plugin/tsig: new plugin TSIG (#4957)

* expose tsig secrets via dnsserver.Config * add tsig plugin Signed-off-by: Chris O'Haver <cohaver@infoblox.com>
2025-10-27 08:14:18 -04:00 · 2022-06-27 15:48:34 -04:00
parent 64885950cc
commit 68e141eff2
14 changed files with 1112 additions and 3 deletions
--- a/core/dnsserver/config.go
+++ b/core/dnsserver/config.go
@@ -43,6 +43,9 @@ type Config struct {
 	// TLSConfig when listening for encrypted connections (gRPC, DNS-over-TLS).
 	TLSConfig *tls.Config

+	// TSIG secrets, [name]key.
+	TsigSecret map[string]string
+
 	// Plugin stack.
 	Plugin []plugin.Plugin

--- a/core/dnsserver/register.go
+++ b/core/dnsserver/register.go
@@ -156,6 +156,7 @@ func (h *dnsContext) MakeServers() ([]caddy.Server, error) {
 		c.Debug = c.firstConfigInBlock.Debug
 		c.Stacktrace = c.firstConfigInBlock.Stacktrace
 		c.TLSConfig = c.firstConfigInBlock.TLSConfig
+		c.TsigSecret = c.firstConfigInBlock.TsigSecret
 	}

 	// we must map (group) each config to a bind address
--- a/core/dnsserver/server.go
+++ b/core/dnsserver/server.go
@@ -44,6 +44,8 @@ type Server struct {
 	debug        bool               // disable recover()
 	stacktrace   bool               // enable stacktrace in recover error log
 	classChaos   bool               // allow non-INET class queries
+
+	tsigSecret map[string]string
 }

 // NewServer returns a new CoreDNS server and compiles all plugins in to it. By default CH class
@@ -54,6 +56,7 @@ func NewServer(addr string, group []*Config) (*Server, error) {
 		Addr:         addr,
 		zones:        make(map[string]*Config),
 		graceTimeout: 5 * time.Second,
+		tsigSecret: make(map[string]string),
 	}

 	// We have to bound our wg with one increment
@@ -73,6 +76,11 @@ func NewServer(addr string, group []*Config) (*Server, error) {
 		// set the config per zone
 		s.zones[site.Zone] = site

+		// copy tsig secrets
+		for key, secret := range site.TsigSecret {
+			s.tsigSecret[key] = secret
+		}
+
 		// compile custom plugin for everything
 		var stack plugin.Handler
 		for i := len(site.Plugin) - 1; i >= 0; i-- {
@@ -115,7 +123,7 @@ func (s *Server) Serve(l net.Listener) error {
 		ctx := context.WithValue(context.Background(), Key{}, s)
 		ctx = context.WithValue(ctx, LoopKey{}, 0)
 		s.ServeDNS(ctx, w, r)
-	})}
+	}), TsigSecret: s.tsigSecret}
 	s.m.Unlock()

 	return s.server[tcp].ActivateAndServe()
@@ -129,7 +137,7 @@ func (s *Server) ServePacket(p net.PacketConn) error {
 		ctx := context.WithValue(context.Background(), Key{}, s)
 		ctx = context.WithValue(ctx, LoopKey{}, 0)
 		s.ServeDNS(ctx, w, r)
-	})}
+	}), TsigSecret: s.tsigSecret}
 	s.m.Unlock()

 	return s.server[udp].ActivateAndServe()
--- a/core/dnsserver/zdirectives.go
+++ b/core/dnsserver/zdirectives.go
@@ -34,6 +34,7 @@ var Directives = []string{
 	"any",
 	"chaos",
 	"loadbalance",
+	"tsig",
 	"cache",
 	"rewrite",
 	"header",