9
-	github.com/mattn/go-sqlite3 v1.14.24
-	github.com/mholt/acmez/v2 v2.0.3
-	github.com/miekg/dns v1.1.62
-	github.com/rs/cors v1.11.1
-	github.com/sirupsen/logrus v1.9.3
-	golang.org/x/crypto v0.31.0
+	github.com/lib/pq v1.10.7
+	github.com/mholt/acmez/v3 v3.1.2
+	github.com/miekg/dns v1.1.65
+	github.com/rs/cors v1.8.3
+	go.uber.org/zap v1.27.0
+	golang.org/x/crypto v0.38.0
+)
+
+require (
+	github.com/caddyserver/zerossl v0.1.3 // indirect
+	github.com/zeebo/blake3 v0.2.4 // indirect
+	go.uber.org/zap/exp v0.3.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
 )

 require (
 	github.com/ajg/form v1.5.1 // indirect
-	github.com/andybalholm/brotli v1.0.2 // indirect
-	github.com/caddyserver/zerossl v0.1.3 // indirect
+	github.com/andybalholm/brotli v1.0.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fasthttp-contrib/websocket v0.0.0-20160511215533-1f3b11f56072 // indirect
 	github.com/fatih/structs v1.1.0 // indirect
-	github.com/google/go-querystring v1.0.0 // indirect
-	github.com/gorilla/websocket v1.4.2 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/imkira/go-interpol v1.1.0 // indirect
-	github.com/klauspost/compress v1.13.4 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
-	github.com/libdns/libdns v0.2.2 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/klauspost/compress v1.15.13 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/libdns/libdns v1.0.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/moul/http2curl v1.0.0 // indirect
+	github.com/onsi/ginkgo v1.16.5 // indirect
+	github.com/onsi/gomega v1.24.2 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20220927061507-ef77025ab5aa // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
+	github.com/smartystreets/goconvey v1.7.2 // indirect
 	github.com/stretchr/testify v1.8.1 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
-	github.com/valyala/fasthttp v1.31.0 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/valyala/fasthttp v1.43.0 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0 // indirect
 	github.com/yudai/gojsondiff v1.0.0 // indirect
 	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	github.com/yudai/pp v2.0.1+incompatible // indirect
-	github.com/zeebo/blake3 v0.2.4 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.32.0 // indirect
-	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
-	golang.org/x/tools v0.28.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	modernc.org/libc v1.21.5 // indirect
+	modernc.org/mathutil v1.5.0 // indirect
+	modernc.org/memory v1.4.0 // indirect
+	modernc.org/sqlite v1.20.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,326 +1,138 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
-cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
-cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
-cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
-cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
-cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
-cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
-cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
-cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
-cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
-cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
-cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
-cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
-cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
-cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
-cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
-cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
-cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
-contrib.go.opencensus.io/exporter/ocagent v0.4.12/go.mod h1:450APlNTSR6FrvC3CTRqYosuDstRB9un7SOx2k/9ckA=
-dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/Azure/azure-sdk-for-go v32.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/go-autorest/autorest v0.1.0/go.mod h1:AKyIcETwSUFxIcs/Wnq/C+kwCtlEYGUVd7FPNb2slmg=
-github.com/Azure/go-autorest/autorest v0.5.0/go.mod h1:9HLKlQjVBH6U3oDfsXOeVc56THsLPw1L03yban4xThw=
-github.com/Azure/go-autorest/autorest/adal v0.1.0/go.mod h1:MeS4XhScH55IST095THyTxElntu7WqB7pNbZo8Q5G3E=
-github.com/Azure/go-autorest/autorest/adal v0.2.0/go.mod h1:MeS4XhScH55IST095THyTxElntu7WqB7pNbZo8Q5G3E=
-github.com/Azure/go-autorest/autorest/azure/auth v0.1.0/go.mod h1:Gf7/i2FUpyb/sGBLIFxTBzrNzBo7aPXXE3ZVeDRwdpM=
-github.com/Azure/go-autorest/autorest/azure/cli v0.1.0/go.mod h1:Dk8CUAt/b/PzkfeRsWzVG9Yj3ps8mS8ECztu43rdU8U=
-github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
-github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc=
-github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8=
-github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
-github.com/Azure/go-autorest/tracing v0.1.0/go.mod h1:ROEEAFwXycQw7Sn3DXNtEedEvdeRAgDr0izn4z5Ij88=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
 github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
-github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
 github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
-github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87/go.mod h1:iGLljf5n9GjT6kc0HBvyI1nOKnGQbNB66VzSNbK5iks=
-github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
-github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
-github.com/akamai/AkamaiOPEN-edgegrid-golang v0.9.18/go.mod h1:L+HB2uBoDgi3+r1pJEJcbGwyyHhd2QXaGsKLbDwtm8Q=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/aliyun/alibaba-cloud-sdk-go v1.61.112/go.mod h1:pUKYbK5JQ+1Dfxk80P0qxGqe5dkxDoabbZS7zOcouyA=
-github.com/andybalholm/brotli v1.0.2 h1:JKnhI/XQ75uFBTiuzXpzFrUriDPiZjlOSzh6wXogP0E=
-github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
-github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
-github.com/aws/aws-sdk-go v1.30.20/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
-github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
-github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
-github.com/caddyserver/certmagic v0.21.4 h1:e7VobB8rffHv8ZZpSiZtEwnLDHUwLVYLWzWSa1FfKI0=
-github.com/caddyserver/certmagic v0.21.4/go.mod h1:swUXjQ1T9ZtMv95qj7/InJvWLXURU85r+CfG0T+ZbDE=
+github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
+github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/caddyserver/certmagic v0.23.0 h1:CfpZ/50jMfG4+1J/u2LV6piJq4HOfO6ppOnOf7DkFEU=
+github.com/caddyserver/certmagic v0.23.0/go.mod h1:9mEZIWqqWoI+Gf+4Trh04MOVPD0tGSxtqsxg87hAIH4=
 github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
 github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
-github.com/cenkalti/backoff/v4 v4.0.0/go.mod h1:eEew/i+1Q6OrCDZh3WiXYv3+nJwBASZ8Bog/87DQnVg=
-github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudflare/cloudflare-go v0.10.2/go.mod h1:qhVI5MKwBGhdNU89ZRz2plgYutcJ5PCekLxXn56w6SY=
-github.com/cpu/goacmedns v0.0.2/go.mod h1:4MipLkI+qScwqtVxcNO6okBhbgRrr7/tKXUSgSL0teQ=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/chzyer/logex v1.2.0/go.mod h1:9+9sk7u7pGNWYMkh0hdiL++6OeibzJccyQU4p4MedaY=
+github.com/chzyer/readline v1.5.0/go.mod h1:x22KAscuvRqlLoK9CsoYsmxoXZMMFVyOl86cAH8qUic=
+github.com/chzyer/test v0.0.0-20210722231415-061457976a23/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
-github.com/dnaeon/go-vcr v0.0.0-20180814043457-aafff18a5cc2/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
-github.com/dnsimple/dnsimple-go v0.60.0/go.mod h1:O5TJ0/U6r7AfT8niYNlmohpLbCSG+c71tQlGr9SeGrg=
-github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
-github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
-github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
-github.com/exoscale/egoscale v0.18.1/go.mod h1:Z7OOdzzTOz1Q1PjQXumlz9Wn/CddH0zSYdCF3rnBKXE=
 github.com/fasthttp-contrib/websocket v0.0.0-20160511215533-1f3b11f56072 h1:DddqAaWDpywytcG8w/qoQ5sAN8X12d3Z3koB0C3Rxsc=
 github.com/fasthttp-contrib/websocket v0.0.0-20160511215533-1f3b11f56072/go.mod h1:duJ4Jxv5lDcvg4QuQr0oowTf7dz4/CR8NtyCooz9HL8=
 github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
+github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/gavv/httpexpect v2.0.0+incompatible h1:1X9kcRshkSKEjNJJxX9Y9mQ5BRfbxU5kORdjhlA1yX8=
 github.com/gavv/httpexpect v2.0.0+incompatible/go.mod h1:x+9tiU1YnrOvnB725RkpoLv1M62hOWzwo5OXotisrKc=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-acme/lego/v3 v3.9.0 h1:Kyvg2GGqRJHfK2Stu57M45TDTx0y1bsxLH7lpeP3n0A=
-github.com/go-acme/lego/v3 v3.9.0/go.mod h1:va0cvQpxpJ3u2OA534L8TDn+lsr2oujLzPckLOLnUGQ=
-github.com/go-cmd/cmd v1.0.5/go.mod h1:y8q8qlK5wQibcw63djSl/ntiHUHXHGdCkPk0j4QeW4s=
-github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
-github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
-github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
-github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/goji/httpauth v0.0.0-20160601135302-2da839ab0f4d/go.mod h1:nnjvkQ9ptGaCkuDUx6wNykzzlUixGxvkme+H/lnzb+A=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
-github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/glebarez/go-sqlite v1.20.0 h1:6D9uRXq3Kd+W7At+hOU2eIAeahv6qcYfO8jzmvb4Dr8=
+github.com/glebarez/go-sqlite v1.20.0/go.mod h1:uTnJoqtwMQjlULmljLT73Cg7HB+2X6evsBHODyyq1ak=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
-github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/gophercloud/gophercloud v0.6.1-0.20191122030953-d8ac278c1c9d/go.mod h1:ozGNgr9KYOVATV5jsgHl/ceCDXGuguqOZAzoQ/2vcNM=
-github.com/gophercloud/gophercloud v0.7.0/go.mod h1:gmC5oQqMDOMO1t1gq5DquX/yAU808e/4mzjjDA76+Ss=
-github.com/gophercloud/utils v0.0.0-20200508015959-b0167b94122c/go.mod h1:ehWUbLQJPqS0Ep+CxeD559hsm9pthPXadJNKwZkp43w=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
-github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
-github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
-github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
-github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
-github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
-github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
+github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
+github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df/go.mod h1:QMZY7/J/KSQEhKWFeDesPjMj+wCHReeknARU3wqlyN4=
+github.com/ianlancetaylor/demangle v0.0.0-20220319035150-800ac71e25c2/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
 github.com/imkira/go-interpol v1.1.0 h1:KIiKr0VSG2CUW1hl1jpiyuzuJeKUUpC8iM1AIE7N1Vk=
 github.com/imkira/go-interpol v1.1.0/go.mod h1:z0h2/2T3XF8kyEPpRgJ3kmNv+C43p+I/CoI+jC3w2iA=
-github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
-github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
-github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
-github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.13.4 h1:0zhec2I8zGnjWcKyLl6i3gPqKANCCn5e9xmviEEeX6s=
-github.com/klauspost/compress v1.13.4/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
-github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
-github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
-github.com/kolo/xmlrpc v0.0.0-20200310150728-e0350524596b/go.mod h1:o03bZfuBwAXHetKXuInt4S7omeXUu62/A845kiycsSQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
+github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
+github.com/klauspost/compress v1.15.13 h1:NFn1Wr8cfnenSJSA46lLq4wHCcBzKTSjnBIexDMMOV0=
+github.com/klauspost/compress v1.15.13/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
+github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
+github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/labbsr0x/bindman-dns-webhook v1.0.2/go.mod h1:p6b+VCXIR8NYKpDr8/dg1HKfQoRHCdcsROXKvmoehKA=
-github.com/labbsr0x/goh v1.0.1/go.mod h1:8K2UhVoaWXcCU7Lxoa2omWnC8gyW8px7/lmO61c027w=
-github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
-github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
-github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
-github.com/linode/linodego v0.10.0/go.mod h1:cziNP7pbvE3mXIPneHj0oRY8L1WtGEIKlZ8LANE4eXA=
-github.com/liquidweb/liquidweb-go v1.6.0/go.mod h1:UDcVnAMDkZxpw4Y7NOHkqoeiGacVLEIG/i5J9cyixzQ=
-github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
-github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
-github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
-github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
-github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
-github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
-github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
-github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE=
-github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mholt/acmez/v2 v2.0.3 h1:CgDBlEwg3QBp6s45tPQmFIBrkRIkBT4rW4orMM6p4sw=
-github.com/mholt/acmez/v2 v2.0.3/go.mod h1:pQ1ysaDeGrIMvJ9dfJMk5kJNkn7L2sb3UhyrX6Q91cw=
-github.com/miekg/dns v1.1.27/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
-github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
-github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-vnc v0.0.0-20150629162542-723ed9867aed/go.mod h1:3rdaFaCv4AyBgu5ALFM0+tSuHrBh6v692nyQe3ikrq0=
-github.com/mitchellh/mapstructure v1.3.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
+github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/libdns/libdns v1.0.0 h1:IvYaz07JNz6jUQ4h/fv2R4sVnRnm77J/aOuC9B+TQTA=
+github.com/libdns/libdns v1.0.0/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
+github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
+github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc=
+github.com/mholt/acmez/v3 v3.1.2/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
+github.com/miekg/dns v1.1.65 h1:0+tIPHzUW0GCge7IiK3guGP57VAw7hoPDfApjkMD1Fc=
+github.com/miekg/dns v1.1.65/go.mod h1:Dzw9769uoKVaLuODMDZz9M6ynFU6Em65csPuoi8G0ck=
 github.com/moul/http2curl v1.0.0 h1:dRMWoAtb+ePxMlLkrCbAqh4TlPHXvoGUSQ323/9Zahs=
 github.com/moul/http2curl v1.0.0/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ=
-github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04/go.mod h1:5sN+Lt1CaY4wsPvgQH/jsuJi4XO2ssZbdsIizr4CVC8=
-github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32/go.mod h1:9wM+0iRr9ahx58uYLpLIr5fm8diHn0JbqRycJi6w0Ms=
-github.com/nrdcg/auroradns v1.0.1/go.mod h1:y4pc0i9QXYlFCWrhWrUSIETnZgrf4KuwjDIWmmXo3JI=
-github.com/nrdcg/desec v0.5.0/go.mod h1:2ejvMazkav1VdDbv2HeQO7w+Ta1CGHqzQr27ZBYTuEQ=
-github.com/nrdcg/dnspod-go v0.4.0/go.mod h1:vZSoFSFeQVm2gWLMkyX61LZ8HI3BaqtHZWgPTGKr6KQ=
-github.com/nrdcg/goinwx v0.7.0/go.mod h1:4tKJOCi/1lTxuw9/yB2Ez0aojwtUCSkckjc22eALpqE=
-github.com/nrdcg/namesilo v0.2.1/go.mod h1:lwMvfQTyYq+BbjJd30ylEG4GPSS6PII0Tia4rRpRiyw=
-github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
+github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
+github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.7.0 h1:WSHQ+IS43OoUrWtD1/bbclrwK8TTH5hzp+umCiuxHgs=
-github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU=
-github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
-github.com/oracle/oci-go-sdk v7.0.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
-github.com/ovh/go-ovh v0.0.0-20181109152953-ba5adb4cf014/go.mod h1:joRatxRJaZBsY3JAOEMcoOp05CnZzsx4scTxi95DHyQ=
-github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
-github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
+github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
+github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
+github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
+github.com/onsi/gomega v1.24.2 h1:J/tulyYK6JwBldPViHJReihxxZ+22FHs0piGjQAvoUE=
+github.com/onsi/gomega v1.24.2/go.mod h1:gs3J10IS7Z7r7eXRoNJIrNqU4ToQukCJhFtKrWgHWnk=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
-github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
-github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
-github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
-github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
-github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
-github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2/go.mod h1:7tZKcyumwBO6qip7RNQ5r77yrssm9bfCowcLEBcU5IA=
-github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
-github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
-github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sacloud/libsacloud v1.26.1/go.mod h1:79ZwATmHLIFZIMd7sxA3LwzVy/B77uj3LDoToVTxDoQ=
+github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/remyoudompheng/bigfft v0.0.0-20220927061507-ef77025ab5aa h1:tEkEyxYeZ43TR55QU/hsIt9aRGBxbgGuz9CGykjvogY=
+github.com/remyoudompheng/bigfft v0.0.0-20220927061507-ef77025ab5aa/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/rs/cors v1.8.3 h1:O+qNyWn7Z+F9M0ILBHgMVPuB1xTOucVd5gtaYyXBpRo=
+github.com/rs/cors v1.8.3/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/skratchdot/open-golang v0.0.0-20160302144031-75fb7ed4208c/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
-github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
-github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
-github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
-github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
-github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/smartystreets/assertions v1.2.0 h1:42S6lae5dvLc7BrLu/0ugRtcFVjoJNMC/N3yZFZkDFs=
+github.com/smartystreets/assertions v1.2.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
+github.com/smartystreets/goconvey v1.7.2 h1:9RBaZCeXEQ3UselpuwUQHltGVXvdwm6cv1hgR6gDIPg=
+github.com/smartystreets/goconvey v1.7.2/go.mod h1:Vw0tHAZW6lzCRk3xgdin6fKYcG+G3Pg9vgXWeJpQFMM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/timewasted/linode v0.0.0-20160829202747-37e84520dcf7/go.mod h1:imsgLplxEC/etjIhdr3dNzV3JeT27LbVu5pYWm0JCBY=
-github.com/transip/gotransip/v6 v6.0.2/go.mod h1:pQZ36hWWRahCUXkFWlx9Hs711gLd8J4qdgLdRzmtY+g=
-github.com/uber-go/atomic v1.3.2/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g=
-github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasthttp v1.31.0 h1:lrauRLII19afgCs2fnWRJ4M5IkV0lo2FqA61uGkNBfE=
-github.com/valyala/fasthttp v1.31.0/go.mod h1:2rsYD01CKFrjjsvFxx75KlEUNpWNBY9JWD3K/7o2Cus=
+github.com/valyala/fasthttp v1.43.0 h1:Gy4sb32C98fbzVWZlTM1oTMdLWGyvxR03VhM6cBIU4g=
+github.com/valyala/fasthttp v1.43.0/go.mod h1:f6VbjjoI3z1NDOZOv17o6RvtRSWxC77seBFc2uWtgiY=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
-github.com/vultr/govultr v0.4.2/go.mod h1:TUuUizMOFc7z+PNMssb6iGjKjQfpw5arIaOLfocVudQ=
-github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
@ -333,279 +145,127 @@ github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 h1:BHyfKlQyqbsFN5p3Ifn
 github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM=
 github.com/yudai/pp v2.0.1+incompatible h1:Q4//iY4pNF6yPLZIigmvcl7k/bPgrcTPIFIcmawg5bI=
 github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
 github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/blake3 v0.2.4 h1:KYQPkhpRtcqh0ssGYcKLG1JYvddkEA8QwCM/yBqhaZI=
 github.com/zeebo/blake3 v0.2.4/go.mod h1:7eeQ6d2iXWRGF6npfaxl2CU+xy2Fjo2gxeyZGCRUjcE=
 github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
-go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
-go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
-go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/ratelimit v0.0.0-20180316092928-c15da0234277/go.mod h1:2X8KaoNd1J0lZV+PxJk/5+DGbO/tpwLR1m++a7FnB/Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-golang.org/x/crypto v0.0.0-20180621125126-a49355c7e3f8/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U=
+go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20191202143827-86a70503ff7e/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
-golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
-golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
-golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
-golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
-golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
-golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
-golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
-golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
-golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
-golang.org/x/net v0.0.0-20180611182652-db08ff08e862/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190930134127-c5a3c61f89f3/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220906165146-f3363e06e74c/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.0.0-20180622082034-63fc586f45fe/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191128015809-6d18c012aee9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191203134012-c197fd4bf371/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8=
-golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw=
+golang.org/x/tools v0.0.0-20201124115921-2c860bdd6e78/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
-google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
-google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
-google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
-google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
-google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/h2non/gock.v1 v1.0.15/go.mod h1:sX4zAkdYX1TRGJ2JY156cFspQn4yRWn6p9EMdODlynE=
-gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ini.v1 v1.51.1/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ns1/ns1-go.v2 v2.0.0-20190730140822-b51389932cbc/go.mod h1:VV+3haRsgDiVLxyifmMBrBIuCWFBPYKbRssXB9z67Hw=
-gopkg.in/resty.v1 v1.9.1/go.mod h1:vo52Hzryw9PnPHcJfPsBiFW62XhNx5OczbV9y+IMpgc=
-gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
-gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
-rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
+lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
+modernc.org/cc/v3 v3.37.0/go.mod h1:vtL+3mdHx/wcj3iEGz84rQa8vEqR6XM84v5Lcvfph20=
+modernc.org/cc/v3 v3.38.1/go.mod h1:vtL+3mdHx/wcj3iEGz84rQa8vEqR6XM84v5Lcvfph20=
+modernc.org/cc/v3 v3.40.0/go.mod h1:/bTg4dnWkSXowUO6ssQKnOV0yMVxDYNIsIrzqTFDGH0=
+modernc.org/ccgo/v3 v3.0.0-20220904174949-82d86e1b6d56/go.mod h1:YSXjPL62P2AMSxBphRHPn7IkzhVHqkvOnRKAKh+W6ZI=
+modernc.org/ccgo/v3 v3.0.0-20220910160915-348f15de615a/go.mod h1:8p47QxPkdugex9J4n9P2tLZ9bK01yngIVp00g4nomW0=
+modernc.org/ccgo/v3 v3.16.13-0.20221017192402-261537637ce8/go.mod h1:fUB3Vn0nVPReA+7IG7yZDfjv1TMWjhQP8gCxrFAtL5g=
+modernc.org/ccgo/v3 v3.16.13/go.mod h1:2Quk+5YgpImhPjv2Qsob1DnZ/4som1lJTodubIcoUkY=
+modernc.org/ccorpus v1.11.6/go.mod h1:2gEUTrWqdpH2pXsmTM1ZkjeSrUWDpjMu2T6m29L/ErQ=
+modernc.org/httpfs v1.0.6/go.mod h1:7dosgurJGp0sPaRanU53W4xZYKh14wfzX420oZADeHM=
+modernc.org/libc v1.17.4/go.mod h1:WNg2ZH56rDEwdropAJeZPQkXmDwh+JCA1s/htl6r2fA=
+modernc.org/libc v1.18.0/go.mod h1:vj6zehR5bfc98ipowQOM2nIDUZnVew/wNC/2tOGS+q0=
+modernc.org/libc v1.19.0/go.mod h1:ZRfIaEkgrYgZDl6pa4W39HgN5G/yDW+NRmNKZBDFrk0=
+modernc.org/libc v1.20.3/go.mod h1:ZRfIaEkgrYgZDl6pa4W39HgN5G/yDW+NRmNKZBDFrk0=
+modernc.org/libc v1.21.4/go.mod h1:przBsL5RDOZajTVslkugzLBj1evTue36jEomFQOoYuI=
+modernc.org/libc v1.21.5 h1:xBkU9fnHV+hvZuPSRszN0AXDG4M7nwPLwTWwkYcvLCI=
+modernc.org/libc v1.21.5/go.mod h1:przBsL5RDOZajTVslkugzLBj1evTue36jEomFQOoYuI=
+modernc.org/mathutil v1.5.0 h1:rV0Ko/6SfM+8G+yKiyI830l3Wuz1zRutdslNoQ0kfiQ=
+modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
+modernc.org/memory v1.3.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
+modernc.org/memory v1.4.0 h1:crykUfNSnMAXaOJnnxcSzbUGMqkLWjklJKkBK2nwZwk=
+modernc.org/memory v1.4.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
+modernc.org/opt v0.1.1/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
+modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
+modernc.org/sqlite v1.20.0 h1:80zmD3BGkm8BZ5fUi/4lwJQHiO3GXgIUvZRXpoIfROY=
+modernc.org/sqlite v1.20.0/go.mod h1:EsYz8rfOvLCiYTy5ZFsOYzoCcRMu98YYkwAcCw5YIYw=
+modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw=
+modernc.org/tcl v1.15.0/go.mod h1:xRoGotBZ6dU+Zo2tca+2EqVEeMmOUBzHnhIwq4YrVnE=
+modernc.org/token v1.0.1/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
+modernc.org/z v1.7.0/go.mod h1:hVdgNMh8ggTuRG1rGU8x+xGRFfiQUIAw0ZqlPy8+HyQ=
--- a/main.go
+++ b/main.go
@ -1,210 +1,55 @@
-//go:build !test
-// +build !test
-
 package main

