Proof of concept based on Rotonda.

[ximon18]

This draft PR contains a proof-of-concept "bump-in-the-wire" DNSSEC signing server that can receive and publish zones via XFR.

TL;DR

See README.md and nameshed.conf for more information.

The longer explanation :-)

It is based on a modified branch of domain to address some issues found with Service trait bound matching and to address a short coming in the ZoneUpdater.

It is not meant to be fast or memory efficient or even a correct DNS server (as domain lacks various things needed for that such as setting the AA flag correctly on responses, support for various record types is missing, and support for DNSSEC signed responses). It is also not meant to be clean code without bugs.

Instead it is meant as a quickly put together demonstration of the design ideas that were discussed internally about a component based model with events flowing to a Central Command and commands in turn being issued to components. It doesn't strictly implement the async fn event and command model that was discussed, as only events are communicated via async fn calls while commands are issued via multiple-producer single-consumer channel.

Known issues include blocking the HTTP API while signing.

• No printing of timestamps in the log output.
• DUMB SUPPORT FOR SIGNING OF Zones VIA COLLECTION FIRST INTO A VEC.
• Limited docs (especially around the signer configuration), confusing handling of misspelled config file entries (by silently ignoring them).
• Poor config file syntax.
• Some things in config maybe should never be in config as they are dynamic.
• HTTP outputs should be JSON not plain text. (to enable using them from a future web UI).
• Cannot request XFR from nameshed with TSIG due to todo!() in the code even though all the necessary puzzle pieces exist.

Missing features include:

• No hot-reconfiguration support (though the underlying Rotonda base supports it).
• No Key Manager component yet (and thus no key lifecycle management).
• No proper authentication on APIs.
• No metrics (though the underlying Rotonda base supports it).
• No use of the Rotonda base "Status Reporter" system (relates to logging output)
• NO SUPPORT FOR INCREMENTAL SIGNING.
• Perhaps it would make sense to support catalog zones.
• No command line interface.
• No web UI
• Hook scripts don't currently get told the base URL to POST back to but must hardcode it.
• No HSM support.
• No DB support.

I probably forgot a lot of things... ;-)