duedil-ltd · tarnfeld · Sep 20, 2014 · Sep 21, 2014 · Sep 22, 2014 · Sep 23, 2014
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ An authoritative DNS nameserver that queries an [etcd](http://github.com/coreos/
 - Support for TTLs
     - Global default on all records
     - Individual TTL values for individual records
-- Runtime and application metrics are captured regularly for monitoring (stdout or grahite)
+- Runtime and application metrics are captured regularly for monitoring (stdout or graphite)
 - Incoming query filters
 
 #### Production Readyness

diff --git a/format.go b/format.go
@@ -0,0 +1,23 @@
+package main
+
+import (
+    "bytes"
+    "strings"
+)
+
+// nameToKey returns a string representing the etcd version of a domain, replacing dots with slashes
+// and reversing it (foo.net. -> /net/foo)
+func nameToKey(name string, suffix string) string {
+    segments := strings.Split(name, ".")
+
+    var keyBuffer bytes.Buffer
+    for i := len(segments) - 1; i >= 0; i-- {
+        if len(segments[i]) > 0 {
+            keyBuffer.WriteString("/")
+            keyBuffer.WriteString(segments[i])
+        }
+    }
+
+    keyBuffer.WriteString(suffix)
+    return keyBuffer.String()
+}
diff --git a/main.go b/main.go
@@ -30,6 +30,7 @@ var (
         DefaultTtl          uint32      `short:"t" long:"default-ttl" description:"Default TTL to return on records without an explicit TTL" default:"300"`
         Accept              []string    `long:"accept" description:"Limit DNS queries to a set of domain:[type,...] pairs"`
         Reject              []string    `long:"reject" description:"Limit DNS queries to a set of domain:[type,...] pairs"`
+        TsigSecret          []string    `short:"s" long:"tsig" description:"Transaction signature secret in the format name:secret"`
     }
 )
 
@@ -79,6 +80,17 @@ func main() {
         logger.Printf("Metric logging disabled")
     }
 
+    // Parse the tsig arguments
+    tsigSecret := map[string]string{}
+    for _, arg := range Options.TsigSecret {
+        components := strings.SplitN(arg, ":", 2)
+        if len(components) != 2 {
+            logger.Printf("Failed to parse TSIG argument")
+            continue
+        }
+        tsigSecret[dns.Fqdn(components[0])] = components[1]
+    }
+
     // Start up the DNS resolver server
     server := &Server{
         addr: Options.ListenAddress,
@@ -87,6 +99,7 @@ func main() {
         rTimeout: time.Duration(5) * time.Second,
         wTimeout: time.Duration(5) * time.Second,
         defaultTtl: Options.DefaultTtl,
+        tsigSecret: tsigSecret,
         queryFilterer: &QueryFilterer{acceptFilters: parseFilters(Options.Accept),
                                       rejectFilters: parseFilters(Options.Reject)}}
 

diff --git a/resolver.go b/resolver.go
@@ -1,7 +1,6 @@
 package main
 
 import (
-    "bytes"
     "fmt"
     "github.com/coreos/go-etcd/etcd"
     "github.com/miekg/dns"
@@ -246,7 +245,7 @@ func (r *Resolver) AnswerQuestion(answers chan dns.RR, errors chan error, q dns.
 
         for rrType, _ := range converters {
             go func(rrType uint16) {
-                defer func() { recover() }()
+                defer recover()
                 defer wg.Done()
 
                 results, err := r.LookupAnswersForType(q.Name, rrType)
@@ -325,23 +324,6 @@ func (r *Resolver) LookupAnswersForType(name string, rrType uint16) (answers []d
     return
 }
 
-// nameToKey returns a string representing the etcd version of a domain, replacing dots with slashes
-// and reversing it (foo.net. -> /net/foo)
-func nameToKey(name string, suffix string) string {
-    segments := strings.Split(name, ".")
-
-    var keyBuffer bytes.Buffer
-    for i := len(segments) - 1; i >= 0; i-- {
-        if len(segments[i]) > 0 {
-            keyBuffer.WriteString("/")
-            keyBuffer.WriteString(segments[i])
-        }
-    }
-
-    keyBuffer.WriteString(suffix)
-    return keyBuffer.String()
-}
-
 // Map of conversion functions that turn individual etcd nodes into dns.RR answers
 var converters = map[uint16]func (node *etcd.Node, header dns.RR_Header) (rr dns.RR, err error) {
 

diff --git a/server.go b/server.go
@@ -15,51 +15,86 @@ type Server struct {
     rTimeout        time.Duration
     wTimeout        time.Duration
     defaultTtl      uint32
+    tsigSecret      map[string]string
     queryFilterer   *QueryFilterer
 }
 
 type Handler struct {
     resolver        *Resolver
     queryFilterer   *QueryFilterer
+    updateManager   *DynamicUpdateManager
 
