zonesync 0.13.0 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d52bed9a567bd04886887c0846ca81a74086ca75e56636ccfd90ec16ca0a113f
-  data.tar.gz: 7561f624f4360a4977a59941483f917832ab126f48843915216af9a51d0904c6
+  metadata.gz: 27a11c2ecbacb7edb9dc6fef0443c5c1d1c8835af8380345bcf2f6e680e3fefb
+  data.tar.gz: c92dc751c801a7b65fd0950f6b454341334dac0660860441c3808418b79df3fa
 SHA512:
-  metadata.gz: 9b187df8cf8cce75a84187704c069e12b9d10d3e830f42065f26ab0d223d85ca79889c9b9f6b6d0edebd486fba38184ce5ad7047aa26759d39b6715ca9f1f785
-  data.tar.gz: 021437d1e18832be6dbc131a60a47c7672d5018d01588a3f6de00cff2571948ca265a3f40b8a4185f6362c054d5f35471b876fabee3bb7da9dc2623c351db7b5
+  metadata.gz: ebfbd2e2da4d63229f968dd5f9287c486e10e9cfc25801376bdee3d94fe09c99debbd74cd6084015a36a0245d61db3736d14f4cc57a4f3ca5e657871078fe877
+  data.tar.gz: 3c6c48c37c130f8adb3fc4acfd5a7a2d20a66aaba23d0d2a2d4788dfd4f8e90dde1fea046a4d318e1731e37e4b1317efc6b6e25aa5b76c61b9b60c2c8fb78ab0

data/README.md

@@ -50,49 +50,64 @@ mail2         A     192.0.2.4
 mail3         A     192.0.2.5
 ```
 
-### DNS Host
+### Credentials
 
-We need to tell `zonesync` about our DNS host by building a small YAML file. The structure of this file will depend on your DNS host, so here are some examples:
+Zonesync reads DNS provider credentials from Rails encrypted credentials (`config/credentials.yml.enc`). Edit them with:
+
+```
+$ bin/rails credentials:edit
+```
+
+Add a key (by default `zonesync`) with your provider configuration:
 
 **Cloudflare**
 
+```yaml
+zonesync:
+  provider: Cloudflare
+  zone_id: <CLOUDFLARE_DOMAIN_ZONE_ID>
+  token: <CLOUDFLARE_API_TOKEN>
+  # or instead of token you can auth with:
+  # email: <CLOUDFLARE_EMAIL>
+  # key: <CLOUDFLARE_API_KEY>
 ```
-provider: Cloudflare
-zone_id: <CLOUDFLARE_DOMAIN_ZONE_ID>
-token: <CLOUDFLARE_API_TOKEN>
-# or instead of token you can auth with:
-email: <CLOUDFLARE_EMAIL>
-key: <CLOUDFLARE_API_KEY>
-``
 
 **Route 53**
 
+```yaml
+zonesync:
+  provider: Route53
+  aws_access_key_id: <AWS_ACCESS_KEY_ID>
+  aws_secret_access_key: <AWS_SECRET_ACCESS_KEY>
+  hosted_zone_id: <HOSTED_ZONE_ID>
 ```
-provider: AWS
-aws_access_key_id: <AWS_ACCESS_KEY_ID>
-aws_secret_access_key: <AWS_SECRET_ACCESS_KEY>
-```
+
+The encryption key is read from `config/master.key` or the `RAILS_MASTER_KEY` environment variable.
