README
¶
Alternative (more granular) approach to a DNS library.
Less is more.
Complete and usable DNS library. All widely used Resource Records are supported, including the DNSSEC types. It follows a lean and mean philosophy. If there is stuff you should know as a DNS programmer there isn't a convenience function for it. Server side and client side programming is supported, i.e. you can build servers and resolvers with it.
If you like this, you may also be interested in:
- https://github.com/miekg/fks -- a complete nameserver written in Go;
- https://github.com/miekg/unbound -- Go wrapper for the Unbound resolver.
Goals
- KISS;
- Small API, if its easy to code in Go, don't make a function for it.
Features
- UDP/TCP queries, IPv4 and IPv6;
- RFC 1035 zone file parsing ($INCLUDE, $ORIGIN, $TTL and $GENERATE [for all record types] are supported);
- Fast:
- Reply speed around ~ 50K qps (faster hardware results in more qps);
- Parsing RRs with ~ 100K RR/s, that's 5M records in about 50 seconds;
- Server side programming (mimicking the net/http package);
- Client side programming;
- DNSSEC: signing, validating and key generation for DSA, RSA and ECDSA;
- EDNS0, NSID;
- AXFR/IXFR;
- TSIG;
- DNS name compression.
Have fun!
Miek Gieben - 2010-2012 - miek@miek.nl
Building
Building is done with the go tool. If you have setup your GOPATH
correctly, the following should work:
go get github.com/miekg/dns
go build dns
A short "how to use the API" is at the beginning of dns.go (this also will show
when you call go doc github.com/miekg/dns. Sample
programs can be found in the ex directory. They can also be build
with: go build.
Supported RFCs
all of them
- 103{4,5} - DNS standard
- 1982 - Serial Arithmetic
- 1876 - LOC record
- 1995 - IXFR
- 1996 - DNS notify
- 2136 - DNS Update (dynamic updates)
- 2181 - RRset definition
- 2537 - RSAMD5 DNS keys
- 2065 - DNSSEC (updated in later RFCs)
- 2671 - EDNS record
- 2782 - SRV record
- 2845 - TSIG record
- 2915 - NAPTR record
- 3110 - RSASHA1 DNS keys
- 3225 - DO bit (DNSSEC OK)
- 340{1,2,3} - NAPTR record
- 3445 - Limiting the scope of (DNS)KEY
- 3597 - Unkown RRs
- 403{3,4,5} - DNSSEC + validation functions
- 4255 - SSHFP record
- 4408 - SPF record
- 4509 - SHA256 Hash in DS
- 4592 - Wildcards in the DNS
- 4635 - HMAC SHA TSIG
- 4701 - DHCID
- 4892 - id.server
- 5001 - NSID
- 5155 - NSEC3 record
- 5205 - HIP record
- 5702 - SHA2 in the DNS
- 5936 - AXFR
- 6605 - ECDSA
- 6742 - ILNP DNS
- xxxx - URI record (draft)
- xxxx - EDNS0 DNS Update Lease (draft)
Loosely based upon
ldnsNSDNet::DNSGRONG
Documentation
¶
Overview ¶
Package dns implements a full featured interface to the Domain Name System. Server- and client-side programming is supported. The package allows complete control over what is send out to the DNS. The package API follows the less-is-more principle, by presenting a small, clean interface.
The package dns supports (asynchronous) querying/replying, incoming/outgoing AXFR/IXFR, TSIG, EDNS0, dynamic updates, notifies and DNSSEC validation/signing. Note that domain names MUST be fully qualified, before sending them, unqualified names in a message will result in a packing failure.
Resource records are native types. They are not stored in wire format. Basic usage pattern for creating a new resource record:
r := new(dns.MX)
r.Hdr = dns.RR_Header{Name: "miek.nl.", Rrtype: dns.TypeMX, Class: dns.ClassINET, Ttl: 3600}
r.Pref = 10
r.Mx = "mx.miek.nl."
Or directly from a string:
mx, err := dns.NewRR("miek.nl. 3600 IN MX 10 mx.miek.nl.")
Or when the default TTL (3600) and class (IN) suit you:
mx, err := dns.NewRR("miek.nl. MX 10 mx.miek.nl.")
Or even:
mx, err := dns.NewRR("$ORIGIN nl.\nmiek 1H IN MX 10 mx.miek")
In the DNS messages are exchanged, these messages contain resource records (sets). Use pattern for creating a message:
m := dns.new(Msg)
m.SetQuestion("miek.nl.", dns.TypeMX)
Or when not certain if the domain name is fully qualified:
m.SetQuestion(dns.Fqdn("miek.nl"), dns.TypeMX)
The message m is now a message with the question section set to ask the MX records for the miek.nl. zone.
The following is slightly more verbose, but more flexible:
m1 := new(dns.Msg)
m1.Id = Id()
m1.RecursionDesired = true
m1.Question = make([]Question, 1)
m1.Question[0] = dns.Question{"miek.nl.", dns.TypeMX, dns.ClassINET}
After creating a message it can be send. Basic use pattern for synchronous querying the DNS at a server configured on 127.0.0.1 and port 53:
c := new(Client) in, rtt, err := c.Exchange(m1, "127.0.0.1:53")
For asynchronous queries it is easy to wrap Exchange() in a goroutine.
From a birds eye view a dns message consists out of four sections. The question section: in.Question, the answer section: in.Answer, the authority section: in.Ns and the additional section: in.Extra.
Each of these sections (except the Question section) contain a []RR. Basic use pattern for accessing the rdata of a TXT RR as the first RR in the Answer section:
if t, ok := in.Answer[0].(*TXT); ok {
// do something with t.Txt
}
DNSSEC ¶
DNSSEC (DNS Security Extension) adds a layer of security to the DNS. It uses public key cryptography to sign resource records. The public keys are stored in DNSKEY records and the signatures in RRSIG records.
Requesting DNSSEC information for a zone is done by adding the DO (DNSSEC OK) bit to an request.
m := new(dns.Msg) m.SetEdns0(4096, true)
Signature generation, signature verification and key generation are all supported. Writing a DNSSEC validating resolver is hard, if you need something like that you might want to use the Unbound wrapper found at github.com/miekg/unbound .
EDNS0 ¶
EDNS0 is an extension mechanism for the DNS defined in RFC 2671. It defines a standard RR type, the OPT RR, which is then completely abused. Basic use pattern for creating an (empty) OPT RR:
o := new(dns.OPT) o.Hdr.Name = "." // MUST be the root zone, per definition. o.Hdr.Rrtype = dns.TypeOPT
The rdata of an OPT RR consists out of a slice of EDNS0 interfaces. Currently only a few have been standardized: EDNS0_NSID (RFC 5001) and EDNS0_SUBNET (draft). Note that these options may be combined in an OPT RR. Basic use pattern for a server to check if (and which) options are set:
// o is a dns.OPT
for _, s := range o.Options {
switch e := s.(type) {
case *dns.EDNS0_NSID:
// do stuff with e.Nsid
case *dns.EDNS0_SUBNET:
// access e.Family, e.Address, etc.
}
}
TRANSACTION SIGNATURE (TSIG)
An TSIG or transaction signature adds a HMAC TSIG record to each message sent. The supported algorithms include: HmacMD5, HmacSHA1 and HmacSHA256.
Basic use pattern when querying with a TSIG name "axfr." (note that these key names must be fully qualified - as they are domain names) and the base64 secret "so6ZGir4GPAqINNh9U5c3A==":
c := new(dns.Client)
c.TsigSecret = map[string]string{"axfr.": "so6ZGir4GPAqINNh9U5c3A=="}
m := new(dns.Msg)
m.SetQuestion("miek.nl.", dns.TypeMX)
m.SetTsig("axfr.", dns.HmacMD5, 300, time.Now().Unix())
...
