added

ex/fks-shield/shield.go

@@ -20,6 +20,7 @@ var (
 )
 
 func serve(w dns.ResponseWriter, r *dns.Msg, c *Cache) {
+	// only do queries not dynamic updates
 	if p := c.Find(r); p != nil {
 		dns.RawSetId(p, r.MsgHdr.Id)
 		w.WriteBuf(p)

ex/fksd/cmds/config.mkd

@@ -27,7 +27,7 @@ Zones are listed in the additional section of the reply packet
 
 # USER
 
-    USER. TXT   "ADD miekg hmac:base64-tsig-secret"
+    USER. TXT   "ADD miekg base64-tsig-secret"
     USER. TXT   "DROP miekg"
-    USER. TXT   "ADDRIGHT miekg list"   // list/write/drop/user
+    USER. TXT   "ADDRIGHT miekg list"   // list/write/drop
     USER. TXT   "DROPRIGHT miekg list"

ex/fksd/config.go

@@ -7,6 +7,7 @@ import (
 )
 
 const (
+	R_NONE  = 0 // Right to do nada
 	R_LIST  = 1 // Right to list stuff
 	R_WRITE = 2 // Right to write stuff
 	R_DROP  = 4 // Right to drop stuff
@@ -32,7 +33,7 @@ func formerr(w dns.ResponseWriter, req *dns.Msg) {
 	m := new(dns.Msg)
 	m.MsgHdr.Opcode = dns.OpcodeUpdate
 	if req.IsTsig() {
-		m.SetTsig(tsig(req), dns.HmacMD5, 300, time.Now().Unix())
+		m.SetTsig(userFromTsig(req), dns.HmacMD5, 300, time.Now().Unix())
 	}
 	w.Write(m.SetRcode(req, dns.RcodeFormatError))
 }
@@ -40,11 +41,11 @@ func formerr(w dns.ResponseWriter, req *dns.Msg) {
 func noerr(w dns.ResponseWriter, req *dns.Msg) {
 	m := new(dns.Msg)
 	m.MsgHdr.Opcode = dns.OpcodeUpdate
-	m.SetTsig(tsig(req), dns.HmacMD5, 300, time.Now().Unix())
+	m.SetTsig(userFromTsig(req), dns.HmacMD5, 300, time.Now().Unix())
 	w.Write(m.SetReply(req))
 }
 
-func tsig(req *dns.Msg) string {
+func userFromTsig(req *dns.Msg) string {
 	return req.Extra[len(req.Extra)-1].Header().Name
 }
 
@@ -94,6 +95,12 @@ func config(w dns.ResponseWriter, req *dns.Msg, c *Config) {
 				return
 			}
 		case "USER.":
+			if userFromTsig(req) != *superuser {
+				logPrintf("user management is only superuser\n")
+				formerr(w, req)
+				return
+			}
+
 			if e := configUSER(w, req, t, c); e != nil {
 				formerr(w, req)
 				return
@@ -154,7 +161,7 @@ func configZONE(w dns.ResponseWriter, req *dns.Msg, t *dns.RR_TXT, c *Config) er
 			a, _ := dns.NewRR("ZONE. TXT \"" + zone + "\"")
 			m.Extra = append(m.Extra, a)
 		}
-		m.SetTsig(tsig(req), dns.HmacMD5, 300, time.Now().Unix())
+		m.SetTsig(userFromTsig(req), dns.HmacMD5, 300, time.Now().Unix())
 		w.Write(m)
 	}
 	return nil
@@ -166,5 +173,23 @@ func configUSER(w dns.ResponseWriter, req *dns.Msg, t *dns.RR_TXT, c *Config) er
 	if len(sx) == 0 {
 		return nil
 	}
+	switch strings.ToUpper(sx[0]) {
+	case "ADD":
+		if len(sx) != 3 {
+			return nil
+		}
+		logPrintf("config: ADD %s\n", dns.Fqdn(sx[1]))
+		c.Tsigs[sx[1]] = sx[2]
+		c.Rights[sx[1]] = R_NONE
+	case "DROP":
+		if len(sx) != 2 {
+			return nil
+		}
+		logPrintf("config: DROP %s\n", dns.Fqdn(sx[1]))
+		delete(c.Tsigs, sx[1])
+		delete(c.Rights, sx[1])
+	case "ADDRIGHT":
+	case "DROPRIGHT":
+	}
 	return nil
 }

ex/fksd/main.go

@@ -18,7 +18,6 @@ func main() {
 	flag.Parse()
 	conf := NewConfig()
 	*superuser = strings.ToLower(*superuser)
-	conf.Users[*superuser] = true
 	conf.Tsigs[dns.Fqdn(*superuser)] = *superkey
 	conf.Rights[*superuser] = R_LIST | R_WRITE | R_DROP | R_USER // *all* of them