starred/hickory-dns
1
0
Fork 0
mirror of https://github.com/hickory-dns/hickory-dns.git synced 2026-04-25 03:05:51 +03:00
Code Issues 373 Projects Releases 6 Packages Wiki Activity

[GH-ISSUE #205] Create Proto crate: better SoC for Signer/Verifier, KeyPair/PublicKey, etc. #389

New issue
Closed
opened 2026-03-15 22:15:27 +03:00 by kerem · 11 comments
kerem commented 2026-03-15 22:15:27 +03:00
Owner
Copy link

Originally created by @briansmith on GitHub (Sep 24, 2017).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/205

Originally assigned to: @bluejekyll on GitHub.

Pure client-side DNSSEC only requires public key operations, namely signature verification. It doesn't require signing. Signing components are really heavyweight, especially when things like HSM support are considered. Clients don't need those heavyweight things.

There are a lot of tests where a Signer (KeyPair) signs something and then a Verifier (PublicKey) verifies what was signed. Ideally all of these tests would be moved to the server crate too. However, we still need to test the verifier. In order to do that, we need to pregenerate (e.g. using the Server code, or using another DNSSEC implementation) the signed records that are being validated, and then use those pregenerated signed records in the test. This would allow the client to be tested 100% without requiring the server to be built.

Originally created by @briansmith on GitHub (Sep 24, 2017). Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/205 Originally assigned to: @bluejekyll on GitHub. Pure client-side DNSSEC only requires public key operations, namely signature verification. It doesn't require signing. Signing components are really heavyweight, especially when things like HSM support are considered. Clients don't need those heavyweight things. There are a lot of tests where a Signer (KeyPair) signs something and then a Verifier (PublicKey) verifies what was signed. Ideally all of these tests would be moved to the server crate too. However, we still need to test the verifier. In order to do that, we need to pregenerate (e.g. using the Server code, or using another DNSSEC implementation) the signed records that are being validated, and then use those pregenerated signed records in the test. This would allow the client to be tested 100% without requiring the server to be built.
kerem commented 2026-03-15 22:15:43 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Sep 24, 2017):

Is this a blocker for removing OpenSSL from the tests?

<!-- gh-comment-id:331687058 --> @bluejekyll commented on GitHub (Sep 24, 2017): Is this a blocker for removing OpenSSL from the tests?
kerem commented 2026-03-15 22:15:48 +03:00
Author
Owner
Copy link

@briansmith commented on GitHub (Sep 24, 2017):

'> Is this a blocker for removing OpenSSL from the tests?

There are various ways of getting to that point. I filed this after reading the "Dynamic update" example in client/lib.rs, which uses OpenSSL APIs. I first thought about rewriting it to be not-OpenSSL-specific, but then I thought "why is this even in client/ in the first place?"

I think this is something that should be done anyway, so I guess if this can be done quickly, it will avoid some unnecessary work. OTOH, eventually Signer and KeyPair should have full functionality with ring; I just think that will be a while because I've no schedule for implementing RSA key generation in ring. (Another alternative would be to use ECDSA and/or Ed25519 in the tests and demos. Another alternative is to pregenerate the key pairs.)

<!-- gh-comment-id:331687249 --> @briansmith commented on GitHub (Sep 24, 2017): '> Is this a blocker for removing OpenSSL from the tests? There are various ways of getting to that point. I filed this after reading the "Dynamic update" example in client/lib.rs, which uses OpenSSL APIs. I first thought about rewriting it to be not-OpenSSL-specific, but then I thought "why is this even in client/ in the first place?" I think this is something that should be done anyway, so I guess if this can be done quickly, it will avoid some unnecessary work. OTOH, eventually Signer and KeyPair should have full functionality with *ring*; I just think that will be a while because I've no schedule for implementing RSA key generation in *ring*. (Another alternative would be to use ECDSA and/or Ed25519 in the tests and demos. Another alternative is to pregenerate the key pairs.)
kerem commented 2026-03-15 22:15:53 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Sep 24, 2017):

I just realized something. I don't think this can be easily moved. The Signer is used by the Client for SIG0 record creation. This is currently the only form of authentication support by the TRust-DNS for dynamic update, it's also the only option for compatibility with BIND9.

