Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pass DNS Msg via context into TSIG Verify and Generate functions #1348

Closed
wants to merge 2 commits into from
Closed

Pass DNS Msg via context into TSIG Verify and Generate functions #1348

wants to merge 2 commits into from

Conversation

Fattouche
Copy link
Contributor

This gives the server operator a lot more flexibility as to how they manage the verification and generation of tsigs.
The test TestServerRoundtripTsigProvider displays some of these possibilities.

For example:

  1. Establish a sync.RWMutex on the secret map so that secrets can be dynamically updated even after the server has been started.
  2. Establish more granular secret maps. I.E to ensure that many zones can share TSIG names without collisions in the map.

You could do other things like have zone specific verification or generation.

Fixes #1347

@Fattouche
Add context to server handler interfaces (#2)
66beab3 
This allows server operators to pass data from the read decorators to the actual DNS handlers.

An example use case where this is needed is when there is any proxying service between eyeball and DNS server. In order
to preserve the client IP, the proxy server might have to use PROXY protocol v2. If you don't have a context you can read and see
the client IPs in the decoraters but your handler will not know this information and therefore might not be able to do things like:

1. Block IPs
2. Verify TSIGs based off specific IP
3. Respond with TSIGs based off source IP
4. Respond with different answers based of IP location

Apart from knowing the source IP, there is other situations where you might want to pass information parsed in the read decorators to the handler.
@Fattouche
Pass DNS Msg via context into TSIG Verify and Generate functions
c56bd76 
This gives the server operator a lot more flexibility as to how they manage the verification and generation of tsigs.
The test TestServerRoundtripTsigProvider displays some of these possibilities.

For example:

1. Establish a sync.RWMutex on the secret map so that secrets can be dynamically updated even after the server has been started.
2. Establish more granular secret maps. I.E to ensure that many zones can share TSIG names without collisions in the map.

You could do other things like have zone specific verification or generation.
tmthrgd
tmthrgd requested changes Mar 11, 2022
View reviewed changes
Copy link
Collaborator

@tmthrgd tmthrgd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't backwards compatible.

@miekg
Copy link
Owner

miekg commented Mar 12, 2022

context.Context is a good way to cancel functions, using is to smuggle extra parameter into a function is not.

@miekg miekg closed this Mar 12, 2022
@Fattouche
Copy link
Contributor Author

This isn't backwards compatible.

I'm trying to solve #1331 (comment). Surely there must be a way to get the zoneName inside Generate() function, however it seems that after calling TsigBuffer it's non trivial. I don't want to break signatures, but preventing TSIGs from having duplicate names across different zones is far too strict IMO.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tmthrgd tmthrgd tmthrgd requested changes

@miekg miekg Awaiting requested review from miekg miekg is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TSIGProvider Generate and Verify functions don't have access to the DNS Message
3 participants
@Fattouche @miekg @tmthrgd