     // Metrics
     requestCounter      metrics.Counter
     acceptCounter       metrics.Counter
     rejectCounter       metrics.Counter
+    // authFailCounter     metrics.Counter
+    // authSuccessCounter  metrics.Counter
     responseTimer       metrics.Timer
 }
 
 func (h *Handler) Handle(response dns.ResponseWriter, req *dns.Msg) {
     h.requestCounter.Inc(1)
     h.responseTimer.Time(func() {
-        debugMsg("Handling incoming query for domain " + req.Question[0].Name)
-
-        // Lookup the dns record for the request
-        // This method will add any answers to the message
-        var msg *dns.Msg
-        if h.queryFilterer.ShouldAcceptQuery(req) != true {
-            debugMsg("Query not accepted")
-
-            h.rejectCounter.Inc(1)
-
-            msg =  new(dns.Msg)
-            msg.SetReply(req)
-            msg.SetRcode(req, dns.RcodeNameError)
-            msg.Authoritative = true
-            msg.RecursionAvailable = false
-
-            // Add a useful TXT record
-            header := dns.RR_Header{Name: req.Question[0].Name,
-                                    Class: dns.ClassINET,
-                                    Rrtype: dns.TypeTXT}
-            msg.Ns = []dns.RR{&dns.TXT{header, []string{"Rejected query based on matched filters"}}}
+        debugMsg("Incoming message with opcode " + dns.OpcodeToString[req.MsgHdr.Opcode])
+
+        var res *dns.Msg
+        if req.MsgHdr.Opcode == dns.OpcodeQuery {
+            // TODO(tarnfeld): Support for multiple questions?
+            debugMsg("Handling incoming query for domain " + req.Question[0].Name)
+
+            // Lookup the dns record for the request
+            // This method will add any answers to the message
+            if h.queryFilterer.ShouldAcceptQuery(req) != true {
+                debugMsg("Query not accepted")
+
+                h.rejectCounter.Inc(1)
+
+                res = new(dns.Msg)
+                res.SetReply(req)
+                res.SetRcode(req, dns.RcodeNameError)
+                res.Authoritative = true
+                res.RecursionAvailable = false
+
+                // Add a useful TXT record
+                header := dns.RR_Header{Name: req.Question[0].Name,
+                                        Class: dns.ClassINET,
+                                        Rrtype: dns.TypeTXT}
+                res.Ns = []dns.RR{&dns.TXT{header, []string{"Rejected query based on matched filters"}}}
+            } else {
+                h.acceptCounter.Inc(1)
+                res = h.resolver.Lookup(req)
+            }
+        } else if req.MsgHdr.Opcode == dns.OpcodeUpdate {
+            zone := req.Question[0].Name
+            debugMsg("Handling incoming update for zone " + zone)
+
+            res = new(dns.Msg)
+            res.SetReply(req)
+
+            // Authenticate the request
+            if req.IsTsig() != nil && response.TsigStatus() == nil {
+                sig := req.IsTsig()
+                debugMsg("Authenticated update request")
+
+                // Verify the tsig is for the correct zone
+                if sig.Hdr.Name != zone {
+                    res.SetRcode(req, dns.RcodeBadSig)
+                } else {
+                    res = h.updateManager.Update(zone, req)
+                }
+            } else {
+                debugMsg("Authentication failed")
+                res.SetRcode(req, dns.RcodeNotAuth)
+            }
         } else {
-            h.acceptCounter.Inc(1)
-            msg = h.resolver.Lookup(req)
+            res = new(dns.Msg)
+            res.SetReply(req)
+            res.SetRcode(req, dns.RcodeNotImplemented)
         }
 
-        if msg != nil {
-            err := response.WriteMsg(msg)
+        if res != nil {
+            err := response.WriteMsg(res)
             if err != nil {
                 debugMsg("Error writing message: ", err)
             }
@@ -94,20 +129,23 @@ func (s *Server) Run() {
     metrics.Register("request.handler.udp.filter_rejects", udpRejectCounter)
 
     resolver := Resolver{etcd: s.etcd, defaultTtl: s.defaultTtl}
+    updateManager := DynamicUpdateManager{etcd: s.etcd}
     tcpDNShandler := &Handler{
         resolver: &resolver,
         requestCounter: tcpRequestCounter,
         acceptCounter: tcpAcceptCounter,
         rejectCounter: tcpRejectCounter,
         responseTimer: tcpResponseTimer,
-        queryFilterer: s.queryFilterer}
+        queryFilterer: s.queryFilterer,
+        updateManager: &updateManager}
     udpDNShandler := &Handler{
         resolver: &resolver,
         requestCounter: udpRequestCounter,
         acceptCounter: udpAcceptCounter,
         rejectCounter: udpRejectCounter,
         responseTimer: udpResponseTimer,
-        queryFilterer: s.queryFilterer}
+        queryFilterer: s.queryFilterer,
+        updateManager: &updateManager}
 
     udpHandler := dns.NewServeMux()
     tcpHandler := dns.NewServeMux()
@@ -119,14 +157,16 @@ func (s *Server) Run() {
         Net:          "tcp",
         Handler:      tcpHandler,
         ReadTimeout:  s.rTimeout,
-        WriteTimeout: s.wTimeout}
+        WriteTimeout: s.wTimeout,
+        TsigSecret:   s.tsigSecret}
 
     udpServer := &dns.Server{Addr: s.Addr(),
         Net:          "udp",
         Handler:      udpHandler,
         UDPSize:      65535,
         ReadTimeout:  s.rTimeout,
-        WriteTimeout: s.wTimeout}
+        WriteTimeout: s.wTimeout,
+        TsigSecret:   s.tsigSecret}
 
     go s.start(udpServer)
     go s.start(tcpServer)