 
 ### Usage
 
 #### CLI
 
 ```
-$ bundle exec zonesync
-```
-```
-$ bundle exec zonesync --dry-run # log to STDOUT but don't actually perform the sync
+$ bundle exec zonesync                # sync Zonefile to DNS provider
+$ bundle exec zonesync --dry-run      # log to STDOUT but don't actually perform the sync
+$ bundle exec zonesync generate       # generate a Zonefile from the configured provider
 ```
+
+By default, zonesync reads from `Zonefile` and uses the `zonesync` key in credentials. You can override these:
+
 ```
-$ bundle exec zonesync generate # generate a Zonefile from the configured provider
+$ bundle exec zonesync --source=Zonefile --destination=zonesync
+$ bundle exec zonesync generate --source=zonesync --destination=Zonefile
 ```
-#### Ruby
 
-Assuming your zone file lives in `hostfile.txt` and your DNS provider credentials are configured in `provider.yml`:
+#### Ruby
 
 ```ruby
-require 'zonesync'
-Zonesync.call(zonefile: 'hostfile.txt', credentials: YAML.load('provider.yml'))
+require "zonesync"
+Zonesync.call                                          # uses defaults
+Zonesync.call(source: "Zonefile", destination: "zonesync", dry_run: true)
+Zonesync.generate(source: "zonesync", destination: "Zonefile")
 ```
 
 ### Managing or avoiding conflicts with other people making edits to the DNS records

data/lib/zonesync/cli.rb

@@ -26,6 +26,14 @@ module Zonesync
       Zonesync.generate(**kwargs)
     end
 
+    desc "repair --source=Zonefile --destination=zonesync", "interactively repair differences between Zonefile and DNS provider"
+    option :source, default: "Zonefile", desc: "path to the zonefile"
+    option :destination, default: "zonesync", desc: "key to the DNS server configuration in Rails.application.credentials"
+    def repair
+      kwargs = options.to_hash.transform_keys(&:to_sym)
+      Zonesync.repair(**kwargs)
+    end
+
     def self.exit_on_failure? = true
   end
 end

data/lib/zonesync/manifest.rb

@@ -5,9 +5,9 @@ require "zonesync/record_hash"
 require "digest"
 
 module Zonesync
-  Manifest = Struct.new(:records, :zone) do
-    DIFFABLE_RECORD_TYPES = %w[A AAAA CNAME MX TXT SPF NAPTR PTR].sort
+  DIFFABLE_RECORD_TYPES = %w[A AAAA CNAME MX TXT SPF NAPTR PTR].sort.freeze
 
+  Manifest = Struct.new(:records, :zone) do
     def existing
       records.find(&:manifest?)
     end

data/lib/zonesync/repair.rb

@@ -0,0 +1,273 @@
+# frozen_string_literal: true
+
+module Zonesync
+  class Repair
+    def initialize(local, remote)
+      @local = local
+      @remote = remote
+      @remote_config = remote.config
+    end
+
+    def call(input: $stdin, output: $stdout)
+      differences = compute_differences
+      if differences.empty?
+        output.puts "Already in sync!"
+        return
+      end
+
+      output.puts "Found #{differences.length} difference#{"s" if differences.length != 1}:\n\n"
+
+      actions = differences.map.with_index do |diff, i|
+        display_difference(output, i + 1, diff)
+        prompt_action(input, output, diff)
+      end
+
+      output.puts
+      display_summary(output, actions)
+
+      return unless confirm_apply?(input, output)
+
+      apply_actions(actions)
+      update_manifest(output)
+      output.puts "\nRepair complete."
