* middleware/file: add DNSSEC support
Add tests for DNSSEC and check if everything is working.
* add signatures
* tweak
* Add DNSSEC signing tests for DNAME
* Just sign it all
When CoreDNS starts up and can't get a zone transfer going the Apex is
empty. This `nil` is then transformed into wireformat, which fails with
a nil pointer dereference in Go DNS.
In this case we should just return SERVFAIL, because we don't have any
info (yet). Note the lookup code returned NXDOMAIN, which is correct
from a lookup standpoint, but also invalidates every name in the future
loaded zone.
Anyway, look for an apex before doing the lookup and return SERVFAIL if
nothing is found.
Fixes#679
Limit the options in both errors and log middleware, just output to
stdout and let someone else (journald,docker) care about where to route
the logs. This removes syslog and logging to a file.
Fixes#573#602
* Add external service cnames
* remove cruft
* update CI k8s version
* change CI k8s version
* min k8s ver for ext services
* trying k8s 1.5
* k8s 1.5 requires ports spec
* remove kruft
* update dns schema version
* Test DNAME handling
If the DNAME itself matches the QTYPE, and the owner name matches QNAME,
the relevant DNAME RR should be included in the answer section.
Other parts of RFC 6672 are not implemented yet and hence left untested.
* Implement the DNAME substitution
As specified in RFC 6672, a DNAME substitution is performed by replacing
the suffix labels of the name being sought matching the owner name of
the DNAME resource record with the string of labels in the RDATA field.
The matching labels end with the root label in all cases. Only whole
labels are replaced.
* Handle DNAME redirection
A CNAME RR is created on-the-fly for the DNAME redirection. Be aware
that we do not have all the edge cases covered yet.
* Test DNAME owner name matching the QNAME
A DNAME RR redirects DNS names subordinate to its owner name; the owner
name of a DNAME is NOT redirected itself.
* Ignore names next to and below a DNAME record
According to RFC 6672, resource records MUST NOT exist at any subdomain
of the owner of a DNAME RR. When loading a zone, those names below the
DNAME RR will be quietly ignored.
* Streamline DNAME processing
Instead of checking DNAMEs during lookup, we use a preloaded list of
DNAME RRs to streamline the process without any runtime performance
penalty:
* When loading the zone, keep a record of any DNAME RRs.
* If there aren't any DNAMEs in the zone, just do the lookup as usual.
* Only when the zone has one or more DNAME records, we look for the
matching DNAME and ignore confronting subdomain(s) in the process.
* Make it easier to trace back through test errors
* Make DNAME handling part of lookup routine
DNAME processing is invoked only if the zone has at least one DNAME RR.
* Put DNAME resolution inside the searching of a hit
We can drop some of the other ideas; we don't need to track if we
have DNAMEs in the zone it just follows naturally from the current
lookup code.
See also: #664
* commit for testing in cluster
* commit for testing in cluster
* refactor and add ns.dns record
* Release 007
* reduce heap allocations
* gofmt
* revert accidental Makefile commits
* restore prior rcode for disabled pod mode
* revert Makefile deltas
* add unit tests
* more unit tests
* make isRequestInReverseRange easier to test
* more unit tests
* addressing review feedback
* commit setup.go
* middleware/chaos: fix version
Move the version setting into a init function so it is done early. Then
tweak the setup code for chaos a bit to correctly pick this version up.
Add an integration test to pick this up in the toplevel test/ directory.
Fixes#667
* Update tests
* middleware/file: correctly parse the stanza
Parsing the file stanza would give precedence to 'transfer' and ignore
other bits if it wasn't specified.
This change fixes the parsing. The actually external CNAME retrieval is
working fine (once the upstream is correctly parsed).
This wasn't caught in tests, because we lack a parsing test for this.
Fixes#657
* Add tests
Check message for expired sig and don't cache those.
Aside: This hack of caching entire messages is probably something we
should stop doing at some point in the future and do this on a per RRset
basis.
Fixes#367#635
* Revert "middleware/proxy: Make Unhealthy a pointer (#615)"
This reverts commit acbf522ceb.
