From 973a129079fec1d28509fe0f1bc3575d8b7deae1 Mon Sep 17 00:00:00 2001
From: Miraty <miraty+git@antopie.org>
Date: Tue, 20 Jun 2023 00:36:58 +0200
Subject: [PATCH 01/13] Add type in functions signatures

---
 fn/auth.php             | 30 +++++++++++++++---------------
 fn/common.php           | 20 ++++++++++----------
 fn/dns.php              | 14 +++++++-------
 fn/ht.php               | 16 ++++++++--------
 fn/ns.php               |  8 ++++----
 fn/reg.php              |  8 ++++----
 init.php                |  2 +-
 jobs/check.php          |  8 ++++----
 pg-act/reg/register.php |  2 +-
 router.php              |  8 ++++----
 sftpgo-auth.php         |  2 +-
 11 files changed, 59 insertions(+), 59 deletions(-)

diff --git a/fn/auth.php b/fn/auth.php
index 4f321e2..d96d1cb 100644
--- a/fn/auth.php
+++ b/fn/auth.php
@@ -14,47 +14,47 @@ const OPTIONS_PASSWORD = [
 	'threads' => 64,
 ];
 
-function checkUsernameFormat($username) {
+function checkUsernameFormat(string $username): void {
 	if (preg_match('/' . USERNAME_REGEX . '/Du', $username) !== 1)
 		output(403, 'Username malformed.');
 }
 
-function checkPasswordFormat($password) {
+function checkPasswordFormat(string $password): void {
 	if (preg_match('/' . PASSWORD_REGEX . '/Du', $password) !== 1)
 		output(403, 'Password malformed.');
 }
 
-function hashUsername($username) {
+function hashUsername(string $username): string {
 	return base64_encode(sodium_crypto_pwhash(32, $username, hex2bin(query('select', 'params', ['name' => 'username_salt'], 'value')[0]), 2**10, 2**14, SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13));
 }
 
-function hashPassword($password) {
+function hashPassword(string $password): string {
 	return password_hash($password, ALGO_PASSWORD, OPTIONS_PASSWORD);
 }
 
-function usernameExists($username) {
+function usernameExists(string $username): bool {
 	return isset(query('select', 'users', ['username' => $username], 'id')[0]);
 }
 
-function checkPassword($id, $password) {
+function checkPassword(string $id, string $password): bool {
 	return password_verify($password, query('select', 'users', ['id' => $id], 'password')[0]);
 }
 
-function outdatedPasswordHash($id) {
+function outdatedPasswordHash(string $id): bool {
 	return password_needs_rehash(query('select', 'users', ['id' => $id], 'password')[0], ALGO_PASSWORD, OPTIONS_PASSWORD);
 }
 
-function changePassword($id, $password) {
+function changePassword(string $id, string $password): void {
 	DB->prepare('UPDATE users SET password = :password WHERE id = :id')
 		->execute([':password' => hashPassword($password), ':id' => $id]);
 }
 
-function stopSession() {
+function stopSession(): void {
 	if (session_status() === PHP_SESSION_ACTIVE)
 		session_destroy();
 }
 
-function logout() {
+function logout(): never {
 	stopSession();
 
 	header('Clear-Site-Data: "*"');
@@ -62,7 +62,7 @@ function logout() {
 	redir();
 }
 
-function setupDisplayUsername($display_username) {
+function setupDisplayUsername(string $display_username): void {
 	$nonce = random_bytes(24);
 	$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
 	$cyphertext = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
@@ -87,7 +87,7 @@ function setupDisplayUsername($display_username) {
 	$_SESSION['display-username-cyphertext'] = $cyphertext;
 }
 
-function authDeleteUser($user_id) {
+function authDeleteUser(string $user_id): void {
 	$user_services = explode(',', query('select', 'users', ['id' => $user_id], 'services')[0]);
 
 	foreach (SERVICES_USER as $service)
@@ -138,7 +138,7 @@ function authDeleteUser($user_id) {
 	query('delete', 'users', ['id' => $user_id]);
 }
 
-function rateLimit() {
+function rateLimit(): void {
 	if (PAGE_METADATA['tokens_account_cost'] ?? 0 > 0)
 		rateLimitAccount(PAGE_METADATA['tokens_account_cost']);
 
@@ -147,7 +147,7 @@ function rateLimit() {
 }
 
 const MAX_ACCOUNT_TOKENS = 86400;
-function rateLimitAccount($requestedTokens) {
+function rateLimitAccount(int $requestedTokens): int {
 	// Get
 	$userData = query('select', 'users', ['id' => $_SESSION['id']]);
 	$tokens = $userData[0]['bucket_tokens'];
@@ -174,7 +174,7 @@ function rateLimitAccount($requestedTokens) {
 	return $tokens;
 }
 
-function rateLimitInstance($requestedTokens) {
+function rateLimitInstance(int $requestedTokens): void {
 	// Get
 	$tokens = query('select', 'params', ['name' => 'instance_bucket_tokens'], 'value')[0];
 	$bucketLastUpdate = query('select', 'params', ['name' => 'instance_bucket_last_update'], 'value')[0];
diff --git a/fn/common.php b/fn/common.php
index 0002ca1..33815e9 100644
--- a/fn/common.php
+++ b/fn/common.php
@@ -1,6 +1,6 @@
 <?php
 
-function output($code, $msg = '', $logs = [''], $data = []) {
+function output(int $code, string $msg = '', array $logs = [''], array $data = []): never {
 	http_response_code($code);
 	$shortCode = intval($code / 100);
 	if ($shortCode === 5)
@@ -21,7 +21,7 @@ function exescape(array $args, array &$output = NULL, int &$result_code = NULL):
 	return $result_code;
 }
 
-function insert($table, $values) {
+function insert(string $table, array $values): void {
 	$query = 'INSERT INTO "' . $table . '"(';
 
 	foreach ($values as $key => $val) {
@@ -44,7 +44,7 @@ function insert($table, $values) {
 	->execute($values);
 }
 
-function query($action, $table, $conditions = [], $column = NULL) {
+function query(string $action, string $table, array $conditions = [], string $column = NULL): array {
 
 	$query = match ($action) {
 		'select' => 'SELECT *',
@@ -66,7 +66,7 @@ function query($action, $table, $conditions = [], $column = NULL) {
 	return array_column($stmt->fetchAll(PDO::FETCH_ASSOC), $column);
 }
 
-function displayIndex() { ?>
+function displayIndex(): void { ?>
 <nav>
 	<dl>
 <?php foreach (PAGES[SERVICE] as $pageId => $page) {
@@ -82,11 +82,11 @@ function displayIndex() { ?>
 <?php
 }
 
-function redirUrl($pageId) {
+function redirUrl(string $pageId): string {
 	return CONF['common']['prefix'] . '/' . $pageId . '?redir=' . PAGE_URL;
 }
 
-function redir($redir_to = NULL) {
+function redir(string $redir_to = NULL): never {
 	$redir_to ??= $_GET['redir'] ?? NULL;
 
 	if ($redir_to === NULL) {
@@ -100,7 +100,7 @@ function redir($redir_to = NULL) {
 }
 
 // PHP rmdir() only works on empty directories
-function removeDirectory($dir) {
+function removeDirectory(string $dir): void {
 	$dirObj = new RecursiveDirectoryIterator($dir, RecursiveDirectoryIterator::SKIP_DOTS);
 	$files = new RecursiveIteratorIterator($dirObj, RecursiveIteratorIterator::CHILD_FIRST);
 	foreach ($files as $file)
@@ -109,7 +109,7 @@ function removeDirectory($dir) {
 		output(500, 'Unable to remove directory.');
 }
 
-function equalArrays($a, $b) {
+function equalArrays(array $a, array $b): bool {
 	return array_diff($a, $b) === [] AND array_diff($b, $a) === [];
 }
 
@@ -126,12 +126,12 @@ if (time() - query('select', 'params', ['name' => 'secret_key_last_change'], 'va
 	->execute([':last_change' => time()]);
 }
 define('SECRET_KEY', hex2bin(query('select', 'params', ['name' => 'secret_key'], 'value')[0]));
-function getAuthToken() {
+function getAuthToken(): string {
 	$salt = bin2hex(random_bytes(4));
 	$hash = hash_hmac('sha256', $salt . ($_SESSION['id'] ?? ''), SECRET_KEY);
 	return $salt . '-' .  substr($hash, 0, 32);
 }
-function checkAuthToken($salt, $hash) {
+function checkAuthToken(string $salt, string $hash): void {
 	$correctProof = substr(hash_hmac('sha256', $salt . $_SESSION['id'], SECRET_KEY), 0, 32);
 	if (hash_equals($correctProof, $hash) !== true)
 		output(403, _('Wrong proof.'));
diff --git a/fn/dns.php b/fn/dns.php
index ef4f803..6c4b171 100644
--- a/fn/dns.php
+++ b/fn/dns.php
@@ -1,6 +1,6 @@
 <?php
 
-function parseZoneFile($zone_content, $types, $filter_domain = false) {
+function parseZoneFile(string $zone_content, array $types, bool|string $filter_domain = false): array {
 	$parsed_zone_content = [];
 	foreach (explode(LF, $zone_content) as $zone_line) {
 		if ($zone_line === '' OR str_starts_with($zone_line, ';'))
@@ -46,7 +46,7 @@ function knotcConfExec(array $cmds): void {
 	}
 }
 
-function knotcZoneExec(string $zone, array $cmd, string $action = NULL) {
+function knotcZoneExec(string $zone, array $cmd, string $action = NULL): void {
 	$action = checkAction($action ?? $_POST['action']);
 
 	knotc(['zone-begin', $zone], $output['begin'], $code['begin']);
@@ -66,7 +66,7 @@ function knotcZoneExec(string $zone, array $cmd, string $action = NULL) {
 	}
 }
 
-function checkIpFormat($ip) {
+function checkIpFormat(string $ip): string {
 	if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4))
 		return 'A';
 	if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))
@@ -74,24 +74,24 @@ function checkIpFormat($ip) {
 	output(403, _('IP address malformed.'));
 }
 
-function checkAbsoluteDomainFormat($domain) { // If the domain must end with a dot
+function checkAbsoluteDomainFormat(string $domain): void { // If the domain must end with a dot
 	if (!filter_var($domain, FILTER_VALIDATE_DOMAIN) OR preg_match('/^(?=^.{1,254}$)([a-z0-9_-]{1,63}\.){2,127}$/D', $domain) !== 1)
 		output(403, _('Domain malformed.'));
 }
 
-function formatEndWithDot($str) {
+function formatEndWithDot(string $str): string {
 	if (!str_ends_with($str, '.'))
 		$str .= '.';
 	return $str;
 }
 
-function formatAbsoluteDomain($domain) {
+function formatAbsoluteDomain(string $domain): string {
 	$domain = formatEndWithDot(strtolower($domain));
 	checkAbsoluteDomainFormat($domain);
 	return $domain;
 }
 
-function checkAction($action) {
+function checkAction(string $action): string {
 	return match ($action) {
 		'add' => '',
 		'delete' => 'un',
diff --git a/fn/ht.php b/fn/ht.php
index 8b9e3d5..75d03a3 100644
--- a/fn/ht.php
+++ b/fn/ht.php
@@ -3,7 +3,7 @@
 const SUBPATH_REGEX = '^[a-z0-9-]{4,63}$';
 const ED25519_PUBKEY_REGEX = '^[a-zA-Z0-9/+]{68}$';
 
-function htSetupUserFs($id) {
+function htSetupUserFs(string $id): void {
 	// Setup SFTP directory
 	if (mkdir(CONF['ht']['ht_path'] . '/fs/' . $id, 0000) !== true)
 		output(500, 'Can\'t create user directory.');
@@ -42,19 +42,19 @@ function htSetupUserFs($id) {
 		output(500, 'Can\'t create Tor keys directory.');
 }
 
-function checkDomainFormat($domain) {
+function checkDomainFormat(string $domain): void {
 	// If the domain must end without a dot
 	if (!filter_var($domain, FILTER_VALIDATE_DOMAIN) OR !preg_match('/^(?=^.{1,254}$)([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$/D', $domain))
 		output(403, _('Domain malformed.'));
 }
 
-function formatDomain($domain) {
+function formatDomain(string $domain): string {
 	$domain = rtrim(strtolower($domain), '.');
 	checkDomainFormat($domain);
 	return $domain;
 }
 
-function listFsDirs($username) {
+function listFsDirs(string $username): array {
 	if ($username === '')
 		return [];
 	$absoluteDirs = glob(CONF['ht']['ht_path'] . '/fs/' . $username . '/*/', GLOB_ONLYDIR);
@@ -65,7 +65,7 @@ function listFsDirs($username) {
 	return $dirs;
 }
 
-function addSite($username, $siteDir, $address, $type) {
+function addSite(string $username, string $siteDir, string $address, string $type): void {
 	insert('sites', [
 		'username' => $username,
 		'site_dir' => $siteDir,
@@ -75,7 +75,7 @@ function addSite($username, $siteDir, $address, $type) {
 	]);
 }
 
-function dirsStatuses($type) {
+function dirsStatuses(string $type): array {
 	if (isset($_SESSION['id']) !== true)
 		return [];
 	$dbDirs = query('select', 'sites', [
@@ -88,7 +88,7 @@ function dirsStatuses($type) {
 	return $dirs;
 }
 
-function htRelativeSymlink($target, $name) {
+function htRelativeSymlink(string $target, string $name): void {
 	chdir(pathinfo($name)['dirname']);
 	$symlink = symlink($target, pathinfo($name)['basename']);
 	chdir(ROOT_PATH);
@@ -96,7 +96,7 @@ function htRelativeSymlink($target, $name) {
 		output(500, 'Unable to create symlink.');
 }
 
-function htDeleteSite($address, $type, $user_id) {
+function htDeleteSite(string $address, string $type, string $user_id): void {
 
 	if ($type === 'onion') {
 		$dir = query('select', 'sites', [
diff --git a/fn/ns.php b/fn/ns.php
index a93e82c..a659385 100644
--- a/fn/ns.php
+++ b/fn/ns.php
@@ -17,7 +17,7 @@ const ALLOWED_TYPES = ['AAAA', 'A', 'TXT', 'SRV', 'MX', 'SVCB', 'HTTPS', 'NS', '
 
 const ZONE_MAX_CHARACTERS = 10000;
 
-function nsParseCommonRequirements() {
+function nsParseCommonRequirements(): array {
 	nsCheckZonePossession($_POST['zone']);
 
 	if (($_POST['subdomain'] === '') OR ($_POST['subdomain'] === '@'))
@@ -35,20 +35,20 @@ function nsParseCommonRequirements() {
 	return $values;
 }
 
-function nsListUserZones() {
+function nsListUserZones(): array {
 	if (isset($_SESSION['id']))
 		return query('select', 'zones', ['username' => $_SESSION['id']], 'zone');
 	return [];
 }
 
-function nsCheckZonePossession($zone) {
+function nsCheckZonePossession(string $zone): void {
 	checkAbsoluteDomainFormat($zone);
 
 	if (!in_array($zone, nsListUserZones(), true))
 		output(403, 'You don\'t own this zone on the name server.');
 }
 
-function nsDeleteZone($zone, $user_id) {
+function nsDeleteZone(string $zone, string $user_id): void {
 	// Remove from Knot configuration
 	knotcConfExec([['conf-unset', 'zone[' . $zone . ']']]);
 
diff --git a/fn/reg.php b/fn/reg.php
index 0a5f981..c49e6c4 100644
--- a/fn/reg.php
+++ b/fn/reg.php
@@ -2,18 +2,18 @@
 
 const SUBDOMAIN_REGEX = '^(?!\-)(?!..\-\-)[a-z0-9-]{4,63}(?<!\-)$';
 
-function regListUserDomains() {
+function regListUserDomains(): array {
 	if (isset($_SESSION['id']))
 		return query('select', 'registry', ['username' => $_SESSION['id']], 'domain');
 	return [];
 }
 
-function regCheckDomainPossession($domain) {
+function regCheckDomainPossession(string $domain): void {
 	if (in_array($domain, regListUserDomains(), true) !== true)
 		output(403, 'You don\'t own this domain on the registry.');
 }
 
-function regDeleteDomain($domain, $user_id) {
+function regDeleteDomain(string $domain, string $user_id): void {
 	// Delete domain from registry file
 	$path = CONF['reg']['suffixes_path'] . '/' . regParseDomain($domain)['suffix'] . 'zone';
 	$content = file_get_contents($path);
@@ -46,7 +46,7 @@ function regDeleteDomain($domain, $user_id) {
 	}
 }
 
-function regParseDomain($domain) {
+function regParseDomain(string $domain): array {
 	$parts = explode('.', $domain, 2);
 	$subdomain = $parts[0];
 	$suffix = $parts[1];
diff --git a/init.php b/init.php
index 703cd93..c85e75c 100644
--- a/init.php
+++ b/init.php
@@ -5,7 +5,7 @@ set_error_handler(function ($level, $message, $file = '', $line = 0) {
 	throw new ErrorException($message, 0, $level, $file, $line);
 });
 set_exception_handler(function ($e) {
-	error_log($e);
+	error_log($e->getMessage());
 	http_response_code(500);
 	echo '<h1>Error</h1>An error occured.';
 });
diff --git a/jobs/check.php b/jobs/check.php
index 733447b..a6dc279 100644
--- a/jobs/check.php
+++ b/jobs/check.php
@@ -18,7 +18,7 @@ if (preg_match('/^;; Flags: qr rd ra ad;/Dm', implode("\n", $output)) !== 1)
 
 define('COOKIE_FILE', sys_get_temp_dir() . '/cookie-' . bin2hex(random_bytes(16)) . '.txt');
 
-function curlTest($address, $post = [], $tor = false) {
+function curlTest(string $address, array $post = [], bool $tor = false): string {
 	$req = curl_init();
 	curl_setopt($req, CURLOPT_RETURNTRANSFER, true);
 
@@ -85,7 +85,7 @@ curlTest('/auth/username', [
 
 echo 'Created account with username "' . $username . '" and password "' . $password . '".' . LF;
 
-function testReg() {
+function testReg(): string {
 	$subdomain = bin2hex(random_bytes(16));
 
 	curlTest('/reg/register', [
@@ -119,7 +119,7 @@ function testReg() {
 	return $domain;
 }
 
-function testNs($domain) {
+function testNs(string $domain): void {
 	foreach (CONF['ns']['servers'] as $ns)
 		curlTest('/reg/ns', [
 			'action' => 'add',
@@ -178,7 +178,7 @@ function testNs($domain) {
 		exit('Error: /ns/edit: AAAA record not set' . LF);
 }
 
-function testHt($username, $password) {
+function testHt(string $username, string $password): void {
 	define('TEST_CONTENT', 'test-' . bin2hex(random_bytes(16)));
 
 	file_put_contents(sys_get_temp_dir() . '/index.html', TEST_CONTENT);
diff --git a/pg-act/reg/register.php b/pg-act/reg/register.php
index f516c45..ad590f7 100644
--- a/pg-act/reg/register.php
+++ b/pg-act/reg/register.php
@@ -53,7 +53,7 @@ if ($blocked OR $registration_data !== [])
 if ($_POST['action'] !== 'register')
 	message($message . ' ✔️ ' . _('This domain is open to registration!'));
 
-function message($message) {
+function message(string $message): never {
 	output(200, data: [
 		'message' => '<p>' . $message . '</p>',
 		'domain' => htmlspecialchars($_POST['subdomain']),
diff --git a/router.php b/router.php
index a977203..0c0a024 100644
--- a/router.php
+++ b/router.php
@@ -11,7 +11,7 @@ define('PAGE_ADDRESS', $pageAddress . ((substr($pageAddress, -1) === '/' OR $pag
 define('PAGE_LINEAGE', explode('/', PAGE_ADDRESS));
 define('SERVICE', dirname(PAGE_ADDRESS));
 
-function getPageInformations($pages, $pageElements) {
+function getPageInformations(array $pages, array $pageElements): array {
 	if (!isset($pages['index']) OR $pageElements[0] === 'index')
 		return [
 			'titles_lineage' => [$pages[$pageElements[0]]['title'] ?? false],
@@ -44,7 +44,7 @@ if (in_array($_SERVER['SERVER_NAME'], CONF['common']['public_domains'], true) !=
 define('SERVER_NAME', $_SERVER['SERVER_NAME']);
 
 const SESSION_COOKIE_NAME = 'servnest-session-key';
-function startSession() {
+function startSession(): void {
 	session_start([
 		'name' => SESSION_COOKIE_NAME,
 		'sid_length' => 64,
@@ -94,7 +94,7 @@ if (isset($_SESSION['id'])) {
 		}
 }
 
-function displayFinalMessage($data) {
+function displayFinalMessage(?array $data): void {
 	if (isset($data['final_message'])) {
 		echo $data['final_message'];
 		unset($data['final_message']);
@@ -118,7 +118,7 @@ if ($_POST !== []) {
 		require ROOT_PATH . '/pg-act/' . PAGE_ADDRESS . '.php';
 }
 
-function displayPage($data) {
+function displayPage(?array $data): never {
 	require ROOT_PATH . '/view.php';
 	exit();
 }
diff --git a/sftpgo-auth.php b/sftpgo-auth.php
index fa474a0..6ec3ef8 100644
--- a/sftpgo-auth.php
+++ b/sftpgo-auth.php
@@ -5,7 +5,7 @@ const DEBUG = false;
 
 require 'init.php';
 
-function deny($reason) {
+function deny(string $reason): never {
 	!DEBUG or file_put_contents(ROOT_PATH . '/db/debug.txt', ob_get_contents() . $reason . LF);
 	http_response_code(403);
 	exit();

From edcad22a841f64ce3659466aaa8ed555f60bfb56 Mon Sep 17 00:00:00 2001
From: Miraty <miraty+git@antopie.org>
Date: Tue, 20 Jun 2023 00:41:30 +0200
Subject: [PATCH 02/13] Fix missing string internationalization

---
 locales/fr/C/LC_MESSAGES/messages.po | 31 ++++++++++++++++------------
 locales/messages.pot                 | 31 ++++++++++++++++------------
 pg-view/ht/del.php                   |  2 +-
 3 files changed, 37 insertions(+), 27 deletions(-)

diff --git a/locales/fr/C/LC_MESSAGES/messages.po b/locales/fr/C/LC_MESSAGES/messages.po
index 1e0cf70..ac61d4f 100644
--- a/locales/fr/C/LC_MESSAGES/messages.po
+++ b/locales/fr/C/LC_MESSAGES/messages.po
@@ -1,7 +1,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-06-15 01:33+0200\n"
+"POT-Creation-Date: 2023-06-20 00:38+0200\n"
 "Language: fr\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 
@@ -321,11 +321,11 @@ msgstr "%sCode source%s disponible sous %s."
 msgid "Your account can't be deleted because the %s service is currently unavailable."
 msgstr "Votre compte ne peut pas être supprimé car le service %s est actuellement indisponible."
 
-#: fn/auth.php:143
+#: fn/auth.php:161
 msgid "Account rate limit reached, try again later."
 msgstr "Limite de taux pour ce compte atteinte, réessayez plus tard."
 
-#: fn/auth.php:168
+#: fn/auth.php:186
 msgid "Global rate limit reached, try again later."
 msgstr "Limite de taux globale atteinte, réessayez plus tard."
 
@@ -341,15 +341,15 @@ msgstr "<strong>Erreur de l'utilisataire</strong>&nbsp;: "
 msgid "<strong>Server error</strong>: "
 msgstr "<strong>Erreur du serveur</strong>&nbsp;: "
 
-#: fn/common.php:132
+#: fn/common.php:137
 msgid "Wrong proof."
 msgstr "Preuve incorrecte."
 
-#: fn/dns.php:64
+#: fn/dns.php:74
 msgid "IP address malformed."
 msgstr "Adresse IP malformée."
 
-#: fn/dns.php:69 fn/ht.php:31
+#: fn/dns.php:79 fn/ht.php:48
 msgid "Domain malformed."
 msgstr "Domaine malformé."
 
@@ -434,13 +434,13 @@ msgstr "Ce domaine doit avoir %2$s pour unique enregistrement %1$s."
 msgid "No TXT record with the expected format has been found."
 msgstr "Aucun enregistrement TXT avec le format attendu n'a été trouvé."
 
-#: pg-act/ht/add-dns.php:41 pg-act/ht/add-onion.php:37
+#: pg-act/ht/add-dns.php:48 pg-act/ht/add-onion.php:50
 #: pg-act/ht/add-subdomain.php:19 pg-act/ht/add-subpath.php:19
 #, php-format
 msgid "%s added on this directory."
 msgstr "%s ajouté sur ce dossier."
 
-#: pg-act/ht/add-onion.php:37
+#: pg-act/ht/add-onion.php:50
 #, php-format
 msgid "Its address is: %s"
 msgstr "Son adresse est&nbsp;: %s"
@@ -476,7 +476,7 @@ msgstr "Clés SSH mises à jour."
 #: pg-act/ns/caa.php:25 pg-act/ns/cname.php:16 pg-act/ns/dname.php:16
 #: pg-act/ns/ip.php:16 pg-act/ns/loc.php:72 pg-act/ns/mx.php:20
 #: pg-act/ns/ns.php:16 pg-act/ns/srv.php:28 pg-act/ns/sshfp.php:25
-#: pg-act/ns/tlsa.php:29 pg-act/ns/txt.php:17 pg-act/reg/ds.php:32
+#: pg-act/ns/tlsa.php:29 pg-act/ns/txt.php:17 pg-act/reg/ds.php:30
 #: pg-act/reg/glue.php:14 pg-act/reg/ns.php:14
 msgid "Modification done."
 msgstr "Modification effectuée."
@@ -503,15 +503,15 @@ msgstr "Le contenu de zone envoyé n'est pas correct (selon <code>kzonecheck</co
 msgid "This zone already exists on the service."
 msgstr "Cette zone existe déjà sur ce service."
 
-#: pg-act/ns/zone-add.php:12
+#: pg-act/ns/zone-add.php:18
 msgid "Parent zone's name servers not found."
 msgstr "Serveurs de nom de la zone parente introuvables."
 
-#: pg-act/ns/zone-add.php:18 pg-act/reg/transfer.php:18
+#: pg-act/ns/zone-add.php:30 pg-act/reg/transfer.php:24
 msgid "NS authentication record not found."
 msgstr "Enregistrement d'authentification NS introuvable."
 
-#: pg-act/ns/zone-add.php:54
+#: pg-act/ns/zone-add.php:66
 msgid "Zone created."
 msgstr "Zone créée."
 
@@ -559,7 +559,7 @@ msgstr "Domaine enregistré."
 msgid "The current account already owns this domain."
 msgstr "Le compte actuel possède déjà ce domaine."
 
-#: pg-act/reg/transfer.php:33
+#: pg-act/reg/transfer.php:39
 msgid "The domain has been transferred to the current account ; the NS authentication record has been automatically deleted."
 msgstr "Le domaine a été transféré vers le compte actuel ; l'enregistrement d'authentification NS a été automatiquement supprimé."
 
@@ -731,6 +731,11 @@ msgstr "Chemin"
 msgid "Access to delete"
 msgstr "Accès à retirer"
 
+#: pg-view/ht/del.php:13
+#, php-format
+msgid "%1$s to %2$s"
+msgstr "%1$s vers %2$s"
+
 #: pg-view/ht/index.php:2
 msgid "This service allows you to send files on the server using SFTP, and to make them publicly available with HTTP."
 msgstr "Ce service permet d'envoyer des fichiers sur le serveur par SFTP, et de les rendre publiquement accessibles par HTTP."
diff --git a/locales/messages.pot b/locales/messages.pot
index 382e92e..8cf3904 100644
--- a/locales/messages.pot
+++ b/locales/messages.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-06-15 01:33+0200\n"
+"POT-Creation-Date: 2023-06-20 00:38+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -333,11 +333,11 @@ msgstr ""
 msgid "Your account can't be deleted because the %s service is currently unavailable."
 msgstr ""
 
-#: fn/auth.php:143
+#: fn/auth.php:161
 msgid "Account rate limit reached, try again later."
 msgstr ""
 
-#: fn/auth.php:168
+#: fn/auth.php:186
 msgid "Global rate limit reached, try again later."
 msgstr ""
 
@@ -353,15 +353,15 @@ msgstr ""
 msgid "<strong>Server error</strong>: "
 msgstr ""
 
-#: fn/common.php:132
+#: fn/common.php:137
 msgid "Wrong proof."
 msgstr ""
 
-#: fn/dns.php:64
+#: fn/dns.php:74
 msgid "IP address malformed."
 msgstr ""
 
-#: fn/dns.php:69 fn/ht.php:31
+#: fn/dns.php:79 fn/ht.php:48
 msgid "Domain malformed."
 msgstr ""
 
@@ -446,13 +446,13 @@ msgstr ""
 msgid "No TXT record with the expected format has been found."
 msgstr ""
 
-#: pg-act/ht/add-dns.php:41 pg-act/ht/add-onion.php:37
+#: pg-act/ht/add-dns.php:48 pg-act/ht/add-onion.php:50
 #: pg-act/ht/add-subdomain.php:19 pg-act/ht/add-subpath.php:19
 #, php-format
 msgid "%s added on this directory."
 msgstr ""
 
-#: pg-act/ht/add-onion.php:37
+#: pg-act/ht/add-onion.php:50
 #, php-format
 msgid "Its address is: %s"
 msgstr ""
@@ -488,7 +488,7 @@ msgstr ""
 #: pg-act/ns/caa.php:25 pg-act/ns/cname.php:16 pg-act/ns/dname.php:16
 #: pg-act/ns/ip.php:16 pg-act/ns/loc.php:72 pg-act/ns/mx.php:20
 #: pg-act/ns/ns.php:16 pg-act/ns/srv.php:28 pg-act/ns/sshfp.php:25
-#: pg-act/ns/tlsa.php:29 pg-act/ns/txt.php:17 pg-act/reg/ds.php:32
+#: pg-act/ns/tlsa.php:29 pg-act/ns/txt.php:17 pg-act/reg/ds.php:30
 #: pg-act/reg/glue.php:14 pg-act/reg/ns.php:14
 msgid "Modification done."
 msgstr ""
@@ -515,15 +515,15 @@ msgstr ""
 msgid "This zone already exists on the service."
 msgstr ""
 
-#: pg-act/ns/zone-add.php:12
+#: pg-act/ns/zone-add.php:18
 msgid "Parent zone's name servers not found."
 msgstr ""
 
-#: pg-act/ns/zone-add.php:18 pg-act/reg/transfer.php:18
+#: pg-act/ns/zone-add.php:30 pg-act/reg/transfer.php:24
 msgid "NS authentication record not found."
 msgstr ""
 
-#: pg-act/ns/zone-add.php:54
+#: pg-act/ns/zone-add.php:66
 msgid "Zone created."
 msgstr ""
 
@@ -571,7 +571,7 @@ msgstr ""
 msgid "The current account already owns this domain."
 msgstr ""
 
-#: pg-act/reg/transfer.php:33
+#: pg-act/reg/transfer.php:39
 msgid "The domain has been transferred to the current account ; the NS authentication record has been automatically deleted."
 msgstr ""
 
@@ -743,6 +743,11 @@ msgstr ""
 msgid "Access to delete"
 msgstr ""
 
+#: pg-view/ht/del.php:13
+#, php-format
+msgid "%1$s to %2$s"
+msgstr ""
+
 #: pg-view/ht/index.php:2
 msgid "This service allows you to send files on the server using SFTP, and to make them publicly available with HTTP."
 msgstr ""
diff --git a/pg-view/ht/del.php b/pg-view/ht/del.php
index 57acb40..d74adb8 100644
--- a/pg-view/ht/del.php
+++ b/pg-view/ht/del.php
@@ -10,7 +10,7 @@ foreach (query('select', 'sites', ['username' => $_SESSION['id'] ?? '']) as $sit
 		'onion' => 'http://' . $site['address'] . '/',
 		'dns' => 'https://' . $site['address'] . '/',
 	};
-	echo '		<option value="' . $site['type'] . ':' . $site['address'] . '">' . $url . ' vers /' . $site['site_dir'] . '</option>' . LF;
+	echo '		<option value="' . $site['type'] . ':' . $site['address'] . '">' . ' ' . sprintf(_('%1$s to %2$s'), $url, '/' . $site['site_dir']) . '</option>' . LF;
 }
 ?>
 	</select>

From d8b4ee90bbe22bafa2553d3b5387b12ffa1eee05 Mon Sep 17 00:00:00 2001
From: Miraty <miraty+git@antopie.org>
Date: Tue, 20 Jun 2023 02:32:36 +0200
Subject: [PATCH 03/13] check.php: test domain transfers

---
 init.php       |  2 +-
 jobs/check.php | 55 +++++++++++++++++++++++++++++++++++++++++---------
 2 files changed, 47 insertions(+), 10 deletions(-)

diff --git a/init.php b/init.php
index c85e75c..edc6694 100644
--- a/init.php
+++ b/init.php
@@ -5,7 +5,7 @@ set_error_handler(function ($level, $message, $file = '', $line = 0) {
 	throw new ErrorException($message, 0, $level, $file, $line);
 });
 set_exception_handler(function ($e) {
-	error_log($e->getMessage());
+	error_log((string) $e);
 	http_response_code(500);
 	echo '<h1>Error</h1>An error occured.';
 });
diff --git a/jobs/check.php b/jobs/check.php
index a6dc279..7dff255 100644
--- a/jobs/check.php
+++ b/jobs/check.php
@@ -47,7 +47,7 @@ function curlTest(string $address, array $post = [], bool $tor = false): string
 	if ($status_code >= 400 OR $result === false) {
 		var_dump($result);
 		var_dump(curl_error($req));
-		exit($address . ' test failed with status code ' . $status_code . LF);
+		throw new Exception($address . ' test failed with status code ' . $status_code);
 	}
 	return $result;
 }
@@ -60,13 +60,6 @@ curlTest('/auth/register', [
 	'password' => $password,
 ]);
 
-curlTest('/auth/logout', []);
-
-curlTest('/auth/login', [
-	'username' => $username,
-	'password' => $password,
-]);
-
 $new_password = bin2hex(random_bytes(16));
 curlTest('/auth/password', [
 	'current-password' => $password,
@@ -74,9 +67,20 @@ curlTest('/auth/password', [
 ]);
 $password = $new_password;
 
+curlTest('/auth/register', [
+	'username' => $username . '2',
+	'password' => $password,
+]);
+curlTest('/auth/logout', []);
+
+curlTest('/auth/login', [
+	'username' => $username,
+	'password' => $password,
+]);
+
 curlTest('/auth/username', [
 	'current-password' => $password,
-	'new-username' => $username . '2',
+	'new-username' => $username . '3',
 ]);
 curlTest('/auth/username', [
 	'current-password' => $password,
@@ -86,6 +90,8 @@ curlTest('/auth/username', [
 echo 'Created account with username "' . $username . '" and password "' . $password . '".' . LF;
 
 function testReg(): string {
+	global $username, $password;
+
 	$subdomain = bin2hex(random_bytes(16));
 
 	curlTest('/reg/register', [
@@ -116,6 +122,37 @@ function testReg(): string {
 		'ns' => 'ns1.servnest.invalid.',
 	]);
 
