Struct ResolverRefresh 

pub struct ResolverRefresh<'a> {
    pub policy: Option<&'a DnsRefreshPolicy>,
    pub rebinding_policy: Option<&'a DnsRebindingPolicy>,
    pub resolvers: &'a [DnsResolver],
    pub hostnames: &'a [String],
    pub keyset_id: Option<&'a str>,
    pub issuer_kid: Option<&'a str>,
    pub policy_digest: Option<&'a str>,
    pub correlation_id: Option<&'a str>,
    pub source: Option<&'a str>,
    pub dnssec_policy: Option<&'a DnsResolverDnssecPolicy>,
    pub trust_anchors: Option<&'a TrustAnchors>,
}

One refresh-tick execution.

Borrows the spec-side configuration (no allocation), runs each declared hostname through the injected resolver, and produces drift CloudEvents the caller publishes via the configured event sink.

Fields

policy: Option<&'a DnsRefreshPolicy>

Refresh policy from spec.authority.dnsAuthority.refreshPolicy. None → defaults: no floor, no ceiling, ttl-honor strategy.

rebinding_policy: Option<&'a DnsRebindingPolicy>

SEC-21 Phase 3e — DNS rebinding mitigation policy from spec.authority.dnsAuthority.rebindingPolicy. None → no per-hostname response-IP tracking. Combined with the P3a TTL floor (policy.min_ttl_seconds), this structurally closes the v0.4.0 rebinding residual.

resolvers: &'a [DnsResolver]

Declared resolvers from spec.authority.dnsAuthority.resolvers[]. The first entry’s resolverId is used as the event’s resolverId when present; the empty string is used when none are declared.

hostnames: &'a [String]

Hostnames the supervisor may refresh — typically derived from spec.authority.egressRules[].host ∪ spec.authority.dnsAuthority.hostnameAllowlist.

keyset_id: Option<&'a str>

Optional keysetId to bind into emitted events.

issuer_kid: Option<&'a str>

Optional issuerKid to bind into emitted events.

policy_digest: Option<&'a str>

Optional policy-bundle digest (sha256:<hex>) to bind into emitted events.

correlation_id: Option<&'a str>

Optional pass-through correlation id.

source: Option<&'a str>

CloudEvent source field — defaults to cellos-supervisor when the caller passes None.

dnssec_policy: Option<&'a DnsResolverDnssecPolicy>

SEC-21 Phase 3h — opt-in DNSSEC validation policy. None (default) preserves P3a/P3e behaviour exactly: no validation, no dns_authority_dnssec_failed events, no dnssec_status tagging on drift events. When Some, the Self::tick_with_dnssec method honours validate / failClosed per resolver — see method docs.

trust_anchors: Option<&'a TrustAnchors>

Trust anchors loaded from the env / spec / IANA-default precedence chain. Used purely for stamping the source descriptor into emitted events; hickory 0.24’s resolver does not accept custom anchors via public API. See [super::dnssec] module docs for the residual.

Implementations

impl<'a> ResolverRefresh<'a>

pub fn tick( &self, state: &mut ResolverState, resolver: &ResolverFn<'_>, now: SystemTime, cell_id: &str, run_id: &str, ) -> Vec<CloudEventV1>

Run one refresh tick.

For each declared hostname:

• If the strategy is manual, skip (operator must opt in).
• If min_ttl_seconds says we refreshed recently, skip — unless max_stale_seconds has been exceeded (ceiling overrides floor).
• Call the injected resolver. On error: leave prior state untouched and emit no event (transient failures are not drift).
• Canonicalize, hash, compare against prior digest.
• On change, build a DnsAuthorityDrift payload, wrap it in a CloudEvent envelope, and append to the returned vector.
• Update state with the new observation.

Returns the events the caller should publish — possibly empty.

pub fn tick_with_rebinding( &self, state: &mut ResolverState, rebinding_state: &mut RebindingState, resolver: &ResolverFn<'_>, now: SystemTime, cell_id: &str, run_id: &str, ) -> Vec<CloudEventV1>

SEC-21 Phase 3e variant of Self::tick that also threads a per-cell RebindingState for DNS rebinding mitigation.

Behaves identically to tick when self.rebinding_policy is None: emits only dns_authority_drift events, never touches rebinding_state. When rebinding_policy is Some:

1. Resolves every hostname (same as tick).
2. For each successful resolution, calls RebindingState::evaluate to decide which IPs are novel, whether the per-hostname cap is exceeded, and which IPs violate the operator allowlist.
3. Emits one dns_authority_rebind_threshold per hostname when the cap is exceeded, and one dns_authority_rebind_rejected per allowlist violation.
4. Stamps the EFFECTIVE targets (post-rejection when reject_on_rebind=true) into the subsequent dns_authority_drift event so the drift digest reflects what the workload actually resolves to.
5. Calls RebindingState::commit with the effective targets so the per-cell history persists across ticks.

impl<'a> ResolverRefresh<'a>

pub fn tick_with_dnssec( &self, state: &mut ResolverState, rebinding_state: &mut RebindingState, validated_resolved: &HashMap<String, Result<ValidatedResolvedAnswer>>, now: SystemTime, cell_id: &str, run_id: &str, ) -> Vec<CloudEventV1>

SEC-21 Phase 3h variant of Self::tick_with_rebinding that also processes DNSSEC validation outcomes per hostname.

Behaviour:

• When self.dnssec_policy is None, this method behaves exactly like Self::tick_with_rebinding except it pulls per-hostname answers from validated_resolved and stamps dnssec_status: not_attempted on every emitted drift event.
• When self.dnssec_policy is Some(policy):
  • Validated → dnssec_status: validated, normal flow.
  • Failed{reason} → emit dns_authority_dnssec_failed (reason: validation_failed); when policy.fail_closed, drop answer.targets to empty BEFORE the rebinding evaluator runs and tag drift dnssec_status: validation_failed.
  • Unsigned → emit dns_authority_dnssec_failed (reason: unsigned_zone); same fail_closed semantics.

Order: dnssec_failed events are emitted BEFORE the drift / rebinding events for that hostname so a SIEM sees them in causal order (“dnssec_failed → drift”).