 import (
-	"context"
-	"crypto/tls"
 	"flag"
-	stdlog "log"
-	"net/http"
+	"fmt"
 	"os"
-	"strings"
-	"syscall"

-	"github.com/caddyserver/certmagic"
-	legolog "github.com/go-acme/lego/v3/log"
-	"github.com/julienschmidt/httprouter"
-	"github.com/rs/cors"
-	log "github.com/sirupsen/logrus"
+	"github.com/joohoi/acme-dns/pkg/acmedns"
+	"github.com/joohoi/acme-dns/pkg/api"
+	"github.com/joohoi/acme-dns/pkg/database"
+	"github.com/joohoi/acme-dns/pkg/nameserver"
+
+	"go.uber.org/zap"
 )

 func main() {
-	// Created files are not world writable
-	syscall.Umask(0077)
+	setUmask()
 	configPtr := flag.String("c", "/etc/acme-dns/config.cfg", "config file location")
 	flag.Parse()
 	// Read global config
 	var err error
-	if fileIsAccessible(*configPtr) {
-		log.WithFields(log.Fields{"file": *configPtr}).Info("Using config file")
-		Config, err = readConfig(*configPtr)
-	} else if fileIsAccessible("./config.cfg") {
-		log.WithFields(log.Fields{"file": "./config.cfg"}).Info("Using config file")
-		Config, err = readConfig("./config.cfg")
-	} else {
-		log.Errorf("Configuration file not found.")
-		os.Exit(1)
-	}
+	var logger *zap.Logger
+	config, usedConfigFile, err := acmedns.ReadConfig(*configPtr, "./config.cfg")
 	if err != nil {
-		log.Errorf("Encountered an error while trying to read configuration file:  %s", err)
+		fmt.Printf("Error: %s\n", err)
 		os.Exit(1)
 	}
-
-	setupLogging(Config.Logconfig.Format, Config.Logconfig.Level)
-
-	// Open database
-	newDB := new(acmedb)
-	err = newDB.Init(Config.Database.Engine, Config.Database.Connection)
+	logger, err = acmedns.SetupLogging(config)
 	if err != nil {
-		log.Errorf("Could not open database [%v]", err)
+		fmt.Printf("Could not set up logging: %s\n", err)
 		os.Exit(1)
-	} else {
-		log.Info("Connected to database")
 	}
-	DB = newDB
-	defer DB.Close()
+	// Make sure to flush the zap logger buffer before exiting
+	defer logger.Sync() //nolint:all
+	sugar := logger.Sugar()

+	sugar.Infow("Using config file",
+		"file", usedConfigFile)
+	sugar.Info("Starting up")
+	db, err := database.Init(&config, sugar)
 	// Error channel for servers
 	errChan := make(chan error, 1)
-
-	// DNS server
-	dnsservers := make([]*DNSServer, 0)
-	if strings.HasPrefix(Config.General.Proto, "both") {
-		// Handle the case where DNS server should be started for both udp and tcp
-		udpProto := "udp"
-		tcpProto := "tcp"
-		if strings.HasSuffix(Config.General.Proto, "4") {
-			udpProto += "4"
-			tcpProto += "4"
-		} else if strings.HasSuffix(Config.General.Proto, "6") {
-			udpProto += "6"
-			tcpProto += "6"
-		}
-		dnsServerUDP := NewDNSServer(DB, Config.General.Listen, udpProto, Config.General.Domain)
-		dnsservers = append(dnsservers, dnsServerUDP)
-		dnsServerUDP.ParseRecords(Config)
-		dnsServerTCP := NewDNSServer(DB, Config.General.Listen, tcpProto, Config.General.Domain)
-		dnsservers = append(dnsservers, dnsServerTCP)
-		// No need to parse records from config again
-		dnsServerTCP.Domains = dnsServerUDP.Domains
-		dnsServerTCP.SOA = dnsServerUDP.SOA
-		go dnsServerUDP.Start(errChan)
-		go dnsServerTCP.Start(errChan)
-	} else {
-		dnsServer := NewDNSServer(DB, Config.General.Listen, Config.General.Proto, Config.General.Domain)
-		dnsservers = append(dnsservers, dnsServer)
-		dnsServer.ParseRecords(Config)
-		go dnsServer.Start(errChan)
+	api := api.Init(&config, db, sugar, errChan)
+	dnsservers := nameserver.InitAndStart(&config, db, sugar, errChan)
+	go api.Start(dnsservers)
+	if err != nil {
+		sugar.Error(err)
 	}
-
-	// HTTP API
-	go startHTTPAPI(errChan, Config, dnsservers)
-
-	// block waiting for error
 	for {
 		err = <-errChan
 		if err != nil {
-			log.Fatal(err)
+			sugar.Fatal(err)
 		}
 	}
 }
-
-func startHTTPAPI(errChan chan error, config DNSConfig, dnsservers []*DNSServer) {
-	// Setup http logger
-	logger := log.New()
-	logwriter := logger.Writer()
-	defer logwriter.Close()
-	// Setup logging for different dependencies to log with logrus
-	// Certmagic
-	stdlog.SetOutput(logwriter)
-	// Lego
-	legolog.Logger = logger
-
-	api := httprouter.New()
-	c := cors.New(cors.Options{
-		AllowedOrigins:     Config.API.CorsOrigins,
-		AllowedMethods:     []string{"GET", "POST"},
-		OptionsPassthrough: false,
-		Debug:              Config.General.Debug,
-	})
-	if Config.General.Debug {
-		// Logwriter for saner log output
-		c.Log = stdlog.New(logwriter, "", 0)
-	}
-	if !Config.API.DisableRegistration {
-		api.POST("/register", webRegisterPost)
-	}
-	api.POST("/update", Auth(webUpdatePost))
-	api.GET("/health", healthCheck)
-
-	host := Config.API.IP + ":" + Config.API.Port
-
-	// TLS specific general settings
-	cfg := &tls.Config{
-		MinVersion: tls.VersionTLS12,
-	}
-	provider := NewChallengeProvider(dnsservers)
-	storage := certmagic.FileStorage{Path: Config.API.ACMECacheDir}
-
-	// Set up certmagic for getting certificate for acme-dns api
-	certmagic.DefaultACME.DNS01Solver = &provider
-	certmagic.DefaultACME.Agreed = true
-	if Config.API.TLS == "letsencrypt" {
-		certmagic.DefaultACME.CA = certmagic.LetsEncryptProductionCA
-	} else {
-		certmagic.DefaultACME.CA = certmagic.LetsEncryptStagingCA
-	}
-	certmagic.DefaultACME.Email = Config.API.NotificationEmail
-	magicConf := certmagic.NewDefault()
-	magicConf.Storage = &storage
-	magicConf.DefaultServerName = Config.General.Domain
-
-	magicCache := certmagic.NewCache(certmagic.CacheOptions{
-		GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
-			return magicConf, nil
-		},
-	})
-
-	magic := certmagic.New(magicCache, *magicConf)
-	var err error
-	switch Config.API.TLS {
-	case "letsencryptstaging":
-		err = magic.ManageAsync(context.Background(), []string{Config.General.Domain})
-		if err != nil {
-			errChan <- err
-			return
-		}
-		cfg.GetCertificate = magic.GetCertificate
-
-		srv := &http.Server{
-			Addr:      host,
-			Handler:   c.Handler(api),
-			TLSConfig: cfg,
-			ErrorLog:  stdlog.New(logwriter, "", 0),
-		}
-		log.WithFields(log.Fields{"host": host, "domain": Config.General.Domain}).Info("Listening HTTPS")
-		err = srv.ListenAndServeTLS("", "")
-	case "letsencrypt":
-		err = magic.ManageAsync(context.Background(), []string{Config.General.Domain})
-		if err != nil {
-			errChan <- err
-			return
-		}
-		cfg.GetCertificate = magic.GetCertificate
-		srv := &http.Server{
-			Addr:      host,
-			Handler:   c.Handler(api),
-			TLSConfig: cfg,
-			ErrorLog:  stdlog.New(logwriter, "", 0),
-		}
-		log.WithFields(log.Fields{"host": host, "domain": Config.General.Domain}).Info("Listening HTTPS")
-		err = srv.ListenAndServeTLS("", "")
-	case "cert":
-		srv := &http.Server{
-			Addr:      host,
-			Handler:   c.Handler(api),
-			TLSConfig: cfg,
-			ErrorLog:  stdlog.New(logwriter, "", 0),
-		}
-		log.WithFields(log.Fields{"host": host}).Info("Listening HTTPS")
-		err = srv.ListenAndServeTLS(Config.API.TLSCertFullchain, Config.API.TLSCertPrivkey)
-	default:
-		log.WithFields(log.Fields{"host": host}).Info("Listening HTTP")
-		err = http.ListenAndServe(host, c.Handler(api))
-	}
-	if err != nil {
-		errChan <- err
-	}
-}
--- a/main_test.go
+++ b/main_test.go
@ -1,111 +0,0 @@
-package main
-
-import (
-	"flag"
-	"fmt"
-	"io"
-	"os"
-	"sync"
-	"testing"
-
-	log "github.com/sirupsen/logrus"
-	logrustest "github.com/sirupsen/logrus/hooks/test"
-)
-
-var loghook = new(logrustest.Hook)
-var dnsserver *DNSServer
-
-var (
-	postgres = flag.Bool("postgres", false, "run integration tests against PostgreSQL")
-)
-
-var records = []string{
-	"auth.example.org. A 192.168.1.100",
-	"ns1.auth.example.org. A 192.168.1.101",
-	"cn.example.org CNAME something.example.org.",
-	"!''b', unparseable ",
-	"ns2.auth.example.org. A 192.168.1.102",
-}
-
-func TestMain(m *testing.M) {
-	setupTestLogger()
-	setupConfig()
-	flag.Parse()
-
-	newDb := new(acmedb)
-	if *postgres {
-		Config.Database.Engine = "postgres"
-		err := newDb.Init("postgres", "postgres://acmedns:acmedns@localhost/acmedns")
-		if err != nil {
-			fmt.Println("PostgreSQL integration tests expect database \"acmedns\" running in localhost, with username and password set to \"acmedns\"")
-			os.Exit(1)
-		}
-	} else {
-		Config.Database.Engine = "sqlite3"
-		_ = newDb.Init("sqlite3", ":memory:")
-	}
-	DB = newDb
-	dnsserver = NewDNSServer(DB, Config.General.Listen, Config.General.Proto, Config.General.Domain)
-	dnsserver.ParseRecords(Config)
-
-	// Make sure that we're not creating a race condition in tests
-	var wg sync.WaitGroup
-	wg.Add(1)
-	dnsserver.Server.NotifyStartedFunc = func() {
-		wg.Done()
-	}
-	go dnsserver.Start(make(chan error, 1))
-	wg.Wait()
-	exitval := m.Run()
-	_ = dnsserver.Server.Shutdown()
-	DB.Close()
-	os.Exit(exitval)
-}
-
-func setupConfig() {
-	var dbcfg = dbsettings{
-		Engine:     "sqlite3",
-		Connection: ":memory:",
-	}
-
-	var generalcfg = general{
-		Domain:        "auth.example.org",
-		Listen:        "127.0.0.1:15353",
-		Proto:         "udp",
-		Nsname:        "ns1.auth.example.org",
-		Nsadmin:       "admin.example.org",
-		StaticRecords: records,
-		Debug:         false,
-	}
-
-	var httpapicfg = httpapi{
-		Domain:      "",
-		Port:        "8080",
-		TLS:         "none",
-		CorsOrigins: []string{"*"},
-		UseHeader:   false,
-		HeaderName:  "X-Forwarded-For",
-	}
-
-	var dnscfg = DNSConfig{
-		Database: dbcfg,
-		General:  generalcfg,
-		API:      httpapicfg,
-	}
-
-	Config = dnscfg
-}
-
-func setupTestLogger() {
-	log.SetOutput(io.Discard)
-	log.AddHook(loghook)
-}
-
-func loggerHasEntryWithMessage(message string) bool {
-	for _, v := range loghook.Entries {
-		if v.Message == message {
-			return true
-		}
-	}
-	return false
-}
--- a/pkg/acmedns/acmetxt.go
+++ b/pkg/acmedns/acmetxt.go
@ -0,0 +1,47 @@
+package acmedns
+
+import (
+	"net"
+
+	"github.com/google/uuid"
+)
+
+// AllowedFrom Check if IP belongs to an allowed net
+func (a ACMETxt) AllowedFrom(ip string) bool {
+	remoteIP := net.ParseIP(ip)
+	// Range not limited
+	if len(a.AllowFrom.ValidEntries()) == 0 {
+		return true
+	}
+	for _, v := range a.AllowFrom.ValidEntries() {
+		_, vnet, _ := net.ParseCIDR(v)
+		if vnet.Contains(remoteIP) {
+			return true
+		}
+	}
+	return false
+}
+
+// AllowedFromList Go through list (most likely from headers) to check for the IP.
+// Reason for this is that some setups use reverse proxy in front of acme-dns
+func (a ACMETxt) AllowedFromList(ips []string) bool {
+	if len(ips) == 0 {
+		// If no IP provided, check if no whitelist present (everyone has access)
+		return a.AllowedFrom("")
+	}
+	for _, v := range ips {
+		if a.AllowedFrom(v) {
+			return true
+		}
+	}
+	return false
+}
+
+func NewACMETxt() ACMETxt {
+	var a = ACMETxt{}
+	password := generatePassword(40)
+	a.Username = uuid.New()
+	a.Password = password
+	a.Subdomain = uuid.New().String()
+	return a
+}
--- a/pkg/acmedns/acmetxt_test.go
+++ b/pkg/acmedns/acmetxt_test.go
@ -0,0 +1,38 @@
+package acmedns
+
+import "testing"
+
+func TestAllowedFrom(t *testing.T) {
+	testslice := NewACMETxt()
+	testslice.AllowFrom = []string{"192.168.1.0/24", "2001:db8::/32"}
+	for _, test := range []struct {
+		input    string
+		expected bool
+	}{
+		{"192.168.1.42", true},
+		{"192.168.2.42", false},
+		{"2001:db8:aaaa::", true},
+		{"2001:db9:aaaa::", false},
+	} {
+		if testslice.AllowedFrom(test.input) != test.expected {
+			t.Errorf("Was expecting AllowedFrom to return %t for %s but got %t instead.", test.expected, test.input, !test.expected)
+		}
+	}
+}
+
+func TestAllowedFromList(t *testing.T) {
+	testslice := ACMETxt{AllowFrom: []string{"192.168.1.0/24", "2001:db8::/32"}}
+	if testslice.AllowedFromList([]string{"192.168.2.2", "1.1.1.1"}) != false {
+		t.Errorf("Was expecting AllowedFromList to return false")
+	}
+	if testslice.AllowedFromList([]string{"192.168.1.2", "1.1.1.1"}) != true {
+		t.Errorf("Was expecting AllowedFromList to return true")
+	}
+	allowfromall := ACMETxt{AllowFrom: []string{}}
+	if allowfromall.AllowedFromList([]string{"192.168.1.2", "1.1.1.1"}) != true {
+		t.Errorf("Expected non-restricted AlloFrom to be allowed")
+	}
+	if allowfromall.AllowedFromList([]string{}) != true {
+		t.Errorf("Expected non-restricted AlloFrom to be allowed for empty list")
+	}
+}
--- a/pkg/acmedns/cidrslice.go
+++ b/pkg/acmedns/cidrslice.go
@ -0,0 +1,35 @@
+package acmedns
+
+import (
+	"encoding/json"
+	"net"
+)
+
+// cidrslice is a list of allowed cidr ranges
+type Cidrslice []string
+
+func (c *Cidrslice) JSON() string {
+	ret, _ := json.Marshal(c.ValidEntries())
+	return string(ret)
+}
+
+func (c *Cidrslice) IsValid() error {
+	for _, v := range *c {
+		_, _, err := net.ParseCIDR(sanitizeIPv6addr(v))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *Cidrslice) ValidEntries() []string {
+	valid := []string{}
+	for _, v := range *c {
+		_, _, err := net.ParseCIDR(sanitizeIPv6addr(v))
+		if err == nil {
+			valid = append(valid, sanitizeIPv6addr(v))
+		}
+	}
+	return valid
+}
--- a/pkg/acmedns/cidrslice_test.go
+++ b/pkg/acmedns/cidrslice_test.go
@ -0,0 +1,35 @@
+package acmedns
+
+import (
+	"encoding/json"
+	"testing"
+)
+
+func TestCidrSlice(t *testing.T) {
+	for i, test := range []struct {
+		input       Cidrslice
+		expectedErr bool
+		expectedLen int
+	}{
+		{[]string{"192.168.1.0/24"}, false, 1},
+		{[]string{"shoulderror"}, true, 0},
+		{[]string{"2001:db8:aaaaa::"}, true, 0},
+		{[]string{"192.168.1.0/24", "2001:db8::/32"}, false, 2},
+	} {
+		err := test.input.IsValid()
+		if test.expectedErr && err == nil {
+			t.Errorf("Expected test %d to generate IsValid() error but it didn't", i)
+		}
+		if !test.expectedErr && err != nil {
+			t.Errorf("Expected test %d to pass IsValid() but it generated an error %s", i, err)
+		}
+		outSlice := []string{}
+		err = json.Unmarshal([]byte(test.input.JSON()), &outSlice)
+		if err != nil {
+			t.Errorf("Unexpected error when unmarshaling Cidrslice JSON: %s", err)
+		}
+		if len(outSlice) != test.expectedLen {
+			t.Errorf("Expected cidrslice JSON to be of length %d, but got %d instead for test %d", test.expectedLen, len(outSlice), i)
+		}
+	}
+}
--- a/pkg/acmedns/config.go
+++ b/pkg/acmedns/config.go
@ -0,0 +1,82 @@
+package acmedns
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/BurntSushi/toml"
+)
+
+const (
+	ApiTlsProviderNone               = "none"
+	ApiTlsProviderLetsEncrypt        = "letsencrypt"
+	ApiTlsProviderLetsEncryptStaging = "letsencryptstaging"
+	ApiTlsProviderCert               = "cert"
+)
+
+func FileIsAccessible(fname string) bool {
+	_, err := os.Stat(fname)
+	if err != nil {
+		return false
+	}
+	f, err := os.Open(fname)
+	if err != nil {
+		return false
+	}
+	f.Close()
+	return true
+}
+
+func readTomlConfig(fname string) (AcmeDnsConfig, error) {
+	var conf AcmeDnsConfig
+	_, err := toml.DecodeFile(fname, &conf)
+	if err != nil {
+		// Return with config file parsing errors from toml package
+		return conf, err
+	}
+	return prepareConfig(conf)
+}
+
+// prepareConfig checks that mandatory values exist, and can be used to set default values in the future
+func prepareConfig(conf AcmeDnsConfig) (AcmeDnsConfig, error) {
+	if conf.Database.Engine == "" {
+		return conf, errors.New("missing database configuration option \"engine\"")
+	}
+	if conf.Database.Connection == "" {
+		return conf, errors.New("missing database configuration option \"connection\"")
+	}
+
+	// Default values for options added to config to keep backwards compatibility with old config
+	if conf.API.ACMECacheDir == "" {
+		conf.API.ACMECacheDir = "api-certs"
+	}
+
+	switch conf.API.TLS {
+	case ApiTlsProviderCert, ApiTlsProviderLetsEncrypt, ApiTlsProviderLetsEncryptStaging, ApiTlsProviderNone:
+		// we have a good value
+	default:
+		return conf, fmt.Errorf("invalid value for api.tls, expected one of [%s, %s, %s, %s]", ApiTlsProviderCert, ApiTlsProviderLetsEncrypt, ApiTlsProviderLetsEncryptStaging, ApiTlsProviderNone)
+	}
+
+	return conf, nil
+}
+
+func ReadConfig(configFile, fallback string) (AcmeDnsConfig, string, error) {
+	var usedConfigFile string
+	var config AcmeDnsConfig
+	var err error
+	if FileIsAccessible(configFile) {
+		usedConfigFile = configFile
+		config, err = readTomlConfig(configFile)
+	} else if FileIsAccessible(fallback) {
+		usedConfigFile = fallback
+		config, err = readTomlConfig(fallback)
+	} else {
+		err = fmt.Errorf("configuration file not found")
+	}
+	if err != nil {
+		err = fmt.Errorf("encountered an error while trying to read configuration file:  %w", err)
+	}
+	return config, usedConfigFile, err
+}
--- a/pkg/acmedns/interfaces.go
+++ b/pkg/acmedns/interfaces.go
@ -0,0 +1,24 @@
+package acmedns
+
+import (
+	"database/sql"
+
+	"github.com/google/uuid"
+)
+
+type AcmednsDB interface {
+	Register(cidrslice Cidrslice) (ACMETxt, error)
+	GetByUsername(uuid.UUID) (ACMETxt, error)
+	GetTXTForDomain(string) ([]string, error)
+	Update(ACMETxtPost) error
+	GetBackend() *sql.DB
+	SetBackend(*sql.DB)
+	Close()
+}
+
+type AcmednsNS interface {
+	Start(errorChannel chan error)
+	SetOwnAuthKey(key string)
+	SetNotifyStartedFunc(func())
+	ParseRecords()
+}
--- a/pkg/acmedns/logging.go
+++ b/pkg/acmedns/logging.go
@ -0,0 +1,46 @@
+package acmedns
+
+import (
+	"go.uber.org/zap/zapcore"
+
+	"go.uber.org/zap"
+)
+
+func SetupLogging(config AcmeDnsConfig) (*zap.Logger, error) {
+	var (
+		logger *zap.Logger
+		zapCfg zap.Config
+		err    error
+	)
+
+	logformat := "console"
+	if config.Logconfig.Format == "json" {
+		logformat = "json"
+	}
+	outputPath := "stdout"
+	if config.Logconfig.Logtype == "file" {
+		outputPath = config.Logconfig.File
+	}
+	errorPath := "stderr"
+	if config.Logconfig.Logtype == "file" {
+		errorPath = config.Logconfig.File
+	}
+
+	zapCfg.Level, err = zap.ParseAtomicLevel(config.Logconfig.Level)
+	if err != nil {
+		return logger, err
+	}
+	zapCfg.Encoding = logformat
+	zapCfg.OutputPaths = []string{outputPath}
+	zapCfg.ErrorOutputPaths = []string{errorPath}
+	zapCfg.EncoderConfig = zapcore.EncoderConfig{
+		TimeKey:     "time",
+		MessageKey:  "msg",
+		LevelKey:    "level",
+		EncodeLevel: zapcore.LowercaseLevelEncoder,
+		EncodeTime:  zapcore.ISO8601TimeEncoder,
+	}
+
+	logger, err = zapCfg.Build()
+	return logger, err
+}
--- a/pkg/acmedns/testdata/test_read_fallback_config.toml
+++ b/pkg/acmedns/testdata/test_read_fallback_config.toml
@ -0,0 +1,36 @@
+[general]
+listen = "127.0.0.1:53"
+protocol = "both"
+domain = "test.example.org"
+nsname = "test.example.org"
+nsadmin = "test.example.org"
+records = [
+    "test.example.org. A 127.0.0.1",
+    "test.example.org. NS test.example.org.",
+]
+debug = true
+
+[database]
+engine = "dinosaur"
+connection = "roar"
+
+[api]
+ip = "0.0.0.0"
+disable_registration = false
+port = "443"
+tls = "none"
+tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
+tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"
+acme_cache_dir = "api-certs"
+notification_email = ""
+corsorigins = [
+    "*"
+]
+use_header = true
+header_name = "X-is-gonna-give-it-to-ya"
+
+[logconfig]
+loglevel = "info"
+logtype = "stdout"
+logfile = "./acme-dns.log"
+logformat = "json"
--- a/pkg/acmedns/types.go
+++ b/pkg/acmedns/types.go
@ -1,20 +1,15 @@
-package main
+package acmedns