+	{ // Domain transfer
+		curlTest('/auth/logout', []);
+		curlTest('/auth/login', [
+			'username' => $username . '2',
+			'password' => $password,
+		]);
+		preg_match('#\<code\>(?<token>[0-9a-z-]{16,128}\._transfer-verification\.' . preg_quote(CORE_DOMAIN, '#') . '\.)\</code\>#', curlTest('/reg/transfer', []), $matches);
+
+		curlTest('/auth/logout', []);
+		curlTest('/auth/login', [
+			'username' => $username,
+			'password' => $password,
+		]);
+		curlTest('/reg/ns', [
+			'action' => 'add',
+			'domain' => $domain,
+			'ns' => $matches['token'],
+		]);
+
+		curlTest('/auth/logout', []);
+		curlTest('/auth/login', [
+			'username' => $username . '2',
+			'password' => $password,
+		]);
+		curlTest('/reg/transfer', [
+			'subdomain' => $subdomain,
+			'suffix' => SUFFIX,
+			'ns' => $matches['token'],
+		]);
+	}
+
 	return $domain;
 }
 

From b2fdc0c92575365a52a89020d504a1d1295db4c0 Mon Sep 17 00:00:00 2001
From: Miraty <miraty+git@antopie.org>
Date: Wed, 21 Jun 2023 01:23:19 +0200
Subject: [PATCH 04/13] Fix jobs/check.php

---
 jobs/check.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/jobs/check.php b/jobs/check.php
index 7dff255..ac97876 100644
--- a/jobs/check.php
+++ b/jobs/check.php
@@ -151,6 +151,8 @@ function testReg(): string {
 			'suffix' => SUFFIX,
 			'ns' => $matches['token'],
 		]);
+
+		$username = $username . '2';
 	}
 
 	return $domain;

From ccd17b7ffa5cde99c2ab946251b725f2759b153a Mon Sep 17 00:00:00 2001
From: Miraty <miraty+git@antopie.org>
Date: Wed, 21 Jun 2023 22:08:57 +0200
Subject: [PATCH 05/13] Clear entries in ssh-keys when deleting account

---
 fn/auth.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fn/auth.php b/fn/auth.php
index d96d1cb..fd3d48f 100644
--- a/fn/auth.php
+++ b/fn/auth.php
@@ -133,6 +133,8 @@ function authDeleteUser(string $user_id): void {
 		], result_code: $code);
 		if ($code !== 0)
 			output(500, 'Can\'t remove user\'s directory.');
+
+		query('delete', 'ssh-keys', ['username' => $user_id]);
 	}
 
 	query('delete', 'users', ['id' => $user_id]);

From 858d6e8d02bab59c16e01d9bf817a8da6f376814 Mon Sep 17 00:00:00 2001
From: Miraty <miraty+git@antopie.org>
Date: Sat, 24 Jun 2023 16:54:36 +0200
Subject: [PATCH 06/13] Add ns/sync and jobs/ns-syncs

---
 db/migrations/006-create-ns-syncs-table.sql | 12 ++++++
 db/schema.sql                               |  8 ++++
 fn/auth.php                                 |  4 +-
 fn/common.php                               | 18 +++++++++
 fn/dns.php                                  |  9 +++--
 fn/ns.php                                   |  2 +
 init.php                                    |  2 +-
 jobs/ns-sync.php                            | 42 +++++++++++++++++++++
 pages.php                                   |  5 +++
 pg-act/ns/sync.php                          | 37 ++++++++++++++++++
 pg-view/ht/keys.php                         |  8 ++--
 pg-view/ns/form.ns.php                      |  2 +-
 pg-view/ns/print.php                        |  2 +-
 pg-view/ns/sync.php                         | 38 +++++++++++++++++++
 14 files changed, 178 insertions(+), 11 deletions(-)
 create mode 100644 db/migrations/006-create-ns-syncs-table.sql
 create mode 100644 jobs/ns-sync.php
 create mode 100644 pg-act/ns/sync.php
 create mode 100644 pg-view/ns/sync.php

diff --git a/db/migrations/006-create-ns-syncs-table.sql b/db/migrations/006-create-ns-syncs-table.sql
new file mode 100644
index 0000000..baca87f
--- /dev/null
+++ b/db/migrations/006-create-ns-syncs-table.sql
@@ -0,0 +1,12 @@
+BEGIN TRANSACTION;
+
+CREATE TABLE IF NOT EXISTS "ns-syncs" (
+	"username"    TEXT    NOT NULL,
+	"source"      TEXT    NOT NULL,
+	"destination" TEXT    NOT NULL UNIQUE,
+	UNIQUE("username", "source", "destination"),
+	FOREIGN KEY("username") REFERENCES "users"("id"),
+	FOREIGN KEY("destination") REFERENCES "zones"("zone")
+);
+
+COMMIT;
diff --git a/db/schema.sql b/db/schema.sql
index 8233bbe..a0a664c 100644
--- a/db/schema.sql
+++ b/db/schema.sql
@@ -42,6 +42,14 @@ CREATE TABLE IF NOT EXISTS "zones" (
 	PRIMARY KEY("zone"),
 	FOREIGN KEY("username") REFERENCES "users"("id")
 );
+CREATE TABLE IF NOT EXISTS "ns-syncs" (
+	"username"    TEXT    NOT NULL,
+	"source"      TEXT    NOT NULL,
+	"destination" TEXT    NOT NULL UNIQUE,
+	UNIQUE("username", "source", "destination"),
+	FOREIGN KEY("username") REFERENCES "users"("id"),
+	FOREIGN KEY("destination") REFERENCES "zones"("zone")
+);
 CREATE TABLE IF NOT EXISTS "sites" (
 	"username"      TEXT    NOT NULL,
 	"site_dir"      TEXT    NOT NULL,
diff --git a/fn/auth.php b/fn/auth.php
index fd3d48f..023bb41 100644
--- a/fn/auth.php
+++ b/fn/auth.php
@@ -98,9 +98,11 @@ function authDeleteUser(string $user_id): void {
 		foreach (query('select', 'registry', ['username' => $user_id], 'domain') as $domain)
 			regDeleteDomain($domain, $user_id);
 
-	if (in_array('ns', $user_services, true))
+	if (in_array('ns', $user_services, true)) {
+		query('delete', 'ns-syncs', ['username' => $user_id]);
 		foreach (query('select', 'zones', ['username' => $user_id], 'zone') as $zone)
 			nsDeleteZone($zone, $user_id);
+	}
 
 	if (in_array('ht', $user_services, true)) {
 		foreach (query('select', 'sites', ['username' => $user_id]) as $site)
diff --git a/fn/common.php b/fn/common.php
index 33815e9..2ce54ca 100644
--- a/fn/common.php
+++ b/fn/common.php
@@ -21,6 +21,24 @@ function exescape(array $args, array &$output = NULL, int &$result_code = NULL):
 	return $result_code;
 }
 
+class KdigException extends Exception {};
+function kdig(string $name, string $type, string $server = NULL): array {
+	exescape([
+		CONF['dns']['kdig_path'],
+		'+json',
+		'+timeout=5',
+		'+retry=0',
+		'-q',
+		$name,
+		'-t',
+		$type,
+		...(isset($server) ? ['@' . $server] : []),
+	], $output, $code);
+	if ($code !== 0)
+		throw new KdigException();
+	return json_decode(implode(LF, $output), true, flags: JSON_THROW_ON_ERROR);
+}
+
 function insert(string $table, array $values): void {
 	$query = 'INSERT INTO "' . $table . '"(';
 
diff --git a/fn/dns.php b/fn/dns.php
index 6c4b171..33597b6 100644
--- a/fn/dns.php
+++ b/fn/dns.php
@@ -1,16 +1,19 @@
 <?php
 
-function parseZoneFile(string $zone_content, array $types, bool|string $filter_domain = false): array {
+function parseZoneFile(string $zone_content, array $types, bool|string $filter_domain = false, bool $filter_include_subdomains = true): array {
 	$parsed_zone_content = [];
 	foreach (explode(LF, $zone_content) as $zone_line) {
 		if ($zone_line === '' OR str_starts_with($zone_line, ';'))
 			continue; // Ignore empty lines and comments
 		$elements = preg_split('/[\t ]+/', $zone_line, 4);
-		if ($filter_domain !== false AND !str_ends_with($elements[0], $filter_domain))
+		if ($filter_domain !== false AND match ($filter_include_subdomains) {
+			true => !str_ends_with($elements[0], $filter_domain),
+			false => $elements[0] !== $filter_domain,
+		})
 			continue; // Ignore records for other domains
 		if (!in_array($elements[2], $types, true))
 			continue; // Ignore records generated by Knot
-		array_push($parsed_zone_content, array_map('htmlspecialchars', $elements));
+		array_push($parsed_zone_content, $elements);
 	}
 	return $parsed_zone_content;
 }
diff --git a/fn/ns.php b/fn/ns.php
index a659385..128fca1 100644
--- a/fn/ns.php
+++ b/fn/ns.php
@@ -17,6 +17,8 @@ const ALLOWED_TYPES = ['AAAA', 'A', 'TXT', 'SRV', 'MX', 'SVCB', 'HTTPS', 'NS', '
 
 const ZONE_MAX_CHARACTERS = 10000;
 
+const SYNC_TTL = 3600;
+
 function nsParseCommonRequirements(): array {
 	nsCheckZonePossession($_POST['zone']);
 
diff --git a/init.php b/init.php
index edc6694..7ac3acb 100644
--- a/init.php
+++ b/init.php
@@ -7,7 +7,7 @@ set_error_handler(function ($level, $message, $file = '', $line = 0) {
 set_exception_handler(function ($e) {
 	error_log((string) $e);
 	http_response_code(500);
-	echo '<h1>Error</h1>An error occured.';
+	echo '<h1>Error</h1><p>An error occured.<p>';
 });
 register_shutdown_function(function () { // Also catch fatal errors
 	if (($error = error_get_last()) !== NULL)
diff --git a/jobs/ns-sync.php b/jobs/ns-sync.php
new file mode 100644
index 0000000..934e32c
--- /dev/null
+++ b/jobs/ns-sync.php
@@ -0,0 +1,42 @@
+<?php
+require 'init.php';
+
+foreach (query('select', 'ns-syncs') as $sync) {
+	$zone_raw = file_get_contents(CONF['ns']['knot_zones_path'] . '/' . $sync['destination'] . 'zone');
+	if ($zone_raw === false)
+		output(403, 'Unable to read zone file.');
+
+	foreach (['AAAA', 'A', 'SRV', 'CAA'] as $type) {
+		// Get source/distant records
+		try {
+			$results = kdig(name: $sync['source'], type: $type);
+		} catch (KdigException) {
+			error_log($sync['source'] . ' resolution failed.' . LF);
+			break;
+		}
+		if ($results['AD'] !== 1) {
+			error_log($sync['source'] . ' skipped: not signed using DNSSEC.' . LF);
+			continue;
+		}
+		$source_records = array_column($results['answerRRs'] ?? [], 'rdata' . $type);
+
+		// Get destination/local records
+		$dest_records = array_column(parseZoneFile($zone_raw, [$type], $sync['destination'], false), 3);
+
+		// Add source records that are not yet in destination
+		foreach (array_diff($source_records, $dest_records) as $value_to_add)
+			knotcZoneExec($sync['destination'], [
+				$sync['destination'],
+				SYNC_TTL,
+				$type,
+				$value_to_add,
+			], 'add');
+		// Delete destination records that are not part of source anymore
+		foreach (array_diff($dest_records, $source_records) as $value_to_delete)
+			knotcZoneExec($sync['destination'], [
+				$sync['destination'],
+				$type,
+				$value_to_delete,
+			], 'delete');
+	}
+}
diff --git a/pages.php b/pages.php
index ef50eac..ebbc4ac 100644
--- a/pages.php
+++ b/pages.php
@@ -163,6 +163,11 @@ define('PAGES', [
 			'description' => _('Store geographic coordinates'),
 			'tokens_account_cost' => 120,
 		],
+		'sync' => [
+			'title' => sprintf(_('Synchronized records')),
+			'description' => _('Regularly fetch distant record value and update it to a local zone'),
+			'tokens_account_cost' => 900,
+		],
 	],
 	'ht' => [
 		'index' => [
diff --git a/pg-act/ns/sync.php b/pg-act/ns/sync.php
new file mode 100644
index 0000000..9275678
--- /dev/null
+++ b/pg-act/ns/sync.php
@@ -0,0 +1,37 @@
+<?php
+
+$el_nb = count($_POST['syncs']);
+if ($el_nb < 1 OR $el_nb > 8)
+	output(403, 'Wrong elements number.');
+
+foreach ($_POST['syncs'] as $i => &$sync) {
+	if (($sync['source'] ?? '') === '') {
+		unset($_POST['syncs'][$i]);
+		continue;
+	}
+	$sync['source'] = formatAbsoluteDomain($sync['source']);
+	nsCheckZonePossession($sync['destination']);
+}
+$syncs = array_values($_POST['syncs']);
+
+rateLimit();
+
+try {
+	DB->beginTransaction();
+
+	query('delete', 'ns-syncs', ['username' => $_SESSION['id']]);
+
+	foreach ($syncs as $sync)
+		insert('ns-syncs', [
+			'username' => $_SESSION['id'],
+			'source' => $sync['source'],
+			'destination' => $sync['destination'],
+		]);
+
+	DB->commit();
+} catch (Exception $e) {
+	DB->rollback();
+	output(500, 'Database error.', [$e->getMessage()]);
+}
+
+output(200, _('Synchronized records updated.'));
diff --git a/pg-view/ht/keys.php b/pg-view/ht/keys.php
index e99f28c..3f613ef 100755
--- a/pg-view/ht/keys.php
+++ b/pg-view/ht/keys.php
@@ -16,12 +16,12 @@ foreach (array_slice(array_merge(query('select', 'ssh-keys', ['username' => $_SE
 	<fieldset>
 		<legend><?= ($ssh_key['key'] === '') ? _('Add new SSH key access') : _('SSH key access') ?></legend>
 		<div>
-			<label for="public-key"><?= _('Public key') ?></label><br>
-			<code>ssh-ed15519 <input pattern="<?= ED25519_PUBKEY_REGEX ?>" placeholder="AAAAC3NzaC1lZDI1NTE5AAAAI<?= substr(base64_encode(random_bytes(32)), 0, 43) ?>" id="public-key" name="keys[<?= $i ?>][public-key]" value="<?= $ssh_key['key'] ?>" type="text"></code>
+			<label for="public-key<?= $i ?>"><?= _('Public key') ?></label><br>
+			<code>ssh-ed15519 <input pattern="<?= ED25519_PUBKEY_REGEX ?>" placeholder="AAAAC3NzaC1lZDI1NTE5AAAAI<?= substr(base64_encode(random_bytes(32)), 0, 43) ?>" id="public-key<?= $i ?>" name="keys[<?= $i ?>][public-key]" value="<?= $ssh_key['key'] ?>" type="text"></code>
 		</div>
 		<div>
-			<label for="dir"><?= _('Allowed directory') ?></label><br>
-			<input list="dirs" placeholder="/" value="<?= htmlspecialchars($ssh_key['directory']) ?>" id="dir" name="keys[<?= $i ?>][dir]" type="text">
+			<label for="dir<?= $i ?>"><?= _('Allowed directory') ?></label><br>
+			<input list="dirs" placeholder="/" value="<?= htmlspecialchars($ssh_key['directory']) ?>" id="dir<?= $i ?>" name="keys[<?= $i ?>][dir]" type="text">
 		</div>
 	</fieldset>
 <?php
diff --git a/pg-view/ns/form.ns.php b/pg-view/ns/form.ns.php
index 304b026..5f18f7f 100644
--- a/pg-view/ns/form.ns.php
+++ b/pg-view/ns/form.ns.php
@@ -15,7 +15,7 @@
 			<label for="zone"><?= _('Zone') ?></label>
 			<br>
 			<select required="" name="zone" id="zone">
-				<option value="" disabled="" selected="">-</option>
+				<option value="" disabled="" selected="">—</option>
 <?php
 foreach (nsListUserZones() as $zone)
 	echo "<option value='" . $zone . "'>" . $zone . "</option>";
diff --git a/pg-view/ns/print.php b/pg-view/ns/print.php
index a7dbbdf..3492b1d 100644
--- a/pg-view/ns/print.php
+++ b/pg-view/ns/print.php
@@ -38,7 +38,7 @@ if (isset($data['zone-table'])) { ?>
 	foreach ($data['zone-table'] as $zone_line) {
 		echo '	<tr>' . LF;
 		foreach ($zone_line as $element)
-			echo '		<td><code>' . $element . '</code></td>' . LF;
+			echo '		<td><code>' . htmlspecialchars($element) . '</code></td>' . LF;
 		echo '	</tr>' . LF;
 	}
 }
diff --git a/pg-view/ns/sync.php b/pg-view/ns/sync.php
new file mode 100644
index 0000000..740ba10
--- /dev/null
+++ b/pg-view/ns/sync.php
@@ -0,0 +1,38 @@
+<p>
+	<?= sprintf(_('AAAA, A and CAA records are regularly copied from the source domain to the target domain. Their TTLs are set to %s seconds.'), SYNC_TTL) ?>
+</p>
+<p>
+	<?= _('Source domains that are not signed with DNSSEC are not synchronized. Synchronizations that remain broken may be deleted.') ?>
+</p>
+<p>
+	<?= _('This is meant to be used for apex domains, where a CNAME record is not allowed. For non-apex domains, CNAME records should be used instead.') ?>
+</p>
+
+<form method="post">
+<?php
+foreach (array_slice(array_merge(query('select', 'ns-syncs', ['username' => $_SESSION['id'] ?? '']), [['source' => '', 'destination' => '—']]), 0, 8) as $i => $sync) {
+?>
+	<fieldset>
+		<legend><?= ($sync['source'] === '') ? _('Add new domain records to be synchronized') : _('Synchronized record') ?></legend>
+		<div>
+			<label for="source<?= $i ?>"><?= _('Source domain') ?></label><br>
+			<input placeholder="provider.<?= PLACEHOLDER_DOMAIN ?>." id="source<?= $i ?>" name="syncs[<?= $i ?>][source]" value="<?= $sync['source'] ?>" type="text">
+		</div>
+		<div>
+			<label for="destination<?= $i ?>"><?= _('Target domain') ?></label>
+			<br>
+			<select required="" name="syncs[<?= $i ?>][destination]" id="destination<?= $i ?>">
+				<option <?= (($sync['destination'] === '') ? 'value="" disabled=""' : 'value="' . $sync['destination'] . '"') ?> selected=""><?= $sync['destination'] ?></option>
+<?php
+foreach (nsListUserZones() as $zone)
+	echo "<option value='" . $zone . "'>" . $zone . "</option>";
+?>
+
+			</select>
+		</div>
+	</fieldset>
+<?php
+}
+?>
+	<input type="submit" value="<?= _('Update') ?>">
+</form>

From 1d856e1e2e77e7f4601805ac02c13708012f4039 Mon Sep 17 00:00:00 2001
From: Miraty <miraty+git@antopie.org>
Date: Mon, 26 Jun 2023 04:13:52 +0200
Subject: [PATCH 07/13] ns/sync: translations and bugfixes

---
 db/schema.sql                        |   1 -
 fn/auth.php                          |   4 +-
 fn/ns.php                            |   4 +-
 jobs/check.php                       |   2 +-
 jobs/delete-old-testing.php          |   2 +-
 jobs/ns-sync.php                     |   8 +-
 locales/fr/C/LC_MESSAGES/messages.po |  90 ++++++++++++++++------
 locales/messages.pot                 | 110 +++++++++++++++++++--------
 pages.php                            |   2 +-
 pg-act/ns/sync.php                   |   6 +-
 pg-view/ns/sync.php                  |   6 +-
 11 files changed, 165 insertions(+), 70 deletions(-)

diff --git a/db/schema.sql b/db/schema.sql
index a0a664c..4d253f2 100644
--- a/db/schema.sql
+++ b/db/schema.sql
@@ -46,7 +46,6 @@ CREATE TABLE IF NOT EXISTS "ns-syncs" (
 	"username"    TEXT    NOT NULL,
 	"source"      TEXT    NOT NULL,
 	"destination" TEXT    NOT NULL UNIQUE,
-	UNIQUE("username", "source", "destination"),
 	FOREIGN KEY("username") REFERENCES "users"("id"),
 	FOREIGN KEY("destination") REFERENCES "zones"("zone")
 );
diff --git a/fn/auth.php b/fn/auth.php
index 023bb41..fd3d48f 100644
--- a/fn/auth.php
+++ b/fn/auth.php
@@ -98,11 +98,9 @@ function authDeleteUser(string $user_id): void {
 		foreach (query('select', 'registry', ['username' => $user_id], 'domain') as $domain)
 			regDeleteDomain($domain, $user_id);
 
-	if (in_array('ns', $user_services, true)) {
-		query('delete', 'ns-syncs', ['username' => $user_id]);
+	if (in_array('ns', $user_services, true))
 		foreach (query('select', 'zones', ['username' => $user_id], 'zone') as $zone)
 			nsDeleteZone($zone, $user_id);
-	}
 
 	if (in_array('ht', $user_services, true)) {
 		foreach (query('select', 'sites', ['username' => $user_id]) as $site)
diff --git a/fn/ns.php b/fn/ns.php
index 128fca1..f84b553 100644
--- a/fn/ns.php
+++ b/fn/ns.php
@@ -17,7 +17,7 @@ const ALLOWED_TYPES = ['AAAA', 'A', 'TXT', 'SRV', 'MX', 'SVCB', 'HTTPS', 'NS', '
 
 const ZONE_MAX_CHARACTERS = 10000;
 
-const SYNC_TTL = 3600;
+const SYNC_TTL = 10800;
 
 function nsParseCommonRequirements(): array {
 	nsCheckZonePossession($_POST['zone']);
@@ -73,6 +73,8 @@ function nsDeleteZone(string $zone, string $user_id): void {
 	if ($code !== 0)
 		output(500, 'Failed to purge zone data.');
 
+	query('delete', 'ns-syncs', ['destination' => $zone]);
+
 	// Remove from database
 	query('delete', 'zones', [
 		'zone' => $zone,
diff --git a/jobs/check.php b/jobs/check.php
index ac97876..fb28394 100644
--- a/jobs/check.php
+++ b/jobs/check.php
@@ -1,6 +1,6 @@
 <?php // Test that the current setup is working
 
-require 'init.php';
+require __DIR__ . '/../init.php';
 
 const SFTP = '/usr/bin/sftp';
 const SSHPASS = '/usr/bin/sshpass';
diff --git a/jobs/delete-old-testing.php b/jobs/delete-old-testing.php
index 58671dd..b295520 100644
--- a/jobs/delete-old-testing.php
+++ b/jobs/delete-old-testing.php
@@ -1,5 +1,5 @@
 <?php
-require 'init.php';
+require __DIR__ . '/../init.php';
 
 const MAX_TESTING_ACCOUNT_AGE = 86400 * 10;
 
diff --git a/jobs/ns-sync.php b/jobs/ns-sync.php
index 934e32c..9097813 100644
--- a/jobs/ns-sync.php
+++ b/jobs/ns-sync.php
@@ -1,21 +1,21 @@
 <?php
-require 'init.php';
+require __DIR__ . '/../init.php';
 
 foreach (query('select', 'ns-syncs') as $sync) {
 	$zone_raw = file_get_contents(CONF['ns']['knot_zones_path'] . '/' . $sync['destination'] . 'zone');
 	if ($zone_raw === false)
 		output(403, 'Unable to read zone file.');
 
-	foreach (['AAAA', 'A', 'SRV', 'CAA'] as $type) {
+	foreach (['AAAA', 'A', 'CAA'] as $type) {
 		// Get source/distant records
 		try {
 			$results = kdig(name: $sync['source'], type: $type);
 		} catch (KdigException) {
-			error_log($sync['source'] . ' resolution failed.' . LF);
+			fwrite(STDERR, $sync['source'] . ' resolution failed.' . LF);
 			break;
 		}
 		if ($results['AD'] !== 1) {
-			error_log($sync['source'] . ' skipped: not signed using DNSSEC.' . LF);
+			fwrite(STDERR, $sync['source'] . ' skipped: not signed using DNSSEC.' . LF);
 			continue;
 		}
 		$source_records = array_column($results['answerRRs'] ?? [], 'rdata' . $type);
diff --git a/locales/fr/C/LC_MESSAGES/messages.po b/locales/fr/C/LC_MESSAGES/messages.po
index ac61d4f..3467305 100644
--- a/locales/fr/C/LC_MESSAGES/messages.po
+++ b/locales/fr/C/LC_MESSAGES/messages.po
@@ -1,7 +1,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-06-20 00:38+0200\n"
+"POT-Creation-Date: 2023-06-26 02:14+0200\n"
 "Language: fr\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 
@@ -226,59 +226,68 @@ msgstr "Définir la descendance d'un domaine comme alias de la descendance d'un
 msgid "Store geographic coordinates"
 msgstr "Indiquer des coordonnées géographiques"
 
-#: pages.php:169
+#: pages.php:167
+#, php-format
+msgid "Synchronized records"
+msgstr "Enregistrements synchronisés"
+
+#: pages.php:168
+msgid "Regularly fetch distant records and update them to a local zone"
+msgstr "Récupérer régulièrement des enregistrements distants et les mettre à jour vers une zone locale"
+
+#: pages.php:174
 msgid "Web"
 msgstr "Web"
 
-#: pages.php:170
+#: pages.php:175
 msgid "Upload a static website into an <abbr title=\"SSH File Transfer Protocol\">SFTP</abbr> space"
 msgstr "Téléverser un site statique dans un espace <abbr title=\"SSH File Transfert Protocol\">SFTP</abbr>"
 
-#: pages.php:173
+#: pages.php:178
 #, php-format
 msgid "%s subpath access"
 msgstr "Accès par sous-chemin de %s"
 
-#: pages.php:174 pages.php:179 pages.php:184
+#: pages.php:179 pages.php:184 pages.php:189
 #, php-format
 msgid "Its URL will look like %s"
 msgstr "Son URL ressemblera à %s"
 
-#: pages.php:174 pages.php:179 pages.php:184
+#: pages.php:179 pages.php:184 pages.php:189
 msgid "mysite"
 msgstr "monsite"
 
-#: pages.php:178
+#: pages.php:183
 #, php-format
 msgid "%s subdomain access"
 msgstr "Accès par sous-domaine de %s"
 
-#: pages.php:183
+#: pages.php:188
 msgid "Dedicated domain with Let's Encrypt certificate access"
 msgstr "Accès par domaine dédié avec certificat Let's Encrypt"
 
-#: pages.php:188
+#: pages.php:193
 msgid "Onion service access"
 msgstr "Accès par service Onion"
 
-#: pages.php:189
+#: pages.php:194
 #, php-format
 msgid "Its URL will look like %s, and work only through the Tor network"
 msgstr "Son URL ressemblera à %s, et ne fonctionnera que par le réseau Tor"
 
-#: pages.php:193 pg-view/ht/del.php:18
+#: pages.php:198 pg-view/ht/del.php:18
 msgid "Delete access"
 msgstr "Supprimer un accès"
 
-#: pages.php:194
+#: pages.php:199
 msgid "Delete an existing HTTP access from a subdirectory of the SFTP space"
 msgstr "Retirer un accès HTTP existant d'un sous-dossier de l'espace SFTP"
 
-#: pages.php:197
+#: pages.php:202
 msgid "Manage SSH keys"
 msgstr "Gérer les clés SSH"
 
-#: pages.php:198
+#: pages.php:203
 msgid "Choose what SSH key can edit what directory"
 msgstr "Choisir quelle clé SSH peut modifier quel dossier"
 
@@ -321,11 +330,11 @@ msgstr "%sCode source%s disponible sous %s."
 msgid "Your account can't be deleted because the %s service is currently unavailable."
 msgstr "Votre compte ne peut pas être supprimé car le service %s est actuellement indisponible."
 
-#: fn/auth.php:161
+#: fn/auth.php:163
 msgid "Account rate limit reached, try again later."
 msgstr "Limite de taux pour ce compte atteinte, réessayez plus tard."
 
-#: fn/auth.php:186
+#: fn/auth.php:188
 msgid "Global rate limit reached, try again later."
 msgstr "Limite de taux globale atteinte, réessayez plus tard."
 
@@ -341,24 +350,24 @@ msgstr "<strong>Erreur de l'utilisataire</strong>&nbsp;: "
 msgid "<strong>Server error</strong>: "
 msgstr "<strong>Erreur du serveur</strong>&nbsp;: "
 
-#: fn/common.php:137
+#: fn/common.php:155
 msgid "Wrong proof."
 msgstr "Preuve incorrecte."
 
-#: fn/dns.php:74
+#: fn/dns.php:77
 msgid "IP address malformed."
 msgstr "Adresse IP malformée."
 
-#: fn/dns.php:79 fn/ht.php:48
+#: fn/dns.php:82 fn/ht.php:48
 msgid "Domain malformed."
 msgstr "Domaine malformé."
 
-#: fn/ns.php:31 pg-act/ns/edit.php:25
+#: fn/ns.php:33 pg-act/ns/edit.php:25
 #, php-format
 msgid "TTLs shorter than %s seconds are forbidden."
 msgstr "Les TTLs plus courts que %s secondes sont interdits."
 
-#: fn/ns.php:33 pg-act/ns/edit.php:27
+#: fn/ns.php:35 pg-act/ns/edit.php:27
 #, php-format
 msgid "TTLs longer than %s seconds are forbidden."
 msgstr "Les TTLs plus longs que %s secondes sont interdits."
@@ -499,6 +508,14 @@ msgstr "Le type %s n'est pas autorisé."
 msgid "Sent zone content is not correct (according to <code>kzonecheck</code>)."
 msgstr "Le contenu de zone envoyé n'est pas correct (selon <code>kzonecheck</code>)."
 
