diff --git a/go.mod b/go.mod
index 77d2fe24b3075c59558cd617d20d6388c77bcd9c..ff393c156b82940b81d7a1bba79c22f7485a6d4a 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.14
require (
git.autistici.org/ai3/go-common v0.0.0-20210118064555-73f00db54723
git.autistici.org/ai3/tools/replds v0.0.0-20210117165138-e6368d266143
- github.com/miekg/dns v1.1.35
+ github.com/miekg/dns v1.1.37
github.com/prometheus/client_golang v1.9.0
github.com/prometheus/procfs v0.3.0 // indirect
golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
diff --git a/go.sum b/go.sum
index 46c62f98c0d72a27d2a209ffda37632af050b9ae..0b3ffaf02be4e4a8256366898eac27ffb97bc6a7 100644
--- a/go.sum
+++ b/go.sum
@@ -197,6 +197,8 @@ github.com/miekg/dns v1.0.14 h1:9jZdLNd/P4+SfEJ0TNyxYpsK8N4GtfylBLqtbYN1sbA=
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
github.com/miekg/dns v1.1.35 h1:oTfOaDH+mZkdcgdIjH6yBajRGtIwcwcaR+rt23ZSrJs=
github.com/miekg/dns v1.1.35/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
+github.com/miekg/dns v1.1.37 h1:+kky2ArpBqk0S/74RkwFjmKM9jja7AB1RN7VUuVq0iM=
+github.com/miekg/dns v1.1.37/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
github.com/miscreant/miscreant.go v0.0.0-20200214223636-26d376326b75/go.mod h1:pBbZyGwC5i16IBkjVKoy/sznA8jPD/K9iedwe1ESE6w=
github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
diff --git a/vendor/github.com/miekg/dns/.travis.yml b/vendor/github.com/miekg/dns/.travis.yml
deleted file mode 100644
index 7d9b172756642817b35d524b17e3a50c9459dddf..0000000000000000000000000000000000000000
--- a/vendor/github.com/miekg/dns/.travis.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-language: go
-sudo: false
-
-go:
- - 1.14.x
- - 1.15.x
- - tip
-
-env:
- - GO111MODULE=on
-
-script:
- - go generate ./... && test `git ls-files --modified | wc -l` = 0
- - go test -race -v -bench=. -coverprofile=coverage.txt -covermode=atomic ./...
-
-after_success:
- - bash <(curl -s https://codecov.io/bash)
diff --git a/vendor/github.com/miekg/dns/README.md b/vendor/github.com/miekg/dns/README.md
index fc8394e2697a339d7929361b4b0ff0f7153cb16a..767eb6bf38380c02e3d80c0cca98866f550692a6 100644
--- a/vendor/github.com/miekg/dns/README.md
+++ b/vendor/github.com/miekg/dns/README.md
@@ -69,6 +69,8 @@ A not-so-up-to-date-list-that-may-be-actually-current:
* https://zonedb.org/
* https://router7.org/
* https://github.com/fortio/dnsping
+* https://github.com/Luzilla/dnsbl_exporter
+* https://github.com/bodgit/tsig
Send pull request if you want to be listed here.
diff --git a/vendor/github.com/miekg/dns/client.go b/vendor/github.com/miekg/dns/client.go
index e7ff786a237fc48fc1104814b55013d389810a76..aa2c49d35e412d5d08eb432962bbd885e3744806 100644
--- a/vendor/github.com/miekg/dns/client.go
+++ b/vendor/github.com/miekg/dns/client.go
@@ -23,6 +23,7 @@ type Conn struct {
net.Conn // a net.Conn holding the connection
UDPSize uint16 // minimum receive buffer for UDP messages
TsigSecret map[string]string // secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2)
+ TsigProvider TsigProvider // An implementation of the TsigProvider interface. If defined it replaces TsigSecret and is used for all TSIG operations.
tsigRequestMAC string
}
@@ -40,6 +41,7 @@ type Client struct {
ReadTimeout time.Duration // net.Conn.SetReadTimeout value for connections, defaults to 2 seconds - overridden by Timeout when that value is non-zero
WriteTimeout time.Duration // net.Conn.SetWriteTimeout value for connections, defaults to 2 seconds - overridden by Timeout when that value is non-zero
TsigSecret map[string]string // secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2)
+ TsigProvider TsigProvider // An implementation of the TsigProvider interface. If defined it replaces TsigSecret and is used for all TSIG operations.
