tsig

package module
v1.2.2
Published: Feb 13, 2023 License: BSD-3-Clause Imports: 9 Imported by: 4

README


Additional TSIG methods

The github.com/bodgit/tsig package adds support for additional TSIG methods used in DNS queries. It is designed to be used alongside the github.com/miekg/dns package which is used to construct and parse DNS queries and responses.

This is most useful for allowing RFC 3645 GSS-TSIG which is necessary for dealing with Windows DNS servers that require 'Secure only' updates or BIND if it has been configured to use Kerberos.

⚠ Windows DNS servers don't accept wildcard resource names in dynamic updates.

Here is an example client; it requires a configured and working Kerberos or Active Directory environment:

package main

import (
        "fmt"
        "time"

        "github.com/bodgit/tsig"
        "github.com/bodgit/tsig/gss"
        "github.com/miekg/dns"
)

func main() {
        dnsClient := new(dns.Client)
        dnsClient.Net = "tcp"

        gssClient, err := gss.NewClient(dnsClient)
        if err != nil {
                panic(err)
        }
        defer gssClient.Close()

        host := "ns.example.com:53"

        // Negotiate a context with the chosen server using the
        // current user. See also gssClient.NegotiateContextWithCredentials()
        // and gssClient.NegotiateContextWithKeytab() for alternatives
        keyname, _, err := gssClient.NegotiateContext(host)
        if err != nil {
                panic(err)
        }

        dnsClient.TsigProvider = gssClient

        // Use the DNS client as normal

        msg := new(dns.Msg)
        msg.SetUpdate(dns.Fqdn("example.com"))

        insert, err := dns.NewRR("test.example.com. 300 A 192.0.2.1")
        if err != nil {
                panic(err)
        }
        msg.Insert([]dns.RR{insert})

        msg.SetTsig(keyname, tsig.GSS, 300, time.Now().Unix())

        rr, _, err := dnsClient.Exchange(msg, host)
        if err != nil {
                panic(err)
        }

        if rr.Rcode != dns.RcodeSuccess {
                fmt.Printf("DNS error: %s (%d)\n", dns.RcodeToString[rr.Rcode], rr.Rcode)
        }

        // Clean up the security context on the server
        err = gssClient.DeleteContext(keyname)
        if err != nil {
                panic(err)
        }
}

If you need to handle both regular TSIG and GSS-TSIG, this package also exports an HMAC TSIG implementation. To use both together, set your client up like this:

package main

import (
        "github.com/bodgit/tsig"
        "github.com/bodgit/tsig/gss"
        "github.com/miekg/dns"
)

func main() {
        dnsClient := new(dns.Client)
        dnsClient.Net = "tcp"

        // Create HMAC TSIG provider
        hmac := tsig.HMAC{"axfr.": "so6ZGir4GPAqINNh9U5c3A=="}

        // Create GSS-TSIG provider
        gssClient, err := gss.NewClient(dnsClient)
        if err != nil {
                panic(err)
        }
        defer gssClient.Close()

        // Configure DNS client with both providers
        dnsClient.TsigProvider = tsig.MultiProvider(hmac, gssClient)

        // Use the DNS client as normal
}

Documentation

Constants

const (
	// GSS is the RFC 3645 defined algorithm name
	GSS = "gss-tsig."
)

Variables

This section is empty.

Functions

func MultiProvider added in v1.1.0

func MultiProvider(providers ...dns.TsigProvider) dns.TsigProvider

MultiProvider creates a dns.TsigProvider that chains the provided input providers. This allows multiple TSIG algorithms.

Each provider is called in turn and if it returns dns.ErrKeyAlg the next provider in the list is tried. On success or any other error, the result is returned; it does not continue down the list.
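The chaining rule above, shown as an added, self-contained example (not the tsig package's own code): the dns.ErrKeyAlg, dns.TSIG and dns.TsigProvider names are stand-ins for the github.com/miekg/dns types, reduced to a Generate method so the block runs without that module. An HMAC provider that does not hold the key returns ErrKeyAlg and the chain moves on; a corrupt secret is a hard error and stops the chain.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// Stand-ins for dns.ErrKeyAlg, dns.TSIG and dns.TsigProvider from
// github.com/miekg/dns, reduced to what this example needs (assumption).
var ErrKeyAlg = errors.New("bad key algorithm")
type TSIG struct {
	Name, Algorithm string // canonical key name ("axfr."), algorithm ("hmac-sha256.")
}

type TsigProvider interface {
	Generate(msg []byte, t *TSIG) ([]byte, error)
}

// HMAC maps canonical key names to base64 secrets, as tsig.HMAC does.
type HMAC map[string]string

func (h HMAC) Generate(msg []byte, t *TSIG) ([]byte, error) {
	secret, ok := h[t.Name]
	if !ok || t.Algorithm != "hmac-sha256." {
		return nil, ErrKeyAlg // not our key or algorithm: let the next provider try
	}
	key, err := base64.StdEncoding.DecodeString(secret)
	if err != nil {
		return nil, err // a corrupt secret is a hard error, not a fall-through
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil), nil
}

// multi chains providers: ErrKeyAlg moves on to the next provider; any other
// result (success or error) is returned at once, as MultiProvider documents.
type multi []TsigProvider
func MultiProvider(p ...TsigProvider) TsigProvider { return multi(p) }

func (m multi) Generate(msg []byte, t *TSIG) ([]byte, error) {
	for _, p := range m {
		if mac, err := p.Generate(msg, t); err != ErrKeyAlg {
			return mac, err
		}
	}
	return nil, ErrKeyAlg
}
```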

Types

type HMAC added in v1.1.0

type HMAC map[string]string

HMAC implements the standard HMAC TSIG methods using the dns.TsigProvider interface. It holds a map of TSIG key names to base64-encoded secrets. The key names should be in canonical form, see dns.CanonicalName.

func (HMAC) Generate added in v1.1.0

func (h HMAC) Generate(msg []byte, t *dns.TSIG) ([]byte, error)

Generate generates the TSIG MAC using the HMAC algorithm indicated by t.Algorithm using h[t.Hdr.Name] as the key. It returns the bytes for the TSIG MAC and any error that occurred.

func (HMAC) Verify added in v1.1.0

func (h HMAC) Verify(msg []byte, t *dns.TSIG) error

Verify verifies the TSIG MAC using the HMAC algorithm indicated by t.Algorithm using h[t.Hdr.Name] as the key. It returns any error that occurred.

Directories

Path      Synopsis
dh        Package dh implements RFC 2930 Diffie-Hellman key exchange functions.
gss       Package gss implements RFC 3645 GSS-TSIG functions.
internal