+    end
+
+    private
+
+    def all_diffable_records(provider)
+      # Get all records of diffable types, ignoring manifest filtering
+      Record.non_meta(provider.records).select { |r| DIFFABLE_RECORD_TYPES.include?(r.type) }.sort
+    end
+
+    def compute_differences
+      # For repair, we want ALL records of diffable types, not just those in manifest
+      local_records = all_diffable_records(@local)
+      remote_records = all_diffable_records(@remote)
+
+      local_by_key = local_records.group_by { |r| [r.name, r.type] }
+      remote_by_key = remote_records.group_by { |r| [r.name, r.type] }
+
+      differences = []
+
+      # Records only on remote
+      (remote_by_key.keys - local_by_key.keys).each do |key|
+        remote_by_key[key].each do |record|
+          differences << { type: :remote_only, record: record }
+        end
+      end
+
+      # Records only on local
+      (local_by_key.keys - remote_by_key.keys).each do |key|
+        local_by_key[key].each do |record|
+          differences << { type: :local_only, record: record }
+        end
+      end
+
+      # Records in both - check for changes
+      (local_by_key.keys & remote_by_key.keys).each do |key|
+        local_set = local_by_key[key]
+        remote_set = remote_by_key[key]
+
+        if local_set.length == 1 && remote_set.length == 1
+          if local_set.first != remote_set.first
+            differences << { type: :changed, local: local_set.first, remote: remote_set.first }
+          end
+        else
+          (remote_set - local_set).each { |r| differences << { type: :remote_only, record: r } }
+          (local_set - remote_set).each { |r| differences << { type: :local_only, record: r } }
+        end
+      end
+
+      differences.sort_by { |d| [(d[:record] || d[:local]).name, (d[:record] || d[:local]).type] }
+    end
+
+    def display_difference(output, num, diff)
+      case diff[:type]
+      when :remote_only
+        output.puts "#{num}. REMOTE ONLY:"
+        output.puts "   #{diff[:record]}"
+      when :local_only
+        output.puts "#{num}. LOCAL ONLY:"
+        output.puts "   #{diff[:record]}"
+      when :changed
+        output.puts "#{num}. CHANGED:"
+        output.puts "   Local:  #{diff[:local]}"
+        output.puts "   Remote: #{diff[:remote]}"
+      end
+      output.puts
+    end
+
+    def prompt_action(input, output, diff)
+      case diff[:type]
+      when :remote_only
+        output.print "   [a] Adopt  [d] Delete  [i] Ignore: "
+        loop do
+          choice = input.gets&.strip&.downcase
+          case choice
+          when "a" then return { action: :adopt, diff: diff }
+          when "d" then return { action: :delete_remote, diff: diff }
+          when "i" then return { action: :ignore, diff: diff }
+          else output.print "   Invalid. [a/d/i]: "
+          end
+        end
+      when :local_only
+        output.print "   [k] Keep (push to remote)  [r] Remove from Zonefile  [i] Ignore: "
+        loop do
+          choice = input.gets&.strip&.downcase
+          case choice
+          when "k" then return { action: :keep_local, diff: diff }
+          when "r" then return { action: :remove_local, diff: diff }
+          when "i" then return { action: :ignore, diff: diff }
+          else output.print "   Invalid. [k/r/i]: "
+          end
+        end
+      when :changed
+        output.print "   [l] Keep local  [r] Keep remote  [i] Ignore: "
+        loop do
+          choice = input.gets&.strip&.downcase
+          case choice
+          when "l" then return { action: :keep_local_changed, diff: diff }
+          when "r" then return { action: :keep_remote_changed, diff: diff }
+          when "i" then return { action: :ignore, diff: diff }
+          else output.print "   Invalid. [l/r/i]: "
+          end
+        end
+      end
+    end
+
+    def display_summary(output, actions)
+      adopt = actions.count { |a| a[:action] == :adopt }
+      delete = actions.count { |a| a[:action] == :delete_remote }
+      keep_local = actions.count { |a| a[:action] == :keep_local }
+      keep_remote_changed = actions.count { |a| a[:action] == :keep_remote_changed }
+      remove_local = actions.count { |a| a[:action] == :remove_local }
+      keep_local_changed = actions.count { |a| a[:action] == :keep_local_changed }
+      ignore = actions.count { |a| a[:action] == :ignore }
+
+      output.puts "Summary:"
+      output.puts "  #{adopt} record#{"s" if adopt != 1} to adopt into Zonefile" if adopt > 0
+      output.puts "  #{delete} record#{"s" if delete != 1} to delete from remote" if delete > 0
+      output.puts "  #{keep_local} record#{"s" if keep_local != 1} to push to remote" if keep_local > 0
+      output.puts "  #{keep_remote_changed} record#{"s" if keep_remote_changed != 1} to pull from remote" if keep_remote_changed > 0
+      output.puts "  #{remove_local} record#{"s" if remove_local != 1} to remove from Zonefile" if remove_local > 0
+      output.puts "  #{keep_local_changed} local change#{"s" if keep_local_changed != 1} to push to remote" if keep_local_changed > 0
+      output.puts "  #{ignore} record#{"s" if ignore != 1} ignored" if ignore > 0
+    end
+
+    def confirm_apply?(input, output)
+      output.print "\nApply changes? [y/n]: "
+      input.gets&.strip&.downcase == "y"
+    end
+
+    def update_manifest(output)
+      # Re-read both providers to get the updated records
+      updated_local = Provider.from({ provider: "Filesystem", path: @local.config.fetch(:path) })
+      updated_remote = Provider.from(@remote_config)
+
+      # Generate new manifest based on current local state
+      new_manifest = updated_local.manifest.generate
+
+      # Get existing manifest on remote
+      existing_manifest = updated_remote.manifest.existing
+
+      if existing_manifest
+        if new_manifest != existing_manifest
+          output.puts "Updating manifest..."
