nameserver

package
v0.0.0-...-4a2bce8 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 23, 2026 License: MIT Imports: 24 Imported by: 0

Documentation

Overview

Package nameserver defines the common interface and support types for running DNS servers behind dnse—wrapping third‑party daemons like Knot/NSD so they can be configured, reloaded, and managed uniformly from Go code.

Package nameserver defines a common interface for running name servers.

Index

Constants

View Source 
const (
	// CDSCDNSKEYPublishAlways means always publish one CDS and one CDNSKEY
	// records for the current KSK.
	CDSCDNSKEYPublishAlways CDSCDNSKEYPublish = "always"
	// CDSCDNSKEYPublishDeleteDnssec means publish special CDS and CDNSKEY
	// records indicating turning off DNSSEC.
	CDSCDNSKEYPublishDeleteDnssec CDSCDNSKEYPublish = "delete-dnssec"
	// CDSCDNSKEYPublishDoubleDS means always publish up to two CDS and two
	// CDNSKEY records for ready and/or active KSKs.
	CDSCDNSKEYPublishDoubleDS CDSCDNSKEYPublish = "double-ds"
	// CDSCDNSKEYPublishNone means never publish any CDS or CDNSKEY records in
	// the zone.
	CDSCDNSKEYPublishNone CDSCDNSKEYPublish = "none"
	// CDSCDNSKEYPublishRollover means publish CDS and CDNSKEY records for ready
	// and not yet active KSK (submission phase of KSK rollover).
	CDSCDNSKEYPublishRollover CDSCDNSKEYPublish = "rollover"

	// JournalContentNone means the journal is not used at all.
	JournalContentNone JournalContent = "none"
	// JournalContentChanges means zone changes history is stored in journal.
	JournalContentChanges JournalContent = "changes"
	// JournalContentAll means Zone contents and history is stored in journal.
	JournalContentAll JournalContent = "all"

	// KeyAlgorithmRSAMD5 is RSA/MD5 (1).
	KeyAlgorithmRSAMD5 KeyAlgorithm = 1
	// KeyAlgorithmDSASHA1 is DSA/SHA-1 (3).
	KeyAlgorithmDSASHA1 KeyAlgorithm = 3
	// KeyAlgorithmRSASHA1 is RSA/SHA-1 (5).
	KeyAlgorithmRSASHA1 KeyAlgorithm = 5
	// KeyAlgorithmDSANSEC3SHA1 is DSA-NSEC3-SHA1 (6).
	KeyAlgorithmDSANSEC3SHA1 KeyAlgorithm = 6
	// KeyAlgorithmRSASHA1NSEC3SHA1 is RSASHA1-NSEC3-SHA1 (7).
	KeyAlgorithmRSASHA1NSEC3SHA1 KeyAlgorithm = 7
	// KeyAlgorithmRSASHA256 is RSA/SHA-256 (8).
	KeyAlgorithmRSASHA256 KeyAlgorithm = 8
	// KeyAlgorithmRSASHA512 is RSA/SHA-512 (10).
	KeyAlgorithmRSASHA512 KeyAlgorithm = 10
	// KeyAlgorithmGOSTR34102001 is GOST R 34.10-2001 (12).
	KeyAlgorithmGOSTR34102001 KeyAlgorithm = 12
	// KeyAlgorithmECDSASHA256 is ECDSA/SHA-256 (13).
	KeyAlgorithmECDSASHA256 KeyAlgorithm = 13
	// KeyAlgorithmECDSASHA384 is ECDSA/SHA-384 (14).
	KeyAlgorithmECDSASHA384 KeyAlgorithm = 14
	// KeyAlgorithmEd25519 is Ed25519 (15).
	KeyAlgorithmEd25519 KeyAlgorithm = 15
	// KeyAlgorithmEd448 is Ed448 (16).
	KeyAlgorithmEd448 KeyAlgorithm = 16

	// ZoneFileLoadNone the zone file is not used at all.
	ZoneFileLoadNone ZoneFileLoad = "none"
	// ZoneFileLoadDifference If the zone contents are already available during server start or reload,
	// the difference is computed between them and the contents of the zone file.
	// This difference is then checked for semantic errors and applied to the current zone contents.
	ZoneFileLoadDifference ZoneFileLoad = "difference"
	// ZoneFileLoadDifferenceNoSerial is the same as difference, but the SOA serial in the zone file is ignored,
	// the server takes care of incrementing the serial automatically.
	ZoneFileLoadDifferenceNoSerial ZoneFileLoad = "difference-no-serial"
	// ZoneFileLoadWhole means the zone contents are loaded from the zone file.
	ZoneFileLoadWhole ZoneFileLoad = "whole"
)
View Source 
const (
	// Second is one second as a Duration.
	Second = Duration(time.Second)
	// Minute is one minute as a Duration (always 60 seconds, never accounting
	// for leap seconds).
	Minute = Duration(time.Minute)
	// Hour is one hour as a Duration.
	Hour = Duration(time.Hour)
	// Day is one day as a Duration (always 24 hours, never accounting for
	// daylight saving).
	Day = 24 * Hour
	// Week is one week as a Duration.
	Week = 7 * Day
)

Variables

View Source 
var ErrNotSupported = errors.New("not supported")

ErrNotSupported is an error indicating a feature is not supported.

