[PR #1459] [MERGED] Add support for TSIG #2337

Closed
opened 2026-03-16 08:48:23 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/1459
Author: @trinity-1686a
Created: 4/15/2021
Status: Merged
Merged: 5/26/2021
Merged by: @bluejekyll

Base: main ← Head: tsig


📝 Commits (10+)

  • 5e7ec6d sign XFR queries
  • 9a3f465 add TSIG record type
  • 5988ef2 add support for tsig on Message
  • 6d0f527 add actual mac computation
  • c67d41e Add support for TSIG to client
  • ab9cca5 fix https and mdns clients and tests
  • 981af86 add tests and doc-comments
  • 4064d39 fix minimal version violation and fix intra-doc links
  • 8bdc44c try to add tsig test against bind
  • 8a19440 add mac verification

📊 Changes

36 files changed (+1753 additions, -81 deletions)


📝 Cargo.lock (+90 -0)
📝 Makefile.toml (+1 -1)
📝 bin/tests/named_test_rsa_dnssec.rs (+1 -1)
📝 crates/client/src/client/async_client.rs (+1 -1)
📝 crates/client/src/client/client.rs (+20 -4)
📝 crates/client/src/client/client_connection.rs (+40 -1)
📝 crates/client/src/client/mod.rs (+1 -0)
📝 crates/client/src/https_client_connection.rs (+1 -2)
📝 crates/client/src/multicast/mdns_client_connection.rs (+1 -2)
📝 crates/client/src/op/mod.rs (+4 -1)
📝 crates/client/src/rr/dnssec/signer.rs (+12 -4)
📝 crates/client/src/rr/mod.rs (+1 -0)
➕ crates/client/src/rr/tsig.rs (+356 -0)
📝 crates/client/src/tcp/tcp_client_connection.rs (+1 -2)
📝 crates/client/src/udp/udp_client_connection.rs (+1 -1)
📝 crates/proto/Cargo.toml (+2 -0)
📝 crates/proto/src/op/message.rs (+102 -26)
📝 crates/proto/src/op/mod.rs (+3 -1)
📝 crates/proto/src/rr/rdata/mod.rs (+2 -0)
📝 crates/proto/src/rr/rdata/sshfp.rs (+1 -1)

...and 16 more files

📄 Description

This PR attempts to fix #14

⚠️ This PR contains breaking changes.

What was done:

  • change logic for what gets signed, sign AXFR/IXFR queries and Notify messages, in addition to Update messages, as they often need signing too.
  • add code related to TSIG RR
  • add code related to auth code computation (add dependencies to hmac and sha2)
  • add support for sending signed requests on client
  • some tests, including against BIND
  • validate server answers as per RFC8945 5.3.1

What will probably not be done:

  • changes on the server-side. I don't need that right now, so I will probably not work on it, unless it ends up necessary for proper testing

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