+#: pg-act/ns/sync.php:19
+msgid "Multiple source domains can't be applied to the same target domain."
+msgstr "Plusieurs domaines sources ne peuvent pas être appliqués sur un même domaine cible."
+
+#: pg-act/ns/sync.php:41
+msgid "Synchronized records updated."
+msgstr "Enregistrements synchronisés mis à jour."
+
 #: pg-act/ns/zone-add.php:6
 msgid "This zone already exists on the service."
 msgstr "Cette zone existe déjà sur ce service."
@@ -858,7 +875,7 @@ msgstr "Clé publique"
 msgid "Allowed directory"
 msgstr "Dossier autorisé"
 
-#: pg-view/ht/keys.php:30
+#: pg-view/ht/keys.php:30 pg-view/ns/sync.php:37
 msgid "Update"
 msgstr "Mettre à jour"
 
@@ -1109,6 +1126,35 @@ msgstr "Type de hash"
 msgid "Fingerprint"
 msgstr "Empreinte"
 
+#: pg-view/ns/sync.php:2
+#, php-format
+msgid "AAAA, A and CAA records are regularly copied from the source domain to the target domain. Their TTLs are set to %s seconds."
+msgstr "Les enregistrements AAAA, A et CAA sont régulièrement copiés du domain source vers le domain cible. Leurs TTLs sont définis à %s secondes."
+
+#: pg-view/ns/sync.php:5
+msgid "Source domains that are not signed with DNSSEC are not synchronized. Synchronizations that remain broken may be deleted."
+msgstr "Les domains sources qui ne sont pas signés avec DNSSEC ne sont pas synchronisés. Les synchronisations qui restent cassées peuvent être supprimées."
+
+#: pg-view/ns/sync.php:8
+msgid "This is meant to be used for apex domains, where CNAME records are not allowed. For non-apex domains, CNAME records should be used instead."
+msgstr "Ceci est destiné à être utilisé sur des domaines apex, où les enregistrements CNAME ne sont pas autorisés. Pour des domaines non-apex, les enregistrements CNAME devraient être utilisés à la place."
+
+#: pg-view/ns/sync.php:16
+msgid "Add new domain records to be synchronized"
+msgstr "Ajouter de nouveaux enregistrements de domain à synchroniser"
+
+#: pg-view/ns/sync.php:16
+msgid "Synchronized domain"
+msgstr "Domaine synchronisé"
+
+#: pg-view/ns/sync.php:18
+msgid "Source domain"
+msgstr "Domaine source"
+
+#: pg-view/ns/sync.php:22
+msgid "Target domain"
+msgstr "Domaine cible"
+
 #: pg-view/ns/tlsa.php:4
 msgid "Use"
 msgstr "Utilisation"
diff --git a/locales/messages.pot b/locales/messages.pot
index 8cf3904..d65ec2c 100644
--- a/locales/messages.pot
+++ b/locales/messages.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-06-20 00:38+0200\n"
+"POT-Creation-Date: 2023-06-26 02:14+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -238,59 +238,68 @@ msgstr ""
 msgid "Store geographic coordinates"
 msgstr ""
 
-#: pages.php:169
+#: pages.php:167
+#, php-format
+msgid "Synchronized records"
+msgstr ""
+
+#: pages.php:168
+msgid "Regularly fetch distant records and update them to a local zone"
+msgstr ""
+
+#: pages.php:174
 msgid "Web"
 msgstr ""
 
-#: pages.php:170
+#: pages.php:175
 msgid "Upload a static website into an <abbr title=\"SSH File Transfer Protocol\">SFTP</abbr> space"
 msgstr ""
 
-#: pages.php:173
-#, php-format
-msgid "%s subpath access"
-msgstr ""
-
-#: pages.php:174 pages.php:179 pages.php:184
-#, php-format
-msgid "Its URL will look like %s"
-msgstr ""
-
-#: pages.php:174 pages.php:179 pages.php:184
-msgid "mysite"
-msgstr ""
-
 #: pages.php:178
 #, php-format
-msgid "%s subdomain access"
+msgid "%s subpath access"
+msgstr ""
+
+#: pages.php:179 pages.php:184 pages.php:189
+#, php-format
+msgid "Its URL will look like %s"
+msgstr ""
+
+#: pages.php:179 pages.php:184 pages.php:189
+msgid "mysite"
 msgstr ""
 
 #: pages.php:183
-msgid "Dedicated domain with Let's Encrypt certificate access"
+#, php-format
+msgid "%s subdomain access"
 msgstr ""
 
 #: pages.php:188
+msgid "Dedicated domain with Let's Encrypt certificate access"
+msgstr ""
+
+#: pages.php:193
 msgid "Onion service access"
 msgstr ""
 
-#: pages.php:189
+#: pages.php:194
 #, php-format
 msgid "Its URL will look like %s, and work only through the Tor network"
 msgstr ""
 
-#: pages.php:193 pg-view/ht/del.php:18
+#: pages.php:198 pg-view/ht/del.php:18
 msgid "Delete access"
 msgstr ""
 
-#: pages.php:194
+#: pages.php:199
 msgid "Delete an existing HTTP access from a subdirectory of the SFTP space"
 msgstr ""
 
-#: pages.php:197
+#: pages.php:202
 msgid "Manage SSH keys"
 msgstr ""
 
-#: pages.php:198
+#: pages.php:203
 msgid "Choose what SSH key can edit what directory"
 msgstr ""
 
@@ -333,11 +342,11 @@ msgstr ""
 msgid "Your account can't be deleted because the %s service is currently unavailable."
 msgstr ""
 
-#: fn/auth.php:161
+#: fn/auth.php:163
 msgid "Account rate limit reached, try again later."
 msgstr ""
 
-#: fn/auth.php:186
+#: fn/auth.php:188
 msgid "Global rate limit reached, try again later."
 msgstr ""
 
@@ -353,24 +362,24 @@ msgstr ""
 msgid "<strong>Server error</strong>: "
 msgstr ""
 
-#: fn/common.php:137
+#: fn/common.php:155
 msgid "Wrong proof."
 msgstr ""
 
-#: fn/dns.php:74
+#: fn/dns.php:77
 msgid "IP address malformed."
 msgstr ""
 
-#: fn/dns.php:79 fn/ht.php:48
+#: fn/dns.php:82 fn/ht.php:48
 msgid "Domain malformed."
 msgstr ""
 
-#: fn/ns.php:31 pg-act/ns/edit.php:25
+#: fn/ns.php:33 pg-act/ns/edit.php:25
 #, php-format
 msgid "TTLs shorter than %s seconds are forbidden."
 msgstr ""
 
-#: fn/ns.php:33 pg-act/ns/edit.php:27
+#: fn/ns.php:35 pg-act/ns/edit.php:27
 #, php-format
 msgid "TTLs longer than %s seconds are forbidden."
 msgstr ""
@@ -511,6 +520,14 @@ msgstr ""
 msgid "Sent zone content is not correct (according to <code>kzonecheck</code>)."
 msgstr ""
 
+#: pg-act/ns/sync.php:19
+msgid "Multiple source domains can't be applied to the same target domain."
+msgstr ""
+
+#: pg-act/ns/sync.php:41
+msgid "Synchronized records updated."
+msgstr ""
+
 #: pg-act/ns/zone-add.php:6
 msgid "This zone already exists on the service."
 msgstr ""
@@ -870,7 +887,7 @@ msgstr ""
 msgid "Allowed directory"
 msgstr ""
 
-#: pg-view/ht/keys.php:30
+#: pg-view/ht/keys.php:30 pg-view/ns/sync.php:37
 msgid "Update"
 msgstr ""
 
@@ -1121,6 +1138,35 @@ msgstr ""
 msgid "Fingerprint"
 msgstr ""
 
+#: pg-view/ns/sync.php:2
+#, php-format
+msgid "AAAA, A and CAA records are regularly copied from the source domain to the target domain. Their TTLs are set to %s seconds."
+msgstr ""
+
+#: pg-view/ns/sync.php:5
+msgid "Source domains that are not signed with DNSSEC are not synchronized. Synchronizations that remain broken may be deleted."
+msgstr ""
+
+#: pg-view/ns/sync.php:8
+msgid "This is meant to be used for apex domains, where CNAME records are not allowed. For non-apex domains, CNAME records should be used instead."
+msgstr ""
+
+#: pg-view/ns/sync.php:16
+msgid "Add new domain records to be synchronized"
+msgstr ""
+
+#: pg-view/ns/sync.php:16
+msgid "Synchronized domain"
+msgstr ""
+
+#: pg-view/ns/sync.php:18
+msgid "Source domain"
+msgstr ""
+
+#: pg-view/ns/sync.php:22
+msgid "Target domain"
+msgstr ""
+
 #: pg-view/ns/tlsa.php:4
 msgid "Use"
 msgstr ""
diff --git a/pages.php b/pages.php
index ebbc4ac..fadb435 100644
--- a/pages.php
+++ b/pages.php
@@ -165,7 +165,7 @@ define('PAGES', [
 		],
 		'sync' => [
 			'title' => sprintf(_('Synchronized records')),
-			'description' => _('Regularly fetch distant record value and update it to a local zone'),
+			'description' => _('Regularly fetch distant records and update them to a local zone'),
 			'tokens_account_cost' => 900,
 		],
 	],
diff --git a/pg-act/ns/sync.php b/pg-act/ns/sync.php
index 9275678..9160350 100644
--- a/pg-act/ns/sync.php
+++ b/pg-act/ns/sync.php
@@ -4,7 +4,7 @@ $el_nb = count($_POST['syncs']);
 if ($el_nb < 1 OR $el_nb > 8)
 	output(403, 'Wrong elements number.');
 
-foreach ($_POST['syncs'] as $i => &$sync) {
+foreach ($_POST['syncs'] as $i => $sync) {
 	if (($sync['source'] ?? '') === '') {
 		unset($_POST['syncs'][$i]);
 		continue;
@@ -14,6 +14,10 @@ foreach ($_POST['syncs'] as $i => &$sync) {
 }
 $syncs = array_values($_POST['syncs']);
 
+$destinations = array_column($syncs, 'destination');
+if (count($destinations) !== count(array_unique($destinations)))
+	output(403, _('Multiple source domains can\'t be applied to the same target domain.'));
+
 rateLimit();
 
 try {
diff --git a/pg-view/ns/sync.php b/pg-view/ns/sync.php
index 740ba10..2e52645 100644
--- a/pg-view/ns/sync.php
+++ b/pg-view/ns/sync.php
@@ -5,7 +5,7 @@
 	<?= _('Source domains that are not signed with DNSSEC are not synchronized. Synchronizations that remain broken may be deleted.') ?>
 </p>
 <p>
-	<?= _('This is meant to be used for apex domains, where a CNAME record is not allowed. For non-apex domains, CNAME records should be used instead.') ?>
+	<?= _('This is meant to be used for apex domains, where CNAME records are not allowed. For non-apex domains, CNAME records should be used instead.') ?>
 </p>
 
 <form method="post">
@@ -13,7 +13,7 @@
 foreach (array_slice(array_merge(query('select', 'ns-syncs', ['username' => $_SESSION['id'] ?? '']), [['source' => '', 'destination' => '—']]), 0, 8) as $i => $sync) {
 ?>
 	<fieldset>
-		<legend><?= ($sync['source'] === '') ? _('Add new domain records to be synchronized') : _('Synchronized record') ?></legend>
+		<legend><?= ($sync['source'] === '') ? _('Add new domain records to be synchronized') : _('Synchronized domain') ?></legend>
 		<div>
 			<label for="source<?= $i ?>"><?= _('Source domain') ?></label><br>
 			<input placeholder="provider.<?= PLACEHOLDER_DOMAIN ?>." id="source<?= $i ?>" name="syncs[<?= $i ?>][source]" value="<?= $sync['source'] ?>" type="text">
@@ -24,7 +24,7 @@ foreach (array_slice(array_merge(query('select', 'ns-syncs', ['username' => $_SE
 			<select required="" name="syncs[<?= $i ?>][destination]" id="destination<?= $i ?>">
 				<option <?= (($sync['destination'] === '') ? 'value="" disabled=""' : 'value="' . $sync['destination'] . '"') ?> selected=""><?= $sync['destination'] ?></option>
 <?php
-foreach (nsListUserZones() as $zone)
+foreach (array_diff(nsListUserZones(), query('select', 'ns-syncs', ['username' => $_SESSION['id'] ?? ''], 'destination')) as $zone)
 	echo "<option value='" . $zone . "'>" . $zone . "</option>";
 ?>
 

From b05653d16f6e3c7b1a294c17aed3a8aa6209aaba Mon Sep 17 00:00:00 2001
From: Miraty <miraty+git@antopie.org>
Date: Wed, 5 Jul 2023 19:53:39 +0200
Subject: [PATCH 08/13] ns: add CSYNC to ALLOWED_TYPES

---
 fn/ns.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fn/ns.php b/fn/ns.php
index f84b553..953ef31 100644
--- a/fn/ns.php
+++ b/fn/ns.php
@@ -13,7 +13,7 @@ const MIN_TTL = 300;
 const DEFAULT_TTL = 10800;
 const MAX_TTL = 1728000;
 
-const ALLOWED_TYPES = ['AAAA', 'A', 'TXT', 'SRV', 'MX', 'SVCB', 'HTTPS', 'NS', 'DS', 'CAA', 'CNAME', 'DNAME', 'LOC', 'SSHFP', 'TLSA'];
+const ALLOWED_TYPES = ['AAAA', 'A', 'TXT', 'SRV', 'MX', 'SSHFP', 'TLSA', 'NS', 'DS', 'CSYNC', 'CAA', 'CNAME', 'DNAME', 'SVCB', 'HTTPS', 'LOC'];
 
 const ZONE_MAX_CHARACTERS = 10000;
 

From 3ddbc7cf1a99604b5a8252b8f4b014bf9e2661e4 Mon Sep 17 00:00:00 2001
From: Miraty <miraty+git@antopie.org>
Date: Sun, 16 Jul 2023 21:00:38 +0200
Subject: [PATCH 09/13] reg: sync DS/NS using CDS/CSYNC from child zone

---
 jobs/reg-cds.php                     | 57 ++++++++++++++++++++++++++
 jobs/reg-csync.php                   | 61 ++++++++++++++++++++++++++++
 locales/fr/C/LC_MESSAGES/messages.po | 24 ++++++++++-
 locales/messages.pot                 | 24 ++++++++++-
 pg-act/ns/zone-add.php               |  1 +
 pg-view/reg/index.php                | 12 ++++++
 6 files changed, 175 insertions(+), 4 deletions(-)
 create mode 100644 jobs/reg-cds.php
 create mode 100644 jobs/reg-csync.php

diff --git a/jobs/reg-cds.php b/jobs/reg-cds.php
new file mode 100644
index 0000000..805721a
--- /dev/null
+++ b/jobs/reg-cds.php
@@ -0,0 +1,57 @@
+<?php
+/*
+	RFC 7344: Automating DNSSEC Delegation Trust Maintenance
+	RFC 8078: Managing DS Records from the Parent via CDS/CDNSKEY
+*/
+require __DIR__ . '/../init.php';
+
+foreach (query('select', 'registry') as $entry) {
+	$suffix = regParseDomain($entry['domain'])['suffix'];
+
+	// Get child/distant records
+	try {
+		$results = kdig(name: $entry['domain'], type: 'CDS');
+	} catch (KdigException) {
+		fwrite(STDERR, $entry['domain'] . ' resolution failed.' . LF);
+		continue;
+	}
+	if ($results['AD'] !== 1) // No DNSSEC
+		continue;
+	$cds_records = array_column($results['answerRRs'] ?? [], 'rdataCDS');
+
+	// Skip if no updates
+	if ($cds_records === [])
+		continue;
+
+	// Get parent/local CDS records
+	$zone_raw = file_get_contents(CONF['reg']['suffixes_path'] . '/' . $suffix . 'zone');
+	if ($zone_raw === false)
+		output(403, 'Unable to read zone file.');
+	$pds_records = array_column(parseZoneFile($zone_raw, ['DS'], $entry['domain'], false), 3);
+
+	if ($cds_records === ['0 0 0 0'])
+		// Delete every parent DS records
+		foreach ($pds_records as $value_to_delete)
+			knotcZoneExec($suffix, [
+				$entry['domain'],
+				'DS',
+				$value_to_delete,
+			], 'delete');
+	else {
+		// Add child DS records that are not yet in parent
+		foreach (array_diff($cds_records, $pds_records) as $value_to_add)
+			knotcZoneExec($suffix, [
+				$entry['domain'],
+				CONF['reg']['ttl'],
+				'DS',
+				$value_to_add,
+			], 'add');
+		// Delete parent DS records that are not part of child anymore
+		foreach (array_diff($pds_records, $cds_records) as $value_to_delete)
+			knotcZoneExec($suffix, [
+				$entry['domain'],
+				'DS',
+				$value_to_delete,
+			], 'delete');
+	}
+}
diff --git a/jobs/reg-csync.php b/jobs/reg-csync.php
new file mode 100644
index 0000000..2878788
--- /dev/null
+++ b/jobs/reg-csync.php
@@ -0,0 +1,61 @@
+<?php
+/*
+	RFC 7477: Child-to-Parent Synchronization in DNS
+*/
+require __DIR__ . '/../init.php';
+
+foreach (query('select', 'registry') as $entry) {
+	$suffix = regParseDomain($entry['domain'])['suffix'];
+
+	// Get child/distant CSYNC records
+	try {
+		$results = kdig(name: $entry['domain'], type: 'CSYNC');
+	} catch (KdigException) {
+		fwrite(STDERR, $entry['domain'] . ' CSYNC resolution failed.' . LF);
+		continue;
+	}
+	if ($results['AD'] !== 1)
+		continue;
+	if (count($results['answerRRs'] ?? []) !== 1) // Parental agents MUST ignore a child's CSYNC RDATA set if multiple CSYNC resource records are found; only a single CSYNC record should ever be present.
+		continue;
+	list($serial, $flags, $types) = explode(' ', $results['answerRRs'][0]['rdataCSYNC'], 3);
+	if ($flags !== '1')
+		continue; // Skip unsupported flags
+	if ($types !== 'NS')
+		continue; // Skip unsupported types
+
+	// Get child/distant NS records
+	try {
+		$results = kdig(name: $entry['domain'], type: 'NS');
+	} catch (KdigException) {
+		fwrite(STDERR, $entry['domain'] . ' NS resolution failed.' . LF);
+		continue;
+	}
+	if ($results['AD'] !== 1)
+		continue;
+	$child_ns_records = array_column($results['answerRRs'] ?? [], 'rdataNS');
+	if (count($child_ns_records) === []) // Parental agents MUST NOT perform NS updates if there are no NS records returned in a query, as verified by DNSSEC denial-of-existence protection.
+		continue;
+
+	// Get parent/local NS records
+	$zone_raw = file_get_contents(CONF['reg']['suffixes_path'] . '/' . $suffix . 'zone');
+	if ($zone_raw === false)
+		output(403, 'Unable to read zone file.');
+	$parent_ns_records = array_column(parseZoneFile($zone_raw, ['NS'], $entry['domain'], false), 3);
+
+	// Add child NS records that are not yet in parent
+	foreach (array_diff($child_ns_records, $parent_ns_records) as $value_to_add)
+		knotcZoneExec($suffix, [
+			$entry['domain'],
+			CONF['reg']['ttl'],
+			'NS',
+			$value_to_add,
+		], 'add');
+	// Delete parent NS records that are not part of child anymore
+	foreach (array_diff($parent_ns_records, $child_ns_records) as $value_to_delete)
+		knotcZoneExec($suffix, [
+			$entry['domain'],
+			'NS',
+			$value_to_delete,
+		], 'delete');
+}
diff --git a/locales/fr/C/LC_MESSAGES/messages.po b/locales/fr/C/LC_MESSAGES/messages.po
index 3467305..88c4b6a 100644
--- a/locales/fr/C/LC_MESSAGES/messages.po
+++ b/locales/fr/C/LC_MESSAGES/messages.po
@@ -1,7 +1,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-06-26 02:14+0200\n"
+"POT-Creation-Date: 2023-07-16 20:50+0200\n"
 "Language: fr\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 
@@ -528,7 +528,7 @@ msgstr "Serveurs de nom de la zone parente introuvables."
 msgid "NS authentication record not found."
 msgstr "Enregistrement d'authentification NS introuvable."
 
-#: pg-act/ns/zone-add.php:66
+#: pg-act/ns/zone-add.php:67
 msgid "Zone created."
 msgstr "Zone créée."
 
@@ -1230,6 +1230,26 @@ msgstr "Seuls les comptes <span aria-hidden=\"true\">👤 </span><em>approuvés<
 msgid "Nobody can register a domain under these suffixes:"
 msgstr "Personne ne peut enregistrer un domain sous ces suffixes&nbsp;:"
 
+#: pg-view/reg/index.php:63
+msgid "Automatic updates from child zone"
+msgstr "Mises à jour automatiques depuis la zone enfant"
+
+#: pg-view/reg/index.php:64
+msgid "CSYNC records"
+msgstr "Enregistrements CSYNC"
+
+#: pg-view/reg/index.php:66
+msgid "The registry can synchronize NS records from the child zone if a CSYNC record is present at the apex of the child zone, has flags <code>1</code> and type bit map <code>NS</code>, and can be DNSSEC-validated. Others values are not supported."
+msgstr "Le registre peut synchroniser les enregistrements NS depuis la zone enfant si un enregistrement CSYNC est présent à l'apex de la zone enfant, a les drapeaux <code>1</code> et le type bit map <code>NS</code>, et peut être validé par DNSSEC. Les autres valeurs ne sont pas supportées."
+
+#: pg-view/reg/index.php:68
+msgid "DNSSEC and DS records"
+msgstr "DNSSEC et enregistrements DS"
+
+#: pg-view/reg/index.php:70
+msgid "Once DNSSEC has been manually enabled through the current interface, the delegated zone can publish a CDS record in order to update the DS record in the registry. A single CDS record with value <code>0 0 0 0</code> tells the registry to disable DNSSEC. Using a CDS record to enable DNSSEC is not supported."
+msgstr "Une fois que DNSSEC a été manuellement activé en utilisant l'interface actuelle, la zone déléguée peut publier un enregistrement CDS afin de mettre à jour l'enregistrement DS dans le registre. Un unique enregistrement CDS avec pour valeur <code>0 0 0 0</code> indique au registre de désactiver DNSSEC. Utiliser un enregistrement CDS pour activer DNSSEC n'est pas supporté."
+
 #: pg-view/reg/register.php:2
 msgid "Register a new domain on your account."
 msgstr "Enregistrer un nouveau domaine sur son compte."
diff --git a/locales/messages.pot b/locales/messages.pot
index d65ec2c..89b82f6 100644
--- a/locales/messages.pot
+++ b/locales/messages.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-06-26 02:14+0200\n"
+"POT-Creation-Date: 2023-07-16 20:50+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -540,7 +540,7 @@ msgstr ""
 msgid "NS authentication record not found."
 msgstr ""
 
-#: pg-act/ns/zone-add.php:66
+#: pg-act/ns/zone-add.php:67
 msgid "Zone created."
 msgstr ""
 
@@ -1242,6 +1242,26 @@ msgstr ""
 msgid "Nobody can register a domain under these suffixes:"
 msgstr ""
 
+#: pg-view/reg/index.php:63
+msgid "Automatic updates from child zone"
+msgstr ""
+
+#: pg-view/reg/index.php:64
+msgid "CSYNC records"
+msgstr ""
+
+#: pg-view/reg/index.php:66
+msgid "The registry can synchronize NS records from the child zone if a CSYNC record is present at the apex of the child zone, has flags <code>1</code> and type bit map <code>NS</code>, and can be DNSSEC-validated. Others values are not supported."
+msgstr ""
+
+#: pg-view/reg/index.php:68
+msgid "DNSSEC and DS records"
+msgstr ""
+
+#: pg-view/reg/index.php:70
+msgid "Once DNSSEC has been manually enabled through the current interface, the delegated zone can publish a CDS record in order to update the DS record in the registry. A single CDS record with value <code>0 0 0 0</code> tells the registry to disable DNSSEC. Using a CDS record to enable DNSSEC is not supported."
+msgstr ""
+
 #: pg-view/reg/register.php:2
 msgid "Register a new domain on your account."
 msgstr ""
diff --git a/pg-act/ns/zone-add.php b/pg-act/ns/zone-add.php
index 092e870..1af98fa 100644
--- a/pg-act/ns/zone-add.php
+++ b/pg-act/ns/zone-add.php
@@ -53,6 +53,7 @@ $knotZone = implode(' ', [
 ]) . LF;
 foreach (CONF['ns']['servers'] as $server)
 	$knotZone .= $_POST['domain'] . ' 86400 NS ' . $server . LF;
+$knotZone .= $_POST['domain'] . ' 86400 CSYNC 0 1 NS' . LF;
 if (is_int(file_put_contents($knotZonePath, $knotZone)) !== true)
 	output(500, 'Failed to write new zone file.');
 if (chmod($knotZonePath, 0660) !== true)
diff --git a/pg-view/reg/index.php b/pg-view/reg/index.php
index 495f797..073d259 100644
--- a/pg-view/reg/index.php
+++ b/pg-view/reg/index.php
@@ -58,3 +58,15 @@ foreach (CONF['reg']['suffixes'] as $suffix => $condition)
 		</dd>
 	</dl>
 </section>
+
+<section>
+	<h2><?= _('Automatic updates from child zone') ?></h2>
+	<h3><?= _('CSYNC records') ?></h3>
+	<p>
+		<?= _('The registry can synchronize NS records from the child zone if a CSYNC record is present at the apex of the child zone, has flags <code>1</code> and type bit map <code>NS</code>, and can be DNSSEC-validated. Others values are not supported.') ?>
+	</p>
+	<h3><?= _('DNSSEC and DS records') ?></h3>
+	<p>
+		<?= _('Once DNSSEC has been manually enabled through the current interface, the delegated zone can publish a CDS record in order to update the DS record in the registry. A single CDS record with value <code>0 0 0 0</code> tells the registry to disable DNSSEC. Using a CDS record to enable DNSSEC is not supported.') ?>
+	</p>
+</section>

From 0c15676520031bf8aea91ca87e576267f5ef56c1 Mon Sep 17 00:00:00 2001
From: Miraty <miraty+git@antopie.org>
Date: Sun, 16 Jul 2023 21:08:49 +0200
Subject: [PATCH 10/13] =?UTF-8?q?reg/index:=20registration=20policy:=20dis?=
 =?UTF-8?q?play=20'=E2=88=85'=20if=20empty?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 pg-view/reg/index.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/pg-view/reg/index.php b/pg-view/reg/index.php
index 073d259..a00b7db 100644
--- a/pg-view/reg/index.php
+++ b/pg-view/reg/index.php
@@ -30,7 +30,9 @@ else {
 <?php
 foreach (CONF['reg']['suffixes'] as $suffix => $condition)
 	if ($condition === 'all')
-		echo '<li><code>' . $suffix . ' </code></li>';
+		echo '<li><code>' . $suffix . ' </code></li>' . LF;
+if (!in_array('all', CONF['reg']['suffixes'], true))
+	echo '<li>∅</li>' . LF;
 ?>
 			</ul>
 		</dd>
@@ -41,7 +43,9 @@ foreach (CONF['reg']['suffixes'] as $suffix => $condition)
 <?php
 foreach (CONF['reg']['suffixes'] as $suffix => $condition)
 	if ($condition === 'approved')
-		echo '<li><code>' . $suffix . ' </code></li>';
+		echo '<li><code>' . $suffix . ' </code></li>' . LF;
+if (!in_array('approved', CONF['reg']['suffixes'], true))
+	echo '<li>∅</li>' . LF;
 ?>
 			</ul>
 		</dd>
@@ -52,7 +56,9 @@ foreach (CONF['reg']['suffixes'] as $suffix => $condition)
 <?php
 foreach (CONF['reg']['suffixes'] as $suffix => $condition)
 	if ($condition === 'none')
-		echo '<li><code>' . $suffix . ' </code></li>';
+		echo '<li><code>' . $suffix . ' </code></li>' . LF;
+if (!in_array('none', CONF['reg']['suffixes'], true))
+	echo '<li>∅</li>' . LF;
 ?>
 			</ul>
 		</dd>

From 3436d0243fe6848e8e9b5272d9a9589d37b46a31 Mon Sep 17 00:00:00 2001
From: Miraty <miraty+git@antopie.org>
Date: Mon, 17 Jul 2023 21:02:09 +0200
Subject: [PATCH 11/13] Display some field values again after submission

---
 pg-act/reg/ds.php                 |  6 +++---
 pg-act/reg/glue.php               |  6 +++---
 pg-view/ns/form.ns.php            | 25 +++++++++++++------------
 pg-view/reg/ds.php                | 16 ++--------------
 pg-view/reg/glue.php              | 16 ++--------------
 pg-view/reg/ns.php                | 16 ++--------------
 pg-view/reg/print.php             |  9 +--------
 pg-view/reg/select-action.inc.php |  5 +++++
 pg-view/reg/select-domain.inc.php | 11 +++++++++++
 9 files changed, 42 insertions(+), 68 deletions(-)
 create mode 100644 pg-view/reg/select-action.inc.php
 create mode 100644 pg-view/reg/select-domain.inc.php

diff --git a/pg-act/reg/ds.php b/pg-act/reg/ds.php
index bbfd326..bb4168e 100644
--- a/pg-act/reg/ds.php
+++ b/pg-act/reg/ds.php
@@ -13,12 +13,12 @@ if ($_POST['dt'] !== '2' AND $_POST['dt'] !== '4')
 if (preg_match('/^(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{96})$/D', $_POST['key']) !== 1)
 	output(403, 'Wrong value for <code>key</code>.');
 
-regCheckDomainPossession($_POST['zone']);
+regCheckDomainPossession($_POST['domain']);
 
 rateLimit();
 
-knotcZoneExec(regParseDomain($_POST['zone'])['suffix'], [
-	$_POST['zone'],
+knotcZoneExec(regParseDomain($_POST['domain'])['suffix'], [
+	$_POST['domain'],
 	CONF['reg']['ttl'],
 	'DS',
 	$_POST['keytag'],
diff --git a/pg-act/reg/glue.php b/pg-act/reg/glue.php
index 3ceecf9..a7a8ca9 100644
--- a/pg-act/reg/glue.php
+++ b/pg-act/reg/glue.php
@@ -1,11 +1,11 @@
 <?php
 
-regCheckDomainPossession($_POST['suffix']);
+regCheckDomainPossession($_POST['domain']);
 
 rateLimit();
 
-knotcZoneExec(regParseDomain($_POST['suffix'])['suffix'], [
-	formatAbsoluteDomain(formatEndWithDot($_POST['subdomain']) . $_POST['suffix']),
+knotcZoneExec(regParseDomain($_POST['domain'])['suffix'], [
+	formatAbsoluteDomain(formatEndWithDot($_POST['subdomain']) . $_POST['domain']),
 	CONF['reg']['ttl'],
 	checkIpFormat($_POST['ip']),
 	$_POST['ip']
diff --git a/pg-view/ns/form.ns.php b/pg-view/ns/form.ns.php
index 5f18f7f..3c05c42 100644
--- a/pg-view/ns/form.ns.php
+++ b/pg-view/ns/form.ns.php
@@ -1,7 +1,7 @@
 	<label for="action"><?= _('Action') ?></label>
 	<select name="action" id="action">
-		<option value="add"><?= _('Add') ?></option>
-		<option value="delete"><?= _('Delete') ?></option>
+		<option value="add"<?= ($_POST['action'] ?? NULL) === 'add' ? ' selected=""' : '' ?>><?= _('Add') ?></option>
+		<option value="delete"<?= ($_POST['action'] ?? NULL) === 'delete' ? ' selected=""' : '' ?>><?= _('Delete') ?></option>
 	</select>
 
 	<fieldset>
@@ -9,18 +9,19 @@
 		<div>
 			<label for="subdomain"><?= _('Subdomain') ?></label>
 			<br>
-			<input id="subdomain" size="16" placeholder="www" pattern="^(([a-z0-9_-]{1,63}\.?){1,127})|(@){1}$" name="subdomain" type="text">
+			<input id="subdomain" size="16" placeholder="www" pattern="^(([a-z0-9_-]{1,63}\.?){1,127})|(@){1}$" name="subdomain" type="text" value="<?= htmlspecialchars($_POST['subdomain'] ?? '') ?>">
 		</div>
 		<div>
 			<label for="zone"><?= _('Zone') ?></label>
 			<br>
 			<select required="" name="zone" id="zone">
-				<option value="" disabled="" selected="">—</option>
 <?php
-foreach (nsListUserZones() as $zone)
-	echo "<option value='" . $zone . "'>" . $zone . "</option>";
+$user_zones = nsListUserZones();
+if (!in_array($_POST['zone'] ?? NULL, $user_zones, true))
+	echo '				<option value="" disabled="" selected="">—</option>' . LF;
+foreach ($user_zones as $zone)
+	echo '				<option value="' . $zone . '"' . (($_POST['zone'] ?? NULL) === $zone ? ' selected=""' : '') . '>.' . $zone . '</option>' . LF;
 ?>
-
 			</select>
 		</div>
 	</fieldset>
@@ -30,7 +31,7 @@ foreach (nsListUserZones() as $zone)
 		<div>
 			<label for="ttl-value"><?= _('Value') ?></label>
 			<br>
-			<input required="" id="ttl-value" list="ttls" name="ttl-value" size="6" type="number" min="1" max="432000" value="<?= DEFAULT_TTL ?>" placeholder="<?= DEFAULT_TTL ?>">
+			<input required="" id="ttl-value" list="ttls" name="ttl-value" size="6" type="number" min="1" max="432000" value="<?= $_POST['ttl-value'] ?? DEFAULT_TTL ?>" placeholder="<?= DEFAULT_TTL ?>">
 			<datalist id="ttls">
 				<option value="900">
 				<option value="1800">
@@ -45,10 +46,10 @@ foreach (nsListUserZones() as $zone)
 			<label for="ttl-multiplier"><?= _('Unit') ?></label>
 			<br>
 			<select required="" name="ttl-multiplier" id="ttl-multiplier">
-				<option value="1"><?= _('second') ?></option>
-				<option value="60"><?= _('minute') ?></option>
-				<option value="3600"><?= _('hour') ?></option>
-				<option value="86400"><?= _('day') ?></option>
+				<option value="1"<?= ($_POST['ttl-multiplier'] ?? NULL) === '1' ? ' selected=""' : '' ?>><?= _('second') ?></option>
+				<option value="60"<?= ($_POST['ttl-multiplier'] ?? NULL) === '60' ? ' selected=""' : '' ?>><?= _('minute') ?></option>
+				<option value="3600"<?= ($_POST['ttl-multiplier'] ?? NULL) === '3600' ? ' selected=""' : '' ?>><?= _('hour') ?></option>
+				<option value="86400"<?= ($_POST['ttl-multiplier'] ?? NULL) === '86400' ? ' selected=""' : '' ?>><?= _('day') ?></option>
 			</select>
 		</div>
 	</fieldset>
diff --git a/pg-view/reg/ds.php b/pg-view/reg/ds.php
index ef1a6ae..7338136 100644
--- a/pg-view/reg/ds.php
+++ b/pg-view/reg/ds.php
@@ -1,19 +1,7 @@
 <form method="post">
-	<label for="action"><?= _('Action') ?></label>
-	<select name="action" id="action">
-		<option value="add"><?= _('Add') ?></option>
-		<option value="delete"><?= _('Delete') ?></option>
-	</select>
+<?php require ROOT_PATH . '/pg-view/reg/select-action.inc.php'; ?>
 	<br>
-	<label for="zone"><?= _('Domain') ?></label>
-	<br>
-	<select required="" name="zone" id="zone">
-		<option value="" disabled="" selected="">—</option>
-<?php
-foreach (regListUserDomains() as $domain)
-	echo '		<option value="' . $domain . '">' . $domain . '</option>' . LF;
-?>
-	</select>
+<?php require ROOT_PATH . '/pg-view/reg/select-domain.inc.php'; ?>
 	<br>
 	<label for="keytag"><?= _('Key tag') ?></label>
 	<br>
diff --git a/pg-view/reg/glue.php b/pg-view/reg/glue.php
index d1aab56..44ca00a 100644
--- a/pg-view/reg/glue.php
+++ b/pg-view/reg/glue.php
@@ -1,9 +1,5 @@
 <form method="post">
-	<label for="action"><?= _('Action') ?></label>
-	<select name="action" id="action">
-		<option value="add"><?= _('Add') ?></option>
-		<option value="delete"><?= _('Delete') ?></option>
-	</select>
+<?php require ROOT_PATH . '/pg-view/reg/select-action.inc.php'; ?>
 	<fieldset>
 		<legend><?= _('Domain') ?></legend>
 		<div>
@@ -12,15 +8,7 @@
 			<input required="" id="subdomain" placeholder="ns1" name="subdomain" type="text">
 		</div>
 		<div>
-			<label for="suffix"><?= _('Domain') ?></label>
-			<br>
-			<select required="" name="suffix" id="suffix">
-				<option value="" disabled="" selected="">—</option>
-<?php
-foreach (regListUserDomains() as $suffix)
-	echo '		<option value="' . $suffix . '">' . $suffix . '</option>' . LF;
-?>
-			</select>
+<?php require ROOT_PATH . '/pg-view/reg/select-domain.inc.php'; ?>
 		</div>
 	</fieldset>
 	<label for="ip"><?= _('IP address') ?></label><br>
diff --git a/pg-view/reg/ns.php b/pg-view/reg/ns.php
index 2315f05..b092e63 100644
--- a/pg-view/reg/ns.php
+++ b/pg-view/reg/ns.php
@@ -1,19 +1,7 @@
 <form method="post">
-	<label for="action"><?= _('Action') ?></label>
-	<select name="action" id="action">
-		<option value="add"><?= _('Add') ?></option>
-		<option value="delete"><?= _('Delete') ?></option>
-	</select>
+<?php require ROOT_PATH . '/pg-view/reg/select-action.inc.php'; ?>
 	<br>
-	<label for="domain"><?= _('Domain') ?></label>
-	<br>
-	<select required="" name="domain" id="domain">
-		<option value="" disabled="" selected="">—</option>
-<?php
-foreach (regListUserDomains() as $domain)
-	echo '		<option value="' . $domain . '">' . $domain . '</option>' . LF;
-?>
-	</select>
+<?php require ROOT_PATH . '/pg-view/reg/select-domain.inc.php'; ?>
 	<br>
 	<label for="ns"><?= _('Name server') ?></label>
 	<br>
diff --git a/pg-view/reg/print.php b/pg-view/reg/print.php
index bddca80..f59c6f4 100644
--- a/pg-view/reg/print.php
+++ b/pg-view/reg/print.php
@@ -1,12 +1,5 @@
 <form method="post">
-	<label for="domain"><?= _('Domain') ?></label>
-	<select required="" name="domain" id="domain">
-		<option value="" disabled="" selected="">-</option>
-<?php
-foreach (regListUserDomains() as $domain)
-	echo '		<option value="' . $domain . '">' . $domain . '</option>' . LF;
-?>
-	</select>
+<?php require ROOT_PATH . '/pg-view/reg/select-domain.inc.php'; ?>
 	<br>
 	<input type="submit" value="<?= _('Display') ?>">
 </form>
diff --git a/pg-view/reg/select-action.inc.php b/pg-view/reg/select-action.inc.php
new file mode 100644
index 0000000..cfc5d3c
--- /dev/null
+++ b/pg-view/reg/select-action.inc.php
@@ -0,0 +1,5 @@
+	<label for="action"><?= _('Action') ?></label>
+	<select name="action" id="action">
+		<option value="add"<?= ($_POST['action'] ?? NULL) === 'add' ? ' selected=""' : '' ?>><?= _('Add') ?></option>
+		<option value="delete"<?= ($_POST['action'] ?? NULL) === 'delete' ? ' selected=""' : '' ?>><?= _('Delete') ?></option>
+	</select>
diff --git a/pg-view/reg/select-domain.inc.php b/pg-view/reg/select-domain.inc.php
new file mode 100644
index 0000000..0902483
--- /dev/null
+++ b/pg-view/reg/select-domain.inc.php
@@ -0,0 +1,11 @@
+	<label for="domain"><?= _('Domain') ?></label>
+	<br>
+	<select required="" name="domain" id="domain">
+<?php
+$user_domains = regListUserDomains();
+if (!in_array($_POST['domain'] ?? NULL, $user_domains, true))
+	echo '		<option value="" disabled="" selected="">—</option>' . LF;
+foreach ($user_domains as $domain)
+	echo '		<option value="' . $domain . '"' . (($_POST['domain'] ?? NULL === $domain) ? ' selected=""' : '') . '>' . $domain . '</option>' . LF;
+?>
+	</select>