I do want to allow TRust-DNS servers to authenticate with TLS, but even in that case I expect people will want to use SIG0 for compatibility with other DNS servers/authorities.

<!-- gh-comment-id:331735475 --> @bluejekyll commented on GitHub (Sep 24, 2017): I just realized something. I don't think this can be easily moved. The Signer is used by the Client for `SIG0` record creation. This is currently the only form of authentication support by the `TRust-DNS` for dynamic update, it's also the only option for compatibility with `BIND9`. I do want to allow `TRust-DNS` servers to authenticate with TLS, but even in that case I expect people will want to use SIG0 for compatibility with other DNS servers/authorities.
kerem commented 2026-03-15 22:15:58 +03:00
Author
Owner
Copy link

@briansmith commented on GitHub (Sep 24, 2017):

Dynamic update is a server feature, not a client feature. In particular, when one server delegates the serving of DNS to another DNS server, it will send dynamic update requests to the delegated server. Or, put another way, I think of things like "client," "server management," and "server," and dynamic update requests are a "server management" feature. A "normal" client is not going to need to send dynamic update requests.

<!-- gh-comment-id:331737650 --> @briansmith commented on GitHub (Sep 24, 2017): Dynamic update is a server feature, not a client feature. In particular, when one server delegates the serving of DNS to another DNS server, it will send dynamic update requests to the delegated server. Or, put another way, I think of things like "client," "server management," and "server," and dynamic update requests are a "server management" feature. A "normal" client is not going to need to send dynamic update requests.
kerem commented 2026-03-15 22:16:03 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Sep 24, 2017):

By "normal" client, in this context I would define that as a "resolver", and you're of course correct that the "resolver" doesn't need to sign requests. The TRust-DNS Resolver crate, for example, will never sign a query, and I would look at it as a bug to do so.

That being said, the logic for signing update requests currently resides in the Client crate. A potential solution to this is to start splitting the Client up in to multiple crates, for example a protocol crate which would only implement the DNS protocol, with basic sending and receiving of messages implemented, with the Resolver and "Server Manager" (for lack of a better name at the moment) being built atop of that. Doing this may clean up some issues in the code, but it means rethinking certain choices that were made early on. For example, I don't want the API to expose the query id association logic with the message, as that is a potential avenue for an attack of spoofing message responses (although if everything was just DNSSec I think this attack vector becomes mostly irrelevant). Right now, the id is generated, then the message is signed. We could refactor all of this of course to do things like add message handler facilities into the protocol crate that are run at different stages of the request being sent, but this seems like a lot of work... while the outcome might be cleaner separation of concerns (a valid goal), I'm not sure what the total value add would be.

I also worry that the crate overhead might become too high in a context like that, but that can be dealt with in the build scripts. There would need to be a lot more education of the community about which crate to use (and I'm already fairly bad at this aspect of managing the project ;).

<!-- gh-comment-id:331739243 --> @bluejekyll commented on GitHub (Sep 24, 2017): By "normal" client, in this context I would define that as a "resolver", and you're of course correct that the "resolver" doesn't need to sign requests. The TRust-DNS Resolver crate, for example, will never sign a query, and I would look at it as a bug to do so. That being said, the logic for signing update requests currently resides in the Client crate. A potential solution to this is to start splitting the Client up in to multiple crates, for example a protocol crate which would only implement the DNS protocol, with basic sending and receiving of messages implemented, with the Resolver and "Server Manager" (for lack of a better name at the moment) being built atop of that. Doing this may clean up some issues in the code, but it means rethinking certain choices that were made early on. For example, I don't want the API to expose the query id association logic with the message, as that is a potential avenue for an attack of spoofing message responses (although if everything was just DNSSec I think this attack vector becomes mostly irrelevant). Right now, the id is generated, then the message is signed. We could refactor all of this of course to do things like add message handler facilities into the protocol crate that are run at different stages of the request being sent, but this seems like a lot of work... while the outcome might be cleaner separation of concerns (a valid goal), I'm not sure what the total value add would be. I also worry that the crate overhead might become too high in a context like that, but that can be dealt with in the build scripts. There would need to be a lot more education of the community about which crate to use (and I'm already fairly bad at this aspect of managing the project ;).
kerem commented 2026-03-15 22:16:08 +03:00
Author
Owner
Copy link

