#!/usr/bin/env bash
#
# onx-dnssec-disable — Disable DNSSEC for a zone
#
# Stdin:  {"zone":"example.com"}
# Stdout: {"ok":true,"zone":"...","note":"..."}
# Stderr: {"error":"...","code":N} on failure (exit status = code)

# Unset variables are errors, and a pipeline fails when any stage fails.
# errexit (-e) is deliberately not enabled: failures are handled explicitly
# with `|| die` further down.
set -u
set -o pipefail

die() {
    local msg="$1" code="${2:-3}"
    msg="${msg//\\/\\\\}"; msg="${msg//\"/\\\"}"
    printf '{"error":"%s","code":%d}\n' "$msg" "$code" >&2
    exit "$code"
}

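# Read the whole request from stdin; fall back to an empty object when stdin
# cannot be read.
INPUT=$(cat 2>/dev/null || echo '{}')

# jq both parses the request and builds the reply. Without this check a missing
# jq would leave ZONE empty and be misreported as "zone gerekli".
command -v jq >/dev/null 2>&1 || die "jq yok" 2

# printf rather than echo: echo may treat a payload that looks like one of its
# options as an option instead of data.
ZONE=$(printf '%s' "$INPUT" | jq -r '.zone // ""')
[[ -z "$ZONE" ]] && die "zone gerekli" 1

# The zone name comes from the caller and is handed to pdnsutil as a
# command-line argument; a value starting with "-" would be parsed as a
# pdnsutil option rather than as a zone name, so refuse it up front.
[[ "$ZONE" == -* ]] && die "geçersiz zone" 1

command -v pdnsutil >/dev/null 2>&1 || die "pdnsutil yok" 2
pdnsutil show-zone "$ZONE" >/dev/null 2>&1 || die "Zone yok: $ZONE" 2

# Operational caveat: while the parent zone still publishes DS records,
# validating resolvers treat an unsigned zone as bogus and fail its lookups.
# The DS records should be withdrawn at the registrar and their TTL allowed to
# expire BEFORE this step runs; the note in the reply only reminds the caller
# after the fact.
#
# Redirect order matters: stdout first, then stderr onto it. The reverse order
# ("2>&1 >/dev/null") would send pdnsutil's error text to this script's stdout
# and corrupt the JSON reply contract.
pdnsutil disable-dnssec "$ZONE" >/dev/null 2>&1 || die "disable-dnssec başarısız" 3

jq -nc --arg zone "$ZONE" \
    '{ok:true,zone:$zone,note:"DNSSEC pasifleştirildi. Registrar panelindeki DS kayıtlarını da silin."}'

exit 0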