// When sending the TSIG RR is calculated and filled in before sending
When requesting an AXFR (almost all TSIG usage is when requesting zone transfers), with TSIG, this is the basic use pattern. In this example we request an AXFR for miek.nl. with TSIG key named "axfr." and secret "so6ZGir4GPAqINNh9U5c3A==" and using the server 85.223.71.124
c := new(dns.Client)
c.TsigSecret = map[string]string{"axfr.": "so6ZGir4GPAqINNh9U5c3A=="}
m := new(dns.Msg)
m.SetAxfr("miek.nl.")
m.SetTsig("axfr.", dns.HmacMD5, 300, time.Now().Unix())
t, err := c.TransferIn(m, "85.223.71.124:53")
for r := range t { /* ... */ }
You can now read the records from the AXFR as they come in. Each envelope is checked with TSIG. If something is not correct an error is returned.
Basic use pattern validating and replying to a message that has TSIG set.
server := &dns.Server{Addr: ":53", Net: "udp"}
server.TsigSecret = map[string]string{"axfr.": "so6ZGir4GPAqINNh9U5c3A=="}
go server.ListenAndServe()
dns.HandleFunc(".", handleRequest)
func handleRequest(w dns.ResponseWriter, r *dns.Msg) {
m := new(Msg)
m.SetReply(r)
if r.IsTsig() {
if w.TsigStatus() == nil {
// *Msg r has an TSIG record and it was validated
m.SetTsig("axfr.", dns.HmacMD5, 300, time.Now().Unix())
} else {
// *Msg r has an TSIG records and it was not valided
}
}
w.WriteMsg(m)
}
DYNAMIC UPDATES ¶
Dynamic updates reuses the DNS message format, but renames three of the sections. Question is Zone, Answer is Prerequisite, Authority is Update, only the Additional is not renamed. See RFC 2136 for the gory details.
You can set a rather complex set of rules for the existence of absence of certain resource records or names in a zone to specify if resource records should be added or removed. The table from RFC 2136 supplemented with the Go DNS function shows which functions exist to specify the prerequisites.
3.2.4 - Table Of Metavalues Used In Prerequisite Section
CLASS TYPE RDATA Meaning Function -------------------------------------------------------------- ANY ANY empty Name is in use NameUsed ANY rrset empty RRset exists (value indep) RRsetUsed NONE ANY empty Name is not in use NameNotUsed NONE rrset empty RRset does not exist RRsetNotUsed zone rrset rr RRset exists (value dep) Used
The prerequisite section can also be left empty. If you have decided on the prerequisites you can tell what RRs should be added or deleted. The next table shows the options you have and what functions to call.
3.4.2.6 - Table Of Metavalues Used In Update Section
CLASS TYPE RDATA Meaning Function --------------------------------------------------------------- ANY ANY empty Delete all RRsets from name RemoveName ANY rrset empty Delete an RRset RemoveRRset NONE rrset rr Delete an RR from RRset Remove zone rrset rr Add to an RRset Insert
Index ¶
- Constants
- Variables
- func CertificateToDANE(selector, matchingType uint8, cert *x509.Certificate) string
- func CompareLabels(s1, s2 string) (n int)
- func Fqdn(s string) string
- func Handle(pattern string, handler Handler)
- func HandleAuthors(w ResponseWriter, r *Msg)
- func HandleFailed(w ResponseWriter, r *Msg)
- func HandleFunc(pattern string, handler func(ResponseWriter, *Msg))
- func HandleRemove(pattern string)
- func HandleVersion(w ResponseWriter, r *Msg)
- func HashName(label string, ha uint8, iter uint16, salt string) string
- func Id() uint16
- func IsDomainName(s string) (uint8, uint8, bool)
- func IsFqdn(s string) bool
- func IsSubDomain(parent, child string) bool
- func LenLabels(s string) (labels int)
- func ListenAndServe(addr string, network string, handler Handler) error
- func PackDomainName(s string, msg []byte, off int, compression map[string]int, compress bool) (off1 int, err error)
- func PackRR(rr RR, msg []byte, off int, compression map[string]int, compress bool) (off1 int, err error)
- func PackStruct(any interface{}, msg []byte, off int) (off1 int, err error)
- func ParseZone(r io.Reader, origin, file string) chan Token
- func ReverseAddr(addr string) (arpa string, err error)
- func SplitLabels(s string) []string
- func StringToTime(s string) (uint32, error)
- func TLSAName(name, service, network string) string
- func TimeToString(t uint32) string
- func TransferOut(w ResponseWriter, q *Msg, c chan *Envelope, e *error) error
- func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) ([]byte, string, error)
- func TsigVerify(msg []byte, secret, requestMAC string, timersOnly bool) error
- func UnpackDomainName(msg []byte, off int) (s string, off1 int, err error)
- func UnpackStruct(any interface{}, msg []byte, off int) (off1 int, err error)
- type A
- type AAAA
- type AFSDB
- type ANY
- type CDS
- type CERT
- type CNAME
- type Client
- type ClientConfig
- type DHCID
- type DLV
- type DNAME
- type DNSKEY
- func (rr *DNSKEY) Copy() RR
- func (r *DNSKEY) Generate(bits int) (PrivateKey, error)
- func (rr *DNSKEY) Header() *RR_Header
- func (k *DNSKEY) KeyTag() uint16
- func (rr *DNSKEY) Len() int
- func (k *DNSKEY) NewPrivateKey(s string) (PrivateKey, error)
- func (r *DNSKEY) PrivateKeyString(p PrivateKey) (s string)
- func (k *DNSKEY) ReadPrivateKey(q io.Reader, file string) (PrivateKey, error)
- func (rr *DNSKEY) String() string
- func (k *DNSKEY) ToDS(h int) *DS
- type DS
- type EDNS0
- type EDNS0_NSID
- type EDNS0_SUBNET
- type EDNS0_UPDATE_LEASE
- type Envelope
- type Error
- type HINFO
- type HIP
- type Handler
- type HandlerFunc
- type Header
- type IPSECKEY
- type KX
- type L32
- type L64
- type LOC
- type LP
- type MB
- type MD
- type MF
- type MG
- type MINFO
- type MR
- type MX
- type Msg
- func (u *Msg) Insert(rr []RR)
- func (dns *Msg) IsEdns0() *OPT
- func (dns *Msg) IsTsig() *TSIG
- func (dns *Msg) Len() int
- func (u *Msg) NameNotUsed(rr []RR)
- func (u *Msg) NameUsed(rr []RR)
- func (dns *Msg) Pack() (msg []byte, err error)
- func (u *Msg) RRsetNotUsed(rr []RR)
- func (u *Msg) RRsetUsed(rr []RR)
- func (u *Msg) Remove(rr []RR)
- func (u *Msg) RemoveName(rr []RR)
- func (u *Msg) RemoveRRset(rr []RR)
- func (dns *Msg) SetAxfr(z string) *Msg
- func (dns *Msg) SetEdns0(udpsize uint16, do bool) *Msg
- func (dns *Msg) SetIxfr(z string, serial uint32) *Msg
- func (dns *Msg) SetNotify(z string) *Msg
- func (dns *Msg) SetQuestion(z string, t uint16) *Msg
- func (dns *Msg) SetRcode(request *Msg, rcode int) *Msg
- func (dns *Msg) SetRcodeFormatError(request *Msg) *Msg
- func (dns *Msg) SetReply(request *Msg) *Msg
- func (dns *Msg) SetTsig(z, algo string, fudge, timesigned int64) *Msg
- func (dns *Msg) SetUpdate(z string) *Msg
- func (dns *Msg) String() string
- func (dns *Msg) Unpack(msg []byte) (err error)
- func (u *Msg) Used(rr []RR)
- type MsgHdr
- type NAPTR
- type NID
- type NINFO
- type NS
- type NSEC
- type NSEC3
- type NSEC3PARAM
- type OPT
- func (rr *OPT) Copy() RR
- func (rr *OPT) Do() bool
- func (rr *OPT) Header() *RR_Header
- func (rr *OPT) Len() int
- func (rr *OPT) SetDo()
- func (rr *OPT) SetUDPSize(size uint16)
- func (rr *OPT) SetVersion(v uint8)
- func (rr *OPT) String() string
- func (rr *OPT) UDPSize() uint16
- func (rr *OPT) Version() uint8
- type PTR
- type ParseError
- type PrivateKey
- type Question
- type RFC3597
- type RKEY
- type RP
- type RR
- type RRSIG
- type RR_Header
- type RT
- type ResponseWriter
- type SOA
- type SPF
- type SRV
- type SSHFP
- type ServeMux
- type Server
- type SignatureConfig
- type TA
- type TALINK
- type TKEY
- type TLSA
- type TSIG
- type TXT
- type Token
- type URI
- type WKS
- type X25
- type Zone
- func (z *Zone) Apex() *ZoneData
- func (z *Zone) Find(s string) (node *ZoneData, exact bool)
- func (z *Zone) FindFunc(s string, f func(interface{}) bool) (*ZoneData, bool, bool)
- func (z *Zone) Insert(r RR) error
- func (z *Zone) Remove(r RR) error
- func (z *Zone) RemoveName(s string) error
- func (z *Zone) RemoveRRset(s string, t uint16) error
- func (z *Zone) Sign(keys map[*DNSKEY]PrivateKey, config *SignatureConfig) error
- type ZoneData
Examples ¶
Constants ¶
const ( DefaultMsgSize = 4096 // Standard default for larger than 512 packets. MaxMsgSize = 65536 // Largest possible DNS packet. )
const ( RSAMD5 = 1 DH = 2 DSA = 3 ECC = 4 RSASHA1 = 5 DSANSEC3SHA1 = 6 RSASHA1NSEC3SHA1 = 7 RSASHA256 = 8 RSASHA512 = 10 ECCGOST = 12 ECDSAP256SHA256 = 13 ECDSAP384SHA384 = 14 INDIRECT = 252 PRIVATEDNS = 253 // Private (experimental keys) PRIVATEOID = 254 )
DNSSEC encryption algorithm codes.