SingleInflight bool // if true suppress multiple outstanding queries for the same Qname, Qtype and Qclass
group singleflight
}
@@ -124,7 +126,6 @@ func (c *Client) Dial(address string) (conn *Conn, err error) {
// of 512 bytes
// To specify a local address or a timeout, the caller has to set the `Client.Dialer`
// attribute appropriately
-
func (c *Client) Exchange(m *Msg, address string) (r *Msg, rtt time.Duration, err error) {
co, err := c.Dial(address)
@@ -176,7 +177,7 @@ func (c *Client) exchange(m *Msg, co *Conn) (r *Msg, rtt time.Duration, err erro
co.UDPSize = c.UDPSize
}
- co.TsigSecret = c.TsigSecret
+ co.TsigSecret, co.TsigProvider = c.TsigSecret, c.TsigProvider
t := time.Now()
// write with the appropriate write timeout
co.SetWriteDeadline(t.Add(c.getTimeoutForRequest(c.writeTimeout())))
@@ -223,11 +224,15 @@ func (co *Conn) ReadMsg() (*Msg, error) {
return m, err
}
if t := m.IsTsig(); t != nil {
- if _, ok := co.TsigSecret[t.Hdr.Name]; !ok {
- return m, ErrSecret
+ if co.TsigProvider != nil {
+ err = tsigVerifyProvider(p, co.TsigProvider, co.tsigRequestMAC, false)
+ } else {
+ if _, ok := co.TsigSecret[t.Hdr.Name]; !ok {
+ return m, ErrSecret
+ }
+ // Need to work on the original message p, as that was used to calculate the tsig.
+ err = TsigVerify(p, co.TsigSecret[t.Hdr.Name], co.tsigRequestMAC, false)
}
- // Need to work on the original message p, as that was used to calculate the tsig.
- err = TsigVerify(p, co.TsigSecret[t.Hdr.Name], co.tsigRequestMAC, false)
}
return m, err
}
@@ -305,10 +310,14 @@ func (co *Conn) WriteMsg(m *Msg) (err error) {
var out []byte
if t := m.IsTsig(); t != nil {
mac := ""
- if _, ok := co.TsigSecret[t.Hdr.Name]; !ok {
- return ErrSecret
+ if co.TsigProvider != nil {
+ out, mac, err = tsigGenerateProvider(m, co.TsigProvider, co.tsigRequestMAC, false)
+ } else {
+ if _, ok := co.TsigSecret[t.Hdr.Name]; !ok {
+ return ErrSecret
+ }
+ out, mac, err = TsigGenerate(m, co.TsigSecret[t.Hdr.Name], co.tsigRequestMAC, false)
}
- out, mac, err = TsigGenerate(m, co.TsigSecret[t.Hdr.Name], co.tsigRequestMAC, false)
// Set for the next read, although only used in zone transfers
co.tsigRequestMAC = mac
} else {
diff --git a/vendor/github.com/miekg/dns/dns.go b/vendor/github.com/miekg/dns/dns.go
index ad83a27ecfab87249548474cbb861afae76fa468..33c93b2bfd2b89684e72c6ce22d85ab80c85056d 100644
--- a/vendor/github.com/miekg/dns/dns.go
+++ b/vendor/github.com/miekg/dns/dns.go
@@ -1,6 +1,9 @@
package dns
-import "strconv"
+import (
+ "encoding/hex"
+ "strconv"
+)
const (
year68 = 1 << 31 // For RFC1982 (Serial Arithmetic) calculations in 32 bits.
