rsp2k/coredns-rfc2136
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
coredns-rfc2136/plugin.go
Ryan Malloy 1cca9a5aa7 Phase 1.3: in-memory store + ServeDNS query dispatch 
ServeDNS now answers authoritatively for the configured zone(s):
- Apex SOA → synthetic SOA (serial = store generation counter)
- Apex NS  → synthetic NS pointing at p.Nameserver
- In-store lookups for any qtype
- NODATA vs NXDOMAIN correctly distinguished (SOA in authority section)
- UPDATE opcode → REFUSED (Phase 1.4 implements properly)
- Queries outside our zones pass through to Next

Added:
- store.go: recordStore with sync.RWMutex + atomic generation counter.
  Operations: Add (de-dupes), RemoveRRset, RemoveRR, RemoveName, Lookup
  (returns a copy so callers can't corrupt internal state), NameExists.
  All keyed on canonical lowercase + trailing-dot names.
- plugin.go: ServeDNS dispatch, findZone (longest-suffix match),
  syntheticSOA, syntheticNS. New Nameserver field.
- setup.go: nameserver directive. Default Nameserver = first zone apex.
  Store initialised at parse time.
- store_test.go: 12 unit tests covering add/dedupe/remove/lookup/
  generation/case-insensitivity/copy-safety.
- plugin_test.go: 10 dispatch tests covering pass-through, apex
  synthetics, in-store lookups, NXDOMAIN/NODATA semantics, UPDATE
  refusal, findZone longest-suffix-wins and case behavior.
- setup_test.go: 3 new cases for the nameserver directive + store init.

Total: 38 tests passing.