const ( SHA1 // RFC 4034 SHA256 // RFC 4509 GOST94 // RFC 5933 SHA384 // Experimental SHA512 // Experimental )
DNSSEC hashing algorithm codes.
const ( SEP = 1 ZONE = 1 << 7 REVOKE = 1 << 8 )
DNSKEY flag values.
const ( EDNS0LLQ = 0x1 // not used EDNS0UL = 0x2 // not used EDNS0UPDATELEASE = 0x2 // update lease draft EDNS0NSID = 0x3 // nsid (RFC5001) EDNS0SUBNET = 0x50fa // client-subnet draft )
EDNS0 Option codes.
const ( HmacMD5 = "hmac-md5.sig-alg.reg.int." HmacSHA1 = "hmac-sha1." HmacSHA256 = "hmac-sha256." )
HMAC hashing codes. These are transmitted as domain names.
const ( // valid RR_Header.Rrtype and Question.qtype TypeA uint16 = 1 TypeNS uint16 = 2 TypeMD uint16 = 3 TypeMF uint16 = 4 TypeCNAME uint16 = 5 TypeSOA uint16 = 6 TypeMB uint16 = 7 TypeMG uint16 = 8 TypeMR uint16 = 9 TypeNULL uint16 = 10 TypeWKS uint16 = 11 TypePTR uint16 = 12 TypeHINFO uint16 = 13 TypeMINFO uint16 = 14 TypeMX uint16 = 15 TypeTXT uint16 = 16 TypeRP uint16 = 17 TypeAFSDB uint16 = 18 TypeX25 uint16 = 19 TypeISDN uint16 = 20 TypeRT uint16 = 21 TypeSIG uint16 = 24 TypeKEY uint16 = 25 TypeAAAA uint16 = 28 TypeLOC uint16 = 29 TypeNXT uint16 = 30 TypeSRV uint16 = 33 TypeATMA uint16 = 34 TypeNAPTR uint16 = 35 TypeKX uint16 = 36 TypeCERT uint16 = 37 TypeDNAME uint16 = 39 TypeOPT uint16 = 41 // EDNS TypeDS uint16 = 43 TypeSSHFP uint16 = 44 TypeIPSECKEY uint16 = 45 TypeRRSIG uint16 = 46 TypeNSEC uint16 = 47 TypeDNSKEY uint16 = 48 TypeDHCID uint16 = 49 TypeNSEC3 uint16 = 50 TypeNSEC3PARAM uint16 = 51 TypeTLSA uint16 = 52 TypeHIP uint16 = 55 TypeNINFO uint16 = 56 TypeRKEY uint16 = 57 TypeTALINK uint16 = 58 TypeCDS uint16 = 59 TypeSPF uint16 = 99 TypeNID uint16 = 104 TypeL32 uint16 = 105 TypeL64 uint16 = 106 TypeLP uint16 = 107 TypeTKEY uint16 = 249 TypeTSIG uint16 = 250 // valid Question.Qtype only TypeIXFR uint16 = 251 TypeAXFR uint16 = 252 TypeMAILB uint16 = 253 TypeMAILA uint16 = 254 TypeANY uint16 = 255 TypeURI uint16 = 256 TypeCAA uint16 = 257 TypeTA uint16 = 32768 TypeDLV uint16 = 32769 // valid Question.Qclass ClassINET = 1 ClassCSNET = 2 ClassCHAOS = 3 ClassHESIOD = 4 ClassNONE = 254 ClassANY = 255 // Msg.rcode RcodeSuccess = 0 RcodeFormatError = 1 RcodeServerFailure = 2 RcodeNameError = 3 RcodeNotImplemented = 4 RcodeRefused = 5 RcodeYXDomain = 6 RcodeYXRrset = 7 RcodeNXRrset = 8 RcodeNotAuth = 9 RcodeNotZone = 10 RcodeBadSig = 16 // TSIG RcodeBadKey = 17 RcodeBadTime = 18 RcodeBadMode = 19 // TKEY RcodeBadName = 20 RcodeBadAlg = 21 RcodeBadTrunc = 22 // TSIG // Opcode OpcodeQuery = 0 OpcodeIQuery = 1 OpcodeStatus = 2 // There is no 3 OpcodeNotify = 4 OpcodeUpdate = 5 )
Wire constants and supported types.
Variables ¶
var ( ErrFqdn error = &Error{Err: "domain must be fully qualified"} ErrId error = &Error{Err: "id mismatch"} ErrRdata error = &Error{Err: "bad rdata"} ErrBuf error = &Error{Err: "buffer size too small"} ErrShortRead error = &Error{Err: "short read"} ErrConn error = &Error{Err: "conn holds both UDP and TCP connection"} ErrConnEmpty error = &Error{Err: "conn has no connection"} ErrServ error = &Error{Err: "no servers could be reached"} ErrKey error = &Error{Err: "bad key"} ErrPrivKey error = &Error{Err: "bad private key"} ErrKeySize error = &Error{Err: "bad key size"} ErrKeyAlg error = &Error{Err: "bad key algorithm"} ErrAlg error = &Error{Err: "bad algorithm"} ErrTime error = &Error{Err: "bad time"} ErrNoSig error = &Error{Err: "no signature found"} ErrSig error = &Error{Err: "bad signature"} ErrSecret error = &Error{Err: "no secrets defined"} ErrSigGen error = &Error{Err: "bad signature generation"} ErrAuth error = &Error{Err: "bad authentication"} ErrSoa error = &Error{Err: "no SOA"} ErrRRset error = &Error{Err: "bad rrset"} )
var AlgorithmToString = map[uint8]string{ RSAMD5: "RSAMD5", DH: "DH", DSA: "DSA", RSASHA1: "RSASHA1", DSANSEC3SHA1: "DSA-NSEC3-SHA1", RSASHA1NSEC3SHA1: "RSASHA1-NSEC3-SHA1", RSASHA256: "RSASHA256", RSASHA512: "RSASHA512", ECCGOST: "ECC-GOST", ECDSAP256SHA256: "ECDSAP256SHA256", ECDSAP384SHA384: "ECDSAP384SHA384", INDIRECT: "INDIRECT", PRIVATEDNS: "PRIVATEDNS", PRIVATEOID: "PRIVATEOID", }
Map for algorithm names.
