* [tls] Carry TLS state within (possibly) response writer
This allows a server to make decision wether or not the link used to
connect to the DNS server is using TLS.
This can be used by the handler for instance to (but not limited to):
- log that the request was TLS vs TCP
- craft specific responsed knowing that the link is secured
- return custom answers based on client cert (if provided)
...
Fixes#711
* Address @tmthrgd comments:
- do not check whether w.tcp is nil
- create RR after setting txt value
* Address @miekg comments.
Attempt to make a TLS connection state specific test, it goes over
testing each individual server types (TLS, TCP, UDP) and validate that
tls.Connectionstate is only accessible when expected.
* ConnectionState() returns value instead of pointer
* * make ConnectionStater.ConnectionState() return a pointer again
* rename interface ConnectionState to ConnectionStater
* fix nits pointed by @tmthrgd
* @tmthrgd comment: Do not use concret type in `ConnectionState`
* Make Shutdown wait for connections to terminate gracefully
* Add graceful shutdown test files from #713
* Tidy up graceful shutdown tests
* Call t.Error directly in checkInProgressQueriesAtShutdownServer
* Remove timeout arguments from RunLocal*ServerWithFinChan
* Merge defers together in (*Server).serve
This removes the defer from the UDP path, in favour of directly
calling (*sync.WaitGroup).Done after (*Serve).serveDNS has
returned.
* Replace checkInProgressQueriesAtShutdownServer implementation
This performs dialing, writing and reading as three seperate steps.
* Add sleep after writing shutdown test messages
* Avoid race condition when setting server timeouts
Server timeouts cannot be set after the server has started without
triggering the race detector. The timeout's are not strictly needed, so
remove them.
* Use a sync.Cond for testShutdownNotify
Using a chan erroneously triggered the race detector, using a sync.Cond
avoids that problem.
* Remove TestShutdownUDPWithContext
This doesn't really add anything.
* Move shutdown and conn into (*Server).init
* Only log ResponseWriter.WriteMsg error once
* Test that ShutdownContext waits for the reply
* Remove stray newline from diff
* Rename err to ctxErr in ShutdownContext
* Reword testShutdownNotify comment
* Use strings.TrimSuffix in ListenAndServe for TLS
This replaces the if/else statements with something simpler.
Interestingly, the first pull request I submitted to this library was
to fix the tcp6-tls case way back in 4744e915eb.
* Add SO_REUSEPORT implementation
Fixes#654
* Rename Reuseport field to ReusePort
* Rename supportsReuseport to match ReusePort
* Rename listenUDP and listenTCP file to listen_*.go
* Clear the response.msg field after unpacking
The allocated buffer cannot be freed by the garbage collector while the
response is alive, by clearing msg here, the GC can collect the buffer
sooner.
* Use a sync.Pool for UDP message buffers
* Return UDP message buffer to pool in all paths
* Move udpPool.New closure out of (*Server).init
The closure used to capture the *Server which would cause a reference
loop and prevent it from ever being released by the garbage collector.
This also gives the closure a more obvious name in memory profiles:
github.com/miekg/dns.makeUDPBuffer.func1 rather than
github.com/miekg/dns.(*Server).init.func1.
* Fix Serve benchmark failures
At present, these benchmarks don't actually work or measure anything.
SetQuestion must have a fully qualified domain name (trailing dot) to
be valid. Because the question wasn't valid, the request never reached
the server and was rejected by the client.
With the error check added, the benchmarks started failing with:
--- FAIL: BenchmarkServe
server_test.go:346: Exchange failed: dns: domain must be fully qualified
* Enable Serve6 benchmark
Currently this benchmark isn't run as it's not exported.
* Only enable BenchmarkServe6 when IPv6 is supported
The Serve6 benchmark has been disabled since 2014 (in 28d936c032)
because it doesn't play nice with Travis. We can just skip the benchmark
if it fails to bind to an IPv6 address.
* Remove redundant parenthesis
These were caught with:
gofmt -r '(a) -> a' -w *.go
This commit only includes the changes where the formatting makes the
ordering of operations clear.