Functions

func NotSupported 

func NotSupported(feature string) error

NotSupported returns an error wrapping ErrNotSupported.

func ValidateRemoteZone 

func ValidateRemoteZone(rules ...validation.Rule) validation.RuleWithContextFunc

ValidateRemoteZone validates the zone of a Remote.

func ValidateRemoteZoneIs 

func ValidateRemoteZoneIs(name dnse.Name) validation.RuleWithContextFunc

ValidateRemoteZoneIs validates that the zone of a Remote is a specific one.

Types

type ACL 

type ACL struct {
	ID       string
	Actions  []Action
	Prefixes []netip.Prefix
	TSIGKeys tsig.KeySet
	Zone     dnse.Name
}

ACL a struct holding an ACL configuration.

func (ACL) LogValue 

func (a ACL) LogValue() slog.Value

LogValue implements log/slog.LogValuer.

func (ACL) ValidateWithContext 

func (a ACL) ValidateWithContext(ctx context.Context) error

ValidateWithContext validates the ACL struct.

type Action 

type Action string

Action is something a client might want to do. 

const (
	// ActionNotify is the notify action.
	ActionNotify Action = "notify"

	// ActionQuery is the query action.
	ActionQuery Action = "query"

	// ActionTransfer is the transfer action.
	ActionTransfer Action = "transfer"

	// ActionUpdate is the update action.
	ActionUpdate Action = "update"
)

func (Action) ValidateWithContext 

func (a Action) ValidateWithContext(ctx context.Context) error

ValidateWithContext makes sure the Action is one of the predefined values.

type CDSCDNSKEYPublish 

type CDSCDNSKEYPublish string

CDSCDNSKEYPublish controls if and how shall the CDS and CDNSKEY be published in the zone.

func (*CDSCDNSKEYPublish) UnmarshalText 

func (c *CDSCDNSKEYPublish) UnmarshalText(text []byte) error

UnmarshalText implements encoding.TextUnmarshaler.

func (CDSCDNSKEYPublish) ValidateWithContext 

func (c CDSCDNSKEYPublish) ValidateWithContext(ctx context.Context) error

ValidateWithContext makes sure the Action is one of the predefined values.

type Config 

type Config struct {
	// ACLs are added to the ACL section of knot configurations allowing the
	// specified action for the remote.
	ACLs []ACL

	// AllowUpdates is set when dynamic updates are allowed.
	AllowUpdates bool

	BackgroundWorkers uint

	DNSSEC *DNSSECConfig

	// ExpireMinInterval is the minimum expiration time for a zone. Will
	// override the value set in the SOA.
	ExpireMinInterval Duration

	// Downstreams are other name servers that receive NOTIFY queries and are
	// allowed to do XFRs.
	Downstreams []Remote

	IXFRFromAXFR   bool
	Identity       string
	JournalContent JournalContent
	JournalDepth   uint
	JournalMaxSize Size
	Listen         []netip.AddrPort
	NoIXFRIn       bool
	NoIXFROut      bool
	NSID           string
	Refresh        Range[Duration]

	// Retry limits the time between a failed (incoming) zone transfer and
	// retrying the same transfer, to a minimum and a maximum.
	Retry Range[Duration]

	SerialModulo Modulo
	Storage      string

	// TCPRemoteIOTimeout sets a round-trip timeout for when the name server is
	// a TCP client to a remote server.
	//
	// Translates to Knot’s [tcp-remote-io-timeout].
	//
	// [tcp-remote-io-timeout]: https://www.knot-dns.cz/docs/latest/singlehtml/index.html#tcp-remote-io-timeout
	TCPRemoteIOTimeout *Duration

	// Upstreams are other name servers that can send NOTIFY queries and respond
	// to XFRs.
	Upstreams []Remote

	Verify *Verify
	ZONEMD
	ZoneFiles     dnse.NameMap[string]
	ZoneFilesDir  string
	ZoneFileLoad  ZoneFileLoad
	ZoneFilesSync *Duration
}

Config holds name server configuration.

func (Config) AllTSIGKeys 

func (c Config) AllTSIGKeys(context.Context) (*tsig.KeySet, error)

AllTSIGKeys returns a gitlab.com/internetstiftelsen-oss/dnse/tsig.KeySet containing all the TSIG keys.