@briansmith commented on GitHub (Sep 25, 2017):

IMO, there are a lot of applications, e.g. web browsers and other desktop and web service clients, that will want only resolver functionality, and want to have a very small, well-audited, small-number-of-dependencies implementation of the resolver. So I definitely think that something should be done to make the dependencies of the resolver smaller, by moving functionality from client (etc.) to crates that the resolver doesn't depend on. In turn I think this would make the TRust-DNS resolver more interesting to more people, which would encourage more contributions (code, auditing, documentation, testing, etc.) for that code. For example, I'd like to work on making some aspects of the resolver more efficient in various ways and I'd like to help integrate the resolver with more projects.

By contrast, I probably can't afford to invest too much in server-side functionality or dynamic update, so my (selfish) goal is to move that code out of the TCB for the resolver. It's understandable if your priorities are different than mine, though. :)

Anyway, I started a PoC to do this, but #200 is a sticking point: I'd like to move TBS to the server along with Signer, but currently it is (mis-)used by Verifier, so I got stuck.

<!-- gh-comment-id:331751206 --> @briansmith commented on GitHub (Sep 25, 2017): IMO, there are a lot of applications, e.g. web browsers and other desktop and web service clients, that will want only resolver functionality, and want to have a very small, well-audited, small-number-of-dependencies implementation of the resolver. So I definitely think that something should be done to make the dependencies of the resolver smaller, by moving functionality from client (etc.) to crates that the resolver doesn't depend on. In turn I think this would make the TRust-DNS resolver more interesting to more people, which would encourage more contributions (code, auditing, documentation, testing, etc.) for that code. For example, I'd like to work on making some aspects of the resolver more efficient in various ways and I'd like to help integrate the resolver with more projects. By contrast, I probably can't afford to invest too much in server-side functionality or dynamic update, so my (selfish) goal is to move that code out of the TCB for the resolver. It's understandable if your priorities are different than mine, though. :) Anyway, I started a PoC to do this, but #200 is a sticking point: I'd like to move TBS to the server along with Signer, but currently it is (mis-)used by Verifier, so I got stuck.
kerem commented 2026-03-15 22:16:14 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Sep 25, 2017):

The issues with Verifier and Signer stem from the fact that they both started as just the Signer.

...want only resolver functionality, and want to have a very small, well-audited, small-number-of-dependencies implementation of the resolver.

You make very compelling arguments :)

Here's my proposal: move the majority of the current Client functionality to a new crate, Proto; this would reduce the disruption to current users. This makes the most sense to me: leave the existing Client in place, create the new Proto crate, to which we'd migrate most of the Client crate, except for the high level stuff. At that point the TRust-DNS libraries would look like this: (Resolver -> Proto) and (Server -> Client -> (Resolver?) -> Proto). There's some complexity here because I still want the Client to use the DNSSec validation which would now live in the Proto crate, but shouldn't be too hard. I think it would be transparent (mostly) to any current users of either the Resolver or the Client.

That might end up being the easiest. Then we'd strongly encourage users to use the Resolver instead of the Client for DNS' most common use cases. This sound good to you? All of the DNSSec stuff would migrate to the Proto crate, along with serialization, etc. Signer would stay with Client, and Verifier would migrate to proto. This should also have the side-effect of cleaning up any inter-dependence between them. The tests will be very annoying though.

