[PR #3437] [MERGED] remove SIG(0) message authentication #3840

Closed
opened 2026-03-16 12:05:40 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/3437
Author: @cpu
Created: 1/14/2026
Status: Merged
Merged: 1/21/2026
Merged by: @cpu

Base: main ← Head: cpu-sig0-update-rm_dev


📝 Commits (4)

  • dd5b5f2 server: add RFC 8945 comment for TSIG key filtering
  • 144a73a convert SIG(0) tests to use TSIG, DNSSEC
  • d21b155 remove SIG(0) message authentication
  • 6236a07 rework SigSigner to focus only on DNSSEC case

📊 Changes

37 files changed (+253 additions, -966 deletions)

📝 bin/src/config/tests.rs (+0 -11)
📝 bin/src/dnssec.rs (+11 -55)
📝 bin/tests/integration/named_metrics_tests.rs (+9 -11)
📝 bin/tests/integration/zone_handler_battery/dnssec.rs (+5 -9)
📝 bin/tests/integration/zone_handler_battery/dynamic_update.rs (+47 -99)
📝 conformance/dns-test/src/templates/hickory.name-server.toml.jinja (+0 -1)
📝 crates/proto/src/dnssec/mod.rs (+1 -1)
📝 crates/proto/src/dnssec/rdata/key.rs (+0 -37)
📝 crates/proto/src/dnssec/rdata/rrsig.rs (+2 -2)
📝 crates/proto/src/dnssec/rdata/sig.rs (+2 -2)
📝 crates/proto/src/dnssec/rdata/tsig.rs (+3 -3)
📝 crates/proto/src/dnssec/signer.rs (+48 -260)
📝 crates/proto/src/dnssec/tbs.rs (+1 -23)
📝 crates/proto/src/dnssec/tsig.rs (+2 -2)
📝 crates/proto/src/dnssec/verifier.rs (+1 -26)
📝 crates/proto/src/op/message.rs (+20 -141)
📝 crates/proto/src/serialize/binary/encoder.rs (+2 -28)
📝 crates/proto/src/serialize/binary/mod.rs (+1 -1)
📝 crates/server/src/store/file.rs (+2 -7)
📝 crates/server/src/store/in_memory/inner.rs (+3 -3)

...and 17 more files

📄 Description

Support for authenticating messages (e.g. updates, zone transfers) using SIG(0) sees little real-world use. Asymmetric cryptography is heavy-weight, and complex. For most purposes TSIG authentication based on symmetric cryptography is a better fit and simpler to configure/operate.

We've seen other more widely deployed authoritative nameserver implementations drop support for SIG(0) in this context (https://github.com/isc-projects/bind9/commit/bef3d2cca3552100bbe44790c8c1a4f5bef06798), so we might as well do the same. Less code to maintain is better for everyone.

There is likely additional tidying we can do next to simplify/replace the MessageSignature type, and some associated traits.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
