generate docs and address feedback

Signed-off-by: Lee Briggs <lee@leebriggs.co.uk>

Author: jaxxstorm

cmd/tscli/set/dns/nameservers/cli.go

@@ -1,10 +1,10 @@
-// cmd/tscli/set/nameservers/cli.go
+// cmd/tscli/set/dns/nameservers/cli.go
 //
-// `tscli set nameservers --nameserver 1.1.1.1 --nameserver https://dns.google/dns-query`
+// `tscli set dns nameservers --nameserver 1.1.1.1 --nameserver https://dns.google/dns-query`
 // Replace the tailnet-wide DNS nameserver list with IPs or DoH endpoints.
 //
-// If you pass an empty slice (`--nameserver ""`) the custom list is removed
-// and Tailscale falls back to its defaults.
+// If you pass `--nameserver ""`, the custom list is removed and Tailscale
+// falls back to its defaults.
 package nameservers
 
 import (
@@ -29,7 +29,7 @@ func Command() *cobra.Command {
 		Aliases: []string{"ns"},
 		Short:   "Set the DNS nameservers for the tailnet",
 		PersistentPreRunE: func(cmd *cobra.Command, _ []string) error {
-			if len(ns) == 0 {
+			if !cmd.Flags().Lookup("nameserver").Changed {
 				return fmt.Errorf("at least one --nameserver is required")
 			}
 			for _, nameserver := range ns {
@@ -46,7 +46,12 @@ func Command() *cobra.Command {
 				return err
 			}
 
-			body := map[string][]string{"dns": ns}
+			nameservers := ns
+			if len(nameservers) == 0 {
+				nameservers = []string{}
+			}
+
+			body := map[string][]string{"dns": nameservers}
 
 			var resp json.RawMessage // <- receives the body untouched
 			if _, err := tscli.Do(
@@ -70,7 +75,7 @@ func Command() *cobra.Command {
 		&ns,
 		"nameserver", "N",
 		nil,
-		"DNS nameserver IP or DoH endpoint (repeatable). Example: --nameserver 1.1.1.1 --nameserver https://dns.google/dns-query",
+		"DNS nameserver IP or DoH endpoint (repeatable). Use --nameserver \"\" to clear the custom list.",
 	)
 	_ = cmd.MarkFlagRequired("nameserver")
 

cmd/tscli/set/dns/split/cli.go

@@ -1,18 +1,18 @@
-// cmd/tscli/set/splitdns/cli.go
+// cmd/tscli/set/dns/split/cli.go
 //
 // Replace *or* patch the split-DNS mapping.
 //
 //	# add two nameservers for example.com, one DoH endpoint for other.com
-//	tscli set splitdns \
+//	tscli set dns split-dns \
 //	   --entry example.com=1.1.1.1 \
 //	   --entry example.com=8.8.8.8 \
 //	   --entry other.com=https://dns.google/dns-query
 //
 //	# clear a single domain (entry with empty RHS)
-//	tscli set splitdns --entry stale.com=
+//	tscli set dns split-dns --entry stale.com=
 //
 //	# replace the whole mapping (PUT, drop everything else)
-//	tscli set splitdns --replace --entry corp.local=10.0.0.53
+//	tscli set dns split-dns --replace --entry corp.local=10.0.0.53
 package split
 
 import (
@@ -36,7 +36,7 @@ var domainRE = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9\.\-]*\.[a-zA-Z]{2,}$`)
 // Command registers `tscli set dns split-dns`.
 func Command() *cobra.Command {
 	var (
-		entries []string // domain=ip (repeatable, one per IP)
+		entries []string // domain=nameserver (repeatable, one per nameserver)
 		replace bool
 	)
 
