* Split central ServeDNS code out of (*Server).serve
* Add UDP and TCP specific (*Server).serve wrappers
* Move UDP serve functionality into serveUDPPacket
* Merge serve into serveTCPConn
* Cleanup serveTCPConn replacing goto with for
* defer Close in serveTCPConn
* Remove remoteAddr field from response struct
* Fix broken tsigSecret check in serveDNS
* Reorder serveDNS arguments
This makes it consistent with the ordering of arguments to
serveUDPPacket and serveTCPConn.
serveTCP calls reader.ReadTCP in the accept loop rather than in
the per-connection goroutine. If an attacker opens a connection
and leaves it idle, this will block the accept loop until the
connection times out (2s by default). During this time no other
incoming connections will succeed, preventing legitimate queries
from being answered.
This commit moves the call to reader.ReadTCP into the per-connection
goroutine. It also adds a missing call to Close whose absence allowed
file descriptors to leak in select cases.
This attack and fix have no impact on serving UDP queries.
The check for srv.started being false is in the wrong place; it should
be after Accept, not after ReadTCP. If Shutdown is called, serveTCP will
currently return a 'use of closed network connection' error, which is
undesired.
This commit mirrors the behaviour of serveUDP with respect to Shutdown.
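An added example (not code from the miekg/dns project) of the structure the two messages above describe: the accept loop only accepts, every connection is read in its own goroutine with a deferred Close, and a closed listener (the Shutdown case) ends the loop without surfacing an error. The 2-byte length framing and the 2s idle timeout follow the text; the `handle` callback and all function bodies are assumptions made for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"io"
	"net"
	"time"
)

// Per-connection idle timeout; the commit message cites 2s as the default.
const readTimeout = 2 * time.Second
// serveTCP only accepts. Each connection is read in its own goroutine, so an
// idle client cannot block the accept loop and starve other clients. A closed
// listener (the Shutdown case) ends the loop cleanly instead of as an error.
func serveTCP(l net.Listener, handle func([]byte) []byte) error {
	for {
		conn, err := l.Accept()
		if err != nil {
			if errors.Is(err, net.ErrClosed) {
				return nil
			}
			return err
		}
		go serveTCPConn(conn, handle)
	}
}

// serveTCPConn answers RFC 1035 TCP-framed messages (2-byte big-endian length
// prefix) until the peer closes or idles past readTimeout; the deferred Close
// is what prevents the descriptor leak the commit message mentions.
func serveTCPConn(conn net.Conn, handle func([]byte) []byte) {
	defer conn.Close()
	var hdr [2]byte
	for {
		conn.SetReadDeadline(time.Now().Add(readTimeout))
		if _, err := io.ReadFull(conn, hdr[:]); err != nil {
			return
		}
		msg := make([]byte, binary.BigEndian.Uint16(hdr[:]))
		if _, err := io.ReadFull(conn, msg); err != nil {
			return
		}
		resp := handle(msg)
		binary.BigEndian.PutUint16(hdr[:], uint16(len(resp)))
		if _, err := conn.Write(append(hdr[:], resp...)); err != nil {
			return
		}
	}
}
```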
* Do not return ErrShortRead in readUDP
A read of zero bytes indicates a peer shutdown for TCP sockets -- and
thus returning ErrShortRead is fine in readTCP -- but not for UDP
sockets. For UDP sockets a read of zero bytes literally indicates a
zero-byte datagram, and is a valid return value not indicating an error.
Removing this case will cause readUDP to correctly return a zero-byte
message.
* Return non-temporary error from serveUDP loop
Fixes #613
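An added example, not project code, that shows the socket behaviour the readUDP message relies on: a zero-length UDP datagram is delivered as a read of zero bytes with a nil error, which a `readUDP` wrapper passes through rather than turning into a short-read error, while a closed stream peer yields zero bytes with io.EOF. The loopback self-send, the net.Pipe stand-in for TCP and the function names are constructed for this demonstration.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// readUDP wraps ReadFrom. A zero-length result with a nil error is a valid
// empty datagram and is returned as such, not turned into a short-read error.
func readUDP(pc net.PacketConn, size int) ([]byte, net.Addr, error) {
	buf := make([]byte, size)
	n, addr, err := pc.ReadFrom(buf)
	if err != nil {
		return nil, nil, err
	}
	return buf[:n], addr, nil
}

// udpZeroRead sends an empty datagram to its own loopback socket (constructed
// for this demonstration) and reports the length and read error the receiver
// sees: 0 bytes and a nil error.
func udpZeroRead() (int, error) {
	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
	if err != nil {
		return -1, err
	}
	defer pc.Close()
	if _, err := pc.WriteTo(nil, pc.LocalAddr()); err != nil { // zero-byte datagram
		return -1, err
	}
	pc.SetReadDeadline(time.Now().Add(time.Second))
	msg, _, err := readUDP(pc, 512)
	return len(msg), err
}

// streamZeroRead shows the stream case the message contrasts with (an in-memory
// net.Pipe stands in for TCP): after the peer closes, Read returns 0 and io.EOF.
func streamZeroRead() (int, error) {
	a, b := net.Pipe()
	a.Close() // peer shutdown
	return b.Read(make([]byte, 512))
}

func main() {
	n, err := udpZeroRead()
	fmt.Println("udp:", n, err) // udp: 0 <nil>
	n, err = streamZeroRead()
	fmt.Println("stream:", n, err) // stream: 0 EOF
}
```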
* TSIG name must be presented in canonical form
Update the documentation to make clear that the zonename in the
TsigSecret map must be in canonical form.
* Reference RFC 4034 for canonical form
* Server: drop inflight waitgroup
This drops the waitgroup in Server; the suspicion is that this can make the server
fail to stop. Doing this makes graceful shutdown not work.
Add a test that tries to find a race between starting and stopping;
there was a data race on srv.Inflight.
CoreDNS's TestReadme doesn't race anymore with this, as it did with
the more evasive PR #546.
Drop all graceful handling. There is just too much locking and
waitgrouping going on for very little gain; deal with it.
Make the error handling between serve{TCP,UDP} identical.
In the switch statement srv.Net is matched for tcp6-tls but
then compared against tcp6 within the case statement. This
causes tcp6-tls to be equivalent to tcp-tls and not specific
to tcp6. The `network = "tcp6"` line was previously unreachable.
This change corrects this and ensures tcp6-tls listens on IPv6
only.
* Make the error variable always named err.
Sometimes the error variable was named 'err', sometimes 'e'. Sometimes
'e' referred to an EDNS or string and not an error type.
* Use t.Errorf instead of t.Logf & t.Fail.
* Remove {un,}packUint{16,32}Msg functions.
unpackUint16Msg, unpackUint32Msg, packUint16Msg and packUint32Msg implemented
functionality that is part of the encoding/binary package.
* Use encoding/binary's encoding in more places.
Remove the use of reflection when packing and unpacking, instead
generate all the pack and unpack functions using msg_generate.
This will generate zmsg.go which in turn calls the helper functions from
msg_helper.go.
This increases the speed by about 30% while cutting back on memory
usage. Not all RRs are using it, but that will be rectified in an upcoming
PR.
Most of the speed increase is in the header/question section parsing.
These functions *are* not generated, but are straightforward enough. The
implementation can be found in msg.go.
The new code has been fuzzed by go-fuzz, which turned up some issues.
All files that started with 'z' and were not autogenerated were renamed,
e.g. zscan.go is now scan.go.
Reflection is still used, in subsequent PRs it will be removed entirely.
Using ListenAndServe with network set to "tcp-tls" will cause an error, as no
certificates were provided. To solve that we created the function
ListenAndServeTLS that will configure a DNS server listening on TCP and handling
requests on incoming TLS connections.
See #297
We should allow the server to receive requests over an encrypted connection. This
is proposed in the document draft-ietf-dprive-dns-over-tls [1].
Now it is possible to initialize the DNS server to listen with TLS using the
"tcp-tls" value in the network parameter of the ListenAndServe function, or by passing a
listener initialized with tls.Listen to ActivateAndServe.
There's also an option in the Server type to change the TLS configuration, to
specify the certificates that are going to be used, or to change any other
desired option of tls.Config.
See #297
[1] http://tools.ietf.org/html/draft-ietf-dprive-dns-over-tls-02
We currently close the connection after 128 TCP queries. But when
the last query comes in, we close the connection immediately.
Fix this by moving the check to before we read data from the TCP
socket.
Fixes: #218.
Expose the UDP and TCP listening sockets when ListenAndServe() is used; it seems like
plopping them on Server.Listener and Server.PacketConn would be ideal. The use case is so
that a port of zero can be used, and having them exposed will allow for examination of the port
that is bound.
Adds a field, NotifyStartedFunc func() to Server.
If non-nil, it is called after a server starts listening. This is useful
for synchronization purposes, for example when a daemon needs to drop
privileges after binding. Otherwise, there is no way to determine when
the server has begun listening and hardcoded delays (!) must be used or
race conditions may occur.
This stops it from checking if the incoming requests have the QR bit
unset, so be careful when enabling this. This can be useful in
combination with mDNS.
Also the check for only 1 question in the question section is relaxed
to be "at least one", even without setting Unsafe!
Also update TestServingResponse to test for Unsafe vs not using Unsafe.