+          updated_remote.change(existing_manifest, new_manifest)
+        end
+      else
+        output.puts "Creating manifest..."
+        updated_remote.add(new_manifest)
+      end
+
+      # Remove old checksum if present (v2 manifests don't need it)
+      if existing_checksum = updated_remote.manifest.existing_checksum
+        output.puts "Removing old checksum..."
+        updated_remote.remove(existing_checksum)
+      end
+    end
+
+    def apply_actions(actions)
+      zonefile_additions = []
+      zonefile_removals = []
+
+      actions.each do |action|
+        case action[:action]
+        when :adopt
+          zonefile_additions << action[:diff][:record]
+        when :delete_remote
+          @remote.remove(action[:diff][:record])
+        when :keep_local
+          @remote.add(action[:diff][:record])
+        when :remove_local
+          zonefile_removals << action[:diff][:record]
+        when :keep_local_changed
+          @remote.change(action[:diff][:remote], action[:diff][:local])
+        when :keep_remote_changed
+          zonefile_additions << action[:diff][:remote]
+          zonefile_removals << action[:diff][:local]
+        end
+      end
+
+      if zonefile_additions.any? || zonefile_removals.any?
+        update_zonefile(zonefile_additions, zonefile_removals)
+      end
+    end
+
+    def update_zonefile(additions, removals)
+      content = @local.read
+      origin = @local.manifest.zone.origin
+
+      # Use treetop parser to find exact character positions of records to remove
+      intervals_to_remove = find_record_intervals(content, origin, removals)
+
+      # Remove intervals in reverse order to preserve positions
+      intervals_to_remove.sort_by { |i| -i.begin }.each do |interval|
+        content = content[0...interval.begin] + content[interval.end..]
+      end
+
+      if additions.any?
+        content = content.rstrip + "\n\n"
+        additions.each do |record|
+          short_name = record.short_name(origin)
+          line = "#{short_name}  #{record.ttl}  #{record.type}  #{record.rdata}"
+          line += "  ; #{record.comment}" if record.comment
+          content += "#{line}\n"
+        end
+      end
+
+      @local.write(content)
+    end
+
+    def find_record_intervals(content, origin, removals)
+      removal_set = removals.map { |r| [r.name, r.type, r.rdata] }.to_set
+
+      parseable_content, soa_insertion = Zonefile.ensure_soa(content)
+
+      parser = ZonefileParser.new
+      result = parser.parse(parseable_content)
+      raise Parser::ParsingError, parser.failure_reason unless result
+
+      # Build Zone to get properly qualified record objects
+      zone = Parser::Zone.new(result.entries, origin: origin)
+
+      # Pair raw record entries (for intervals) with parser records (for qualified fields)
+      raw_entries = result.entries.select { |e| e.parse_type == :record && e.record_type != "SOA" }
+      parser_records = zone.records.reject { |r| r.is_a?(Parser::SOA) }
+
+      intervals = []
+      raw_entries.zip(parser_records).each do |entry, parser_record|
+        record = Record.from_dns_zonefile_record(parser_record)
+
+        if removal_set.include?([record.name, record.type, record.rdata])
+          interval = entry.interval
+          if soa_insertion && interval.begin >= soa_insertion[:at]
+            interval = (interval.begin - soa_insertion[:length])...(interval.end - soa_insertion[:length])
+          end
+          intervals << interval
+        end
+      end
+      intervals
+    end
+  end
+end

data/lib/zonesync/route53.rb

@@ -18,57 +18,52 @@ module Zonesync
     end
 
     def remove(record)
-      if record.type == "TXT"
-        # Route53 requires all TXT records with the same name to be managed together
-        existing_txt_records = records.select do |r|
-          r.name == record.name && r.type == "TXT"