func (Config) ValidateWithContext 

func (c Config) ValidateWithContext(ctx context.Context) error

ValidateWithContext validates the configuration.

type DNSSECConfig 

type DNSSECConfig struct {
	CDSCDNSKEYPublish        CDSCDNSKEYPublish
	DNSKeyTTL                Duration
	DNSSECKeyLabel           bool
	KASPDir                  string
	KSK, ZSK                 KeyConfig
	ManualKeyGeneration      bool
	MaxZoneTTL               Duration
	PKCS11                   *PKCS11
	PublishSafety            Duration
	PurgeKeys                *Duration
	RetireSafety             Duration
	SignaturesRefresh        Range[Duration]
	SignaturesValidity       Duration
	SignaturesValidityDNSKey Duration
	Workers                  uint64
	ZonePropagationDelay     Duration
}

DNSSECConfig holds DNSSEC-related name server configuration.

type Duration 

type Duration time.Duration

Duration represents a period of time. Negative durations are possible but considered invalid.

It can parse the same format as time.ParseDuration as well as just an integer, which will be used as number of seconds.

It always encodes to a decimal integer of seconds.

func NewDuration 

func NewDuration(d time.Duration) *Duration

NewDuration returns a new Duration for a time.Duration.

func (Duration) Duration 

func (d Duration) Duration() time.Duration

Duration returns a time.Duration.

func (Duration) MarshalText 

func (d Duration) MarshalText() (text []byte, err error)

MarshalText returns the number of seconds as a decimal integer.

func (Duration) MarshalYAML 

func (d Duration) MarshalYAML() (any, error)

MarshalYAML returns the number of seconds as a decimal integer.

func (Duration) Seconds 

func (d Duration) Seconds() uint64

Seconds returns the number of seconds in a Duration, as an integer.

func (Duration) String 

func (d Duration) String() string

String returns the number of seconds as a decimal integer.

func (*Duration) UnmarshalText 

func (d *Duration) UnmarshalText(text []byte) error

UnmarshalText parses a text into a duration. It understands the same format as time.ParseDuration as well as unit-less decimal integers of seconds.

func (Duration) ValidateWithContext 

func (d Duration) ValidateWithContext(ctx context.Context) error

ValidateWithContext returns a validation error if the duration is negative.

type JournalContent 

type JournalContent string

JournalContent is a value for zones’ ‘journal-content’ setting.

func (JournalContent) ValidateWithContext 

func (j JournalContent) ValidateWithContext(ctx context.Context) error

ValidateWithContext makes sure the journal content is one of the known values.

type KeyAlgorithm 

type KeyAlgorithm uint8

KeyAlgorithm is the DNSSEC number for a key algorithm.

func (KeyAlgorithm) String 

func (a KeyAlgorithm) String() string

func (KeyAlgorithm) Uint8 

func (a KeyAlgorithm) Uint8() uint8

Uint8 returns the underlying uint8 of the key algorithm.

type KeyConfig 

type KeyConfig struct {
	Lifetime  Duration
	Algorithm KeyAlgorithm
	Size      uint64
}

KeyConfig holds the configuration of a DNSSEC key.

type Modulo 

type Modulo struct {
	R, M uint8
}

Modulo is a container of two elements consisting of the remainder R and the Modulo M which specify how the SOA serial is incremented.

func (Modulo) MarshalText 

func (m Modulo) MarshalText() (text []byte, err error)

MarshalText returns a knot friendly serial-modulo.

func (Modulo) String 

func (m Modulo) String() string

String returns a knot friendly serial-modulo.

func (Modulo) ValidateWithContext 

func (m Modulo) ValidateWithContext(ctx context.Context) error

ValidateWithContext returns a validation error if R < M <= 256 fails 256 is not supported.

type Nameserver 

type Nameserver interface {
	io.Closer
	Configure(ctx context.Context, config *Config) error
	ReloadZone(ctx context.Context, zone dnse.Name) error
	Run(ctx context.Context, notifyStarted func()) error
}

Nameserver is an instance of a name server, possibly wrapping a running third-party implementation.

type PKCS11 

type PKCS11 struct {
	ID                  []byte            `path:"id"`
	LibraryDescription  string            `path:"library-description"`
	LibraryManufacturer string            `path:"library-manufacturer"`
	LibraryVersion      string            `path:"library-version"`
	Manufacturer        string            `path:"manufacturer"`
	Model               string            `path:"model"`
	Object              string            `path:"object"`
	Serial              string            `path:"serial"`
	SlotDescription     string            `path:"slot-description"`
	SlotID              string            `path:"slot-id"`
	SlotManufacturer    string            `path:"slot-manufacturer"`
	Token               string            `path:"token"`
	Type                string            `path:"type"`
	VendorPath          map[string]string `path:",remain"`