Module: git.supported.systems/rsp2k/coredns-rfc2136
2026-05-21 10:37:48 -06:00

214 lines
6.6 KiB
Go
Raw Blame History

// Package rfc2136 implements a CoreDNS plugin that accepts dynamic DNS
// updates per RFC 2136 (UPDATE opcode), authenticated via TSIG. The
// primary use case is self-hosted ACME DNS-01 cert automation: an ACME
// client (e.g. Caddy via caddy-dns/rfc2136) injects _acme-challenge TXT
// records into a delegated sub-zone that this plugin serves.
//
// Phase 1.3 status: store + query dispatch. ServeDNS now answers
// authoritatively for the configured zone(s) from the in-memory store
// (plus synthetic SOA/NS at apex). UPDATE handling still rejected —
// that lands in Phase 1.4. See plan at
//
// ~/.claude/plans/dood-does-coredns-offer-enumerated-piglet.md
package rfc2136
import (
"context"
"strings"
"github.com/coredns/coredns/plugin"
"github.com/miekg/dns"
)
// DefaultTTL is the TTL applied to dynamically-added records when the
// Corefile doesn't specify one. 60s matches the short-lived nature of
// ACME challenge TXT records and keeps stale answers from lingering in
// resolver caches.
const DefaultTTL uint32 = 60
// RFC2136 is the plugin handler. One instance per Corefile server block.
type RFC2136 struct {
// Next is the downstream plugin in the chain.
Next plugin.Handler
// Zones is the set of canonical (dot-terminated, lowercase) zone
// names this instance is authoritative for. Queries outside these
// zones pass through to Next.
Zones []string
// TSIGKeys is keyed by canonical key name (lowercased, trailing
// dot). Empty means TSIG is disabled — UPDATEs without TSIG are
// rejected unconditionally in Phase 1.4.
TSIGKeys map[string]tsigKey
// TTL is applied to dynamically-injected records that don't carry
// an explicit TTL in the UPDATE message.
TTL uint32
// PersistPath, when non-empty, names a file the plugin writes a
// JSON snapshot of its in-memory store to on a periodic schedule.
// Empty means in-memory only (acceptable for ACME challenges).
PersistPath string
// Nameserver is the host returned in synthetic NS records and as
// the SOA's MNAME. Defaults (set in setup) to the first zone apex.
Nameserver string
// store holds the dynamic records. Always non-nil after setup.
store *recordStore
}
// Name implements plugin.Handler.
func (p *RFC2136) Name() string { return "rfc2136" }
// ServeDNS implements plugin.Handler.
//
// Dispatch:
//
// UPDATE opcode → rejected with REFUSED (Phase 1.4 implements properly).
// Query opcode:
// - Not in our zones → pass to Next.
// - Apex SOA → synthetic SOA.
// - Apex NS → synthetic NS.
// - Match in store → return RRset.
// - Name exists, wrong type → NODATA (NOERROR + SOA in authority).
// - Name doesn't exist → NXDOMAIN (NameError + SOA in authority).
func (p *RFC2136) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) {
if r.Opcode == dns.OpcodeUpdate {
// Phase 1.4 will dispatch to update handler. For now, refuse
// loudly so clients know the plugin is loaded but not yet
// accepting updates.
return p.refuseUpdate(w, r)
}
if len(r.Question) == 0 {
return plugin.NextOrFailure(p.Name(), p.Next, ctx, w, r)
}
q := r.Question[0]
zone := p.findZone(q.Name)
if zone == "" {
return plugin.NextOrFailure(p.Name(), p.Next, ctx, w, r)
}
// We're authoritative for this name. Build a reply.
msg := new(dns.Msg)
msg.SetReply(r)
msg.Authoritative = true
qname := strings.ToLower(dns.Fqdn(q.Name))
isApex := qname == zone
// Apex SOA / NS are synthetic.
if isApex {
switch q.Qtype {
case dns.TypeSOA:
msg.Answer = []dns.RR{p.syntheticSOA(zone)}
_ = w.WriteMsg(msg)
return dns.RcodeSuccess, nil
case dns.TypeNS:
msg.Answer = p.syntheticNS(zone)
_ = w.WriteMsg(msg)
return dns.RcodeSuccess, nil
}
}
// Look up the asked type in the store.
if rrs := p.store.Lookup(qname, q.Qtype); rrs != nil {
msg.Answer = rrs
_ = w.WriteMsg(msg)
return dns.RcodeSuccess, nil
}
// Special case: ANY at the apex isn't in the store but we have
// synthetic SOA + NS. Return them rather than NODATA.
if isApex && q.Qtype == dns.TypeANY {
msg.Answer = append(msg.Answer, p.syntheticSOA(zone))
msg.Answer = append(msg.Answer, p.syntheticNS(zone)...)
_ = w.WriteMsg(msg)
return dns.RcodeSuccess, nil
}
// Distinguish NODATA from NXDOMAIN.
if p.store.NameExists(qname) || isApex {
// NODATA: name exists, but not with this type.
msg.Ns = []dns.RR{p.syntheticSOA(zone)}
_ = w.WriteMsg(msg)
return dns.RcodeSuccess, nil
}
// NXDOMAIN: name doesn't exist anywhere in this zone.
msg.Rcode = dns.RcodeNameError
msg.Ns = []dns.RR{p.syntheticSOA(zone)}
_ = w.WriteMsg(msg)
return dns.RcodeNameError, nil
}
// refuseUpdate returns REFUSED for UPDATE messages until Phase 1.4
// wires the proper UPDATE handler. We keep a dedicated method so the
// "this plugin doesn't yet accept updates" path is searchable in logs.
func (p *RFC2136) refuseUpdate(w dns.ResponseWriter, r *dns.Msg) (int, error) {
log.Warningf("UPDATE opcode received but Phase 1.4 not yet implemented — refusing")
msg := new(dns.Msg)
msg.SetRcode(r, dns.RcodeRefused)
_ = w.WriteMsg(msg)
return dns.RcodeRefused, nil
}
// findZone returns the longest matching zone for qname, or "" if qname
// is outside all configured zones. The returned zone is in canonical
// form (lowercase, trailing dot).
func (p *RFC2136) findZone(qname string) string {
qname = strings.ToLower(dns.Fqdn(qname))
// Longest-suffix wins so nested zones work correctly.
var best string
for _, z := range p.Zones {
if qname == z || strings.HasSuffix(qname, "."+z) {
if len(z) > len(best) {
best = z
}
}
}
return best
}
// syntheticSOA returns the SOA RR for a zone. Serial is derived from
// the store's monotonic generation counter — every UPDATE bumps it,
// so downstream observers can detect "something changed" without
// having to AXFR.
func (p *RFC2136) syntheticSOA(zone string) *dns.SOA {
return &dns.SOA{
Hdr: dns.RR_Header{
Name: zone,
Rrtype: dns.TypeSOA,
Class: dns.ClassINET,
Ttl: p.TTL,
},
Ns: p.Nameserver,
Mbox: "admin." + zone,
Serial: uint32(p.store.generation()),
Refresh: 3600, // 1 hour
Retry: 600, // 10 min
Expire: 604800, // 1 week
Minttl: 60, // negative-cache TTL
}
}
// syntheticNS returns the NS RRset for a zone. Currently a single NS
// pointing at p.Nameserver (the host that runs this plugin). For
// resiliency, future versions could accept multiple `nameserver`
// directives.
func (p *RFC2136) syntheticNS(zone string) []dns.RR {
return []dns.RR{
&dns.NS{
Hdr: dns.RR_Header{
Name: zone,
Rrtype: dns.TypeNS,
Class: dns.ClassINET,
Ttl: p.TTL,
},
Ns: p.Nameserver,
},
}
}
Reference in New Issue View Git Blame Copy Permalink