WIP: (A/I)XFR-in/out (with TSIG), NOTIFY-in/out + demo zone persistence. #335
Draft: ximon18 wants to merge 93 commits into service-layering from xfr
…al I/O errors occur (such as the other end has disconnected) and for not aborting response stream processing if there is no space in the write queue. These issues were hit when testing with the default dig timeout of 5 seconds and a large zone that took a while to start transferring.
…very many Tokio tasks, otherwise we compete with other actions being performed by the application. Instead use a dedicated thread pool for zone walking for AXFR transfers. Also use a Tokio unbounded receiver stream instead of an ordered futures stream to avoid creating N boxed futures, to avoid a mutex lock around the stream, and to avoid waiting for the initial zone walk to finish before sending any AXFR records.
…imited support for A/IXFR in/out and NOTIFY, e.g. doesn't honor RETRY or EXPIRE SOA timers yet, and needs a lot of cleaning up. Has been seen successfully exchanging zones with NSD via XFR acting both as primary and secondary.
Relevant changes:
- Adds net::client::auth: a new client layer for doing TSIG request signing and response validation.
- Extends Catalog to use net::client::auth.
- Add Message::is_streaming() and ComposeRequest::is_streaming() which return true if the QTYPE of the first question indicates a type of request which may cause a stream of responses instead of a single response, limited to AXFR and IXFR at the moment.
- Adds GetResponse::stream_complete() and GetResponse::is_stream_complete() to signal from a caller that the last message of a response stream has been seen (as only the caller can know this, the DNS protocol does not include a general purpose end marker for response streams if the TCP stream is kept open for further use) as TSIG stream validation needs to know when the last message of the stream has been encountered.
- Factors the code of ComposeRequest::to_message() out to the call sites (cache.rs, dgram.rs) and removes ComposeRequest::to_vec() as they were not compatible with net::client::auth.
- Extends Request::is_answer() to NOT require AXFR subsequent responses to have a question (as it is optional per RFC 5936).
- Extends net::client::stream to support more than a single response to a single request:
  - Adds Config::set_streaming_response_timeout() and Config::set_initial_idle_timeout().
  - Adds Request::stream_complete.
  - Extends send_request() to behave differently if ComposeRequest::is_streaming() is true.
- Preserves
- Extends the serve-zone example to pass a key store with a hard-coded HMAC-SHA256 TSIG key to the Catalog.
Unrelated changes:
- Also extend the serve-zone example to persist a zone to disk on commit, and optionally load it at startup.
- Removes an unnecessary problematic Clone bound on impl SendRequest for Connection in dgram.rs.
- Adds impl Display for net::client::stream::ConnState.
- Logs at trace level the reason a net::client::stream is closed.
- Logs failed handling of NOTIFY requests and returns an error to the client instead of panicking.
- Logs XFR-in progress.
- Replace the large match data block in Catalog with much simpler code.
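The is_streaming() check described in the commit above keys off the QTYPE of the first question. The following is an added example, not code from the domain crate or from this pull request: it parses the header and first question of a wire-format DNS message and reports whether the request may produce a response stream (AXFR or IXFR). The build_query helper and the sample messages in main are constructed for the example, and the message layout it assumes is the standard RFC 1035 header and question format.

```rust
// Added example (not code from the domain crate). Decides whether a DNS
// request may produce a stream of responses by reading the QTYPE of the
// first question, as the commit describes for Message::is_streaming().
// Only AXFR (252) and IXFR (251) count as streaming request types.

const QTYPE_IXFR: u16 = 251;
const QTYPE_AXFR: u16 = 252;

/// Returns the QTYPE of the first question, or None if the message is
/// truncated, malformed, or carries no question section.
pub fn first_qtype(msg: &[u8]) -> Option<u16> {
    // Header is 12 bytes; QDCOUNT lives at offset 4..6.
    if msg.len() < 12 {
        return None;
    }
    let qdcount = u16::from_be_bytes([msg[4], msg[5]]);
    if qdcount == 0 {
        return None;
    }
    // Walk the QNAME labels: each label is a length byte followed by that
    // many bytes, terminated by a zero-length label. A compression pointer
    // (top two bits set) is rejected here rather than followed.
    let mut pos = 12;
    loop {
        let len = *msg.get(pos)? as usize;
        if (len & 0xC0) != 0 {
            return None;
        }
        pos += 1;
        if len == 0 {
            break;
        }
        pos += len;
        if pos > msg.len() {
            return None;
        }
    }
    // QTYPE is the two bytes directly after the name.
    let hi = *msg.get(pos)?;
    let lo = *msg.get(pos + 1)?;
    Some(u16::from_be_bytes([hi, lo]))
}

/// True when the first question is an AXFR or IXFR request.
pub fn is_streaming(msg: &[u8]) -> bool {
    matches!(first_qtype(msg), Some(QTYPE_AXFR) | Some(QTYPE_IXFR))
}

/// Builds a minimal standard query (constructed sample input) for the
/// given labels, with the given QTYPE and class IN.
pub fn build_query(id: u16, labels: &[&str], qtype: u16) -> Vec<u8> {
    let mut out = Vec::new();
    out.extend_from_slice(&id.to_be_bytes());
    out.extend_from_slice(&[0x00, 0x00]); // flags: standard query
    out.extend_from_slice(&1u16.to_be_bytes()); // QDCOUNT = 1
    out.extend_from_slice(&[0, 0, 0, 0, 0, 0]); // AN/NS/AR counts = 0
    for label in labels {
        out.push(label.len() as u8);
        out.extend_from_slice(label.as_bytes());
    }
    out.push(0); // root label terminates the name
    out.extend_from_slice(&qtype.to_be_bytes());
    out.extend_from_slice(&1u16.to_be_bytes()); // class IN
    out
}

fn main() {
    let axfr = build_query(1, &["example", "com"], QTYPE_AXFR);
    let soa = build_query(2, &["example", "com"], 6);
    println!("AXFR request streaming: {}", is_streaming(&axfr));
    println!("SOA request streaming:  {}", is_streaming(&soa));
}
```

The parser refuses rather than guesses on anything it cannot fully read, which matters because the streaming decision changes how long a connection is kept open and when TSIG stream validation expects the last message.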
ximon18 changed the title from "WIP: (A/I)XFR-in/out, NOTIFY-in/out and TSIG support." to "WIP: (A/I)XFR-in/out (with TSIG), NOTIFY-in/out" on Jun 11, 2024
ximon18 changed the title from "WIP: (A/I)XFR-in/out (with TSIG), NOTIFY-in/out" to "WIP: (A/I)XFR-in/out (with TSIG) and NOTIFY-in/out" on Jun 11, 2024
ximon18 changed the title from "WIP: (A/I)XFR-in/out (with TSIG) and NOTIFY-in/out" to "WIP: (A/I)XFR-in/out (with TSIG), NOTIFY-in/out + demo zone persistence." on Jun 11, 2024
…ded by Stelline XFR tests (to make requests using the Stelline client instead of a real client).
…n. Currently seems to break some other Stelline tests.
- Batch as many RRs per AXFR response as will fit.
- Support backward compatible AXFR out (one RRset per response) if configured for the client IP.
- Reject AXFR over UDP unless we're (a) transferring the entire zone for IXFR because there is no diff available, and (b) (TODO) the response fits in a single datagram.
- Disable the TCP idle timer while in a transaction to avoid timing out XFR responses (especially in Tokio paused time test mode but could also occur normally).
- Honour stream shutdown in the Stelline ClientServerChannel to avoid a never ending test.
- Use 127.0.0.1 as the client in Stelline server tests, not ::.
- Support EXTRA_PACKET in Stelline SECTION ANSWER blocks for streaming response matching.
- Add an initial IXFR Stelline test.
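The first three items above (batching RRs per response, a one-RR-per-response compatibility mode, and refusing AXFR over UDP unless a full zone fits in one datagram) can be modelled as a small planning step. The block below is an added example written for this page, not code from the domain crate or this pull request. It works on RR wire sizes rather than real records, and the MSG_OVERHEAD constant, the Transport and XfrDecision types and the sample sizes in main are all assumptions made for the example.

```rust
// Added example (not code from the domain crate). Plans how a zone
// transfer response is split into messages, and whether UDP may be used,
// following the policy described in the commit message.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Transport {
    Udp,
    Tcp,
}

#[derive(Debug, PartialEq, Eq)]
pub enum XfrDecision {
    /// Send these batches of RR indices, one response message per batch.
    Send(Vec<Vec<usize>>),
    /// Refuse the UDP request; the client is expected to retry over TCP.
    RefusedUdp,
}

/// Bytes every response carries before any RR: a 12-byte header plus the
/// echoed question (assumed here to be "example.com. IN AXFR", 17 bytes).
const MSG_OVERHEAD: usize = 12 + 17;

/// Greedily packs RRs (given their wire sizes) into responses of at most
/// `max_msg_size` bytes. With `one_rr_per_response` set (the backward
/// compatible mode some clients need), each RR gets its own response.
/// An RR too large even for an empty message still gets its own batch so
/// that no RR is silently dropped; the transport check below catches it.
pub fn batch_rrs(rr_sizes: &[usize], max_msg_size: usize, one_rr_per_response: bool) -> Vec<Vec<usize>> {
    let mut batches = Vec::new();
    let mut current: Vec<usize> = Vec::new();
    let mut used = MSG_OVERHEAD;
    for (i, &size) in rr_sizes.iter().enumerate() {
        let fits = used + size <= max_msg_size;
        if one_rr_per_response || (!fits && !current.is_empty()) {
            if !current.is_empty() {
                batches.push(std::mem::take(&mut current));
            }
            used = MSG_OVERHEAD;
        }
        current.push(i);
        used += size;
    }
    if !current.is_empty() {
        batches.push(current);
    }
    batches
}

/// Decides how to answer a transfer request. `full_zone_for_ixfr` is true
/// when an IXFR is being answered with the whole zone because no diff is
/// available; that is the only case in which UDP is acceptable, and then
/// only when the entire response fits into a single datagram.
pub fn plan_transfer(
    transport: Transport,
    full_zone_for_ixfr: bool,
    rr_sizes: &[usize],
    max_msg_size: usize,
    one_rr_per_response: bool,
) -> XfrDecision {
    match transport {
        Transport::Tcp => XfrDecision::Send(batch_rrs(rr_sizes, max_msg_size, one_rr_per_response)),
        Transport::Udp => {
            let total: usize = MSG_OVERHEAD + rr_sizes.iter().sum::<usize>();
            if full_zone_for_ixfr && total <= max_msg_size {
                XfrDecision::Send(batch_rrs(rr_sizes, max_msg_size, one_rr_per_response))
            } else {
                XfrDecision::RefusedUdp
            }
        }
    }
}

fn main() {
    // Constructed sample zone: six RRs with these wire sizes in bytes.
    let zone = [40, 30, 30, 60, 200, 100];
    println!("TCP, 256-byte messages: {:?}", plan_transfer(Transport::Tcp, false, &zone, 256, false));
    println!("TCP, one RR per message: {:?}", plan_transfer(Transport::Tcp, false, &zone, 256, true));
    println!("UDP, plain AXFR: {:?}", plan_transfer(Transport::Udp, false, &zone, 512, false));
    println!("UDP, IXFR fallback that fits: {:?}", plan_transfer(Transport::Udp, true, &zone[..2], 512, false));
}
```

Keeping the UDP check on the total size rather than on the batch count is deliberate: a single oversized RR produces one batch but still does not fit a datagram, and the only safe answer for UDP in that case is to refuse.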
Changed and fixed the data structures and logic for XFR diffs, also enabling received IXFRs to be kept as diffs. Changed how a connection factory is passed to the Catalog to enable it to be replaced with Stelline transports when testing. Renamed ZoneType to ZoneConfig. Add support for "allow-notify" and "request-xfr" in Stelline server configs. Add support for specifying the Stelline request OPCODE. Added a get_rrset() fn to WritableZoneNode.
…nd testable) via use of fixed null random.
The transmit loop looped from 0..max_retries _exclusive_, so with the default max_retries value of 5 it would go round the loop 5 times, i.e. 1 try and 4 retries, not 5 retries. This commit adjusts the logic and allowed minimum value to match the actual behaviour. This commit also fixes a typo in the word "capped" in the doc strings.
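The off-by-one described in the commit above is easy to see side by side. The following is an added example, not code from the domain crate or this pull request: the two loop shapes are driven by the same constructed fallible sender so that the attempt counts can be compared, and the Outcome type and flaky_sender helper are assumptions made for the example.

```rust
// Added example (not code from the domain crate). A loop written as
// `for _ in 0..max_retries` makes max_retries attempts in total, i.e. one
// try plus (max_retries - 1) retries; the corrected inclusive loop makes
// one try plus exactly max_retries retries. Both are shown here.

#[derive(Debug, PartialEq, Eq)]
pub enum Outcome {
    Ok { attempts: usize },
    GaveUp { attempts: usize },
}

/// The shape of the loop before the fix: `0..max_retries` is exclusive,
/// so with max_retries = 0 the body never runs and nothing is sent at all,
/// which is why the allowed minimum value also had to change.
pub fn transmit_before_fix<F: FnMut() -> bool>(max_retries: usize, mut send: F) -> Outcome {
    let mut attempts = 0;
    for _ in 0..max_retries {
        attempts += 1;
        if send() {
            return Outcome::Ok { attempts };
        }
    }
    Outcome::GaveUp { attempts }
}

/// The corrected loop: one initial try plus exactly max_retries retries.
pub fn transmit_fixed<F: FnMut() -> bool>(max_retries: usize, mut send: F) -> Outcome {
    let mut attempts = 0;
    for _ in 0..=max_retries {
        attempts += 1;
        if send() {
            return Outcome::Ok { attempts };
        }
    }
    Outcome::GaveUp { attempts }
}

/// Constructed sender that fails `failures` times and then succeeds.
pub fn flaky_sender(failures: usize) -> impl FnMut() -> bool {
    let mut remaining = failures;
    move || {
        if remaining == 0 {
            true
        } else {
            remaining -= 1;
            false
        }
    }
}

fn main() {
    // A peer that needs five failures before it answers: the old loop
    // gives up after five attempts, the fixed loop succeeds on the sixth.
    println!("before fix: {:?}", transmit_before_fix(5, flaky_sender(5)));
    println!("fixed:      {:?}", transmit_fixed(5, flaky_sender(5)));
    println!("before fix, max_retries = 0: {:?}", transmit_before_fix(0, flaky_sender(0)));
    println!("fixed, max_retries = 0:      {:?}", transmit_fixed(0, flaky_sender(0)));
}
```

The bound on attempts is also a resource limit: the fixed loop sends at most 1 + max_retries messages per request, and that number is what the configured value now actually means.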
…ll be changed in a separate commit).
- Rename some tests.
- Use spaces not tabs.
- Fix indentation.
- Use the pattern QUERY in step N then CHECK_ANSWER in step N+1.
… only, not about NOTIFY.
… dependency between NotifyMiddlewareSvc and Catalog and simplifying the trait bounds of NotifyMiddlewareSvc.
…d dependency between XfrMiddlewareSvc and Catalog and simplifying the trait bounds of XfrMiddlewareSvc. Also removed some unnecessary trait bounds along the way.
Based on the `service-layering` branch. Manually tested as both primary and secondary with NSD and BIND.
Still lots to do: `main`.
Introduces the following new major components:
- `Catalog`
- `XfrMiddlewareSvc`
- `NotifyMiddlewareSvc`
- `TsigMiddlewareSvc`
- `net::client::auth::Connection`
Zone persistence on change (either edit to a local primary zone or sync of a local secondary zone with changes obtained from a remote primary) is demonstrated in `examples/serve-zone.rs` via the `ArchiveZone` impl of the `ZoneStore` trait and by using the same `Zone` wrapping "hack" that `Catalog` uses to monitor zones for changes.