var Authors = []string{"Miek Gieben", "Ask Bjørn Hansen", "Dave Cheney", "Dusty Wilson", "Peter van Dijk"}
Authors is a list of authors that helped create or make Go DNS better.
var ClassToString = map[uint16]string{
ClassINET: "IN",
ClassCSNET: "CS",
ClassCHAOS: "CH",
ClassHESIOD: "HS",
ClassNONE: "NONE",
ClassANY: "ANY",
}
Map of strings for each CLASS wire type.
var DefaultServeMux = NewServeMux()
DefaultServeMux is the default ServeMux used by Serve.
var DefaultSignatureConfig = newSignatureConfig()
DefaultSignaturePolicy has the following values. Validity is 4 weeks, Refresh is set to 3 days, Jitter to 12 hours and InceptionOffset to 300 seconds. HonorSepFlag is set to true, SignerRoutines is set to runtime.NumCPU() + 1. The Minttl value is zero.
var OpcodeToString = map[int]string{
OpcodeQuery: "QUERY",
OpcodeIQuery: "IQUERY",
OpcodeStatus: "STATUS",
OpcodeNotify: "NOTIFY",
OpcodeUpdate: "UPDATE",
}
Map of strings for opcodes.
var RcodeToString = map[int]string{
RcodeSuccess: "NOERROR",
RcodeFormatError: "FORMERR",
RcodeServerFailure: "SERVFAIL",
RcodeNameError: "NXDOMAIN",
RcodeNotImplemented: "NOTIMPL",
RcodeRefused: "REFUSED",
RcodeYXDomain: "YXDOMAIN",
RcodeYXRrset: "YXRRSET",
RcodeNXRrset: "NXRRSET",
RcodeNotAuth: "NOTAUTH",
RcodeNotZone: "NOTZONE",
RcodeBadSig: "BADSIG",
RcodeBadKey: "BADKEY",
RcodeBadTime: "BADTIME",
RcodeBadMode: "BADMODE",
RcodeBadName: "BADNAME",
RcodeBadAlg: "BADALG",
RcodeBadTrunc: "BADTRUNC",
}
Map of strings for rcodes.
var StringToAlgorithm = reverseInt8(AlgorithmToString)
Map of algorithm strings.
var StringToClass = reverseInt16(ClassToString)
var StringToOpcode = reverseInt(OpcodeToString)
Map of opcodes strings.
var StringToRcode = reverseInt(RcodeToString)
Map of rcodes strings.
var StringToType = reverseInt16(TypeToString)
Reverse, needed for string parsing.
var TypeToString = map[uint16]string{
TypeCNAME: "CNAME",
TypeHINFO: "HINFO",
TypeTLSA: "TSLA",
TypeMB: "MB",
TypeMG: "MG",
TypeRP: "RP",
TypeMD: "MD",
TypeMF: "MF",
TypeMINFO: "MINFO",
TypeMR: "MR",
TypeMX: "MX",
TypeWKS: "WKS",
TypeNS: "NS",
TypeNULL: "NULL",
TypeAFSDB: "AFSDB",
TypeX25: "X25",
TypeISDN: "ISDN",
TypePTR: "PTR",
TypeRT: "RT",
TypeSOA: "SOA",
TypeTXT: "TXT",
TypeSRV: "SRV",
TypeATMA: "ATMA",
TypeNAPTR: "NAPTR",
TypeKX: "KX",
TypeCERT: "CERT",
TypeDNAME: "DNAME",
TypeA: "A",
TypeAAAA: "AAAA",
TypeLOC: "LOC",
TypeOPT: "OPT",
TypeDS: "DS",
TypeDHCID: "DHCID",
TypeHIP: "HIP",
TypeNINFO: "NINFO",
TypeRKEY: "RKEY",
TypeCDS: "CDS",
TypeCAA: "CAA",
TypeIPSECKEY: "IPSECKEY",
TypeSSHFP: "SSHFP",
TypeRRSIG: "RRSIG",
TypeNSEC: "NSEC",
TypeDNSKEY: "DNSKEY",
TypeNSEC3: "NSEC3",
TypeNSEC3PARAM: "NSEC3PARAM",
TypeTALINK: "TALINK",
TypeSPF: "SPF",
TypeNID: "NID",
TypeL32: "L32",
TypeL64: "L64",
TypeLP: "LP",
TypeTKEY: "TKEY",
TypeTSIG: "TSIG",
TypeAXFR: "AXFR",
TypeIXFR: "IXFR",
TypeANY: "ANY",
TypeURI: "URI",
TypeTA: "TA",
TypeDLV: "DLV",
}
Map of strings for each RR wire type.
var Version = "v1.0"
Version holds the current version.
Functions ¶
func CertificateToDANE ¶
func CertificateToDANE(selector, matchingType uint8, cert *x509.Certificate) string
CertificateToDANE converts a certificate to a hex string as used in the TLSA record.
func CompareLabels ¶
CompareLabels compares the strings s1 and s2 and returns how many labels they have in common starting from the right. The comparison stops at the first inequality. The labels are not downcased before the comparison.
www.miek.nl. and miek.nl. have two labels in common: miek and nl www.miek.nl. and www.bla.nl. have one label in common: nl
func Fqdn ¶
Fqdns return the fully qualified domain name from s. If s is already fully qualified, it behaves as the identity function.
func Handle ¶
Handle registers the handler with the given pattern in the DefaultServeMux. The documentation for ServeMux explains how patterns are matched.
func HandleAuthors ¶
func HandleAuthors(w ResponseWriter, r *Msg)
AuthorHandler returns a HandlerFunc that returns the authors of Go DNS for 'authors.bind' or 'authors.server' queries in the CHAOS Class. Note with:
HandleFunc("authors.bind.", HandleAuthors)
the handler is registered for all DNS classes, thereby potentially hijacking the authors.bind. zone in the IN class. If you need the authors.bind zone to exist in the IN class, you need to register some other handler, check the class in there and then call HandleAuthors.
func HandleFailed ¶
func HandleFailed(w ResponseWriter, r *Msg)
FailedHandler returns a HandlerFunc returns SERVFAIL for every request it gets.
func HandleFunc ¶
func HandleFunc(pattern string, handler func(ResponseWriter, *Msg))
HandleFunc registers the handler function with the given pattern in the DefaultServeMux.
func HandleRemove ¶
func HandleRemove(pattern string)
HandleRemove deregisters the handle with the given pattern in the DefaultServeMux.
func HandleVersion ¶
func HandleVersion(w ResponseWriter, r *Msg)
VersionHandler returns a HandlerFunc that returns the version of Go DNS for 'version.bind' or 'version.server' queries in the CHAOS Class. Note with:
HandleFunc("version.bind.", HandleVersion)
the handler is registered for all DNS classes, thereby potentially hijacking the version.bind. zone in the IN class. If you need the version.bind zone to exist in the IN class, you need to register some other handler, check the class in there and then call HandleVersion.
func HashName ¶
HashName hashes a string (label) according to RFC 5155. It returns the hashed string.
