plugin/dnssec: use entire RRset as key input (#4537)

* plugin/dnssec: use entire RRset as key input

This uses the entire rrset as input for the hash key; this is to detect
differences in the RRset and generate the correct signature.

As this would then lead to unbounded growth, we periodically (every 8h)
prune the cache of old entries. In theory we could rely on the random
eviction, but it seems nicer to do this in a maintannce loop so that we
remove the unused ones. This required adding a Walk function to the
plugin/pkg/cache.

Signed-off-by: Miek Gieben <miek@miek.nl>

* Update plugin/dnssec/cache.go

Co-authored-by: Chris O'Haver <cohaver@infoblox.com>

Co-authored-by: Chris O'Haver <cohaver@infoblox.com>

plugin/dnssec/README.md

@@ -31,8 +31,11 @@ ZSK/KSK split. All signing operations are done online.
 Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm
 is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is *not* supported.
 
+As the *dnssec* plugin can't see the original TTL of the RRSets it signs, it will always use 3600s
+as the value.
+
 If multiple *dnssec* plugins are specified in the same zone, the last one specified will be
-used (See [bugs](#bugs)).
+used.
 
 * **ZONES** zones that should be signed. If empty, the zones from the configuration block
     are used.

plugin/dnssec/cache.go

@@ -3,8 +3,9 @@ package dnssec
 import (
 	"hash/fnv"
 	"io"
-	"strconv"
-	"strings"
+	"time"
+
+	"github.com/coredns/coredns/plugin/pkg/cache"
 
 	"github.com/miekg/dns"
 )
@@ -12,16 +13,36 @@ import (
 // hash serializes the RRset and returns a signature cache key.
 func hash(rrs []dns.RR) uint64 {
 	h := fnv.New64()
-	// Only need this to be unique for ownername + qtype (+class), but we
-	// only care about IN. Its already an RRSet, so the ownername is the
-	// same as is the qtype. Take the first one and construct the hash
-	// string that creates the key
-	io.WriteString(h, strings.ToLower(rrs[0].Header().Name))
-	typ, ok := dns.TypeToString[rrs[0].Header().Rrtype]
-	if !ok {
-		typ = "TYPE" + strconv.FormatUint(uint64(rrs[0].Header().Rrtype), 10)
+	// we need to hash the entire RRset to pick the correct sig, if the rrset
+	// changes for whatever reason we should resign.
+	// We could use wirefmt, or the string format, both create garbage when creating
+	// the hash key. And of course is a uint64 big enough?
+	for _, rr := range rrs {
+		io.WriteString(h, rr.String())
+	}
+	return h.Sum64()
+}
+
+func periodicClean(c *cache.Cache, stop <-chan struct{}) {
+	tick := time.NewTicker(8 * time.Hour)
+	defer tick.Stop()
+	for {
+		select {
+		case <-tick.C:
+			// we sign for 8 days, check if a signature in the cache reached 75% of that (i.e. 6), if found delete
+			// the signature
+			is75 := time.Now().UTC().Add(sixDays)
+			c.Walk(func(items map[uint64]interface{}, key uint64) bool {
+				sig := items[key].(*dns.RRSIG)
+				if !sig.ValidityPeriod(is75) {
+					delete(items, key)
+				}
+				return true
+			})
+
+		case <-stop:
+			return
+
+		}
 	}
-	io.WriteString(h, typ)
-	i := h.Sum64()
-	return i
 }

plugin/dnssec/setup.go

@@ -24,6 +24,17 @@ func setup(c *caddy.Controller) error {
 	}
 
 	ca := cache.New(capacity)
+	stop := make(chan struct{})
+
+	c.OnShutdown(func() error {
+		close(stop)
+		return nil
+	})
+	c.OnStartup(func() error {
+		go periodicClean(ca, stop)
+		return nil
+	})
+
 	dnsserver.GetConfig(c).AddPlugin(func(next plugin.Handler) plugin.Handler {
 		return New(zones, keys, splitkeys, next, ca)
 	})