@@ -111,7 +114,7 @@ func (h *RR_Header) parse(c *zlexer, origin string) *ParseError {
// ToRFC3597 converts a known RR to the unknown RR representation from RFC 3597.
func (rr *RFC3597) ToRFC3597(r RR) error {
- buf := make([]byte, Len(r)*2)
+ buf := make([]byte, Len(r))
headerEnd, off, err := packRR(r, buf, 0, compressionMap{}, false)
if err != nil {
return err
@@ -126,9 +129,25 @@ func (rr *RFC3597) ToRFC3597(r RR) error {
}
_, err = rr.unpack(buf, headerEnd)
+ return err
+}
+
+// fromRFC3597 converts an unknown RR representation from RFC 3597 to the known RR type.
+func (rr *RFC3597) fromRFC3597(r RR) error {
+ *r.Header() = rr.Hdr
+
+ if len(rr.Rdata) == 0 {
+ // Dynamic update.
+ return nil
+ }
+
+ // rr.pack requires an extra allocation and a copy so we just decode Rdata
+ // manually, it's simpler anyway.
+ msg, err := hex.DecodeString(rr.Rdata)
if err != nil {
return err
}
- return nil
+ _, err = r.unpack(msg, 0)
+ return err
}
diff --git a/vendor/github.com/miekg/dns/doc.go b/vendor/github.com/miekg/dns/doc.go
index 6861de774b7070cceda84acd7bf5c50c813627ce..f7629ec3fff34cc5b88b81aeedd6bf7661b1f5a0 100644
--- a/vendor/github.com/miekg/dns/doc.go
+++ b/vendor/github.com/miekg/dns/doc.go
@@ -194,6 +194,30 @@ request an AXFR for miek.nl. with TSIG key named "axfr." and secret
You can now read the records from the transfer as they come in. Each envelope
is checked with TSIG. If something is not correct an error is returned.
+A custom TSIG implementation can be used. This requires additional code to
+perform any session establishment and signature generation/verification. The
+client must be configured with an implementation of the TsigProvider interface:
+
+ type Provider struct{}
+
+ func (*Provider) Generate(msg []byte, tsig *dns.TSIG) ([]byte, error) {
+ // Use tsig.Hdr.Name and tsig.Algorithm in your code to
+ // generate the MAC using msg as the payload.
+ }
+
+ func (*Provider) Verify(msg []byte, tsig *dns.TSIG) error {
+ // Use tsig.Hdr.Name and tsig.Algorithm in your code to verify
+ // that msg matches the value in tsig.MAC.
+ }
+
+ c := new(dns.Client)
+ c.TsigProvider = new(Provider)
+ m := new(dns.Msg)
+ m.SetQuestion("miek.nl.", dns.TypeMX)
+ m.SetTsig(keyname, dns.HmacSHA1, 300, time.Now().Unix())
+ ...
+ // TSIG RR is calculated by calling your Generate method
+
Basic use pattern validating and replying to a message that has TSIG set.
server := &dns.Server{Addr: ":53", Net: "udp"}
diff --git a/vendor/github.com/miekg/dns/edns.go b/vendor/github.com/miekg/dns/edns.go
index 04808d57897d78be558bb170ccd0551c06fc2f8d..f3fb1c6849511965fe980ee3d4a512366853772a 100644
--- a/vendor/github.com/miekg/dns/edns.go
+++ b/vendor/github.com/miekg/dns/edns.go
@@ -88,8 +88,8 @@ func (rr *OPT) len(off int, compression map[string]struct{}) int {
return l
}
-func (rr *OPT) parse(c *zlexer, origin string) *ParseError {
- panic("dns: internal error: parse should never be called on OPT")
+func (*OPT) parse(c *zlexer, origin string) *ParseError {
+ return &ParseError{err: "OPT records do not have a presentation format"}
}
func (r1 *OPT) isDuplicate(r2 RR) bool { return false }
diff --git a/vendor/github.com/miekg/dns/generate.go b/vendor/github.com/miekg/dns/generate.go