* Remove more redundant parenthesis
These were caught with:
gofmt -r '(a) -> a' -w *.go
This commit includes the remaining changes where the formatting does not
make the ordering of operations as clear as the previous commit.
* Add a ParseZone test for $GENERATE.
* Add a test for modToPrintf used by $GENERATE.
* Correctly handle $GENERATE modifiers.
As per http://www.zytrax.com/books/dns/ch8/generate.html, the width and type (aka base)
components of a modifier are optional. This means that ${2,0,d}, ${2,0} and ${2} are
valid modifiers, however only the first format was previously permitted. Use default
values for the width and/or type if they are unspecified in the modifier.
RFC 2537 (RSA/MD5) and RFC 3110 (RSA/SHA1) disallow leading zero octets.
RFC 5702 (RSA/SHA256 and RSA/SHA512) isn't specific but defers to these
earlier RFCs in other places.
There is an upper limit of 4096 bits for both the modulus and exponent.
The modulus must be at least 512 bits. No minimum is specified for the
exponent but a quick search suggests single byte exponents are viable.
Exponents larger than 32 bits are already disallowed. This commit adds
checks for the other requirements, general bounds checks, and defers
initialisation of the big num till the other checks have passed.
* Add test from #688 demonstrating bug decoding RSA exponent
* Unpack RSA exponent in correct order
Fixes#688
* Don't unpack RSA keys with an exponent too large for the crypto package
* Update dnssec_test.go
Fix the one nit
* ensure dialTimeout is used at Dial time. Ensure dial functions setup the right timeout
* - on Dialing, ensure a dialTimeout for the Dialer only if it is just created, else keep going with parameters of the Dialer.
* Require URLs for DOH addresses
* Move time.Now directly above http.Client.Do in DoH
* Remove https scheme check from DOH
Although the draft RFC explicitly requires that the scheme be https,
this was deemed undesirable, so remove it.
The base32 variant NSEC3 uses doesn't have padding. This hasn't been a
problem in practice because SHA1 is the only current NSEC3 hash algorithm
and its output doesn't require padding.
No-pad support was introduced in Go 1.9 which is the oldest release this
package supports.
* Add DNS-over-HTTPS support to (*Client).Exchange
* Ignore net/http goroutine leak from DoH
* Use existing Dialer and TLSConfig fields on Client for DOH
* Make DOH http.Client fully configurable
* Pipe context into exchangeDOH
* Fixed len computation when size just goes beyond 14 bits
* Added bouds checks around 14bits
* Len() always right including when around 14bits boudaries
* Avoid splitting into labels when not applicable
* Fixed comments
* Added comments in code
* Added new test cases
* Fixed computation of Len() for SRV and all kind of records
* Fixed Sign that was relying on non-copy for Unit tests
* Removed unused padding
* Fixed typo in PackBuffer() function
* Added comment about packBufferWithCompressionMap() for testing purposes
* do not modify dns.Rcode when packing to wire format
When the message has an EDNS0 option in the additional section and
dns.Msg.Rcode is set to an extended rcode, dns.Msg.PackBuffer() modifies
dns.Msg.Rcode.
If you were to `Pack` the message and log it after, the Rcode would show
NOERROR.
Running the test before the change would error with:
```
=== RUN TestPackNoSideEffect
--- FAIL: TestPackNoSideEffect (0.00s)
msg_test.go:51: after pack: Rcode is expected to be BADVERS
```
after fixing dns.Msg.PackBuffer(), all tests are still passing.
Fixes#674
* address comments from PR#675
copyHeader() is redundant, we allocate a header and then copy the
non-pointer elements into it; we don't need to do this, because if we
just asssign rr.Hdr to something else we get the same result.
Remove copyHeader() and the generation and use of it in ztypes.go.
* Split central ServeDNS code out of (*Server).serve
* Add UDP and TCP specific (*Server).serve wrappers
* Move UDP serve functionality into serveUDPPacket
* Merge serve into serveTCPConn
* Cleanup serveTCPConn replacing goto with for
* defer Close in serveTCPConn
* Remove remoteAddr field from response struct
* Fix broken tsigSecret check in serveDNS
* Reorder serveDNS arguments
This makes it consistent with the ordering of arguments to
serveUDPPacket and serveTCPConn.