It's understandable if your priorities are different than mine, though. :)

I think they only differ in so far as what I'm most interested in, new Server features (but I've been much more focused on the Resolver/Client lately). Give the people what they want, it's never a bad thing to have more users :)

There are people using it for dynamic update operations, so it's not that rare ;)

<!-- gh-comment-id:331763627 --> @bluejekyll commented on GitHub (Sep 25, 2017): The issues with Verifier and Signer stem from the fact that they both started as just the Signer. > ...want only resolver functionality, and want to have a very small, well-audited, small-number-of-dependencies implementation of the resolver. You make very compelling arguments :) Here's my proposal: move the majority of the current Client functionality to a new crate, Proto; this would reduce the disruption to current users. This makes the most sense to me: leave the existing Client in place, create the new Proto crate, to which we'd migrate most of the Client crate, except for the high level stuff. At that point the TRust-DNS libraries would look like this: (Resolver -> Proto) and (Server -> Client -> (Resolver?) -> Proto). There's some complexity here because I still want the Client to use the DNSSec validation which would now live in the Proto crate, but shouldn't be too hard. I think it would be transparent (mostly) to any current users of either the Resolver or the Client. That might end up being the easiest. Then we'd strongly encourage users to use the Resolver instead of the Client for DNS' most common use cases. This sound good to you? All of the DNSSec stuff would migrate to the Proto crate, along with serialization, etc. Signer would stay with Client, and Verifier would migrate to proto. This should also have the side-effect of cleaning up any inter-dependence between them. The tests will be very annoying though. > It's understandable if your priorities are different than mine, though. :) I think they only differ in so far as what I'm most interested in, new Server features (but I've been much more focused on the Resolver/Client lately). Give the people what they want, it's never a bad thing to have more users :) There are people using it for dynamic update operations, so it's not *that* rare ;)
kerem commented 2026-03-15 22:16:19 +03:00
Author
Owner
Copy link

@briansmith commented on GitHub (Sep 25, 2017):

I think your idea sounds great.

There is this chunk of code that is currently in client/:

                    // update messages need to be signed.
                    if let OpCode::Update = message.op_code() {
                        if let Some(ref signer) = self.signer {
                            // TODO: it's too bad this happens here...
                            if let Err(e) = message.sign(signer, Utc::now().timestamp() as u32) {
                                warn!("could not sign message: {}", e);
                                complete.send(Err(e.into())).expect(
                                    "error notifying wait, possible future leak",
                                );
                                continue; // to the next message...
                            }
                        }
                    }

This is the main dependency on Signer. Signer depends on KeyPair and thus all the private-key crypto stuff.

Perhaps an easy way to resolve this would be to make trust_dns_proto::Signer a trait and then have the existing trust_dns::Signer implement trust_dns_proto::Signer.

Then we'd have signer.rs, keypair.rs, key_format.rs, and all the tests that use a Signer in client/, and most of the rest of the stuff in proto/?

<!-- gh-comment-id:331776256 --> @briansmith commented on GitHub (Sep 25, 2017): I think your idea sounds great. There is this chunk of code that is currently in `client/`: ```rust // update messages need to be signed. if let OpCode::Update = message.op_code() { if let Some(ref signer) = self.signer { // TODO: it's too bad this happens here... if let Err(e) = message.sign(signer, Utc::now().timestamp() as u32) { warn!("could not sign message: {}", e); complete.send(Err(e.into())).expect( "error notifying wait, possible future leak", ); continue; // to the next message... } } } ``` This is the main dependency on `Signer`. Signer depends on `KeyPair` and thus all the private-key crypto stuff. Perhaps an easy way to resolve this would be to make `trust_dns_proto::Signer` a trait and then have the existing `trust_dns::Signer` implement `trust_dns_proto::Signer`. Then we'd have signer.rs, keypair.rs, key_format.rs, and all the tests that use a Signer in client/, and most of the rest of the stuff in proto/?
kerem commented 2026-03-15 22:16:24 +03:00
Author
Owner
Copy link

@briansmith commented on GitHub (Sep 25, 2017):

The tests will be very annoying though.