-import (
-	"database/sql"
-	"sync"
+import "github.com/google/uuid"

-	"github.com/google/uuid"
-)
+type Account struct {
+	Username  string
+	Password  string
+	Subdomain string
+}

-// Config is global configuration struct
-var Config DNSConfig
-
-// DB is used to access the database functions in acme-dns
-var DB database
-
-// DNSConfig holds the config structure
-type DNSConfig struct {
+// AcmeDnsConfig holds the config structure
+type AcmeDnsConfig struct {
 	General   general
 	Database  dbsettings
 	API       httpapi
@ -62,18 +57,16 @@ type logconfig struct {
 	Format  string `toml:"logformat"`
 }

-type acmedb struct {
-	Mutex sync.Mutex
-	DB *sql.DB
+// ACMETxt is the default structure for the user controlled record
+type ACMETxt struct {
+	Username uuid.UUID
+	Password string
+	ACMETxtPost
+	AllowFrom Cidrslice
 }

-type database interface {
-	Init(string, string) error
-	Register(cidrslice) (ACMETxt, error)
-	GetByUsername(uuid.UUID) (ACMETxt, error)
-	GetTXTForDomain(string) ([]string, error)
-	Update(ACMETxtPost) error
-	GetBackend() *sql.DB
-	SetBackend(*sql.DB)
-	Close()
+// ACMETxtPost holds the DNS part of the ACMETxt struct
+type ACMETxtPost struct {
+	Subdomain string `json:"subdomain"`
+	Value     string `json:"txt"`
 }
--- a/pkg/acmedns/util.go
+++ b/pkg/acmedns/util.go
@ -0,0 +1,40 @@
+package acmedns
+
+import (
+	"crypto/rand"
+	"math/big"
+	"regexp"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+func sanitizeIPv6addr(s string) string {
+	// Remove brackets from IPv6 addresses, net.ParseCIDR needs this
+	re, _ := regexp.Compile(`[\[\]]+`)
+	return re.ReplaceAllString(s, "")
+}
+
+func SanitizeString(s string) string {
+	// URL safe base64 alphabet without padding as defined in ACME
+	re, _ := regexp.Compile(`[^A-Za-z\-\_0-9]+`)
+	return re.ReplaceAllString(s, "")
+}
+
+func generatePassword(length int) string {
+	ret := make([]byte, length)
+	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890-_"
+	alphalen := big.NewInt(int64(len(alphabet)))
+	for i := 0; i < length; i++ {
+		c, _ := rand.Int(rand.Reader, alphalen)
+		r := int(c.Int64())
+		ret[i] = alphabet[r]
+	}
+	return string(ret)
+}
+
+func CorrectPassword(pw string, hash string) bool {
+	if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(pw)); err == nil {
+		return true
+	}
+	return false
+}
--- a/pkg/acmedns/util_test.go
+++ b/pkg/acmedns/util_test.go
@ -0,0 +1,326 @@
+package acmedns
+
+import (
+	"fmt"
+	"math/rand/v2"
+	"os"
+	"reflect"
+	"syscall"
+	"testing"
+
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func fakeConfig() AcmeDnsConfig {
+	conf := AcmeDnsConfig{}
+	conf.Logconfig.Logtype = "stdout"
+	return conf
+}
+
+func TestSetupLogging(t *testing.T) {
+	conf := fakeConfig()
+	for i, test := range []struct {
+		format   string
+		level    string
+		expected zapcore.Level
+	}{
+		{"text", "warn", zap.WarnLevel},
+		{"json", "debug", zap.DebugLevel},
+		{"text", "info", zap.InfoLevel},
+		{"json", "error", zap.ErrorLevel},
+	} {
+		conf.Logconfig.Format = test.format
+		conf.Logconfig.Level = test.level
+		logger, err := SetupLogging(conf)
+		if err != nil {
+			t.Errorf("Got unexpected error: %s", err)
+		} else {
+			if logger.Sugar().Level() != test.expected {
+				t.Errorf("Test %d: Expected loglevel %s but got %s", i, test.expected, logger.Sugar().Level())
+			}
+		}
+	}
+}
+
+func TestSetupLoggingError(t *testing.T) {
+	conf := fakeConfig()
+	for _, test := range []struct {
+		format      string
+		level       string
+		file        string
+		errexpected bool
+	}{
+		{"text", "warn", "", false},
+		{"json", "debug", "", false},
+		{"text", "info", "", false},
+		{"json", "error", "", false},
+		{"text", "something", "", true},
+		{"text", "info", "a path with\" in its name.txt", false},
+	} {
+		conf.Logconfig.Format = test.format
+		conf.Logconfig.Level = test.level
+		if test.file != "" {
+			conf.Logconfig.File = test.file
+			conf.Logconfig.Logtype = "file"
+
+		}
+		_, err := SetupLogging(conf)
+		if test.errexpected && err == nil {
+			t.Errorf("Expected error but did not get one for loglevel: %s", err)
+		} else if !test.errexpected && err != nil {
+			t.Errorf("Unexpected error: %s", err)
+		}
+
+		// clean up the file zap creates
+		if test.file != "" {
+			_ = os.Remove(test.file)
+		}
+	}
+}
+
+func TestReadConfig(t *testing.T) {
+	for i, test := range []struct {
+		inFile []byte
+		output AcmeDnsConfig
+	}{
+		{
+			[]byte("[general]\nlisten = \":53\"\ndebug = true\n[api]\napi_domain = \"something.strange\""),
+			AcmeDnsConfig{
+				General: general{
+					Listen: ":53",
+					Debug:  true,
+				},
+				API: httpapi{
+					Domain: "something.strange",
+				},
+			},
+		},
+
+		{
+			[]byte("[\x00[[[[[[[[[de\nlisten =]"),
+			AcmeDnsConfig{},
+		},
+	} {
+		tmpfile, err := os.CreateTemp("", "acmedns")
+		if err != nil {
+			t.Fatalf("Could not create temporary file: %s", err)
+		}
+		defer os.Remove(tmpfile.Name())
+
+		if _, err := tmpfile.Write(test.inFile); err != nil {
+			t.Error("Could not write to temporary file")
+		}
+
+		if err := tmpfile.Close(); err != nil {
+			t.Error("Could not close temporary file")
+		}
+		ret, _, _ := ReadConfig(tmpfile.Name(), "")
+		if ret.General.Listen != test.output.General.Listen {
+			t.Errorf("Test %d: Expected listen value %s, but got %s", i, test.output.General.Listen, ret.General.Listen)
+		}
+		if ret.API.Domain != test.output.API.Domain {
+			t.Errorf("Test %d: Expected HTTP API domain %s, but got %s", i, test.output.API.Domain, ret.API.Domain)
+		}
+	}
+}
+
+func TestReadConfigFallback(t *testing.T) {
+	var (
+		path string
+		err  error
+	)
+
+	testPath := "testdata/test_read_fallback_config.toml"
+
+	path, err = getNonExistentPath()
+	if err != nil {
+		t.Errorf("failed getting non existant path: %s", err)
+	}
+
+	cfg, used, err := ReadConfig(path, testPath)
+	if err != nil {
+		t.Fatalf("failed to read a config file when we should have: %s", err)
+	}
+
+	if used != testPath {
+		t.Fatalf("we read from the wrong file. got: %s, want: %s", used, testPath)
+	}
+
+	expected := AcmeDnsConfig{
+		General: general{
+			Listen:  "127.0.0.1:53",
+			Proto:   "both",
+			Domain:  "test.example.org",
+			Nsname:  "test.example.org",
+			Nsadmin: "test.example.org",
+			Debug:   true,
+			StaticRecords: []string{
+				"test.example.org. A 127.0.0.1",
+				"test.example.org. NS test.example.org.",
+			},
+		},
+		Database: dbsettings{
+			Engine:     "dinosaur",
+			Connection: "roar",
+		},
+		API: httpapi{
+			Domain:              "",
+			IP:                  "0.0.0.0",
+			DisableRegistration: false,
+			AutocertPort:        "",
+			Port:                "443",
+			TLS:                 "none",
+			TLSCertPrivkey:      "/etc/tls/example.org/privkey.pem",
+			TLSCertFullchain:    "/etc/tls/example.org/fullchain.pem",
+			ACMECacheDir:        "api-certs",
+			NotificationEmail:   "",
+			CorsOrigins:         []string{"*"},
+			UseHeader:           true,
+			HeaderName:          "X-is-gonna-give-it-to-ya",
+		},
+		Logconfig: logconfig{
+			Level:   "info",
+			Logtype: "stdout",
+			File:    "./acme-dns.log",
+			Format:  "json",
+		},
+	}
+
+	if !reflect.DeepEqual(cfg, expected) {
+		t.Errorf("Did not read the config correctly: got %+v, want: %+v", cfg, expected)
+	}
+
+}
+
+func getNonExistentPath() (string, error) {
+	path := fmt.Sprintf("/some/path/that/should/not/exist/on/any/filesystem/%10d.cfg", rand.Int())
+
+	if _, err := os.Stat(path); os.IsNotExist(err) {
+		return path, nil
+	}
+
+	return "", fmt.Errorf("attempted non existant file exists!?: %s", path)
+}
+
+// TestReadConfigFallbackError makes sure we error when we do not have a fallback config file
+func TestReadConfigFallbackError(t *testing.T) {
+	var (
+		badPaths []string
+		i        int
+	)
+	for len(badPaths) < 2 && i < 10 {
+		i++
+
+		if path, err := getNonExistentPath(); err == nil {
+			badPaths = append(badPaths, path)
+		}
+	}
+
+	if len(badPaths) != 2 {
+		t.Fatalf("did not create exactly 2 bad paths")
+	}
+
+	_, _, err := ReadConfig(badPaths[0], badPaths[1])
+	if err == nil {
+		t.Errorf("Should have failed reading non existant file: %s", err)
+	}
+}
+
+func TestFileCheckPermissionDenied(t *testing.T) {
+	tmpfile, err := os.CreateTemp("", "acmedns")
+	if err != nil {
+		t.Fatalf("Could not create temporary file: %s", err)
+	}
+	defer os.Remove(tmpfile.Name())
+	_ = syscall.Chmod(tmpfile.Name(), 0000)
+	if FileIsAccessible(tmpfile.Name()) {
+		t.Errorf("File should not be accessible")
+	}
+	_ = syscall.Chmod(tmpfile.Name(), 0644)
+}
+
+func TestFileCheckNotExists(t *testing.T) {
+	if FileIsAccessible("/path/that/does/not/exist") {
+		t.Errorf("File should not be accessible")
+	}
+}
+
+func TestFileCheckOK(t *testing.T) {
+	tmpfile, err := os.CreateTemp("", "acmedns")
+	if err != nil {
+		t.Fatalf("Could not create temporary file: %s", err)
+	}
+	defer os.Remove(tmpfile.Name())
+	if !FileIsAccessible(tmpfile.Name()) {
+		t.Errorf("File should be accessible")
+	}
+}
+
+func TestPrepareConfig(t *testing.T) {
+	for i, test := range []struct {
+		input       AcmeDnsConfig
+		shoulderror bool
+	}{
+		{AcmeDnsConfig{
+			Database: dbsettings{Engine: "whatever", Connection: "whatever_too"},
+			API:      httpapi{TLS: ApiTlsProviderNone},
+		}, false},
+		{AcmeDnsConfig{Database: dbsettings{Engine: "", Connection: "whatever_too"},
+			API: httpapi{TLS: ApiTlsProviderNone},
+		}, true},
+		{AcmeDnsConfig{Database: dbsettings{Engine: "whatever", Connection: ""},
+			API: httpapi{TLS: ApiTlsProviderNone},
+		}, true},
+		{AcmeDnsConfig{
+			Database: dbsettings{Engine: "whatever", Connection: "whatever_too"},
+			API:      httpapi{TLS: "whatever"},
+		}, true},
+	} {
+		_, err := prepareConfig(test.input)
+		if test.shoulderror {
+			if err == nil {
+				t.Errorf("Test %d: Expected error with prepareConfig input data [%v]", i, test.input)
+			}
+		} else {
+			if err != nil {
+				t.Errorf("Test %d: Expected no error with prepareConfig input data [%v]", i, test.input)
+			}
+		}
+	}
+}
+
+func TestSanitizeString(t *testing.T) {
+	for i, test := range []struct {
+		input    string
+		expected string
+	}{
+		{"abcd!abcd", "abcdabcd"},
+		{"ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvwxyz0123456789", "ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvwxyz0123456789"},
+		{"ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopq=@rstuvwxyz0123456789", "ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvwxyz0123456789"},
+	} {
+		if SanitizeString(test.input) != test.expected {
+			t.Errorf("Expected SanitizeString to return %s for test %d, but got %s instead", test.expected, i, SanitizeString(test.input))
+		}
+	}
+}
+
+func TestCorrectPassword(t *testing.T) {
+	testPass, _ := bcrypt.GenerateFromPassword([]byte("nevergonnagiveyouup"), 10)
+	for i, test := range []struct {
+		input    string
+		expected bool
+	}{
+		{"abcd", false},
+		{"nevergonnagiveyouup", true},
+		{"@rstuvwxyz0123456789", false},
+	} {
+		if test.expected && !CorrectPassword(test.input, string(testPass)) {
+			t.Errorf("Expected CorrectPassword to return %t for test %d", test.expected, i)
+		}
+		if !test.expected && CorrectPassword(test.input, string(testPass)) {
+			t.Errorf("Expected CorrectPassword to return %t for test %d", test.expected, i)
+		}
+	}
+}
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@ -0,0 +1,135 @@
+package api
+
+import (
+	"context"
+	"crypto/tls"
+	"net/http"
+	"time"
+
+	"github.com/joohoi/acme-dns/pkg/acmedns"
+
+	"github.com/caddyserver/certmagic"
+	"github.com/julienschmidt/httprouter"
+	"github.com/rs/cors"
+	"go.uber.org/zap"
+)
+
+type AcmednsAPI struct {
+	Config  *acmedns.AcmeDnsConfig
+	DB      acmedns.AcmednsDB
+	Logger  *zap.SugaredLogger
+	errChan chan error
+}
+
+func Init(config *acmedns.AcmeDnsConfig, db acmedns.AcmednsDB, logger *zap.SugaredLogger, errChan chan error) AcmednsAPI {
+	a := AcmednsAPI{Config: config, DB: db, Logger: logger, errChan: errChan}
+	return a
+}
+
+func (a *AcmednsAPI) Start(dnsservers []acmedns.AcmednsNS) {
+	var err error
+	//TODO: do we want to debug log the HTTP server?
+	stderrorlog, err := zap.NewStdLogAt(a.Logger.Desugar(), zap.ErrorLevel)
+	if err != nil {
+		a.errChan <- err
+		return
+	}
+	api := httprouter.New()
+	c := cors.New(cors.Options{
+		AllowedOrigins:     a.Config.API.CorsOrigins,
+		AllowedMethods:     []string{"GET", "POST"},
+		OptionsPassthrough: false,
+		Debug:              a.Config.General.Debug,
+	})
+	if a.Config.General.Debug {
+		// Logwriter for saner log output
+		c.Log = stderrorlog
+	}
+	if !a.Config.API.DisableRegistration {
+		api.POST("/register", a.webRegisterPost)
+	}
+	api.POST("/update", a.Auth(a.webUpdatePost))
+	api.GET("/health", a.healthCheck)
+
+	host := a.Config.API.IP + ":" + a.Config.API.Port
+
+	// TLS specific general settings
+	cfg := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+	}
+
+	switch a.Config.API.TLS {
+	case acmedns.ApiTlsProviderLetsEncrypt, acmedns.ApiTlsProviderLetsEncryptStaging:
+		magic := a.setupTLS(dnsservers)
+		err = magic.ManageAsync(context.Background(), []string{a.Config.General.Domain})
+		if err != nil {
+			a.errChan <- err
+			return
+		}
+		cfg.GetCertificate = magic.GetCertificate
+		srv := &http.Server{
+			Addr:         host,
+			Handler:      c.Handler(api),
+			TLSConfig:    cfg,
+			ErrorLog:     stderrorlog,
+			ReadTimeout:  5 * time.Second,
+			WriteTimeout: 10 * time.Second,
+			IdleTimeout:  120 * time.Second,
+		}
+		a.Logger.Infow("Listening HTTPS",
+			"host", host,
+			"domain", a.Config.General.Domain)
+		err = srv.ListenAndServeTLS("", "")
+	case acmedns.ApiTlsProviderCert:
+		srv := &http.Server{
+			Addr:         host,
+			Handler:      c.Handler(api),
+			TLSConfig:    cfg,
+			ErrorLog:     stderrorlog,
+			ReadTimeout:  5 * time.Second,
+			WriteTimeout: 10 * time.Second,
+			IdleTimeout:  120 * time.Second,
+		}
+		a.Logger.Infow("Listening HTTPS",
+			"host", host,
+			"domain", a.Config.General.Domain)
+		err = srv.ListenAndServeTLS(a.Config.API.TLSCertFullchain, a.Config.API.TLSCertPrivkey)
+	default:
+		a.Logger.Infow("Listening HTTP",
+			"host", host)
+		err = http.ListenAndServe(host, c.Handler(api))
+	}
+	if err != nil {
+		a.errChan <- err
+	}
+}
+
+func (a *AcmednsAPI) setupTLS(dnsservers []acmedns.AcmednsNS) *certmagic.Config {
+	provider := NewChallengeProvider(dnsservers)
+	certmagic.Default.Logger = a.Logger.Desugar()
+	storage := certmagic.FileStorage{Path: a.Config.API.ACMECacheDir}
+
+	// Set up certmagic for getting certificate for acme-dns api
+	certmagic.DefaultACME.DNS01Solver = &provider
+	certmagic.DefaultACME.Agreed = true
+	certmagic.DefaultACME.Logger = a.Logger.Desugar()
+	if a.Config.API.TLS == acmedns.ApiTlsProviderLetsEncrypt {
+		certmagic.DefaultACME.CA = certmagic.LetsEncryptProductionCA
+	} else {
+		certmagic.DefaultACME.CA = certmagic.LetsEncryptStagingCA
+	}
+	certmagic.DefaultACME.Email = a.Config.API.NotificationEmail
+
+	magicConf := certmagic.Default
+	magicConf.Logger = a.Logger.Desugar()
+	magicConf.Storage = &storage
+	magicConf.DefaultServerName = a.Config.General.Domain
+	magicCache := certmagic.NewCache(certmagic.CacheOptions{
+		GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
+			return &magicConf, nil
+		},
+		Logger: a.Logger.Desugar(),
+	})
+	magic := certmagic.New(magicCache, magicConf)
+	return magic
+}
--- a/pkg/api/api_test.go
+++ b/pkg/api/api_test.go
@ -1,4 +1,4 @@
-package main
+package api

