fix(unbound): Apex-Records (@/leer) korrekt zur Zone-FQDN expandieren

Vorher: Renderer hat record.Name 1:1 ins local-data übernommen.
Bei Apex-Records (Operator gibt '@' oder leer ein um die Zone selbst
zu adressieren) kam '@.' raus statt der Zone-FQDN — unbound parsed
das als FQDN '@', was funktional tot ist.

Fix: resolveFQDN(recName, zoneName):
  '@' / leer  → zone + '.'
  endet mit . → as-is
  endet mit zone-suffix → name + '.'
  sonst       → name + '.' + zone + '.'

Renderer baut recordView{DNSRecord, FQDN} pro record.

Test: zone proxy.resdom.loc + record name='@' value='10.10.20.1'
  $ dig @10.10.20.1 +short proxy.resdom.loc
  10.10.20.1

Auch wenn der Operator 'proxy.resdom.loc' als Name eingibt
(absoluter FQDN), 'mailcow' (relativ), oder 'mailcow.proxy.resdom.loc.'
(absolut mit Punkt) — alle drei expandieren korrekt.

Version 1.0.42.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

VERSION

@@ -1 +1 @@
-1.0.41
+1.0.42

cmd/edgeguard-api/main.go

@@ -45,7 +45,7 @@ import (
 	wgsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard"
 )
 
-var version = "1.0.41"
+var version = "1.0.42"
 
 func main() {
 	addr := os.Getenv("EDGEGUARD_API_ADDR")

cmd/edgeguard-ctl/main.go

@@ -9,7 +9,7 @@ import (
 	"os"
 )
 
-var version = "1.0.41"
+var version = "1.0.42"
 
 const usage = `edgeguard-ctl — EdgeGuard CLI
 

cmd/edgeguard-scheduler/main.go

@@ -21,7 +21,7 @@ import (
 	"git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"
 )
 
-var version = "1.0.41"
+var version = "1.0.42"
 
 const (
 	// renewTickInterval — how often we re-evaluate expiring certs.

internal/unbound/unbound.cfg.tpl

@@ -58,7 +58,7 @@ server:
 {{range .LocalZones}}
     local-zone: "{{.Name}}." static
 {{- range .Records}}
-    local-data: "{{.Name}}{{if not (hasSuffix .Name $.dot)}}.{{end}} {{.TTL}} IN {{.RecordType}} {{.Value}}"
+    local-data: "{{.FQDN}} {{.TTL}} IN {{.RecordType}} {{.Value}}"
 {{- end}}
 {{end}}
 

internal/unbound/unbound.go

@@ -50,7 +50,30 @@ type View struct {
 
 type localZoneView struct {
 	Name    string
-	Records []models.DNSRecord
+	Records []recordView
+}
+
+// recordView ist DNSRecord plus FQDN — der Renderer expandiert
+// "@"/leer zu zone.Name, relative names zu "<name>.<zone>." Punkt
+// am Ende ist für unbound's local-data Pflicht.
+type recordView struct {
+	models.DNSRecord
+	FQDN string
+}
+
+func resolveFQDN(recName, zoneName string) string {
+	zone := strings.TrimSuffix(zoneName, ".")
+	n := strings.TrimSpace(recName)
+	if n == "" || n == "@" {
+		return zone + "."
+	}
+	if strings.HasSuffix(n, ".") {
+		return n // schon FQDN mit Punkt
+	}
+	if strings.HasSuffix(n, "."+zone) || n == zone {
+		return n + "."
+	}
+	return n + "." + zone + "."
 }
 
 type forwardZoneView struct {
@@ -96,10 +119,13 @@ func (g *Generator) Render(ctx context.Context) error {
 			if err != nil {
 				return fmt.Errorf("records for zone %s: %w", z.Name, err)
 			}
-			active := make([]models.DNSRecord, 0, len(recs))
+			active := make([]recordView, 0, len(recs))
 			for _, r := range recs {
 				if r.Active {
-					active = append(active, r)
+					active = append(active, recordView{
+						DNSRecord: r,
+						FQDN:      resolveFQDN(r.Name, z.Name),
+					})
 				}
 			}
 			view.LocalZones = append(view.LocalZones, localZoneView{

management-ui/package.json

@@ -1,7 +1,7 @@
 {
   "name": "edgeguard-management-ui",
   "private": true,
-  "version": "1.0.41",
+  "version": "1.0.42",
   "type": "module",
   "scripts": {
     "dev": "vite",

management-ui/src/components/Layout/Sidebar.tsx

@@ -75,7 +75,7 @@ const NAV: NavSection[] = [
   },
 ]
 
-const VERSION = '1.0.41'
+const VERSION = '1.0.42'
 
 export default function Sidebar({ isOpen, onClose }: SidebarProps) {
   const { t } = useTranslation()