For the interim, all the tests would be in client/. Later, we can add separate tests just for Verifier that use fixed test vectors and so don't require a Signer. Basically, in the interim, you'd have to run the client/ tests to test the proto/ Verifier.

<!-- gh-comment-id:331777171 --> @briansmith commented on GitHub (Sep 25, 2017): > The tests will be very annoying though. For the interim, all the tests would be in client/. Later, we can add separate tests just for Verifier that use fixed test vectors and so don't require a Signer. Basically, in the interim, you'd have to run the client/ tests to test the proto/ Verifier.
kerem commented 2026-03-15 22:16:29 +03:00
Author
Owner
Copy link

@briansmith commented on GitHub (Sep 25, 2017):

Here's a problem I see: Right now "trust-dns" has a "openssl" implicit default feature that enables crypto stuff. After the split, it would need to have an explicit "openssl" default feature that depends on the "trust-dns-proto/openssl" feature. However, keeping the OpenSSL-based tests in "trust-dns" (not moving them to "trust-dns-proto") requires keeping the dev-dependency on openssl in trust-dns. However, an explicit feature cannot have the same name as a dependency; only implicit features can! And, the "ring" feature has the same problem, potentially. So, AFAICT, with the split you suggest, it would be impossible to have a 100%-backward-compatible API, because the "openssl" and "ring" features need to be renamed. However, the default would still be backward compatible.

<!-- gh-comment-id:331777823 --> @briansmith commented on GitHub (Sep 25, 2017): Here's a problem I see: Right now "trust-dns" has a "openssl" implicit default feature that enables crypto stuff. After the split, it would need to have an explicit "openssl" default feature that depends on the "trust-dns-proto/openssl" feature. However, keeping the OpenSSL-based tests in "trust-dns" (not moving them to "trust-dns-proto") requires keeping the dev-dependency on openssl in trust-dns. However, an explicit feature cannot have the same name as a dependency; only implicit features can! And, the "ring" feature has the same problem, potentially. So, AFAICT, with the split you suggest, it would be impossible to have a 100%-backward-compatible API, because the "openssl" and "ring" features need to be renamed. However, the default would still be backward compatible.
kerem commented 2026-03-15 22:16:34 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Sep 25, 2017):

it would be impossible to have a 100%-backward-compatible API

My goal isn't to make it 100% backward compatible, but to make it at least easy and obvious to upgrade where it differs. I was able to do this when swapping out direct mio usage for tokio. If we can keep the default settings as the upgrade path, then we will be good.