 import (
 	"context"
@ -8,17 +8,31 @@ import (
 	"net/http/httptest"
 	"testing"

+	"github.com/joohoi/acme-dns/pkg/acmedns"
+	"github.com/joohoi/acme-dns/pkg/database"
+	"github.com/joohoi/acme-dns/pkg/nameserver"
+
 	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/caddyserver/certmagic"
 	"github.com/gavv/httpexpect"
 	"github.com/google/uuid"
 	"github.com/julienschmidt/httprouter"
 	"github.com/rs/cors"
+	"go.uber.org/zap"
 )

+func fakeConfigAndLogger() (acmedns.AcmeDnsConfig, *zap.SugaredLogger) {
+	c := acmedns.AcmeDnsConfig{}
+	c.Database.Engine = "sqlite"
+	c.Database.Connection = ":memory:"
+	l := zap.NewNop().Sugar()
+	return c, l
+}
+
 // noAuth function to write ACMETxt model to context while not preforming any validation
 func noAuth(update httprouter.Handle) httprouter.Handle {
 	return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
-		postData := ACMETxt{}
+		postData := acmedns.ACMETxt{}
 		uname := r.Header.Get("X-Api-User")
 		passwd := r.Header.Get("X-Api-Key")

@ -46,42 +60,37 @@ func getExpect(t *testing.T, server *httptest.Server) *httpexpect.Expect {
 	})
 }

-func setupRouter(debug bool, noauth bool) http.Handler {
+func setupRouter(debug bool, noauth bool) (http.Handler, AcmednsAPI, acmedns.AcmednsDB) {
 	api := httprouter.New()
-	var dbcfg = dbsettings{
-		Engine:     "sqlite3",
-		Connection: ":memory:"}
-	var httpapicfg = httpapi{
-		Domain:      "",
-		Port:        "8080",
-		TLS:         "none",
-		CorsOrigins: []string{"*"},
-		UseHeader:   true,
-		HeaderName:  "X-Forwarded-For",
-	}
-	var dnscfg = DNSConfig{
-		API:      httpapicfg,
-		Database: dbcfg,
-	}
-	Config = dnscfg
+	config, logger := fakeConfigAndLogger()
+	config.API.Domain = ""
+	config.API.Port = "8080"
+	config.API.TLS = acmedns.ApiTlsProviderNone
+	config.API.CorsOrigins = []string{"*"}
+	config.API.UseHeader = true
+	config.API.HeaderName = "X-Forwarded-For"
+
+	db, _ := database.Init(&config, logger)
+	errChan := make(chan error, 1)
+	adnsapi := Init(&config, db, logger, errChan)
 	c := cors.New(cors.Options{
-		AllowedOrigins:     Config.API.CorsOrigins,
+		AllowedOrigins:     config.API.CorsOrigins,
 		AllowedMethods:     []string{"GET", "POST"},
 		OptionsPassthrough: false,
-		Debug:              Config.General.Debug,
+		Debug:              config.General.Debug,
 	})
-	api.POST("/register", webRegisterPost)
-	api.GET("/health", healthCheck)
+	api.POST("/register", adnsapi.webRegisterPost)
+	api.GET("/health", adnsapi.healthCheck)
 	if noauth {
-		api.POST("/update", noAuth(webUpdatePost))
+		api.POST("/update", noAuth(adnsapi.webUpdatePost))
 	} else {
-		api.POST("/update", Auth(webUpdatePost))
+		api.POST("/update", adnsapi.Auth(adnsapi.webUpdatePost))
 	}
-	return c.Handler(api)
+	return c.Handler(api), adnsapi, db
 }

 func TestApiRegister(t *testing.T) {
-	router := setupRouter(false, false)
+	router, _, _ := setupRouter(false, false)
 	server := httptest.NewServer(router)
 	defer server.Close()
 	e := getExpect(t, server)
@ -95,7 +104,7 @@ func TestApiRegister(t *testing.T) {
 		NotContainsKey("error")

 	allowfrom := map[string][]interface{}{
-		"allowfrom": []interface{}{"123.123.123.123/32",
+		"allowfrom": {"123.123.123.123/32",
 			"2001:db8:a0b:12f0::1/32",
 			"[::1]/64",
 		},
@ -117,7 +126,7 @@ func TestApiRegister(t *testing.T) {
 }

 func TestApiRegisterBadAllowFrom(t *testing.T) {
-	router := setupRouter(false, false)
+	router, _, _ := setupRouter(false, false)
 	server := httptest.NewServer(router)
 	defer server.Close()
 	e := getExpect(t, server)
@ -133,7 +142,7 @@ func TestApiRegisterBadAllowFrom(t *testing.T) {
 	for _, v := range invalidVals {

 		allowfrom := map[string][]interface{}{
-			"allowfrom": []interface{}{v}}
+			"allowfrom": {v}}

 		response := e.POST("/register").
 			WithJSON(allowfrom).
@ -147,7 +156,7 @@ func TestApiRegisterBadAllowFrom(t *testing.T) {
 }

 func TestApiRegisterMalformedJSON(t *testing.T) {
-	router := setupRouter(false, false)
+	router, _, _ := setupRouter(false, false)
 	server := httptest.NewServer(router)
 	defer server.Close()
 	e := getExpect(t, server)
@ -174,13 +183,13 @@ func TestApiRegisterMalformedJSON(t *testing.T) {
 }

 func TestApiRegisterWithMockDB(t *testing.T) {
-	router := setupRouter(false, false)
+	router, _, db := setupRouter(false, false)
 	server := httptest.NewServer(router)
 	defer server.Close()
 	e := getExpect(t, server)
-	oldDb := DB.GetBackend()
-	db, mock, _ := sqlmock.New()
-	DB.SetBackend(db)
+	oldDb := db.GetBackend()
+	mdb, mock, _ := sqlmock.New()
+	db.SetBackend(mdb)
 	defer db.Close()
 	mock.ExpectBegin()
 	mock.ExpectPrepare("INSERT INTO records").WillReturnError(errors.New("error"))
@ -188,7 +197,7 @@ func TestApiRegisterWithMockDB(t *testing.T) {
 		Status(http.StatusInternalServerError).
 		JSON().Object().
 		ContainsKey("error")
-	DB.SetBackend(oldDb)
+	db.SetBackend(oldDb)
 }

 func TestApiUpdateWithInvalidSubdomain(t *testing.T) {
@ -198,11 +207,11 @@ func TestApiUpdateWithInvalidSubdomain(t *testing.T) {
 		"subdomain": "",
 		"txt":       ""}

-	router := setupRouter(false, false)
+	router, _, db := setupRouter(false, false)
 	server := httptest.NewServer(router)
 	defer server.Close()
 	e := getExpect(t, server)
-	newUser, err := DB.Register(cidrslice{})
+	newUser, err := db.Register(acmedns.Cidrslice{})
 	if err != nil {
 		t.Errorf("Could not create new user, got error [%v]", err)
 	}
@ -228,11 +237,11 @@ func TestApiUpdateWithInvalidTxt(t *testing.T) {
 		"subdomain": "",
 		"txt":       ""}

-	router := setupRouter(false, false)
+	router, _, db := setupRouter(false, false)
 	server := httptest.NewServer(router)
 	defer server.Close()
 	e := getExpect(t, server)
-	newUser, err := DB.Register(cidrslice{})
+	newUser, err := db.Register(acmedns.Cidrslice{})
 	if err != nil {
 		t.Errorf("Could not create new user, got error [%v]", err)
 	}
@ -252,7 +261,7 @@ func TestApiUpdateWithInvalidTxt(t *testing.T) {
 }

 func TestApiUpdateWithoutCredentials(t *testing.T) {
-	router := setupRouter(false, false)
+	router, _, _ := setupRouter(false, false)
 	server := httptest.NewServer(router)
 	defer server.Close()
 	e := getExpect(t, server)
@ -270,11 +279,11 @@ func TestApiUpdateWithCredentials(t *testing.T) {
 		"subdomain": "",
 		"txt":       ""}

-	router := setupRouter(false, false)
+	router, _, db := setupRouter(false, false)
 	server := httptest.NewServer(router)
 	defer server.Close()
 	e := getExpect(t, server)
-	newUser, err := DB.Register(cidrslice{})
+	newUser, err := db.Register(acmedns.Cidrslice{})
 	if err != nil {
 		t.Errorf("Could not create new user, got error [%v]", err)
 	}
@ -303,13 +312,13 @@ func TestApiUpdateWithCredentialsMockDB(t *testing.T) {
 	updateJSON["subdomain"] = "a097455b-52cc-4569-90c8-7a4b97c6eba8"
 	updateJSON["txt"] = validTxtData

-	router := setupRouter(false, true)
+	router, _, db := setupRouter(false, true)
 	server := httptest.NewServer(router)
 	defer server.Close()
 	e := getExpect(t, server)
-	oldDb := DB.GetBackend()
-	db, mock, _ := sqlmock.New()
-	DB.SetBackend(db)
+	oldDb := db.GetBackend()
+	mdb, mock, _ := sqlmock.New()
+	db.SetBackend(mdb)
 	defer db.Close()
 	mock.ExpectBegin()
 	mock.ExpectPrepare("UPDATE records").WillReturnError(errors.New("error"))
@ -319,31 +328,31 @@ func TestApiUpdateWithCredentialsMockDB(t *testing.T) {
 		Status(http.StatusInternalServerError).
 		JSON().Object().
 		ContainsKey("error")
-	DB.SetBackend(oldDb)
+	db.SetBackend(oldDb)
 }

 func TestApiManyUpdateWithCredentials(t *testing.T) {
 	validTxtData := "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

-	router := setupRouter(true, false)
+	router, _, db := setupRouter(true, false)
 	server := httptest.NewServer(router)
 	defer server.Close()
 	e := getExpect(t, server)
 	// User without defined CIDR masks
-	newUser, err := DB.Register(cidrslice{})
+	newUser, err := db.Register(acmedns.Cidrslice{})
 	if err != nil {
 		t.Errorf("Could not create new user, got error [%v]", err)
 	}

 	// User with defined allow from - CIDR masks, all invalid
 	// (httpexpect doesn't provide a way to mock remote ip)
-	newUserWithCIDR, err := DB.Register(cidrslice{"192.168.1.1/32", "invalid"})
+	newUserWithCIDR, err := db.Register(acmedns.Cidrslice{"192.168.1.1/32", "invalid"})
 	if err != nil {
 		t.Errorf("Could not create new user with CIDR, got error [%v]", err)
 	}

 	// Another user with valid CIDR mask to match the httpexpect default
-	newUserWithValidCIDR, err := DB.Register(cidrslice{"10.1.2.3/32", "invalid"})
+	newUserWithValidCIDR, err := db.Register(acmedns.Cidrslice{"10.1.2.3/32", "invalid"})
 	if err != nil {
 		t.Errorf("Could not create new user with a valid CIDR, got error [%v]", err)
 	}
@ -381,30 +390,30 @@ func TestApiManyUpdateWithCredentials(t *testing.T) {

 func TestApiManyUpdateWithIpCheckHeaders(t *testing.T) {

-	router := setupRouter(false, false)
+	router, adnsapi, db := setupRouter(false, false)
 	server := httptest.NewServer(router)
 	defer server.Close()
 	e := getExpect(t, server)
 	// Use header checks from default header (X-Forwarded-For)
-	Config.API.UseHeader = true
+	adnsapi.Config.API.UseHeader = true
 	// User without defined CIDR masks
-	newUser, err := DB.Register(cidrslice{})
+	newUser, err := db.Register(acmedns.Cidrslice{})
 	if err != nil {
 		t.Errorf("Could not create new user, got error [%v]", err)
 	}

-	newUserWithCIDR, err := DB.Register(cidrslice{"192.168.1.2/32", "invalid"})
+	newUserWithCIDR, err := db.Register(acmedns.Cidrslice{"192.168.1.2/32", "invalid"})
 	if err != nil {
 		t.Errorf("Could not create new user with CIDR, got error [%v]", err)
 	}

-	newUserWithIP6CIDR, err := DB.Register(cidrslice{"2002:c0a8::0/32"})
+	newUserWithIP6CIDR, err := db.Register(acmedns.Cidrslice{"2002:c0a8::0/32"})
 	if err != nil {
 		t.Errorf("Could not create a new user with IP6 CIDR, got error [%v]", err)
 	}

 	for _, test := range []struct {
-		user        ACMETxt
+		user        acmedns.ACMETxt
 		headerValue string
 		status      int
 	}{
@ -428,13 +437,97 @@ func TestApiManyUpdateWithIpCheckHeaders(t *testing.T) {
 			Expect().
 			Status(test.status)
 	}
-	Config.API.UseHeader = false
+	adnsapi.Config.API.UseHeader = false
 }