func Id ¶
func Id() uint16
Id return a 16 bits random number to be used as a message id. The random provided should be good enough.
func IsDomainName ¶
IsDomainName checks if s is a valid domainname, it returns the number of labels, total length and true, when a domain name is valid. When false is returned the labelcount and length are not defined.
func IsSubDomain ¶
IsSubDomain checks if child is indeed a child of the parent.
func ListenAndServe ¶
Start a server on addresss and network speficied. Invoke handler for incoming queries.
func PackDomainName ¶
func PackDomainName(s string, msg []byte, off int, compression map[string]int, compress bool) (off1 int, err error)
PackDomainName packs a domain name s into msg[off:]. If compression is wanted compress must be true and the compression map needs to hold a mapping between domain names and offsets pointing into msg[].
func PackRR ¶
func PackRR(rr RR, msg []byte, off int, compression map[string]int, compress bool) (off1 int, err error)
Resource record packer, pack rr into msg[off:]. See PackDomainName for documentation about the compression.
func ParseZone ¶
ParseZone reads a RFC 1035 style one from r. It returns Tokens on the returned channel, which consist out the parsed RR or an error. If there is an error the RR is nil. The string file is only used in error reporting. The string origin is used as the initial origin, as if the file would start with: $ORIGIN origin . The directives $INCLUDE, $ORIGIN, $TTL and $GENERATE are supported. The channel t is closed by ParseZone when the end of r is reached.
Basic usage pattern when reading from a string (z) containing the zone data:
for x := range dns.ParseZone(strings.NewReader(z), "", "") {
if x.Error != nil {
// Do something with x.RR
}
}
func ReverseAddr ¶
ReverseAddr returns the in-addr.arpa. or ip6.arpa. hostname of the IP address addr suitable for rDNS (PTR) record lookup or an error if it fails to parse the IP address.
func SplitLabels ¶
SplitLabels splits a domainname string into its labels. www.miek.nl. returns []string{"www", "miek", "nl"} The root label (.) returns nil.
func StringToTime ¶
StringToTime translates the RRSIG's incep. and expir. times from string values like "20110403154150" to an 32 bit integer. It takes serial arithmetic (RFC 1982) into account.
func TLSAName ¶
TLSAName returns the ownername of a TLSA resource record as per the rules specified in RFC 6698, Section 3. When an error occurs the empty string is returned.
func TimeToString ¶
TimeToString translates the RRSIG's incep. and expir. times to the string representation used when printing the record. It takes serial arithmetic (RFC 1982) into account.
func TransferOut ¶
func TransferOut(w ResponseWriter, q *Msg, c chan *Envelope, e *error) error
TransferOut performs an outgoing [AI]XFR depending on the request message. The caller is responsible for sending the correct sequence of RR sets through the channel c. For reasons of symmetry Envelope is re-used. Errors are signaled via the error pointer, when an error occurs the function sets the error and returns (it does not close the channel). TSIG and enveloping is handled by TransferOut.
Basic use pattern for sending an AXFR:
// q contains the AXFR request
c := make(chan *Envelope)
var e *error
err := TransferOut(w, q, c, e)
w.Hijack() // hijack the connection so that the package doesn't close it
for _, rrset := range rrsets { // rrsets is a []RR
c <- &{Envelope{RR: rrset}
if e != nil {
close(c)
break
}
}
// w.Close() // Don't! Let the client close the connection
func TsigGenerate ¶
TsigGenerate fills out the TSIG record attached to the message. The message should contain a "stub" TSIG RR with the algorithm, key name (owner name of the RR), time fudge (defaults to 300 seconds) and the current time The TSIG MAC is saved in that Tsig RR. When TsigGenerate is called for the first time requestMAC is set to the empty string and timersOnly is false. If something goes wrong an error is returned, otherwise it is nil.
func TsigVerify ¶
TsigVerify verifies the TSIG on a message. If the signature does not validate err contains the error, otherwise it is nil.
func UnpackDomainName ¶
UnpackDomainName unpacks a domain name into a string.
Types ¶
type CDS ¶
type CERT ¶
type CERT struct {
Hdr RR_Header
Type uint16
KeyTag uint16
Algorithm uint8
Certificate string `dns:"base64"`
}
See RFC 4398.
type Client ¶
type Client struct {
Net string // if "tcp" a TCP query will be initiated, otherwise an UDP one (default is "" for UDP)
Attempts int // number of attempts, if not set defaults to 1
Retry bool // retry with TCP
ReadTimeout time.Duration // the net.Conn.SetReadTimeout value for new connections (ns), defaults to 2 * 1e9
WriteTimeout time.Duration // the net.Conn.SetWriteTimeout value for new connections (ns), defaults to 2 * 1e9
TsigSecret map[string]string // secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be fully qualified
}
A Client defines parameter for a DNS client. A nil Client is usable for sending queries.
func (*Client) Exchange ¶
Exchange performs an synchronous query. It sends the message m to the address contained in a and waits for an reply. Basic use pattern with a *dns.Client:
c := new(dns.Client) in, rtt, err := c.Exchange(message, "127.0.0.1:53")
func (*Client) TransferIn ¶
TransferIn performs a [AI]XFR request (depends on the message's Qtype). It returns a channel of *Envelope on which the replies from the server are sent. At the end of the transfer the channel is closed. The messages are TSIG checked if needed, no other post-processing is performed. The caller must dissect the returned messages.
Basic use pattern for receiving an AXFR:
// m contains the AXFR request
t, e := c.TransferIn(m, "127.0.0.1:53")
for r := range t {
// ... deal with r.RR or r.Error
}
type ClientConfig ¶
type ClientConfig struct {
Servers []string // servers to use
Search []string // suffixes to append to local name
Port string // what port to use
Ndots int // number of dots in name to trigger absolute lookup
Timeout int // seconds before giving up on packet
Attempts int // lost packets before giving up on server
}
Wraps the contents of the /etc/resolv.conf.
func ClientConfigFromFile ¶
func ClientConfigFromFile(conf string) (*ClientConfig, error)
ClientConfigFromFile parses a resolv.conf(5) like file and returns a *ClientConfig.
type DLV ¶
type DNSKEY ¶
type DNSKEY struct {
Hdr RR_Header
Flags uint16
Protocol uint8
Algorithm uint8
PublicKey string `dns:"base64"`
}
func (*DNSKEY) Generate ¶
func (r *DNSKEY) Generate(bits int) (PrivateKey, error)
Generate generates a DNSKEY of the given bit size. The public part is put inside the DNSKEY record. The Algorithm in the key must be set as this will define what kind of DNSKEY will be generated. The ECDSA algorithms imply a fixed keysize, in that case bits should be set to the size of the algorithm.
func (*DNSKEY) NewPrivateKey ¶
func (k *DNSKEY) NewPrivateKey(s string) (PrivateKey, error)
func (*DNSKEY) PrivateKeyString ¶
func (r *DNSKEY) PrivateKeyString(p PrivateKey) (s string)
PrivateKeyString converts a PrivateKey to a string. This string has the same format as the private-key-file of BIND9 (Private-key-format: v1.3). It needs some info from the key (hashing, keytag), so its a method of the DNSKEY.
func (*DNSKEY) ReadPrivateKey ¶
NewPrivateKey reads a private key from the io.Reader q. The string file is only used in error reporting. The public key must be known, because some cryptographics algorithms embed the public inside the privatekey.
type DS ¶
type EDNS0 ¶
type EDNS0 interface {
// Option returns the option code for the option.
Option() uint16
// String returns the string representation of the option.
