Add TSIG middleware. #380
Add TSIG middleware. #380
Conversation
…tain number of bytes should be reserved (to make space for post-processing adding EDNS options to the response), and (b) strongly typed passing of arbitrary metadata between middleware that produces a type and middleware that consumes the type (e.g. a TSIG key name).
…to be part of this PR branch.
…to be part of this PR branch.
…nded to be part of this PR branch.
…nded to be part of this PR branch.
… a function is no longer possible.
… fix-edns-middleware / PR #355.
…o that a wrapper client (such as a future TSIG client) can augment the message before it gets sent.
- Added a simple UDP client that doesn't interfere with requests before sending (for TSIG testing). - Added support for receiving multiple responses (for XFR testing). - Added support for connection timeout errors - Added support for connection termination errors (for EDNS testing). - Added support for specifying the TSIG key to use (for TSIG testing). - Added support for $ORIGIN in zone file fragments. - Simplified rcode checking and use it instead of the yxrrset BADCOOKIE hack. - In memory channel changes: - Fixed a trace message that incorrectly referred to client instead of server. - Fixed a too-tight connection read loop that was preventing Tokio task switching. - Added connection shutdown detection. - Fixed incorrect setting of TCP mode to true when UDP mode was requested.
…an error message.
…t' into stelline-server-testing-changes
…t' into stelline-server-testing-changes. Update Stelline based server tests to work with new multiple response capable Rust types and alternate stream end detection mechanism.
|
For RFC 8945 compliance we also need #334. While it doesn't violate a MUST, this PR doesn't handle this at present:
|
|
That needs to listed as a limitation. Certainly for UPDATE that is something we need. |
…f available, via a new TruncationContext type. - Truncate for TCP as well as UDP. - Return ServiceError::InternalError if truncation fails. - Implement handling of ServiceError in DgramServer and stream::Connection. - Break DgramServer and stream::Connection dispatch to service code out into helper RequestDispatcher types. - Terminate the response stream if ServiceError::InternalError occurs.
Done. |
There was a problem hiding this comment.
I think that for a middleware TSIG layer it is best to reject what we cannot support at the moment. So if get_relevant_question fails then don't proceed.
After some internal discussion it seems to me that there is no reason to restrict the opcode or query type on which TSIG verification is performed. If the request has a TSIG RR and the server stack includes TSIG middleware then that middleware should verify the TSIG signature and also sign any corresponding response. So I'm going to remove this restriction entirely.
Co-authored-by: Terts Diepraam <[email protected]>
Co-authored-by: Terts Diepraam <[email protected]>
Co-authored-by: Terts Diepraam <[email protected]>
Taken from the
xfrbranch in order to split PR #335 into several smaller PRs.Notable changes:
net::server::message::Request.CloneforKey.Key::compose_len()for determining how many response bytes to reserve.From<ServerTransaction<K>> for ServerSequence<K>.tsig::ServerError::unsigned()public.Time48obey mock (predictable and controllable) time so that TSIG signing uses mock time during Stelline tests.This PR will also benefit from merging PR #334 and PR #390.