Add TSIG Support #11

Closed
pusateri opened this issue Feb 24, 2019 · 11 comments

Comments

@pusateri

I'll be needing TSIG support for Update. I'll be glad to add this feature but I'll need some coaching. Can you point me in the right direction?

@pusateri
Author

My Update code looks like this:

fn build_update(se: &services::ServiceEvent) -> Message {
    use std::str::FromStr;
    use domain_core::bits::{Dname, MessageBuilder, SectionBuilder, RecordSectionBuilder};
    use domain_core::iana::opcode;
    use domain_core::iana::Rtype;

    let mut msg = MessageBuilder::new_udp();
    msg.header_mut().set_opcode(opcode::Opcode::Update);

    // Zone section (the question section of an UPDATE): the zone's SOA name
    let name = Dname::from_str(&se.subdomain).unwrap();
    msg.push((&name, Rtype::Soa)).unwrap();

    // skip prereq sections (the answer section of an UPDATE)
    let msg = msg.answer();

    // add to Update section (the authority section of an UPDATE)
    let mut msg = msg.authority();
    msg.push((&se.sname, 86400, se.sdata.clone())).unwrap();

    // move on to the additional section; nothing else is pushed, so no `mut` needed
    let msg = msg.opt().unwrap();

    msg.freeze()
}

For the API, I could use something like:

msg.set_tsig();

in the OPT section or would you prefer something else?

@pusateri
Author

Oops, I think I remembered that wrong. It's just the last record, not in the OPT but after the OPT.

@pusateri pusateri reopened this Feb 24, 2019
@pusateri
Author

Or maybe the API should be more like:

msg.push(msg.tsig());

@partim
Member

partim commented Feb 26, 2019

There are two parts to this. First you need to add core::rdata::rfc2845.rs with the Tsig record data. Once you have that, the most simple way is to push the record in the additional builder.

The more advanced version is also more complex to implement. It would take a key and some parameters (like fuzz), calculate the signature and the TSIG record, add that to the additional section, and freeze the message (assuming TSIG is always last). That would require some trait for the algorithms. I think it would look something like the one we did for rpki-rs, except it should also allow validation.

For validation, it would be cool if Message had a method to validate a TSIG and produce another Message on success.
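As an added illustration of the two halves partim describes (signing: key plus parameters such as the fudge, MAC over the message and the TSIG variables; validation: recompute the MAC and check the time window), here is a stand-alone Python sketch of the TSIG digest input from RFC 2845 §3.4 (RFC 8945 §4.3) for HMAC-SHA256. It is not code from the domain crate or from this thread; the key name, secret, algorithm and the UPDATE message bytes are constructed, and it skips the request-MAC prefix used for responses and the removal of the TSIG RR from the message before digesting.

```python
import hashlib
import hmac
import struct

# Constructed sample: an unsigned DNS UPDATE (opcode 5, flags 0x2800) whose
# zone section holds "example.com. SOA IN"; no TSIG record attached yet.
UNSIGNED_MESSAGE = bytes.fromhex(
    "1234" "2800" "0001" "0000" "0000" "0000"
    "076578616d706c6503636f6d00" "0006" "0001"
)
KEY_NAME = "update-key.example.com."   # constructed key name
ALGORITHM = "hmac-sha256."             # algorithm name as it appears in the TSIG RR
KEY = b"constructed-shared-secret"     # constructed; real keys are random bytes

def encode_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def tsig_variables(time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """TSIG fields covered by the MAC: name, class ANY, TTL 0, algorithm,
    48-bit time signed, fudge, error, other len, other data."""
    return (encode_name(KEY_NAME)
            + struct.pack("!HI", 255, 0)
            + encode_name(ALGORITHM)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other))
            + other)

def sign(message: bytes, time_signed: int, fudge: int = 300) -> bytes:
    """MAC over the unsigned message followed by the TSIG variables."""
    data = message + tsig_variables(time_signed, fudge)
    return hmac.new(KEY, data, hashlib.sha256).digest()

def verify(message: bytes, time_signed: int, fudge: int, mac: bytes, now: int) -> bool:
    """Validate a received MAC: constant-time compare first, then the fudge
    window around the signer's time (BADSIG before BADTIME, per the RFC)."""
    expected = sign(message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return False
    return abs(now - time_signed) <= fudge
```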

@partim
Member

partim commented Mar 3, 2019

Addendum: If you prefer me taking a stab at the implementation, I’d be happy to. I want to get started at implementing zone signing, anyway, so this might be a good time to lay out the underlying infrastructure for swapping out signers etc.

@pusateri
Author

pusateri commented Mar 3, 2019

Yes, please do. I welcome the assistance.

@partim
Member

partim commented Mar 14, 2019

Quick question: Do you need to support HMAC-MD5 or is the SHA family sufficient? Background is that ring doesn’t seem to support MD5 but I would like to only depend on ring.

@pusateri
Author

No, I will not need MD5. Probably only use SHA-256 for the foreseeable future.

@partim partim changed the title Need advice on adding TSIG Add TSIG Support Mar 18, 2019
@partim
Member

partim commented Mar 19, 2019

Quick update: I have an initial implementation. Cleaning this up now and hoping to have it ready tomorrow.

@pusateri
Author

Nice! I will try it out at the IETF Hackathon if not before.

@partim
Member

partim commented Apr 4, 2019

This has been implemented in #16, which has been merged.

@partim partim closed this as completed Apr 4, 2019