String() string
// contains filtered or unexported methods
}
EDNS0 defines an EDNS0 Option. An OPT RR can have multiple option appended to it. Basic use pattern for adding an option to and OPT RR:
// o is the OPT RR, e is the EDNS0 option o.Option = append(o.Option, e)
type EDNS0_NSID ¶
type EDNS0_NSID struct {
Code uint16 // Always EDNS0NSID
Nsid string // This string needs to be hex encoded
}
The nsid EDNS0 option is used to retrieve some sort of nameserver identifier. When seding a request Nsid must be set to the empty string The identifier is an opaque string encoded as hex. Basic use pattern for creating an nsid option:
o := new(dns.OPT) o.Hdr.Name = "." o.Hdr.Rrtype = dns.TypeOPT e := new(dns.EDNS0_NSID) e.Code = dns.EDNS0NSID o.Option = append(o.Option, e)
func (*EDNS0_NSID) Option ¶
func (e *EDNS0_NSID) Option() uint16
func (*EDNS0_NSID) String ¶
func (e *EDNS0_NSID) String() string
type EDNS0_SUBNET ¶
type EDNS0_SUBNET struct {
Code uint16 // Always EDNS0SUBNET
Family uint16 // 1 for IP, 2 for IP6
SourceNetmask uint8
SourceScope uint8
Address net.IP
}
The subnet EDNS0 option is used to give the remote nameserver an idea of where the client lives. It can then give back a different answer depending on the location or network topology. Basic use pattern for creating an subnet option:
o := new(dns.OPT)
o.Hdr.Name = "."
o.Hdr.Rrtype = dns.TypeOPT
e := new(dns.EDNS0_SUBNET)
e.Code = dns.EDNS0SUBNET
e.Family = 1 // 1 for IPv4 source address, 2 for IPv6
e.NetMask = 32 // 32 for IPV4, 128 for IPv6
e.SourceScope = 0
e.Address = net.ParseIP("127.0.0.1").To4() // for IPv4
// e.Address = net.ParseIP("2001:7b8:32a::2") // for IPV6
o.Option = append(o.Option, e)
func (*EDNS0_SUBNET) Option ¶
func (e *EDNS0_SUBNET) Option() uint16
func (*EDNS0_SUBNET) String ¶
func (e *EDNS0_SUBNET) String() (s string)
type EDNS0_UPDATE_LEASE ¶
func (*EDNS0_UPDATE_LEASE) Option ¶
func (e *EDNS0_UPDATE_LEASE) Option() uint16
func (*EDNS0_UPDATE_LEASE) String ¶
func (e *EDNS0_UPDATE_LEASE) String() string
type Envelope ¶
type Envelope struct {
RR []RR // The set of RRs in the answer section of the AXFR reply message.
Error error // If something went wrong, this contains the error.
}
Envelope is used when doing [IA]XFR with a remote server.
type HIP ¶
type HIP struct {
Hdr RR_Header
HitLength uint8
PublicKeyAlgorithm uint8
PublicKeyLength uint16
Hit string `dns:"hex"`
PublicKey string `dns:"base64"`
RendezvousServers []string `dns:"domain-name"`
}
Example ¶
h := `www.example.com IN HIP ( 2 200100107B1A74DF365639CC39F1D578
AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p
9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQ
b1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
rvs.example.com. )`
if hip, err := NewRR(h); err == nil {
fmt.Printf("%s\n", hip.String())
}
Output: www.example.com. 3600 IN HIP 2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com.
type Handler ¶
type Handler interface {
ServeDNS(w ResponseWriter, r *Msg)
}
type HandlerFunc ¶
type HandlerFunc func(ResponseWriter, *Msg)
The HandlerFunc type is an adapter to allow the use of ordinary functions as DNS handlers. If f is a function with the appropriate signature, HandlerFunc(f) is a Handler object that calls f.
func (HandlerFunc) ServeDNS ¶
func (f HandlerFunc) ServeDNS(w ResponseWriter, r *Msg)
ServerDNS calls f(w, r)
type IPSECKEY ¶
type LOC ¶
type MINFO ¶
type Msg ¶
type Msg struct {
MsgHdr
Compress bool // If true, the message will be compressed when converted to wire format.
Size int // Number of octects in the message received from the wire.
Question []Question // Holds the RR(s) of the question section.
Answer []RR // Holds the RR(s) of the answer section.
Ns []RR // Holds the RR(s) of the authority section.
Extra []RR // Holds the RR(s) of the additional section.
}
The layout of a DNS message.
func (*Msg) Insert ¶
Insert creates a dynamic update packet that adds an complete RRset, see RFC 2136 section 2.5.1.
func (*Msg) IsEdns0 ¶
IsEdns0 checks if the message has a EDNS0 (OPT) record, any EDNS0 record in the additional section will do. It returns the OPT record found or nil.
func (*Msg) IsTsig ¶
IsTsig checks if the message has a TSIG record as the last record in the additional section. It returns the TSIG record found or nil.
func (*Msg) Len ¶
Len return the message length when in (un)compressed wire format. If dns.Compress is true compression is taken into account, currently this only counts owner name compression. There is no check for nil valued sections (allocated, but contains no RRs).
func (*Msg) NameNotUsed ¶
NameNotUsed sets the RRs in the prereq section to "Name is in not use" RRs. RFC 2136 section 2.4.5.
func (*Msg) NameUsed ¶
NameUsed sets the RRs in the prereq section to "Name is in use" RRs. RFC 2136 section 2.4.4.
func (*Msg) Pack ¶
Pack packs a Msg: it is converted to to wire format. If the dns.Compress is true the message will be in compressed wire format.
func (*Msg) RRsetNotUsed ¶
RRsetNotUsed sets the RRs in the prereq section to "RRset does not exist" RRs. RFC 2136 section 2.4.3.
func (*Msg) RRsetUsed ¶
RRsetUsed sets the RRs in the prereq section to "RRset exists (value independent -- no rdata)" RRs. RFC 2136 section 2.4.1.
func (*Msg) Remove ¶
Remove creates a dynamic update packet deletes RR from the RRSset, see RFC 2136 section 2.5.4
func (*Msg) RemoveName ¶
RemoveName creates a dynamic update packet that deletes all RRsets of a name, see RFC 2136 section 2.5.3
func (*Msg) RemoveRRset ¶
RemoveRRset creates a dynamic update packet that deletes an RRset, see RFC 2136 section 2.5.2.
func (*Msg) SetEdns0 ¶
SetEdns0 appends a EDNS0 OPT RR to the message. TSIG should always the last RR in a message.
func (*Msg) SetQuestion ¶
SetQuestion creates a question packet.
func (*Msg) SetRcodeFormatError ¶
SetRcodeFormatError creates a packet with FormError set.
func (*Msg) SetTsig ¶
SetTsig appends a TSIG RR to the message. This is only a skeleton TSIG RR that is added as the last RR in the additional section. The Tsig is calculated when the message is being send.
func (*Msg) SetUpdate ¶
SetUpdate makes the message a dynamic update packet. It sets the ZONE section to: z, TypeSOA, ClassINET.
func (*Msg) Used ¶
Used sets the RRs in the prereq section to "RRset exists (value dependent -- with rdata)" RRs. RFC 2136 section 2.4.2.
type MsgHdr ¶
type MsgHdr struct {
Id uint16
Response bool
Opcode int
Authoritative bool
Truncated bool
RecursionDesired bool
RecursionAvailable bool
Zero bool
AuthenticatedData bool
CheckingDisabled bool
Rcode int
}
A manually-unpacked version of (id, bits). This is in its own struct for easy printing.
type NAPTR ¶
type NSEC ¶
type NSEC struct {
Hdr RR_Header
NextDomain string `dns:"domain-name"`
TypeBitMap []uint16 `dns:"nsec"`
}
func (*NSEC) Cover ¶
Cover checks if domain is covered by the NSEC record. Domain must be given in plain text.