-        end
+      # Route53 requires all records with the same name/type to be managed together as a record set
+      existing_records = records.select do |r|
+        r.name == record.name && r.type == record.type
+      end
 
-        if existing_txt_records.length == 1
-          # Only one TXT record, delete it normally
-          change_record("DELETE", record)
-        else
-          # Multiple TXT records - delete all, then recreate without the removed one
-          remaining_txt_records = existing_txt_records.reject { |r| r == record }
-
-          # Use change_records to handle both DELETE and CREATE in one request
-          grouped = [
-            [existing_txt_records, "DELETE"],
-            [remaining_txt_records, "CREATE"]
-          ]
-
-          http.post("", ERB.new(<<~XML, trim_mode: "-").result(binding))
-            <?xml version="1.0" encoding="UTF-8"?>
-            <ChangeResourceRecordSetsRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/">
-              <ChangeBatch>
-                <Changes>
-                  <%- grouped.each do |records_list, action| -%>
-                  <%- records_grouped = records_list.group_by { |r| [r.name, r.type, r.ttl] } -%>
-                  <%- records_grouped.each do |(name, type, ttl), group_records| -%>
-                  <Change>
-                    <Action><%= action %></Action>
-                    <ResourceRecordSet>
-                      <Name><%= name %></Name>
-                      <Type><%= type %></Type>
-                      <TTL><%= ttl %></TTL>
-                      <ResourceRecords>
-                        <%- group_records.each do |group_record| -%>
-                        <ResourceRecord>
-                          <Value><%= group_record.rdata %></Value>
-                        </ResourceRecord>
-                        <%- end -%>
-                      </ResourceRecords>
-                    </ResourceRecordSet>
-                  </Change>
-                  <%- end -%>
-                  <%- end -%>
-                </Changes>
-              </ChangeBatch>
-            </ChangeResourceRecordSetsRequest>
-          XML
-        end
-      else
+      if existing_records.length == 1
         change_record("DELETE", record)
+      else
+        remaining_records = existing_records.reject { |r| r == record }
+
+        grouped = [
+          [existing_records, "DELETE"],
+          *(remaining_records.any? ? [[remaining_records, "CREATE"]] : [])
+        ]
+
+        http.post("", ERB.new(<<~XML, trim_mode: "-").result(binding))
+          <?xml version="1.0" encoding="UTF-8"?>
+          <ChangeResourceRecordSetsRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/">
+            <ChangeBatch>
+              <Changes>
+                <%- grouped.each do |records_list, action| -%>
+                <%- records_grouped = records_list.group_by { |r| [r.name, r.type, r.ttl] } -%>
+                <%- records_grouped.each do |(name, type, ttl), group_records| -%>
+                <Change>
+                  <Action><%= action %></Action>
+                  <ResourceRecordSet>
+                    <Name><%= name %></Name>
+                    <Type><%= type %></Type>
+                    <TTL><%= ttl %></TTL>
+                    <ResourceRecords>
+                      <%- group_records.each do |group_record| -%>
+                      <ResourceRecord>
+                        <Value><%= rdata_for_api(group_record) %></Value>
+                      </ResourceRecord>
+                      <%- end -%>
+                    </ResourceRecords>
+                  </ResourceRecordSet>
+                </Change>
+                <%- end -%>
+                <%- end -%>
+              </Changes>
+            </ChangeBatch>
+          </ChangeResourceRecordSetsRequest>
+        XML
+
+        invalidate_cache!