* middleware/proxy: add proper locking
This add the proper locking around `Unhealthy`.
This method parses the Host field in the service. It returns 1 or 3
things 1) it is a host 2) an IPv4 address or an 3) IPv6 address.
This simplifies some code a bit and allows for 1 way of parsing the Host
field.
This *only* parse the Host field, Mail and/or Text values should be
checked separately.
We reuse the dns.TypeXXX values for this as to not invent anything new.
* Add fallthrough support for Kubernetes
This enables registering other services in the same zone as
Kubernetes services. This also re-orders the middleware chain
so that Kubernetes comes before other types, in order to make
this work out-of-the-box.
* Remove extra line
* Implements tracing in the native gRPC server
* Undo some unnecessary changes
* Properly revert trace/setup.go this time
* Some very very basic tests
* Remove warning for non-Trace middleware
Pointer updates are atomic so drop the sync.RWMutex as it is not needed
anymore. This also fixes the race introduced with dfc71df (although I
believe this is the first time we properly tested that code path).
There was no inherent reason *not* to allow multiple listeners for the
monitoring data. Actually enforcing only one listener lead to more code
then just allowing multiple. It's probably not what you want; but
CoreDNS is happy to oblige.
* add proxy tcp
* add truncated for tcp to udp response
* move truncation to scrubbing
* add test that executes upstream over tcp
* middleware/proxy: some tweaks
rename force-tcp to force_tcp to be inline with the rest and use
a dnsOptions struct to put the options in to allow it to be extended.
Add some parse tests as well.
* Fix test and rename dnsOptions Options
According to the code, the default health check interval is 30 seconds,
not 10 as stated in the documentation. (The alternative would be to
adjust the interval in the code.)
* core: add listening for other protocols
Allow CoreDNS to listen for TLS request coming over port 853. This can
be enabled with `tls://` in the config file.
Implement listening for grps:// as well.
a Corefile like:
~~~
. tls://.:1853 {
whoami
tls
}
~~~
Means we listen on 1853 for tls requests, the `tls` config item allows
configuration for TLS parameters. We *might* be tempted to use Caddy's
Let's Encrypt implementation here.
* Refactor coredns/grpc into CoreDNS
This makes gRPC a first class citizen in CoreDNS. Add defines as being
just another server.
* some cleanups
* unexport the servers
* Move protobuf dir
* Hook up TLS properly
* Fix test
* listen for TLS as well. README updates
* disable test, fix package
* fix test
* Fix tests
* Fix remaining test
* Some tests
* Make the test work
* Add grpc test from #580
* fix crash
* Fix tests
* Close conn
* README cleanups
* README
* link RFC
* Add edns0 code rewrite
* check arg count
* change `new`; set EDNS0 if request doesn't have it set
* change set to replace_or_append
* change to append_or_replace
* return error in new
* update documents
* fixt UT
* return error
* go fmt
* Rework for more general EDNS0 use
Also changed how rules are created and validated. Implements
EDNS0 NSID in addition to local.
* go fmt
* README updates, NSID tests and fixes
* gofmt -s -w
* Fix tests for rewrite syntax change
* Add tests, fix error message
* Review nits
* Missed on nit
* More tests, integration test, fix edns0 parse issue
* Fix README, use RewriteIgnored
* go fmt
In both etcd and k8s don't error log NXDOMAIN as this log spams the logs
for no good reason.
Fixes#568
Better long term solution is log rate limiting for both *log* and
*error*.
This fix updates the Makefile to add the `go lint` check
for the build. This fix also fixes several go lint issues.
NOTE: This fix does not enforce `go lint` (suggestion only).
This fix also ignores the `go lint` error:
```
middleware/middleware.go:72:1: context.Context should be the first parameter of a function
```
as it requires too many changes in API.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
* checkpoint
* Pass context through ServeDNS, enable gRPC tracing
* Fix types and make tracer available to proxy. go fmt
* Fix imports
* Use the DoNotStartTrace option
* Change to SpanFilter from DoNotStartTrace
* Use new name (IncludeSpan)
* Final names
* Add tests; fix possible client/conn leaks in grpc
* go fmt
