258 lines
7.2 KiB
Go
258 lines
7.2 KiB
Go
package rfc2136
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
"strconv"
|
|
|
|
"github.com/coredns/caddy"
|
|
"github.com/coredns/coredns/core/dnsserver"
|
|
"github.com/coredns/coredns/plugin"
|
|
clog "github.com/coredns/coredns/plugin/pkg/log"
|
|
"github.com/miekg/dns"
|
|
)
|
|
|
|
// log is the package logger, scoped so messages are prefixed `[rfc2136]`.
|
|
var log = clog.NewWithPlugin("rfc2136")
|
|
|
|
func init() {
|
|
plugin.Register("rfc2136", setup)
|
|
|
|
// miekg/dns's default MsgAcceptFunc rejects UPDATE opcode messages
|
|
// with NOTIMP before they ever reach the plugin chain (see the
|
|
// comment in miekg/dns/acceptfunc.go: "Don't allow dynamic updates,
|
|
// because then the sections can contain a whole bunch of RRs").
|
|
//
|
|
// CoreDNS constructs its dns.Server instances without setting a
|
|
// per-server MsgAcceptFunc, so the package-level default is the
|
|
// one that runs. We override it here at plugin init() time -- well
|
|
// before any dns.Server starts listening -- to permit UPDATE
|
|
// through. The plugin itself does proper validation in the
|
|
// UPDATE handler, so opening this gate doesn't lower security.
|
|
dns.DefaultMsgAcceptFunc = msgAcceptFunc
|
|
}
|
|
|
|
// msgAcceptFunc mirrors miekg/dns's defaultMsgAcceptFunc but additionally
|
|
// allows OpcodeUpdate. For UPDATE messages, the conservative Ancount/
|
|
// Nscount limits in the default function don't apply -- per RFC 2136
|
|
// those sections (Prerequisite / Update) can carry many RRs.
|
|
func msgAcceptFunc(dh dns.Header) dns.MsgAcceptAction {
|
|
// Responses are silently ignored regardless of opcode (default behaviour).
|
|
if isResponse := dh.Bits&0x8000 != 0; isResponse {
|
|
return dns.MsgIgnore
|
|
}
|
|
|
|
opcode := int(dh.Bits>>11) & 0xF
|
|
switch opcode {
|
|
case dns.OpcodeQuery, dns.OpcodeNotify, dns.OpcodeUpdate:
|
|
// allowed
|
|
default:
|
|
return dns.MsgRejectNotImplemented
|
|
}
|
|
|
|
if dh.Qdcount != 1 {
|
|
return dns.MsgReject
|
|
}
|
|
|
|
// UPDATE messages legitimately carry multiple RRs in the
|
|
// Prerequisite (Ancount) and Update (Nscount) sections -- skip the
|
|
// "exactly 1" check that the default function applies for queries.
|
|
if opcode != dns.OpcodeUpdate {
|
|
if dh.Ancount > 1 {
|
|
return dns.MsgReject
|
|
}
|
|
if dh.Nscount > 1 {
|
|
return dns.MsgReject
|
|
}
|
|
}
|
|
|
|
if dh.Arcount > 2 {
|
|
return dns.MsgReject
|
|
}
|
|
return dns.MsgAccept
|
|
}
|
|
|
|
// setup is invoked by the CoreDNS plugin registry once per Corefile
|
|
// `rfc2136` directive. It parses the directive, validates that each
|
|
// declared zone has a corresponding file in zones-dir, registers
|
|
// TSIG keys with the underlying dns.Server, and links the handler
|
|
// into the plugin chain.
|
|
func setup(c *caddy.Controller) error {
|
|
p, err := parse(c)
|
|
if err != nil {
|
|
return plugin.Error("rfc2136", err)
|
|
}
|
|
if err := p.validateZoneFiles(); err != nil {
|
|
return plugin.Error("rfc2136", err)
|
|
}
|
|
|
|
cfg := dnsserver.GetConfig(c)
|
|
|
|
// Register TSIG keys with the underlying dns.Server so miekg/dns
|
|
// auto-verifies incoming signatures. We then just inspect the
|
|
// result via dns.ResponseWriter.TsigStatus() in our UPDATE handler.
|
|
if len(p.TSIGKeys) > 0 {
|
|
if cfg.TsigSecret == nil {
|
|
cfg.TsigSecret = make(map[string]string)
|
|
}
|
|
for name, key := range p.TSIGKeys {
|
|
cfg.TsigSecret[name] = base64.StdEncoding.EncodeToString(key.Secret)
|
|
}
|
|
}
|
|
|
|
cfg.AddPlugin(func(next plugin.Handler) plugin.Handler {
|
|
p.Next = next
|
|
return p
|
|
})
|
|
|
|
log.Infof("ready: zones=%v keys=%d ttl=%d dir=%q auto-commit=%t",
|
|
p.Zones, len(p.TSIGKeys), p.TTL, p.ZonesDir, p.AutoCommit)
|
|
return nil
|
|
}
|
|
|
|
// parse reads a single `rfc2136 <zone> [<zone>...] { ... }` block.
