Comments (11)

pusateri commented on May 21, 2024

My Update code looks like this:

fn build_update(se: &services::ServiceEvent) -> Message
{
    use std::str::FromStr;
    use domain_core::bits::{Dname, MessageBuilder, SectionBuilder, RecordSectionBuilder};
    use domain_core::iana::opcode;
    use domain_core::iana::Rtype;

    let mut msg = MessageBuilder::new_udp();
    msg.header_mut().set_opcode(opcode::Opcode::Update);

    // Zone section
    let name = Dname::from_str(&se.subdomain).unwrap();
    msg.push((&name, Rtype::Soa)).unwrap();

    // skip prereq sections
    let msg = msg.answer();

    // add to Update section
    let mut msg = msg.authority();
    msg.push((&se.sname, 86400, se.sdata.clone())).unwrap();

    let mut msg = msg.opt().unwrap();
    
    msg.freeze()
}

For the API, I could use something like:

msg.set_tsig();

in the OPT section or would you prefer something else?

from domain.

pusateri commented on May 21, 2024

Oops, I think I remembered that wrong. It's just the last record, not in the OPT but after the OPT.

pusateri commented on May 21, 2024

Or maybe the API should be more like:

msg.push(msg.tsig());

partim commented on May 21, 2024

There are two parts to this. First you need to add core::rdata::rfc2845.rs with the Tsig record data. Once you have that, the simplest way is to push the record in the additional builder.

The more advanced version is also more complex to implement. It would take a key and some parameters (like fuzz), calculate the signature and the TSIG record, add that to the additional section, and freeze the message (assuming TSIG is always last). That would require some trait for the algorithms. I think it would look something like the one we did for rpki-rs, except it should also allow validation.

For validation, it would be cool if Message had a method to validate a TSIG and produce another Message on success.

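Added example, not part of the thread and not the domain crate's code: the signing and validation flow described in the comment above, written in Python with only the standard library, following the RFC 2845 request format with HMAC-SHA256. The function names, key and key name are hypothetical, and `verify` assumes an untruncated MAC with no other data, so the trailing TSIG record has a known length.

```python
import hashlib, hmac, struct, time

TSIG, ANY = 250, 255                  # RR type TSIG, class ANY
ALG = b"\x0bhmac-sha256\x00"          # algorithm name in wire format

def wire_name(name):
    """Canonical (lower-case, uncompressed) wire format of a domain name."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def tsig_mac(key, msg, key_name, signed_at, fudge):
    # Request digest input: the message without TSIG, then the TSIG variables
    # (key name, class, TTL, algorithm, time signed, fudge, error=0, other len=0).
    variables = (wire_name(key_name) + struct.pack("!HI", ANY, 0) + ALG
                 + struct.pack("!HIHHH", signed_at >> 32, signed_at & 0xFFFFFFFF, fudge, 0, 0))
    return hmac.new(key, msg + variables, hashlib.sha256).digest()

def sign(msg, key, key_name, now=None, fudge=300):
    """Append the TSIG record as the last additional record and bump ARCOUNT."""
    now = int(time.time()) if now is None else now
    mac = tsig_mac(key, msg, key_name, now, fudge)
    rdata = (ALG + struct.pack("!HIHH", now >> 32, now & 0xFFFFFFFF, fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG, ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify(signed, key, key_name, now=None):
    """Return the message with the TSIG record stripped, or raise ValueError."""
    now = int(time.time()) if now is None else now
    owner = wire_name(key_name)
    rr_len = len(owner) + 10 + len(ALG) + 10 + 32 + 6  # assumes full MAC, no other data
    rr = signed[-rr_len:]
    fixed = owner + struct.pack("!HHIH", TSIG, ANY, 0, rr_len - len(owner) - 10) + ALG
    if len(signed) < 12 + rr_len or signed[10:12] == b"\x00\x00" or not rr.startswith(fixed):
        raise ValueError("no TSIG record for this key at end of message")
    p = len(fixed)
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", rr[p:p + 10])
    mac, orig_id = rr[p + 10:p + 42], rr[p + 42:p + 44]
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    msg = orig_id + signed[2:10] + struct.pack("!H", arcount) + signed[12:-rr_len]
    signed_at = (hi << 32) | lo
    expected = tsig_mac(key, msg, key_name, signed_at, fudge)
    if mac_len != 32 or rr[p + 44:] != b"\x00" * 4 or not hmac.compare_digest(mac, expected):
        raise ValueError("TSIG MAC mismatch")
    if abs(now - signed_at) > fudge:  # checked only after the MAC is known good
        raise ValueError("TSIG time outside fudge window")
    return msg
```

The MAC is compared in constant time and the time window is checked only after the MAC verifies, so an unauthenticated sender cannot probe the receiver's clock through the error it gets back.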

partim commented on May 21, 2024

Addendum: If you prefer me taking a stab at the implementation, I’d be happy to. I want to get started at implementing zone signing, anyway, so this might be a good time to lay out the underlying infrastructure for swapping out signers etc.

pusateri commented on May 21, 2024

Yes, please do. I welcome the assistance.

partim commented on May 21, 2024

Quick question: Do you need to support HMAC-MD5 or is the SHA family sufficient? Background is that ring doesn’t seem to support MD5 but I would like to only depend on ring.

pusateri commented on May 21, 2024

No, I will not need MD5. Probably only use SHA-256 for the foreseeable future.

partim commented on May 21, 2024

Quick update: I have an initial implementation. Cleaning this up now and hoping to have it ready tomorrow.

pusateri commented on May 21, 2024

Nice! I will try it out at the IETF Hackathon if not before.

partim commented on May 21, 2024

This has been implemented in #16 which has been merged.
