NSEC3 and multiple key signing support.

Cargo.toml

@@ -25,7 +25,7 @@ octseq         = { version = "0.5.2", default-features = false }
 time           = { version = "0.3.1", default-features = false }
 rand           = { version = "0.8", optional = true }
 arc-swap       = { version = "1.7.0", optional = true }
-bytes          = { version = "1.0", optional = true, default-features = false }
+bytes          = { version = "1.2", optional = true, default-features = false }
 chrono         = { version = "0.4.35", optional = true, default-features = false } # 0.4.35 deprecates Duration::seconds()
 futures-util   = { version = "0.3", optional = true }
 hashbrown      = { version = "0.14.2", optional = true, default-features = false, features = ["allocator-api2", "inline-more"] } # 0.14.2 introduces explicit hashing
@@ -73,7 +73,7 @@ zonefile    = ["bytes", "serde", "std"]
 # Unstable features
 unstable-client-transport = ["moka", "net", "tracing"]
 unstable-server-transport = ["arc-swap", "chrono/clock", "libc", "net", "siphasher", "tracing"]
-unstable-sign = ["std", "dep:secrecy", "unstable-validate", "time/formatting"]
+unstable-sign = ["std", "dep:secrecy", "dep:smallvec", "dep:serde", "time/formatting", "tracing", "unstable-validate"]
 unstable-stelline = ["tokio/test-util", "tracing", "tracing-subscriber", "tsig", "unstable-client-transport", "unstable-server-transport", "zonefile"]
 unstable-validate = ["bytes", "std", "ring"]
 unstable-validator = ["unstable-validate", "zonefile", "unstable-client-transport"]
@@ -84,19 +84,20 @@ unstable-zonetree = ["futures-util", "parking_lot", "rustversion", "serde", "std
 arbitrary = ["dep:arbitrary"]
 
 [dev-dependencies]
-itertools = "0.13.0"
-lazy_static        = { version = "1.4.0" }
-rstest             = "0.19.0"
-rustls-pemfile     = { version = "2.1.2" }
-serde_test         = "1.0.130"
-serde_json         = "1.0.113"
-serde_yaml         = "0.9"
-socket2            = { version = "0.5.5" }
-tokio              = { version = "1.37", features = ["rt-multi-thread", "io-util", "net", "test-util"] }
-tokio-rustls       = { version = "0.26", default-features = false, features = [ "ring", "logging", "tls12" ] }
-tokio-test         = "0.4"
-tokio-tfo          = { version = "0.2.0" }
-webpki-roots       = { version = "0.26" }
+itertools         = "0.13.0"
+lazy_static       = { version = "1.4.0" }
+pretty_assertions = "1.4.1"
+rstest            = "0.19.0"
+rustls-pemfile    = { version = "2.1.2" }
+serde_test        = "1.0.130"
+serde_json        = "1.0.113"
+serde_yaml        = "0.9"
+socket2           = { version = "0.5.5" }
+tokio             = { version = "1.37", features = ["rt-multi-thread", "io-util", "net", "test-util"] }
+tokio-rustls      = { version = "0.26", default-features = false, features = [ "ring", "logging", "tls12" ] }
+tokio-test        = "0.4"
+tokio-tfo         = { version = "0.2.0" }
+webpki-roots      = { version = "0.26" }
 
 # For the "mysql-zone" example
 #sqlx = { version = "0.6", features = [ "runtime-tokio-native-tls", "mysql" ] }

examples/keyset.rs

@@ -1,6 +1,6 @@
 //! Demonstrate the use of key sets.
 use domain::base::Name;
-use domain::sign::keyset::{
+use domain::sign::keys::keyset::{
     Action, Error, KeySet, KeyType, RollType, UnixTime,
 };
 use itertools::{Either, Itertools};

src/base/iana/mod.rs

@@ -35,6 +35,7 @@ pub use self::rcode::{OptRcode, Rcode, TsigRcode};
 pub use self::rtype::Rtype;
 pub use self::secalg::SecAlg;
 pub use self::svcb::SvcParamKey;
+pub use self::zonemd::{ZonemdAlg, ZonemdScheme};
 