From 40e67b0c0c549d62be3c53ddcf57080bd797c27b Mon Sep 17 00:00:00 2001
From: Miraty <miraty+git@antopie.org>
Date: Mon, 17 Jul 2023 21:15:18 +0200
Subject: [PATCH 12/13] declare(strict_types=1);

---
 fn/auth.php                       | 2 +-
 fn/common.php                     | 2 +-
 fn/dns.php                        | 2 +-
 fn/ht.php                         | 2 +-
 fn/ns.php                         | 2 +-
 fn/reg.php                        | 2 +-
 init.php                          | 2 +-
 jobs/check.php                    | 3 ++-
 jobs/delete-old-testing.php       | 2 +-
 jobs/ns-sync.php                  | 2 +-
 jobs/reg-cds.php                  | 2 +-
 jobs/reg-csync.php                | 2 +-
 pages.php                         | 2 +-
 pg-act/auth/approval.php          | 2 +-
 pg-act/auth/login.php             | 2 +-
 pg-act/auth/logout.php            | 3 ---
 pg-act/auth/password.php          | 2 +-
 pg-act/auth/register.php          | 2 +-
 pg-act/auth/unregister.php        | 2 +-
 pg-act/auth/username.php          | 2 +-
 pg-act/ht/add-dns.php             | 2 +-
 pg-act/ht/add-onion.php           | 2 +-
 pg-act/ht/add-subdomain.php       | 2 +-
 pg-act/ht/add-subpath.php         | 2 +-
 pg-act/ht/del.php                 | 2 +-
 pg-act/ht/keys.php                | 2 +-
 pg-act/ns/caa.php                 | 2 +-
 pg-act/ns/cname.php               | 2 +-
 pg-act/ns/dname.php               | 2 +-
 pg-act/ns/edit.php                | 2 +-
 pg-act/ns/ip.php                  | 2 +-
 pg-act/ns/loc.php                 | 2 +-
 pg-act/ns/mx.php                  | 2 +-
 pg-act/ns/ns.php                  | 2 +-
 pg-act/ns/print.php               | 2 +-
 pg-act/ns/srv.php                 | 2 +-
 pg-act/ns/sshfp.php               | 2 +-
 pg-act/ns/sync.php                | 2 +-
 pg-act/ns/tlsa.php                | 2 +-
 pg-act/ns/txt.php                 | 2 +-
 pg-act/ns/zone-add.php            | 2 +-
 pg-act/ns/zone-del.php            | 2 +-
 pg-act/reg/ds.php                 | 2 +-
 pg-act/reg/glue.php               | 2 +-
 pg-act/reg/ns.php                 | 2 +-
 pg-act/reg/print.php              | 2 +-
 pg-act/reg/register.php           | 2 +-
 pg-act/reg/transfer.php           | 2 +-
 pg-act/reg/unregister.php         | 2 +-
 pg-view/auth/approval.php         | 1 +
 pg-view/auth/index.php            | 1 +
 pg-view/auth/login.php            | 1 +
 pg-view/auth/logout.php           | 2 +-
 pg-view/auth/password.php         | 1 +
 pg-view/auth/register.php         | 1 +
 pg-view/auth/unregister.php       | 1 +
 pg-view/auth/username.php         | 1 +
 pg-view/ht/add-dns.php            | 1 +
 pg-view/ht/add-onion.php          | 1 +
 pg-view/ht/add-subdomain.php      | 1 +
 pg-view/ht/add-subpath.php        | 1 +
 pg-view/ht/del.php                | 1 +
 pg-view/ht/index.php              | 1 +
 pg-view/ht/keys.php               | 1 +
 pg-view/index.php                 | 1 +
 pg-view/ns/caa.php                | 1 +
 pg-view/ns/cname.php              | 1 +
 pg-view/ns/dname.php              | 1 +
 pg-view/ns/edit.php               | 1 +
 pg-view/ns/form.ns.php            | 1 +
 pg-view/ns/index.php              | 1 +
 pg-view/ns/ip.php                 | 1 +
 pg-view/ns/loc.php                | 1 +
 pg-view/ns/mx.php                 | 1 +
 pg-view/ns/ns.php                 | 1 +
 pg-view/ns/print.php              | 1 +
 pg-view/ns/srv.php                | 1 +
 pg-view/ns/sshfp.php              | 1 +
 pg-view/ns/sync.php               | 1 +
 pg-view/ns/tlsa.php               | 1 +
 pg-view/ns/txt.php                | 1 +
 pg-view/ns/zone-add.php           | 1 +
 pg-view/ns/zone-del.php           | 1 +
 pg-view/reg/ds.php                | 1 +
 pg-view/reg/glue.php              | 1 +
 pg-view/reg/index.php             | 1 +
 pg-view/reg/ns.php                | 1 +
 pg-view/reg/print.php             | 1 +
 pg-view/reg/register.php          | 1 +
 pg-view/reg/select-action.inc.php | 1 +
 pg-view/reg/select-domain.inc.php | 1 +
 pg-view/reg/transfer.php          | 1 +
 pg-view/reg/unregister.php        | 1 +
 router.php                        | 2 +-
 sftpgo-auth.php                   | 3 ++-
 view.php                          | 1 +
 96 files changed, 97 insertions(+), 54 deletions(-)
 delete mode 100644 pg-act/auth/logout.php

diff --git a/fn/auth.php b/fn/auth.php
index fd3d48f..240f8ea 100644
--- a/fn/auth.php
+++ b/fn/auth.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 const USERNAME_REGEX = '^.{1,1024}$';
 const PASSWORD_REGEX = '^(?=.*[\p{Ll}])(?=.*[\p{Lu}])(?=.*[\p{N}]).{8,1024}|.{10,1024}$';
diff --git a/fn/common.php b/fn/common.php
index 2ce54ca..bb20853 100644
--- a/fn/common.php
+++ b/fn/common.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 function output(int $code, string $msg = '', array $logs = [''], array $data = []): never {
 	http_response_code($code);
diff --git a/fn/dns.php b/fn/dns.php
index 33597b6..2d0566e 100644
--- a/fn/dns.php
+++ b/fn/dns.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 function parseZoneFile(string $zone_content, array $types, bool|string $filter_domain = false, bool $filter_include_subdomains = true): array {
 	$parsed_zone_content = [];
diff --git a/fn/ht.php b/fn/ht.php
index 75d03a3..fb4ef0b 100644
--- a/fn/ht.php
+++ b/fn/ht.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 const SUBPATH_REGEX = '^[a-z0-9-]{4,63}$';
 const ED25519_PUBKEY_REGEX = '^[a-zA-Z0-9/+]{68}$';
diff --git a/fn/ns.php b/fn/ns.php
index 953ef31..d4195db 100644
--- a/fn/ns.php
+++ b/fn/ns.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 const SOA_VALUES = [
 	'ttl' => 10800,
diff --git a/fn/reg.php b/fn/reg.php
index c49e6c4..d71b8f3 100644
--- a/fn/reg.php
+++ b/fn/reg.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 const SUBDOMAIN_REGEX = '^(?!\-)(?!..\-\-)[a-z0-9-]{4,63}(?<!\-)$';
 
diff --git a/init.php b/init.php
index 7ac3acb..33c1b82 100644
--- a/init.php
+++ b/init.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 umask(0077);
 
 set_error_handler(function ($level, $message, $file = '', $line = 0) {
diff --git a/jobs/check.php b/jobs/check.php
index fb28394..2ce0af7 100644
--- a/jobs/check.php
+++ b/jobs/check.php
@@ -1,4 +1,5 @@
-<?php // Test that the current setup is working
+<?php declare(strict_types=1);
+// Test that the current setup is working
 
 require __DIR__ . '/../init.php';
 
diff --git a/jobs/delete-old-testing.php b/jobs/delete-old-testing.php
index b295520..a8afab5 100644
--- a/jobs/delete-old-testing.php
+++ b/jobs/delete-old-testing.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 require __DIR__ . '/../init.php';
 
 const MAX_TESTING_ACCOUNT_AGE = 86400 * 10;
diff --git a/jobs/ns-sync.php b/jobs/ns-sync.php
index 9097813..afdd234 100644
--- a/jobs/ns-sync.php
+++ b/jobs/ns-sync.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 require __DIR__ . '/../init.php';
 
 foreach (query('select', 'ns-syncs') as $sync) {
diff --git a/jobs/reg-cds.php b/jobs/reg-cds.php
index 805721a..c0685b2 100644
--- a/jobs/reg-cds.php
+++ b/jobs/reg-cds.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 /*
 	RFC 7344: Automating DNSSEC Delegation Trust Maintenance
 	RFC 8078: Managing DS Records from the Parent via CDS/CDNSKEY
diff --git a/jobs/reg-csync.php b/jobs/reg-csync.php
index 2878788..9d19524 100644
--- a/jobs/reg-csync.php
+++ b/jobs/reg-csync.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 /*
 	RFC 7477: Child-to-Parent Synchronization in DNS
 */
diff --git a/pages.php b/pages.php
index fadb435..a44c333 100644
--- a/pages.php
+++ b/pages.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 define('PAGES', [
 	'index' => [
diff --git a/pg-act/auth/approval.php b/pg-act/auth/approval.php
index 9a8a046..b6f568e 100644
--- a/pg-act/auth/approval.php
+++ b/pg-act/auth/approval.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 if ($_SESSION['type'] !== 'testing')
 	output(403, _('This account is already approved.'));
diff --git a/pg-act/auth/login.php b/pg-act/auth/login.php
index 580f25a..77cbd39 100644
--- a/pg-act/auth/login.php
+++ b/pg-act/auth/login.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 checkPasswordFormat($_POST['password']);
 
diff --git a/pg-act/auth/logout.php b/pg-act/auth/logout.php
deleted file mode 100644
index bf11e4b..0000000
--- a/pg-act/auth/logout.php
+++ /dev/null
@@ -1,3 +0,0 @@
-<?php
-
-logout();
diff --git a/pg-act/auth/password.php b/pg-act/auth/password.php
index 6da1be9..d543a2c 100644
--- a/pg-act/auth/password.php
+++ b/pg-act/auth/password.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 checkPasswordFormat($_POST['new-password']);
 
diff --git a/pg-act/auth/register.php b/pg-act/auth/register.php
index 088fa63..4225b0f 100644
--- a/pg-act/auth/register.php
+++ b/pg-act/auth/register.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 if (CONF['common']['services']['auth'] !== 'enabled')
 	output(403, _('Registrations are currently closed on this installation.'));
diff --git a/pg-act/auth/unregister.php b/pg-act/auth/unregister.php
index 13b4357..9480f79 100644
--- a/pg-act/auth/unregister.php
+++ b/pg-act/auth/unregister.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 if (checkPassword($_SESSION['id'], $_POST['current-password']) !== true)
 	output(403, _('Wrong current password.'));
diff --git a/pg-act/auth/username.php b/pg-act/auth/username.php
index 274e818..1e9b440 100644
--- a/pg-act/auth/username.php
+++ b/pg-act/auth/username.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 checkUsernameFormat($_POST['new-username']);
 
diff --git a/pg-act/ht/add-dns.php b/pg-act/ht/add-dns.php
index 561aee0..6da0043 100644
--- a/pg-act/ht/add-dns.php
+++ b/pg-act/ht/add-dns.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $_POST['domain'] = formatDomain($_POST['domain']);
 
diff --git a/pg-act/ht/add-onion.php b/pg-act/ht/add-onion.php
index f90cc35..3d6c7ab 100644
--- a/pg-act/ht/add-onion.php
+++ b/pg-act/ht/add-onion.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 if (dirsStatuses('onion')[$_POST['dir']] !== false)
 	output(403, 'Wrong value for <code>dir</code>.');
diff --git a/pg-act/ht/add-subdomain.php b/pg-act/ht/add-subdomain.php
index 0a1b667..b47234c 100644
--- a/pg-act/ht/add-subdomain.php
+++ b/pg-act/ht/add-subdomain.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 if (dirsStatuses('subdomain')[$_POST['dir']] !== false)
 	output(403, 'Wrong value for <code>dir</code>.');
diff --git a/pg-act/ht/add-subpath.php b/pg-act/ht/add-subpath.php
index e0bb139..8a0fa27 100644
--- a/pg-act/ht/add-subpath.php
+++ b/pg-act/ht/add-subpath.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 if (dirsStatuses('subpath')[$_POST['dir']] !== false)
 	output(403, 'Wrong value for <code>dir</code>.');
diff --git a/pg-act/ht/del.php b/pg-act/ht/del.php
index 476cfcc..8b25929 100644
--- a/pg-act/ht/del.php
+++ b/pg-act/ht/del.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 if (preg_match('/^(?<type>subpath|subdomain|onion|dns):(?<address>[a-z0-9._-]{1,256})$/D', $_POST['site'], $site) !== 1)
 	output(403, 'Malformed value for <code>site</code>.');
diff --git a/pg-act/ht/keys.php b/pg-act/ht/keys.php
index 3ff46aa..2d537df 100755
--- a/pg-act/ht/keys.php
+++ b/pg-act/ht/keys.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $el_nb = count($_POST['keys']);
 if ($el_nb < 1 OR $el_nb > 8)
diff --git a/pg-act/ns/caa.php b/pg-act/ns/caa.php
index ee528a6..8012efe 100644
--- a/pg-act/ns/caa.php
+++ b/pg-act/ns/caa.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $values = nsParseCommonRequirements();
 
diff --git a/pg-act/ns/cname.php b/pg-act/ns/cname.php
index f870b05..b1d4746 100644
--- a/pg-act/ns/cname.php
+++ b/pg-act/ns/cname.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $values = nsParseCommonRequirements();
 
diff --git a/pg-act/ns/dname.php b/pg-act/ns/dname.php
index 155fae3..3e0e52e 100644
--- a/pg-act/ns/dname.php
+++ b/pg-act/ns/dname.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $values = nsParseCommonRequirements();
 
diff --git a/pg-act/ns/edit.php b/pg-act/ns/edit.php
index 5ee0181..8a27f24 100644
--- a/pg-act/ns/edit.php
+++ b/pg-act/ns/edit.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 nsCheckZonePossession($_POST['zone']);
 
diff --git a/pg-act/ns/ip.php b/pg-act/ns/ip.php
index 4c6b9b9..582ae40 100644
--- a/pg-act/ns/ip.php
+++ b/pg-act/ns/ip.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $values = nsParseCommonRequirements();
 
diff --git a/pg-act/ns/loc.php b/pg-act/ns/loc.php
index a3a50de..d49bb44 100644
--- a/pg-act/ns/loc.php
+++ b/pg-act/ns/loc.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $values = nsParseCommonRequirements();
 
diff --git a/pg-act/ns/mx.php b/pg-act/ns/mx.php
index c534816..9652573 100644
--- a/pg-act/ns/mx.php
+++ b/pg-act/ns/mx.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $values = nsParseCommonRequirements();
 
diff --git a/pg-act/ns/ns.php b/pg-act/ns/ns.php
index c064131..f65a699 100644
--- a/pg-act/ns/ns.php
+++ b/pg-act/ns/ns.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $values = nsParseCommonRequirements();
 
diff --git a/pg-act/ns/print.php b/pg-act/ns/print.php
index c415d15..c5f40b3 100644
--- a/pg-act/ns/print.php
+++ b/pg-act/ns/print.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 nsCheckZonePossession($_POST['zone']);
 
diff --git a/pg-act/ns/srv.php b/pg-act/ns/srv.php
index 7c5af6b..e95bebc 100644
--- a/pg-act/ns/srv.php
+++ b/pg-act/ns/srv.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $values = nsParseCommonRequirements();
 
diff --git a/pg-act/ns/sshfp.php b/pg-act/ns/sshfp.php
index b3b40a1..9bf4979 100644
--- a/pg-act/ns/sshfp.php
+++ b/pg-act/ns/sshfp.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $values = nsParseCommonRequirements();
 
diff --git a/pg-act/ns/sync.php b/pg-act/ns/sync.php
index 9160350..78ba6bd 100644
--- a/pg-act/ns/sync.php
+++ b/pg-act/ns/sync.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $el_nb = count($_POST['syncs']);
 if ($el_nb < 1 OR $el_nb > 8)
diff --git a/pg-act/ns/tlsa.php b/pg-act/ns/tlsa.php
index de5241e..5550e00 100644
--- a/pg-act/ns/tlsa.php
+++ b/pg-act/ns/tlsa.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $values = nsParseCommonRequirements();
 
diff --git a/pg-act/ns/txt.php b/pg-act/ns/txt.php
index ebb7ec6..7d5c997 100644
--- a/pg-act/ns/txt.php
+++ b/pg-act/ns/txt.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $values = nsParseCommonRequirements();
 
diff --git a/pg-act/ns/zone-add.php b/pg-act/ns/zone-add.php
index 1af98fa..b77bc04 100644
--- a/pg-act/ns/zone-add.php
+++ b/pg-act/ns/zone-add.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 $_POST['domain'] = formatAbsoluteDomain($_POST['domain']);
 
diff --git a/pg-act/ns/zone-del.php b/pg-act/ns/zone-del.php
index 1a53f91..564eee8 100644
--- a/pg-act/ns/zone-del.php
+++ b/pg-act/ns/zone-del.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 nsCheckZonePossession($_POST['zone']);
 
diff --git a/pg-act/reg/ds.php b/pg-act/reg/ds.php
index bb4168e..65542d9 100644
--- a/pg-act/reg/ds.php
+++ b/pg-act/reg/ds.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 if (!in_array($_POST['algo'], ['8', '13', '14', '15', '16'], true))
 	output(403, 'Wrong value for <code>algo</code>.');
diff --git a/pg-act/reg/glue.php b/pg-act/reg/glue.php
index a7a8ca9..60177a2 100644
--- a/pg-act/reg/glue.php
+++ b/pg-act/reg/glue.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 regCheckDomainPossession($_POST['domain']);
 
diff --git a/pg-act/reg/ns.php b/pg-act/reg/ns.php
index 487c27e..751f86e 100644
--- a/pg-act/reg/ns.php
+++ b/pg-act/reg/ns.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 regCheckDomainPossession($_POST['domain']);
 
diff --git a/pg-act/reg/print.php b/pg-act/reg/print.php
index b639a52..c98b2a8 100644
--- a/pg-act/reg/print.php
+++ b/pg-act/reg/print.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 regCheckDomainPossession($_POST['domain']);
 
diff --git a/pg-act/reg/register.php b/pg-act/reg/register.php
index ad590f7..a51cdc9 100644
--- a/pg-act/reg/register.php
+++ b/pg-act/reg/register.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 if (preg_match('/' . SUBDOMAIN_REGEX . '/D', $_POST['subdomain']) !== 1)
 	output(403, _('This format of subdomain is not allowed.'));
diff --git a/pg-act/reg/transfer.php b/pg-act/reg/transfer.php
index f1ffdd9..12b87e7 100644
--- a/pg-act/reg/transfer.php
+++ b/pg-act/reg/transfer.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 if (preg_match('/' . SUBDOMAIN_REGEX . '/D', $_POST['subdomain']) !== 1)
 	output(403, _('This format of subdomain is not allowed.'));
diff --git a/pg-act/reg/unregister.php b/pg-act/reg/unregister.php
index e926a92..0b664ba 100644
--- a/pg-act/reg/unregister.php
+++ b/pg-act/reg/unregister.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 
 regCheckDomainPossession($_POST['domain']);
 
diff --git a/pg-view/auth/approval.php b/pg-view/auth/approval.php
index 43a17d4..2655473 100644
--- a/pg-view/auth/approval.php
+++ b/pg-view/auth/approval.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= _('This form allows to use an approval key to validate your account. Approval keys are distributed by an administrator upon request.') ?>
 </p>
diff --git a/pg-view/auth/index.php b/pg-view/auth/index.php
index e0d156b..1ef1675 100644
--- a/pg-view/auth/index.php
+++ b/pg-view/auth/index.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <?php displayIndex(); ?>
 
 <h2 id="type"><?= _('Account type') ?></h2>
diff --git a/pg-view/auth/login.php b/pg-view/auth/login.php
index 1adf3be..55a438c 100644
--- a/pg-view/auth/login.php
+++ b/pg-view/auth/login.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p><?= _('New?') ?> <a href="register"><?= _('Create an account') ?></a></p>
 
 <form method="post">
diff --git a/pg-view/auth/logout.php b/pg-view/auth/logout.php
index bf11e4b..1459a06 100644
--- a/pg-view/auth/logout.php
+++ b/pg-view/auth/logout.php
@@ -1,3 +1,3 @@
-<?php
+<?php declare(strict_types=1);
 
 logout();
diff --git a/pg-view/auth/password.php b/pg-view/auth/password.php
index 0836f99..87b9990 100644
--- a/pg-view/auth/password.php
+++ b/pg-view/auth/password.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 	<label for="current-password"><?= _('Current password') ?></label><br>
 	<input required="" autocomplete="current-password" minlength="8" maxlength="1024" pattern="<?= PASSWORD_REGEX ?>" id="current-password" name="current-password" type="password" placeholder="<?= PLACEHOLDER_PASSWORD ?>"><br>
diff --git a/pg-view/auth/register.php b/pg-view/auth/register.php
index 5ecc0ab..3eda2a0 100644
--- a/pg-view/auth/register.php
+++ b/pg-view/auth/register.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p><?= _('Already have an account?') ?> <a href="login"><?= _('Log in') ?></a></p>
 
 <?= (CONF['common']['services']['auth'] !== 'enabled') ? '<p><strong>' . _('Registrations are currently closed on this installation.') . '</strong></p>' : '' ?>
diff --git a/pg-view/auth/unregister.php b/pg-view/auth/unregister.php
index f517c39..cfdb1ff 100644
--- a/pg-view/auth/unregister.php
+++ b/pg-view/auth/unregister.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= _('This will delete every resource managed by the current account, including registered domains, hosted DNS records, websites files and cryptographic keys for Onion services and DNSSEC.') ?>
 </p>
diff --git a/pg-view/auth/username.php b/pg-view/auth/username.php
index 1bba92e..95a6397 100644
--- a/pg-view/auth/username.php
+++ b/pg-view/auth/username.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 	<label for="current-password"><?= _('Current password') ?></label><br>
 	<input required="" autocomplete="current-password" minlength="8" maxlength="1024" pattern="<?= PASSWORD_REGEX ?>" id="current-password" name="current-password" type="password" placeholder="<?= PLACEHOLDER_PASSWORD ?>"><br>
diff --git a/pg-view/ht/add-dns.php b/pg-view/ht/add-dns.php
index 96d665e..02432cf 100644
--- a/pg-view/ht/add-dns.php
+++ b/pg-view/ht/add-dns.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= _('A Let\'s Encrypt certificate will be obtained.') ?>
 </p>
diff --git a/pg-view/ht/add-onion.php b/pg-view/ht/add-onion.php
index 40f6bed..aa04ecd 100644
--- a/pg-view/ht/add-onion.php
+++ b/pg-view/ht/add-onion.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 	<label for="dir"><?= _('Target directory') ?></label><br>
 	<select required="" name="dir" id="dir">
diff --git a/pg-view/ht/add-subdomain.php b/pg-view/ht/add-subdomain.php
index 3fce989..319e4b6 100644
--- a/pg-view/ht/add-subdomain.php
+++ b/pg-view/ht/add-subdomain.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= sprintf(_('The subdomain can only contain %1$s, %2$s and %3$s, and must be between 4 and 63 characters. It can\'t have an hyphen (%3$s) in first, last or both third and fourth position.'), '<abbr title="abcdefghijklmnopqrstuvwxyz"><code>a</code>-<code>z</code></abbr>',  '<abbr title="0123456789"><code>0</code>-<code>9</code></abbr>', '<code>-</code>') ?>
 </p>
diff --git a/pg-view/ht/add-subpath.php b/pg-view/ht/add-subpath.php
index 948abc4..4a0ab05 100644
--- a/pg-view/ht/add-subpath.php
+++ b/pg-view/ht/add-subpath.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= sprintf(_('The path can only contain %1$s, %2$s and %3$s, and must be between 4 and 63 characters.'), '<abbr title="abcdefghijklmnopqrstuvwxyz"><code>a</code>-<code>z</code></abbr>',  '<abbr title="0123456789"><code>0</code>-<code>9</code></abbr>', '<code>-</code>') ?>
 </p>
diff --git a/pg-view/ht/del.php b/pg-view/ht/del.php
index d74adb8..e3bc4bd 100644
--- a/pg-view/ht/del.php
+++ b/pg-view/ht/del.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 	<label for="site"><?= _('Access to delete') ?></label><br>
 	<select required="" name="site" id="site">
diff --git a/pg-view/ht/index.php b/pg-view/ht/index.php
index 388877d..e55b292 100644
--- a/pg-view/ht/index.php
+++ b/pg-view/ht/index.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= _('This service allows you to send files on the server using SFTP, and to make them publicly available with HTTP.') ?>
 </p>
diff --git a/pg-view/ht/keys.php b/pg-view/ht/keys.php
index 3f613ef..4529576 100755
--- a/pg-view/ht/keys.php
+++ b/pg-view/ht/keys.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= _('In addition to your password, you can also access your SFTP space using Ed25519 SSH keys. A key can be granted modification rights to the full space (<code>/</code>) or to any arbitrary subdirectory. A key is always  allowed to list any directory content.') ?>
 </p>
diff --git a/pg-view/index.php b/pg-view/index.php
index 355c09c..ba564cb 100644
--- a/pg-view/index.php
+++ b/pg-view/index.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <nav>
 	<p>
 		<span aria-hidden="true">➡️ </span><em><a href="<?= CONF['common']['about_url'] ?>"><?= _('About this installation') ?></a></em>
diff --git a/pg-view/ns/caa.php b/pg-view/ns/caa.php
index 2040b1b..464c207 100644
--- a/pg-view/ns/caa.php
+++ b/pg-view/ns/caa.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/ns/form.ns.php'; ?>
 	<label for="flag"><?= _('Flag') ?></label>
diff --git a/pg-view/ns/cname.php b/pg-view/ns/cname.php
index 8c97807..201b54f 100644
--- a/pg-view/ns/cname.php
+++ b/pg-view/ns/cname.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/ns/form.ns.php'; ?>
 	<label for="cname"><?= _('Canonical name') ?></label>
diff --git a/pg-view/ns/dname.php b/pg-view/ns/dname.php
index 40a748a..0ca5bbe 100644
--- a/pg-view/ns/dname.php
+++ b/pg-view/ns/dname.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/ns/form.ns.php'; ?>
 	<label for="dname"><?= _('Delegation name') ?></label>
diff --git a/pg-view/ns/edit.php b/pg-view/ns/edit.php
index bb14b63..52e399d 100644
--- a/pg-view/ns/edit.php
+++ b/pg-view/ns/edit.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 	<label for="zone"><?= _('Zone to be changed') ?></label>
 	<br>
diff --git a/pg-view/ns/form.ns.php b/pg-view/ns/form.ns.php
index 3c05c42..6cc6d25 100644
--- a/pg-view/ns/form.ns.php
+++ b/pg-view/ns/form.ns.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 	<label for="action"><?= _('Action') ?></label>
 	<select name="action" id="action">
 		<option value="add"<?= ($_POST['action'] ?? NULL) === 'add' ? ' selected=""' : '' ?>><?= _('Add') ?></option>
diff --git a/pg-view/ns/index.php b/pg-view/ns/index.php
index 72e0603..37f94b7 100644
--- a/pg-view/ns/index.php
+++ b/pg-view/ns/index.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= _('This service allows to host and manage DNS records inside a DNS zone.') ?>
 </p>
diff --git a/pg-view/ns/ip.php b/pg-view/ns/ip.php
index 51d8392..1eefebf 100644
--- a/pg-view/ns/ip.php
+++ b/pg-view/ns/ip.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/ns/form.ns.php'; ?>
 	<label for="ip"><?= _('IP address') ?></label><br>
diff --git a/pg-view/ns/loc.php b/pg-view/ns/loc.php
index 5344a94..3273c1e 100644
--- a/pg-view/ns/loc.php
+++ b/pg-view/ns/loc.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/ns/form.ns.php'; ?>
 	<fieldset>
diff --git a/pg-view/ns/mx.php b/pg-view/ns/mx.php
index dc8c933..0e04b64 100644
--- a/pg-view/ns/mx.php
+++ b/pg-view/ns/mx.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/ns/form.ns.php'; ?>
 	<label for="priority"><?= _('Priority') ?></label>
diff --git a/pg-view/ns/ns.php b/pg-view/ns/ns.php
index 0cd6fef..a201f92 100644
--- a/pg-view/ns/ns.php
+++ b/pg-view/ns/ns.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/ns/form.ns.php'; ?>
 	<label for="ns"><?= _('Name server') ?></label>
diff --git a/pg-view/ns/print.php b/pg-view/ns/print.php
index 3492b1d..d3236cd 100644
--- a/pg-view/ns/print.php
+++ b/pg-view/ns/print.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 	<input type="radio" name="print" id="table" value="table" checked="">
 	<label for="table"><?= _('Records table') ?></label>
diff --git a/pg-view/ns/srv.php b/pg-view/ns/srv.php
index 4972852..3445eaa 100644
--- a/pg-view/ns/srv.php
+++ b/pg-view/ns/srv.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/ns/form.ns.php'; ?>
 
diff --git a/pg-view/ns/sshfp.php b/pg-view/ns/sshfp.php
index 4f72ea7..261598d 100644
--- a/pg-view/ns/sshfp.php
+++ b/pg-view/ns/sshfp.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/ns/form.ns.php'; ?>
 
diff --git a/pg-view/ns/sync.php b/pg-view/ns/sync.php
index 2e52645..fade7f9 100644
--- a/pg-view/ns/sync.php
+++ b/pg-view/ns/sync.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= sprintf(_('AAAA, A and CAA records are regularly copied from the source domain to the target domain. Their TTLs are set to %s seconds.'), SYNC_TTL) ?>
 </p>
diff --git a/pg-view/ns/tlsa.php b/pg-view/ns/tlsa.php
index 3e0a812..97fe70e 100644
--- a/pg-view/ns/tlsa.php
+++ b/pg-view/ns/tlsa.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/ns/form.ns.php'; ?>
 
diff --git a/pg-view/ns/txt.php b/pg-view/ns/txt.php
index 5cd0f7b..a39c4fc 100644
--- a/pg-view/ns/txt.php
+++ b/pg-view/ns/txt.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/ns/form.ns.php'; ?>
 	<label for="txt"><?= _('Text') ?></label>
diff --git a/pg-view/ns/zone-add.php b/pg-view/ns/zone-add.php
index 39522cf..a9f0932 100644
--- a/pg-view/ns/zone-add.php
+++ b/pg-view/ns/zone-add.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= sprintf(_('To prove that you own this domain, it must have a NS record equal to %s when the form is being processed.'), '<code>' . getAuthToken() . '._domain-verification.' . SERVER_NAME . '.</code>') ?>
 </p>
diff --git a/pg-view/ns/zone-del.php b/pg-view/ns/zone-del.php
index fb0b580..956939e 100644
--- a/pg-view/ns/zone-del.php
+++ b/pg-view/ns/zone-del.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 	<label for="zone"><?= _('Zone') ?></label>
 	<select required="" name="zone" id="zone">
diff --git a/pg-view/reg/ds.php b/pg-view/reg/ds.php
index 7338136..7aab92a 100644
--- a/pg-view/reg/ds.php
+++ b/pg-view/reg/ds.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/reg/select-action.inc.php'; ?>
 	<br>
diff --git a/pg-view/reg/glue.php b/pg-view/reg/glue.php
index 44ca00a..fae84b2 100644
--- a/pg-view/reg/glue.php
+++ b/pg-view/reg/glue.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/reg/select-action.inc.php'; ?>
 	<fieldset>
diff --git a/pg-view/reg/index.php b/pg-view/reg/index.php
index a00b7db..aafa686 100644
--- a/pg-view/reg/index.php
+++ b/pg-view/reg/index.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= sprintf(_('This domain name registry allows to register domains ending with <code>%1$s</code>, for instance <code><em>domain</em>%1$s</code>.'), '.' . key(CONF['reg']['suffixes'])) ?>
 </p>
diff --git a/pg-view/reg/ns.php b/pg-view/reg/ns.php
index b092e63..e4ba2e5 100644
--- a/pg-view/reg/ns.php
+++ b/pg-view/reg/ns.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/reg/select-action.inc.php'; ?>
 	<br>
diff --git a/pg-view/reg/print.php b/pg-view/reg/print.php
index f59c6f4..56d09c6 100644
--- a/pg-view/reg/print.php
+++ b/pg-view/reg/print.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <form method="post">
 <?php require ROOT_PATH . '/pg-view/reg/select-domain.inc.php'; ?>
 	<br>
diff --git a/pg-view/reg/register.php b/pg-view/reg/register.php
index 522257e..2e2fd53 100644
--- a/pg-view/reg/register.php
+++ b/pg-view/reg/register.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= _('Register a new domain on your account.') ?>
 </p>
diff --git a/pg-view/reg/select-action.inc.php b/pg-view/reg/select-action.inc.php
index cfc5d3c..75d79ff 100644
--- a/pg-view/reg/select-action.inc.php
+++ b/pg-view/reg/select-action.inc.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 	<label for="action"><?= _('Action') ?></label>
 	<select name="action" id="action">
 		<option value="add"<?= ($_POST['action'] ?? NULL) === 'add' ? ' selected=""' : '' ?>><?= _('Add') ?></option>
diff --git a/pg-view/reg/select-domain.inc.php b/pg-view/reg/select-domain.inc.php
index 0902483..2303bd6 100644
--- a/pg-view/reg/select-domain.inc.php
+++ b/pg-view/reg/select-domain.inc.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 	<label for="domain"><?= _('Domain') ?></label>
 	<br>
 	<select required="" name="domain" id="domain">
diff --git a/pg-view/reg/transfer.php b/pg-view/reg/transfer.php
index bdddda7..c76f28c 100644
--- a/pg-view/reg/transfer.php
+++ b/pg-view/reg/transfer.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= sprintf(_('To prove that you are allowed to receive the domain by its current owner, the domain must have an NS record equal to %s when the form is being processed. The NS record will be automatically deleted once validated.'), '<code>' . getAuthToken() . '._transfer-verification.' . SERVER_NAME . '.</code>') ?>
 </p>
diff --git a/pg-view/reg/unregister.php b/pg-view/reg/unregister.php
index 0ab31f6..e192147 100644
--- a/pg-view/reg/unregister.php
+++ b/pg-view/reg/unregister.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <p>
 	<?= _('This will unregister the domain, making it registerable by anyone again (after a delay of 1 year plus half the registration period, with a maximum of 8 years).') ?>
 </p>
diff --git a/router.php b/router.php
index 0c0a024..6a2635a 100644
--- a/router.php
+++ b/router.php
@@ -1,4 +1,4 @@
-<?php
+<?php declare(strict_types=1);
 require 'init.php';
 