 func TestApiHealthCheck(t *testing.T) {
-	router := setupRouter(false, false)
+	router, _, _ := setupRouter(false, false)
 	server := httptest.NewServer(router)
 	defer server.Close()
 	e := getExpect(t, server)
 	e.GET("/health").Expect().Status(http.StatusOK)
 }
+
+func TestGetIPListFromHeader(t *testing.T) {
+	for i, test := range []struct {
+		input  string
+		output []string
+	}{
+		{"1.1.1.1, 2.2.2.2", []string{"1.1.1.1", "2.2.2.2"}},
+		{" 1.1.1.1 , 2.2.2.2", []string{"1.1.1.1", "2.2.2.2"}},
+		{",1.1.1.1 ,2.2.2.2", []string{"1.1.1.1", "2.2.2.2"}},
+	} {
+		res := getIPListFromHeader(test.input)
+		if len(res) != len(test.output) {
+			t.Errorf("Test %d: Expected [%d] items in return list, but got [%d]", i, len(test.output), len(res))
+		} else {
+
+			for j, vv := range test.output {
+				if res[j] != vv {
+					t.Errorf("Test %d: Expected return value [%v] but got [%v]", j, test.output, res)
+				}
+
+			}
+		}
+	}
+}
+
+func TestUpdateAllowedFromIP(t *testing.T) {
+	_, adnsapi, _ := setupRouter(false, false)
+	adnsapi.Config.API.UseHeader = false
+	userWithAllow := acmedns.NewACMETxt()
+	userWithAllow.AllowFrom = acmedns.Cidrslice{"192.168.1.2/32", "[::1]/128"}
+	userWithoutAllow := acmedns.NewACMETxt()
+
+	for i, test := range []struct {
+		remoteaddr string
+		expected   bool
+	}{
+		{"192.168.1.2:1234", true},
+		{"192.168.1.1:1234", false},
+		{"invalid", false},
+		{"[::1]:4567", true},
+	} {
+		newreq, _ := http.NewRequest("GET", "/whatever", nil)
+		newreq.RemoteAddr = test.remoteaddr
+		ret := adnsapi.updateAllowedFromIP(newreq, userWithAllow)
+		if test.expected != ret {
+			t.Errorf("Test %d: Unexpected result for user with allowForm set", i)
+		}
+
+		if !adnsapi.updateAllowedFromIP(newreq, userWithoutAllow) {
+			t.Errorf("Test %d: Unexpected result for user without allowForm set", i)
+		}
+	}
+}
+
+func TestSetupTLS(t *testing.T) {
+	_, svr, _ := setupRouter(false, false)
+
+	for _, test := range []struct {
+		apiTls     string
+		expectedCA string
+	}{
+		{
+			apiTls:     acmedns.ApiTlsProviderLetsEncrypt,
+			expectedCA: certmagic.LetsEncryptProductionCA,
+		},
+		{
+			apiTls:     acmedns.ApiTlsProviderLetsEncryptStaging,
+			expectedCA: certmagic.LetsEncryptStagingCA,
+		},
+	} {
+		svr.Config.API.TLS = test.apiTls
+		ns := &nameserver.Nameserver{}
+		magic := svr.setupTLS([]acmedns.AcmednsNS{ns})
+
+		if test.expectedCA != certmagic.DefaultACME.CA {
+			t.Errorf("failed to configure default ACME CA. got %s, want %s", certmagic.DefaultACME.CA, test.expectedCA)
+		}
+
+		if magic.DefaultServerName != svr.Config.General.Domain {
+			t.Errorf("failed to set the correct doman. got: %s, want %s", magic.DefaultServerName, svr.Config.General.Domain)
+		}
+	}
+
+}
--- a/pkg/api/auth.go
+++ b/pkg/api/auth.go
@ -0,0 +1,103 @@
+package api
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+
+	"github.com/julienschmidt/httprouter"
+
+	"github.com/joohoi/acme-dns/pkg/acmedns"
+)
+
+type key int
+
+// ACMETxtKey is a context key for ACMETxt struct
+const ACMETxtKey key = 0
+
+// Auth middleware for update request
+func (a *AcmednsAPI) Auth(update httprouter.Handle) httprouter.Handle {
+	return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
+		postData := acmedns.ACMETxt{}
+		userOK := false
+		user, err := a.getUserFromRequest(r)
+		if err == nil {
+			if a.updateAllowedFromIP(r, user) {
+				dec := json.NewDecoder(r.Body)
+				err = dec.Decode(&postData)
+				if err != nil {
+					a.Logger.Errorw("Decoding error",
+						"error", "json_error")
+				}
+				if user.Subdomain == postData.Subdomain {
+					userOK = true
+				} else {
+					a.Logger.Errorw("Subdomain mismatch",
+						"error", "subdomain_mismatch",
+						"name", postData.Subdomain,
+						"expected", user.Subdomain)
+				}
+			} else {
+				a.Logger.Errorw("Update not allowed from IP",
+					"error", "ip_unauthorized")
+			}
+		} else {
+			a.Logger.Errorw("Error while trying to get user",
+				"error", err.Error())
+		}
+		if userOK {
+			// Set user info to the decoded ACMETxt object
+			postData.Username = user.Username
+			postData.Password = user.Password
+			// Set the ACMETxt struct to context to pull in from update function
+			ctx := context.WithValue(r.Context(), ACMETxtKey, postData)
+			update(w, r.WithContext(ctx), p)
+		} else {
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusUnauthorized)
+			_, _ = w.Write(jsonError("forbidden"))
+		}
+	}
+}
+
+func (a *AcmednsAPI) getUserFromRequest(r *http.Request) (acmedns.ACMETxt, error) {
+	uname := r.Header.Get("X-Api-User")
+	passwd := r.Header.Get("X-Api-Key")
+	username, err := getValidUsername(uname)
+	if err != nil {
+		return acmedns.ACMETxt{}, fmt.Errorf("invalid username: %s: %w", uname, err)
+	}
+	if validKey(passwd) {
+		dbuser, err := a.DB.GetByUsername(username)
+		if err != nil {
+			a.Logger.Errorw("Error while trying to get user",
+				"error", err.Error())
+			// To protect against timed side channel (never gonna give you up)
+			acmedns.CorrectPassword(passwd, "$2a$10$8JEFVNYYhLoBysjAxe2yBuXrkDojBQBkVpXEQgyQyjn43SvJ4vL36")
+
+			return acmedns.ACMETxt{}, fmt.Errorf("invalid username: %s", uname)
+		}
+		if acmedns.CorrectPassword(passwd, dbuser.Password) {
+			return dbuser, nil
+		}
+		return acmedns.ACMETxt{}, fmt.Errorf("invalid password for user %s", uname)
+	}
+	return acmedns.ACMETxt{}, fmt.Errorf("invalid key for user %s", uname)
+}
+
+func (a *AcmednsAPI) updateAllowedFromIP(r *http.Request, user acmedns.ACMETxt) bool {
+	if a.Config.API.UseHeader {
+		ips := getIPListFromHeader(r.Header.Get(a.Config.API.HeaderName))
+		return user.AllowedFromList(ips)
+	}
+	host, _, err := net.SplitHostPort(r.RemoteAddr)
+	if err != nil {
+		a.Logger.Errorw("Error while parsing remote address",
+			"error", err.Error(),
+			"remoteaddr", r.RemoteAddr)
+		host = ""
+	}
+	return user.AllowedFrom(host)
+}
--- a/pkg/api/challengeprovider.go
+++ b/pkg/api/challengeprovider.go
@ -1,25 +1,27 @@
-package main
+package api

 import (
 	"context"

-	"github.com/mholt/acmez/v2/acme"
+	"github.com/mholt/acmez/v3/acme"
+
+	"github.com/joohoi/acme-dns/pkg/acmedns"
 )

 // ChallengeProvider implements go-acme/lego Provider interface which is used for ACME DNS challenge handling
 type ChallengeProvider struct {
-	servers []*DNSServer
+	servers []acmedns.AcmednsNS
 }

 // NewChallengeProvider creates a new instance of ChallengeProvider
-func NewChallengeProvider(servers []*DNSServer) ChallengeProvider {
+func NewChallengeProvider(servers []acmedns.AcmednsNS) ChallengeProvider {
 	return ChallengeProvider{servers: servers}
 }

 // Present is used for making the ACME DNS challenge token available for DNS
 func (c *ChallengeProvider) Present(ctx context.Context, challenge acme.Challenge) error {
 	for _, s := range c.servers {
-		s.PersonalKeyAuth = challenge.DNS01KeyAuthorization()
+		s.SetOwnAuthKey(challenge.DNS01KeyAuthorization())
 	}
 	return nil
 }
@ -27,7 +29,7 @@ func (c *ChallengeProvider) Present(ctx context.Context, challenge acme.Challeng
 // CleanUp is called after the run to remove the ACME DNS challenge tokens from DNS records
 func (c *ChallengeProvider) CleanUp(ctx context.Context, _ acme.Challenge) error {
 	for _, s := range c.servers {
-		s.PersonalKeyAuth = ""
+		s.SetOwnAuthKey("")
 	}
 	return nil
 }
--- a/pkg/api/challengeprovider_test.go
+++ b/pkg/api/challengeprovider_test.go
@ -0,0 +1,56 @@
+package api
+
+import (
+	"context"
+	"testing"
+
+	"github.com/joohoi/acme-dns/pkg/acmedns"
+	"github.com/mholt/acmez/v3/acme"
+)
+
+type mockNameserver struct {
+	acmedns.AcmednsNS
+	authKey string
+}
+
+func (m *mockNameserver) SetOwnAuthKey(key string) {
+	m.authKey = key
+}
+
+func TestChallengeProvider(t *testing.T) {
+	mock := &mockNameserver{}
+	servers := []acmedns.AcmednsNS{mock}
+	cp := NewChallengeProvider(servers)
+
+	ctx := context.Background()
+	challenge := acme.Challenge{
+		Type:             "dns-01",
+		Token:            "test-token",
+		KeyAuthorization: "test-key-auth",
+	}
+
+	// Test Present
+	err := cp.Present(ctx, challenge)
+	if err != nil {
+		t.Errorf("Present failed: %v", err)
+	}
+	expectedKey := challenge.DNS01KeyAuthorization()
+	if mock.authKey != expectedKey {
+		t.Errorf("Expected auth key %s, got %s", expectedKey, mock.authKey)
+	}
+
+	// Test CleanUp
+	err = cp.CleanUp(ctx, challenge)
+	if err != nil {
+		t.Errorf("CleanUp failed: %v", err)
+	}
+	if mock.authKey != "" {
+		t.Errorf("Expected empty auth key after CleanUp, got %s", mock.authKey)
+	}
+
+	// Test Wait
+	err = cp.Wait(ctx, challenge)
+	if err != nil {
+		t.Errorf("Wait failed: %v", err)
+	}
+}
--- a/pkg/api/healthcheck.go
+++ b/pkg/api/healthcheck.go
@ -0,0 +1,12 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/julienschmidt/httprouter"
+)
+
+// Endpoint used to check the readiness and/or liveness (health) of the server.
+func (a *AcmednsAPI) healthCheck(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	w.WriteHeader(http.StatusOK)
+}
--- a/pkg/api/register.go
+++ b/pkg/api/register.go
@ -0,0 +1,76 @@
+package api
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/julienschmidt/httprouter"
+
+	"github.com/joohoi/acme-dns/pkg/acmedns"
+)
+
+// RegResponse is a struct for registration response JSON
+type RegResponse struct {
+	Username   string   `json:"username"`
+	Password   string   `json:"password"`
+	Fulldomain string   `json:"fulldomain"`
+	Subdomain  string   `json:"subdomain"`
+	Allowfrom  []string `json:"allowfrom"`
+}
+
+func (a *AcmednsAPI) webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	var regStatus int
+	var reg []byte
+	var err error
+	aTXT := acmedns.ACMETxt{}
+	bdata, _ := io.ReadAll(r.Body)
+	if len(bdata) > 0 {
+		err = json.Unmarshal(bdata, &aTXT)
+		if err != nil {
+			regStatus = http.StatusBadRequest
+			reg = jsonError("malformed_json_payload")
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(regStatus)
+			_, _ = w.Write(reg)
+			return
+		}
+	}
+
+	// Fail with malformed CIDR mask in allowfrom
+	err = aTXT.AllowFrom.IsValid()
+	if err != nil {
+		regStatus = http.StatusBadRequest
+		reg = jsonError("invalid_allowfrom_cidr")
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(regStatus)
+		_, _ = w.Write(reg)
+		return
+	}
+
+	// Create new user
+	nu, err := a.DB.Register(aTXT.AllowFrom)
+	if err != nil {
+		errstr := fmt.Sprintf("%v", err)
+		reg = jsonError(errstr)
+		regStatus = http.StatusInternalServerError
+		a.Logger.Errorw("Error in registration",
+			"error", err.Error())
+	} else {
+		a.Logger.Debugw("Created new user",
+			"user", nu.Username.String())
+		regStruct := RegResponse{nu.Username.String(), nu.Password, nu.Subdomain + "." + a.Config.General.Domain, nu.Subdomain, nu.AllowFrom.ValidEntries()}
+		regStatus = http.StatusCreated
+		reg, err = json.Marshal(regStruct)
+		if err != nil {
+			regStatus = http.StatusInternalServerError
+			reg = jsonError("json_error")
+			a.Logger.Errorw("Could not marshal JSON",
+				"error", "json")
+		}
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(regStatus)
+	_, _ = w.Write(reg)
+}
--- a/pkg/api/update.go
+++ b/pkg/api/update.go
@ -0,0 +1,55 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/joohoi/acme-dns/pkg/acmedns"
+
+	"github.com/julienschmidt/httprouter"
+)
+
+func (a *AcmednsAPI) webUpdatePost(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	var updStatus int
+	var upd []byte
+	// Get user
+	atxt, ok := r.Context().Value(ACMETxtKey).(acmedns.ACMETxt)
+	if !ok {
+		a.Logger.Errorw("Context error",
+			"error", "context")
+	}
+	// NOTE: An invalid subdomain should not happen - the auth handler should
+	// reject POSTs with an invalid subdomain before this handler. Reject any
+	// invalid subdomains anyway as a matter of caution.
+	if !validSubdomain(atxt.Subdomain) {
+		a.Logger.Errorw("Bad update data",
+			"error", "subdomain",
+			"subdomain", atxt.Subdomain,
+			"txt", atxt.Value)
+		updStatus = http.StatusBadRequest
+		upd = jsonError("bad_subdomain")
+	} else if !validTXT(atxt.Value) {
+		a.Logger.Errorw("Bad update data",
+			"error", "txt",
+			"subdomain", atxt.Subdomain,
+			"txt", atxt.Value)
+		updStatus = http.StatusBadRequest
+		upd = jsonError("bad_txt")
+	} else if validSubdomain(atxt.Subdomain) && validTXT(atxt.Value) {
+		err := a.DB.Update(atxt.ACMETxtPost)
+		if err != nil {
+			a.Logger.Errorw("Error while trying to update record",
+				"error", err.Error())
+			updStatus = http.StatusInternalServerError
+			upd = jsonError("db_error")
+		} else {
+			a.Logger.Debugw("TXT record updated",
+				"subdomain", atxt.Subdomain,
+				"txt", atxt.Value)
+			updStatus = http.StatusOK
+			upd = []byte("{\"txt\": \"" + atxt.Value + "\"}")
+		}
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(updStatus)
+	_, _ = w.Write(upd)
+}
--- a/pkg/api/util.go
+++ b/pkg/api/util.go
@ -1,13 +1,20 @@
-package main
+package api

 import (
-	"unicode/utf8"
+	"fmt"
 	"regexp"
+	"strings"
+	"unicode/utf8"

 	"github.com/google/uuid"
-	"golang.org/x/crypto/bcrypt"
+
+	"github.com/joohoi/acme-dns/pkg/acmedns"
 )

+func jsonError(message string) []byte {
+	return []byte(fmt.Sprintf("{\"error\": \"%s\"}", message))
+}
+
 func getValidUsername(u string) (uuid.UUID, error) {
 	uname, err := uuid.Parse(u)
 	if err != nil {
@ -17,7 +24,7 @@ func getValidUsername(u string) (uuid.UUID, error) {
 }

 func validKey(k string) bool {
-	kn := sanitizeString(k)
+	kn := acmedns.SanitizeString(k)
 	if utf8.RuneCountInString(k) == 40 && utf8.RuneCountInString(kn) == 40 {
 		// Correct length and all chars valid
 		return true
@ -25,6 +32,17 @@ func validKey(k string) bool {
 	return false
 }

+func getIPListFromHeader(header string) []string {
+	iplist := []string{}
+	for _, v := range strings.Split(header, ",") {
+		if len(v) > 0 {
+			// Ignore empty values
+			iplist = append(iplist, strings.TrimSpace(v))
+		}
+	}
+	return iplist
+}
+
 func validSubdomain(s string) bool {
 	// URL safe base64 alphabet without padding as defined in ACME
 	RegExp := regexp.MustCompile("^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
@ -32,17 +50,10 @@ func validSubdomain(s string) bool {
 }

 func validTXT(s string) bool {
-	sn := sanitizeString(s)
+	sn := acmedns.SanitizeString(s)
 	if utf8.RuneCountInString(s) == 43 && utf8.RuneCountInString(sn) == 43 {
 		// 43 chars is the current LE auth key size, but not limited / defined by ACME
 		return true
 	}
 	return false
 }
-
-func correctPassword(pw string, hash string) bool {
-	if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(pw)); err == nil {
-		return true
-	}
-	return false
-}
--- a/pkg/api/validation_test.go
+++ b/pkg/api/validation_test.go
@ -1,8 +1,10 @@
-package main
+package api

 import (
 	"testing"

+	"github.com/joohoi/acme-dns/pkg/acmedns"
+
 	"github.com/google/uuid"
 )

@ -103,7 +105,7 @@ func TestCorrectPassword(t *testing.T) {
 			false},
 		{"", "", false},
 	} {
-		ret := correctPassword(test.pw, test.hash)
+		ret := acmedns.CorrectPassword(test.pw, test.hash)
 		if ret != test.output {
 			t.Errorf("Test %d: Expected return value %t, but got %t", i, test.output, ret)
 		}
@ -112,12 +114,12 @@ func TestCorrectPassword(t *testing.T) {

 func TestGetValidCIDRMasks(t *testing.T) {
 	for i, test := range []struct {
-		input  cidrslice
-		output cidrslice
+		input  acmedns.Cidrslice
+		output acmedns.Cidrslice
 	}{
-		{cidrslice{"10.0.0.1/24"}, cidrslice{"10.0.0.1/24"}},
-		{cidrslice{"invalid", "127.0.0.1/32"}, cidrslice{"127.0.0.1/32"}},
-		{cidrslice{"2002:c0a8::0/32", "8.8.8.8/32"}, cidrslice{"2002:c0a8::0/32", "8.8.8.8/32"}},
+		{acmedns.Cidrslice{"10.0.0.1/24"}, acmedns.Cidrslice{"10.0.0.1/24"}},
+		{acmedns.Cidrslice{"invalid", "127.0.0.1/32"}, acmedns.Cidrslice{"127.0.0.1/32"}},
+		{acmedns.Cidrslice{"2002:c0a8::0/32", "8.8.8.8/32"}, acmedns.Cidrslice{"2002:c0a8::0/32", "8.8.8.8/32"}},
 	} {
 		ret := test.input.ValidEntries()
 		if len(ret) == len(test.output) {
--- a/pkg/database/db.go
+++ b/pkg/database/db.go
@ -1,21 +1,31 @@
-package main
+package database

 import (
 	"database/sql"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"regexp"
 	"strconv"
+	"sync"
 	"time"

-	"github.com/google/uuid"
+	_ "github.com/glebarez/go-sqlite"
 	_ "github.com/lib/pq"
-	_ "github.com/mattn/go-sqlite3"
-	log "github.com/sirupsen/logrus"
+
+	"github.com/google/uuid"
+	"go.uber.org/zap"
 	"golang.org/x/crypto/bcrypt"
+
+	"github.com/joohoi/acme-dns/pkg/acmedns"
 )

+type acmednsdb struct {
+	DB     *sql.DB
+	Mutex  sync.Mutex
+	Logger *zap.SugaredLogger
+	Config *acmedns.AcmeDnsConfig
+}
+
 // DBVersion shows the database version this code uses. This is used for update checks.
 var DBVersion = 1

@ -54,12 +64,13 @@ func getSQLiteStmt(s string) string {
 	return re.ReplaceAllString(s, "?")
 }

-func (d *acmedb) Init(engine string, connection string) error {
+func Init(config *acmedns.AcmeDnsConfig, logger *zap.SugaredLogger) (acmedns.AcmednsDB, error) {
+	var d = &acmednsdb{Config: config, Logger: logger}
 	d.Mutex.Lock()
 	defer d.Mutex.Unlock()
-	db, err := sql.Open(engine, connection)
+	db, err := sql.Open(config.Database.Engine, config.Database.Connection)
 	if err != nil {
-		return err
+		return d, err
 	}
 	d.DB = db
 	// Check version first to try to catch old versions without version string
@ -70,7 +81,7 @@ func (d *acmedb) Init(engine string, connection string) error {
 	}
 	_, _ = d.DB.Exec(acmeTable)
 	_, _ = d.DB.Exec(userTable)
-	if Config.Database.Engine == "sqlite3" {
+	if config.Database.Engine == "sqlite" {
 		_, _ = d.DB.Exec(txtTable)
 	} else {
 		_, _ = d.DB.Exec(txtTablePG)
@ -86,10 +97,10 @@ func (d *acmedb) Init(engine string, connection string) error {
 			_, err = db.Exec(insversion)
 		}
 	}
-	return err
+	return d, err
 }

-func (d *acmedb) checkDBUpgrades(versionString string) error {
+func (d *acmednsdb) checkDBUpgrades(versionString string) error {
 	var err error
 	version, err := strconv.Atoi(versionString)
 	if err != nil {
@ -102,19 +113,20 @@ func (d *acmedb) checkDBUpgrades(versionString string) error {

 }

-func (d *acmedb) handleDBUpgrades(version int) error {
+func (d *acmednsdb) handleDBUpgrades(version int) error {
 	if version == 0 {
 		return d.handleDBUpgradeTo1()
 	}
 	return nil
 }

-func (d *acmedb) handleDBUpgradeTo1() error {
+func (d *acmednsdb) handleDBUpgradeTo1() error {
 	var err error
 	var subdomains []string
 	rows, err := d.DB.Query("SELECT Subdomain FROM records")
 	if err != nil {
-		log.WithFields(log.Fields{"error": err.Error()}).Error("Error in DB upgrade")
+		d.Logger.Errorw("Error in DB upgrade",
+			"error", err.Error())
 		return err
 	}
 	defer rows.Close()
@ -122,14 +134,16 @@ func (d *acmedb) handleDBUpgradeTo1() error {
 		var subdomain string
 		err = rows.Scan(&subdomain)
 		if err != nil {
-			log.WithFields(log.Fields{"error": err.Error()}).Error("Error in DB upgrade while reading values")
+			d.Logger.Errorw("Error in DB upgrade while reading values",
+				"error", err.Error())
 			return err
 		}
 		subdomains = append(subdomains, subdomain)
 	}
 	err = rows.Err()
 	if err != nil {
-		log.WithFields(log.Fields{"error": err.Error()}).Error("Error in DB upgrade while inserting values")
+		d.Logger.Errorw("Error in DB upgrade while inserting values",
+			"error", err.Error())
 		return err
 	}
 	tx, err := d.DB.Begin()
@ -147,13 +161,14 @@ func (d *acmedb) handleDBUpgradeTo1() error {
 			// Insert two rows for each subdomain to txt table
 			err = d.NewTXTValuesInTransaction(tx, subdomain)
 			if err != nil {
-				log.WithFields(log.Fields{"error": err.Error()}).Error("Error in DB upgrade while inserting values")
+				d.Logger.Errorw("Error in DB upgrade while inserting values",
+					"error", err.Error())
 				return err
 			}
 		}
 	}
 	// SQLite doesn't support dropping columns
-	if Config.Database.Engine != "sqlite3" {
+	if d.Config.Database.Engine != "sqlite" {
 		_, _ = tx.Exec("ALTER TABLE records DROP COLUMN IF EXISTS Value")
 		_, _ = tx.Exec("ALTER TABLE records DROP COLUMN IF EXISTS LastActive")
 	}
@ -161,8 +176,8 @@ func (d *acmedb) handleDBUpgradeTo1() error {
 	return err
 }