|
|
//
|
|
// Grammar:
|
|
//
|
|
// rfc2136 <zone> [<zone>...] {
|
|
// zones-dir <path> ; required
|
|
// tsig-key <name> <algorithm> <base64-secret> ; may repeat
|
|
// ttl <seconds> ; default 60
|
|
// auto-commit <true|false> ; default true
|
|
// git-author <name> <email> ; optional
|
|
// }
|
|
func parse(c *caddy.Controller) (*RFC2136, error) {
|
|
p := &RFC2136{
|
|
TSIGKeys: make(map[string]tsigKey),
|
|
TTL: DefaultTTL,
|
|
AutoCommit: true,
|
|
}
|
|
|
|
// Per-zone git author overrides. Defaults are applied later.
|
|
var gitAuthorName, gitAuthorEmail string
|
|
|
|
for c.Next() {
|
|
args := c.RemainingArgs()
|
|
if len(args) < 1 {
|
|
return nil, c.ArgErr()
|
|
}
|
|
for _, z := range args {
|
|
p.Zones = append(p.Zones, plugin.Host(z).NormalizeExact()...)
|
|
}
|
|
|
|
for c.NextBlock() {
|
|
switch c.Val() {
|
|
|
|
case "zones-dir":
|
|
dArgs := c.RemainingArgs()
|
|
if len(dArgs) != 1 {
|
|
return nil, c.ArgErr()
|
|
}
|
|
p.ZonesDir = dArgs[0]
|
|
|
|
case "tsig-key":
|
|
kArgs := c.RemainingArgs()
|
|
if len(kArgs) != 3 {
|
|
return nil, c.Errf("tsig-key requires 3 args (name algorithm secret), got %d", len(kArgs))
|
|
}
|
|
keyName := canonicalKeyName(kArgs[0])
|
|
algo, err := parseTSIGAlgorithm(kArgs[1])
|
|
if err != nil {
|
|
return nil, c.Err(err.Error())
|
|
}
|
|
secret, err := decodeTSIGSecret(kArgs[2])
|
|
if err != nil {
|
|
return nil, c.Errf("tsig-key %q: %v", keyName, err)
|
|
}
|
|
if _, exists := p.TSIGKeys[keyName]; exists {
|
|
return nil, c.Errf("duplicate tsig-key %q", keyName)
|
|
}
|
|
p.TSIGKeys[keyName] = tsigKey{Algorithm: algo, Secret: secret}
|
|
|
|
case "ttl":
|
|
tArgs := c.RemainingArgs()
|
|
if len(tArgs) != 1 {
|
|
return nil, c.ArgErr()
|
|
}
|
|
ttl, err := strconv.ParseUint(tArgs[0], 10, 32)
|
|
if err != nil {
|
|
return nil, c.Errf("ttl must be a non-negative integer: %v", err)
|
|
}
|
|
p.TTL = uint32(ttl)
|
|
|
|
case "auto-commit":
|
|
aArgs := c.RemainingArgs()
|
|
if len(aArgs) != 1 {
|
|
return nil, c.ArgErr()
|
|
}
|
|
switch aArgs[0] {
|
|
case "true", "yes", "on":
|
|
p.AutoCommit = true
|
|
case "false", "no", "off":
|
|
p.AutoCommit = false
|
|
default:
|
|
return nil, c.Errf("auto-commit must be true|false, got %q", aArgs[0])
|
|
}
|
|
|
|
case "git-author":
|
|
gArgs := c.RemainingArgs()
|
|
if len(gArgs) != 2 {
|
|
return nil, c.Errf("git-author requires 2 args (name email), got %d", len(gArgs))
|
|
}
|
|
gitAuthorName = gArgs[0]
|
|
gitAuthorEmail = gArgs[1]
|
|
|
|
default:
|
|
return nil, c.Errf("unknown directive: %s", c.Val())
|
|
}
|
|
}
|
|
}
|
|
|
|
if len(p.Zones) == 0 {
|
|
return nil, c.Err("at least one zone must be specified")
|
|
}
|
|
if p.ZonesDir == "" {
|
|
return nil, c.Err("zones-dir is required")
|
|
}
|
|
|
|
// Build zoneFile handles for each declared zone.
|
|
p.zones = make(map[string]*zoneFile, len(p.Zones))
|
|
for _, z := range p.Zones {
|
|
// Trailing dot → filename. supported.systems. → supported.systems.zone
|
|
stem := z
|
|
if l := len(stem); l > 0 && stem[l-1] == '.' {
|
|
stem = stem[:l-1]
|
|
}
|
|
path := filepath.Join(p.ZonesDir, stem+".zone")
|
|
zf := openZoneFile(path, z)
|
|
zf.AutoCommit = p.AutoCommit
|
|
if gitAuthorName != "" {
|
|
zf.GitAuthorName = gitAuthorName
|
|
}
|
|
if gitAuthorEmail != "" {
|
|
zf.GitAuthorEmail = gitAuthorEmail
|
|
}
|
|
p.zones[z] = zf
|
|
}
|
|
|
|
return p, nil
|
|
}
|
|
|
|
// validateZoneFiles ensures every configured zone has an accessible
|
|
// file on disk at the expected path. Catches typos at CoreDNS startup
|
|
// rather than the first UPDATE.
|
|
func (p *RFC2136) validateZoneFiles() error {
|
|
for zone, zf := range p.zones {
|
|
st, err := os.Stat(zf.Path)
|
|
if err != nil {
|
|
return fmt.Errorf("zone %q: file not accessible at %s: %w", zone, zf.Path, err)
|
|
}
|
|
if st.IsDir() {
|
|
return fmt.Errorf("zone %q: %s is a directory, expected a regular file", zone, zf.Path)
|
|
}
|
|
}
|
|
return nil
|
|
}
|