       end
     end
 
@@ -80,25 +75,19 @@ module Zonesync
     def add(record)
       add_with_duplicate_handling(record) do
         begin
-          if record.type == "TXT"
-            # Route53 requires all TXT records with the same name to be combined into a single record set
-            existing_txt_records = records.select do |r|
-              r.name == record.name && r.type == "TXT"
-            end
-            all_txt_records = existing_txt_records + [record]
-
-            # Use UPSERT if records already exist, CREATE if they don't
-            action = existing_txt_records.empty? ? "CREATE" : "UPSERT"
-            change_records(action, all_txt_records)
-          else
-            change_record("CREATE", record)
+          # Route53 requires all records with the same name/type to be in a single record set
+          existing_records = records.select do |r|
+            r.name == record.name && r.type == record.type
           end
+          all_records = (existing_records + [record]).uniq
+
+          action = existing_records.empty? ? "CREATE" : "UPSERT"
+          change_records(action, all_records)
+          invalidate_cache! if existing_records.any?
         rescue RuntimeError => e
-          # Convert Route53-specific duplicate error to standard exception
           if e.message.include?("RRSet already exists")
             raise DuplicateRecordError.new(record, "Route53 duplicate record error")
           else
-            # Re-raise other errors
             raise
           end
         end
@@ -107,6 +96,11 @@ module Zonesync
 
     private
 
+    def invalidate_cache!
+      @read = nil
+      @zonefile = nil
+    end
+
     def change_record(action, record)
       http.post("", <<~XML)
         <?xml version="1.0" encoding="UTF-8"?>
@@ -121,7 +115,7 @@ module Zonesync
                   <TTL>#{record.ttl}</TTL>
                   <ResourceRecords>
                     <ResourceRecord>
-                      <Value>#{record.rdata}</Value>
+                      <Value>#{rdata_for_api(record)}</Value>
                     </ResourceRecord>
                   </ResourceRecords>
                 </ResourceRecordSet>
@@ -151,7 +145,7 @@ module Zonesync
                   <ResourceRecords>
                     <%- records.each do |record| -%>
                     <ResourceRecord>
-                      <Value><%= record.rdata %></Value>
+                      <Value><%= rdata_for_api(record) %></Value>
                     </ResourceRecord>
                     <%- end -%>
                   </ResourceRecords>
@@ -164,12 +158,23 @@ module Zonesync
       XML
     end
 
+    def rdata_for_api(record)
+      return record.rdata unless record.type == "TXT"
+
+      # DNS TXT strings have a 255-character limit per quoted string.
+      # Split any single quoted string that exceeds this limit.
+      record.rdata.scan(/"([^"]*)"/).flatten.flat_map { |s|
+        s.scan(/.{1,255}/)
+      }.map { |s| %("#{s}") }.join(" ")
+    end
+
     def to_records(el)
       el.elements.collect("ResourceRecords/ResourceRecord") do |rr|
         name = normalize_trailing_period(get_value(el, "Name"))
         type = get_value(el, "Type")
         ttl = get_value(el, "TTL")
         rdata = get_value(rr, "Value")
+        rdata = normalize_txt_rdata(rdata) if type == "TXT"
 
         record = Record.new(
           name: name,
@@ -185,6 +190,13 @@ module Zonesync
       el.elements[field].text.gsub(/\\(\d{3})/) { $1.to_i(8).chr } # unescape octal
     end
 
+    def normalize_txt_rdata(rdata)
+      # Route53 splits long TXT strings at 255 chars. Join them back into a
+      # single quoted string so hashes match the Zonefile's canonical format.