	PINSource   string              `query:"pin-source"`
	PINValue    string              `query:"pin-value"`
	ModuleName  string              `query:"module-name"`
	ModulePath  string              `query:"module-path"`
	VendorQuery map[string][]string `query:",remain"`
}

PKCS11 represents PKCS #11 configuration. It maps to a PKCS #11 URI, see <https://datatracker.ietf.org/doc/html/rfc7512>.

func PKCS11FromURI 

func PKCS11FromURI(u *url.URL) (*PKCS11, error)

PKCS11FromURI parses a URI.

func (*PKCS11) URI 

func (p *PKCS11) URI() (u *url.URL)

URI resturns a PKCS #11 URI.

func (*PKCS11) UnmarshalText 

func (p *PKCS11) UnmarshalText(text []byte) error

UnmarshalText implements encoding.TextUnmarshaler.

type Range 

type Range[T cmp.Ordered] [2]T

Range is a container of two elements representing a minimum and maximum. The order of the elements is unimportant as long as Range.Min and Range.Max are used to access them.

func (*Range[T]) Max 

func (r *Range[T]) Max() T

Max returns the largest value of the range.

func (*Range[T]) Min 

func (r *Range[T]) Min() T

Min returns the smallest value of the range.

func (*Range[T]) String 

func (r *Range[T]) String() string

type Remote 

type Remote struct {
	Addrs           []netip.AddrPort
	Prefixes        []netip.Prefix
	TSIGClientKey   *tsig.Key
	TSIGTrustedKeys tsig.KeySet
	Zone            dnse.Name
}

Remote represents a name server somewhere (it doesn’t have to be very remote).

func NewRemoteFromURI 

func NewRemoteFromURI(
	ctx context.Context,
	u *dnse.URI,
	keys tsig.KeySet,
) (*Remote, error)

NewRemoteFromURI creates a Remote by parsing a DNS URI.

func NewRemoteWithSymmetricTSIG 

func NewRemoteWithSymmetricTSIG(
	ctx context.Context,
	zone dnse.Name,
	key *tsig.Key,
	addrs ...netip.AddrPort,
) (*Remote, error)

NewRemoteWithSymmetricTSIG creates a new Remote that uses one TSIG key. The key can be nil in which case no TSIG is used.

func (Remote) AllPrefixes 

func (r Remote) AllPrefixes() []netip.Prefix

AllPrefixes returns a slice of the Remote’s prefixes and single-address prefixes from its IP addresses.

func (Remote) LogValue 

func (r Remote) LogValue() slog.Value

LogValue returns a log/slog.Value for logging a Remote.

func (*Remote) ValidateWithContext 

func (r *Remote) ValidateWithContext(ctx context.Context) error

ValidateWithContext validates a remote.

type Size 

type Size struct {
	Size uint64
	Unit string
}

Size is a struct representing a Knot SIZE and NSD size/sizeval. It doese not currently support the NSD "unlimited" keyword.

func (Size) MarshalYAML 

func (s Size) MarshalYAML() (any, error)

MarshalYAML returns a Sizes textual representation.

func (Size) String 

func (s Size) String() string

func (*Size) UnmarshalText 

func (s *Size) UnmarshalText(text []byte) error

UnmarshalText unmarshals a byte slice into a Size.

type Verify 

type Verify struct {
	Addresses []netip.AddrPort
	Command   []string
	Parallel  uint64
	Port      uint16
	Stdin     bool
	Timeout   Duration
}

Verify holds configuration for name servers that can verify incoming zones.

func (*Verify) ValidateWithContext 

func (v *Verify) ValidateWithContext(ctx context.Context) error

ValidateWithContext returns an error if a Verify is incorrectly configured.

type ZONEMD 

type ZONEMD int

ZONEMD configures whether the name server should:

  • not generate ZONEMDS: 0
  • generate ZONEMDs: the algorithm ID, see RFC 8976 §5.3
  • remove ZONEMDS: <0

type ZoneFileLoad 

type ZoneFileLoad string

ZoneFileLoad is a value for zones' 'zonefile-load' setting.

func (ZoneFileLoad) ValidateWithContext 

func (z ZoneFileLoad) ValidateWithContext(ctx context.Context) error

ValidateWithContext makes sure the zonefile-load is one of the known values.

Source Files

View all Source files

Directories

Path Synopsis
Package knot configures and runs an [Knot DNS] nameserver that implements gitlab.com/internetstiftelsen-oss/dnse/nameserver.Nameserver.
 Package knot configures and runs an [Knot DNS] nameserver that implements gitlab.com/internetstiftelsen-oss/dnse/nameserver.Nameserver.
Package nsd configures and runs an NSD nameserver that implements gitlab.com/internetstiftelsen-oss/dnse/nameserver.Nameserver.
 Package nsd configures and runs an NSD nameserver that implements gitlab.com/internetstiftelsen-oss/dnse/nameserver.Nameserver.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.