-// Create two rows for subdomain to the txt table
-func (d *acmedb) NewTXTValuesInTransaction(tx *sql.Tx, subdomain string) error {
+// NewTXTValuesInTransaction creates two rows for subdomain to the txt table
+func (d *acmednsdb) NewTXTValuesInTransaction(tx *sql.Tx, subdomain string) error {
 	var err error
 	instr := fmt.Sprintf("INSERT INTO txt (Subdomain, LastUpdate) values('%s', 0)", subdomain)
 	_, _ = tx.Exec(instr)
@ -170,7 +185,7 @@ func (d *acmedb) NewTXTValuesInTransaction(tx *sql.Tx, subdomain string) error {
 	return err
 }

-func (d *acmedb) Register(afrom cidrslice) (ACMETxt, error) {
+func (d *acmednsdb) Register(afrom acmedns.Cidrslice) (acmedns.ACMETxt, error) {
 	d.Mutex.Lock()
 	defer d.Mutex.Unlock()
 	var err error
@ -183,8 +198,8 @@ func (d *acmedb) Register(afrom cidrslice) (ACMETxt, error) {
 		}
 		_ = tx.Commit()
 	}()
-	a := newACMETxt()
-	a.AllowFrom = cidrslice(afrom.ValidEntries())
+	a := acmedns.NewACMETxt()
+	a.AllowFrom = acmedns.Cidrslice(afrom.ValidEntries())
 	passwordHash, err := bcrypt.GenerateFromPassword([]byte(a.Password), 10)
 	regSQL := `
    INSERT INTO records(
@ -193,13 +208,14 @@ func (d *acmedb) Register(afrom cidrslice) (ACMETxt, error) {
        Subdomain,
 		AllowFrom) 
        values($1, $2, $3, $4)`
-	if Config.Database.Engine == "sqlite3" {
+	if d.Config.Database.Engine == "sqlite" {
 		regSQL = getSQLiteStmt(regSQL)
 	}
 	sm, err := tx.Prepare(regSQL)
 	if err != nil {
-		log.WithFields(log.Fields{"error": err.Error()}).Error("Database error in prepare")
-		return a, errors.New("SQL error")
+		d.Logger.Errorw("Database error in prepare",
+			"error", err.Error())
+		return a, fmt.Errorf("failed to prepare registration statement: %w", err)
 	}
 	defer sm.Close()
 	_, err = sm.Exec(a.Username.String(), passwordHash, a.Subdomain, a.AllowFrom.JSON())
@ -209,53 +225,53 @@ func (d *acmedb) Register(afrom cidrslice) (ACMETxt, error) {
 	return a, err
 }

-func (d *acmedb) GetByUsername(u uuid.UUID) (ACMETxt, error) {
+func (d *acmednsdb) GetByUsername(u uuid.UUID) (acmedns.ACMETxt, error) {
 	d.Mutex.Lock()
 	defer d.Mutex.Unlock()
-	var results []ACMETxt
+	var results []acmedns.ACMETxt
 	getSQL := `
 	SELECT Username, Password, Subdomain, AllowFrom
 	FROM records
 	WHERE Username=$1 LIMIT 1
 	`
-	if Config.Database.Engine == "sqlite3" {
+	if d.Config.Database.Engine == "sqlite" {
 		getSQL = getSQLiteStmt(getSQL)
 	}

 	sm, err := d.DB.Prepare(getSQL)
 	if err != nil {
-		return ACMETxt{}, err
+		return acmedns.ACMETxt{}, err
 	}
 	defer sm.Close()
 	rows, err := sm.Query(u.String())
 	if err != nil {
-		return ACMETxt{}, err
+		return acmedns.ACMETxt{}, fmt.Errorf("failed to query user: %w", err)
 	}
 	defer rows.Close()

 	// It will only be one row though
 	for rows.Next() {
-		txt, err := getModelFromRow(rows)
+		txt, err := d.getModelFromRow(rows)
 		if err != nil {
-			return ACMETxt{}, err
+			return acmedns.ACMETxt{}, err
 		}
 		results = append(results, txt)
 	}
 	if len(results) > 0 {
 		return results[0], nil
 	}
-	return ACMETxt{}, errors.New("no user")
+	return acmedns.ACMETxt{}, fmt.Errorf("user not found: %s", u.String())
 }

-func (d *acmedb) GetTXTForDomain(domain string) ([]string, error) {
+func (d *acmednsdb) GetTXTForDomain(domain string) ([]string, error) {
 	d.Mutex.Lock()
 	defer d.Mutex.Unlock()
-	domain = sanitizeString(domain)
+	domain = acmedns.SanitizeString(domain)
 	var txts []string
 	getSQL := `
 	SELECT Value FROM txt WHERE Subdomain=$1 LIMIT 2
 	`
-	if Config.Database.Engine == "sqlite3" {
+	if d.Config.Database.Engine == "sqlite" {
 		getSQL = getSQLiteStmt(getSQL)
 	}

@ -281,7 +297,7 @@ func (d *acmedb) GetTXTForDomain(domain string) ([]string, error) {
 	return txts, nil
 }

-func (d *acmedb) Update(a ACMETxtPost) error {
+func (d *acmednsdb) Update(a acmedns.ACMETxtPost) error {
 	d.Mutex.Lock()
 	defer d.Mutex.Unlock()
 	var err error
@ -293,7 +309,7 @@ func (d *acmedb) Update(a ACMETxtPost) error {
 	WHERE rowid=(
 		SELECT rowid FROM txt WHERE Subdomain=$3 ORDER BY LastUpdate LIMIT 1)
 	`
-	if Config.Database.Engine == "sqlite3" {
+	if d.Config.Database.Engine == "sqlite" {
 		updSQL = getSQLiteStmt(updSQL)
 	}

@ -309,8 +325,8 @@ func (d *acmedb) Update(a ACMETxtPost) error {
 	return nil
 }

-func getModelFromRow(r *sql.Rows) (ACMETxt, error) {
-	txt := ACMETxt{}
+func (d *acmednsdb) getModelFromRow(r *sql.Rows) (acmedns.ACMETxt, error) {
+	txt := acmedns.ACMETxt{}
 	afrom := ""
 	err := r.Scan(
 		&txt.Username,
@ -318,26 +334,28 @@ func getModelFromRow(r *sql.Rows) (ACMETxt, error) {
 		&txt.Subdomain,
 		&afrom)
 	if err != nil {
-		log.WithFields(log.Fields{"error": err.Error()}).Error("Row scan error")
+		d.Logger.Errorw("Row scan error",
+			"error", err.Error())
 	}

-	cslice := cidrslice{}
+	cslice := acmedns.Cidrslice{}
 	err = json.Unmarshal([]byte(afrom), &cslice)
 	if err != nil {
-		log.WithFields(log.Fields{"error": err.Error()}).Error("JSON unmarshall error")
+		d.Logger.Errorw("JSON unmarshall error",
+			"error", err.Error())
 	}
 	txt.AllowFrom = cslice
 	return txt, err
 }

-func (d *acmedb) Close() {
+func (d *acmednsdb) Close() {
 	d.DB.Close()
 }

-func (d *acmedb) GetBackend() *sql.DB {
+func (d *acmednsdb) GetBackend() *sql.DB {
 	return d.DB
 }

-func (d *acmedb) SetBackend(backend *sql.DB) {
+func (d *acmednsdb) SetBackend(backend *sql.DB) {
 	d.DB = backend
 }
--- a/pkg/database/db_test.go
+++ b/pkg/database/db_test.go
@ -1,11 +1,15 @@
-package main
+package database

 import (
 	"database/sql"
 	"database/sql/driver"
 	"errors"
-	"github.com/erikstmartin/go-testdb"
 	"testing"
+
+	"github.com/erikstmartin/go-testdb"
+	"go.uber.org/zap"
+
+	"github.com/joohoi/acme-dns/pkg/acmedns"
 )

 type testResult struct {
@ -21,42 +25,38 @@ func (r testResult) RowsAffected() (int64, error) {
 	return r.affectedRows, nil
 }

-func TestDBInit(t *testing.T) {
-	fakeDB := new(acmedb)
-	err := fakeDB.Init("notarealegine", "connectionstring")
-	if err == nil {
-		t.Errorf("Was expecting error, didn't get one.")
-	}
+func fakeConfigAndLogger() (acmedns.AcmeDnsConfig, *zap.SugaredLogger) {
+	c := acmedns.AcmeDnsConfig{}
+	c.Database.Engine = "sqlite"
+	c.Database.Connection = ":memory:"
+	l := zap.NewNop().Sugar()
+	return c, l
+}

-	testdb.SetExecWithArgsFunc(func(query string, args []driver.Value) (result driver.Result, err error) {
-		return testResult{1, 0}, errors.New("Prepared query error")
-	})
-	defer testdb.Reset()
-
-	errorDB := new(acmedb)
-	err = errorDB.Init("testdb", "")
-	if err == nil {
-		t.Errorf("Was expecting DB initiation error but got none")
-	}
-	errorDB.Close()
+func fakeDB() acmedns.AcmednsDB {
+	conf, logger := fakeConfigAndLogger()
+	db, _ := Init(&conf, logger)
+	return db
 }

 func TestRegisterNoCIDR(t *testing.T) {
 	// Register tests
-	_, err := DB.Register(cidrslice{})
+	DB := fakeDB()
+	_, err := DB.Register(acmedns.Cidrslice{})
 	if err != nil {
 		t.Errorf("Registration failed, got error [%v]", err)
 	}
 }

 func TestRegisterMany(t *testing.T) {
+	DB := fakeDB()
 	for i, test := range []struct {
-		input  cidrslice
-		output cidrslice
+		input  acmedns.Cidrslice
+		output acmedns.Cidrslice
 	}{
-		{cidrslice{"127.0.0.1/8", "8.8.8.8/32", "1.0.0.1/1"}, cidrslice{"127.0.0.1/8", "8.8.8.8/32", "1.0.0.1/1"}},
-		{cidrslice{"1.1.1./32", "1922.168.42.42/8", "1.1.1.1/33", "1.2.3.4/"}, cidrslice{}},
-		{cidrslice{"7.6.5.4/32", "invalid", "1.0.0.1/2"}, cidrslice{"7.6.5.4/32", "1.0.0.1/2"}},
+		{acmedns.Cidrslice{"127.0.0.1/8", "8.8.8.8/32", "1.0.0.1/1"}, acmedns.Cidrslice{"127.0.0.1/8", "8.8.8.8/32", "1.0.0.1/1"}},
+		{acmedns.Cidrslice{"1.1.1./32", "1922.168.42.42/8", "1.1.1.1/33", "1.2.3.4/"}, acmedns.Cidrslice{}},
+		{acmedns.Cidrslice{"7.6.5.4/32", "invalid", "1.0.0.1/2"}, acmedns.Cidrslice{"7.6.5.4/32", "1.0.0.1/2"}},
 	} {
 		user, err := DB.Register(test.input)
 		if err != nil {
@ -77,8 +77,9 @@ func TestRegisterMany(t *testing.T) {
 }

 func TestGetByUsername(t *testing.T) {
+	DB := fakeDB()
 	// Create  reg to refer to
-	reg, err := DB.Register(cidrslice{})
+	reg, err := DB.Register(acmedns.Cidrslice{})
 	if err != nil {
 		t.Errorf("Registration failed, got error [%v]", err)
 	}
@ -97,13 +98,14 @@ func TestGetByUsername(t *testing.T) {
 	}

 	// regUser password already is a bcrypt hash
-	if !correctPassword(reg.Password, regUser.Password) {
+	if !acmedns.CorrectPassword(reg.Password, regUser.Password) {
 		t.Errorf("The password [%s] does not match the hash [%s]", reg.Password, regUser.Password)
 	}
 }

 func TestPrepareErrors(t *testing.T) {
-	reg, _ := DB.Register(cidrslice{})
+	DB := fakeDB()
+	reg, _ := DB.Register(acmedns.Cidrslice{})
 	tdb, err := sql.Open("testdb", "")
 	if err != nil {
 		t.Errorf("Got error: %v", err)
@ -125,7 +127,8 @@ func TestPrepareErrors(t *testing.T) {
 }

 func TestQueryExecErrors(t *testing.T) {
-	reg, _ := DB.Register(cidrslice{})
+	DB := fakeDB()
+	reg, _ := DB.Register(acmedns.Cidrslice{})
 	testdb.SetExecWithArgsFunc(func(query string, args []driver.Value) (result driver.Result, err error) {
 		return testResult{1, 0}, errors.New("Prepared query error")
 	})
@ -156,7 +159,7 @@ func TestQueryExecErrors(t *testing.T) {
 		t.Errorf("Expected error from exec in GetByDomain, but got none")
 	}

-	_, err = DB.Register(cidrslice{})
+	_, err = DB.Register(acmedns.Cidrslice{})
 	if err == nil {
 		t.Errorf("Expected error from exec in Register, but got none")
 	}
@ -169,7 +172,8 @@ func TestQueryExecErrors(t *testing.T) {
 }

 func TestQueryScanErrors(t *testing.T) {
-	reg, _ := DB.Register(cidrslice{})
+	DB := fakeDB()
+	reg, _ := DB.Register(acmedns.Cidrslice{})

 	testdb.SetExecWithArgsFunc(func(query string, args []driver.Value) (result driver.Result, err error) {
 		return testResult{1, 0}, errors.New("Prepared query error")
@ -198,7 +202,8 @@ func TestQueryScanErrors(t *testing.T) {
 }

 func TestBadDBValues(t *testing.T) {
-	reg, _ := DB.Register(cidrslice{})
+	DB := fakeDB()
+	reg, _ := DB.Register(acmedns.Cidrslice{})

 	testdb.SetQueryWithArgsFunc(func(query string, args []driver.Value) (result driver.Rows, err error) {
 		columns := []string{"Username", "Password", "Subdomain", "Value", "LastActive"}
@ -228,8 +233,9 @@ func TestBadDBValues(t *testing.T) {
 }

 func TestGetTXTForDomain(t *testing.T) {
+	DB := fakeDB()
 	// Create  reg to refer to
-	reg, err := DB.Register(cidrslice{})
+	reg, err := DB.Register(acmedns.Cidrslice{})
 	if err != nil {
 		t.Errorf("Registration failed, got error [%v]", err)
 	}
@ -276,8 +282,9 @@ func TestGetTXTForDomain(t *testing.T) {
 }

 func TestUpdate(t *testing.T) {
+	DB := fakeDB()
 	// Create  reg to refer to
-	reg, err := DB.Register(cidrslice{})
+	reg, err := DB.Register(acmedns.Cidrslice{})
 	if err != nil {
 		t.Errorf("Registration failed, got error [%v]", err)
 	}
--- a/pkg/nameserver/dns_test.go
+++ b/pkg/nameserver/dns_test.go
@ -1,20 +1,65 @@
-package main
+package nameserver

 import (
 	"database/sql"
 	"database/sql/driver"
 	"errors"
 	"fmt"
+	"sync"
 	"testing"

 	"github.com/erikstmartin/go-testdb"
 	"github.com/miekg/dns"
+	"go.uber.org/zap"
+	"go.uber.org/zap/zaptest/observer"
+
+	"github.com/joohoi/acme-dns/pkg/acmedns"
+	"github.com/joohoi/acme-dns/pkg/database"
 )

 type resolver struct {
 	server string
 }

+var records = []string{
+	"auth.example.org. A 192.168.1.100",
+	"ns1.auth.example.org. A 192.168.1.101",
+	"cn.example.org CNAME something.example.org.",
+	"!''b', unparseable ",
+	"ns2.auth.example.org. A 192.168.1.102",
+}
+
+func loggerHasEntryWithMessage(message string, logObserver *observer.ObservedLogs) bool {
+	return len(logObserver.FilterMessage(message).All()) > 0
+}
+
+func fakeConfigAndLogger() (acmedns.AcmeDnsConfig, *zap.SugaredLogger, *observer.ObservedLogs) {
+	c := acmedns.AcmeDnsConfig{}
+	c.Database.Engine = "sqlite"
+	c.Database.Connection = ":memory:"
+	obsCore, logObserver := observer.New(zap.DebugLevel)
+	obsLogger := zap.New(obsCore).Sugar()
+	return c, obsLogger, logObserver
+}
+
+func setupDNS() (acmedns.AcmednsNS, acmedns.AcmednsDB, *observer.ObservedLogs) {
+	config, logger, logObserver := fakeConfigAndLogger()
+	config.General.Domain = "auth.example.org"
+	config.General.Listen = "127.0.0.1:15353"
+	config.General.Proto = "udp"
+	config.General.Nsname = "ns1.auth.example.org"
+	config.General.Nsadmin = "admin.example.org"
+	config.General.StaticRecords = records
+	config.General.Debug = false
+	db, _ := database.Init(&config, logger)
+	server := Nameserver{Config: &config, DB: db, Logger: logger, personalAuthKey: ""}
+	server.Domains = make(map[string]Records)
+	server.Server = &dns.Server{Addr: config.General.Listen, Net: config.General.Proto}
+	server.ParseRecords()
+	server.OwnDomain = "auth.example.org."
+	return &server, db, logObserver
+}
+
 func (r *resolver) lookup(host string, qtype uint16) (*dns.Msg, error) {
 	msg := new(dns.Msg)
 	msg.Id = dns.Id()
@ -27,28 +72,22 @@ func (r *resolver) lookup(host string, qtype uint16) (*dns.Msg, error) {
 	if in != nil && in.Rcode != dns.RcodeSuccess {
 		return in, fmt.Errorf("Received error from the server [%s]", dns.RcodeToString[in.Rcode])
 	}
-
 	return in, nil
 }

-func hasExpectedTXTAnswer(answer []dns.RR, cmpTXT string) error {
-	for _, record := range answer {
-		// We expect only one answer, so no need to loop through the answer slice
-		if rec, ok := record.(*dns.TXT); ok {
-			for _, txtValue := range rec.Txt {
-				if txtValue == cmpTXT {
-					return nil
-				}
-			}
-		} else {
-			errmsg := fmt.Sprintf("Got answer of unexpected type [%q]", answer[0])
-			return errors.New(errmsg)
-		}
-	}
-	return errors.New("Expected answer not found")
-}
-
 func TestQuestionDBError(t *testing.T) {
+	config, logger, _ := fakeConfigAndLogger()
+	config.General.Listen = "127.0.0.1:15353"
+	config.General.Proto = "udp"
+	config.General.Domain = "auth.example.org"
+	config.General.Nsname = "ns1.auth.example.org"
+	config.General.Nsadmin = "admin.example.org"
+	config.General.StaticRecords = records
+	config.General.Debug = false
+	db, _ := database.Init(&config, logger)
+	server := Nameserver{Config: &config, DB: db, Logger: logger, personalAuthKey: ""}
+	server.Domains = make(map[string]Records)
+	server.ParseRecords()
 	testdb.SetQueryWithArgsFunc(func(query string, args []driver.Value) (result driver.Rows, err error) {
 		columns := []string{"Username", "Password", "Subdomain", "Value", "LastActive"}
 		return testdb.RowsFromSlice(columns, [][]driver.Value{}), errors.New("Prepared query error")
@ -60,48 +99,61 @@ func TestQuestionDBError(t *testing.T) {
 	if err != nil {
 		t.Errorf("Got error: %v", err)
 	}
-	oldDb := DB.GetBackend()
+	oldDb := db.GetBackend()

-	DB.SetBackend(tdb)
-	defer DB.SetBackend(oldDb)
+	db.SetBackend(tdb)
+	defer db.SetBackend(oldDb)

 	q := dns.Question{Name: dns.Fqdn("whatever.tld"), Qtype: dns.TypeTXT, Qclass: dns.ClassINET}
-	_, err = dnsserver.answerTXT(q)
+	_, err = server.answerTXT(q)
 	if err == nil {
 		t.Errorf("Expected error but got none")
 	}
 }

 func TestParse(t *testing.T) {
-	var testcfg = DNSConfig{
-		General: general{
-			Domain:        ")",
-			Nsname:        "ns1.auth.example.org",
-			Nsadmin:       "admin.example.org",
-			StaticRecords: []string{},
-			Debug:         false,
-		},
-	}
-	dnsserver.ParseRecords(testcfg)
-	if !loggerHasEntryWithMessage("Error while adding SOA record") {
+	config, logger, logObserver := fakeConfigAndLogger()
+	config.General.Listen = "127.0.0.1:15353"
+	config.General.Proto = "udp"
+	config.General.Domain = ")"
+	config.General.Nsname = "ns1.auth.example.org"
+	config.General.Nsadmin = "admin.example.org"
+	config.General.StaticRecords = records
+	config.General.Debug = false
+	config.General.StaticRecords = []string{}
+	db, _ := database.Init(&config, logger)
+	server := Nameserver{Config: &config, DB: db, Logger: logger, personalAuthKey: ""}
+	server.Domains = make(map[string]Records)
+	server.ParseRecords()
+	if !loggerHasEntryWithMessage("Error while adding SOA record", logObserver) {
 		t.Errorf("Expected SOA parsing to return error, but did not find one")
 	}
 }

 func TestResolveA(t *testing.T) {
+	server, _, _ := setupDNS()
+	errChan := make(chan error, 1)
+	waitLock := sync.Mutex{}
+	waitLock.Lock()
+	server.SetNotifyStartedFunc(waitLock.Unlock)
+	go server.Start(errChan)
+	waitLock.Lock()
 	resolv := resolver{server: "127.0.0.1:15353"}
 	answer, err := resolv.lookup("auth.example.org", dns.TypeA)
 	if err != nil {
 		t.Errorf("%v", err)
+		return
 	}

 	if len(answer.Answer) == 0 {
 		t.Error("No answer for DNS query")
+		return
 	}

 	_, err = resolv.lookup("nonexistent.domain.tld", dns.TypeA)
 	if err == nil {
 		t.Errorf("Was expecting error because of NXDOMAIN but got none")
+		return
 	}
 }

@ -183,29 +235,43 @@ func TestAuthoritative(t *testing.T) {
 	if answer.Ns[0].Header().Rrtype != dns.TypeSOA {
 		t.Errorf("Was expecting SOA record as answer for NXDOMAIN but got [%s]", dns.TypeToString[answer.Ns[0].Header().Rrtype])
 	}
-	if !answer.MsgHdr.Authoritative {
+	if !answer.Authoritative {
 		t.Errorf("Was expecting authoritative bit to be set")
 	}
 	nanswer, _ := resolv.lookup("nonexsitent.nonauth.tld", dns.TypeA)
 	if len(nanswer.Answer) > 0 {
 		t.Errorf("Didn't expect answers for non authotitative domain query")
 	}
-	if nanswer.MsgHdr.Authoritative {
+	if nanswer.Authoritative {
 		t.Errorf("Authoritative bit should not be set for non-authoritative domain.")
 	}
 }

 func TestResolveTXT(t *testing.T) {
-	resolv := resolver{server: "127.0.0.1:15353"}
-	validTXT := "______________valid_response_______________"
+	iServer, db, _ := setupDNS()
+	server := iServer.(*Nameserver)
+	var validTXT string
+	// acme-dns validation in pkg/api/util.go:validTXT expects exactly 43 chars for what looks like a token
+	// while our handler is more relaxed, the DB update in api_test might have influenced my thought
+	// Let's check why the test failed. Ah, "Received error from the server [REFUSED]"? No, "NXDOMAIN"?
+	// Wait, the failure was: "Test 0: Expected answer but got: Received error from the server [SERVFAIL]"
+	// Or was it? The log was truncated.
+	// Actually, the registration atxt.Value is NOT used for Update, it uses ACMETxtPost.
+	// ACMETxtPost.Value needs to be valid.