+      strings = rdata.scan(/"([^"]*)"/).flatten
+      %("#{strings.join}")
+    end
+
     def normalize_trailing_period(value)
       value =~ /\.$/ ? value : value + "."
     end
@@ -219,7 +231,7 @@ module Zonesync
       ].join("\n")
 
       algorithm = "AWS4-HMAC-SHA256"
-      credential_scope = "#{date}/#{config.fetch(:aws_region)}/#{service}/aws4_request"
+      credential_scope = "#{date}/us-east-1/#{service}/aws4_request"
       string_to_sign = [
         algorithm,
         amz_date,
@@ -227,7 +239,7 @@ module Zonesync
         OpenSSL::Digest::SHA256.hexdigest(canonical_request)
       ].join("\n")
 
-      signing_key = get_signature_key(config.fetch(:aws_secret_access_key), date, config.fetch(:aws_region), service)
+      signing_key = get_signature_key(config.fetch(:aws_secret_access_key), date, "us-east-1", service)
       signature = OpenSSL::HMAC.hexdigest("SHA256", signing_key, string_to_sign)
 
       "#{algorithm} Credential=#{config.fetch(:aws_access_key_id)}/#{credential_scope}, SignedHeaders=#{signed_headers}, Signature=#{signature}"

data/lib/zonesync/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Zonesync
-  VERSION = "0.13.0"
+  VERSION = "0.14.0"
 end

data/lib/zonesync/zonefile.rb

@@ -4,11 +4,30 @@ require "zonesync/parser"
 
 module Zonesync
   class Zonefile
-    def self.load(zone_string)
-      if zone_string !~ /\sSOA\s/ # insert dummy SOA to trick parser if needed
-        zone_string.sub!(/\n([^$])/, "\n@ 1 SOA example.com example.com ( 2000010101 1 1 1 1 )\n\\1")
+    DUMMY_SOA = "@ 1 SOA example.com example.com ( 2000010101 1 1 1 1 )\n"
+
+    # Inserts a dummy SOA record if needed for parsing.
+    # Returns [modified_content, insertion_offset] where insertion_offset is nil if no SOA was added,
+    # or the byte position and length of the inserted SOA.
+    def self.ensure_soa(zone_string)
+      if zone_string =~ /\sSOA\s/
+        [zone_string, nil]
+      else
+        content = zone_string.dup
+        match = content.match(/\n([^$])/)
+        if match
+          insertion_point = match.begin(0) + 1
+          content.sub!(/\n([^$])/, "\n#{DUMMY_SOA}\\1")
+          [content, { at: insertion_point, length: DUMMY_SOA.length }]
+        else
+          [content, nil]
+        end
       end
-      zone = Parser.parse(zone_string)
+    end
+
+    def self.load(zone_string)
+      content, _ = ensure_soa(zone_string)
+      zone = Parser.parse(content)
       records = zone.records.map do |dns_zonefile_record|
         Zonesync::Record.from_dns_zonefile_record(dns_zonefile_record)
       end

data/lib/zonesync.rb

@@ -3,6 +3,7 @@
 require "zonesync/sync"
 require "zonesync/generate"
 require "zonesync/provider"
+require "zonesync/repair"
 require "zonesync/cli"
 require "zonesync/rake"
 require "zonesync/errors"
@@ -29,6 +30,13 @@ module Zonesync
     ).call
   end
 
+  def self.repair(source: "Zonefile", destination: "zonesync")
+    Repair.new(
+      Provider.from({ provider: "Filesystem", path: source }),
+      Provider.from(credentials(destination.to_sym)),
+    ).call
+  end
+
   def self.credentials(key)
     ActiveSupport::EncryptedConfiguration.new(
       config_path: "config/credentials.yml.enc",

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: zonesync
 version: !ruby/object:Gem::Version
-  version: 0.13.0
+  version: 0.14.0
 platform: ruby
 authors:
 - Micah Geisel
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-12-22 00:00:00.000000000 Z
+date: 2026-02-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -113,6 +113,7 @@ files:
 - lib/zonesync/rake.rb
 - lib/zonesync/record.rb
 - lib/zonesync/record_hash.rb
+- lib/zonesync/repair.rb
 - lib/zonesync/route53.rb
 - lib/zonesync/sync.rb
 - lib/zonesync/validator.rb