index f713074a181c05406dcb60cb6b3ef6562e0dbc81..ac8df34dd525a2b0b2d143a0c71e215e4ef33314 100644
--- a/vendor/github.com/miekg/dns/generate.go
+++ b/vendor/github.com/miekg/dns/generate.go
@@ -75,10 +75,10 @@ func (zp *ZoneParser) generate(l lex) (RR, bool) {
r := &generateReader{
s: s,
- cur: int(start),
- start: int(start),
- end: int(end),
- step: int(step),
+ cur: start,
+ start: start,
+ end: end,
+ step: step,
file: zp.file,
lex: &l,
@@ -94,10 +94,10 @@ type generateReader struct {
s string
si int
- cur int
- start int
- end int
- step int
+ cur int64
+ start int64
+ end int64
+ step int64
mod bytes.Buffer
@@ -173,7 +173,7 @@ func (r *generateReader) ReadByte() (byte, error) {
return '$', nil
}
- var offset int
+ var offset int64
// Search for { and }
if r.s[si+1] == '{' {
@@ -188,7 +188,7 @@ func (r *generateReader) ReadByte() (byte, error) {
if errMsg != "" {
return 0, r.parseError(errMsg, si+3+sep)
}
- if r.start+offset < 0 || int64(r.end) + int64(offset) > 1<<31-1 {
+ if r.start+offset < 0 || r.end+offset > 1<<31-1 {
return 0, r.parseError("bad offset in $GENERATE", si+3+sep)
}
@@ -208,7 +208,7 @@ func (r *generateReader) ReadByte() (byte, error) {
}
// Convert a $GENERATE modifier 0,0,d to something Printf can deal with.
-func modToPrintf(s string) (string, int, string) {
+func modToPrintf(s string) (string, int64, string) {
// Modifier is { offset [ ,width [ ,base ] ] } - provide default
// values for optional width and type, if necessary.
var offStr, widthStr, base string
@@ -240,8 +240,8 @@ func modToPrintf(s string) (string, int, string) {
}
if width == 0 {
- return "%" + base, int(offset), ""
+ return "%" + base, offset, ""
}
- return "%0" + widthStr + base, int(offset), ""
+ return "%0" + widthStr + base, offset, ""
}
diff --git a/vendor/github.com/miekg/dns/scan.go b/vendor/github.com/miekg/dns/scan.go
index aa2840efba890cf768537d27f6fce97e81e1b695..67161de29cda355180633708502640934ab1a0da 100644
--- a/vendor/github.com/miekg/dns/scan.go
+++ b/vendor/github.com/miekg/dns/scan.go
@@ -577,10 +577,23 @@ func (zp *ZoneParser) Next() (RR, bool) {
st = zExpectRdata
case zExpectRdata:
- var rr RR
- if newFn, ok := TypeToRR[h.Rrtype]; ok && canParseAsRR(h.Rrtype) {
+ var (
+ rr RR
+ parseAsRFC3597 bool
+ )
+ if newFn, ok := TypeToRR[h.Rrtype]; ok {
rr = newFn()
*rr.Header() = *h
+
+ // We may be parsing a known RR type using the RFC3597 format.
+ // If so, we handle that here in a generic way.
+ //
+ // This is also true for PrivateRR types which will have the
+ // RFC3597 parsing done for them and the Unpack method called
+ // to populate the RR instead of simply deferring to Parse.
+ if zp.c.Peek().token == "\\#" {
+ parseAsRFC3597 = true
+ }
} else {
rr = &RFC3597{Hdr: *h}
}
@@ -600,13 +613,18 @@ func (zp *ZoneParser) Next() (RR, bool) {
return zp.setParseError("unexpected newline", l)
}
- if err := rr.parse(zp.c, zp.origin); err != nil {
+ parseAsRR := rr
+ if parseAsRFC3597 {
+ parseAsRR = &RFC3597{Hdr: *h}
+ }
+
+ if err := parseAsRR.parse(zp.c, zp.origin); err != nil {
// err is a concrete *ParseError without the file field set.
// The setParseError call below will construct a new
// *ParseError with file set to zp.file.
- // If err.lex is nil than we have encounter an unknown RR type
- // in that case we substitute our current lex token.
