[PR #3060] [MERGED] Authenticated AXFR policy, TSIG response signing #3527

New issue

Closed

opened 2026-03-16 11:48:32 +03:00 by kerem · 0 comments

kerem commented

2026-03-16 11:48:32 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/3060
Author: @cpu
Created: 6/17/2025
Status: ✅ Merged
Merged: 6/25/2025
Merged by: @djc

Base: main ← Head: cpu-axfr-auth_dev

📝 Commits (7)

ca6b0a2 server/store: add SqliteAuthority independent AxfrPolicy
a177f1d add AxfrPolicy::AllowSigned, impl in SqliteAuthority
1e3ca30 server: allow authorities to optionally sign some responses
1035ac0 proto: reorder items in tsig module
a40307d proto: extract TSIG::stub() constructor
634edf0 server/store: SqliteAuthority sign responses to auth'd queries
632bbea integration-tests: SqliteAuthority update/AXFR check resp. sig.

📊 Changes

22 files changed (+1090 additions, -283 deletions)

View changed files

📝 bin/tests/integration/authority_battery/basic.rs (+53 -18)
📝 bin/tests/integration/authority_battery/dnssec.rs (+8 -2)
📝 bin/tests/integration/authority_battery/dynamic_update.rs (+43 -17)
📝 crates/proto/src/dnssec/rdata/tsig.rs (+78 -65)
📝 crates/proto/src/dnssec/tsig.rs (+184 -10)
📝 crates/proto/src/op/message.rs (+6 -0)
📝 crates/server/src/authority/authority.rs (+23 -4)
📝 crates/server/src/authority/authority_object.rs (+40 -10)
📝 crates/server/src/authority/catalog.rs (+50 -14)
📝 crates/server/src/authority/message_request.rs (+1 -3)
📝 crates/server/src/authority/message_response.rs (+5 -0)
📝 crates/server/src/store/blocklist.rs (+32 -20)
📝 crates/server/src/store/file.rs (+15 -6)
📝 crates/server/src/store/forwarder.rs (+19 -9)
📝 crates/server/src/store/in_memory/mod.rs (+35 -17)
📝 crates/server/src/store/recursor.rs (+19 -9)
📝 crates/server/src/store/sqlite/mod.rs (+157 -41)
📝 tests/integration-tests/tests/integration/catalog_tests.rs (+37 -0)
📝 tests/integration-tests/tests/integration/chained_authority_tests.rs (+25 -12)
📝 tests/integration-tests/tests/integration/client_future_tests.rs (+3 -1)

...and 2 more files

📄 Description

👋 This branch is a continuation of some work started in https://github.com/hickory-dns/hickory-dns/pull/2977 and https://github.com/hickory-dns/hickory-dns/pull/2982 There's two primary changes for the authoritative server binary included (broken up into smaller individual commits for reviewability):

The existing allow_axfr bool is replaced with an enum, AxfrPolicy, that has three possible values: AxfrPolicy::Deny (equivalent to allow_axfr = false), AxfrPolicy::AllowAll (equivalent to allow_axfr = true), and AxfrPolicy::AllowSigned (a new addition not able to be expressed with the bool). The AllowSigned policy requires the DNSSEC feature and allows AXFR requests iff they present a valid SIG(0) or TSIG signature over the request. The SqliteAuthority is then updated to perform the required signature verification (no other authority implementations have implemented signature validation at this time).
The catalog/authority code is updated to allow an authority processing an update request, or an AXFR query, to optionally return a closure that can be used to produce a MessageSignature for the response delivered to the ResponseHandler. This allows addressing an oversight in the initial TSIG authentication implementation that neglected to sign the responses as mandated by RFC 8945. This requires that we change some trait definitions (for the new optional return type) and to consume the full Request instead of the slimmer RequestInfo as a parameter.

The TSIG response signing process is a little bit nuanced: firstly, it takes part of the authenticated request as input (the request's TSIG MAC). Additionally it may produce both signed and unsigned TSIG RR message signatures for a response. In the happy path we always produce a TSIG RR with a computed MAC. In the error paths we may produce what the RFC calls an "unsigned" response. This is a TSIG RR that has an empty MAC, and a TSIG error RCODE. One error condition (an expired request TSIG signature) produces a signed error response (e.g. a TSIG RR that has both a valid MAC and a TSIG error RCODE).