<!-- gh-comment-id:331827816 --> @bluejekyll commented on GitHub (Sep 25, 2017): > it would be impossible to have a 100%-backward-compatible API My goal isn't to make it 100% backward compatible, but to make it at least easy and obvious to upgrade where it differs. I was able to do this when swapping out direct mio usage for tokio. If we can keep the default settings as the upgrade path, then we will be good.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
david/conformance-dnssec-negative-tests
prepare-0.26.1
release/0.26
query-api
opt-types
cname-nsec
no-cname-recursion
conformance-min-ttl
dname-base
drop-message-request
no-error-queries
cpu-sig0-rm-message-sig_dev
cpu-tsig-test-update_dev
windows-config
dnssec-net
release/0.25
opp-enc-persist
integration-test
cpu-tidying-recursor-opts_dev
happy-eyeballs
david/authoritative-zone-storage-trait
dnssec-ad
no-authority
release/0.24
pvdrz/remove-top-file
pvdrz/h3-handshake-timeout
pvdrz/quic-handshake-timeout
nxdomain-for-recursor
ja-test-merque-queue
ja-fix-ci-again
sz-add-ede-tests
sz-test-tc-bit-with-large-response
sz-fix-tokio-dependency
gh-2275-test-rrsig-signature
refactor-sign-zone-file
fix-1.79-cleanliness
update-nightly-hash
release/0.23
gh-pages
use-just-for-server-toml
release/0.22
revert-1874-cpu-zone-parse-default-class
disable-bind-compatibility-tests
disable-test_tls_client_stream_ipv4
update-native-tls-0.2.11
recursor-tests
fix-clippy-self
release/0.20
saethlin-fix-rdata-zero
release/0.19
flat_name
drop_unused_futures
release/0.18
release-r0.12-cs0.17
release/r0.12-cs0.17
trust-dns-book
r0.10
test-connections-not-dropped
fix_exec_status_on_rs_files
release-0.9
add-mutex-to-integration-tests
0.8_release
bfry/dns-crypt
v0.26.0
v0.26.0-beta.4
v0.26.0-beta.3
v0.26.0-beta.2
v0.26.0-beta.1
v0.26.0-alpha.1
v0.25.2
v0.25.1
v0.25.0
v0.24.4
v0.24.3
v0.25.0-alpha.5
v0.24.2
v0.25.0-alpha.4
v0.25.0-alpha.3
v0.25.0-alpha.2
v0.25.0-alpha.1
v0.24.1
v0.23.2
v0.24.0
v0.23.1
v0.23.0
v0.23.0-alpha.5
v0.23.0-alpha.4
v0.23.0-alpha.3
v0.22.1
v0.23.0-alpha.2
v0.23.0-alpha.1
v0.22.0
v0.21.2
v0.21.1
v0.21.0
v0.21.0-alpha.5
v0.20.4
v0.21.0-alpha.4
v0.21.0-alpha.3
v0.21.0-alpha.2
v0.21.0-alpha.1
v0.20.3
v0.20.2
v0.20.1
v0.19.7
v0.20.0
0.19.6
v0.20.0-alpha.3
v0.20.0-alpha.2
v0.20.0-alpha.1
0.19.5
0.19.4
0.19.3
0.19.0
0.18.1
0.18
0.18.0.alpha.2
r0.12_cs0.17
r0.11.1
cs0.16.1
r0.11
cs0.16
r0.10.1
r0.10.0
cs0.15.0
r0.9.1
v0.14.0
r0.9.0
r0.8.1
r0.8.0
v0.13.0
r0.7.0
c0.12.0
r0.6.0
r0.5.0
resolver.0.4.0
0.11.0
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.1
0.8.0
0.7.3
0.7.2
0.7.1
0.7.0
0.6.0
0.5.3
0.5.1
0.5.0
0.4.0
0.3.1
0.3.0
0.2.1
0.2.0
0.1.0
Labels
Clear labels   
blocked

   
breaking-change

   
bug

   
bug:critical

   
bug:tests

   
cleanup

   
compliance

   
compliance

   
compliance

   
crate:all

   
crate:client

   
crate:native-tls

   
crate:proto

   
crate:recursor

   
crate:resolver

   
crate:resolver

   
crate:rustls

   
crate:server

   
crate:util

   
dependencies

   
docs

   
duplicate

   
easy

   
easy

   
enhance

   
enhance

   
enhance

   
feature:dns-over-https

   
feature:dns-over-quic

   
feature:dns-over-tls

   
feature:dnsssec

   
feature:global_lb

   
feature:mdns

   
feature:tsig

   
features:edns

   
has workaround

   
ops

   
perf

   
platform:WASM

   
platform:android

   
platform:fuchsia

   
platform:linux

   
platform:macos

   
platform:windows

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
test

   
tools

   
tools

   
trust

   
unclear

   
wontfix
No labels
blocked
breaking-change
bug
bug:critical
bug:tests
cleanup
compliance
compliance
compliance
crate:all
crate:client
crate:native-tls
crate:proto
crate:recursor
crate:resolver
crate:resolver
crate:rustls
crate:server
crate:util
dependencies
docs
duplicate
easy
easy
enhance
enhance
enhance
feature:dns-over-https
feature:dns-over-quic
feature:dns-over-tls
feature:dnsssec
feature:global_lb
feature:mdns
feature:tsig
features:edns
has workaround
ops
perf
platform:WASM
platform:android
platform:fuchsia
platform:linux
platform:macos
platform:windows
pull-request
question
test
tools
tools
trust
unclear
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/hickory-dns#389
No description provided.