 $pageAddress = substr($_SERVER['REQUEST_URI'], strlen(CONF['common']['prefix']) + 1);
diff --git a/sftpgo-auth.php b/sftpgo-auth.php
index 6ec3ef8..b73dbbb 100644
--- a/sftpgo-auth.php
+++ b/sftpgo-auth.php
@@ -1,4 +1,5 @@
-<?php // ServNest authenticator for SFTPGo https://github.com/drakkan/sftpgo/blob/main/docs/external-auth.md
+<?php declare(strict_types=1);
+// ServNest authenticator for SFTPGo https://github.com/drakkan/sftpgo/blob/main/docs/external-auth.md
 
 const DEBUG = false;
 !DEBUG or ob_start();
diff --git a/view.php b/view.php
index 67e9cc7..9bf6544 100644
--- a/view.php
+++ b/view.php
@@ -1,3 +1,4 @@
+<?php declare(strict_types=1); ?>
 <!DOCTYPE html>
 <html lang="<?= LOCALE ?>"<?= empty(SERVICE) ? '' : ' class="' . SERVICE . '"' ?>>
 	<head>

From 2570d09ba97c598a0675dbfd32880e6a2703571f Mon Sep 17 00:00:00 2001
From: Miraty <miraty+git@antopie.org>
Date: Mon, 31 Jul 2023 01:13:06 +0200
Subject: [PATCH 13/13] Add reg/edit.php and regParseRecord()

---
 fn/dns.php                           |  10 +-
 fn/ns.php                            |  22 +-
 fn/reg.php                           |  63 ++-
 jobs/check.php                       |   4 +-
 locales/fr/C/LC_MESSAGES/messages.po | 557 ++++++++++++++------------
 locales/messages.pot                 | 569 ++++++++++++++-------------
 pages.php                            |   5 +
 pg-act/ns/edit.php                   |  65 +--
 pg-act/ns/zone-add.php               |  12 +-
 pg-act/reg/ds.php                    |  26 +-
 pg-act/reg/edit.php                  |  97 +++++
 pg-act/reg/glue.php                  |  11 +-
 pg-act/reg/ns.php                    |  10 +-
 pg-view/ns/edit.php                  |  26 +-
 pg-view/ns/form.ns.php               |   2 +-
 pg-view/reg/edit.php                 |  54 +++
 16 files changed, 899 insertions(+), 634 deletions(-)
 create mode 100644 pg-act/reg/edit.php
 create mode 100644 pg-view/reg/edit.php

diff --git a/fn/dns.php b/fn/dns.php
index 2d0566e..2e4e5c6 100644
--- a/fn/dns.php
+++ b/fn/dns.php
@@ -70,11 +70,11 @@ function knotcZoneExec(string $zone, array $cmd, string $action = NULL): void {
 }
 
 function checkIpFormat(string $ip): string {
-	if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4))
-		return 'A';
-	if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))
-		return 'AAAA';
-	output(403, _('IP address malformed.'));
+	return match ($ip) {
+		filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) => 'AAAA',
+		filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) => 'A',
+		default => output(403, _('IP address malformed.')),
+	};
 }
 
 function checkAbsoluteDomainFormat(string $domain): void { // If the domain must end with a dot
diff --git a/fn/ns.php b/fn/ns.php
index d4195db..62c99f8 100644
--- a/fn/ns.php
+++ b/fn/ns.php
@@ -1,6 +1,6 @@
 <?php declare(strict_types=1);
 
-const SOA_VALUES = [
+const NS_SOA_VALUES = [
 	'ttl' => 10800,
 	'email' => CONF['ns']['public_soa_email'],
 	'refresh' => 10800,
@@ -9,15 +9,15 @@ const SOA_VALUES = [
 	'negative' => 10800,
 ];
 
-const MIN_TTL = 300;
-const DEFAULT_TTL = 10800;
-const MAX_TTL = 1728000;
+const NS_MIN_TTL = 300;
+const NS_DEFAULT_TTL = 10800;
+const NS_MAX_TTL = 1728000;
 
-const ALLOWED_TYPES = ['AAAA', 'A', 'TXT', 'SRV', 'MX', 'SSHFP', 'TLSA', 'NS', 'DS', 'CSYNC', 'CAA', 'CNAME', 'DNAME', 'SVCB', 'HTTPS', 'LOC'];
+const NS_ALLOWED_TYPES = ['AAAA', 'A', 'TXT', 'SRV', 'MX', 'SSHFP', 'TLSA', 'NS', 'DS', 'CSYNC', 'CAA', 'CNAME', 'DNAME', 'SVCB', 'HTTPS', 'LOC'];
 
-const ZONE_MAX_CHARACTERS = 10000;
+const NS_TEXTAREA_MAX_CHARACTERS = 10000;
 
-const SYNC_TTL = 10800;
+const NS_SYNC_TTL = 10800;
 
 function nsParseCommonRequirements(): array {
 	nsCheckZonePossession($_POST['zone']);
@@ -29,10 +29,10 @@ function nsParseCommonRequirements(): array {
 
 	$values['ttl'] = intval($_POST['ttl-value'] * $_POST['ttl-multiplier']);
 
-	if ($values['ttl'] < MIN_TTL)
-		output(403, sprintf(_('TTLs shorter than %s seconds are forbidden.'), MIN_TTL));
-	if ($values['ttl'] > MAX_TTL)
-		output(403, sprintf(_('TTLs longer than %s seconds are forbidden.'), MAX_TTL));
+	if ($values['ttl'] < NS_MIN_TTL)
+		output(403, sprintf(_('TTLs shorter than %s seconds are forbidden.'), NS_MIN_TTL));
+	if ($values['ttl'] > NS_MAX_TTL)
+		output(403, sprintf(_('TTLs longer than %s seconds are forbidden.'), NS_MAX_TTL));
 
 	return $values;
 }
diff --git a/fn/reg.php b/fn/reg.php
index d71b8f3..c5cf7fa 100644
--- a/fn/reg.php
+++ b/fn/reg.php
@@ -2,6 +2,9 @@
 
 const SUBDOMAIN_REGEX = '^(?!\-)(?!..\-\-)[a-z0-9-]{4,63}(?<!\-)$';
 
+const REG_TEXTAREA_MAX_CHARACTERS = 5000;
+const REG_ALLOWED_TYPES = ['NS', 'DS', 'AAAA', 'A'];
+
 function regListUserDomains(): array {
 	if (isset($_SESSION['id']))
 		return query('select', 'registry', ['username' => $_SESSION['id']], 'domain');
@@ -13,14 +16,16 @@ function regCheckDomainPossession(string $domain): void {
 		output(403, 'You don\'t own this domain on the registry.');
 }
 
+function regStripDomain(string $domain, string $content): string {
+	return preg_replace('/^(?:[a-z0-9._-]+\.)?' . preg_quote($domain, '/') . '[\t ]+.+$/Dm', '', $content);
+}
+
 function regDeleteDomain(string $domain, string $user_id): void {
 	// Delete domain from registry file
 	$path = CONF['reg']['suffixes_path'] . '/' . regParseDomain($domain)['suffix'] . 'zone';
-	$content = file_get_contents($path);
-	if ($content === false)
+	if (($content = file_get_contents($path)) === false)
 		output(500, 'Failed to read current registry file.');
-	$content = preg_replace('/^(?:[a-z0-9._-]+\.)?' . preg_quote($domain, '/') . '[\t ]+.+$/Dm', '', $content);
-	if (file_put_contents($path, $content) === false)
+	if (file_put_contents($path, regStripDomain($domain, $content)) === false)
 		output(500, 'Failed to write new registry file.');
 
 	try {
@@ -59,3 +64,53 @@ function regParseDomain(string $domain): array {
 		'suffix' => $suffix,
 	];
 }
+
+function regParseRecord(string $domain, array $record): array {
+	checkAbsoluteDomainFormat($record['domain']);
+
+	if ($record['domain'] !== $_POST['domain']) {
+		if ($record['type'] !== 'ip')
+			output(403, _('You can only set a NS/DS record for an apex domain.'));
+		else if (!str_ends_with($record['domain'], '.' . $domain))
+			output(403, _('You can\'t set a record for another domain.'));
+	}
+
+	$new_rec = [
+		$record['domain'],
+		CONF['reg']['ttl'],
+		$record['type'],
+	];
+	if ($record['type'] === 'DS') {
+		if (!in_array($record['algo'], ['8', '13', '14', '15', '16'], true))
+			output(403, 'Wrong value for <code>algo</code>.');
+
+		if ((preg_match('/^[0-9]{1,6}$/D', $record['keytag'])) !== 1 OR !($record['keytag'] >= 1) OR !($record['keytag'] <= 65535))
+			output(403, 'Wrong value for <code>keytag</code>.');
+
+		if ($record['dt'] !== '2' AND $record['dt'] !== '4')
+			output(403, 'Wrong value for <code>dt</code>.');
+
+		if (preg_match('/^(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{96})$/D', $record['key']) !== 1)
+			output(403, 'Wrong value for <code>key</code>.');
+
+		return [
+			...$new_rec,
+			$record['keytag'],
+			$record['algo'],
+			$record['dt'],
+			$record['key'],
+		];
+	}
+	if ($record['type'] === 'NS')
+		return [
+			...$new_rec,
+			formatAbsoluteDomain($record['ns']),
+		];
+	if ($record['type'] === 'ip')
+		return [
+			$record['domain'],
+			CONF['reg']['ttl'],
+			checkIpFormat($record['ip']),
+			$record['ip'],
+		];
+}
diff --git a/jobs/check.php b/jobs/check.php
index 2ce0af7..3e9562d 100644
--- a/jobs/check.php
+++ b/jobs/check.php
@@ -204,8 +204,8 @@ function testNs(string $domain): void {
 		exit('Error: /ns/caa: CAA record not set' . LF);
 
 	curlTest('/ns/edit', [
-		'zone' => $domain,
-		'zone-content' => 'aaaa.' . $domain . ' 3600 AAAA ' . CONF['ht']['ipv6_address'] . "\r\n"
+		'domain' => $domain,
+		'records' => 'aaaa.' . $domain . ' 3600 AAAA ' . CONF['ht']['ipv6_address'] . "\r\n"
 			. '@ 86400 NS ' . CONF['ns']['servers'][0] . "\r\n",
 	]);
 	exescape([
diff --git a/locales/fr/C/LC_MESSAGES/messages.po b/locales/fr/C/LC_MESSAGES/messages.po
index 88c4b6a..7796c03 100644
--- a/locales/fr/C/LC_MESSAGES/messages.po
+++ b/locales/fr/C/LC_MESSAGES/messages.po
@@ -1,7 +1,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-07-16 20:50+0200\n"
+"POT-Creation-Date: 2023-07-31 01:03+0200\n"
 "Language: fr\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 
@@ -13,8 +13,8 @@ msgstr "Authentification"
 msgid "Manage account"
 msgstr "Gérer son compte"
 
-#: pages.php:13 view.php:21 pg-view/auth/login.php:12
-#: pg-view/auth/register.php:1
+#: pages.php:13 view.php:22 pg-view/auth/login.php:13
+#: pg-view/auth/register.php:2
 msgid "Log in"
 msgstr "Se connecter"
 
@@ -22,7 +22,7 @@ msgstr "Se connecter"
 msgid "Start a new navigation session with an existing account"
 msgstr "Démarrer une nouvelle session avec un compte existant"
 
-#: pages.php:18 view.php:19
+#: pages.php:18 view.php:20
 msgid "Log out"
 msgstr "Se déconnecter"
 
@@ -105,189 +105,197 @@ msgstr "Afficher les enregistrements"
 msgid "Print every record related to a domain and served by the registry"
 msgstr "Montrer tous les enregistrements liés à un domaine et servis par le registre"
 
-#: pages.php:67 pages.php:72 pages.php:117 pages.php:122 pages.php:127
-#: pages.php:132 pages.php:137 pages.php:142 pages.php:147 pages.php:152
-#: pages.php:157 pages.php:162
+#: pages.php:67
+msgid "Edit records"
+msgstr "Modifier des enregistrements"
+
+#: pages.php:68
+msgid "Set registry records to delegate a domain to chosen name servers"
+msgstr "Définir les enregistrements du registre pour déléguer un domaine à des serveurs de noms de son choix"
+
+#: pages.php:72 pages.php:77 pages.php:122 pages.php:127 pages.php:132
+#: pages.php:137 pages.php:142 pages.php:147 pages.php:152 pages.php:157
+#: pages.php:162 pages.php:167
 #, php-format
 msgid "%s records"
 msgstr "Enregistrements %s"
 
-#: pages.php:68
+#: pages.php:73
 #, php-format
 msgid "Indicate the name servers of a %s subdomain"
 msgstr "Indiquer les serveurs de nom d'un sous-domaine de %s"
 
-#: pages.php:73
+#: pages.php:78
 msgid "Delegate <abbr title=\"Domain Name System Security Extensions\">DNSSEC</abbr> trust"
 msgstr "Déléguer la confiance <abbr title=\"Domain Name System Security Extensions\">DNSSEC</abbr>"
 
-#: pages.php:77
+#: pages.php:82
 msgid "Receive a domain transfer"
 msgstr "Recevoir un transfert de domaine"
 
-#: pages.php:78
+#: pages.php:83
 msgid "Transfer a domain owned by another account to the current account"
 msgstr "Transférer vers le compte actuel un domaine possédé par un autre compte"
 
-#: pages.php:82
+#: pages.php:87
 msgid "Glue records"
 msgstr "Glue records"
 
-#: pages.php:83
+#: pages.php:88
 msgid "Advanced: store the IP address of a name server whose domain is inside the domain it serves"
 msgstr "Avancé&nbsp;: indiquer l'adresse IP d'un serveur de nom dont le domaine descend de la zone qu'il sert"
 
-#: pages.php:89 pg-view/ns/index.php:24
+#: pages.php:94 pg-view/ns/index.php:25
 msgid "Name servers"
 msgstr "Serveurs de nom"
 
-#: pages.php:90
+#: pages.php:95
 msgid "Host and manage domain's records"
 msgstr "Héberger et gérer les enregistrements d'un domaine"
 
-#: pages.php:93
+#: pages.php:98
 msgid "Add zone"
 msgstr "Ajouter une zone"
 
-#: pages.php:94
+#: pages.php:99
 #, php-format
 msgid "The zone will be managed by %s name servers"
 msgstr "La zone sera gérée par les serveurs de nom de %s"
 
-#: pages.php:98
+#: pages.php:103
 msgid "Delete zone"
 msgstr "Supprimer une zone"
 
-#: pages.php:99
+#: pages.php:104
 msgid "Erase all zone data"
 msgstr "Effacer tous les enregistrements d'une zone"
 
-#: pages.php:102
+#: pages.php:107
 msgid "Display zone"
 msgstr "Afficher une zone"
 
-#: pages.php:103
+#: pages.php:108
 msgid "Print zonefile content"
 msgstr "Montrer le contenu d'un fichier de zone"
 
-#: pages.php:107
+#: pages.php:112
 msgid "Edit zone"
 msgstr "Modifier une zone"
 
-#: pages.php:108
+#: pages.php:113
 msgid "Change zonefile content"
 msgstr "Éditer le contenu d'un fichier de zone"
 
-#: pages.php:112
+#: pages.php:117
 msgid "AAAA and A records"
 msgstr "Enregistrements AAAA et A"
 
-#: pages.php:113
+#: pages.php:118
 msgid "Store domain's IP address"
 msgstr "Indiquer l'adresse IP d'un domaine"
 
-#: pages.php:118
+#: pages.php:123
 msgid "Store zone's name server"
 msgstr "Indiquer les serveurs de nom d'une zone"
 
-#: pages.php:123
+#: pages.php:128
 msgid "Associate text to domain"
 msgstr "Associer du texte à un domaine"
 
-#: pages.php:128
+#: pages.php:133
 msgid "Limit the certificate authorities allowed to certify the domain"
 msgstr "Limiter les autorités de certification autorisées à certifier un domaine"
 
-#: pages.php:133
+#: pages.php:138
 msgid "Store the location of a domain's service"
 msgstr "Indiquer l'adresse exacte d'un service pour un domaine"
 
-#: pages.php:138
+#: pages.php:143
 msgid "Store the email server's address"
 msgstr "Indiquer l'adresse d'un serveur de courriels"
 
-#: pages.php:143
+#: pages.php:148
 msgid "Store <abbr title=\"Secure SHell\">SSH</abbr> public keys fingerprints"
 msgstr "Indiquer les empreintes de clés publiques <abbr title=\"Secure SHell\">SSH</abbr>"
 
-#: pages.php:148
+#: pages.php:153
 msgid "Setup <abbr title=\"DNS-based Authentication of Named Entities\">DANE</abbr> by publishing the <abbr title=\"Transport Layer Security\">TLS</abbr> certificate fingerprint"
 msgstr "Mettre en place <abbr title=\"DNS-based Authentication of Named Entities\">DANE</abbr> et publiant l'empreinte d'un certificat <abbr title=\"Transport Layer Security\">TLS</abbr>"
 
-#: pages.php:153
+#: pages.php:158
 msgid "Define a domain as an alias of another"
 msgstr "Définir un domaine comme étant l'alias d'un autre"
 
-#: pages.php:158
+#: pages.php:163
 msgid "Define all subdomains of a domain as aliases of subdomains of another domain"
 msgstr "Définir la descendance d'un domaine comme alias de la descendance d'un autre domaine"
 
-#: pages.php:163
+#: pages.php:168
 msgid "Store geographic coordinates"
 msgstr "Indiquer des coordonnées géographiques"
 
-#: pages.php:167
+#: pages.php:172
 #, php-format
 msgid "Synchronized records"
 msgstr "Enregistrements synchronisés"
 
-#: pages.php:168
+#: pages.php:173
 msgid "Regularly fetch distant records and update them to a local zone"
 msgstr "Récupérer régulièrement des enregistrements distants et les mettre à jour vers une zone locale"
 
-#: pages.php:174
+#: pages.php:179
 msgid "Web"
 msgstr "Web"
 
-#: pages.php:175
+#: pages.php:180
 msgid "Upload a static website into an <abbr title=\"SSH File Transfer Protocol\">SFTP</abbr> space"
 msgstr "Téléverser un site statique dans un espace <abbr title=\"SSH File Transfert Protocol\">SFTP</abbr>"
 
-#: pages.php:178
+#: pages.php:183
 #, php-format
 msgid "%s subpath access"
 msgstr "Accès par sous-chemin de %s"
 
-#: pages.php:179 pages.php:184 pages.php:189
+#: pages.php:184 pages.php:189 pages.php:194
 #, php-format
 msgid "Its URL will look like %s"
 msgstr "Son URL ressemblera à %s"
 
-#: pages.php:179 pages.php:184 pages.php:189
+#: pages.php:184 pages.php:189 pages.php:194
 msgid "mysite"
 msgstr "monsite"
 
-#: pages.php:183
+#: pages.php:188
 #, php-format
 msgid "%s subdomain access"
 msgstr "Accès par sous-domaine de %s"
 
-#: pages.php:188
+#: pages.php:193
 msgid "Dedicated domain with Let's Encrypt certificate access"
 msgstr "Accès par domaine dédié avec certificat Let's Encrypt"
 
-#: pages.php:193
+#: pages.php:198
 msgid "Onion service access"
 msgstr "Accès par service Onion"
 
-#: pages.php:194
+#: pages.php:199
 #, php-format
 msgid "Its URL will look like %s, and work only through the Tor network"
 msgstr "Son URL ressemblera à %s, et ne fonctionnera que par le réseau Tor"
 
-#: pages.php:198 pg-view/ht/del.php:18
+#: pages.php:203 pg-view/ht/del.php:19
 msgid "Delete access"
 msgstr "Supprimer un accès"
 
-#: pages.php:199
+#: pages.php:204
 msgid "Delete an existing HTTP access from a subdirectory of the SFTP space"
 msgstr "Retirer un accès HTTP existant d'un sous-dossier de l'espace SFTP"
 
-#: pages.php:202
+#: pages.php:207
 msgid "Manage SSH keys"
 msgstr "Gérer les clés SSH"
 
-#: pages.php:203
+#: pages.php:208
 msgid "Choose what SSH key can edit what directory"
 msgstr "Choisir quelle clé SSH peut modifier quel dossier"
 
@@ -295,7 +303,7 @@ msgstr "Choisir quelle clé SSH peut modifier quel dossier"
 msgid "This account doesn't exist anymore. Log out to end this ghost session."
 msgstr "Ce compte n'existe plus. Déconnectez-vous pour terminer cette session fantôme."
 
-#: router.php:106 view.php:39
+#: router.php:106 view.php:40
 msgid "This service is currently under maintenance. No action can be taken on it until an administrator finishes repairing it."
 msgstr "Ce service est en cours de maintenance. Aucune action ne peut être effectuée avant qu'ane administrataire termine de le réparer."
 
@@ -303,24 +311,24 @@ msgstr "Ce service est en cours de maintenance. Aucune action ne peut être effe
 msgid "You need to be logged in to do this."
 msgstr "Vous devez être connecté·e à un compte pour faire cela."
 
-#: view.php:19
+#: view.php:20
 msgid "You are using a testing account. It may be deleted anytime."
 msgstr "Vous utilisez un compte de test. Il risque d'être supprimé n'importe quand."
 
-#: view.php:19
+#: view.php:20
 msgid "Read more"
 msgstr "En savoir plus"
 
-#: view.php:21
+#: view.php:22
 msgid "Anonymous"
 msgstr "Anonyme"
 
-#: view.php:44
+#: view.php:45
 #, php-format
 msgid "This form won't be accepted because you need to %slog in%s first."
 msgstr "Ce formulaire ne sera pas accepté car il faut %sse connecter%s d'abord."
 
-#: view.php:51
+#: view.php:52
 #, php-format
 msgid "%sSource code%s available under %s."
 msgstr "%sCode source%s disponible sous %s."
@@ -354,7 +362,7 @@ msgstr "<strong>Erreur du serveur</strong>&nbsp;: "
 msgid "Wrong proof."
 msgstr "Preuve incorrecte."
 
-#: fn/dns.php:77
+#: fn/dns.php:76
 msgid "IP address malformed."
 msgstr "Adresse IP malformée."
 
@@ -362,17 +370,25 @@ msgstr "Adresse IP malformée."
 msgid "Domain malformed."
 msgstr "Domaine malformé."
 
-#: fn/ns.php:33 pg-act/ns/edit.php:25
+#: fn/ns.php:33 pg-act/ns/edit.php:27
 #, php-format
 msgid "TTLs shorter than %s seconds are forbidden."
 msgstr "Les TTLs plus courts que %s secondes sont interdits."
 
-#: fn/ns.php:35 pg-act/ns/edit.php:27
+#: fn/ns.php:35 pg-act/ns/edit.php:29
 #, php-format
 msgid "TTLs longer than %s seconds are forbidden."
 msgstr "Les TTLs plus longs que %s secondes sont interdits."
 
-#: pg-view/index.php:3
+#: fn/reg.php:73
+msgid "You can only set a NS/DS record for an apex domain."
+msgstr "Vous pouvez seulement définir un enregistrement NS/DS à l'apex du domaine."
+
+#: fn/reg.php:75
+msgid "You can't set a record for another domain."
+msgstr "Vous ne pouvez pas définir un enregistrement pour un autre domaine."
+
+#: pg-view/index.php:4
 msgid "About this installation"
 msgstr "À propos de cette installation"
 
@@ -405,7 +421,7 @@ msgstr "Clé de passe actuelle incorrecte."
 msgid "Password updated."
 msgstr "Clé de passe mise à jour."
 
-#: pg-act/auth/register.php:4 pg-view/auth/register.php:3
+#: pg-act/auth/register.php:4 pg-view/auth/register.php:4
 msgid "Registrations are currently closed on this installation."
 msgstr "Les inscriptions sont actuellement fermées sur cette installation."
 
@@ -485,28 +501,28 @@ msgstr "Clés SSH mises à jour."
 #: pg-act/ns/caa.php:25 pg-act/ns/cname.php:16 pg-act/ns/dname.php:16
 #: pg-act/ns/ip.php:16 pg-act/ns/loc.php:72 pg-act/ns/mx.php:20
 #: pg-act/ns/ns.php:16 pg-act/ns/srv.php:28 pg-act/ns/sshfp.php:25
-#: pg-act/ns/tlsa.php:29 pg-act/ns/txt.php:17 pg-act/reg/ds.php:30
-#: pg-act/reg/glue.php:14 pg-act/reg/ns.php:14
+#: pg-act/ns/tlsa.php:29 pg-act/ns/txt.php:17 pg-act/reg/ds.php:12
+#: pg-act/reg/glue.php:13 pg-act/reg/ns.php:12
 msgid "Modification done."
 msgstr "Modification effectuée."
 
-#: pg-act/ns/edit.php:17
+#: pg-act/ns/edit.php:19 pg-act/reg/edit.php:14
 #, php-format
 msgid "The zone is limited to %s characters."
 msgstr "La zone est limitée à %s caractères."
 
-#: pg-act/ns/edit.php:21
+#: pg-act/ns/edit.php:23 pg-act/reg/edit.php:18
 msgid "The following line does not match the expected format: "
 msgstr "La ligne suivante ne correspond pas au format attendu&nbsp;: "
 
-#: pg-act/ns/edit.php:23
+#: pg-act/ns/edit.php:25 pg-act/reg/edit.php:20 pg-act/reg/edit.php:28
 #, php-format
 msgid "The %s type is not allowed."
 msgstr "Le type %s n'est pas autorisé."
 
-#: pg-act/ns/edit.php:38
-msgid "Sent zone content is not correct (according to <code>kzonecheck</code>)."
-msgstr "Le contenu de zone envoyé n'est pas correct (selon <code>kzonecheck</code>)."
+#: pg-act/ns/edit.php:40 pg-act/reg/edit.php:51
+msgid "Sent content is not correct (according to <code>kzonecheck</code>)."
+msgstr "Le contenu envoyé n'est pas correct (selon <code>kzonecheck</code>)."
 
 #: pg-act/ns/sync.php:19
 msgid "Multiple source domains can't be applied to the same target domain."
@@ -536,6 +552,10 @@ msgstr "Zone créée."
 msgid "Zone deleted."
 msgstr "Zone supprimée."
 
+#: pg-act/reg/edit.php:22
+msgid "A DS record expects 4 arguments."
+msgstr "Un enregistrement DS attends 4 arguments."
+
 #: pg-act/reg/register.php:4 pg-act/reg/transfer.php:4
 msgid "This format of subdomain is not allowed."
 msgstr "Ce format de sous-domaine n'est pas autorisé."
@@ -584,705 +604,722 @@ msgstr "Le domaine a été transféré vers le compte actuel ; l'enregistrement
 msgid "Domain unregistered."
 msgstr "Domaine désenregistré."
 
-#: pg-view/auth/approval.php:2
+#: pg-view/auth/approval.php:3
 msgid "This form allows to use an approval key to validate your account. Approval keys are distributed by an administrator upon request."
 msgstr "Ce formulaire permet d'utiliser une clé d'approbation pour valider son compte. Les clés d'approbation sont distribuées par ane administrataire sur demande."
 
-#: pg-view/auth/approval.php:6
+#: pg-view/auth/approval.php:7
 msgid "Approval key"
 msgstr "Clé d'approbation"
 
-#: pg-view/auth/approval.php:9
+#: pg-view/auth/approval.php:10
 msgid "Use for this account"
 msgstr "Utiliser pour ce compte"
 
-#: pg-view/auth/index.php:3
+#: pg-view/auth/index.php:4
 msgid "Account type"
 msgstr "Type de compte"
 
-#: pg-view/auth/index.php:9
+#: pg-view/auth/index.php:10
 msgid "You are currently using a <strong>testing</strong> account."
 msgstr "Vous utilisez actuellement un compte <strong>de test</strong>."
 
-#: pg-view/auth/index.php:10
+#: pg-view/auth/index.php:11
 msgid "You are currently using an <strong>approved</strong> account."
 msgstr "Vous utilisez actuellement un compte <strong>approuvé</strong>."
 
-#: pg-view/auth/index.php:13
+#: pg-view/auth/index.php:14
 msgid "You are not logged in."
 msgstr "Vous n'êtes connecté·e à aucun compte."
 
-#: pg-view/auth/index.php:18
+#: pg-view/auth/index.php:19
 msgid "When an account is created, it's a <em>testing</em> account. A testing account is only temporary and with limited capabilities on the services. Once the account is validated by using an approval key requested to an administrator, it becomes an <em>approved</em> account."
 msgstr "Quand un compte est créé, c'est un compte <em>de test</em>. Un compte de test est seulement temporaire et avec des capacités restreintes sur les services. Une fois le compte validé en utilisant une clé d'approbation demandée à ane administrataire, il devient un compte <em>approuvé</em>."
 
-#: pg-view/auth/index.php:21
+#: pg-view/auth/index.php:22
 msgid "Rate limit"
 msgstr "Limite de débit"
 
-#: pg-view/auth/index.php:25
+#: pg-view/auth/index.php:26
 #, php-format
 msgid "Your account is at %s%% of the rate limit."
 msgstr "Votre compte est à %s%% de la limite de débit."
 
-#: pg-view/auth/index.php:27
+#: pg-view/auth/index.php:28
 msgid "Most of the form submissions bring you closer to the rate limit. If you reach it, you need to wait in order to be able to submit forms again."
 msgstr "La plupart des traitements de formulaires vous rapprochent de la limite de débit. Si vous l'atteignez, vous devez attendre avant de pouvoir envoyer des formulaires à nouveau."
 
-#: pg-view/auth/index.php:31
+#: pg-view/auth/index.php:32
 msgid "Internal ID"
 msgstr "Identifiant interne"
 
-#: pg-view/auth/index.php:33
+#: pg-view/auth/index.php:34
 #, php-format
 msgid "The current account's internal ID is %s."
 msgstr "L'identifiant interne du compte actuel est %s."
 
-#: pg-view/auth/login.php:1
+#: pg-view/auth/login.php:2
 msgid "New?"
 msgstr "Nouvele ?"
 
-#: pg-view/auth/login.php:1 pg-view/auth/register.php:16
+#: pg-view/auth/login.php:2 pg-view/auth/register.php:17
 msgid "Create an account"
 msgstr "Créer un compte"
 
-#: pg-view/auth/login.php:4 pg-view/auth/register.php:6 pg-view/ht/index.php:64
+#: pg-view/auth/login.php:5 pg-view/auth/register.php:7 pg-view/ht/index.php:65
 msgid "Username"
 msgstr "Identifiant"
 
-#: pg-view/auth/login.php:8 pg-view/auth/register.php:11
-#: pg-view/ht/index.php:68
+#: pg-view/auth/login.php:9 pg-view/auth/register.php:12
+#: pg-view/ht/index.php:69
 msgid "Password"
 msgstr "Clé de passe"
 
-#: pg-view/auth/password.php:2 pg-view/auth/unregister.php:6
-#: pg-view/auth/username.php:2
+#: pg-view/auth/password.php:3 pg-view/auth/unregister.php:7
+#: pg-view/auth/username.php:3
 msgid "Current password"
 msgstr "Clé de passe actuelle"
 
-#: pg-view/auth/password.php:5
+#: pg-view/auth/password.php:6
 msgid "New password"
 msgstr "Nouvelle clé de passe"
 
-#: pg-view/auth/password.php:8
+#: pg-view/auth/password.php:9
 msgid "Update password"
 msgstr "Mettre à jour la clé de passe"
 
-#: pg-view/auth/register.php:1
+#: pg-view/auth/register.php:2
 msgid "Already have an account?"
 msgstr "Déjà un compte ?"
 
-#: pg-view/auth/register.php:12
+#: pg-view/auth/register.php:13
 #, php-format
 msgid "Minimum %1$s characters, or %2$s characters if it contains lowercase, uppercase and digit."
 msgstr "Minimum %1$s caractères, ou %2$s caractères si elle contient minuscule, majuscule et chiffre."
 
-#: pg-view/auth/unregister.php:2
+#: pg-view/auth/unregister.php:3
 msgid "This will delete every resource managed by the current account, including registered domains, hosted DNS records, websites files and cryptographic keys for Onion services and DNSSEC."
 msgstr "Ceci supprimera toutes les ressources gérées par le compte actuel, y compris les domaines enregistrés, les enregistrements DNS hébergés, les fichiers des sites et les clés cryptographiques des services Onion et de DNSSEC."
 
-#: pg-view/auth/unregister.php:10
+#: pg-view/auth/unregister.php:11
 msgid "Delete the current account and everything related (required)"
 msgstr "Supprimer le compte actuel et tout ce qui y est lié (requis)"
 
-#: pg-view/auth/unregister.php:12 pg-view/ns/form.ns.php:4 pg-view/reg/ds.php:5
-#: pg-view/reg/glue.php:5 pg-view/reg/ns.php:5
+#: pg-view/auth/unregister.php:13 pg-view/ns/form.ns.php:5
+#: pg-view/reg/select-action.inc.php:5
 msgid "Delete"
 msgstr "Supprimer"
 
-#: pg-view/auth/username.php:5
+#: pg-view/auth/username.php:6
 msgid "New username"
 msgstr "Nouvel identifiant"
 
-#: pg-view/auth/username.php:8
+#: pg-view/auth/username.php:9
 msgid "Update username"
 msgstr "Mettre à jour l'identifiant"
 
-#: pg-view/ht/add-dns.php:2
+#: pg-view/ht/add-dns.php:3
 msgid "A Let's Encrypt certificate will be obtained."
 msgstr "Un certificat Let's Encrypt sera obtenu."
 
-#: pg-view/ht/add-dns.php:6
+#: pg-view/ht/add-dns.php:7
 msgid "The domain must have the following records when the form is being processed."
 msgstr "Le domaine doit avoir les enregistrements suivants pendant le traitement du formulaire."
 