+ // err.lex may be nil in which case we substitute our current
+ // lex token.
if err.lex == (lex{}) {
return zp.setParseError(err.err, l)
}
@@ -614,6 +632,13 @@ func (zp *ZoneParser) Next() (RR, bool) {
return zp.setParseError(err.err, err.lex)
}
+ if parseAsRFC3597 {
+ err := parseAsRR.(*RFC3597).fromRFC3597(rr)
+ if err != nil {
+ return zp.setParseError(err.Error(), l)
+ }
+ }
+
return rr, true
}
}
@@ -623,18 +648,6 @@ func (zp *ZoneParser) Next() (RR, bool) {
return nil, false
}
-// canParseAsRR returns true if the record type can be parsed as a
-// concrete RR. It blacklists certain record types that must be parsed
-// according to RFC 3597 because they lack a presentation format.
-func canParseAsRR(rrtype uint16) bool {
- switch rrtype {
- case TypeANY, TypeNULL, TypeOPT, TypeTSIG:
- return false
- default:
- return true
- }
-}
-
type zlexer struct {
br io.ByteReader
@@ -1290,7 +1303,7 @@ func appendOrigin(name, origin string) string {
// LOC record helper function
func locCheckNorth(token string, latitude uint32) (uint32, bool) {
- if latitude > 90 * 1000 * 60 * 60 {
+ if latitude > 90*1000*60*60 {
return latitude, false
}
switch token {
@@ -1304,7 +1317,7 @@ func locCheckNorth(token string, latitude uint32) (uint32, bool) {
// LOC record helper function
func locCheckEast(token string, longitude uint32) (uint32, bool) {
- if longitude > 180 * 1000 * 60 * 60 {
+ if longitude > 180*1000*60*60 {
return longitude, false
}
switch token {
diff --git a/vendor/github.com/miekg/dns/svcb.go b/vendor/github.com/miekg/dns/svcb.go
index f44dc67d7b5098e0efd520c064396cfb93259c5c..1373fe21b730477d385afe53d6355b6f524aff0c 100644
--- a/vendor/github.com/miekg/dns/svcb.go
+++ b/vendor/github.com/miekg/dns/svcb.go
@@ -204,7 +204,7 @@ type SVCB struct {
Hdr RR_Header
Priority uint16
Target string `dns:"domain-name"`
- Value []SVCBKeyValue `dns:"pairs"` // Value must be empty if Priority is non-zero.
+ Value []SVCBKeyValue `dns:"pairs"` // Value must be empty if Priority is zero.
}
// HTTPS RR. Everything valid for SVCB applies to HTTPS as well.
diff --git a/vendor/github.com/miekg/dns/tsig.go b/vendor/github.com/miekg/dns/tsig.go
index 59904dd6a090aa400c03df281c154703ffd83993..b49562d847bc5e39713236f1a3e38df39a6275e8 100644
--- a/vendor/github.com/miekg/dns/tsig.go
+++ b/vendor/github.com/miekg/dns/tsig.go
@@ -24,6 +24,56 @@ const (
HmacMD5 = "hmac-md5.sig-alg.reg.int." // Deprecated: HmacMD5 is no longer supported.
)
+// TsigProvider provides the API to plug-in a custom TSIG implementation.
+type TsigProvider interface {
+ // Generate is passed the DNS message to be signed and the partial TSIG RR. It returns the signature and nil, otherwise an error.
+ Generate(msg []byte, t *TSIG) ([]byte, error)
+ // Verify is passed the DNS message to be verified and the TSIG RR. If the signature is valid it will return nil, otherwise an error.