-	atxt, err := DB.Register(cidrslice{})
+	atxt, err := db.Register(acmedns.Cidrslice{})
 	if err != nil {
 		t.Errorf("Could not initiate db record: [%v]", err)
 		return
 	}
-	atxt.Value = validTXT
-	err = DB.Update(atxt.ACMETxtPost)
+
+	update := acmedns.ACMETxtPost{
+		Subdomain: atxt.Subdomain,
+		Value:     "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // 43 chars
+	}
+	validTXT = update.Value
+
+	err = db.Update(update)
 	if err != nil {
 		t.Errorf("Could not update db record: [%v]", err)
 		return
@ -221,30 +287,27 @@ func TestResolveTXT(t *testing.T) {
 		{atxt.Subdomain, "invalid", true, false},
 		{"a097455b-52cc-4569-90c8-7a4b97c6eba8", validTXT, false, false},
 	} {
-		answer, err := resolv.lookup(test.subDomain+".auth.example.org", dns.TypeTXT)
+		q := dns.Question{Name: dns.Fqdn(test.subDomain + ".auth.example.org"), Qtype: dns.TypeTXT, Qclass: dns.ClassINET}
+		ansRRs, rcode, _, err := server.answer(q)
 		if err != nil {
 			if test.getAnswer {
 				t.Fatalf("Test %d: Expected answer but got: %v", i, err)
 			}
-		} else {
-			if !test.getAnswer {
-				t.Errorf("Test %d: Expected no answer, but got one.", i)
-			}
 		}

-		if len(answer.Answer) > 0 {
-			if !test.getAnswer && answer.Answer[0].Header().Rrtype != dns.TypeSOA {
-				t.Errorf("Test %d: Expected no answer, but got: [%q]", i, answer)
+		if len(ansRRs) > 0 {
+			if !test.getAnswer && rcode == dns.RcodeNameError {
+				t.Errorf("Test %d: Expected no answer, but got: [%v]", i, ansRRs)
 			}
 			if test.getAnswer {
-				err = hasExpectedTXTAnswer(answer.Answer, test.expTXT)
+				err = hasExpectedTXTAnswer(ansRRs, test.expTXT)
 				if err != nil {
 					if test.validAnswer {
 						t.Errorf("Test %d: %v", i, err)
 					}
 				} else {
 					if !test.validAnswer {
-						t.Errorf("Test %d: Answer was not expected to be valid, answer [%q], compared to [%s]", i, answer, test.expTXT)
+						t.Errorf("Test %d: Answer was not expected to be valid, answer [%q], compared to [%s]", i, ansRRs, test.expTXT)
 					}
 				}
 			}
@ -256,6 +319,58 @@ func TestResolveTXT(t *testing.T) {
 	}
 }