type NSEC3 ¶
type NSEC3 struct {
Hdr RR_Header
Hash uint8
Flags uint8
Iterations uint16
SaltLength uint8
Salt string `dns:"size-hex"`
HashLength uint8
NextDomain string `dns:"size-base32"`
TypeBitMap []uint16 `dns:"nsec"`
}
func (*NSEC3) Cover ¶
Cover checks if domain is covered by the NSEC3 record. Domain must be given in plain text (i.e. not hashed) TODO(mg): this doesn't loop around TODO(mg): make a CoverHashed variant?
type NSEC3PARAM ¶
type NSEC3PARAM struct {
Hdr RR_Header
Hash uint8
Flags uint8
Iterations uint16
SaltLength uint8
Salt string `dns:"hex"`
}
func (*NSEC3PARAM) Copy ¶
func (rr *NSEC3PARAM) Copy() RR
func (*NSEC3PARAM) Header ¶
func (rr *NSEC3PARAM) Header() *RR_Header
func (*NSEC3PARAM) Len ¶
func (rr *NSEC3PARAM) Len() int
func (*NSEC3PARAM) String ¶
func (rr *NSEC3PARAM) String() string
type OPT ¶
func (*OPT) SetUDPSize ¶
SetUDPSize sets the UDP buffer size.
func (*OPT) SetVersion ¶
SetVersion sets the version of EDNS. This is usually zero.
type ParseError ¶
type ParseError struct {
// contains filtered or unexported fields
}
ParseError is a parsing error. It contains the parse error and the location in the io.Reader where the error occured.
func (*ParseError) Error ¶
func (e *ParseError) Error() (s string)
type PrivateKey ¶
type PrivateKey interface{}
Empty interface that is used as a wrapper around all possible private key implementations from the crypto package.
type Question ¶
type Question struct {
Name string `dns:"cdomain-name"` // "cdomain-name" specifies encoding (and may be compressed)
Qtype uint16
Qclass uint16
}
DNS queries.
type RKEY ¶
type RR ¶
type RR interface {
// Header returns the header of an resource record. The header contains
// everything up to the rdata.
Header() *RR_Header
// String returns the text representation of the resource record.
String() string
// Len returns the length (in octects) of the uncompressed RR in wire format.
Len() int
// Copy returns a copy of the RR
Copy() RR
}
An RR represents a resource record.
func NewRR ¶
NewRR reads the RR contained in the string s. Only the first RR is returned. The class defaults to IN and TTL defaults to 3600. The full zone file syntax like $TTL, $ORIGIN, etc. is supported.
type RRSIG ¶
type RRSIG struct {
Hdr RR_Header
TypeCovered uint16
Algorithm uint8
Labels uint8
OrigTtl uint32
Expiration uint32
Inception uint32
KeyTag uint16
SignerName string `dns:"domain-name"`
Signature string `dns:"base64"`
}
func (*RRSIG) Sign ¶
func (rr *RRSIG) Sign(k PrivateKey, rrset []RR) error
Sign signs an RRSet. The signature needs to be filled in with the values: Inception, Expiration, KeyTag, SignerName and Algorithm. The rest is copied from the RRset. Sign returns true when the signing went OK, otherwise false. There is no check if RRSet is a proper (RFC 2181) RRSet.
func (*RRSIG) ValidityPeriod ¶
ValidityPeriod uses RFC1982 serial arithmetic to calculate if a signature period is valid.
type RR_Header ¶
type RR_Header struct {
Name string `dns:"cdomain-name"`
Rrtype uint16
Class uint16
Ttl uint32
Rdlength uint16 // length of data after header
}
DNS resource records. There are many types of RRs, but they all share the same header.
func (*RR_Header) CopyHeader ¶
type ResponseWriter ¶
type ResponseWriter interface {
// RemoteAddr returns the net.Addr of the client that sent the current request.
RemoteAddr() net.Addr
// WriteMsg writes a reply back to the client.
WriteMsg(*Msg) error
// Write writes a raw buffer back to the client.
Write([]byte) (int, error)
// Close closes the connection.
Close() error
// TsigStatus returns the status of the Tsig.
TsigStatus() error
// TsigTimersOnly sets the tsig timers only boolean.
TsigTimersOnly(bool)
// Hijack lets the caller take over the connection.
// After a call to Hijack(), the DNS package will not do anything with the connection
Hijack()
}
A ResponseWriter interface is used by an DNS handler to construct an DNS response.
type SOA ¶
type SOA struct {
Hdr RR_Header
Ns string `dns:"cdomain-name"`
Mbox string `dns:"cdomain-name"`
Serial uint32
Refresh uint32
Retry uint32
Expire uint32
Minttl uint32
}
Example ¶
s := "example.com. 1000 SOA master.example.com. admin.example.com. 1 4294967294 4294967293 4294967295 100"
if soa, err := NewRR(s); err == nil {
fmt.Printf("%s\n", soa.String())
}
Output: example.com. 1000 IN SOA master.example.com. admin.example.com. 1 4294967294 4294967293 4294967295 100
type SRV ¶
type ServeMux ¶
type ServeMux struct {
// contains filtered or unexported fields
}
ServeMux is an DNS request multiplexer. It matches the zone name of each incoming request against a list of registered patterns add calls the handler for the pattern that most closely matches the zone name. ServeMux is DNSSEC aware, meaning that queries for the DS record are redirected to the parent zone (if that is also registered), otherwise the child gets the query.
func (*ServeMux) HandleFunc ¶
func (mux *ServeMux) HandleFunc(pattern string, handler func(ResponseWriter, *Msg))
Handle adds a handler to the ServeMux for pattern.
func (*ServeMux) HandleRemove ¶
HandleRemove deregistrars the handler specific for pattern from the ServeMux.
func (*ServeMux) ServeDNS ¶
func (mux *ServeMux) ServeDNS(w ResponseWriter, request *Msg)
ServeDNS dispatches the request to the handler whose pattern most closely matches the request message. If DefaultServeMux is used the correct thing for DS queries is done: a possible parent is sought. If no handler is found a standard SERVFAIL message is returned If the request message does not have a single question in the question section a SERVFAIL is returned.
type Server ¶
type Server struct {
Addr string // address to listen on, ":dns" if empty
Net string // if "tcp" it will invoke a TCP listener, otherwise an UDP one
Handler Handler // handler to invoke, dns.DefaultServeMux if nil
UDPSize int // default buffer size to use to read incoming UDP messages
ReadTimeout time.Duration // the net.Conn.SetReadTimeout value for new connections
WriteTimeout time.Duration // the net.Conn.SetWriteTimeout value for new connections
TsigSecret map[string]string // secret(s) for Tsig map[<zonename>]<base64 secret>
}
A Server defines parameters for running an DNS server.
func (*Server) ListenAndServe ¶
ListenAndServe starts a nameserver on the configured address in *Server.
type SignatureConfig ¶
type SignatureConfig struct {
// Validity period of the signatures, typically 2 to 4 weeks.
Validity time.Duration
// When the end of the validity approaches, how much time should remain
// before we start to resign. Typical value is 3 days.
Refresh time.Duration
// Jitter is an random amount of time added or subtracted from the
// expiration time to ensure not all signatures expire a the same time.
// Typical value is 12 hours, which means the actual jitter value is
// between -12..0..+12.
Jitter time.Duration
// InceptionOffset is subtracted from the inception time to ensure badly
// calibrated clocks on the internet can still validate a signature.
// Typical value is 300 seconds.
InceptionOffset time.Duration
// HonorSepFlag is a boolean which when try instructs the signer to use
// a KSK/ZSK split and only sign the keyset with the KSK(s). If not
// set all records are signed with all keys. If this flag is true and
// a single KSK is used for signing, only the keyset is signed.
HonorSepFlag bool
// SignerRoutines specifies the number of signing goroutines, if not
// set runtime.NumCPU() + 1 is used as the value.
SignerRoutines int
// SOA Minttl value must be used as the ttl on NSEC/NSEC3 records.