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/hickory-dns/hickory-dns/pull/3060 **Author:** [@cpu](https://github.com/cpu) **Created:** 6/17/2025 **Status:** ✅ Merged **Merged:** 6/25/2025 **Merged by:** [@djc](https://github.com/djc) **Base:** `main` ← **Head:** `cpu-axfr-auth_dev` --- ### 📝 Commits (7) - [`ca6b0a2`](https://github.com/hickory-dns/hickory-dns/commit/ca6b0a2f77685e7851d48cdf050833258e79aa7d) server/store: add SqliteAuthority independent AxfrPolicy - [`a177f1d`](https://github.com/hickory-dns/hickory-dns/commit/a177f1d305e7045d212a949cd777b3df0e216179) add AxfrPolicy::AllowSigned, impl in SqliteAuthority - [`1e3ca30`](https://github.com/hickory-dns/hickory-dns/commit/1e3ca30e4e052cd2303a6a0c18c2ff425c022fe0) server: allow authorities to optionally sign some responses - [`1035ac0`](https://github.com/hickory-dns/hickory-dns/commit/1035ac00cc9966c120d8b6efde72061269e08057) proto: reorder items in tsig module - [`a40307d`](https://github.com/hickory-dns/hickory-dns/commit/a40307d1a52beab9964d32be61025a5944ab098a) proto: extract TSIG::stub() constructor - [`634edf0`](https://github.com/hickory-dns/hickory-dns/commit/634edf075828bc5828e40dc08891ee8dded572f2) server/store: SqliteAuthority sign responses to auth'd queries - [`632bbea`](https://github.com/hickory-dns/hickory-dns/commit/632bbea651bb1fc17c02fab79ea34e04abefa370) integration-tests: SqliteAuthority update/AXFR check resp. sig. ### 📊 Changes **22 files changed** (+1090 additions, -283 deletions) <details> <summary>View changed files</summary> 📝 `bin/tests/integration/authority_battery/basic.rs` (+53 -18) 📝 `bin/tests/integration/authority_battery/dnssec.rs` (+8 -2) 📝 `bin/tests/integration/authority_battery/dynamic_update.rs` (+43 -17) 📝 `crates/proto/src/dnssec/rdata/tsig.rs` (+78 -65) 📝 `crates/proto/src/dnssec/tsig.rs` (+184 -10) 📝 `crates/proto/src/op/message.rs` (+6 -0) 📝 `crates/server/src/authority/authority.rs` (+23 -4) 📝 `crates/server/src/authority/authority_object.rs` (+40 -10) 📝 `crates/server/src/authority/catalog.rs` (+50 -14) 📝 `crates/server/src/authority/message_request.rs` (+1 -3) 📝 `crates/server/src/authority/message_response.rs` (+5 -0) 📝 `crates/server/src/store/blocklist.rs` (+32 -20) 📝 `crates/server/src/store/file.rs` (+15 -6) 📝 `crates/server/src/store/forwarder.rs` (+19 -9) 📝 `crates/server/src/store/in_memory/mod.rs` (+35 -17) 📝 `crates/server/src/store/recursor.rs` (+19 -9) 📝 `crates/server/src/store/sqlite/mod.rs` (+157 -41) 📝 `tests/integration-tests/tests/integration/catalog_tests.rs` (+37 -0) 📝 `tests/integration-tests/tests/integration/chained_authority_tests.rs` (+25 -12) 📝 `tests/integration-tests/tests/integration/client_future_tests.rs` (+3 -1) _...and 2 more files_ </details> ### 📄 Description :wave: This branch is a continuation of some work started in https://github.com/hickory-dns/hickory-dns/pull/2977 and https://github.com/hickory-dns/hickory-dns/pull/2982 There's two primary changes for the authoritative server binary included (broken up into smaller individual commits for reviewability): 1. The existing `allow_axfr` bool is replaced with an enum, `AxfrPolicy`, that has three possible values: `AxfrPolicy::Deny` (equivalent to `allow_axfr = false`), `AxfrPolicy::AllowAll` (equivalent to `allow_axfr = true`), and `AxfrPolicy::AllowSigned` (a new addition not able to be expressed with the `bool`). The `AllowSigned` policy requires the DNSSEC feature and allows AXFR requests iff they present a valid SIG(0) or TSIG signature over the request. The `SqliteAuthority` is then updated to perform the required signature verification (no other authority implementations have implemented signature validation at this time). 2. The catalog/authority code is updated to allow an authority processing an update request, or an AXFR query, to optionally return a closure that can be used to produce a `MessageSignature` for the response delivered to the `ResponseHandler`. This allows addressing an oversight in the initial TSIG authentication implementation that neglected to sign the responses as mandated by RFC 8945. This requires that we change some trait definitions (for the new optional return type) and to consume the full `Request` instead of the slimmer `RequestInfo` as a parameter. The TSIG response signing process is a little bit nuanced: firstly, it takes part of the authenticated request as input (the request's TSIG MAC). Additionally it may produce both signed and unsigned TSIG RR message signatures for a response. In the happy path we always produce a TSIG RR with a computed MAC. In the error paths we may produce what the RFC calls an "unsigned" response. This is a TSIG RR that has an empty MAC, and a TSIG error RCODE. One error condition (an expired request TSIG signature) produces a signed error response (e.g. a TSIG RR that has both a valid MAC and a TSIG error RCODE). --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>