@@ -47,7 +47,7 @@ func Command() *cobra.Command {
 
 		PersistentPreRunE: func(cmd *cobra.Command, _ []string) error {
 			if !cmd.Flags().Lookup("entry").Changed {
-				return fmt.Errorf("at least one --entry is required (domain=ip)")
+				return fmt.Errorf("at least one --entry is required (domain=nameserver)")
 			}
 			return nil
 		},
@@ -61,24 +61,24 @@ func Command() *cobra.Command {
 			for _, e := range entries {
 				parts := strings.SplitN(e, "=", 2)
 				if len(parts) != 2 {
-					return fmt.Errorf("invalid --entry %q (expect domain=ip)", e)
+					return fmt.Errorf("invalid --entry %q (expect domain=nameserver)", e)
 				}
-				dom, ip := strings.ToLower(parts[0]), parts[1]
+				dom, nameserver := strings.ToLower(parts[0]), parts[1]
 
 				if !domainRE.MatchString(dom) {
 					return fmt.Errorf("invalid domain: %q", dom)
 				}
 
 				// empty RHS → clear this domain
-				if ip == "" {
+				if nameserver == "" {
 					payload[dom] = nil
 					continue
 				}
 
-				if err := cldns.ValidateNameserver(ip); err != nil {
-					return fmt.Errorf("invalid nameserver %q for %s", ip, dom)
+				if err := cldns.ValidateNameserver(nameserver); err != nil {
+					return fmt.Errorf("invalid nameserver %q for %q", nameserver, dom)
 				}
-				tmp[dom] = append(tmp[dom], ip)
+				tmp[dom] = append(tmp[dom], nameserver)
 			}
 
 			// merge temp slices unless domain already set to nil
@@ -122,7 +122,7 @@ func Command() *cobra.Command {
 		&entries,
 		"entry", "e",
 		nil,
-		`Mapping "domain=nameserver". Repeat --entry for multiple IP/DoH values or domains. Set an empty value to clear.`,
+		`Mapping "domain=nameserver". Repeat --entry for multiple IP or DoH endpoint values. Set an empty value to clear.`,
 	)
 	cmd.Flags().BoolVar(&replace, "replace", false,
 		"Replace the entire mapping (PUT) instead of patching (PATCH).")

docs/commands/tscli_set_dns_nameservers.md

@@ -12,7 +12,7 @@ tscli set dns nameservers [flags]
 
 ```
   -h, --help                 help for nameservers
-  -N, --nameserver strings   DNS nameserver IP (repeatable). Example: --nameserver 1.1.1.1 --nameserver 8.8.8.8
+  -N, --nameserver strings   DNS nameserver IP or DoH endpoint (repeatable). Use --nameserver "" to clear the custom list.
 ```
 
 ### Options inherited from parent commands

docs/commands/tscli_set_dns_split-dns.md

@@ -11,7 +11,7 @@ tscli set dns split-dns [flags]
 ### Options
 
 ```
-  -e, --entry stringArray   Mapping "domain=ip". Repeat --entry for multiple IPs or domains. Set an empty IP to clear.
+  -e, --entry stringArray   Mapping "domain=nameserver". Repeat --entry for multiple IP or DoH endpoint values. Set an empty value to clear.
   -h, --help                help for split-dns
       --replace             Replace the entire mapping (PUT) instead of patching (PATCH).
 ```

pkg/dns/nameserver.go

@@ -4,28 +4,44 @@ import (
 	"fmt"
 	"net"
 	"net/url"
+	"strconv"
 	"strings"
 )
 
 // ValidateNameserver accepts either a literal IP address or a valid HTTPS DoH endpoint.
 func ValidateNameserver(value string) error {
+	if value == "" {
+		return nil
+	}
+
 	if net.ParseIP(value) != nil {
 		return nil
 	}
 
 	parsed, err := url.Parse(value)
 	if err != nil {
-		return fmt.Errorf("invalid nameserver: %s", value)
+		return invalidNameserverError(value)
 	}
 	if parsed.Scheme != "https" {
-		return fmt.Errorf("invalid nameserver: %s", value)
+		return invalidNameserverError(value)
 	}
 	if parsed.Host == "" || parsed.Hostname() == "" {
-		return fmt.Errorf("invalid nameserver: %s", value)
+		return invalidNameserverError(value)
 	}
 	if strings.Contains(parsed.Host, " ") {
-		return fmt.Errorf("invalid nameserver: %s", value)
+		return invalidNameserverError(value)
+	}
+
+	if parsed.Port() != "" {
+		port, err := strconv.ParseUint(parsed.Port(), 10, 16)
+		if err != nil || port > 65535 {
+			return invalidNameserverError(value)
+		}
 	}
 