Minttl uint32
}
SignatureConfig holds the parameters for zone (re)signing. This is copied from OpenDNSSEC. See: https://wiki.opendnssec.org/display/DOCS/kasp.xml
type TA ¶
type TALINK ¶
type TKEY ¶
type TLSA ¶
type TLSA struct {
Hdr RR_Header
Usage uint8
Selector uint8
MatchingType uint8
Certificate string `dns:"hex"`
}
type TSIG ¶
type Token ¶
type Token struct {
RR // the scanned resource record when error is not nil
Error *ParseError // when an error occured, this has the error specifics
}
Tokens are returned when a zone file is parsed.
type WKS ¶
type Zone ¶
type Zone struct {
Origin string // Origin of the zone
Wildcard int // Whenever we see a wildcard name, this is incremented
ModTime time.Time // When is the zone last modified
*radix.Radix // Zone data
*sync.RWMutex
// contains filtered or unexported fields
}
Zone represents a DNS zone. It's safe for concurrent use by multilpe goroutines.
Example ¶
zone := `$ORIGIN .
$TTL 3600 ; 1 hour
name IN SOA a6.nstld.com. hostmaster.nic.name. (
203362132 ; serial
300 ; refresh (5 minutes)
300 ; retry (5 minutes)
1209600 ; expire (2 weeks)
300 ; minimum (5 minutes)
)
$TTL 10800 ; 3 hours
name. 10800 IN NS name.
IN NS g6.nstld.com.
7200 NS h6.nstld.com.
3600 IN NS j6.nstld.com.
IN 3600 NS k6.nstld.com.
NS l6.nstld.com.
NS a6.nstld.com.
NS c6.nstld.com.
NS d6.nstld.com.
NS f6.nstld.com.
NS m6.nstld.com.
(
NS m7.nstld.com.
)
$ORIGIN name.
0-0onlus NS ns7.ehiweb.it.
NS ns8.ehiweb.it.
0-g MX 10 mx01.nic
MX 10 mx02.nic
MX 10 mx03.nic
MX 10 mx04.nic
$ORIGIN 0-g.name
moutamassey NS ns01.yahoodomains.jp.
NS ns02.yahoodomains.jp.
`
to := ParseZone(strings.NewReader(zone), "", "testzone")
for x := range to {
fmt.Printf("%s\n", x.RR)
}
Output: name. 3600 IN SOA a6.nstld.com. hostmaster.nic.name. 203362132 300 300 1209600 300 name. 10800 IN NS name. name. 10800 IN NS g6.nstld.com. name. 7200 IN NS h6.nstld.com. name. 3600 IN NS j6.nstld.com. name. 3600 IN NS k6.nstld.com. name. 10800 IN NS l6.nstld.com. name. 10800 IN NS a6.nstld.com. name. 10800 IN NS c6.nstld.com. name. 10800 IN NS d6.nstld.com. name. 10800 IN NS f6.nstld.com. name. 10800 IN NS m6.nstld.com. name. 10800 IN NS m7.nstld.com. 0-0onlus.name. 10800 IN NS ns7.ehiweb.it. 0-0onlus.name. 10800 IN NS ns8.ehiweb.it. 0-g.name. 10800 IN MX 10 mx01.nic.name. 0-g.name. 10800 IN MX 10 mx02.nic.name. 0-g.name. 10800 IN MX 10 mx03.nic.name. 0-g.name. 10800 IN MX 10 mx04.nic.name. moutamassey.0-g.name.name. 10800 IN NS ns01.yahoodomains.jp. moutamassey.0-g.name.name. 10800 IN NS ns02.yahoodomains.jp.
func (*Zone) Apex ¶
Apex returns the zone's apex records (SOA, NS and possibly other). If the apex can not be found (thereby making it an illegal DNS zone) it returns nil. Updating the zone's SOA serial, provided the apex exists:
z.Apex.RR[TypeSOA][0].(*SOA).Serial++
Note the a) this increment is not protected by locks and b) if you use DNSSEC you MUST resign the SOA record.
func (*Zone) Find ¶
Find looks up the ownername s in the zone and returns the data and true when an exact match is found. If an exact find isn't possible the first parent node with a non-nil Value is returned and the boolean is false.
func (*Zone) FindFunc ¶
FindFunc works like Find, but the function f is executed on each node which has a non-nil Value during the tree traversal. If f returns true, that node is returned.
func (*Zone) Insert ¶
Insert inserts the RR r into the zone. There is no check for duplicate data, although Remove will remove all duplicates.
func (*Zone) Remove ¶
Remove removes the RR r from the zone. If the RR can not be found, this is a no-op.
func (*Zone) RemoveName ¶
RemoveName removes all the RRs with ownername matching s from the zone. Typical use of this method is when processing a RemoveName dynamic update packet.
func (*Zone) RemoveRRset ¶
RemoveRRset removes all the RRs with the ownername matching s and the type matching t from the zone. Typical use of this method is when processing a RemoveRRset dynamic update packet.
func (*Zone) Sign ¶
func (z *Zone) Sign(keys map[*DNSKEY]PrivateKey, config *SignatureConfig) error
Sign (re)signs the zone z with the given keys. NSECs and RRSIGs are added as needed. The public keys themselves are not added to the zone. If config is nil DefaultSignatureConfig is used. The signatureConfig describes how the zone must be signed and if the SEP flag (for KSK) should be honored. If signatures approach their expriration time, they are refreshed with the current set of keys. Valid signatures are left alone.
Basic use pattern for signing a zone with the default SignatureConfig:
// A single PublicKey/PrivateKey have been read from disk.
e := z.Sign(map[*dns.DNSKEY]dns.PrivateKey{pubkey.(*dns.DNSKEY): privkey}, nil)
if e != nil {
// signing error
}
// Admire your signed zone...
type ZoneData ¶
type ZoneData struct {
Name string // Domain name for this node
RR map[uint16][]RR // Map of the RR type to the RR
Signatures map[uint16][]*RRSIG // DNSSEC signatures for the RRs, stored under type covered
NonAuth bool // Always false, except for NSsets that differ from z.Origin
*sync.RWMutex
}
ZoneData holds all the RRs having their owner name equal to Name.
func NewZoneData ¶
NewZoneData creates a new zone data element.
func (*ZoneData) Sign ¶
func (node *ZoneData) Sign(next string, keys map[*DNSKEY]PrivateKey, keytags map[*DNSKEY]uint16, config *SignatureConfig) error
Sign signs a single ZoneData node. The zonedata itself is locked for writing, during the execution. It is important that the nodes' next record does not change. The caller must take care that the zone itself is also locked for writing. For a more complete description see zone.Sign. Note, because this method has no (direct) access to the zone's SOA record, the SOA's Minttl value should be set in *config.
func (*ZoneData) String ¶
String returns a string representation of a ZoneData. There is no String for the entire zone, because this will (most likely) take up a huge amount of memory. Basic use pattern for printing an entire zone:
// z contains the zone
z.Radix.NextDo(func(i interface{}) {
fmt.Printf("%s", i.(*dns.ZoneData).String()) })
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
ex
|
|
|
chaos
Chaos is a small program that prints the version.bind and hostname.bind for each address of the nameserver given as argument.
|
Chaos is a small program that prints the version.bind and hostname.bind for each address of the nameserver given as argument. |
|
check-soa
Go equivalent of the "DNS & BIND" book check-soa program.
|
Go equivalent of the "DNS & BIND" book check-soa program. |
|
q
Q is a small utility which acts and behaves like 'dig' from BIND.
|
Q is a small utility which acts and behaves like 'dig' from BIND. |
|
reflect
Reflect is a small name server which sends back the IP address of its client, the recursive resolver.
|
Reflect is a small name server which sends back the IP address of its client, the recursive resolver. |