Addresses a bug in the file plugin where SOA queries to zone delegations
inappropriately returned the SOA for the delegating zone, and not a downward
referral to the delegated zone.
Here is an example of what I believe the expected downward referral in response
to a SOA query for a delegated zone should be (note that no SOA record is
returned):
~~~
; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @k.root-servers.net. miek.nl. SOA
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58381
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 7
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;miek.nl. IN SOA
;; AUTHORITY SECTION:
nl. 172800 IN NS ns1.dns.nl.
nl. 172800 IN NS ns2.dns.nl.
nl. 172800 IN NS ns3.dns.nl.
;; ADDITIONAL SECTION:
ns1.dns.nl. 172800 IN A 194.0.28.53
ns2.dns.nl. 172800 IN A 194.146.106.42
ns3.dns.nl. 172800 IN A 194.0.25.24
ns1.dns.nl. 172800 IN AAAA 2001:678:2c:0:194:0:28:53
ns2.dns.nl. 172800 IN AAAA 2001:67c:1010:10::53
ns3.dns.nl. 172800 IN AAAA 2001:678:20::24
~~~
See #3852 for the original fix.
Modified clouddns/route53 and removed the faulty tests there.
Signed-off-by: Miek Gieben <miek@miek.nl>
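The distinction the commit above draws, as an added example that is not CoreDNS code: a toy authoritative lookup for SOA queries that returns a downward referral (child NS in AUTHORITY, no SOA at all) at or below a zone cut, the apex SOA as the answer at the apex, and NODATA elsewhere. It assumes minimal `RR`/`Zone`/`Response` types instead of miekg/dns, a constructed `nl.` zone modelled on the dig output, and leaves out glue/ADDITIONAL and NXDOMAIN handling.

```go
package main

import "strings"

// Minimal types for this added example (assumption: no miekg/dns); glue/ADDITIONAL is omitted.
type RR struct{ Name, Type, Data string }
type Zone struct{ Origin string; RRs map[string][]RR } // records keyed by absolute owner name
type Response struct{ Answer, Authority []RR }
// SampleZone is a constructed nl. zone that delegates miek.nl. (cf. the dig output above).
func SampleZone() *Zone {
	return &Zone{Origin: "nl.", RRs: map[string][]RR{
		"nl.":      {{"nl.", "SOA", "ns1.dns.nl. hostmaster.dns.nl. 1 0 0 0 0"}, {"nl.", "NS", "ns1.dns.nl."}},
		"miek.nl.": {{"miek.nl.", "NS", "ns1.dns.nl."}, {"miek.nl.", "NS", "ns2.dns.nl."}},
		"dns.nl.":  {{"dns.nl.", "A", "192.0.2.1"}},
	}}
}
func (z *Zone) typed(name, t string) (out []RR) {
	for _, rr := range z.RRs[name] {
		if rr.Type == t {
			out = append(out, rr)
		}
	}
	return out
}
// delegation walks from the apex down towards qname and returns the NS set of
// the first owner below the apex that has one: the zone cut covering qname.
func (z *Zone) delegation(qname string) []RR {
	if qname == z.Origin || !strings.HasSuffix(qname, "."+z.Origin) {
		return nil // the apex itself, or a name outside this zone
	}
	labels := strings.Split(strings.TrimSuffix(qname, "."+z.Origin), ".")
	for i, name := len(labels)-1, z.Origin; i >= 0; i-- {
		name = labels[i] + "." + name
		if ns := z.typed(name, "NS"); len(ns) > 0 {
			return ns
		}
	}
	return nil
}
// LookupSOA: at or below a zone cut the reply is a downward referral (child NS in
// AUTHORITY, no SOA anywhere); at the apex the SOA is the answer; other names get NODATA.
func (z *Zone) LookupSOA(qname string) Response {
	if ns := z.delegation(qname); ns != nil {
		return Response{Authority: ns}
	}
	if qname == z.Origin {
		return Response{Answer: z.typed(z.Origin, "SOA")}
	}
	return Response{Authority: z.typed(z.Origin, "SOA")} // NODATA: SOA in AUTHORITY
}
```

The buggy behaviour the commit describes corresponds to the last branch being taken for `miek.nl.` instead of the first.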
Don't sign data we are not authoritative for. This adds an AuthWalk
which skips names we should not be authoritative for. Adds a few tests to
check this is the case. Generated zones have been compared to
dnssec-signzone.
A number of changes have been made:
* don't add DS records to the apex
* NSEC TTL is the SOA's minttl value (copying bind9)
* Various cleanups
* signer struct was cleaned up: doesn't need ttl, nor expiration or
inception.
* plugin/sign: remove apex stuff from names()
This is never used because we will always have other types in the
apex, because we *ADD* them ourselves, before we sign (DNSKEY, CDS and
CDNSKEY).
Signed-off-by: Miek Gieben <miek@miek.nl>
Co-Authored-By: Chris O'Haver <cohaver@infoblox.com>
* Move to CODEOWNERS
No change in who owns what; just a move to CODEOWNERS. This allows
dreck cleanups.
Added .dreck.yaml for alias and exec.
Fixes: #3486
Signed-off-by: Miek Gieben <miek@miek.nl>
* stickler bot
Signed-off-by: Miek Gieben <miek@miek.nl>
* sort the file
Signed-off-by: Miek Gieben <miek@miek.nl>
Caught my eye: we still name things directive, esp. when talking about
the prometheus *plugin*. Rename everything that needs to be plugin to
'plugin'. Also make sure Metrics is an H2 section (not H1).
Signed-off-by: Miek Gieben <miek@miek.nl>
Abstract the caddy call and make it simpler.
See #3261 for some part of the discussion.
Go from:
~~~ go
func init() {
	caddy.RegisterPlugin("any", caddy.Plugin{
		ServerType: "dns",
		Action:     setup,
	})
}
~~~
To:
~~~ go
func init() { plugin.Register("any", setup) }
~~~
This requires some external documents in coredns.io to be updated as
well; the old way still works, so it's backwards compatible.
Signed-off-by: Miek Gieben <miek@miek.nl>
This reloader didn't close the opened file handle. Add a close. Can't
use `defer` because this is in an endless loop.
Signed-off-by: Miek Gieben <miek@miek.nl>
* plugin/file: respond correctly to IXFR message
Respond with a single SOA record to an IXFR request if the SOA serials
match.
The added test fails on the current code with:
~~~
=== RUN TestIxfrResponse
--- FAIL: TestIxfrResponse (0.00s)
secondary_test.go:122: Expected answer section with single RR
FAIL
exit status 1
~~~
And obviously passes with the new code. This should cut down on the
weird number of zone transfers that I was seeing. At some point IXFR
support might be cool.
Fixes: #3176
Signed-off-by: Miek Gieben <miek@miek.nl>
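The IXFR rule from the commit above, as an added example that is not CoreDNS code: it compares the serial the client sent against the zone's serial and answers with a single SOA when nothing is to be transferred, otherwise with a full AXFR-style transfer. It goes slightly beyond the commit text by treating a client whose serial is the same *or newer* as up to date (RFC 1995) and by using RFC 1982 serial arithmetic for the comparison; the `RR`/`Zone` types, the constructed `example.org.` zone, and the fallback to a full transfer are assumptions of this example, not the plugin's own code.

```go
package main

// RR is a minimal record for this added example (assumption: no miekg/dns).
type RR struct{ Name, Type, Data string }

// Zone is a loaded zone: its apex SOA, that SOA's serial, and the other records.
type Zone struct {
	SOA    RR
	Serial uint32
	RRs    []RR
}

// SampleZone is a constructed example.org. zone at serial 2019061700.
func SampleZone() *Zone {
	return &Zone{
		SOA:    RR{"example.org.", "SOA", "ns1.example.org. hostmaster.example.org. 2019061700 7200 3600 1209600 3600"},
		Serial: 2019061700,
		RRs:    []RR{{"example.org.", "NS", "ns1.example.org."}, {"ns1.example.org.", "A", "192.0.2.53"}},
	}
}

// SerialNewer reports whether a is newer than b in RFC 1982 serial arithmetic:
// the difference is taken modulo 2^32 and a is newer if it lies in (0, 2^31).
func SerialNewer(a, b uint32) bool {
	return a != b && int32(a-b) > 0
}

// HandleIXFR builds the answer section for an IXFR query. clientSerial is the
// serial of the SOA the client placed in its AUTHORITY section (nil if it sent
// none). A client that is already at the same or a newer serial gets a reply
// consisting of one SOA record; anything else falls back to a full transfer in
// AXFR form: SOA, every other record, SOA.
func (z *Zone) HandleIXFR(clientSerial *uint32) []RR {
	if clientSerial != nil && !SerialNewer(z.Serial, *clientSerial) {
		return []RR{z.SOA} // "you are up to date": single SOA, no zone data
	}
	out := append([]RR{z.SOA}, z.RRs...)
	return append(out, z.SOA)
}
```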
* reuse code
Signed-off-by: Miek Gieben <miek@miek.nl>
* Slight tweaks
Signed-off-by: Miek Gieben <miek@miek.nl>
This can't be used in its current form; revert the entire PR.
Revert "fuzzing: allow setup function to be called (#3175)"
This reverts commit 62451fd3eb.
* fuzz: use gofuzz build tag instead of fuzz
Since go-fuzz does not support Go modules yet, vendor dependencies.
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* fuzz: avoid vendoring code for go-fuzz
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
Various fixes to make things less flaky:
* kubernetes: put klog.SetOutput in the setup function, not in the init
function to see if that helps
* file: make z.Expired a boolean instead of a pointer to a boolean
* test: fix TestSecondaryZoneTransfer test, which wasn't actually
testing in the right way. It's more right now, but may still be racy
(race introduced because of a file's lazy loading of zones)
Signed-off-by: Miek Gieben <miek@miek.nl>
* Fix corefile usage
* plugin/file: allow README.md testing
Allow readme testing for the file plugin and fix bugs that were found:
* the reader wasn't reset when re-reading the same io.Reader for a
different origin.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Update test/example_test.go
Co-Authored-By: Michael Grosser <development@stp-ip.net>
* plugin/file: simplify locking
Simplify the locking, remove the reloadMu and just piggyback on the
other lock for accessing content, which assumes things can be moved
underneath.
Copy the Apex and Zone to new vars to make sure the pointer isn't
updated from under us.
The reloadMu isn't needed at all; the time.Ticker firing while we're
reading means we will just miss that tick and get it on the next go.
Add rrutil subpackage and put some more generic functions in there, that
are now used from file and the tree package. This removes some
duplication.
Rename additionalProcessing, which didn't actually do that, to
externalLookup, because that's what's being done at some point.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Update plugin/file/lookup.go
Co-Authored-By: Michael Grosser <development@stp-ip.net>
After calling NewZone the number of records should be zero, but due to
how zone.All() was implemented, empty RRs would be added. This then
fails the == 0 check in xfr.go and puts nil in the slice, which then
subsequently panics on the Len().
Fix this by making All() smarter when adding records. Added a little test to
enforce this.
Signed-off-by: Miek Gieben <miek@miek.nl>
* plugin/file: Rename do to walk, cleanup and document
* This renames Do to Walk to be more in line with Go standards. Also make
it return an error instead of a bool.
Also give walk access to rrs. Alternatively e.m could be
exported, but just accessing the map of rrs should work as well. Another
alternative would be adding a whole bunch of helper functions, but
those need to grab and return the data. Just having access to the rrs
should be easiest for most Walks.
* It adds Type and TypeForWildcard to show the different functions
* *Removes* the identical RR check when inserting; this was only done
for A, AAAA and MX and not finished; removed under the mantra garbage
in garbage out.
* Reuses Types to return all the types in a *tree.Elem
Signed-off-by: Miek Gieben <miek@miek.nl>
* better comments
Signed-off-by: Miek Gieben <miek@miek.nl>
* plugin/file: fix setting ReloadInterval
The reload interval was only correctly set if there was an extra
block for the file. Move this down to set up.
Add test case that fails before, but now works.
Signed-off-by: Miek Gieben <miek@miek.nl>
* layout and use Errorf
Signed-off-by: Miek Gieben <miek@miek.nl>
* plugin/file: make non-existent file non-fatal
If the zone file being loaded doesn't exist *and* reload is enabled,
just wait for the file to pop up in the normal Reload routine.
If reload is set to 0s, we keep this a fatal error on startup. Also fix
the ticker in z.Reload(): remove the per second ticks and just use the
reload interval for the ticker.
Brush up the documentation a bit as well.
Fixes: #2951
Signed-off-by: Miek Gieben <miek@miek.nl>
* Stickler and test compile
Signed-off-by: Miek Gieben <miek@miek.nl>
* Remove there too
Signed-off-by: Miek Gieben <miek@miek.nl>
* Can't README test these because zone files don't exist
Signed-off-by: Miek Gieben <miek@miek.nl>
* file: close correctly after AXFR
Don't hijack, but wait for the writes to be done and then safely close
the connection.
Fixes: #2929
Signed-off-by: Miek Gieben <miek@miek.nl>
* Update comment
Signed-off-by: Miek Gieben <miek@miek.nl>
* file: close correctly after AXFR (#2943)
apply
Signed-off-by: Miek Gieben <miek@miek.nl>
* Update Caddy to 1.0.1, and update import path
This fix updates caddy to 1.0.1 and also
updates the import path to github.com/caddyserver/caddy
This fix fixes 2959
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
* Also update plugin.cfg
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
* Update and bump zplugin.go
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
`upstream` is not needed as a setting; just set it unconditionally and
remove all documentation and tests for it.
At some point we want to remove the handling for `upstream` as well and
error out on seeing it.
Signed-off-by: Miek Gieben <miek@miek.nl>
This fixes a long standing bug:
fixes: #1609
Load secondary zones in a go-routine; this required another mutex to
protect some fields; I think those were needed anyway because a
transfer can also happen when we're running; we just didn't have a test
for that situation.
The test had to be changed to wait for the transfer to happen as this is
async now.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Fully deprecate NO_RELOAD
Signed-off-by: Xiao An <hac@zju.edu.cn>
* Fully deprecate TIMEOUT
Signed-off-by: Xiao An <hac@zju.edu.cn>
* Update CI tests to adapt to the deprecation of TIMEOUT
Signed-off-by: Xiao An <hac@zju.edu.cn>
* Add documents for directive transfer in plugin auto
Signed-off-by: Xiao An <hac@zju.edu.cn>
* Remove context.Context from request.Request
This removes the context from request.Request and makes all the changes
in the code to make it compile again. It's all mechanical. It did
unearth some weirdness in that the context was kept in handler structs
which may cause havoc with concurrent handling of requests.
Fixes #2721
Signed-off-by: Miek Gieben <miek@miek.nl>
* Make test compile
Signed-off-by: Miek Gieben <miek@miek.nl>
Currently, there are some links that we access with **HTTP**, and they are
redirected to **HTTPS** automatically. So this commit aims to
replace **http://...** by **https://...** for security.
Co-Authored-By: Nguyen Phuong An <AnNP@vn.fujitsu.com>
Signed-off-by: Kim Bao Long <longkb@vn.fujitsu.com>
* Stop importing testing in the main binary
Stop importing "testing" into the main binary:
* test/helpers.go imported it; remove that and change function signature
* update all tests that use this
Signed-off-by: Miek Gieben <miek@miek.nl>
* Drop import testing from metrics plugin
Signed-off-by: Miek Gieben <miek@miek.nl>
* more fiddling
Signed-off-by: Miek Gieben <miek@miek.nl>
* Default to upstream to self
This is a backwards incompatible change.
This is a massive (cleanup) PR where we default to resolving external
names by the coredns process itself, instead of directly forwarding them
to some upstream.
This ignores any arguments `upstream` may have had and makes it depend
on proxy/forward configuration in the Corefile. This allows resolved
upstream names to be cached and we have better healthchecking of the
upstreams. It also means there is only one way to resolve names, by
either using the proxy or forward plugin.
The proxy/forward lookup.go functions have been removed. This also
lessens the dependency on proxy, meaning deprecating proxy will become
easier. Some tests have been removed as well, or moved to the top-level
test directory as they now require a full coredns process instead of
just the plugin.
For the etcd plugin, the entire StubZone resolving is *dropped*! This
was a hacky (but working) solution to say the least. If someone cares
deeply it can be brought back (maybe)?
The pkg/upstream is now very small and almost does nothing. Also the
New() function was changed to return a pointer to upstream.Upstream. It
also returns only one parameter, so any stragglers using it will
encounter a compile error.
All documentation has been adapted. This affected the following plugins:
* etcd
* file
* auto
* secondary
* federation
* template
* route53
A followup PR will make any upstream directives with arguments an error,
right now they are ignored.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Fix etcd build - probably still fails unit test
Signed-off-by: Miek Gieben <miek@miek.nl>
* Slightly smarter lookup check in upstream
Signed-off-by: Miek Gieben <miek@miek.nl>
* Compilez
Signed-off-by: Miek Gieben <miek@miek.nl>
* Fix EDNS0 compliance
Do SizeAndDo in the server (ScrubWriter) and remove all uses of this
from the plugins. Also *always* do it. This is to get into compliance
for https://dnsflagday.net/.
The pkg/edns0 now exports the EDNS0 options we understand; this is
exported to allow plugins add things there. The *rewrite* plugin used
this to add custom EDNS0 option codes that the server needs to
understand.
This also needs a new release of miekg/dns because it triggered a
race-condition that was basically there forever.
See:
* https://github.com/miekg/dns/issues/857
* https://github.com/miekg/dns/pull/859
Running a test instance and pointing https://ednscomp.isc.org/ednscomp
at it shows the tests are now fixed:
~~~
EDNS Compliance Tester
Checking: 'miek.nl' as at 2018-12-01T17:53:15Z
miek.nl. @147.75.204.203 (drone.coredns.io.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok
miek.nl. @2604:1380:2002:a000::1 (drone.coredns.io.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok
All Ok
Codes
ok - test passed.
~~~
Signed-off-by: Miek Gieben <miek@miek.nl>
Signed-off-by: Miek Gieben <miek@miek.nl>
* typos in comments
Signed-off-by: Miek Gieben <miek@miek.nl>