+ Verify(msg []byte, t *TSIG) error
+}
+
+type tsigHMACProvider string
+
+func (key tsigHMACProvider) Generate(msg []byte, t *TSIG) ([]byte, error) {
+ // If we barf here, the caller is to blame
+ rawsecret, err := fromBase64([]byte(key))
+ if err != nil {
+ return nil, err
+ }
+ var h hash.Hash
+ switch CanonicalName(t.Algorithm) {
+ case HmacSHA1:
+ h = hmac.New(sha1.New, rawsecret)
+ case HmacSHA224:
+ h = hmac.New(sha256.New224, rawsecret)
+ case HmacSHA256:
+ h = hmac.New(sha256.New, rawsecret)
+ case HmacSHA384:
+ h = hmac.New(sha512.New384, rawsecret)
+ case HmacSHA512:
+ h = hmac.New(sha512.New, rawsecret)
+ default:
+ return nil, ErrKeyAlg
+ }
+ h.Write(msg)
+ return h.Sum(nil), nil
+}
+
+func (key tsigHMACProvider) Verify(msg []byte, t *TSIG) error {
+ b, err := key.Generate(msg, t)
+ if err != nil {
+ return err
+ }
+ mac, err := hex.DecodeString(t.MAC)
+ if err != nil {
+ return err
+ }
+ if !hmac.Equal(b, mac) {
+ return ErrSig
+ }
+ return nil
+}
+
// TSIG is the RR the holds the transaction signature of a message.
// See RFC 2845 and RFC 4635.
type TSIG struct {
@@ -56,8 +106,8 @@ func (rr *TSIG) String() string {
return s
}
-func (rr *TSIG) parse(c *zlexer, origin string) *ParseError {
- panic("dns: internal error: parse should never be called on TSIG")
+func (*TSIG) parse(c *zlexer, origin string) *ParseError {
+ return &ParseError{err: "TSIG records do not have a presentation format"}
}
// The following values must be put in wireformat, so that the MAC can be calculated.
@@ -98,14 +148,13 @@ type timerWireFmt struct {
// timersOnly is false.
// If something goes wrong an error is returned, otherwise it is nil.
func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) ([]byte, string, error) {
+ return tsigGenerateProvider(m, tsigHMACProvider(secret), requestMAC, timersOnly)
+}
+
+func tsigGenerateProvider(m *Msg, provider TsigProvider, requestMAC string, timersOnly bool) ([]byte, string, error) {
if m.IsTsig() == nil {
panic("dns: TSIG not last RR in additional")
}
- // If we barf here, the caller is to blame
- rawsecret, err := fromBase64([]byte(secret))
- if err != nil {
- return nil, "", err
- }
rr := m.Extra[len(m.Extra)-1].(*TSIG)
m.Extra = m.Extra[0 : len(m.Extra)-1] // kill the TSIG from the msg
@@ -119,25 +168,13 @@ func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) ([]byte, s
}
t := new(TSIG)
- var h hash.Hash
- switch CanonicalName(rr.Algorithm) {
- case HmacSHA1:
- h = hmac.New(sha1.New, rawsecret)
- case HmacSHA224:
- h = hmac.New(sha256.New224, rawsecret)
- case HmacSHA256:
- h = hmac.New(sha256.New, rawsecret)
- case HmacSHA384:
- h = hmac.New(sha512.New384, rawsecret)
- case HmacSHA512:
- h = hmac.New(sha512.New, rawsecret)
- default:
- return nil, "", ErrKeyAlg
- }
- h.Write(buf)
// Copy all TSIG fields except MAC and its size, which are filled using the computed digest.
*t = *rr
- t.MAC = hex.EncodeToString(h.Sum(nil))
+ mac, err := provider.Generate(buf, rr)
+ if err != nil {
+ return nil, "", err
+ }
+ t.MAC = hex.EncodeToString(mac)
t.MACSize = uint16(len(t.MAC) / 2) // Size is half!
tbuf := make([]byte, Len(t))
@@ -156,49 +193,28 @@ func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) ([]byte, s
// If the signature does not validate err contains the
// error, otherwise it is nil.
func TsigVerify(msg []byte, secret, requestMAC string, timersOnly bool) error {
- return tsigVerify(msg, secret, requestMAC, timersOnly, uint64(time.Now().Unix()))
+ return tsigVerify(msg, tsigHMACProvider(secret), requestMAC, timersOnly, uint64(time.Now().Unix()))
+}
+
+func tsigVerifyProvider(msg []byte, provider TsigProvider, requestMAC string, timersOnly bool) error {
+ return tsigVerify(msg, provider, requestMAC, timersOnly, uint64(time.Now().Unix()))
}
// actual implementation of TsigVerify, taking the current time ('now') as a parameter for the convenience of tests.