-#: pg-view/ht/add-dns.php:29 pg-view/ns/form.ns.php:8 pg-view/ns/print.php:32
-#: pg-view/ns/zone-add.php:6 pg-view/reg/ds.php:8 pg-view/reg/glue.php:8
-#: pg-view/reg/glue.php:15 pg-view/reg/ns.php:8 pg-view/reg/print.php:2
-#: pg-view/reg/print.php:16 pg-view/reg/register.php:11
-#: pg-view/reg/unregister.php:6
+#: pg-view/ht/add-dns.php:30 pg-view/ns/form.ns.php:9 pg-view/ns/print.php:33
+#: pg-view/ns/zone-add.php:7 pg-view/reg/glue.php:5 pg-view/reg/print.php:10
+#: pg-view/reg/register.php:12 pg-view/reg/select-domain.inc.php:2
+#: pg-view/reg/unregister.php:7
 msgid "Domain"
 msgstr "Domaine"
 
-#: pg-view/ht/add-dns.php:31 pg-view/ht/add-onion.php:2
-#: pg-view/ht/add-subdomain.php:8 pg-view/ht/add-subpath.php:8
+#: pg-view/ht/add-dns.php:32 pg-view/ht/add-onion.php:3
+#: pg-view/ht/add-subdomain.php:9 pg-view/ht/add-subpath.php:9
 msgid "Target directory"
 msgstr "Dossier ciblé"
 
-#: pg-view/ht/add-dns.php:40 pg-view/ht/add-onion.php:11
-#: pg-view/ht/add-subdomain.php:17 pg-view/ht/add-subpath.php:17
+#: pg-view/ht/add-dns.php:41 pg-view/ht/add-onion.php:12
+#: pg-view/ht/add-subdomain.php:18 pg-view/ht/add-subpath.php:18
 msgid "Setup access"
 msgstr "Créer l'accès"
 
-#: pg-view/ht/add-subdomain.php:2 pg-view/reg/register.php:6
+#: pg-view/ht/add-subdomain.php:3 pg-view/reg/register.php:7
 #, php-format
 msgid "The subdomain can only contain %1$s, %2$s and %3$s, and must be between 4 and 63 characters. It can't have an hyphen (%3$s) in first, last or both third and fourth position."
 msgstr "Le sous-domain peut uniquement contenir %1$s, %2$s et %3$s, et doit être entre 4 et 63 caractères. Il ne peut pas avoir un tiret (%3$s) en première, dernière ou à la fois troisième et quatrième position."
 
-#: pg-view/ht/add-subdomain.php:6 pg-view/ns/form.ns.php:10
-#: pg-view/reg/glue.php:10 pg-view/reg/register.php:13
-#: pg-view/reg/transfer.php:9
+#: pg-view/ht/add-subdomain.php:7 pg-view/ns/form.ns.php:11
+#: pg-view/reg/glue.php:7 pg-view/reg/register.php:14
+#: pg-view/reg/transfer.php:10
 msgid "Subdomain"
 msgstr "Sous-domaine"
 
-#: pg-view/ht/add-subpath.php:2
+#: pg-view/ht/add-subpath.php:3
 #, php-format
 msgid "The path can only contain %1$s, %2$s and %3$s, and must be between 4 and 63 characters."
 msgstr "Le chemin peut uniquement contenir %1$s, %2$s et %3$s, et doit être entre 4 et 63 caractères."
 
-#: pg-view/ht/add-subpath.php:6
+#: pg-view/ht/add-subpath.php:7
 msgid "Path"
 msgstr "Chemin"
 
-#: pg-view/ht/del.php:2
+#: pg-view/ht/del.php:3
 msgid "Access to delete"
 msgstr "Accès à retirer"
 
-#: pg-view/ht/del.php:13
+#: pg-view/ht/del.php:14
 #, php-format
 msgid "%1$s to %2$s"
 msgstr "%1$s vers %2$s"
 
-#: pg-view/ht/index.php:2
+#: pg-view/ht/index.php:3
 msgid "This service allows you to send files on the server using SFTP, and to make them publicly available with HTTP."
 msgstr "Ce service permet d'envoyer des fichiers sur le serveur par SFTP, et de les rendre publiquement accessibles par HTTP."
 
-#: pg-view/ht/index.php:8
+#: pg-view/ht/index.php:9
 msgid "Currently hosted sites"
 msgstr "Sites actuellement hébergés"
 
-#: pg-view/ht/index.php:38
+#: pg-view/ht/index.php:39
 msgid "Adding a site access"
 msgstr "Ajouter un accès de site"
 
-#: pg-view/ht/index.php:40
+#: pg-view/ht/index.php:41
 #, php-format
 msgid "In order to be able to set up an HTTP site with this service, a subdirectory for this site must be created inside the SFTP space first. The name of this subdirectory can only contain %1$s, %2$s, %3$s, %4$s and %5$s."
 msgstr "Pour pouvoir créer un site HTTP avec ce service, un sous-dossier pour ce site doit d'abord être créé dans l'espace SFTP. Le nom de ce sous-dossier ne peut contenir que %1$s, %2$s, %3$s, %4$s et %5$s."
 
-#: pg-view/ht/index.php:44
+#: pg-view/ht/index.php:45
 msgid "Connecting to the SFTP server"
 msgstr "Se connecter au serveur SFTP"
 
-#: pg-view/ht/index.php:52
+#: pg-view/ht/index.php:53
 msgid "Server"
 msgstr "Serveur"
 
-#: pg-view/ht/index.php:56 pg-view/ns/srv.php:16
+#: pg-view/ht/index.php:57 pg-view/ns/srv.php:17
 msgid "Port"
 msgstr "Port"
 
-#: pg-view/ht/index.php:60
+#: pg-view/ht/index.php:61
 msgid "Directory"
 msgstr "Dossier"
 
-#: pg-view/ht/index.php:70
+#: pg-view/ht/index.php:71
 msgid "The one of your account"
 msgstr "Celle de votre compte"
 
-#: pg-view/ht/index.php:74
+#: pg-view/ht/index.php:75
 msgid "Authenticating the server"
 msgstr "Authentifier le serveur"
 
-#: pg-view/ht/index.php:76
+#: pg-view/ht/index.php:77
 msgid "An SSHFP record is available."
 msgstr "Un enregistrement SSHFP est disponible."
 
-#: pg-view/ht/index.php:79
+#: pg-view/ht/index.php:80
 msgid "Plain public key"
 msgstr "Clé publique"
 
-#: pg-view/ht/index.php:84
+#: pg-view/ht/index.php:85
 msgid "Public key fingerprint"
 msgstr "Empreinte de la clé publique"
 
-#: pg-view/ht/index.php:89
+#: pg-view/ht/index.php:90
 msgid "ASCII art"
 msgstr "Art ASCII"
 
-#: pg-view/ht/index.php:102
+#: pg-view/ht/index.php:103
 msgid "A content security policy (CSP) forbids Web browsers from loading JavaScript or third-party resources."
 msgstr "Une politique de sécurité du contenu (CSP) interdit l'intégration de ressources tierces ou de JavaScript."
 
-#: pg-view/ht/index.php:105
+#: pg-view/ht/index.php:106
 msgid "<code>.htaccess</code> configuration"
 msgstr "Configuration par <code>.htaccess</code>"
 
-#: pg-view/ht/index.php:107
+#: pg-view/ht/index.php:108
 msgid "You can change the way the HTTP server answers to requests in a directory by setting some directives in a file named <code>.htaccess</code> at the root of this directory. Only the following directives are allowed:"
 msgstr "Vous pouvez modifier la façon dont le serveur HTTP répond aux requêtes dans un dossier en indiquant des directives dans un fichier nommé <code>.htaccess</code> à la racine de ce dossier. Seules les directives suivantes sont autorisées&nbsp;:"
 
-#: pg-view/ht/index.php:163
+#: pg-view/ht/index.php:164
 msgid "Accounts capabilities"
 msgstr "Capacités des comptes"
 
-#: pg-view/ht/index.php:165
+#: pg-view/ht/index.php:166
 msgid "Testing"
 msgstr "De test"
 
-#: pg-view/ht/index.php:168 pg-view/ht/index.php:175
+#: pg-view/ht/index.php:169 pg-view/ht/index.php:176
 #, php-format
 msgid "%s of SFTP quota"
 msgstr "Quota SFTP de %s"
 
-#: pg-view/ht/index.php:168 pg-view/ht/index.php:175
+#: pg-view/ht/index.php:169 pg-view/ht/index.php:176
 msgid "<abbr title=\"gibibyte\">GiB</abbr>"
 msgstr "<abbr title=\"gibioctet\">Gio</abbr>"
 
-#: pg-view/ht/index.php:168 pg-view/ht/index.php:175
+#: pg-view/ht/index.php:169 pg-view/ht/index.php:176
 msgid "<abbr title=\"mebibyte\">MiB</abbr>"
 msgstr "<abbr title=\"mébioctet\">Mio</abbr>"
 
-#: pg-view/ht/index.php:169
+#: pg-view/ht/index.php:170
 msgid "Let's Encrypt certificate from the staging environment (not trusted by clients)"
 msgstr "Certificat Let's Encrypt de test (n'est pas reconnu par les clients)"
 
-#: pg-view/ht/index.php:172
+#: pg-view/ht/index.php:173
 msgid "Approved"
 msgstr "Approuvé"
 
-#: pg-view/ht/index.php:176
+#: pg-view/ht/index.php:177
 msgid "Stable Let's Encrypt certificates"
 msgstr "Vrai certificat Let's Encrypt"
 
-#: pg-view/ht/keys.php:2
+#: pg-view/ht/keys.php:3
 msgid "In addition to your password, you can also access your SFTP space using Ed25519 SSH keys. A key can be granted modification rights to the full space (<code>/</code>) or to any arbitrary subdirectory. A key is always  allowed to list any directory content."
 msgstr "En plus de la clé de passe, c'est également possible d'accéder à l'espace SFTP en utilisant des clés SSH Ed25519. Une clé peut être autorisée à modifier dans tout l'espace (<code>/</code>) ou dans un quelconque sous-dossier spécifique. Une clé est toujours autorisée à lister le contenu de n'importe quel dossier."
 
-#: pg-view/ht/keys.php:17
+#: pg-view/ht/keys.php:18
 msgid "Add new SSH key access"
 msgstr "Ajouter un nouvel accès par clé SSH"
 
-#: pg-view/ht/keys.php:17
+#: pg-view/ht/keys.php:18
 msgid "SSH key access"
 msgstr "Accès par clé SSH"
 
-#: pg-view/ht/keys.php:19
+#: pg-view/ht/keys.php:20
 msgid "Public key"
 msgstr "Clé publique"
 
-#: pg-view/ht/keys.php:23
+#: pg-view/ht/keys.php:24
 msgid "Allowed directory"
 msgstr "Dossier autorisé"
 
-#: pg-view/ht/keys.php:30 pg-view/ns/sync.php:37
+#: pg-view/ht/keys.php:31 pg-view/ns/sync.php:38
 msgid "Update"
 msgstr "Mettre à jour"
 
-#: pg-view/ns/caa.php:3
+#: pg-view/ns/caa.php:4
 msgid "Flag"
 msgstr "Flag"
 
-#: pg-view/ns/caa.php:7 pg-view/ns/print.php:56
+#: pg-view/ns/caa.php:8 pg-view/ns/print.php:57
 msgid "Tag"
 msgstr "Tag"
 
-#: pg-view/ns/caa.php:11 pg-view/ns/form.ns.php:31 pg-view/ns/print.php:35
-#: pg-view/ns/tlsa.php:37 pg-view/reg/print.php:19
+#: pg-view/ns/caa.php:12 pg-view/ns/form.ns.php:33 pg-view/ns/print.php:36
+#: pg-view/ns/tlsa.php:38 pg-view/reg/print.php:13
 msgid "Value"
 msgstr "Valeur"
 
-#: pg-view/ns/caa.php:15 pg-view/ns/cname.php:7 pg-view/ns/dname.php:7
-#: pg-view/ns/ip.php:5 pg-view/ns/loc.php:75 pg-view/ns/mx.php:11
-#: pg-view/ns/ns.php:7 pg-view/ns/srv.php:27 pg-view/ns/sshfp.php:29
-#: pg-view/ns/tlsa.php:43 pg-view/ns/txt.php:7 pg-view/reg/ds.php:56
-#: pg-view/reg/glue.php:29 pg-view/reg/ns.php:22
+#: pg-view/ns/caa.php:16 pg-view/ns/cname.php:8 pg-view/ns/dname.php:8
+#: pg-view/ns/ip.php:6 pg-view/ns/loc.php:76 pg-view/ns/mx.php:12
+#: pg-view/ns/ns.php:8 pg-view/ns/srv.php:28 pg-view/ns/sshfp.php:30
+#: pg-view/ns/tlsa.php:44 pg-view/ns/txt.php:8 pg-view/reg/ds.php:45
+#: pg-view/reg/glue.php:18 pg-view/reg/ns.php:11
 msgid "Apply"
 msgstr "Appliquer"
 
-#: pg-view/ns/cname.php:3
+#: pg-view/ns/cname.php:4
 msgid "Canonical name"
 msgstr "Nom canonique"
 
-#: pg-view/ns/dname.php:3
+#: pg-view/ns/dname.php:4
 msgid "Delegation name"
 msgstr "Nom délégué"
 
-#: pg-view/ns/edit.php:2
+#: pg-view/ns/edit.php:3
 msgid "Zone to be changed"
 msgstr "Zone à modifier"
 
-#: pg-view/ns/edit.php:12 pg-view/ns/print.php:20 pg-view/reg/print.php:11
+#: pg-view/ns/edit.php:13 pg-view/ns/print.php:21 pg-view/reg/edit.php:13
+#: pg-view/reg/print.php:5
 msgid "Display"
 msgstr "Afficher"
 
-#: pg-view/ns/edit.php:23
+#: pg-view/ns/edit.php:24
 #, php-format
-msgid "New content of the %s zone"
-msgstr "Nouveau contenu de la zone %s"
+msgid "Authoritative records for %s"
+msgstr "Enregistrements ayant autorité pour %s"
 
-#: pg-view/ns/edit.php:27
+#: pg-view/ns/edit.php:28 pg-view/reg/edit.php:28
 msgid "Replace"
 msgstr "Remplacer"
 
-#: pg-view/ns/edit.php:38
+#: pg-view/ns/edit.php:39
 msgid "Default values"
 msgstr "Valeurs par défaut"
 
-#: pg-view/ns/edit.php:40
+#: pg-view/ns/edit.php:41
 #, php-format
 msgid "If the TTL is omitted, it will default to %s seconds."
 msgstr "Si le TTL est omis, il sera définit à %s secondes."
 
-#: pg-view/ns/edit.php:42
+#: pg-view/ns/edit.php:43 pg-view/reg/edit.php:41
 msgid "Precising the class (<code>IN</code>) is optional."
 msgstr "La précision de la classe (<code>IN</code>) est facultative."
 
-#: pg-view/ns/edit.php:44
+#: pg-view/ns/edit.php:45
 msgid "Allowed values"
 msgstr "Valeurs autorisées"
 
-#: pg-view/ns/edit.php:46
+#: pg-view/ns/edit.php:47 pg-view/reg/edit.php:43
 #, php-format
-msgid "Submitted zone content is limited to %s characters."
-msgstr "La zone n'est pas autorisée à dépasser %s caractères."
+msgid "Submitted field content is limited to %s characters."
+msgstr "Le champ envoyé n'est pas autorisé à dépasser %s caractères."
 
-#: pg-view/ns/edit.php:48
+#: pg-view/ns/edit.php:49
 #, php-format
 msgid "TTLs must last between %1$s and %2$s seconds."
 msgstr "Les TTLs ne sont autorisés qu'entre %1$s et %2$s secondes."
 
-#: pg-view/ns/edit.php:50
-msgid "The only types that can be defined are:"
-msgstr "Les seuls types dont l'édition est autorisée sont&nbsp;:"
+#: pg-view/ns/edit.php:51 pg-view/reg/edit.php:47
+msgid "The only types that can be defined here are:"
+msgstr "Les seuls types qui peuvent être définis ici sont&nbsp;:"
 
-#: pg-view/ns/form.ns.php:1 pg-view/reg/ds.php:2 pg-view/reg/glue.php:2
-#: pg-view/reg/ns.php:2
+#: pg-view/ns/form.ns.php:2 pg-view/reg/select-action.inc.php:2
 msgid "Action"
 msgstr "Action"
 
-#: pg-view/ns/form.ns.php:3 pg-view/ns/zone-add.php:8 pg-view/reg/ds.php:4
-#: pg-view/reg/glue.php:4 pg-view/reg/ns.php:4
+#: pg-view/ns/form.ns.php:4 pg-view/ns/zone-add.php:9
+#: pg-view/reg/select-action.inc.php:4
 msgid "Add"
 msgstr "Ajouter"
 
-#: pg-view/ns/form.ns.php:15 pg-view/ns/print.php:52 pg-view/ns/zone-del.php:2
+#: pg-view/ns/form.ns.php:16 pg-view/ns/print.php:53 pg-view/ns/zone-del.php:3
 msgid "Zone"
 msgstr "Zone"
 
-#: pg-view/ns/form.ns.php:29 pg-view/ns/print.php:33 pg-view/reg/print.php:17
+#: pg-view/ns/form.ns.php:31 pg-view/ns/print.php:34 pg-view/reg/print.php:11
 msgid "TTL"
 msgstr "TTL"
 
-#: pg-view/ns/form.ns.php:45
+#: pg-view/ns/form.ns.php:47
 msgid "Unit"
 msgstr "Unité"
 
-#: pg-view/ns/form.ns.php:48
+#: pg-view/ns/form.ns.php:50
 msgid "second"
 msgstr "seconde"
 
-#: pg-view/ns/form.ns.php:49
+#: pg-view/ns/form.ns.php:51
 msgid "minute"
 msgstr "minute"
 
-#: pg-view/ns/form.ns.php:50
+#: pg-view/ns/form.ns.php:52
 msgid "hour"
 msgstr "heure"
 
-#: pg-view/ns/form.ns.php:51
+#: pg-view/ns/form.ns.php:53
 msgid "day"
 msgstr "jour"
 
-#: pg-view/ns/index.php:2
+#: pg-view/ns/index.php:3
 msgid "This service allows to host and manage DNS records inside a DNS zone."
 msgstr "Ce service permet d'héberger et de gérer les enregistrements DNS à l'intérieur d'une zone DNS."
 
-#: pg-view/ns/index.php:8
+#: pg-view/ns/index.php:9
 msgid "Currently hosted zones"
 msgstr "Zones actuellement hébergées"
 
-#: pg-view/ns/index.php:26
+#: pg-view/ns/index.php:27
 msgid "A zone hosted on this service is served by these name servers:"
 msgstr "Une zone hébergée sur ce service est servie par les serveurs suivants&nbsp;:"
 
-#: pg-view/ns/ip.php:3 pg-view/reg/glue.php:26
+#: pg-view/ns/ip.php:4 pg-view/reg/glue.php:15
 msgid "IP address"
 msgstr "Adresse IP"
 
-#: pg-view/ns/loc.php:4
+#: pg-view/ns/loc.php:5
 msgid "Latitude"
 msgstr "Latitude"
 
-#: pg-view/ns/loc.php:6 pg-view/ns/loc.php:34
+#: pg-view/ns/loc.php:7 pg-view/ns/loc.php:35
 msgid "Degrees"
 msgstr "Dégrés"
 
-#: pg-view/ns/loc.php:11 pg-view/ns/loc.php:39
+#: pg-view/ns/loc.php:12 pg-view/ns/loc.php:40
 msgid "Minutes"
 msgstr "Minutes"
 
-#: pg-view/ns/loc.php:16 pg-view/ns/loc.php:44
+#: pg-view/ns/loc.php:17 pg-view/ns/loc.php:45
 msgid "Seconds"
 msgstr "Secondes"
 
-#: pg-view/ns/loc.php:21 pg-view/ns/loc.php:49
+#: pg-view/ns/loc.php:22 pg-view/ns/loc.php:50
 msgid "Direction"
 msgstr "Direction"
 
-#: pg-view/ns/loc.php:25
+#: pg-view/ns/loc.php:26
 msgid "North"
 msgstr "Nord"
 
-#: pg-view/ns/loc.php:26
+#: pg-view/ns/loc.php:27
 msgid "South"
 msgstr "Sud"
 
-#: pg-view/ns/loc.php:32
+#: pg-view/ns/loc.php:33
 msgid "Longitude"
 msgstr "Longitude"
 
-#: pg-view/ns/loc.php:53
+#: pg-view/ns/loc.php:54
 msgid "East"
 msgstr "Est"
 
-#: pg-view/ns/loc.php:54
+#: pg-view/ns/loc.php:55
 msgid "West"
 msgstr "Ouest"
 
-#: pg-view/ns/loc.php:59
+#: pg-view/ns/loc.php:60
 msgid "Altitude"
 msgstr "Altitude"
 
-#: pg-view/ns/loc.php:63
+#: pg-view/ns/loc.php:64
 msgid "Size"
 msgstr "Taille"
 
-#: pg-view/ns/loc.php:67
+#: pg-view/ns/loc.php:68
 msgid "Horizontal precision"
 msgstr "Précision horizontale"
 
-#: pg-view/ns/loc.php:71
+#: pg-view/ns/loc.php:72
 msgid "Vertical precision"
 msgstr "Précision verticale"
 
-#: pg-view/ns/mx.php:3 pg-view/ns/srv.php:4
+#: pg-view/ns/mx.php:4 pg-view/ns/srv.php:5
 msgid "Priority"
 msgstr "Priorité"
 
-#: pg-view/ns/mx.php:7
+#: pg-view/ns/mx.php:8
 msgid "Host"
 msgstr "Hôte"
 
-#: pg-view/ns/ns.php:3 pg-view/reg/ns.php:18
+#: pg-view/ns/ns.php:4 pg-view/reg/ns.php:7
 msgid "Name server"
 msgstr "Serveur de nom"
 
-#: pg-view/ns/print.php:3
+#: pg-view/ns/print.php:4
 msgid "Records table"
 msgstr "Tableau des enregistrements"
 
-#: pg-view/ns/print.php:6
+#: pg-view/ns/print.php:7
 msgid "DS record"
 msgstr "Enregistrement DS"
 
-#: pg-view/ns/print.php:9
+#: pg-view/ns/print.php:10
 msgid "Raw zonefile"
 msgstr "Fichier de zone brut"
 
-#: pg-view/ns/print.php:11
+#: pg-view/ns/print.php:12
 msgid "Selected zone"
 msgstr "Zone"
 
-#: pg-view/ns/print.php:34 pg-view/reg/print.php:18
+#: pg-view/ns/print.php:35 pg-view/reg/print.php:12
 msgid "Type"
 msgstr "Type"
 
-#: pg-view/ns/print.php:60 pg-view/ns/sshfp.php:4 pg-view/reg/ds.php:22
+#: pg-view/ns/print.php:61 pg-view/ns/sshfp.php:5 pg-view/reg/ds.php:11
 msgid "Algorithm"
 msgstr "Algorithme"
 
-#: pg-view/ns/print.php:64 pg-view/reg/ds.php:41
+#: pg-view/ns/print.php:65 pg-view/reg/ds.php:30
 msgid "Digest type"
 msgstr "Type de condensat"
 
-#: pg-view/ns/print.php:68
+#: pg-view/ns/print.php:69
 msgid "Digest"
 msgstr "Condensat"
 
-#: pg-view/ns/srv.php:10
+#: pg-view/ns/srv.php:11
 msgid "Weight"
 msgstr "Poids"
 
-#: pg-view/ns/srv.php:22
+#: pg-view/ns/srv.php:23
 msgid "Target"
 msgstr "Cible"
 
-#: pg-view/ns/sshfp.php:15
+#: pg-view/ns/sshfp.php:16
 msgid "Hash type"
 msgstr "Type de hash"
 
-#: pg-view/ns/sshfp.php:24
+#: pg-view/ns/sshfp.php:25
 msgid "Fingerprint"
 msgstr "Empreinte"
 
-#: pg-view/ns/sync.php:2
+#: pg-view/ns/sync.php:3
 #, php-format
 msgid "AAAA, A and CAA records are regularly copied from the source domain to the target domain. Their TTLs are set to %s seconds."
 msgstr "Les enregistrements AAAA, A et CAA sont régulièrement copiés du domain source vers le domain cible. Leurs TTLs sont définis à %s secondes."
 
-#: pg-view/ns/sync.php:5
+#: pg-view/ns/sync.php:6
 msgid "Source domains that are not signed with DNSSEC are not synchronized. Synchronizations that remain broken may be deleted."
 msgstr "Les domains sources qui ne sont pas signés avec DNSSEC ne sont pas synchronisés. Les synchronisations qui restent cassées peuvent être supprimées."
 
-#: pg-view/ns/sync.php:8
+#: pg-view/ns/sync.php:9
 msgid "This is meant to be used for apex domains, where CNAME records are not allowed. For non-apex domains, CNAME records should be used instead."
 msgstr "Ceci est destiné à être utilisé sur des domaines apex, où les enregistrements CNAME ne sont pas autorisés. Pour des domaines non-apex, les enregistrements CNAME devraient être utilisés à la place."
 
-#: pg-view/ns/sync.php:16
+#: pg-view/ns/sync.php:17
 msgid "Add new domain records to be synchronized"
 msgstr "Ajouter de nouveaux enregistrements de domain à synchroniser"
 
-#: pg-view/ns/sync.php:16
+#: pg-view/ns/sync.php:17
 msgid "Synchronized domain"
 msgstr "Domaine synchronisé"
 
-#: pg-view/ns/sync.php:18
+#: pg-view/ns/sync.php:19
 msgid "Source domain"
 msgstr "Domaine source"
 
-#: pg-view/ns/sync.php:22
+#: pg-view/ns/sync.php:23
 msgid "Target domain"
 msgstr "Domaine cible"
 
-#: pg-view/ns/tlsa.php:4
+#: pg-view/ns/tlsa.php:5
 msgid "Use"
 msgstr "Utilisation"
 
-#: pg-view/ns/tlsa.php:16
+#: pg-view/ns/tlsa.php:17
 msgid "Selector"
 msgstr "Selecteur"
 
-#: pg-view/ns/tlsa.php:20
+#: pg-view/ns/tlsa.php:21
 msgid "the full certificate must match"
 msgstr "le certificat entier doit correspondre"
 
-#: pg-view/ns/tlsa.php:21
+#: pg-view/ns/tlsa.php:22
 msgid "the certificate public key must match"
 msgstr "la clé publique du certificat doit correspondre"
 
-#: pg-view/ns/tlsa.php:26
+#: pg-view/ns/tlsa.php:27
 msgid "Match type"
 msgstr "Type de correspondance"
 
-#: pg-view/ns/tlsa.php:30
+#: pg-view/ns/tlsa.php:31
 msgid "full certificate"
 msgstr "certificat entier"
 
-#: pg-view/ns/txt.php:3
+#: pg-view/ns/txt.php:4
 msgid "Text"
 msgstr "Texte"
 
-#: pg-view/ns/txt.php:5
+#: pg-view/ns/txt.php:6
 msgid "Some text…"
 msgstr "Du texte…"
 
-#: pg-view/ns/zone-add.php:2
+#: pg-view/ns/zone-add.php:3
 #, php-format
 msgid "To prove that you own this domain, it must have a NS record equal to %s when the form is being processed."
 msgstr "Pour prouver que vous possédez bien ce domaine, il doit posséder un enregistrement NS égal à %s lors du traitement de ce formulaire."
 
-#: pg-view/ns/zone-del.php:11
+#: pg-view/ns/zone-del.php:12
 msgid "Delete everything related to this zone"
 msgstr "Supprimer tout de cette zone"
 
-#: pg-view/reg/ds.php:18
+#: pg-view/reg/ds.php:7
 msgid "Key tag"
 msgstr "Tag de la clé"
 
-#: pg-view/reg/ds.php:52
+#: pg-view/reg/ds.php:41
 msgid "Key"
 msgstr "Condensat"
 
-#: pg-view/reg/glue.php:27
+#: pg-view/reg/edit.php:3
+msgid "Domain to be changed"
+msgstr "Domaine à modifier"
+
+#: pg-view/reg/edit.php:24
+#, php-format
+msgid "Delegation records for %s"
+msgstr "Enregistrements de délégation pour %s"
+
+#: pg-view/reg/edit.php:39
+msgid "Input values"
+msgstr "Saisie des valeurs"
+
+#: pg-view/reg/edit.php:45
+#, php-format
+msgid "TTL values are ignored and always set to %s seconds."
+msgstr "Les valeurs de TTL sont ignorées et toujours définies à %s secondes."
+
+#: pg-view/reg/glue.php:16
 #, php-format
 msgid "%1$s or %2$s"
 msgstr "%1$s ou %2$s"
 
-#: pg-view/reg/index.php:2
+#: pg-view/reg/index.php:3
 #, php-format
 msgid "This domain name registry allows to register domains ending with <code>%1$s</code>, for instance <code><em>domain</em>%1$s</code>."
 msgstr "Ce registre de noms de domaine permet d'enregistrer des domaines se terminant par <code>%1$s</code>, par exemple <code><em>domaine</em>%1$s</code>."
 
-#: pg-view/reg/index.php:7
+#: pg-view/reg/index.php:8
 msgid "Currently registered domains"
 msgstr "Domaines actuellement enregistrés"
 
-#: pg-view/reg/index.php:27
+#: pg-view/reg/index.php:28
 msgid "Both <span aria-hidden=\"true\">⏳ </span><em>testing</em> and <span aria-hidden=\"true\">👤 </span><em>approved</em> accounts can register a domain under these suffixes:"
 msgstr "Les comptes <span aria-hidden=\"true\">⏳ </span><em>de test</em> et <span aria-hidden=\"true\">👤 </span><em>approuvés</em> peuvent enregistrer un domaine sous ces suffixes&nbsp;:"
 
-#: pg-view/reg/index.php:38
+#: pg-view/reg/index.php:41
 msgid "Only <span aria-hidden=\"true\">👤 </span><em>approved</em> accounts can register a domain under these suffixes:"
 msgstr "Seuls les comptes <span aria-hidden=\"true\">👤 </span><em>approuvés</em> peuvent enregistrer un domaine sous ces suffixes&nbsp;:"
 
-#: pg-view/reg/index.php:49
+#: pg-view/reg/index.php:54
 msgid "Nobody can register a domain under these suffixes:"
 msgstr "Personne ne peut enregistrer un domain sous ces suffixes&nbsp;:"
 
-#: pg-view/reg/index.php:63
+#: pg-view/reg/index.php:70
 msgid "Automatic updates from child zone"
 msgstr "Mises à jour automatiques depuis la zone enfant"
 
-#: pg-view/reg/index.php:64
+#: pg-view/reg/index.php:71
 msgid "CSYNC records"
 msgstr "Enregistrements CSYNC"
 
-#: pg-view/reg/index.php:66
+#: pg-view/reg/index.php:73
 msgid "The registry can synchronize NS records from the child zone if a CSYNC record is present at the apex of the child zone, has flags <code>1</code> and type bit map <code>NS</code>, and can be DNSSEC-validated. Others values are not supported."
 msgstr "Le registre peut synchroniser les enregistrements NS depuis la zone enfant si un enregistrement CSYNC est présent à l'apex de la zone enfant, a les drapeaux <code>1</code> et le type bit map <code>NS</code>, et peut être validé par DNSSEC. Les autres valeurs ne sont pas supportées."
 
-#: pg-view/reg/index.php:68
+#: pg-view/reg/index.php:75
 msgid "DNSSEC and DS records"
 msgstr "DNSSEC et enregistrements DS"
 
-#: pg-view/reg/index.php:70
+#: pg-view/reg/index.php:77
 msgid "Once DNSSEC has been manually enabled through the current interface, the delegated zone can publish a CDS record in order to update the DS record in the registry. A single CDS record with value <code>0 0 0 0</code> tells the registry to disable DNSSEC. Using a CDS record to enable DNSSEC is not supported."
 msgstr "Une fois que DNSSEC a été manuellement activé en utilisant l'interface actuelle, la zone déléguée peut publier un enregistrement CDS afin de mettre à jour l'enregistrement DS dans le registre. Un unique enregistrement CDS avec pour valeur <code>0 0 0 0</code> indique au registre de désactiver DNSSEC. Utiliser un enregistrement CDS pour activer DNSSEC n'est pas supporté."
 
-#: pg-view/reg/register.php:2
+#: pg-view/reg/register.php:3
 msgid "Register a new domain on your account."
 msgstr "Enregistrer un nouveau domaine sur son compte."
 
-#: pg-view/reg/register.php:18 pg-view/reg/transfer.php:14
+#: pg-view/reg/register.php:19 pg-view/reg/transfer.php:15
 msgid "Suffix"
 msgstr "Suffixe"
 
-#: pg-view/reg/register.php:31
+#: pg-view/reg/register.php:32
 msgid "Check availability"
 msgstr "Vérifier sa disponibilité"
 
-#: pg-view/reg/register.php:33
+#: pg-view/reg/register.php:34
 msgid "Register"
 msgstr "Enregistrer"
 
-#: pg-view/reg/transfer.php:2
+#: pg-view/reg/transfer.php:3
 #, php-format
 msgid "To prove that you are allowed to receive the domain by its current owner, the domain must have an NS record equal to %s when the form is being processed. The NS record will be automatically deleted once validated."
 msgstr "Pour prouver que vous êtes autorisé à recevoir le domaine par san possessaire actuele, ledit domaine doit posséder un enregistrement NS égal à %s lors du traitement de ce formulaire. Cet enregistrement sera automatiquement retiré une fois validé."
 
-#: pg-view/reg/transfer.php:7
+#: pg-view/reg/transfer.php:8
 msgid "Domain that will be transferred to this account"
 msgstr "Domaine à transférer vers ce compte"
 
-#: pg-view/reg/transfer.php:26
+#: pg-view/reg/transfer.php:27
 msgid "Receive the domain"
 msgstr "Recevoir le domaine"
 
-#: pg-view/reg/unregister.php:2
+#: pg-view/reg/unregister.php:3
 msgid "This will unregister the domain, making it registerable by anyone again (after a delay of 1 year plus half the registration period, with a maximum of 8 years)."
 msgstr "Ceci désenregistrera le domaine, ce qui le re-disponibilisera à tout le monde (après un délai de 1 an + la moitié de la durée d'enregistrement, avec un maximum de 8 ans)."
 
