[PR #3445] [MERGED] post-SIG(0) removal simplification of message signing/verifying #3854

Closed
opened 2026-03-16 12:06:12 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/3445
Author: @cpu
Created: 1/26/2026
Status: Merged
Merged: 1/29/2026
Merged by: @cpu

Base: main ← Head: cpu-simplify-tsig_dev


📝 Commits (10+)

  • 16194d5 server: rm explicit return in blocklist store
  • c6384f5 additional SIG(0) removal comment tidying
  • 6872699 proto: demote TsigAlgorithm.output_len() visibility
  • bc426ef net: gate client message signer on dnssec
  • b2d9785 net: use builder-style for DnsMultiplexer timeout
  • dd26627 net: client/multiplexer dnssec gated signer
  • c3e8bc1 proto: move tsig modules out of dnssec
  • a0fa12d replace MessageSignature with Option for TSIG RR
  • c68db48 replace dyn MessageSigner with TSigner
  • d0a235c replace dyn MessageVerifier with TSigVerifier

📊 Changes

43 files changed (+742 additions, -824 deletions)


📝 bin/benches/comparison_benches.rs (+2 -2)
📝 bin/tests/integration/named_metrics_tests.rs (+16 -12)
📝 bin/tests/integration/named_rustls_tests.rs (+2 -2)
📝 bin/tests/integration/named_test_rsa_dnssec.rs (+1 -1)
📝 bin/tests/integration/named_tests.rs (+17 -17)
📝 bin/tests/integration/zone_handler_battery/dynamic_update.rs (+2 -4)
📝 conformance/compatibility-tests/src/tsig_tests.rs (+17 -19)
📝 conformance/compatibility-tests/src/zone_transfer.rs (+1 -1)
📝 conformance/test-server/src/main.rs (+2 -2)
📝 crates/net/src/client/mod.rs (+4 -14)
📝 crates/net/src/client/tests.rs (+1 -1)
📝 crates/net/src/tcp/tcp_client_stream.rs (+1 -1)
📝 crates/net/src/tls.rs (+1 -1)
📝 crates/net/src/udp/udp_client_stream.rs (+23 -11)
📝 crates/net/src/xfer/dns_multiplexer.rs (+50 -42)
📝 crates/proto/src/dnssec/mod.rs (+1 -5)
📝 crates/proto/src/dnssec/rdata/mod.rs (+0 -123)
📝 crates/proto/src/op/message.rs (+51 -122)
📝 crates/proto/src/op/mod.rs (+1 -4)
📝 crates/proto/src/op/update_message.rs (+4 -4)

...and 23 more files

📄 Description

Follow-up from https://github.com/hickory-dns/hickory-dns/pull/3437

Now that SIG(0) message authentication is removed we don't need the MessageSignature enum, the MessageVerifier closure type, or the MessageSigner/ResponseSigner traits.

The one catch replacing the above types for their TSIG-specific equivalents is that the indirection types were previously used both to abstract over a choice of SIG(0)/TSIG, and to avoid having to change type signatures based on __dnssec being enabled or not. General code/traits could refer to the indirection types without needing to consider the __dnssec feature, and concrete implementations could be gated behind it.

For a similar end-state with less indirection this branch instead makes more of the general TSIG types available, but gates the parts that specifically require __dnssec (e.g. MAC generation/verification), or that are only used from __dnssec gated areas of pre-existing code. This feels appropriate to me since TSIG is itself unrelated to DNSSEC, and so not a good fit for hickory-proto's top-level dnssec module.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