-func tsigVerify(msg []byte, secret, requestMAC string, timersOnly bool, now uint64) error {
- rawsecret, err := fromBase64([]byte(secret))
- if err != nil {
- return err
- }
+func tsigVerify(msg []byte, provider TsigProvider, requestMAC string, timersOnly bool, now uint64) error {
// Strip the TSIG from the incoming msg
stripped, tsig, err := stripTsig(msg)
if err != nil {
return err
}
- msgMAC, err := hex.DecodeString(tsig.MAC)
- if err != nil {
- return err
- }
-
buf, err := tsigBuffer(stripped, tsig, requestMAC, timersOnly)
if err != nil {
return err
}
- var h hash.Hash
- switch CanonicalName(tsig.Algorithm) {
- case HmacSHA1:
- h = hmac.New(sha1.New, rawsecret)
- case HmacSHA224:
- h = hmac.New(sha256.New224, rawsecret)
- case HmacSHA256:
- h = hmac.New(sha256.New, rawsecret)
- case HmacSHA384:
- h = hmac.New(sha512.New384, rawsecret)
- case HmacSHA512:
- h = hmac.New(sha512.New, rawsecret)
- default:
- return ErrKeyAlg
- }
- h.Write(buf)
- if !hmac.Equal(h.Sum(nil), msgMAC) {
- return ErrSig
+ if err := provider.Verify(buf, tsig); err != nil {
+ return err
}
// Fudge factor works both ways. A message can arrive before it was signed because
diff --git a/vendor/github.com/miekg/dns/types.go b/vendor/github.com/miekg/dns/types.go
index 1f385bd229bfd9171f32cee157aa1308541d48e8..9e379eb351bc1798b59ff12a6b80ee8ba1131d34 100644
--- a/vendor/github.com/miekg/dns/types.go
+++ b/vendor/github.com/miekg/dns/types.go
@@ -245,8 +245,8 @@ type ANY struct {
func (rr *ANY) String() string { return rr.Hdr.String() }
-func (rr *ANY) parse(c *zlexer, origin string) *ParseError {
- panic("dns: internal error: parse should never be called on ANY")
+func (*ANY) parse(c *zlexer, origin string) *ParseError {
+ return &ParseError{err: "ANY records do not have a presentation format"}
}
// NULL RR. See RFC 1035.
@@ -260,8 +260,8 @@ func (rr *NULL) String() string {
return ";" + rr.Hdr.String() + rr.Data
}
-func (rr *NULL) parse(c *zlexer, origin string) *ParseError {
- panic("dns: internal error: parse should never be called on NULL")
+func (*NULL) parse(c *zlexer, origin string) *ParseError {
+ return &ParseError{err: "NULL records do not have a presentation format"}
}
// CNAME RR. See RFC 1034.
diff --git a/vendor/github.com/miekg/dns/version.go b/vendor/github.com/miekg/dns/version.go
index 5c75851b41dc1268ca246b2de8d2102f6bb9bf94..ea3401fac8d062ad6b765cfe0e04dd7a40d4bd7b 100644
--- a/vendor/github.com/miekg/dns/version.go
+++ b/vendor/github.com/miekg/dns/version.go
@@ -3,7 +3,7 @@ package dns
import "fmt"
// Version is current version of this library.
-var Version = v{1, 1, 35}
+var Version = v{1, 1, 37}
// v holds the version of this library.
type v struct {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index f21079ca3dc3833fbcd0d6baabc5315ad48c8a65..13df304bd6c8618252e37b3b41253dad7d935279 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -31,7 +31,7 @@ github.com/golang/protobuf/ptypes/timestamp
github.com/gorilla/handlers
# github.com/matttproud/golang_protobuf_extensions v1.0.1
github.com/matttproud/golang_protobuf_extensions/pbutil
-# github.com/miekg/dns v1.1.35
+# github.com/miekg/dns v1.1.37
## explicit
github.com/miekg/dns
# github.com/openzipkin/zipkin-go v0.2.5