-#: pg-view/reg/unregister.php:16
+#: pg-view/reg/unregister.php:17
 msgid "Unregister"
 msgstr "Désenregistrer"
diff --git a/locales/messages.pot b/locales/messages.pot
index 89b82f6..667ea1f 100644
--- a/locales/messages.pot
+++ b/locales/messages.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-07-16 20:50+0200\n"
+"POT-Creation-Date: 2023-07-31 01:03+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -25,8 +25,8 @@ msgstr ""
 msgid "Manage account"
 msgstr ""
 
-#: pages.php:13 view.php:21 pg-view/auth/login.php:12
-#: pg-view/auth/register.php:1
+#: pages.php:13 view.php:22 pg-view/auth/login.php:13
+#: pg-view/auth/register.php:2
 msgid "Log in"
 msgstr ""
 
@@ -34,7 +34,7 @@ msgstr ""
 msgid "Start a new navigation session with an existing account"
 msgstr ""
 
-#: pages.php:18 view.php:19
+#: pages.php:18 view.php:20
 msgid "Log out"
 msgstr ""
 
@@ -117,189 +117,197 @@ msgstr ""
 msgid "Print every record related to a domain and served by the registry"
 msgstr ""
 
-#: pages.php:67 pages.php:72 pages.php:117 pages.php:122 pages.php:127
-#: pages.php:132 pages.php:137 pages.php:142 pages.php:147 pages.php:152
-#: pages.php:157 pages.php:162
+#: pages.php:67
+msgid "Edit records"
+msgstr ""
+
+#: pages.php:68
+msgid "Set registry records to delegate a domain to chosen name servers"
+msgstr ""
+
+#: pages.php:72 pages.php:77 pages.php:122 pages.php:127 pages.php:132
+#: pages.php:137 pages.php:142 pages.php:147 pages.php:152 pages.php:157
+#: pages.php:162 pages.php:167
 #, php-format
 msgid "%s records"
 msgstr ""
 
-#: pages.php:68
+#: pages.php:73
 #, php-format
 msgid "Indicate the name servers of a %s subdomain"
 msgstr ""
 
-#: pages.php:73
+#: pages.php:78
 msgid "Delegate <abbr title=\"Domain Name System Security Extensions\">DNSSEC</abbr> trust"
 msgstr ""
 
-#: pages.php:77
+#: pages.php:82
 msgid "Receive a domain transfer"
 msgstr ""
 
-#: pages.php:78
+#: pages.php:83
 msgid "Transfer a domain owned by another account to the current account"
 msgstr ""
 
-#: pages.php:82
+#: pages.php:87
 msgid "Glue records"
 msgstr ""
 
-#: pages.php:83
+#: pages.php:88
 msgid "Advanced: store the IP address of a name server whose domain is inside the domain it serves"
 msgstr ""
 
-#: pages.php:89 pg-view/ns/index.php:24
+#: pages.php:94 pg-view/ns/index.php:25
 msgid "Name servers"
 msgstr ""
 
-#: pages.php:90
+#: pages.php:95
 msgid "Host and manage domain's records"
 msgstr ""
 
-#: pages.php:93
+#: pages.php:98
 msgid "Add zone"
 msgstr ""
 
-#: pages.php:94
+#: pages.php:99
 #, php-format
 msgid "The zone will be managed by %s name servers"
 msgstr ""
 
-#: pages.php:98
+#: pages.php:103
 msgid "Delete zone"
 msgstr ""
 
-#: pages.php:99
+#: pages.php:104
 msgid "Erase all zone data"
 msgstr ""
 
-#: pages.php:102
+#: pages.php:107
 msgid "Display zone"
 msgstr ""
 
-#: pages.php:103
+#: pages.php:108
 msgid "Print zonefile content"
 msgstr ""
 
-#: pages.php:107
+#: pages.php:112
 msgid "Edit zone"
 msgstr ""
 
-#: pages.php:108
+#: pages.php:113
 msgid "Change zonefile content"
 msgstr ""
 
-#: pages.php:112
+#: pages.php:117
 msgid "AAAA and A records"
 msgstr ""
 
-#: pages.php:113
+#: pages.php:118
 msgid "Store domain's IP address"
 msgstr ""
 
-#: pages.php:118
+#: pages.php:123
 msgid "Store zone's name server"
 msgstr ""
 
-#: pages.php:123
+#: pages.php:128
 msgid "Associate text to domain"
 msgstr ""
 
-#: pages.php:128
+#: pages.php:133
 msgid "Limit the certificate authorities allowed to certify the domain"
 msgstr ""
 
-#: pages.php:133
+#: pages.php:138
 msgid "Store the location of a domain's service"
 msgstr ""
 
-#: pages.php:138
+#: pages.php:143
 msgid "Store the email server's address"
 msgstr ""
 
-#: pages.php:143
+#: pages.php:148
 msgid "Store <abbr title=\"Secure SHell\">SSH</abbr> public keys fingerprints"
 msgstr ""
 
-#: pages.php:148
+#: pages.php:153
 msgid "Setup <abbr title=\"DNS-based Authentication of Named Entities\">DANE</abbr> by publishing the <abbr title=\"Transport Layer Security\">TLS</abbr> certificate fingerprint"
 msgstr ""
 
-#: pages.php:153
+#: pages.php:158
 msgid "Define a domain as an alias of another"
 msgstr ""
 
-#: pages.php:158
+#: pages.php:163
 msgid "Define all subdomains of a domain as aliases of subdomains of another domain"
 msgstr ""
 
-#: pages.php:163
+#: pages.php:168
 msgid "Store geographic coordinates"
 msgstr ""
 
-#: pages.php:167
+#: pages.php:172
 #, php-format
 msgid "Synchronized records"
 msgstr ""
 
-#: pages.php:168
+#: pages.php:173
 msgid "Regularly fetch distant records and update them to a local zone"
 msgstr ""
 
-#: pages.php:174
+#: pages.php:179
 msgid "Web"
 msgstr ""
 
-#: pages.php:175
+#: pages.php:180
 msgid "Upload a static website into an <abbr title=\"SSH File Transfer Protocol\">SFTP</abbr> space"
 msgstr ""
 
-#: pages.php:178
-#, php-format
-msgid "%s subpath access"
-msgstr ""
-
-#: pages.php:179 pages.php:184 pages.php:189
-#, php-format
-msgid "Its URL will look like %s"
-msgstr ""
-
-#: pages.php:179 pages.php:184 pages.php:189
-msgid "mysite"
-msgstr ""
-
 #: pages.php:183
 #, php-format
-msgid "%s subdomain access"
+msgid "%s subpath access"
+msgstr ""
+
+#: pages.php:184 pages.php:189 pages.php:194
+#, php-format
+msgid "Its URL will look like %s"
+msgstr ""
+
+#: pages.php:184 pages.php:189 pages.php:194
+msgid "mysite"
 msgstr ""
 
 #: pages.php:188
-msgid "Dedicated domain with Let's Encrypt certificate access"
+#, php-format
+msgid "%s subdomain access"
 msgstr ""
 
 #: pages.php:193
+msgid "Dedicated domain with Let's Encrypt certificate access"
+msgstr ""
+
+#: pages.php:198
 msgid "Onion service access"
 msgstr ""
 
-#: pages.php:194
+#: pages.php:199
 #, php-format
 msgid "Its URL will look like %s, and work only through the Tor network"
 msgstr ""
 
-#: pages.php:198 pg-view/ht/del.php:18
+#: pages.php:203 pg-view/ht/del.php:19
 msgid "Delete access"
 msgstr ""
 
-#: pages.php:199
+#: pages.php:204
 msgid "Delete an existing HTTP access from a subdirectory of the SFTP space"
 msgstr ""
 
-#: pages.php:202
+#: pages.php:207
 msgid "Manage SSH keys"
 msgstr ""
 
-#: pages.php:203
+#: pages.php:208
 msgid "Choose what SSH key can edit what directory"
 msgstr ""
 
@@ -307,7 +315,7 @@ msgstr ""
 msgid "This account doesn't exist anymore. Log out to end this ghost session."
 msgstr ""
 
-#: router.php:106 view.php:39
+#: router.php:106 view.php:40
 msgid "This service is currently under maintenance. No action can be taken on it until an administrator finishes repairing it."
 msgstr ""
 
@@ -315,24 +323,24 @@ msgstr ""
 msgid "You need to be logged in to do this."
 msgstr ""
 
-#: view.php:19
+#: view.php:20
 msgid "You are using a testing account. It may be deleted anytime."
 msgstr ""
 
-#: view.php:19
+#: view.php:20
 msgid "Read more"
 msgstr ""
 
-#: view.php:21
+#: view.php:22
 msgid "Anonymous"
 msgstr ""
 
-#: view.php:44
+#: view.php:45
 #, php-format
 msgid "This form won't be accepted because you need to %slog in%s first."
 msgstr ""
 
-#: view.php:51
+#: view.php:52
 #, php-format
 msgid "%sSource code%s available under %s."
 msgstr ""
@@ -366,7 +374,7 @@ msgstr ""
 msgid "Wrong proof."
 msgstr ""
 
-#: fn/dns.php:77
+#: fn/dns.php:76
 msgid "IP address malformed."
 msgstr ""
 
@@ -374,17 +382,25 @@ msgstr ""
 msgid "Domain malformed."
 msgstr ""
 
-#: fn/ns.php:33 pg-act/ns/edit.php:25
+#: fn/ns.php:33 pg-act/ns/edit.php:27
 #, php-format
 msgid "TTLs shorter than %s seconds are forbidden."
 msgstr ""
 
-#: fn/ns.php:35 pg-act/ns/edit.php:27
+#: fn/ns.php:35 pg-act/ns/edit.php:29
 #, php-format
 msgid "TTLs longer than %s seconds are forbidden."
 msgstr ""
 
-#: pg-view/index.php:3
+#: fn/reg.php:73
+msgid "You can only set a NS/DS record for an apex domain."
+msgstr ""
+
+#: fn/reg.php:75
+msgid "You can't set a record for another domain."
+msgstr ""
+
+#: pg-view/index.php:4
 msgid "About this installation"
 msgstr ""
 
@@ -417,7 +433,7 @@ msgstr ""
 msgid "Password updated."
 msgstr ""
 
-#: pg-act/auth/register.php:4 pg-view/auth/register.php:3
+#: pg-act/auth/register.php:4 pg-view/auth/register.php:4
 msgid "Registrations are currently closed on this installation."
 msgstr ""
 
@@ -497,27 +513,27 @@ msgstr ""
 #: pg-act/ns/caa.php:25 pg-act/ns/cname.php:16 pg-act/ns/dname.php:16
 #: pg-act/ns/ip.php:16 pg-act/ns/loc.php:72 pg-act/ns/mx.php:20
 #: pg-act/ns/ns.php:16 pg-act/ns/srv.php:28 pg-act/ns/sshfp.php:25
-#: pg-act/ns/tlsa.php:29 pg-act/ns/txt.php:17 pg-act/reg/ds.php:30
-#: pg-act/reg/glue.php:14 pg-act/reg/ns.php:14
+#: pg-act/ns/tlsa.php:29 pg-act/ns/txt.php:17 pg-act/reg/ds.php:12
+#: pg-act/reg/glue.php:13 pg-act/reg/ns.php:12
 msgid "Modification done."
 msgstr ""
 
-#: pg-act/ns/edit.php:17
+#: pg-act/ns/edit.php:19 pg-act/reg/edit.php:14
 #, php-format
 msgid "The zone is limited to %s characters."
 msgstr ""
 
-#: pg-act/ns/edit.php:21
+#: pg-act/ns/edit.php:23 pg-act/reg/edit.php:18
 msgid "The following line does not match the expected format: "
 msgstr ""
 
-#: pg-act/ns/edit.php:23
+#: pg-act/ns/edit.php:25 pg-act/reg/edit.php:20 pg-act/reg/edit.php:28
 #, php-format
 msgid "The %s type is not allowed."
 msgstr ""
 
-#: pg-act/ns/edit.php:38
-msgid "Sent zone content is not correct (according to <code>kzonecheck</code>)."
+#: pg-act/ns/edit.php:40 pg-act/reg/edit.php:51
+msgid "Sent content is not correct (according to <code>kzonecheck</code>)."
 msgstr ""
 
 #: pg-act/ns/sync.php:19
@@ -548,6 +564,10 @@ msgstr ""
 msgid "Zone deleted."
 msgstr ""
 
+#: pg-act/reg/edit.php:22
+msgid "A DS record expects 4 arguments."
+msgstr ""
+
 #: pg-act/reg/register.php:4 pg-act/reg/transfer.php:4
 msgid "This format of subdomain is not allowed."
 msgstr ""
@@ -596,705 +616,722 @@ msgstr ""
 msgid "Domain unregistered."
 msgstr ""
 
-#: pg-view/auth/approval.php:2
+#: pg-view/auth/approval.php:3
 msgid "This form allows to use an approval key to validate your account. Approval keys are distributed by an administrator upon request."
 msgstr ""
 
-#: pg-view/auth/approval.php:6
+#: pg-view/auth/approval.php:7
 msgid "Approval key"
 msgstr ""
 
-#: pg-view/auth/approval.php:9
+#: pg-view/auth/approval.php:10
 msgid "Use for this account"
 msgstr ""
 
-#: pg-view/auth/index.php:3
+#: pg-view/auth/index.php:4
 msgid "Account type"
 msgstr ""
 
-#: pg-view/auth/index.php:9
+#: pg-view/auth/index.php:10
 msgid "You are currently using a <strong>testing</strong> account."
 msgstr ""
 
-#: pg-view/auth/index.php:10
+#: pg-view/auth/index.php:11
 msgid "You are currently using an <strong>approved</strong> account."
 msgstr ""
 
-#: pg-view/auth/index.php:13
+#: pg-view/auth/index.php:14
 msgid "You are not logged in."
 msgstr ""
 
-#: pg-view/auth/index.php:18
+#: pg-view/auth/index.php:19
 msgid "When an account is created, it's a <em>testing</em> account. A testing account is only temporary and with limited capabilities on the services. Once the account is validated by using an approval key requested to an administrator, it becomes an <em>approved</em> account."
 msgstr ""
 
-#: pg-view/auth/index.php:21
+#: pg-view/auth/index.php:22
 msgid "Rate limit"
 msgstr ""
 
-#: pg-view/auth/index.php:25
+#: pg-view/auth/index.php:26
 #, php-format
 msgid "Your account is at %s%% of the rate limit."
 msgstr ""
 
-#: pg-view/auth/index.php:27
+#: pg-view/auth/index.php:28
 msgid "Most of the form submissions bring you closer to the rate limit. If you reach it, you need to wait in order to be able to submit forms again."
 msgstr ""
 
-#: pg-view/auth/index.php:31
+#: pg-view/auth/index.php:32
 msgid "Internal ID"
 msgstr ""
 
-#: pg-view/auth/index.php:33
+#: pg-view/auth/index.php:34
 #, php-format
 msgid "The current account's internal ID is %s."
 msgstr ""
 
-#: pg-view/auth/login.php:1
+#: pg-view/auth/login.php:2
 msgid "New?"
 msgstr ""
 
-#: pg-view/auth/login.php:1 pg-view/auth/register.php:16
+#: pg-view/auth/login.php:2 pg-view/auth/register.php:17
 msgid "Create an account"
 msgstr ""
 
-#: pg-view/auth/login.php:4 pg-view/auth/register.php:6 pg-view/ht/index.php:64
+#: pg-view/auth/login.php:5 pg-view/auth/register.php:7 pg-view/ht/index.php:65
 msgid "Username"
 msgstr ""
 
-#: pg-view/auth/login.php:8 pg-view/auth/register.php:11
-#: pg-view/ht/index.php:68
+#: pg-view/auth/login.php:9 pg-view/auth/register.php:12
+#: pg-view/ht/index.php:69
 msgid "Password"
 msgstr ""
 
-#: pg-view/auth/password.php:2 pg-view/auth/unregister.php:6
-#: pg-view/auth/username.php:2
+#: pg-view/auth/password.php:3 pg-view/auth/unregister.php:7
+#: pg-view/auth/username.php:3
 msgid "Current password"
 msgstr ""
 
-#: pg-view/auth/password.php:5
+#: pg-view/auth/password.php:6
 msgid "New password"
 msgstr ""
 
-#: pg-view/auth/password.php:8
+#: pg-view/auth/password.php:9
 msgid "Update password"
 msgstr ""
 
-#: pg-view/auth/register.php:1
+#: pg-view/auth/register.php:2
 msgid "Already have an account?"
 msgstr ""
 
-#: pg-view/auth/register.php:12
+#: pg-view/auth/register.php:13
 #, php-format
 msgid "Minimum %1$s characters, or %2$s characters if it contains lowercase, uppercase and digit."
 msgstr ""
 
-#: pg-view/auth/unregister.php:2
+#: pg-view/auth/unregister.php:3
 msgid "This will delete every resource managed by the current account, including registered domains, hosted DNS records, websites files and cryptographic keys for Onion services and DNSSEC."
 msgstr ""
 
-#: pg-view/auth/unregister.php:10
+#: pg-view/auth/unregister.php:11
 msgid "Delete the current account and everything related (required)"
 msgstr ""
 
-#: pg-view/auth/unregister.php:12 pg-view/ns/form.ns.php:4 pg-view/reg/ds.php:5
-#: pg-view/reg/glue.php:5 pg-view/reg/ns.php:5
+#: pg-view/auth/unregister.php:13 pg-view/ns/form.ns.php:5
+#: pg-view/reg/select-action.inc.php:5
 msgid "Delete"
 msgstr ""
 
-#: pg-view/auth/username.php:5
+#: pg-view/auth/username.php:6
 msgid "New username"
 msgstr ""
 
-#: pg-view/auth/username.php:8
+#: pg-view/auth/username.php:9
 msgid "Update username"
 msgstr ""
 
-#: pg-view/ht/add-dns.php:2
+#: pg-view/ht/add-dns.php:3
 msgid "A Let's Encrypt certificate will be obtained."
 msgstr ""
 
-#: pg-view/ht/add-dns.php:6
+#: pg-view/ht/add-dns.php:7
 msgid "The domain must have the following records when the form is being processed."
 msgstr ""
 
-#: pg-view/ht/add-dns.php:29 pg-view/ns/form.ns.php:8 pg-view/ns/print.php:32
-#: pg-view/ns/zone-add.php:6 pg-view/reg/ds.php:8 pg-view/reg/glue.php:8
-#: pg-view/reg/glue.php:15 pg-view/reg/ns.php:8 pg-view/reg/print.php:2
-#: pg-view/reg/print.php:16 pg-view/reg/register.php:11
-#: pg-view/reg/unregister.php:6
+#: pg-view/ht/add-dns.php:30 pg-view/ns/form.ns.php:9 pg-view/ns/print.php:33
+#: pg-view/ns/zone-add.php:7 pg-view/reg/glue.php:5 pg-view/reg/print.php:10
+#: pg-view/reg/register.php:12 pg-view/reg/select-domain.inc.php:2
+#: pg-view/reg/unregister.php:7
 msgid "Domain"
 msgstr ""
 
-#: pg-view/ht/add-dns.php:31 pg-view/ht/add-onion.php:2
-#: pg-view/ht/add-subdomain.php:8 pg-view/ht/add-subpath.php:8
+#: pg-view/ht/add-dns.php:32 pg-view/ht/add-onion.php:3
+#: pg-view/ht/add-subdomain.php:9 pg-view/ht/add-subpath.php:9
 msgid "Target directory"
 msgstr ""
 
-#: pg-view/ht/add-dns.php:40 pg-view/ht/add-onion.php:11
-#: pg-view/ht/add-subdomain.php:17 pg-view/ht/add-subpath.php:17
+#: pg-view/ht/add-dns.php:41 pg-view/ht/add-onion.php:12
+#: pg-view/ht/add-subdomain.php:18 pg-view/ht/add-subpath.php:18
 msgid "Setup access"
 msgstr ""
 
-#: pg-view/ht/add-subdomain.php:2 pg-view/reg/register.php:6
+#: pg-view/ht/add-subdomain.php:3 pg-view/reg/register.php:7
 #, php-format
 msgid "The subdomain can only contain %1$s, %2$s and %3$s, and must be between 4 and 63 characters. It can't have an hyphen (%3$s) in first, last or both third and fourth position."
 msgstr ""
 
-#: pg-view/ht/add-subdomain.php:6 pg-view/ns/form.ns.php:10
-#: pg-view/reg/glue.php:10 pg-view/reg/register.php:13
-#: pg-view/reg/transfer.php:9
+#: pg-view/ht/add-subdomain.php:7 pg-view/ns/form.ns.php:11
+#: pg-view/reg/glue.php:7 pg-view/reg/register.php:14
+#: pg-view/reg/transfer.php:10
 msgid "Subdomain"
 msgstr ""
 
-#: pg-view/ht/add-subpath.php:2
+#: pg-view/ht/add-subpath.php:3
 #, php-format
 msgid "The path can only contain %1$s, %2$s and %3$s, and must be between 4 and 63 characters."
 msgstr ""
 
-#: pg-view/ht/add-subpath.php:6
+#: pg-view/ht/add-subpath.php:7
 msgid "Path"
 msgstr ""
 
-#: pg-view/ht/del.php:2
+#: pg-view/ht/del.php:3
 msgid "Access to delete"
 msgstr ""
 
-#: pg-view/ht/del.php:13
+#: pg-view/ht/del.php:14
 #, php-format
 msgid "%1$s to %2$s"
 msgstr ""
 
-#: pg-view/ht/index.php:2
+#: pg-view/ht/index.php:3
 msgid "This service allows you to send files on the server using SFTP, and to make them publicly available with HTTP."
 msgstr ""
 
-#: pg-view/ht/index.php:8
+#: pg-view/ht/index.php:9
 msgid "Currently hosted sites"
 msgstr ""
 
-#: pg-view/ht/index.php:38
+#: pg-view/ht/index.php:39
 msgid "Adding a site access"
 msgstr ""
 
-#: pg-view/ht/index.php:40
+#: pg-view/ht/index.php:41
 #, php-format
 msgid "In order to be able to set up an HTTP site with this service, a subdirectory for this site must be created inside the SFTP space first. The name of this subdirectory can only contain %1$s, %2$s, %3$s, %4$s and %5$s."
 msgstr ""
 
-#: pg-view/ht/index.php:44
+#: pg-view/ht/index.php:45
 msgid "Connecting to the SFTP server"
 msgstr ""
 
-#: pg-view/ht/index.php:52
+#: pg-view/ht/index.php:53
 msgid "Server"
 msgstr ""
 
-#: pg-view/ht/index.php:56 pg-view/ns/srv.php:16
+#: pg-view/ht/index.php:57 pg-view/ns/srv.php:17
 msgid "Port"
 msgstr ""
 
-#: pg-view/ht/index.php:60
+#: pg-view/ht/index.php:61
 msgid "Directory"
 msgstr ""
 
-#: pg-view/ht/index.php:70
+#: pg-view/ht/index.php:71
 msgid "The one of your account"
 msgstr ""
 
-#: pg-view/ht/index.php:74
+#: pg-view/ht/index.php:75
 msgid "Authenticating the server"
 msgstr ""
 
-#: pg-view/ht/index.php:76
+#: pg-view/ht/index.php:77
 msgid "An SSHFP record is available."
 msgstr ""
 
-#: pg-view/ht/index.php:79
+#: pg-view/ht/index.php:80
 msgid "Plain public key"
 msgstr ""
 
-#: pg-view/ht/index.php:84
+#: pg-view/ht/index.php:85
 msgid "Public key fingerprint"
 msgstr ""
 
-#: pg-view/ht/index.php:89
+#: pg-view/ht/index.php:90
 msgid "ASCII art"
 msgstr ""
 
-#: pg-view/ht/index.php:102
+#: pg-view/ht/index.php:103
 msgid "A content security policy (CSP) forbids Web browsers from loading JavaScript or third-party resources."
 msgstr ""
 
-#: pg-view/ht/index.php:105
+#: pg-view/ht/index.php:106
 msgid "<code>.htaccess</code> configuration"
 msgstr ""
 
-#: pg-view/ht/index.php:107
+#: pg-view/ht/index.php:108
 msgid "You can change the way the HTTP server answers to requests in a directory by setting some directives in a file named <code>.htaccess</code> at the root of this directory. Only the following directives are allowed:"
 msgstr ""
 
-#: pg-view/ht/index.php:163
+#: pg-view/ht/index.php:164
 msgid "Accounts capabilities"
 msgstr ""
 
-#: pg-view/ht/index.php:165
+#: pg-view/ht/index.php:166
 msgid "Testing"
 msgstr ""
 
-#: pg-view/ht/index.php:168 pg-view/ht/index.php:175
+#: pg-view/ht/index.php:169 pg-view/ht/index.php:176
 #, php-format
 msgid "%s of SFTP quota"
 msgstr ""
 
-#: pg-view/ht/index.php:168 pg-view/ht/index.php:175
+#: pg-view/ht/index.php:169 pg-view/ht/index.php:176
 msgid "<abbr title=\"gibibyte\">GiB</abbr>"
 msgstr ""
 
-#: pg-view/ht/index.php:168 pg-view/ht/index.php:175
+#: pg-view/ht/index.php:169 pg-view/ht/index.php:176
 msgid "<abbr title=\"mebibyte\">MiB</abbr>"
 msgstr ""
 
-#: pg-view/ht/index.php:169
+#: pg-view/ht/index.php:170
 msgid "Let's Encrypt certificate from the staging environment (not trusted by clients)"
 msgstr ""
 
-#: pg-view/ht/index.php:172
+#: pg-view/ht/index.php:173
 msgid "Approved"
 msgstr ""
 
-#: pg-view/ht/index.php:176
+#: pg-view/ht/index.php:177
 msgid "Stable Let's Encrypt certificates"
 msgstr ""
 
-#: pg-view/ht/keys.php:2
+#: pg-view/ht/keys.php:3
 msgid "In addition to your password, you can also access your SFTP space using Ed25519 SSH keys. A key can be granted modification rights to the full space (<code>/</code>) or to any arbitrary subdirectory. A key is always  allowed to list any directory content."
 msgstr ""
 
-#: pg-view/ht/keys.php:17
+#: pg-view/ht/keys.php:18
 msgid "Add new SSH key access"
 msgstr ""
 
-#: pg-view/ht/keys.php:17
+#: pg-view/ht/keys.php:18
 msgid "SSH key access"
 msgstr ""
 
-#: pg-view/ht/keys.php:19
+#: pg-view/ht/keys.php:20
 msgid "Public key"
 msgstr ""
 
-#: pg-view/ht/keys.php:23
+#: pg-view/ht/keys.php:24
 msgid "Allowed directory"
 msgstr ""
 
-#: pg-view/ht/keys.php:30 pg-view/ns/sync.php:37
+#: pg-view/ht/keys.php:31 pg-view/ns/sync.php:38
 msgid "Update"
 msgstr ""
 
-#: pg-view/ns/caa.php:3
+#: pg-view/ns/caa.php:4
 msgid "Flag"
 msgstr ""
 
-#: pg-view/ns/caa.php:7 pg-view/ns/print.php:56
+#: pg-view/ns/caa.php:8 pg-view/ns/print.php:57
 msgid "Tag"
 msgstr ""
 
-#: pg-view/ns/caa.php:11 pg-view/ns/form.ns.php:31 pg-view/ns/print.php:35
-#: pg-view/ns/tlsa.php:37 pg-view/reg/print.php:19
+#: pg-view/ns/caa.php:12 pg-view/ns/form.ns.php:33 pg-view/ns/print.php:36
+#: pg-view/ns/tlsa.php:38 pg-view/reg/print.php:13
 msgid "Value"
 msgstr ""
 
-#: pg-view/ns/caa.php:15 pg-view/ns/cname.php:7 pg-view/ns/dname.php:7
-#: pg-view/ns/ip.php:5 pg-view/ns/loc.php:75 pg-view/ns/mx.php:11
-#: pg-view/ns/ns.php:7 pg-view/ns/srv.php:27 pg-view/ns/sshfp.php:29
-#: pg-view/ns/tlsa.php:43 pg-view/ns/txt.php:7 pg-view/reg/ds.php:56
-#: pg-view/reg/glue.php:29 pg-view/reg/ns.php:22
+#: pg-view/ns/caa.php:16 pg-view/ns/cname.php:8 pg-view/ns/dname.php:8
+#: pg-view/ns/ip.php:6 pg-view/ns/loc.php:76 pg-view/ns/mx.php:12
+#: pg-view/ns/ns.php:8 pg-view/ns/srv.php:28 pg-view/ns/sshfp.php:30
+#: pg-view/ns/tlsa.php:44 pg-view/ns/txt.php:8 pg-view/reg/ds.php:45
+#: pg-view/reg/glue.php:18 pg-view/reg/ns.php:11
 msgid "Apply"
 msgstr ""
 
-#: pg-view/ns/cname.php:3
+#: pg-view/ns/cname.php:4
 msgid "Canonical name"
 msgstr ""
 
-#: pg-view/ns/dname.php:3
+#: pg-view/ns/dname.php:4
 msgid "Delegation name"
 msgstr ""
 
-#: pg-view/ns/edit.php:2
+#: pg-view/ns/edit.php:3
 msgid "Zone to be changed"
 msgstr ""
 
-#: pg-view/ns/edit.php:12 pg-view/ns/print.php:20 pg-view/reg/print.php:11
+#: pg-view/ns/edit.php:13 pg-view/ns/print.php:21 pg-view/reg/edit.php:13
+#: pg-view/reg/print.php:5
 msgid "Display"
 msgstr ""
 
-#: pg-view/ns/edit.php:23
+#: pg-view/ns/edit.php:24
 #, php-format
-msgid "New content of the %s zone"
+msgid "Authoritative records for %s"
 msgstr ""
 
-#: pg-view/ns/edit.php:27
+#: pg-view/ns/edit.php:28 pg-view/reg/edit.php:28
 msgid "Replace"
 msgstr ""
 
-#: pg-view/ns/edit.php:38
+#: pg-view/ns/edit.php:39
 msgid "Default values"
 msgstr ""
 
-#: pg-view/ns/edit.php:40
+#: pg-view/ns/edit.php:41
 #, php-format
 msgid "If the TTL is omitted, it will default to %s seconds."
 msgstr ""
 
-#: pg-view/ns/edit.php:42
+#: pg-view/ns/edit.php:43 pg-view/reg/edit.php:41
 msgid "Precising the class (<code>IN</code>) is optional."
 msgstr ""
 
-#: pg-view/ns/edit.php:44
+#: pg-view/ns/edit.php:45
 msgid "Allowed values"
 msgstr ""
 
-#: pg-view/ns/edit.php:46
+#: pg-view/ns/edit.php:47 pg-view/reg/edit.php:43
 #, php-format
-msgid "Submitted zone content is limited to %s characters."
+msgid "Submitted field content is limited to %s characters."
 msgstr ""
 
-#: pg-view/ns/edit.php:48
+#: pg-view/ns/edit.php:49
 #, php-format
 msgid "TTLs must last between %1$s and %2$s seconds."
 msgstr ""
 
-#: pg-view/ns/edit.php:50
-msgid "The only types that can be defined are:"
+#: pg-view/ns/edit.php:51 pg-view/reg/edit.php:47
+msgid "The only types that can be defined here are:"
 msgstr ""
 
-#: pg-view/ns/form.ns.php:1 pg-view/reg/ds.php:2 pg-view/reg/glue.php:2
-#: pg-view/reg/ns.php:2
+#: pg-view/ns/form.ns.php:2 pg-view/reg/select-action.inc.php:2
 msgid "Action"
 msgstr ""
 
-#: pg-view/ns/form.ns.php:3 pg-view/ns/zone-add.php:8 pg-view/reg/ds.php:4
-#: pg-view/reg/glue.php:4 pg-view/reg/ns.php:4
+#: pg-view/ns/form.ns.php:4 pg-view/ns/zone-add.php:9
+#: pg-view/reg/select-action.inc.php:4
 msgid "Add"
 msgstr ""
 
-#: pg-view/ns/form.ns.php:15 pg-view/ns/print.php:52 pg-view/ns/zone-del.php:2
+#: pg-view/ns/form.ns.php:16 pg-view/ns/print.php:53 pg-view/ns/zone-del.php:3
 msgid "Zone"
 msgstr ""
 
-#: pg-view/ns/form.ns.php:29 pg-view/ns/print.php:33 pg-view/reg/print.php:17
+#: pg-view/ns/form.ns.php:31 pg-view/ns/print.php:34 pg-view/reg/print.php:11
 msgid "TTL"
 msgstr ""
 
-#: pg-view/ns/form.ns.php:45
+#: pg-view/ns/form.ns.php:47
 msgid "Unit"
 msgstr ""
 
-#: pg-view/ns/form.ns.php:48
+#: pg-view/ns/form.ns.php:50
 msgid "second"
 msgstr ""
 
-#: pg-view/ns/form.ns.php:49
+#: pg-view/ns/form.ns.php:51
 msgid "minute"
 msgstr ""
 
-#: pg-view/ns/form.ns.php:50
+#: pg-view/ns/form.ns.php:52
 msgid "hour"
 msgstr ""
 
-#: pg-view/ns/form.ns.php:51
+#: pg-view/ns/form.ns.php:53
 msgid "day"
 msgstr ""
 
-#: pg-view/ns/index.php:2
+#: pg-view/ns/index.php:3
 msgid "This service allows to host and manage DNS records inside a DNS zone."
 msgstr ""
 
-#: pg-view/ns/index.php:8
+#: pg-view/ns/index.php:9
 msgid "Currently hosted zones"
 msgstr ""
 
-#: pg-view/ns/index.php:26
+#: pg-view/ns/index.php:27
 msgid "A zone hosted on this service is served by these name servers:"
 msgstr ""
 
-#: pg-view/ns/ip.php:3 pg-view/reg/glue.php:26
+#: pg-view/ns/ip.php:4 pg-view/reg/glue.php:15
 msgid "IP address"
 msgstr ""
 
-#: pg-view/ns/loc.php:4
+#: pg-view/ns/loc.php:5
 msgid "Latitude"
 msgstr ""
 
-#: pg-view/ns/loc.php:6 pg-view/ns/loc.php:34
+#: pg-view/ns/loc.php:7 pg-view/ns/loc.php:35
 msgid "Degrees"
 msgstr ""
 
-#: pg-view/ns/loc.php:11 pg-view/ns/loc.php:39
+#: pg-view/ns/loc.php:12 pg-view/ns/loc.php:40
 msgid "Minutes"
 msgstr ""
 
-#: pg-view/ns/loc.php:16 pg-view/ns/loc.php:44
+#: pg-view/ns/loc.php:17 pg-view/ns/loc.php:45
 msgid "Seconds"
 msgstr ""
 
-#: pg-view/ns/loc.php:21 pg-view/ns/loc.php:49
+#: pg-view/ns/loc.php:22 pg-view/ns/loc.php:50
 msgid "Direction"
 msgstr ""
 
-#: pg-view/ns/loc.php:25
+#: pg-view/ns/loc.php:26
 msgid "North"
 msgstr ""
 
-#: pg-view/ns/loc.php:26
+#: pg-view/ns/loc.php:27
 msgid "South"
 msgstr ""
 
-#: pg-view/ns/loc.php:32
+#: pg-view/ns/loc.php:33
 msgid "Longitude"
 msgstr ""
 
-#: pg-view/ns/loc.php:53
+#: pg-view/ns/loc.php:54
 msgid "East"
 msgstr ""
 
-#: pg-view/ns/loc.php:54
+#: pg-view/ns/loc.php:55
 msgid "West"
 msgstr ""
 
-#: pg-view/ns/loc.php:59
+#: pg-view/ns/loc.php:60
 msgid "Altitude"
 msgstr ""
 
-#: pg-view/ns/loc.php:63
+#: pg-view/ns/loc.php:64
 msgid "Size"
 msgstr ""
 
-#: pg-view/ns/loc.php:67
+#: pg-view/ns/loc.php:68
 msgid "Horizontal precision"
 msgstr ""
 
-#: pg-view/ns/loc.php:71
+#: pg-view/ns/loc.php:72
 msgid "Vertical precision"
 msgstr ""
 
-#: pg-view/ns/mx.php:3 pg-view/ns/srv.php:4
+#: pg-view/ns/mx.php:4 pg-view/ns/srv.php:5
 msgid "Priority"
 msgstr ""
 
-#: pg-view/ns/mx.php:7
+#: pg-view/ns/mx.php:8
 msgid "Host"
 msgstr ""
 
-#: pg-view/ns/ns.php:3 pg-view/reg/ns.php:18
+#: pg-view/ns/ns.php:4 pg-view/reg/ns.php:7
 msgid "Name server"
 msgstr ""
 
-#: pg-view/ns/print.php:3
+#: pg-view/ns/print.php:4
 msgid "Records table"
 msgstr ""
 
-#: pg-view/ns/print.php:6
+#: pg-view/ns/print.php:7
 msgid "DS record"
 msgstr ""
 
