even faster, by smarter checking for tsig

server.go

@@ -390,14 +390,16 @@ func serve(a net.Addr, h Handler, m []byte, u *net.UDPConn, t *net.TCPConn, tsig
 		}
 
 		w.tsigStatus = nil
-		if t := req.IsTsig(); t != nil {
+		if w.tsigSecret != nil {
-			secret := t.Hdr.Name
+			if t := req.IsTsig(); t != nil {
-			if _, ok := tsigSecret[secret]; !ok {
+				secret := t.Hdr.Name
-				w.tsigStatus = ErrKeyAlg
+				if _, ok := tsigSecret[secret]; !ok {
+					w.tsigStatus = ErrKeyAlg
+				}
+				w.tsigStatus = TsigVerify(m, tsigSecret[secret], "", false)
+				w.tsigTimersOnly = false
+				w.tsigRequestMAC = req.Extra[len(req.Extra)-1].(*RR_TSIG).MAC
 			}
-			w.tsigStatus = TsigVerify(m, tsigSecret[secret], "", false)
-			w.tsigTimersOnly = false
-			w.tsigRequestMAC = req.Extra[len(req.Extra)-1].(*RR_TSIG).MAC
 		}
 		h.ServeDNS(w, req) // this does the writing back to the client
 		if w.hijacked {
@@ -418,17 +420,19 @@ func (w *response) Write(m *Msg) (err error) {
 	if m == nil {
 		return &Error{Err: "nil message"}
 	}
-	if t := m.IsTsig(); t != nil {
+	if w.tsigSecret != nil { // if no secrets, dont check for the tsig (which is a longer check)
-		data, w.tsigRequestMAC, err = TsigGenerate(m, w.tsigSecret[t.Hdr.Name], w.tsigRequestMAC, w.tsigTimersOnly)
+		if t := m.IsTsig(); t != nil {
-		if err != nil {
+			data, w.tsigRequestMAC, err = TsigGenerate(m, w.tsigSecret[t.Hdr.Name], w.tsigRequestMAC, w.tsigTimersOnly)
-			return err
+			if err != nil {
-		}
+				return err
-	} else {
+			}
-		data, err = m.Pack()
+			return w.WriteBuf(data)
-		if err != nil {
-			return err
 		}
 	}
+	data, err = m.Pack()
+	if err != nil {
+		return err
+	}
 	return w.WriteBuf(data)
 }