From 312292d06a9cb4f3b1198d7fbdee50b10bb24bc4 Mon Sep 17 00:00:00 2001 From: Miraty Date: Mon, 23 Jan 2023 01:14:59 +0100 Subject: [PATCH] feature: reg: allow multiple suffixes --- config.ini | 6 ++- fn/dns.php | 2 +- fn/reg.php | 25 +++++++++--- locales/fr/C/LC_MESSAGES/messages.po | 57 +++++++++++++++++----------- locales/messages.pot | 54 +++++++++++++++----------- pages.php | 8 ++-- pg-act/ns/edit.php | 2 +- pg-act/reg/ds.php | 2 +- pg-act/reg/glue.php | 10 ++--- pg-act/reg/ns.php | 5 +-- pg-act/reg/print.php | 2 +- pg-act/reg/register.php | 14 ++++++- pg-act/reg/transfer.php | 11 ++++-- pg-view/auth/login.php | 2 +- pg-view/index.php | 6 +-- pg-view/reg/glue.php | 2 +- pg-view/reg/index.php | 2 +- pg-view/reg/register.php | 26 +++++++++++-- pg-view/reg/transfer.php | 24 ++++++++++-- pg-view/reg/unregister.php | 2 +- view.php | 2 +- 21 files changed, 173 insertions(+), 91 deletions(-) diff --git a/config.ini b/config.ini index 896033d..1aa21c4 100644 --- a/config.ini +++ b/config.ini @@ -13,8 +13,10 @@ kdig_path = "/usr/bin/kdig" [reg] enabled = true -registry = "niver.test." -registry_file = "/srv/niver/reg/niver.test.zone" +suffixes_path = "/srv/niver/reg" +suffixes[niver.test.] = "approved" +suffixes[test.niver.test.] = "all" +suffixes[old.niver.test.] = "none" ttl = 86400 ; A local address to query the registry nameserver address = "[::1]:42053" diff --git a/fn/dns.php b/fn/dns.php index 3b3ef57..8a65cab 100644 --- a/fn/dns.php +++ b/fn/dns.php @@ -2,7 +2,7 @@ function parseZoneFile($zone_content, $types, $filter_domain = false) { $parsed_zone_content = []; - foreach(explode(LF, $zone_content) as $zone_line) { + foreach (explode(LF, $zone_content) as $zone_line) { if ($zone_line === '' OR str_starts_with($zone_line, ';')) continue; // Ignore empty lines and comments $elements = preg_split('/[\t ]+/', $zone_line, 4); diff --git a/fn/reg.php b/fn/reg.php index 26db8e0..d8f7d39 100644 --- a/fn/reg.php +++ b/fn/reg.php 
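Review bot: The three policy values assigned to `suffixes[...]` in config.ini are not explained in the file, so an operator has to read pg-act/reg/register.php to learn what each one permits. I would add a comment above the entries, for example `; Registration policy per suffix: "all" = any account, "approved" = approved accounts only, "none" = closed to new registrations`, which is how the match in register.php appears to treat them. It is also worth stating that the first entry is the one shown in page titles, because pages.php uses `key(CONF['reg']['suffixes'])`. The comment should also say that each zone file is expected at `suffixes_path/<suffix>zone`, as built in regDeleteDomain().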
@@ -15,11 +15,12 @@ function regCheckDomainPossession($domain) { function regDeleteDomain($domain) { // Delete domain from registry file - $regFile = file_get_contents(CONF['reg']['registry_file']); - if ($regFile === false) - output(500, 'Failed to read current registry File.'); - $regFile = preg_replace('/^(?:[a-z0-9._-]+\.)' . preg_quote($domain, '/') . '[\t ]+.+$/Dm', '', $regFile); - if (file_put_contents(CONF['reg']['registry_file'], $regFile) === false) + $path = CONF['reg']['suffixes_path'] . '/' . regParseDomain($domain)['suffix'] . 'zone'; + $content = file_get_contents($path); + if ($content === false) + output(500, 'Failed to read current registry file.'); + $content = preg_replace('/^(?:[a-z0-9._-]+\.)' . preg_quote($domain, '/') . '[\t ]+.+$/Dm', '', $content); + if (file_put_contents($path, $content) === false) output(500, 'Failed to write new registry file.'); // Delete from Niver's database @@ -28,3 +29,17 @@ function regDeleteDomain($domain) { 'username' => $_SESSION['id'], ]); } + +function regParseDomain($domain) { + $parts = explode('.', $domain, 2); + $subdomain = $parts[0]; + $suffix = $parts[1]; + + if (array_key_exists($suffix, CONF['reg']['suffixes']) !== true) + output(403, 'This suffix doesn\'t exist.'); + + return [ + 'subdomain' => $subdomain, + 'suffix' => $suffix, + ]; +} diff --git a/locales/fr/C/LC_MESSAGES/messages.po b/locales/fr/C/LC_MESSAGES/messages.po index fe0f022..4f329a4 100644 --- a/locales/fr/C/LC_MESSAGES/messages.po +++ b/locales/fr/C/LC_MESSAGES/messages.po @@ -1,3 +1,8 @@ +msgid "" +msgstr "" +"Content-Type: text/plain; charset=UTF-8\n" +"Language: fr\n" + #: pages.php:9 msgid "Authentication" msgstr "Authentification" 
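Review bot: In regDeleteDomain() the zone file path is now assembled from the domain being deleted, and the only thing keeping it inside `suffixes_path` is the `array_key_exists` allowlist check in regParseDomain(). That check in turn relies on output() not returning; presumably it ends the request, but it is defined outside this diff. The invariant deserves a comment at the `$path =` line, for example `// regParseDomain() only returns suffixes present in CONF['reg']['suffixes'], so $path cannot leave suffixes_path`. The function body continues past the end of this hunk.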
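Review bot: regParseDomain() reads `$parts[1]` without checking that explode() produced two elements, so a value without a dot raises an undefined-key warning and reaches the 403 only through a null lookup. A guard before the assignment makes the rejection explicit: `if (count($parts) !== 2) output(403, 'This suffix doesn\'t exist.');`. The function would also benefit from a short docblock saying that the first label is taken as the subdomain and everything after it as the suffix, and that the suffix is validated against `CONF['reg']['suffixes']`, since several callers now depend on that validation.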
@@ -267,11 +272,11 @@ msgstr "Supprimer un accès" msgid "Delete an existing HTTP access from a subdirectory of the SFTP space" msgstr "Retirer un accès HTTP existant d'un sous-dossier de l'espace SFTP" -#: router.php:120 +#: router.php:134 msgid "You need to be logged in to do this." msgstr "Vous devez être connecté·e à un compte pour faire cela." -#: router.php:122 +#: router.php:136 msgid "This account doesn't exist anymore. Log out to end this ghost session." msgstr "Ce compte n'existe plus. Déconnectez-vous pour terminer cette session fantôme." @@ -424,7 +429,7 @@ msgstr "Accès retiré." #: pg-act/ns/ip.php:14 pg-act/ns/loc.php:70 pg-act/ns/mx.php:18 #: pg-act/ns/ns.php:14 pg-act/ns/srv.php:26 pg-act/ns/sshfp.php:23 #: pg-act/ns/tlsa.php:27 pg-act/ns/txt.php:15 pg-act/reg/ds.php:30 -#: pg-act/reg/glue.php:16 pg-act/reg/ns.php:13 +#: pg-act/reg/glue.php:12 pg-act/reg/ns.php:12 msgid "Modification done." msgstr "Modification effectuée." @@ -454,7 +459,7 @@ msgstr "Cette zone existe déjà sur ce service." msgid "Parent zone's name servers not found." msgstr "Serveurs de nom de la zone parente introuvables." -#: pg-act/ns/zone-add.php:16 pg-act/reg/transfer.php:13 +#: pg-act/ns/zone-add.php:16 pg-act/reg/transfer.php:16 msgid "NS authentication record not found." msgstr "Enregistrement d'authentification NS introuvable." 
@@ -466,27 +471,27 @@ msgstr "Zone créée." msgid "Zone deleted." msgstr "Zone supprimée." -#: pg-act/reg/register.php:4 +#: pg-act/reg/register.php:4 pg-act/reg/transfer.php:4 msgid "This format of subdomain is not allowed." msgstr "Ce format de sous-domaine n'est pas autorisé." -#: pg-act/reg/register.php:9 +#: pg-act/reg/register.php:21 msgid "This domain is already registered." msgstr "Ce domain est déjà enregistré." -#: pg-act/reg/register.php:12 +#: pg-act/reg/register.php:24 msgid "This domain is reserved." msgstr "Ce domain est réservé." -#: pg-act/reg/register.php:22 +#: pg-act/reg/register.php:34 msgid "Domain registered." msgstr "Domaine enregistré." -#: pg-act/reg/transfer.php:9 +#: pg-act/reg/transfer.php:12 msgid "The current account already owns this domain." msgstr "Le compte actuel possède déjà ce domaine." -#: pg-act/reg/transfer.php:26 +#: pg-act/reg/transfer.php:29 msgid "The domain has been transferred to the current account ; the NS authentication record has been automatically deleted." msgstr "Le domaine a été transféré vers le compte actuel ; l'enregistrement d'authentification NS a été automatiquement supprimé." @@ -569,11 +574,11 @@ msgid "Stable Let's Encrypt certificates" msgstr "Vrai certificat Let's Encrypt" #: pg-view/auth/login.php:1 -msgid "Need an accout?" +msgid "New?" msgstr "Nouvele ?" -#: pg-view/auth/login.php:1 pg-view/reg/register.php:10 -msgid "Register" +#: pg-view/auth/login.php:1 pg-view/auth/register.php:14 +msgid "Create an account" msgstr "Créer un compte" #: pg-view/auth/login.php:4 pg-view/auth/register.php:4 pg-view/ht/index.php:94 
@@ -605,10 +610,6 @@ msgstr "Déjà un compte ?" msgid "Minimum %1$s characters, or %2$s characters if it contains lowercase, uppercase and digit." msgstr "Minimum %1$s caractères, ou %2$s caractères si elle contient minuscule, majuscule et chiffre." -#: pg-view/auth/register.php:14 -msgid "Create an account" -msgstr "Se créer un nouveau compte" - #: pg-view/auth/unregister.php:2 msgid "This will delete every resource managed by the current account, including registered domains, hosted DNS records, websites files and cryptographic keys for Onion services and DNSSEC." msgstr "Ceci supprimera toutes les ressources gérées par le compte actuel, y compris les domaines enregistrés, les enregistrements DNS hébergés, les fichiers des sites et les clés cryptographiques des services Onion et de DNSSEC." @@ -641,7 +642,8 @@ msgstr "Le domaine doit avoir les enregistrements suivant pendant le traitement #: pg-view/ht/add-dns.php:25 pg-view/ns/form.ns.php:8 pg-view/ns/print.php:32 #: pg-view/ns/zone-add.php:6 pg-view/reg/ds.php:8 pg-view/reg/glue.php:8 #: pg-view/reg/glue.php:15 pg-view/reg/ns.php:8 pg-view/reg/print.php:2 -#: pg-view/reg/print.php:16 pg-view/reg/unregister.php:6 +#: pg-view/reg/print.php:16 pg-view/reg/register.php:7 +#: pg-view/reg/unregister.php:6 msgid "Domain" msgstr "Domaine" @@ -656,7 +658,8 @@ msgid "Setup access" msgstr "Créer l'accès" #: pg-view/ht/add-subdomain.php:2 pg-view/ns/form.ns.php:10 -#: pg-view/reg/glue.php:10 pg-view/reg/register.php:6 +#: pg-view/reg/glue.php:10 pg-view/reg/register.php:9 +#: pg-view/reg/transfer.php:9 msgid "Subdomain" msgstr "Sous-domaine" 
@@ -1072,16 +1075,24 @@ msgstr "Domaines actuellement enregistrés" msgid "Register a new domain on your account. It must consist of between 4 and 63 letters and digits." msgstr "Enregistrer un nouveau domaine sur son compte. Il doit être composé d'entre 4 et 63 lettres et chiffres." +#: pg-view/reg/register.php:14 pg-view/reg/transfer.php:14 +msgid "Suffix" +msgstr "Suffixe" + +#: pg-view/reg/register.php:28 +msgid "Register" +msgstr "Enregistrer" + #: pg-view/reg/transfer.php:2 #, php-format msgid "To prove that you are allowed to receive the domain by its current owner, the domain must have an NS record equal to %s when the form is being processed. The NS record will be automatically deleted once validated." msgstr "Pour prouver que vous êtes autorisé à recevoir le domaine par san possessaire actuele, ledit domaine doit posséder un enregistrement NS égal à %s lors du traitement de ce formulaire. Cet enregistrement sera automatiquement retiré une fois validé." -#: pg-view/reg/transfer.php:6 -msgid "Subdomain that will be transferred to this account" -msgstr "Sous-domaine à transférer vers ce compte" +#: pg-view/reg/transfer.php:7 +msgid "Domain that will be transferred to this account" +msgstr "Domaine à transférer vers ce compte" -#: pg-view/reg/transfer.php:10 +#: pg-view/reg/transfer.php:26 msgid "Receive the domain" msgstr "Recevoir le domaine" diff --git a/locales/messages.pot b/locales/messages.pot index 0cf299d..bff598d 100644 --- a/locales/messages.pot +++ b/locales/messages.pot @@ -1,3 +1,7 @@ +msgid "" +msgstr "" +"Content-Type: text/plain; charset=UTF-8\n" + #: pages.php:9 msgid "Authentication" msgstr "" @@ -267,11 +271,11 @@ msgstr "" msgid "Delete an existing HTTP access from a subdirectory of the SFTP space" msgstr "" -#: router.php:120 +#: router.php:134 msgid "You need to be logged in to do this." msgstr "" -#: router.php:122 +#: router.php:136 msgid "This account doesn't exist anymore. Log out to end this ghost session." msgstr "" 
@@ -424,7 +428,7 @@ msgstr "" #: pg-act/ns/ip.php:14 pg-act/ns/loc.php:70 pg-act/ns/mx.php:18 #: pg-act/ns/ns.php:14 pg-act/ns/srv.php:26 pg-act/ns/sshfp.php:23 #: pg-act/ns/tlsa.php:27 pg-act/ns/txt.php:15 pg-act/reg/ds.php:30 -#: pg-act/reg/glue.php:16 pg-act/reg/ns.php:13 +#: pg-act/reg/glue.php:12 pg-act/reg/ns.php:12 msgid "Modification done." msgstr "" @@ -454,7 +458,7 @@ msgstr "" msgid "Parent zone's name servers not found." msgstr "" -#: pg-act/ns/zone-add.php:16 pg-act/reg/transfer.php:13 +#: pg-act/ns/zone-add.php:16 pg-act/reg/transfer.php:16 msgid "NS authentication record not found." msgstr "" @@ -466,27 +470,27 @@ msgstr "" msgid "Zone deleted." msgstr "" -#: pg-act/reg/register.php:4 +#: pg-act/reg/register.php:4 pg-act/reg/transfer.php:4 msgid "This format of subdomain is not allowed." msgstr "" -#: pg-act/reg/register.php:9 +#: pg-act/reg/register.php:21 msgid "This domain is already registered." msgstr "" -#: pg-act/reg/register.php:12 +#: pg-act/reg/register.php:24 msgid "This domain is reserved." msgstr "" -#: pg-act/reg/register.php:22 +#: pg-act/reg/register.php:34 msgid "Domain registered." msgstr "" -#: pg-act/reg/transfer.php:9 +#: pg-act/reg/transfer.php:12 msgid "The current account already owns this domain." msgstr "" -#: pg-act/reg/transfer.php:26 +#: pg-act/reg/transfer.php:29 msgid "The domain has been transferred to the current account ; the NS authentication record has been automatically deleted." msgstr "" @@ -569,11 +573,11 @@ msgid "Stable Let's Encrypt certificates" msgstr "" #: pg-view/auth/login.php:1 -msgid "Need an accout?" +msgid "New?" msgstr "" -#: pg-view/auth/login.php:1 pg-view/reg/register.php:10 -msgid "Register" +#: pg-view/auth/login.php:1 pg-view/auth/register.php:14 +msgid "Create an account" msgstr "" #: pg-view/auth/login.php:4 pg-view/auth/register.php:4 pg-view/ht/index.php:94 
@@ -605,10 +609,6 @@ msgstr "" msgid "Minimum %1$s characters, or %2$s characters if it contains lowercase, uppercase and digit." msgstr "" -#: pg-view/auth/register.php:14 -msgid "Create an account" -msgstr "" - #: pg-view/auth/unregister.php:2 msgid "This will delete every resource managed by the current account, including registered domains, hosted DNS records, websites files and cryptographic keys for Onion services and DNSSEC." msgstr "" @@ -641,7 +641,8 @@ msgstr "" #: pg-view/ht/add-dns.php:25 pg-view/ns/form.ns.php:8 pg-view/ns/print.php:32 #: pg-view/ns/zone-add.php:6 pg-view/reg/ds.php:8 pg-view/reg/glue.php:8 #: pg-view/reg/glue.php:15 pg-view/reg/ns.php:8 pg-view/reg/print.php:2 -#: pg-view/reg/print.php:16 pg-view/reg/unregister.php:6 +#: pg-view/reg/print.php:16 pg-view/reg/register.php:7 +#: pg-view/reg/unregister.php:6 msgid "Domain" msgstr "" @@ -656,7 +657,8 @@ msgid "Setup access" msgstr "" #: pg-view/ht/add-subdomain.php:2 pg-view/ns/form.ns.php:10 -#: pg-view/reg/glue.php:10 pg-view/reg/register.php:6 +#: pg-view/reg/glue.php:10 pg-view/reg/register.php:9 +#: pg-view/reg/transfer.php:9 msgid "Subdomain" msgstr "" 
@@ -1072,16 +1074,24 @@ msgstr "" msgid "Register a new domain on your account. It must consist of between 4 and 63 letters and digits." msgstr "" +#: pg-view/reg/register.php:14 pg-view/reg/transfer.php:14 +msgid "Suffix" +msgstr "" + +#: pg-view/reg/register.php:28 +msgid "Register" +msgstr "" + #: pg-view/reg/transfer.php:2 #, php-format msgid "To prove that you are allowed to receive the domain by its current owner, the domain must have an NS record equal to %s when the form is being processed. The NS record will be automatically deleted once validated." msgstr "" -#: pg-view/reg/transfer.php:6 -msgid "Subdomain that will be transferred to this account" +#: pg-view/reg/transfer.php:7 +msgid "Domain that will be transferred to this account" msgstr "" -#: pg-view/reg/transfer.php:10 +#: pg-view/reg/transfer.php:26 msgid "Receive the domain" msgstr "" diff --git a/pages.php b/pages.php index c7ae861..3aa4aee 100644 --- a/pages.php +++ b/pages.php @@ -43,12 +43,12 @@ define('PAGES', [ ], 'reg' => [ 'index' => [ - 'title' => '' . sprintf(_('%s registry'), '' . CONF['reg']['registry'] . ''), - 'description' => sprintf(_('Register and delegate a %s subdomain'), '' . CONF['reg']['registry'] . ''), + 'title' => '' . sprintf(_('%s registry'), '' . key(CONF['reg']['suffixes']) . ''), + 'description' => sprintf(_('Register and delegate a %s subdomain'), '' . key(CONF['reg']['suffixes']) . ''), ], 'register' => [ 'title' => _('Register domain'), - 'description' => sprintf(_('Get a %s subdomain'), '' . CONF['reg']['registry'] . ''), + 'description' => sprintf(_('Get a %s subdomain'), '' . key(CONF['reg']['suffixes']) . ''), 'tokens_account_cost' => 3600, ], 'unregister' => [ 
@@ -61,7 +61,7 @@ define('PAGES', [ ], 'ns' => [ 'title' => sprintf(_('%s records'), 'NS'), - 'description' => sprintf(_('Indicate the name servers of a %s subdomain'), '' . CONF['reg']['registry'] . ''), + 'description' => sprintf(_('Indicate the name servers of a %s subdomain'), '' . key(CONF['reg']['suffixes']) . ''), ], 'ds' => [ 'title' => sprintf(_('%s records'), 'DS'), diff --git a/pg-act/ns/edit.php b/pg-act/ns/edit.php index 80bedfe..174666b 100644 --- a/pg-act/ns/edit.php +++ b/pg-act/ns/edit.php @@ -68,7 +68,7 @@ if ($zone_content === false) output(500, 'Unable to read zone file.'); $data['zone_content'] = ''; -foreach(explode(LF, $zone_content) as $zone_line) { +foreach (explode(LF, $zone_content) as $zone_line) { if (empty($zone_line) OR str_starts_with($zone_line, ';')) continue; if (preg_match('/^(?:(?:[a-z0-9_-]{1,63}\.){1,127})?' . preg_quote($_POST['zone'], '/') . '[\t ]+[0-9]{1,8}[\t ]+(?[A-Z]{1,16})[\t ]+.+$/D', $zone_line, $matches)) { diff --git a/pg-act/reg/ds.php b/pg-act/reg/ds.php index df13b74..0b6710e 100644 --- a/pg-act/reg/ds.php +++ b/pg-act/reg/ds.php @@ -17,7 +17,7 @@ if ($_POST['dt'] !== '2' AND $_POST['dt'] !== '4') regCheckDomainPossession($_POST['zone']); -knotcZoneExec(CONF['reg']['registry'], [ +knotcZoneExec(regParseDomain($_POST['zone'])['suffix'], [ $_POST['zone'], CONF['reg']['ttl'], 'DS', diff --git a/pg-act/reg/glue.php b/pg-act/reg/glue.php index 8e2e4b8..2b4e7c7 100644 --- a/pg-act/reg/glue.php +++ b/pg-act/reg/glue.php @@ -2,14 +2,10 @@ regCheckDomainPossession($_POST['suffix']); -$domain = formatAbsoluteDomain(formatEndWithDot($_POST['subdomain']) . $_POST['suffix']); - -$record = checkIpFormat($_POST['ip']); - -knotcZoneExec(CONF['reg']['registry'], [ - $domain, +knotcZoneExec(regParseDomain($_POST['suffix'])['suffix'], [ + formatAbsoluteDomain(formatEndWithDot($_POST['subdomain']) . $_POST['suffix']), CONF['reg']['ttl'], - $record, + checkIpFormat($_POST['ip']), $_POST['ip'] ]); 
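Review bot: In pg-act/reg/glue.php the word "suffix" now carries two meanings in one expression: `$_POST['suffix']` appears to be the registered domain whose possession was just checked, while `regParseDomain(...)['suffix']` is the registry zone it belongs to. Naming the result first, for example `$registry_zone = regParseDomain($_POST['suffix'])['suffix'];` with a one-line comment, would make it clear which zone knotcZoneExec() modifies. The same applies to the pg-act/reg/ds.php hunk, where the zone is derived from `$_POST['zone']`.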
diff --git a/pg-act/reg/ns.php b/pg-act/reg/ns.php index 551b4a6..3da9608 100644 --- a/pg-act/reg/ns.php +++ b/pg-act/reg/ns.php @@ -1,13 +1,12 @@ NULL, + 'approved' => match ($_SESSION['type']) { + 'approved' => NULL, + default => output(403, 'The current account type is not allowed to register in this suffix.'), + }, + default => output(403, 'This suffix is not open to registration.'), +}; + +$domain = formatAbsoluteDomain($_POST['subdomain'] . '.' . $_POST['suffix']); if (query('select', 'registry', ['domain' => $domain], 'domain') !== []) output(403, _('This domain is already registered.')); diff --git a/pg-act/reg/transfer.php b/pg-act/reg/transfer.php index b63e768..ab90167 100644 --- a/pg-act/reg/transfer.php +++ b/pg-act/reg/transfer.php @@ -1,9 +1,12 @@ $_SESSION['id'], 'domain' => $domain], 'domain') !== []) output(403, _('The current account already owns this domain.')); @@ -17,7 +20,7 @@ checkAuthToken($matches['salt'], $matches['hash']); DB->prepare('UPDATE registry SET username = :username WHERE domain = :domain') ->execute([':username' => $_SESSION['id'], ':domain' => $domain]); -knotcZoneExec(CONF['reg']['registry'], [ +knotcZoneExec($_POST['suffix'], [ $domain, 'NS', $matches['salt'] . '-' . $matches['hash'] . '._transfer-verification.' . SERVER_NAME . '.' diff --git a/pg-view/auth/login.php b/pg-view/auth/login.php index c3f472c..1adf3be 100644 --- a/pg-view/auth/login.php +++ b/pg-view/auth/login.php @@ -1,4 +1,4 @@ -
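Review bot: Nothing visible in pg-act/reg/register.php prevents `$domain` from being equal to another configured suffix. The config.ini in this commit defines both `niver.test.` and `test.niver.test.`, so the label `test` under `niver.test.` names the child registry zone itself. The reserved-name check sits outside the visible part of this hunk, so this may already be handled. If it is not, a check after `$domain` is built would close it, such as `if (array_key_exists($domain, CONF['reg']['suffixes'])) output(403, _('This domain is reserved.'));`. The two new 403 messages are also passed to output() without `_()`, unlike the neighbouring ones, and have no entry in messages.pot.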
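Review bot: The `knotcZoneExec($_POST['suffix'], [` call in pg-act/reg/transfer.php passes the request value directly as the zone name. The ds.php and glue.php hunks in this commit instead go through regParseDomain(), which rejects any suffix not configured in `CONF['reg']['suffixes']`. The top of this file is not visible on this page, so the value may already be validated there; using `knotcZoneExec(regParseDomain($domain)['suffix'], [` would make the check certain and keep the call sites consistent. It is also worth confirming whether a transfer into a suffix whose policy is `"none"` or `"approved"` should pass the same account-type check as a registration.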

+


diff --git a/pg-view/index.php b/pg-view/index.php index 4a301f3..29bb9b9 100644 --- a/pg-view/index.php +++ b/pg-view/index.php @@ -4,19 +4,19 @@
- +
- +
- +
diff --git a/pg-view/reg/glue.php b/pg-view/reg/glue.php index 1f4db4e..d1aab56 100644 --- a/pg-view/reg/glue.php +++ b/pg-view/reg/glue.php @@ -17,7 +17,7 @@ diff --git a/pg-view/reg/index.php b/pg-view/reg/index.php index 5167f15..dc2f138 100644 --- a/pg-view/reg/index.php +++ b/pg-view/reg/index.php @@ -1,5 +1,5 @@

- %1$s, for instance domain%1$s.'), '.' . CONF['reg']['registry']) ?> + %1$s, for instance domain%1$s.'), '.' . key(CONF['reg']['suffixes'])) ?>

diff --git a/pg-view/reg/register.php b/pg-view/reg/register.php index cf59131..2ec9a67 100644 --- a/pg-view/reg/register.php +++ b/pg-view/reg/register.php @@ -3,9 +3,27 @@

- -
- . -
+
+ +
+ +
+ +
+
+ +
+ +
+
+
diff --git a/pg-view/reg/transfer.php b/pg-view/reg/transfer.php index 381938a..2c2bb0a 100644 --- a/pg-view/reg/transfer.php +++ b/pg-view/reg/transfer.php @@ -3,9 +3,25 @@

- -
- . -
+
+ +
+ +
+ +
+
+ +
+ +
+
+
diff --git a/pg-view/reg/unregister.php b/pg-view/reg/unregister.php index eb28ab1..7ac771b 100644 --- a/pg-view/reg/unregister.php +++ b/pg-view/reg/unregister.php @@ -8,7 +8,7 @@ diff --git a/view.php b/view.php index c7f596d..fa39724 100644 --- a/view.php +++ b/view.php @@ -3,7 +3,7 @@ <?php - foreach(array_reverse(TITLES_LINEAGE) as $id => $title) + foreach (array_reverse(TITLES_LINEAGE) as $id => $title) echo strip_tags($title) . (array_key_last(TITLES_LINEAGE) === $id ? '' : ' < '); ?>