plugin/dnssec/cache.go

package dnssec

import (
	"hash/fnv"
	"io"
	"time"

	"github.com/coredns/coredns/plugin/pkg/cache"

	"github.com/miekg/dns"
)

// hash serializes the RRset and returns a signature cache key.
func hash(rrs []dns.RR) uint64 {
	h := fnv.New64()
	// we need to hash the entire RRset to pick the correct sig, if the rrset
	// changes for whatever reason we should resign.
	// We could use wirefmt, or the string format, both create garbage when creating
	// the hash key. And of course is a uint64 big enough?
	for _, rr := range rrs {
		io.WriteString(h, rr.String())
	}
	return h.Sum64()
}

func periodicClean(c *cache.Cache, stop <-chan struct{}) {
	tick := time.NewTicker(8 * time.Hour)
	defer tick.Stop()
	for {
		select {
		case <-tick.C:
			// we sign for 8 days, check if a signature in the cache reached 75% of that (i.e. 6), if found delete
			// the signature
			is75 := time.Now().UTC().Add(sixDays)
			c.Walk(func(items map[uint64]interface{}, key uint64) bool {
				sig := items[key].(*dns.RRSIG)
				if !sig.ValidityPeriod(is75) {
					delete(items, key)
				}
				return true
			})

		case <-stop:
			return

		}
	}
}
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`package dnssec`

			`import (`
			`"hash/fnv"`
plugin/dnssec: Change hash key input (#4372) Make this vastly simpler and more efficient. Adding all the bytes and then letting loose fnv doesn't add anything and may actually do the wrong thing. See: #3953 Fixes: #3953 Signed-off-by: Miek Gieben <miek@miek.nl> 2021-01-10 08:30:00 +01:00			`"io"`
plugin/dnssec: use entire RRset as key input (#4537) * plugin/dnssec: use entire RRset as key input This uses the entire rrset as input for the hash key; this is to detect differences in the RRset and generate the correct signature. As this would then lead to unbounded growth, we periodically (every 8h) prune the cache of old entries. In theory we could rely on the random eviction, but it seems nicer to do this in a maintannce loop so that we remove the unused ones. This required adding a Walk function to the plugin/pkg/cache. Signed-off-by: Miek Gieben <miek@miek.nl> * Update plugin/dnssec/cache.go Co-authored-by: Chris O'Haver <cohaver@infoblox.com> Co-authored-by: Chris O'Haver <cohaver@infoblox.com> 2021-04-05 15:45:28 +02:00			`"time"`

			`"github.com/coredns/coredns/plugin/pkg/cache"`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00
			`"github.com/miekg/dns"`
			`)`

Fix some typos in comments. (#4100) Signed-off-by: Hu Shuai <hus.fnst@cn.fujitsu.com> 2020-09-01 15:10:45 +08:00			`// hash serializes the RRset and returns a signature cache key.`
Move cache Keys to 64bit for a better dispersion and lower collision frequency (#2077) * - change Key for cache to 64bits. * - change Key for cache to 64bits. 2018-08-31 17:26:43 -04:00			`func hash(rrs []dns.RR) uint64 {`
			`h := fnv.New64()`
plugin/dnssec: use entire RRset as key input (#4537) * plugin/dnssec: use entire RRset as key input This uses the entire rrset as input for the hash key; this is to detect differences in the RRset and generate the correct signature. As this would then lead to unbounded growth, we periodically (every 8h) prune the cache of old entries. In theory we could rely on the random eviction, but it seems nicer to do this in a maintannce loop so that we remove the unused ones. This required adding a Walk function to the plugin/pkg/cache. Signed-off-by: Miek Gieben <miek@miek.nl> * Update plugin/dnssec/cache.go Co-authored-by: Chris O'Haver <cohaver@infoblox.com> Co-authored-by: Chris O'Haver <cohaver@infoblox.com> 2021-04-05 15:45:28 +02:00			`// we need to hash the entire RRset to pick the correct sig, if the rrset`
			`// changes for whatever reason we should resign.`
			`// We could use wirefmt, or the string format, both create garbage when creating`
			`// the hash key. And of course is a uint64 big enough?`
			`for _, rr := range rrs {`
			`io.WriteString(h, rr.String())`
			`}`
			`return h.Sum64()`
			`}`

			`func periodicClean(c *cache.Cache, stop <-chan struct{}) {`
			`tick := time.NewTicker(8 * time.Hour)`
			`defer tick.Stop()`
			`for {`
			`select {`
			`case <-tick.C:`
			`// we sign for 8 days, check if a signature in the cache reached 75% of that (i.e. 6), if found delete`
			`// the signature`
			`is75 := time.Now().UTC().Add(sixDays)`
			`c.Walk(func(items map[uint64]interface{}, key uint64) bool {`
			`sig := items[key].(*dns.RRSIG)`
			`if !sig.ValidityPeriod(is75) {`
			`delete(items, key)`
			`}`
			`return true`
			`})`

			`case <-stop:`
			`return`

			`}`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
			`}`