-#: pg-view/ns/print.php:9
+#: pg-view/ns/print.php:10
 msgid "Raw zonefile"
 msgstr ""
 
-#: pg-view/ns/print.php:11
+#: pg-view/ns/print.php:12
 msgid "Selected zone"
 msgstr ""
 
-#: pg-view/ns/print.php:34 pg-view/reg/print.php:18
+#: pg-view/ns/print.php:35 pg-view/reg/print.php:12
 msgid "Type"
 msgstr ""
 
-#: pg-view/ns/print.php:60 pg-view/ns/sshfp.php:4 pg-view/reg/ds.php:22
+#: pg-view/ns/print.php:61 pg-view/ns/sshfp.php:5 pg-view/reg/ds.php:11
 msgid "Algorithm"
 msgstr ""
 
-#: pg-view/ns/print.php:64 pg-view/reg/ds.php:41
+#: pg-view/ns/print.php:65 pg-view/reg/ds.php:30
 msgid "Digest type"
 msgstr ""
 
-#: pg-view/ns/print.php:68
+#: pg-view/ns/print.php:69
 msgid "Digest"
 msgstr ""
 
-#: pg-view/ns/srv.php:10
+#: pg-view/ns/srv.php:11
 msgid "Weight"
 msgstr ""
 
-#: pg-view/ns/srv.php:22
+#: pg-view/ns/srv.php:23
 msgid "Target"
 msgstr ""
 
-#: pg-view/ns/sshfp.php:15
+#: pg-view/ns/sshfp.php:16
 msgid "Hash type"
 msgstr ""
 
-#: pg-view/ns/sshfp.php:24
+#: pg-view/ns/sshfp.php:25
 msgid "Fingerprint"
 msgstr ""
 
-#: pg-view/ns/sync.php:2
+#: pg-view/ns/sync.php:3
 #, php-format
 msgid "AAAA, A and CAA records are regularly copied from the source domain to the target domain. Their TTLs are set to %s seconds."
 msgstr ""
 
-#: pg-view/ns/sync.php:5
+#: pg-view/ns/sync.php:6
 msgid "Source domains that are not signed with DNSSEC are not synchronized. Synchronizations that remain broken may be deleted."
 msgstr ""
 
-#: pg-view/ns/sync.php:8
+#: pg-view/ns/sync.php:9
 msgid "This is meant to be used for apex domains, where CNAME records are not allowed. For non-apex domains, CNAME records should be used instead."
 msgstr ""
 
-#: pg-view/ns/sync.php:16
+#: pg-view/ns/sync.php:17
 msgid "Add new domain records to be synchronized"
 msgstr ""
 
-#: pg-view/ns/sync.php:16
+#: pg-view/ns/sync.php:17
 msgid "Synchronized domain"
 msgstr ""
 
-#: pg-view/ns/sync.php:18
+#: pg-view/ns/sync.php:19
 msgid "Source domain"
 msgstr ""
 
-#: pg-view/ns/sync.php:22
+#: pg-view/ns/sync.php:23
 msgid "Target domain"
 msgstr ""
 
-#: pg-view/ns/tlsa.php:4
+#: pg-view/ns/tlsa.php:5
 msgid "Use"
 msgstr ""
 
-#: pg-view/ns/tlsa.php:16
+#: pg-view/ns/tlsa.php:17
 msgid "Selector"
 msgstr ""
 
-#: pg-view/ns/tlsa.php:20
+#: pg-view/ns/tlsa.php:21
 msgid "the full certificate must match"
 msgstr ""
 
-#: pg-view/ns/tlsa.php:21
+#: pg-view/ns/tlsa.php:22
 msgid "the certificate public key must match"
 msgstr ""
 
-#: pg-view/ns/tlsa.php:26
+#: pg-view/ns/tlsa.php:27
 msgid "Match type"
 msgstr ""
 
-#: pg-view/ns/tlsa.php:30
+#: pg-view/ns/tlsa.php:31
 msgid "full certificate"
 msgstr ""
 
-#: pg-view/ns/txt.php:3
+#: pg-view/ns/txt.php:4
 msgid "Text"
 msgstr ""
 
-#: pg-view/ns/txt.php:5
+#: pg-view/ns/txt.php:6
 msgid "Some text…"
 msgstr ""
 
-#: pg-view/ns/zone-add.php:2
+#: pg-view/ns/zone-add.php:3
 #, php-format
 msgid "To prove that you own this domain, it must have a NS record equal to %s when the form is being processed."
 msgstr ""
 
-#: pg-view/ns/zone-del.php:11
+#: pg-view/ns/zone-del.php:12
 msgid "Delete everything related to this zone"
 msgstr ""
 
-#: pg-view/reg/ds.php:18
+#: pg-view/reg/ds.php:7
 msgid "Key tag"
 msgstr ""
 
-#: pg-view/reg/ds.php:52
+#: pg-view/reg/ds.php:41
 msgid "Key"
 msgstr ""
 
-#: pg-view/reg/glue.php:27
+#: pg-view/reg/edit.php:3
+msgid "Domain to be changed"
+msgstr ""
+
+#: pg-view/reg/edit.php:24
+#, php-format
+msgid "Delegation records for %s"
+msgstr ""
+
+#: pg-view/reg/edit.php:39
+msgid "Input values"
+msgstr ""
+
+#: pg-view/reg/edit.php:45
+#, php-format
+msgid "TTL values are ignored and always set to %s seconds."
+msgstr ""
+
+#: pg-view/reg/glue.php:16
 #, php-format
 msgid "%1$s or %2$s"
 msgstr ""
 
-#: pg-view/reg/index.php:2
+#: pg-view/reg/index.php:3
 #, php-format
 msgid "This domain name registry allows to register domains ending with <code>%1$s</code>, for instance <code><em>domain</em>%1$s</code>."
 msgstr ""
 
-#: pg-view/reg/index.php:7
+#: pg-view/reg/index.php:8
 msgid "Currently registered domains"
 msgstr ""
 
-#: pg-view/reg/index.php:27
+#: pg-view/reg/index.php:28
 msgid "Both <span aria-hidden=\"true\">⏳ </span><em>testing</em> and <span aria-hidden=\"true\">👤 </span><em>approved</em> accounts can register a domain under these suffixes:"
 msgstr ""
 
-#: pg-view/reg/index.php:38
+#: pg-view/reg/index.php:41
 msgid "Only <span aria-hidden=\"true\">👤 </span><em>approved</em> accounts can register a domain under these suffixes:"
 msgstr ""
 
-#: pg-view/reg/index.php:49
+#: pg-view/reg/index.php:54
 msgid "Nobody can register a domain under these suffixes:"
 msgstr ""
 
-#: pg-view/reg/index.php:63
+#: pg-view/reg/index.php:70
 msgid "Automatic updates from child zone"
 msgstr ""
 
-#: pg-view/reg/index.php:64
+#: pg-view/reg/index.php:71
 msgid "CSYNC records"
 msgstr ""
 
-#: pg-view/reg/index.php:66
+#: pg-view/reg/index.php:73
 msgid "The registry can synchronize NS records from the child zone if a CSYNC record is present at the apex of the child zone, has flags <code>1</code> and type bit map <code>NS</code>, and can be DNSSEC-validated. Others values are not supported."
 msgstr ""
 
-#: pg-view/reg/index.php:68
+#: pg-view/reg/index.php:75
 msgid "DNSSEC and DS records"
 msgstr ""
 
-#: pg-view/reg/index.php:70
+#: pg-view/reg/index.php:77
 msgid "Once DNSSEC has been manually enabled through the current interface, the delegated zone can publish a CDS record in order to update the DS record in the registry. A single CDS record with value <code>0 0 0 0</code> tells the registry to disable DNSSEC. Using a CDS record to enable DNSSEC is not supported."
 msgstr ""
 
-#: pg-view/reg/register.php:2
+#: pg-view/reg/register.php:3
 msgid "Register a new domain on your account."
 msgstr ""
 
-#: pg-view/reg/register.php:18 pg-view/reg/transfer.php:14
+#: pg-view/reg/register.php:19 pg-view/reg/transfer.php:15
 msgid "Suffix"
 msgstr ""
 
-#: pg-view/reg/register.php:31
+#: pg-view/reg/register.php:32
 msgid "Check availability"
 msgstr ""
 
-#: pg-view/reg/register.php:33
+#: pg-view/reg/register.php:34
 msgid "Register"
 msgstr ""
 
-#: pg-view/reg/transfer.php:2
+#: pg-view/reg/transfer.php:3
 #, php-format
 msgid "To prove that you are allowed to receive the domain by its current owner, the domain must have an NS record equal to %s when the form is being processed. The NS record will be automatically deleted once validated."
 msgstr ""
 
-#: pg-view/reg/transfer.php:7
+#: pg-view/reg/transfer.php:8
 msgid "Domain that will be transferred to this account"
 msgstr ""
 
-#: pg-view/reg/transfer.php:26
+#: pg-view/reg/transfer.php:27
 msgid "Receive the domain"
 msgstr ""
 
-#: pg-view/reg/unregister.php:2
+#: pg-view/reg/unregister.php:3
 msgid "This will unregister the domain, making it registerable by anyone again (after a delay of 1 year plus half the registration period, with a maximum of 8 years)."
 msgstr ""
 
-#: pg-view/reg/unregister.php:16
+#: pg-view/reg/unregister.php:17
 msgid "Unregister"
 msgstr ""
diff --git a/pages.php b/pages.php
index a44c333..6e567a3 100644
--- a/pages.php
+++ b/pages.php
@@ -63,6 +63,11 @@ define('PAGES', [
 			'description' => _('Print every record related to a domain and served by the registry'),
 			'tokens_account_cost' => 60,
 		],
+		'edit' => [
+			'title' => _('Edit records'),
+			'description' => _('Set registry records to delegate a domain to chosen name servers'),
+			'tokens_account_cost' => 900,
+		],
 		'ns' => [
 			'title' => sprintf(_('%s records'), '<abbr title="Name Server">NS</abbr>'),
 			'description' => sprintf(_('Indicate the name servers of a %s subdomain'), '<code>' . key(CONF['reg']['suffixes']) . '</code>'),
diff --git a/pg-act/ns/edit.php b/pg-act/ns/edit.php
index 8a27f24..66f06db 100644
--- a/pg-act/ns/edit.php
+++ b/pg-act/ns/edit.php
@@ -1,60 +1,62 @@
 <?php declare(strict_types=1);
 
-nsCheckZonePossession($_POST['zone']);
+nsCheckZonePossession($_POST['domain']);
 
-if (isset($_POST['zone-content'])) { // Update zone
+$path = CONF['ns']['knot_zones_path'] . '/' . $_POST['domain'] . 'zone';
+
+if (isset($_POST['records'])) {
 
 	// Get current SOA record
-	$current_zone_content = file_get_contents(CONF['ns']['knot_zones_path'] . '/' . $_POST['zone'] . 'zone');
+	$current_zone_content = file_get_contents($path);
 	if ($current_zone_content === false)
 		output(500, 'Unable to read zone file.');
-	if (preg_match('/^(?<soa>' . preg_quote($_POST['zone'], '/') . '[\t ]+[0-9]{1,16}[\t ]+SOA[\t ]+.+)$/Dm', $current_zone_content, $matches) !== 1)
+	if (preg_match('/^(?<soa>' . preg_quote($_POST['domain'], '/') . '[\t ]+[0-9]{1,16}[\t ]+SOA[\t ]+.+)$/Dm', $current_zone_content, $matches) !== 1)
 		output(500, 'Unable to get current SOA record from zone file.');
 
-	// Generate new zone content
+	// Generate new content
 	$new_zone_content = $matches['soa'] . LF;
-	if (strlen($_POST['zone-content']) > ZONE_MAX_CHARACTERS)
-		output(403, sprintf(_('The zone is limited to %s characters.'), ZONE_MAX_CHARACTERS));
-	foreach (explode("\r\n", $_POST['zone-content']) as $line) {
-		if ($line === '') continue;
-		if (preg_match('/^(?<domain>[a-z0-9@._-]{1,256})(?:[\t ]+(?<ttl>[0-9]{1,16}))?(?:[\t ]+IN)?[\t ]+(?<type>[A-Z]{1,16})[\t ]+(?<value>.+)$/D', $line, $matches) !== 1)
-			output(403, _('The following line does not match the expected format: ') . '<code>' . htmlspecialchars($line) . '</code>');
-		if (in_array($matches['type'], ALLOWED_TYPES, true) !== true)
+	if (strlen($_POST['records']) > NS_TEXTAREA_MAX_CHARACTERS)
+		output(403, sprintf(_('The zone is limited to %s characters.'), NS_TEXTAREA_MAX_CHARACTERS));
+	foreach (explode("\r\n", $_POST['records']) as $record) {
+		if ($record === '') continue;
+		if (preg_match('/^(?<domain>[a-z0-9@._-]{1,256})(?:[\t ]+(?<ttl>[0-9]{1,16}))?(?:[\t ]+IN)?[\t ]+(?<type>[A-Z]{1,16})[\t ]+(?<value>.+)$/D', $record, $matches) !== 1)
+			output(403, _('The following line does not match the expected format: ') . '<code>' . htmlspecialchars($record) . '</code>');
+		if (in_array($matches['type'], NS_ALLOWED_TYPES, true) !== true)
 			output(403, sprintf(_('The %s type is not allowed.'), '<code>' . $matches['type'] . '</code>'));
-		if ($matches['ttl'] !== '' AND $matches['ttl'] < MIN_TTL)
-			output(403, sprintf(_('TTLs shorter than %s seconds are forbidden.'), MIN_TTL));
-		if ($matches['ttl'] !== '' AND $matches['ttl'] > MAX_TTL)
-			output(403, sprintf(_('TTLs longer than %s seconds are forbidden.'), MAX_TTL));
-		$new_zone_content .= $matches['domain'] . ' ' . (($matches['ttl'] === '') ? DEFAULT_TTL : $matches['ttl']) . ' ' . $matches['type'] . ' ' . $matches['value'] . LF;
+		if ($matches['ttl'] !== '' AND $matches['ttl'] < NS_MIN_TTL)
+			output(403, sprintf(_('TTLs shorter than %s seconds are forbidden.'), NS_MIN_TTL));
+		if ($matches['ttl'] !== '' AND $matches['ttl'] > NS_MAX_TTL)
+			output(403, sprintf(_('TTLs longer than %s seconds are forbidden.'), NS_MAX_TTL));
+		$new_zone_content .= $matches['domain'] . ' ' . (($matches['ttl'] === '') ? NS_DEFAULT_TTL : $matches['ttl']) . ' ' . $matches['type'] . ' ' . $matches['value'] . LF;
 	}
 
 	// Send the zone content to kzonecheck's stdin
-	$process = proc_open(CONF['ns']['kzonecheck_path'] . ' --origin ' . $_POST['zone'] . ' --dnssec off -', [0 => ['pipe', 'r']], $pipes);
+	$process = proc_open(CONF['ns']['kzonecheck_path'] . ' --origin ' . escapeshellarg($_POST['domain']) . ' --dnssec off -', [0 => ['pipe', 'r']], $pipes);
 	if (is_resource($process) !== true)
 		output(500, 'Can\'t spawn kzonecheck.');
 	fwrite($pipes[0], $new_zone_content);
 	fclose($pipes[0]);
 	if (proc_close($process) !== 0)
-		output(403, _('Sent zone content is not correct (according to <code>kzonecheck</code>).'));
+		output(403, _('Sent content is not correct (according to <code>kzonecheck</code>).'));
 
 	ratelimit();
 
-	knotc(['zone-freeze', $_POST['zone']], $output, $return_code);
+	knotc(['zone-freeze', $_POST['domain']], $output, $return_code);
 	if ($return_code !== 0)
 		output(500, 'Failed to freeze zone file.', $output);
 
-	knotc(['zone-flush', $_POST['zone']], $output, $return_code);
+	knotc(['zone-flush', $_POST['domain']], $output, $return_code);
 	if ($return_code !== 0)
 		output(500, 'Failed to flush zone file.', $output);
 
-	if (file_put_contents(CONF['ns']['knot_zones_path'] . '/' . $_POST['zone'] . 'zone', $new_zone_content) === false)
+	if (file_put_contents($path, $new_zone_content) === false)
 		output(500, 'Failed to write zone file.');
 
-	knotc(['zone-reload', $_POST['zone']], $output, $return_code);
+	knotc(['zone-reload', $_POST['domain']], $output, $return_code);
 	if ($return_code !== 0)
 		output(500, 'Failed to reload zone file.', $output);
 
-	knotc(['zone-thaw', $_POST['zone']], $output, $return_code);
+	knotc(['zone-thaw', $_POST['domain']], $output, $return_code);
 	if ($return_code !== 0)
 		output(500, 'Failed to thaw zone file.', $output);
 
@@ -63,18 +65,17 @@ if (isset($_POST['zone-content'])) { // Update zone
 
 // Display zone
 
-$zone_content = file_get_contents(CONF['ns']['knot_zones_path'] . '/' . $_POST['zone'] . 'zone');
-if ($zone_content === false)
+if (($records = file_get_contents($path)) === false)
 	output(500, 'Unable to read zone file.');
 
-$data['zone_content'] = '';
-foreach (explode(LF, $zone_content) as $zone_line) {
+$data['records'] = '';
+foreach (explode(LF, $records) as $zone_line) {
 	if (empty($zone_line) OR str_starts_with($zone_line, ';'))
 		continue;
-	if (preg_match('/^(?:(?:[a-z0-9_-]{1,63}\.){1,127})?' . preg_quote($_POST['zone'], '/') . '[\t ]+[0-9]{1,8}[\t ]+(?<type>[A-Z]{1,16})[\t ]+.+$/D', $zone_line, $matches)) {
-		if (in_array($matches['type'], ALLOWED_TYPES, true) !== true)
+	if (preg_match('/^(?:(?:[a-z0-9_-]{1,63}\.){1,127})?' . preg_quote($_POST['domain'], '/') . '[\t ]+[0-9]{1,8}[\t ]+(?<type>[A-Z]{1,16})[\t ]+.+$/D', $zone_line, $matches)) {
+		if (in_array($matches['type'], NS_ALLOWED_TYPES, true) !== true)
 			continue;
-		$data['zone_content'] .= $zone_line . LF;
+		$data['records'] .= $zone_line . LF;
 	}
 }
-$data['zone_content'] .= LF;
+$data['records'] .= LF;
diff --git a/pg-act/ns/zone-add.php b/pg-act/ns/zone-add.php
index b77bc04..90fa410 100644
--- a/pg-act/ns/zone-add.php
+++ b/pg-act/ns/zone-add.php
@@ -41,15 +41,15 @@ insert('zones', [
 $knotZonePath = CONF['ns']['knot_zones_path'] . '/' . $_POST['domain'] . 'zone';
 $knotZone = implode(' ', [
 	$_POST['domain'],
-	SOA_VALUES['ttl'],
+	NS_SOA_VALUES['ttl'],
 	'SOA',
 	CONF['ns']['servers'][0],
-	SOA_VALUES['email'],
+	NS_SOA_VALUES['email'],
 	1,
-	SOA_VALUES['refresh'],
-	SOA_VALUES['retry'],
-	SOA_VALUES['expire'],
-	SOA_VALUES['negative'],
+	NS_SOA_VALUES['refresh'],
+	NS_SOA_VALUES['retry'],
+	NS_SOA_VALUES['expire'],
+	NS_SOA_VALUES['negative'],
 ]) . LF;
 foreach (CONF['ns']['servers'] as $server)
 	$knotZone .= $_POST['domain'] . ' 86400 NS ' . $server . LF;
diff --git a/pg-act/reg/ds.php b/pg-act/reg/ds.php
index 65542d9..55486f8 100644
--- a/pg-act/reg/ds.php
+++ b/pg-act/reg/ds.php
@@ -1,30 +1,12 @@
 <?php declare(strict_types=1);
 
-if (!in_array($_POST['algo'], ['8', '13', '14', '15', '16'], true))
-	output(403, 'Wrong value for <code>algo</code>.');
-
-$_POST['keytag'] = intval($_POST['keytag']);
-if ((preg_match('/^[0-9]{1,6}$/D', $_POST['keytag'])) !== 1 OR !($_POST['keytag'] >= 1) OR !($_POST['keytag'] <= 65535))
-	output(403, 'Wrong value for <code>keytag</code>.');
-
-if ($_POST['dt'] !== '2' AND $_POST['dt'] !== '4')
-	output(403, 'Wrong value for <code>dt</code>.');
-
-if (preg_match('/^(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{96})$/D', $_POST['key']) !== 1)
-	output(403, 'Wrong value for <code>key</code>.');
-
 regCheckDomainPossession($_POST['domain']);
 
 rateLimit();
 
-knotcZoneExec(regParseDomain($_POST['domain'])['suffix'], [
-	$_POST['domain'],
-	CONF['reg']['ttl'],
-	'DS',
-	$_POST['keytag'],
-	$_POST['algo'],
-	$_POST['dt'],
-	$_POST['key']
-]);
+knotcZoneExec(regParseDomain($_POST['domain'])['suffix'], regParseRecord($_POST['domain'], [
+	'type' => 'DS',
+	...$_POST,
+]));
 
 output(200, _('Modification done.'));
diff --git a/pg-act/reg/edit.php b/pg-act/reg/edit.php
new file mode 100644
index 0000000..a6c1d90
--- /dev/null
+++ b/pg-act/reg/edit.php
@@ -0,0 +1,97 @@
+<?php declare(strict_types=1);
+
+regCheckDomainPossession($_POST['domain']);
+
+$suffix = regParseDomain($_POST['domain'])['suffix'];
+
+$path = CONF['reg']['suffixes_path'] . '/' . $suffix . 'zone';
+
+if (isset($_POST['records'])) {
+
+	// Generate new content
+	$new_records = '';
+	if (strlen($_POST['records']) > REG_TEXTAREA_MAX_CHARACTERS)
+		output(403, sprintf(_('The zone is limited to %s characters.'), REG_TEXTAREA_MAX_CHARACTERS));
+	foreach (explode("\r\n", $_POST['records']) as $record) {
+		if ($record === '') continue;
+		if (preg_match('/^(?<domain>[a-z0-9@._-]{1,256})(?:[\t ]+(?<ttl>[0-9]{1,16}))?(?:[\t ]+IN)?[\t ]+(?<type>[A-Z]{1,16})[\t ]+(?<value>.+)$/D', $record, $matches) !== 1)
+			output(403, _('The following line does not match the expected format: ') . '<code>' . htmlspecialchars($record) . '</code>');
+		if (in_array($matches['type'], REG_ALLOWED_TYPES, true) !== true)
+			output(403, sprintf(_('The %s type is not allowed.'), '<code>' . $matches['type'] . '</code>'));
+		if ($matches['type'] === 'DS' AND count($record_values = explode(' ', $matches['value'])) !== 4)
+			output(403, _('A DS record expects 4 arguments.'));
+		$new_records .= implode(' ', regParseRecord($_POST['domain'], [
+			'domain' => $matches['domain'],
+			'type' => match ($matches['type']) {
+				'NS', 'DS' => $matches['type'],
+				'AAAA', 'A' => 'ip',
+				default => output(403, sprintf(_('The %s type is not allowed.'), '<code>' . $matches['type'] . '</code>')),
+			},
+			...match ($matches['type']) {
+				'NS' => ['ns' => $matches['value']],
+				'AAAA', 'A' => ['ip' => $matches['value']],
+				'DS' => array_combine([
+					'keytag',
+					'algo',
+					'dt',
+					'key',
+				], $record_values),
+			},
+		])) . LF;
+	}
+
+	// Send the zone content to kzonecheck's stdin
+	$process = proc_open(CONF['ns']['kzonecheck_path'] . ' --origin ' . escapeshellarg($suffix) . ' --dnssec off -', [0 => ['pipe', 'r']], $pipes);
+	if (is_resource($process) !== true)
+		output(500, 'Can\'t spawn kzonecheck.');
+	$new = $suffix . ' 10800 SOA invalid. invalid. 0 21600 7200 3628800 3600' . LF . $suffix . ' 10800 NS invalid.' . LF . $new_records;
+	fwrite($pipes[0], $new);
+	fclose($pipes[0]);
+	if (proc_close($process) !== 0)
+		output(403, _('Sent content is not correct (according to <code>kzonecheck</code>).'));
+
+	ratelimit();
+
+	knotc(['zone-freeze', $suffix], $output, $return_code);
+	if ($return_code !== 0)
+		output(500, 'Failed to freeze zone file.', $output);
+
+	knotc(['zone-flush', $suffix], $output, $return_code);
+	if ($return_code !== 0)
+		output(500, 'Failed to flush zone file.', $output);
+
+	if (($zone_content = file_get_contents($path)) === false)
+		output(500, 'Unable to read zone file.');
+
+	$zone_content = regStripDomain($_POST['domain'], $zone_content);
+
+	if (file_put_contents($path, $zone_content . LF . $new_records) === false)
+		output(500, 'Failed to write zone file.');
+
+	knotc(['zone-reload', $suffix], $output, $return_code);
+	if ($return_code !== 0)
+		output(500, 'Failed to reload zone file.', $output);
+
+	knotc(['zone-thaw', $suffix], $output, $return_code);
+	if ($return_code !== 0)
+		output(500, 'Failed to thaw zone file.', $output);
+
+	usleep(1000000);
+}
+
+// Display zone
+
+if (($records = file_get_contents($path)) === false)
+	output(500, 'Unable to read zone file.');
+
+$data['records'] = '';
+foreach (explode(LF, $records) as $zone_line) {
+	if (empty($zone_line) OR str_starts_with($zone_line, ';'))
+		continue;
+	if (preg_match('/^(?:(?:[a-z0-9_-]{1,63}\.){1,127})?' . preg_quote($_POST['domain'], '/') . '[\t ]+[0-9]{1,8}[\t ]+(?<type>[A-Z]{1,16})[\t ]+.+$/D', $zone_line, $matches)) {
+		if (in_array($matches['type'], REG_ALLOWED_TYPES, true) !== true)
+			continue;
+		$data['records'] .= $zone_line . LF;
+	}
+}
+$data['records'] .= LF;
diff --git a/pg-act/reg/glue.php b/pg-act/reg/glue.php
index 60177a2..c46a9ac 100644
--- a/pg-act/reg/glue.php
+++ b/pg-act/reg/glue.php
@@ -4,11 +4,10 @@ regCheckDomainPossession($_POST['domain']);
 
 rateLimit();
 
-knotcZoneExec(regParseDomain($_POST['domain'])['suffix'], [
-	formatAbsoluteDomain(formatEndWithDot($_POST['subdomain']) . $_POST['domain']),
-	CONF['reg']['ttl'],
-	checkIpFormat($_POST['ip']),
-	$_POST['ip']
-]);
+knotcZoneExec(regParseDomain($_POST['domain'])['suffix'], regParseRecord($_POST['domain'], [
+	'type' => 'ip',
+	'domain' => formatAbsoluteDomain(formatEndWithDot($_POST['subdomain']) . $_POST['domain']),
+	...$_POST,
+]));
 
 output(200, _('Modification done.'));
diff --git a/pg-act/reg/ns.php b/pg-act/reg/ns.php
index 751f86e..56b508e 100644
--- a/pg-act/reg/ns.php
+++ b/pg-act/reg/ns.php
@@ -4,11 +4,9 @@ regCheckDomainPossession($_POST['domain']);
 
 rateLimit();
 
-knotcZoneExec(regParseDomain($_POST['domain'])['suffix'], [
-	$_POST['domain'],
-	CONF['reg']['ttl'],
-	'NS',
-	formatAbsoluteDomain($_POST['ns'])
-]);
+knotcZoneExec(regParseDomain($_POST['domain'])['suffix'], regParseRecord($_POST['domain'], [
+	'type' => 'NS',
+	...$_POST,
+]));
 
 output(200, _('Modification done.'));
diff --git a/pg-view/ns/edit.php b/pg-view/ns/edit.php
index 52e399d..0e61ca6 100644
--- a/pg-view/ns/edit.php
+++ b/pg-view/ns/edit.php
@@ -1,12 +1,12 @@
 <?php declare(strict_types=1); ?>
 <form method="post">
-	<label for="zone"><?= _('Zone to be changed') ?></label>
+	<label for="domain"><?= _('Zone to be changed') ?></label>
 	<br>
-	<select required="" name="zone" id="zone">
+	<select required="" name="domain" id="domain">
 		<option value="" disabled="" selected="">-</option>
 <?php
-foreach (nsListUserZones() as $zone)
-	echo '		<option value="' . $zone . '">' . $zone . '</option>' . LF;
+foreach (nsListUserZones() as $domain)
+	echo '		<option value="' . $domain . '">' . $domain . '</option>' . LF;
 ?>
 	</select>
 	<br>
@@ -15,15 +15,15 @@ foreach (nsListUserZones() as $zone)
 
 <?php
 
-if (isset($data['zone_content'])) { // Display zone
+if (isset($data['records'])) { // Display zone
 
 ?>
 <form method="post">
-	<input type="hidden" name="zone" value="<?= $_POST['zone'] ?>">
+	<input type="hidden" name="domain" value="<?= $_POST['domain'] ?>">
 
-	<label for="zone-content"><?= sprintf(_('New content of the %s zone'), '<code><strong>' . $_POST['zone'] . '</strong></code>') ?></label>
+	<label for="zone-content"><?= sprintf(_('Authoritative records for %s'), '<code><strong>' . $_POST['domain'] . '</strong></code>') ?></label>
 	<br>
-	<textarea id="zone-content" name="zone-content" wrap="off" rows="<?= substr_count($data['zone_content'], LF) + 1 ?>"><?= htmlspecialchars($data['zone_content']) ?></textarea>
+	<textarea id="records" name="records" wrap="off" rows="<?= substr_count($data['records'], LF) + 1 ?>"><?= htmlspecialchars($data['records']) ?></textarea>
 	<br>
 	<input type="submit" value="<?= _('Replace') ?>">
 </form>
@@ -38,21 +38,21 @@ displayFinalMessage($data);
 
 <h2><?= _('Default values') ?></h2>
 
-<p><?= sprintf(_('If the TTL is omitted, it will default to %s seconds.'), '<code><time datetime="PT' . DEFAULT_TTL . 'S">' . DEFAULT_TTL . '</time></code>') ?></p>
+<p><?= sprintf(_('If the TTL is omitted, it will default to %s seconds.'), '<code><time datetime="PT' . NS_DEFAULT_TTL . 'S">' . NS_DEFAULT_TTL . '</time></code>') ?></p>
 
 <p><?= _('Precising the class (<code>IN</code>) is optional.') ?></p>
 
 <h2><?= _('Allowed values') ?></h2>
 
-<p><?= sprintf(_('Submitted zone content is limited to %s characters.'), ZONE_MAX_CHARACTERS) ?></p>
+<p><?= sprintf(_('Submitted field content is limited to %s characters.'), NS_TEXTAREA_MAX_CHARACTERS) ?></p>
 
-<p><?= sprintf(_('TTLs must last between %1$s and %2$s seconds.'), '<code><time datetime="PT' . MIN_TTL . 'S">' . MIN_TTL . '</time></code>', '<code><time datetime="PT' . MAX_TTL . 'S">' . MAX_TTL . '</time></code>') ?></p>
+<p><?= sprintf(_('TTLs must last between %1$s and %2$s seconds.'), '<code><time datetime="PT' . NS_MIN_TTL . 'S">' . NS_MIN_TTL . '</time></code>', '<code><time datetime="PT' . NS_MAX_TTL . 'S">' . NS_MAX_TTL . '</time></code>') ?></p>
 
-<p><?= _('The only types that can be defined are:') ?></p>
+<p><?= _('The only types that can be defined here are:') ?></p>
 
 <ul>
 <?php
-	foreach (ALLOWED_TYPES as $allowed_type)
+	foreach (NS_ALLOWED_TYPES as $allowed_type)
 		echo '	<li><code>' . $allowed_type . '</code></li>';
 ?>
 </ul>
diff --git a/pg-view/ns/form.ns.php b/pg-view/ns/form.ns.php
index 6cc6d25..07526cc 100644
--- a/pg-view/ns/form.ns.php
+++ b/pg-view/ns/form.ns.php
@@ -32,7 +32,7 @@ foreach ($user_zones as $zone)
 		<div>
 			<label for="ttl-value"><?= _('Value') ?></label>
 			<br>
-			<input required="" id="ttl-value" list="ttls" name="ttl-value" size="6" type="number" min="1" max="432000" value="<?= $_POST['ttl-value'] ?? DEFAULT_TTL ?>" placeholder="<?= DEFAULT_TTL ?>">
+			<input required="" id="ttl-value" list="ttls" name="ttl-value" size="6" type="number" min="1" max="432000" value="<?= $_POST['ttl-value'] ?? NS_DEFAULT_TTL ?>" placeholder="<?= NS_DEFAULT_TTL ?>">
 			<datalist id="ttls">
 				<option value="900">
 				<option value="1800">
diff --git a/pg-view/reg/edit.php b/pg-view/reg/edit.php
new file mode 100644
index 0000000..548c309
--- /dev/null
+++ b/pg-view/reg/edit.php
@@ -0,0 +1,54 @@
+<?php declare(strict_types=1); ?>
+<form method="post">
+	<label for="domain"><?= _('Domain to be changed') ?></label>
+	<br>
+	<select required="" name="domain" id="domain">
+		<option value="" disabled="" selected="">-</option>
+<?php
+foreach (regListUserDomains() as $domain)
+	echo '		<option value="' . $domain . '">' . $domain . '</option>' . LF;
+?>
+	</select>
+	<br>
+	<input type="submit" value="<?= _('Display') ?>">
+</form>
+
+<?php
+
+if (isset($data['records'])) { // Display zone
+
+?>
+<form method="post">
+	<input type="hidden" name="domain" value="<?= $_POST['domain'] ?>">
+
+	<label for="records"><?= sprintf(_('Delegation records for %s'), '<code><strong>' . $_POST['domain'] . '</strong></code>') ?></label>
+	<br>
+	<textarea id="records" name="records" wrap="off" rows="<?= substr_count($data['records'], LF) + 1 ?>"><?= htmlspecialchars($data['records']) ?></textarea>
+	<br>
+	<input type="submit" value="<?= _('Replace') ?>">
+</form>
+
+<?php
+
+}
+
+displayFinalMessage($data);
+
+?>
+
+<h2><?= _('Input values') ?></h2>
+
+<p><?= _('Precising the class (<code>IN</code>) is optional.') ?></p>
+
+<p><?= sprintf(_('Submitted field content is limited to %s characters.'), REG_TEXTAREA_MAX_CHARACTERS) ?></p>
+
+<p><?= sprintf(_('TTL values are ignored and always set to %s seconds.'), '<code><time datetime="PT' . CONF['reg']['ttl'] . 'S">' . CONF['reg']['ttl'] . '</time></code>') ?></p>
+
+<p><?= _('The only types that can be defined here are:') ?></p>
+
+<ul>
+<?php
+	foreach (REG_ALLOWED_TYPES as $allowed_type)
+		echo '	<li><code>' . $allowed_type . '</code></li>';
+?>
+</ul>