rsp2k/coredns-rfc2136
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
coredns-rfc2136/plugin.go
Ryan Malloy 8e421f925e C1/C2/M9: tighten security boundary at handleUpdate 
C1 — Document the process-global MsgAcceptFunc mutation:
CoreDNS 1.14.3 doesn't expose per-Config MsgAcceptFunc (server.go:159
hardcodes the dns.Server struct), so the override has to be global. The
init()-level comment now explains the operational consequences in
detail, and setup() emits a loud INFO log calling out the global scope
for operator audit. Upstream support for per-Config MsgAcceptFunc would
let us delete the whole stanza.

C2 — handleUpdate now requires the caller to assert TSIG verification
via an explicit `verified bool` parameter. The security contract is
encoded in the function signature, not in convention. ServeDNS passes
verified=true after checkTSIG succeeds; verified=false produces an
immediate Refused with no state mutation. Future internal callers
(NOTIFY relay, admin RPC, refactor) physically cannot reach the
mutation code without proving the request was authenticated.

M9 — Don't sign TSIG-failure rejection responses. Per Hamilton's
finding, signing a rejection with the named key attests "yes, this
server holds that key" — useful intel for an attacker probing key
existence. Unsigned Refused is the right shape: nsupdate sees "no TSIG
on reply" and treats as auth failure, which is what actually happened.

New test TestUpdate_UnverifiedCaller_Refused proves the C2 contract:
handleUpdate(w, msg, false) refuses, zone file unchanged.
2026-05-22 21:18:47 -06:00

95 lines
3.5 KiB
Go
Raw Blame History

// Package rfc2136 is a CoreDNS plugin that accepts dynamic DNS updates
// per RFC 2136 (UPDATE opcode), authenticated via TSIG, and applies
// them to on-disk zone files. This is the right shape for stacks where
// the operator wants to keep zones in flat files (perhaps under git,
// with HE pulling AXFR), but also wants programmatic updates from
// clients like Caddy's caddy-dns/rfc2136 module.
//
// The plugin does NOT serve any queries — that's the job of the
// `auto`/`file` plugin running alongside it. This plugin's only
// responsibility is the UPDATE opcode path: verify TSIG, dissect the
// UPDATE, write the zone file, bump the SOA serial, optionally
// auto-commit to git. CoreDNS's auto plugin notices the mtime change
// and re-serves the zone within its reload interval.
//
// See the plan at
// ~/.claude/plans/dood-does-coredns-offer-enumerated-piglet.md
// for the architectural rationale.
package rfc2136
import (
"context"
"github.com/coredns/coredns/plugin"
"github.com/miekg/dns"
)
// DefaultTTL is applied to dynamically-added records whose UPDATE
// messages carry TTL=0. 60s matches the short-lived nature of ACME
// challenge records and keeps stale answers from lingering in
// resolver caches.
const DefaultTTL uint32 = 60
// RFC2136 is the plugin handler. One instance per Corefile server block.
type RFC2136 struct {
// Next is the downstream plugin in the chain — queries always
// pass through; only UPDATE opcode is intercepted.
Next plugin.Handler
// Zones is the set of canonical (dot-terminated, lowercase) zone
// names this instance accepts UPDATEs for. UPDATEs for any other
// zone are rejected with NOTAUTH.
Zones []string
// TSIGKeys is keyed by canonical key name (lowercased, trailing
// dot). Empty means TSIG is disabled — UPDATEs are refused
// unconditionally as a safety default.
TSIGKeys map[string]tsigKey
// TTL is applied to dynamically-injected records that don't carry
// an explicit TTL in the UPDATE message.
TTL uint32
// ZonesDir is the directory where <zone>.zone files live (matching
// the mount path inside the CoreDNS container). The plugin reads
// and writes files at <ZonesDir>/<zone>.zone.
ZonesDir string
// AutoCommit governs whether the plugin auto-commits zone-file
// changes to git after every successful UPDATE.
AutoCommit bool
// zones holds per-zone file handlers, keyed by canonical zone name.
// Populated in setup; mutexes live inside each zoneFile.
zones map[string]*zoneFile
}
// Name implements plugin.Handler.
func (p *RFC2136) Name() string { return "rfc2136" }
// ServeDNS implements plugin.Handler.
//
// Dispatch:
//
// UPDATE opcode → verify TSIG, then apply via the UPDATE handler.
// Anything else → pass through to Next (the auto plugin handles
// queries against the zone files we maintain).
func (p *RFC2136) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) {
if r.Opcode == dns.OpcodeUpdate {
if err := p.checkTSIG(w, r); err != nil {
log.Warningf("UPDATE rejected: %v", err)
resp := new(dns.Msg)
resp.SetRcode(r, dns.RcodeRefused)
// Do NOT sign rejection responses. Signing a refusal with
// the named key would attest the key exists on this server
// (Hamilton M9). Unsigned Refused is the right shape — the
// client sees "no TSIG on reply" and treats that as auth
// failure, which is correct because auth DID fail.
_ = w.WriteMsg(resp)
return dns.RcodeRefused, nil
}
return p.handleUpdate(w, r, true)
}
return plugin.NextOrFailure(p.Name(), p.Next, ctx, w, r)
}
Reference in New Issue View Git Blame Copy Permalink