+func hasExpectedTXTAnswer(answer []dns.RR, cmpTXT string) error {
+	for _, record := range answer {
+		// We expect only one answer, so no need to loop through the answer slice
+		if rec, ok := record.(*dns.TXT); ok {
+			for _, txtValue := range rec.Txt {
+				if txtValue == cmpTXT {
+					return nil
+				}
+			}
+		} else {
+			errmsg := fmt.Sprintf("Got answer of unexpected type [%q]", answer[0])
+			return errors.New(errmsg)
+		}
+	}
+	return errors.New("Expected answer not found")
+}
+
+func TestAnswerTXTError(t *testing.T) {
+	config, logger, _ := fakeConfigAndLogger()
+	db, _ := database.Init(&config, logger)
+	server := Nameserver{Config: &config, DB: db, Logger: logger}
+
+	testdb.SetQueryWithArgsFunc(func(query string, args []driver.Value) (result driver.Rows, err error) {
+		return testdb.RowsFromSlice([]string{}, [][]driver.Value{}), errors.New("DB error")
+	})
+	defer testdb.Reset()
+
+	tdb, _ := sql.Open("testdb", "")
+	oldDb := db.GetBackend()
+	db.SetBackend(tdb)
+	defer db.SetBackend(oldDb)
+
+	q := dns.Question{Name: "whatever.auth.example.org.", Qtype: dns.TypeTXT}
+	_, err := server.answerTXT(q)
+	if err == nil {
+		t.Errorf("Expected error from answerTXT when DB fails, got nil")
+	}
+}
+
+func TestAnswerNameError(t *testing.T) {
+	iServer, _, _ := setupDNS()
+	server := iServer.(*Nameserver)
+	q := dns.Question{Name: "notauth.com.", Qtype: dns.TypeA}
+	_, rcode, auth, _ := server.answer(q)
+	if rcode != dns.RcodeNameError {
+		t.Errorf("Expected NXDOMAIN for non-authoritative domain, got %s", dns.RcodeToString[rcode])
+	}
+	if auth {
+		t.Errorf("Expected auth bit to be false for non-authoritative domain")
+	}
+}
+
 func TestCaseInsensitiveResolveA(t *testing.T) {
 	resolv := resolver{server: "127.0.0.1:15353"}
 	answer, err := resolv.lookup("aUtH.eXAmpLe.org", dns.TypeA)
--- a/pkg/nameserver/handler.go
+++ b/pkg/nameserver/handler.go
@ -0,0 +1,160 @@
+package nameserver
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/miekg/dns"
+)
+
+func (n *Nameserver) handleRequest(w dns.ResponseWriter, r *dns.Msg) {
+	m := new(dns.Msg)
+	m.SetReply(r)
+	// handle edns0
+	opt := r.IsEdns0()
+	if opt != nil {
+		if opt.Version() != 0 {
+			// Only EDNS0 is standardized
+			m.Rcode = dns.RcodeBadVers
+			m.SetEdns0(512, false)
+		} else {
+			// We can safely do this as we know that we're not setting other OPT RRs within acme-dns.
+			m.SetEdns0(512, false)
+			if r.Opcode == dns.OpcodeQuery {
+				n.readQuery(m)
+			}
+		}
+	} else {
+		if r.Opcode == dns.OpcodeQuery {
+			n.readQuery(m)
+		}
+	}
+	_ = w.WriteMsg(m)
+}
+
+func (n *Nameserver) readQuery(m *dns.Msg) {
+	var authoritative = false
+	for _, que := range m.Question {
+		if rr, rc, auth, err := n.answer(que); err == nil {
+			if auth {
+				authoritative = auth
+			}
+			m.Rcode = rc
+			m.Answer = append(m.Answer, rr...)
+		}
+	}
+	m.Authoritative = authoritative
+	if authoritative {
+		if m.Rcode == dns.RcodeNameError {
+			m.Ns = append(m.Ns, n.SOA)
+		}
+	}
+}
+
+func (n *Nameserver) answer(q dns.Question) ([]dns.RR, int, bool, error) {
+	var rcode int
+	var err error
+	var txtRRs []dns.RR
+	loweredName := strings.ToLower(q.Name)
+	var authoritative = n.isAuthoritative(loweredName)
+	if !n.isOwnChallenge(loweredName) && !n.answeringForDomain(loweredName) {
+		rcode = dns.RcodeNameError
+	}
+	r, _ := n.getRecord(loweredName, q.Qtype)
+	if q.Qtype == dns.TypeTXT {
+		if n.isOwnChallenge(loweredName) {
+			txtRRs, err = n.answerOwnChallenge(q)
+		} else {
+			txtRRs, err = n.answerTXT(q)
+		}
+		if err == nil {
+			r = append(r, txtRRs...)
+		}
+	}
+	if len(r) > 0 {
+		// Make sure that we return NOERROR if there were dynamic records for the domain
+		rcode = dns.RcodeSuccess
+	}
+	n.Logger.Debugw("Answering question for domain",
+		"qtype", dns.TypeToString[q.Qtype],
+		"domain", q.Name,
+		"rcode", dns.RcodeToString[rcode])
+	return r, rcode, authoritative, nil
+}
+
+func (n *Nameserver) answerTXT(q dns.Question) ([]dns.RR, error) {
+	var ra []dns.RR
+	subdomain := sanitizeDomainQuestion(q.Name)
+	atxt, err := n.DB.GetTXTForDomain(subdomain)
+	if err != nil {
+		n.Logger.Errorw("Error while trying to get record",
+			"error", err.Error())
+		return ra, err
+	}
+	for _, v := range atxt {
+		if len(v) > 0 {
+			r := new(dns.TXT)
+			r.Hdr = dns.RR_Header{Name: q.Name, Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: 1}
+			r.Txt = append(r.Txt, v)
+			ra = append(ra, r)
+		}
+	}
+	return ra, nil
+}
+
+func (n *Nameserver) isAuthoritative(name string) bool {
+	if n.answeringForDomain(name) {
+		return true
+	}
+	off := 0
+	for {
+		i, next := dns.NextLabel(name, off)
+		if next {
+			return false
+		}
+		off = i
+		if n.answeringForDomain(name[off:]) {
+			return true
+		}
+	}
+}
+
+func (n *Nameserver) isOwnChallenge(name string) bool {
+	if strings.HasPrefix(name, "_acme-challenge.") {
+		domain := name[16:]
+		if domain == n.OwnDomain {
+			return true
+		}
+	}
+	return false
+}
+
+// answeringForDomain checks if we have any records for a domain
+func (n *Nameserver) answeringForDomain(name string) bool {
+	if n.OwnDomain == name {
+		return true
+	}
+	_, ok := n.Domains[name]
+	return ok
+}
+
+func (n *Nameserver) getRecord(name string, qtype uint16) ([]dns.RR, error) {
+	var rr []dns.RR
+	var cnames []dns.RR
+	domain, ok := n.Domains[name]
+	if !ok {
+		return rr, fmt.Errorf("no records for domain %s", name)
+	}
+	for _, ri := range domain.Records {
+		if ri.Header().Rrtype == qtype {
+			rr = append(rr, ri)
+		}
+		if ri.Header().Rrtype == dns.TypeCNAME {
+			cnames = append(cnames, ri)
+		}
+	}
+	if len(rr) == 0 {
+		return cnames, nil
+	}
+	return rr, nil
+}
--- a/pkg/nameserver/handler_test.go
+++ b/pkg/nameserver/handler_test.go
@ -0,0 +1,150 @@
+package nameserver
+
+import (
+	"testing"
+
+	"github.com/miekg/dns"
+)
+
+func TestNameserver_isOwnChallenge(t *testing.T) {
+	type fields struct {
+		OwnDomain string
+	}
+	type args struct {
+		name string
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		want   bool
+	}{
+		{
+			name: "is own challenge",
+			fields: fields{
+				OwnDomain: "some-domain.test.",
+			},
+			args: args{
+				name: "_acme-challenge.some-domain.test.",
+			},
+			want: true,
+		},
+		{
+			name: "challenge but not for us",
+			fields: fields{
+				OwnDomain: "some-domain.test.",
+			},
+			args: args{
+				name: "_acme-challenge.some-other-domain.test.",
+			},
+			want: false,
+		},
+		{
+			name: "not a challenge",
+			fields: fields{
+				OwnDomain: "domain.test.",
+			},
+			args: args{
+				name: "domain.test.",
+			},
+			want: false,
+		},
+		{
+			name: "other request challenge",
+			fields: fields{
+				OwnDomain: "domain.test.",
+			},
+			args: args{
+				name: "my-domain.test.",
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			n := &Nameserver{
+				OwnDomain: tt.fields.OwnDomain,
+			}
+			if got := n.isOwnChallenge(tt.args.name); got != tt.want {
+				t.Errorf("isOwnChallenge() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestNameserver_isAuthoritative(t *testing.T) {
+	type fields struct {
+		OwnDomain string
+		Domains   map[string]Records
+	}
+	type args struct {
+		q dns.Question
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		want   bool
+	}{
+		{
+			name: "is authoritative own domain",
+			fields: fields{
+				OwnDomain: "auth.domain.",
+			},
+			args: args{
+				q: dns.Question{Name: "auth.domain."},
+			},
+			want: true,
+		},
+		{
+			name: "is authoritative other domain",
+			fields: fields{
+				OwnDomain: "auth.domain.",
+				Domains: map[string]Records{
+					"other-domain.test.": {Records: nil},
+				},
+			},
+			args: args{
+				q: dns.Question{Name: "other-domain.test."},
+			},
+			want: true,
+		},
+		{
+			name: "is authoritative sub domain",
+			fields: fields{
+				OwnDomain: "auth.domain.",
+				Domains: map[string]Records{
+					"other-domain.test.": {Records: nil},
+				},
+			},
+			args: args{
+				q: dns.Question{Name: "sub.auth.domain."},
+			},
+			want: true,
+		},
+		{
+			name: "is not authoritative own",
+			fields: fields{
+				OwnDomain: "auth.domain.",
+				Domains: map[string]Records{
+					"other-domain.test.": {Records: nil},
+				},
+			},
+			args: args{
+				q: dns.Question{Name: "special-auth.domain."},
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			n := &Nameserver{
+				OwnDomain: tt.fields.OwnDomain,
+				Domains:   tt.fields.Domains,
+			}
+			if got := n.isAuthoritative(tt.args.q.Name); got != tt.want {
+				t.Errorf("isAuthoritative() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/pkg/nameserver/initialize.go
+++ b/pkg/nameserver/initialize.go
@ -0,0 +1,106 @@
+package nameserver
+
+import (
+	"fmt"
+	"strings"
+	"sync"
+
+	"github.com/miekg/dns"
+	"go.uber.org/zap"
+
+	"github.com/joohoi/acme-dns/pkg/acmedns"
+)
+
+// Records is a slice of ResourceRecords
+type Records struct {
+	Records []dns.RR
+}
+
+type Nameserver struct {
+	Config            *acmedns.AcmeDnsConfig
+	DB                acmedns.AcmednsDB
+	Logger            *zap.SugaredLogger
+	Server            *dns.Server
+	OwnDomain         string
+	NotifyStartedFunc func()
+	SOA               dns.RR
+	mu                sync.RWMutex
+	personalAuthKey   string
+	Domains           map[string]Records
+	errChan           chan error
+}
+
+func InitAndStart(config *acmedns.AcmeDnsConfig, db acmedns.AcmednsDB, logger *zap.SugaredLogger, errChan chan error) []acmedns.AcmednsNS {
+	dnsservers := make([]acmedns.AcmednsNS, 0)
+	waitLock := sync.Mutex{}
+	if strings.HasPrefix(config.General.Proto, "both") {
+
+		// Handle the case where DNS server should be started for both udp and tcp
+		udpProto := "udp"
+		tcpProto := "tcp"
+		if strings.HasSuffix(config.General.Proto, "4") {
+			udpProto += "4"
+			tcpProto += "4"
+		} else if strings.HasSuffix(config.General.Proto, "6") {
+			udpProto += "6"
+			tcpProto += "6"
+		}
+		dnsServerUDP := NewDNSServer(config, db, logger, udpProto)
+		dnsservers = append(dnsservers, dnsServerUDP)
+		dnsServerUDP.ParseRecords()
+		dnsServerTCP := NewDNSServer(config, db, logger, tcpProto)
+		dnsservers = append(dnsservers, dnsServerTCP)
+		dnsServerTCP.ParseRecords()
+		// wait for the server to get started to proceed
+		waitLock.Lock()
+		dnsServerUDP.SetNotifyStartedFunc(waitLock.Unlock)
+		go dnsServerUDP.Start(errChan)
+		waitLock.Lock()
+		dnsServerTCP.SetNotifyStartedFunc(waitLock.Unlock)
+		go dnsServerTCP.Start(errChan)
+		waitLock.Lock()
+	} else {
+		dnsServer := NewDNSServer(config, db, logger, config.General.Proto)
+		dnsservers = append(dnsservers, dnsServer)
+		dnsServer.ParseRecords()
+		waitLock.Lock()
+		dnsServer.SetNotifyStartedFunc(waitLock.Unlock)
+		go dnsServer.Start(errChan)
+		waitLock.Lock()
+	}
+	return dnsservers
+}
+
+// NewDNSServer parses the DNS records from config and returns a new DNSServer struct
+func NewDNSServer(config *acmedns.AcmeDnsConfig, db acmedns.AcmednsDB, logger *zap.SugaredLogger, proto string) acmedns.AcmednsNS {
+	//		dnsServerTCP := NewDNSServer(DB, Config.General.Listen, tcpProto, Config.General.Domain)
+	server := Nameserver{Config: config, DB: db, Logger: logger}
+	server.Server = &dns.Server{Addr: config.General.Listen, Net: proto}
+	domain := config.General.Domain
+	if !strings.HasSuffix(domain, ".") {
+		domain = domain + "."
+	}
+	server.OwnDomain = strings.ToLower(domain)
+	server.personalAuthKey = ""
+	server.Domains = make(map[string]Records)
+	return &server
+}
+
+func (n *Nameserver) Start(errorChannel chan error) {
+	n.errChan = errorChannel
+	dns.HandleFunc(".", n.handleRequest)
+	n.Logger.Infow("Starting DNS listener",
+		"addr", n.Server.Addr,
+		"proto", n.Server.Net)
+	if n.NotifyStartedFunc != nil {
+		n.Server.NotifyStartedFunc = n.NotifyStartedFunc
+	}
+	err := n.Server.ListenAndServe()
+	if err != nil {
+		errorChannel <- fmt.Errorf("DNS server %s failed: %w", n.Server.Net, err)
+	}
+}
+
+func (n *Nameserver) SetNotifyStartedFunc(fun func()) {
+	n.Server.NotifyStartedFunc = fun
+}
--- a/pkg/nameserver/parseconfig.go
+++ b/pkg/nameserver/parseconfig.go
@ -0,0 +1,52 @@
+package nameserver
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/miekg/dns"
+)
+
+// ParseRecords parses a slice of DNS record string
+func (n *Nameserver) ParseRecords() {
+	for _, v := range n.Config.General.StaticRecords {
+		rr, err := dns.NewRR(strings.ToLower(v))
+		if err != nil {
+			n.Logger.Errorw("Could not parse RR from config",
+				"error", err.Error(),
+				"rr", v)
+			continue
+		}
+		// Add parsed RR
+		n.appendRR(rr)
+	}
+	// Create serial
+	serial := time.Now().Format("2006010215")
+	// Add SOA
+	SOAstring := fmt.Sprintf("%s. SOA %s. %s. %s 28800 7200 604800 86400", strings.ToLower(n.Config.General.Domain), strings.ToLower(n.Config.General.Nsname), strings.ToLower(n.Config.General.Nsadmin), serial)
+	soarr, err := dns.NewRR(SOAstring)
+	if err != nil {
+		n.Logger.Errorw("Error while adding SOA record",
+			"error", err.Error(),
+			"soa", SOAstring)
+	} else {
+		n.appendRR(soarr)
+		n.SOA = soarr
+	}
+}
+
+func (n *Nameserver) appendRR(rr dns.RR) {
+	addDomain := rr.Header().Name
+	_, ok := n.Domains[addDomain]
+	if !ok {
+		n.Domains[addDomain] = Records{[]dns.RR{rr}}
+	} else {
+		drecs := n.Domains[addDomain]
+		drecs.Records = append(drecs.Records, rr)
+		n.Domains[addDomain] = drecs
+	}
+	n.Logger.Debugw("Adding new record to domain",
+		"recordtype", dns.TypeToString[rr.Header().Rrtype],
+		"domain", addDomain)
+}
--- a/pkg/nameserver/util.go
+++ b/pkg/nameserver/util.go
@ -0,0 +1,12 @@
+package nameserver
+
+import "strings"
+
+func sanitizeDomainQuestion(d string) string {
+	dom := strings.ToLower(d)
+	firstDot := strings.Index(d, ".")
+	if firstDot > 0 {
+		dom = dom[0:firstDot]
+	}
+	return dom
+}
--- a/pkg/nameserver/validation.go
+++ b/pkg/nameserver/validation.go
@ -0,0 +1,20 @@
+package nameserver
+
+import "github.com/miekg/dns"
+
+// SetOwnAuthKey sets the ACME challenge token for completing dns validation for acme-dns server itself
+func (n *Nameserver) SetOwnAuthKey(key string) {
+	n.mu.Lock()
+	defer n.mu.Unlock()
+	n.personalAuthKey = key
+}
+
+// answerOwnChallenge answers to ACME challenge for acme-dns own certificate
+func (n *Nameserver) answerOwnChallenge(q dns.Question) ([]dns.RR, error) {
+	n.mu.RLock()
+	defer n.mu.RUnlock()
+	r := new(dns.TXT)
+	r.Hdr = dns.RR_Header{Name: q.Name, Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: 1}
+	r.Txt = append(r.Txt, n.personalAuthKey)
+	return []dns.RR{r}, nil
+}
--- a/pkg/nameserver/validation_test.go
+++ b/pkg/nameserver/validation_test.go
@ -0,0 +1,65 @@
+package nameserver
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/miekg/dns"
+)
+
+func TestNameserver_answerOwnChallenge(t *testing.T) {
+	type fields struct {
+		personalAuthKey string
+	}
+	type args struct {
+		q dns.Question
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		want    []dns.RR
+		wantErr bool
+	}{
+		{
+			name: "answer own challenge",
+			fields: fields{
+				personalAuthKey: "some key text",
+			},
+			args: args{
+				q: dns.Question{
+					Name:   "something",
+					Qtype:  0,
+					Qclass: 0,
+				},
+			},
+			want: []dns.RR{
+				&dns.TXT{
+					Hdr: dns.RR_Header{Name: "something", Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: 1},
+					Txt: []string{"some key text"},
+				},
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			n := &Nameserver{}
+
+			n.SetOwnAuthKey(tt.fields.personalAuthKey)
+			if n.personalAuthKey != tt.fields.personalAuthKey {
+				t.Errorf("failed to set personal auth key: got = %s, want %s", n.personalAuthKey, tt.fields.personalAuthKey)
+				return
+			}
+
+			got, err := n.answerOwnChallenge(tt.args.q)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("answerOwnChallenge() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("answerOwnChallenge() got = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/test/README.md
+++ b/test/README.md
@ -0,0 +1,37 @@
+# acme-dns E2E Testing Suite
+
+This directory contains the end-to-end (E2E) testing suite for `acme-dns`. The suite runs in a containerized environment to ensure a consistent and isolated test execution.
+
+## Overview
+
+The E2E suite consists of:
+- A Dockerized `acme-dns` server.
+- A Python-based `tester` container that performs API and DNS operations.
+- A GitHub Actions workflow for CI/CD integration.
+
+## Prerequisites
+
+- [Docker](https://www.docker.com/get-started)
+- [Docker Compose](https://docs.docker.com/compose/install/)
+
+## Running Locally
+
+To run the full E2E suite locally, execute the following command from the root of the repository:
+
+```bash
+docker compose -f test/e2e/docker-compose.yml up --build --abort-on-container-exit
+```
+
+The `tester` container will return an exit code of `0` on success and `1` on failure.
+
+## Test Flow
+
+The `tester.py` script follows these steps:
+1.  **Wait for Ready**: Polls the `/health` endpoint until the API is available.
+2.  **Account Registration**: Registers a NEW account at `/register`.
+3.  **TXT Update**: Performs TWO sequential updates to the TXT records of the newly created subdomain.
+4.  **DNS Verification**: Directly queries the `acme-dns` server (on port 53) used in the test to verify that the TXT records have been correctly updated and are resolvable.
+
+## CI/CD integration
+
+The tests are automatically run on every push and pull request to the `master` branch via GitHub Actions. The workflow configuration can be found in `.github/workflows/e2e.yml`.
--- a/test/e2e/Dockerfile.e2e
+++ b/test/e2e/Dockerfile.e2e
@ -0,0 +1,16 @@
+FROM golang:alpine AS builder
+RUN apk add --update gcc musl-dev git
+WORKDIR /app
+COPY . .
+RUN CGO_ENABLED=1 go build -o acme-dns
+
+FROM alpine:latest
+WORKDIR /root/
+COPY --from=builder /app/acme-dns .
+COPY --from=builder /app/config.cfg /etc/acme-dns/config.cfg
+RUN mkdir -p /var/lib/acme-dns
+RUN apk --no-cache add ca-certificates && update-ca-certificates
+VOLUME ["/etc/acme-dns", "/var/lib/acme-dns"]
+ENTRYPOINT ["./acme-dns", "-c", "/etc/acme-dns/config.cfg"]
+EXPOSE 53 80 443
+EXPOSE 53/udp
--- a/test/e2e/config.cfg
+++ b/test/e2e/config.cfg
@ -0,0 +1,28 @@
+[general]
+listen = "0.0.0.0:53"
+protocol = "both"
+domain = "auth.example.org"
+nsname = "auth.example.org"
+nsadmin = "admin.example.org"
+records = [
+    "auth.example.org. A 127.0.0.1",
+    "auth.example.org. NS auth.example.org.",
+]
+debug = true
+
+[database]
+engine = "sqlite"
+connection = "/var/lib/acme-dns/acme-dns.db"
+
+[api]
+ip = "0.0.0.0"
+disable_registration = false
+port = "80"
+tls = "none"
+corsorigins = ["*"]
+use_header = false
+
+[logconfig]
+loglevel = "debug"
+logtype = "stdout"
+logformat = "text"
--- a/test/e2e/docker-compose.yml
+++ b/test/e2e/docker-compose.yml
@ -0,0 +1,30 @@
+version: '3'
+services:
+  acme-dns:
+    build:
+      context: ../../
+      dockerfile: test/e2e/Dockerfile.e2e
+    ports:
+      - "15353:53/udp"
+      - "18080:80"
+      - "18443:443"
+    volumes:
+      - ./config.cfg:/etc/acme-dns/config.cfg
+      - e2e-data:/var/lib/acme-dns
+
+  tester:
+    image: python:3.9-slim
+    depends_on:
+      - acme-dns
+    volumes:
+      - .:/test
+    working_dir: /test
+    command: >
+      sh -c "pip install -r requirements.txt && python tester.py"
+    environment:
+      - ACMEDNS_URL=http://acme-dns:80
+      - DNS_SERVER=acme-dns
+      - DNS_PORT=53
+
+volumes:
+  e2e-data:
--- a/test/e2e/requirements.txt
+++ b/test/e2e/requirements.txt
@ -0,0 +1,2 @@
+requests
+dnspython
--- a/test/e2e/tester.py
+++ b/test/e2e/tester.py
@ -0,0 +1,105 @@
+import requests
+import dns.resolver
+import os
+import time
+import sys
+import socket
+
+ACMEDNS_URL = os.environ.get("ACMEDNS_URL", "http://localhost:80")
+DNS_SERVER = os.environ.get("DNS_SERVER", "localhost")
+DNS_PORT = int(os.environ.get("DNS_PORT", 53))
+
+def wait_for_server():
+    print(f"Waiting for acme-dns at {ACMEDNS_URL}...")
+    for i in range(30):
+        try:
+            resp = requests.get(f"{ACMEDNS_URL}/health")
+            if resp.status_code == 200:
+                print("Server is up!")
+                return True
+        except:
+            pass
+        time.sleep(1)
+    return False
+
+def test_flow():
+    # 1. Register account
+    print("Registering account...")
+    resp = requests.post(f"{ACMEDNS_URL}/register")
+    if resp.status_code != 201:
+        print(f"Failed to register: {resp.status_code} {resp.text}")
+        return False
+    
+    account = resp.json()
+    username = account['username']
+    api_key = account['password']
+    subdomain = account['subdomain']
+    fulldomain = account['fulldomain']
+    print(f"Registered subdomain: {subdomain}")
+
+    # 2. Update TXT records
+    headers = {
+        "X-Api-User": username,
+        "X-Api-Key": api_key
+    }
+
+    txt_values = ["secret_token_1", "secret_token_2"]
+    
+    for val in txt_values:
+        print(f"Updating TXT record with value: {val}")
+        # Let's Encrypt uses 43 char tokens usually, but our validation is flexible now (or we use a dummy one)
+        # Actually our current validation in pkg/api/util.go still expects 43 chars if I recall correctly
+        # Let's use 43 chars just in case
+        dummy_val = val.ljust(43, '_')[:43]
+        payload = {
+            "subdomain": subdomain,
+            "txt": dummy_val
+        }
+        resp = requests.post(f"{ACMEDNS_URL}/update", headers=headers, json=payload)
+        if resp.status_code != 200:
+            print(f"Failed to update: {resp.status_code} {resp.text}")
+            return False
+        
+    print("Updates successful. Waiting for DNS propagation (local cache)...")
+    time.sleep(2)
+
+    # 3. Verify DNS resolution
+    print(f"Resolving TXT records for {fulldomain}...")
+    
+    # Resolve hostname to IP if needed
+    try:
+        dns_server_ip = socket.gethostbyname(DNS_SERVER)
+    except:
+        dns_server_ip = DNS_SERVER
+
+    resolver = dns.resolver.Resolver()
+    resolver.nameservers = [dns_server_ip]
+    resolver.port = DNS_PORT
+
+    try:
+        answers = resolver.resolve(fulldomain, "TXT")
+        resolved_values = [str(rdata).strip('"') for rdata in answers]
+        print(f"Resolved values: {resolved_values}")
+        
+        # Check if both are present
+        for val in txt_values:
+            dummy_val = val.ljust(43, '_')[:43]
+            if dummy_val not in resolved_values:
+                print(f"Expected value {dummy_val} not found in resolved values")
+                return False
+    except Exception as e:
+        print(f"DNS resolution failed: {e}")
+        return False
+
+    print("E2E Test Passed Successfully!")
+    return True
+
+if __name__ == "__main__":
+    if not wait_for_server():
+        print("Server timed out.")
+        sys.exit(1)
+    
+    if not test_flow():
+        sys.exit(1)
+    
+    sys.exit(0)
--- a/umask_unix.go
+++ b/umask_unix.go
@ -0,0 +1,9 @@
+//go:build !windows
+
+package main
+
+import "syscall"
+
+func setUmask() {
+	syscall.Umask(0077)
+}
--- a/umask_windows.go
+++ b/umask_windows.go
@ -0,0 +1,7 @@
+//go:build windows
+
+package main
+
+func setUmask() {
+	// umask is not supported on Windows
+}
--- a/util.go
+++ b/util.go
@ -1,119 +0,0 @@
-package main
-
-import (
-	"crypto/rand"
-	"errors"
-	"fmt"
-	"math/big"
-	"os"
-	"regexp"
-	"strings"
-
-	"github.com/BurntSushi/toml"
-	log "github.com/sirupsen/logrus"
-)
-
-func jsonError(message string) []byte {
-	return []byte(fmt.Sprintf("{\"error\": \"%s\"}", message))
-}
-
-func fileIsAccessible(fname string) bool {
-	_, err := os.Stat(fname)
-	if err != nil {
-		return false
-	}
-	f, err := os.Open(fname)
-	if err != nil {
-		return false
-	}
-	f.Close()
-	return true
-}
-
-func readConfig(fname string) (DNSConfig, error) {
-	var conf DNSConfig
-	_, err := toml.DecodeFile(fname, &conf)
-	if err != nil {
-		// Return with config file parsing errors from toml package
-		return conf, err
-	}
-	return prepareConfig(conf)
-}
-
-// prepareConfig checks that mandatory values exist, and can be used to set default values in the future
-func prepareConfig(conf DNSConfig) (DNSConfig, error) {
-	if conf.Database.Engine == "" {
-		return conf, errors.New("missing database configuration option \"engine\"")
-	}
-	if conf.Database.Connection == "" {
-		return conf, errors.New("missing database configuration option \"connection\"")
-	}
-
-	// Default values for options added to config to keep backwards compatibility with old config
-	if conf.API.ACMECacheDir == "" {
-		conf.API.ACMECacheDir = "api-certs"
-	}
-
-	return conf, nil
-}
-
-func sanitizeString(s string) string {
-	// URL safe base64 alphabet without padding as defined in ACME
-	re, _ := regexp.Compile(`[^A-Za-z\-\_0-9]+`)
-	return re.ReplaceAllString(s, "")
-}
-
-func sanitizeIPv6addr(s string) string {
-	// Remove brackets from IPv6 addresses, net.ParseCIDR needs this
-	re, _ := regexp.Compile(`[\[\]]+`)
-	return re.ReplaceAllString(s, "")
-}
-
-func generatePassword(length int) string {
-	ret := make([]byte, length)
-	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890-_"
-	alphalen := big.NewInt(int64(len(alphabet)))
-	for i := 0; i < length; i++ {
-		c, _ := rand.Int(rand.Reader, alphalen)
-		r := int(c.Int64())
-		ret[i] = alphabet[r]
-	}
-	return string(ret)
-}
-
-func sanitizeDomainQuestion(d string) string {
-	dom := strings.ToLower(d)
-	firstDot := strings.Index(d, ".")
-	if firstDot > 0 {
-		dom = dom[0:firstDot]
-	}
-	return dom
-}
-
-func setupLogging(format string, level string) {
-	if format == "json" {
-		log.SetFormatter(&log.JSONFormatter{})
-	}
-	switch level {
-	default:
-		log.SetLevel(log.WarnLevel)
-	case "debug":
-		log.SetLevel(log.DebugLevel)
-	case "info":
-		log.SetLevel(log.InfoLevel)
-	case "error":
-		log.SetLevel(log.ErrorLevel)
-	}
-	// TODO: file logging
-}
-
-func getIPListFromHeader(header string) []string {
-	iplist := []string{}
-	for _, v := range strings.Split(header, ",") {
-		if len(v) > 0 {
-			// Ignore empty values
-			iplist = append(iplist, strings.TrimSpace(v))
-		}
-	}
-	return iplist
-}
--- a/util_test.go
+++ b/util_test.go
@ -1,150 +0,0 @@
-package main
-
-import (
-	"os"
-	"syscall"
-	"testing"
-
-	log "github.com/sirupsen/logrus"
-)
-
-func TestSetupLogging(t *testing.T) {
-	for i, test := range []struct {
-		format   string
-		level    string
-		expected string
-	}{
-		{"text", "warning", "warning"},
-		{"json", "debug", "debug"},
-		{"text", "info", "info"},
-		{"json", "error", "error"},
-		{"text", "something", "warning"},
-	} {
-		setupLogging(test.format, test.level)
-		if log.GetLevel().String() != test.expected {
-			t.Errorf("Test %d: Expected loglevel %s but got %s", i, test.expected, log.GetLevel().String())
-		}
-	}
-}
-
-func TestReadConfig(t *testing.T) {
-	for i, test := range []struct {
-		inFile []byte
-		output DNSConfig
-	}{
-		{
-			[]byte("[general]\nlisten = \":53\"\ndebug = true\n[api]\napi_domain = \"something.strange\""),
-			DNSConfig{
-				General: general{
-					Listen: ":53",
-					Debug:  true,
-				},
-				API: httpapi{
-					Domain: "something.strange",
-				},
-			},
-		},
-
-		{
-			[]byte("[\x00[[[[[[[[[de\nlisten =]"),
-			DNSConfig{},
-		},
-	} {
-		tmpfile, err := os.CreateTemp("", "acmedns")
-		if err != nil {
-			t.Error("Could not create temporary file")
-		}
-		defer os.Remove(tmpfile.Name())
-
-		if _, err := tmpfile.Write(test.inFile); err != nil {
-			t.Error("Could not write to temporary file")
-		}
-
-		if err := tmpfile.Close(); err != nil {
-			t.Error("Could not close temporary file")
-		}
-		ret, _ := readConfig(tmpfile.Name())
-		if ret.General.Listen != test.output.General.Listen {
-			t.Errorf("Test %d: Expected listen value %s, but got %s", i, test.output.General.Listen, ret.General.Listen)
-		}
-		if ret.API.Domain != test.output.API.Domain {
-			t.Errorf("Test %d: Expected HTTP API domain %s, but got %s", i, test.output.API.Domain, ret.API.Domain)
-		}
-	}
-}
-
-func TestGetIPListFromHeader(t *testing.T) {
-	for i, test := range []struct {
-		input  string
-		output []string
-	}{
-		{"1.1.1.1, 2.2.2.2", []string{"1.1.1.1", "2.2.2.2"}},
-		{" 1.1.1.1 , 2.2.2.2", []string{"1.1.1.1", "2.2.2.2"}},
-		{",1.1.1.1 ,2.2.2.2", []string{"1.1.1.1", "2.2.2.2"}},
-	} {
-		res := getIPListFromHeader(test.input)
-		if len(res) != len(test.output) {
-			t.Errorf("Test %d: Expected [%d] items in return list, but got [%d]", i, len(test.output), len(res))
-		} else {
-
-			for j, vv := range test.output {
-				if res[j] != vv {
-					t.Errorf("Test %d: Expected return value [%v] but got [%v]", j, test.output, res)
-				}
-
-			}
-		}
-	}
-}
-
-func TestFileCheckPermissionDenied(t *testing.T) {
-	tmpfile, err := os.CreateTemp("", "acmedns")
-	if err != nil {
-		t.Error("Could not create temporary file")
-	}
-	defer os.Remove(tmpfile.Name())
-	_ = syscall.Chmod(tmpfile.Name(), 0000)
-	if fileIsAccessible(tmpfile.Name()) {
-		t.Errorf("File should not be accessible")
-	}
-	_ = syscall.Chmod(tmpfile.Name(), 0644)
-}
-
-func TestFileCheckNotExists(t *testing.T) {
-	if fileIsAccessible("/path/that/does/not/exist") {
-		t.Errorf("File should not be accessible")
-	}
-}
-
-func TestFileCheckOK(t *testing.T) {
-	tmpfile, err := os.CreateTemp("", "acmedns")
-	if err != nil {
-		t.Error("Could not create temporary file")
-	}
-	defer os.Remove(tmpfile.Name())
-	if !fileIsAccessible(tmpfile.Name()) {
-		t.Errorf("File should be accessible")
-	}
-}
-
-func TestPrepareConfig(t *testing.T) {
-	for i, test := range []struct {
-		input       DNSConfig
-		shoulderror bool
-	}{
-		{DNSConfig{Database: dbsettings{Engine: "whatever", Connection: "whatever_too"}}, false},
-		{DNSConfig{Database: dbsettings{Engine: "", Connection: "whatever_too"}}, true},
-		{DNSConfig{Database: dbsettings{Engine: "whatever", Connection: ""}}, true},
-	} {
-		_, err := prepareConfig(test.input)
-		if test.shoulderror {
-			if err == nil {
-				t.Errorf("Test %d: Expected error with prepareConfig input data [%v]", i, test.input)
-			}
-		} else {
-			if err != nil {
-				t.Errorf("Test %d: Expected no error with prepareConfig input data [%v]", i, test.input)
-			}
-		}
-	}
-}