 	return nil
 }
+
+func invalidNameserverError(value string) error {
+	return fmt.Errorf("invalid nameserver %q", value)
+}

pkg/dns/nameserver_test.go

@@ -12,9 +12,11 @@ func TestValidateNameserver(t *testing.T) {
 	}{
 		{name: "ipv4", value: "1.1.1.1", valid: true},
 		{name: "ipv6", value: "2606:4700:4700::1111", valid: true},
+		{name: "empty clears list", value: "", valid: true},
 		{name: "doh base", value: "https://dns.google/dns-query", valid: true},
 		{name: "doh with path and query", value: "https://dns.nextdns.io/abcd12?device=test", valid: true},
 		{name: "http rejected", value: "http://dns.google/dns-query", valid: false},
+		{name: "invalid port rejected", value: "https://dns.google:65536/dns-query", valid: false},
 		{name: "missing host rejected", value: "https:///dns-query", valid: false},
 		{name: "nonsense rejected", value: "not-a-nameserver", valid: false},
 	}

test/cli/dns_nameserver_validation_test.go

@@ -22,15 +22,24 @@ func TestSetDNSNameserversValidation(t *testing.T) {
 			name: "accepts doh nameserver",
 			args: []string{"set", "dns", "nameservers", "--nameserver", "https://dns.google/dns-query"},
 		},
+		{
+			name: "accepts empty nameserver to clear list",
+			args: []string{"set", "dns", "nameservers", "--nameserver", ""},
+		},
 		{
 			name:        "rejects malformed nameserver",
 			args:        []string{"set", "dns", "nameservers", "--nameserver", "dns.google"},
-			errContains: "invalid nameserver",
+			errContains: `invalid nameserver "dns.google"`,
 		},
 		{
 			name:        "rejects non-https doh nameserver",
 			args:        []string{"set", "dns", "nameservers", "--nameserver", "http://dns.google/dns-query"},
-			errContains: "invalid nameserver",
+			errContains: `invalid nameserver "http://dns.google/dns-query"`,
+		},
+		{
+			name:        "rejects out of range doh port",
+			args:        []string{"set", "dns", "nameservers", "--nameserver", "https://dns.google:65536/dns-query"},
+			errContains: `invalid nameserver "https://dns.google:65536/dns-query"`,
 		},
 	}
 
@@ -71,7 +80,12 @@ func TestSetDNSSplitValidation(t *testing.T) {
 		{
 			name:        "rejects invalid nameserver entry",
 			args:        []string{"set", "dns", "split-dns", "--entry", "corp.example.com=dns.google"},
-			errContains: "invalid nameserver",
+			errContains: `invalid nameserver "dns.google"`,
+		},
+		{
+			name:        "rejects malformed entry shape",
+			args:        []string{"set", "dns", "split-dns", "--entry", "corp.example.com"},
+			errContains: `expect domain=nameserver`,
 		},
 	}
 
@@ -120,6 +134,24 @@ func TestSetDNSNameserverDoHValuesReachAPI(t *testing.T) {
 		}
 	})
 
+	t.Run("nameservers clear list", func(t *testing.T) {
+		mock := apimock.New(t)
+		mock.AddJSON(http.MethodPost, "/dns/nameservers", http.StatusOK, map[string]any{"dns": []string{}})
+
+		res := executeCLI(t, []string{"set", "dns", "nameservers", "--nameserver", ""}, map[string]string{"TSCLI_BASE_URL": mock.URL()})
+		if res.err != nil {
+			t.Fatalf("unexpected error: %v\nstderr:\n%s", res.err, res.stderr)
+		}
+
+		reqs := mock.Requests()
+		if len(reqs) == 0 {
+			t.Fatalf("expected request to mock API, got none")
+		}
+		if !strings.Contains(reqs[0].Body, `"dns":[]`) {
+			t.Fatalf("expected request body to send an empty list, got %s", reqs[0].Body)
+		}
+	})
+
 	t.Run("split dns", func(t *testing.T) {
 		mock := apimock.New(t)
 		mock.AddJSON(http.MethodPatch, "/dns/split-dns", http.StatusOK, apimock.DNSSplitConfig())