The coredns/caddy lexer replaces invalid UTF‑8 bytes in tokens with
U+FFFD. When that lossy-decoded value is used as `dbfile` in the sign
plugin, the source zone file path never exists. On startup/refresh,
the `resign()` function sees the signed file missing and triggers
signing. Consequently `Sign()` then fails opening the bogus path,
the signed file is never created, and the cycle repeats across all
expanded origins (e.g., reverse CIDRs), causing unbounded churn/OOM.
Validate `dbfile` in setup and error if it contains U+FFFD. Add a
regression test.
Note: Unicode paths are supported; only U+FFFD (replacement-rune) is rejected.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Make normalize return multiple "hosts" (= reverse zones) when a
non-octet boundary cidr is given.
Added pkg/cidr package that holds the cidr calculation routines; felt
they didn't really fit dnsutil.
This change means the IPNet return parameter isn't needed, the hosts are
all correct. The tests that tests this is also removed: TestSplitHostPortReverse
The fallout was that zoneAddr _also_ doesn't need the IPNet member, that
in turn make it visible that zoneAddr in address.go duplicated a bunch
of stuff from register.go; removed/refactored that too.
Created a plugin.OriginsFromArgsOrServerBlock to help plugins do the
right things, by consuming ZONE arguments; this now expands reverse
zones correctly. This is mostly mechanical.
Remove the reverse test in plugin/kubernetes which is a copy-paste from
a core test (which has since been fixed).
Remove MustNormalize as it has no plugin users.
This change is not backwards compatible to plugins that have a ZONE
argument that they parse in the setup util.
All in-tree plugins have been updated.
Signed-off-by: Miek Gieben <miek@miek.nl>
* For caddy v1 in our org
This RP changes all imports for caddyserver/caddy to coredns/caddy. This
is the v1 code of caddy.
For the coredns/caddy repo the following changes have been made:
* anything not needed by us is deleted
* all `telemetry` stuff is deleted
* all its import paths are also changed to point to coredns/caddy
* the v1 branch has been moved to the master branch
* a v1.1.0 tag has been added to signal the latest release
Signed-off-by: Miek Gieben <miek@miek.nl>
* Fix imports
Signed-off-by: Miek Gieben <miek@miek.nl>
* Group coredns/caddy with out plugins
Signed-off-by: Miek Gieben <miek@miek.nl>
* remove this file
Signed-off-by: Miek Gieben <miek@miek.nl>
* Relax import ordering
github.com/coredns is now also a coredns dep, this makes
github.com/coredns/caddy fit more natural in the list.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Fix final import
Signed-off-by: Miek Gieben <miek@miek.nl>
* add expiration jitter
Signed-off-by: Miek Gieben <miek@miek.nl>
* sign: add expiration jitter
This PR adds a expiration jitter to spread out zone re-signing even
more. The max is 5 extra days added when creating the signer for a
specific zone.
Also make the duration* constants private to clean up the godoc for this
plugin.
Signed-off-by: Miek Gieben <miek@miek.nl>
Abstract the caddy call and make it simpler.
See #3261 for some part of the discussion.
Go from:
~~~ go
func init() {
caddy.RegisterPlugin("any", caddy.Plugin{
ServerType: "dns",
Action: setup,
})
}
~~~
To:
~~~ go
func init() { plugin.Register("any", setup) }
~~~
This requires some external documents in coredns.io to be updated as
well; the old way still works, so it's backwards compatible.
Signed-off-by: Miek Gieben <miek@miek.nl>
* plugin/sign: a plugin that signs zones
Sign is a plugin that signs zone data (on disk). The README.md details
what exactly happens to should be accurate related to the code.
Signs are signed with a CSK, resigning and first time signing is all
handled by *sign* plugin.
Logging with a test zone looks something like this:
~~~ txt
[INFO] plugin/sign: Signing "miek.nl." because open plugin/sign/testdata/db.miek.nl.signed: no such file or directory
[INFO] plugin/sign: Signed "miek.nl." with key tags "59725" in 11.670985ms, saved in "plugin/sign/testdata/db.miek.nl.signed". Next: 2019-07-20T15:49:06.560Z
[INFO] plugin/file: Successfully reloaded zone "miek.nl." in "plugin/sign/testdata/db.miek.nl.signed" with serial 1563636548
[INFO] plugin/sign: Signing "miek.nl." because resign was: 10m0s ago
[INFO] plugin/sign: Signed "miek.nl." with key tags "59725" in 2.055895ms, saved in "plugin/sign/testdata/db.miek.nl.signed". Next: 2019-07-20T16:09:06.560Z
[INFO] plugin/file: Successfully reloaded zone "miek.nl." in "plugin/sign/testdata/db.miek.nl.signed" with serial 1563637748
~~~
Signed-off-by: Miek Gieben <miek@miek.nl>
* Adjust readme and remove timestamps
Signed-off-by: Miek Gieben <miek@miek.nl>
* Comment on the newline
Signed-off-by: Miek Gieben <miek@miek.nl>
* Update plugin/sign/README.md
Co-Authored-By: Michael Grosser <development@stp-ip.net>