 #[macro_use]
 mod macros;
@@ -49,3 +50,4 @@ pub mod rcode;
 pub mod rtype;
 pub mod secalg;
 pub mod svcb;
+pub mod zonemd;

src/base/iana/zonemd.rs

@@ -0,0 +1,50 @@
+//! ZONEMD IANA parameters.
+
+//------------ ZonemdScheme --------------------------------------------------
+
+int_enum! {
+    /// ZONEMD schemes.
+    ///
+    /// This type selects the method by which data is collated and presented
+    /// as input to the hashing function for use with [ZONEMD].
+    ///
+    /// For the currently registered values see the [IANA registration]. This
+    /// type is complete as of 2024-11-29.
+    ///
+    /// [ZONEMD]: ../../../rdata/zonemd/index.html
+    /// [IANA registration]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#zonemd-schemes
+    =>
+    ZonemdScheme, u8;
+
+    /// Specifies that the SIMPLE scheme is used.
+    (SIMPLE => 1, "SIMPLE")
+}
+
+int_enum_str_decimal!(ZonemdScheme, u8);
+int_enum_zonefile_fmt_decimal!(ZonemdScheme, "scheme");
+
+//------------ ZonemdAlg -----------------------------------------------------
+
+int_enum! {
+    /// ZONEMD algorithms.
+    ///
+    /// This type selects the algorithm used to hash domain names for use with
+    /// the [ZONEMD].
+    ///
+    /// For the currently registered values see the [IANA registration]. This
+    /// type is complete as of 2024-11-29.
+    ///
+    /// [ZONEMD]: ../../../rdata/zonemd/index.html
+    /// [IANA registration]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#zonemd-hash-algorithms
+    =>
+    ZonemdAlg, u8;
+
+    /// Specifies that the SHA-384 algorithm is used.
+    (SHA384 => 1, "SHA384")
+
+    /// Specifies that the SHA-512 algorithm is used.
+    (SHA512 => 2, "SHA512")
+}
+
+int_enum_str_decimal!(ZonemdAlg, u8);
+int_enum_zonefile_fmt_decimal!(ZonemdAlg, "hash algorithm");

src/net/server/middleware/xfr/tests.rs

@@ -17,7 +17,7 @@ use octseq::Octets;
 use tokio::sync::Semaphore;
 use tokio::time::Instant;
 
-use crate::base::iana::{Class, OptRcode, Rcode};
+use crate::base::iana::{Class, DigestAlg, OptRcode, Rcode, SecAlg};
 use crate::base::{
     Message, MessageBuilder, Name, ParsedName, Rtype, Serial, ToName, Ttl,
 };
@@ -32,7 +32,7 @@ use crate::net::server::service::{
     CallResult, Service, ServiceError, ServiceFeedback, ServiceResult,
 };
 use crate::rdata::{
-    Aaaa, AllRecordData, Cname, Mx, Ns, Soa, Txt, ZoneRecordData, A,
+    Aaaa, AllRecordData, Cname, Ds, Mx, Ns, Soa, Txt, ZoneRecordData, A,
 };
 use crate::tsig::{Algorithm, Key, KeyName};
 use crate::zonefile::inplace::Zonefile;
@@ -74,6 +74,31 @@ async fn axfr_with_example_zone() {
         (n("example.com"), Aaaa::new(p("2001:db8::3")).into()),
         (n("www.example.com"), Cname::new(n("example.com")).into()),
         (n("mail.example.com"), Mx::new(10, n("example.com")).into()),
+        (n("a.b.c.mail.example.com"), A::new(p("127.0.0.1")).into()),
+        (n("x.y.mail.example.com"), A::new(p("127.0.0.1")).into()),
+        (n("some.ent.example.com"), A::new(p("127.0.0.1")).into()),
+        (
+            n("unsigned.example.com"),
+            Ns::new(n("some.other.ns.net.example.com")).into(),
+        ),
+        (
+            n("signed.example.com"),
+            Ns::new(n("some.other.ns.net.example.com")).into(),
+        ),
+        (
+            n("signed.example.com"),
+            Ds::new(
+                60485,
+                SecAlg::RSASHA1,
+                DigestAlg::SHA1,
+                crate::utils::base16::decode(
+                    "2BB183AF5F22588179A53B0A98631FAD1A292118",
+                )
+                .unwrap(),
+            )
+            .unwrap()
+            .into(),
+        ),
         (n("example.com"), zone_soa.into()),
     ];
 

src/rdata/dnssec.rs

@@ -2168,6 +2168,11 @@ impl<Octs: AsRef<[u8]>> RtypeBitmap<Octs> {
     ) -> Result<(), Target::AppendError> {
         target.append_slice(self.0.as_ref())
     }
+
+    #[must_use]
+    pub fn is_empty(&self) -> bool {
+        self.iter().next().is_none()
+    }
 }
 
 //--- AsRef

src/rdata/nsec3.rs

@@ -102,6 +102,10 @@ impl<Octs> Nsec3<Octs> {
         &self.next_owner
     }
 
+    pub fn set_next_owner(&mut self, next_owner: OwnerHash<Octs>) {
+        self.next_owner = next_owner;
+    }
+
     pub fn types(&self) -> &RtypeBitmap<Octs> {
         &self.types
     }
@@ -354,7 +358,10 @@ impl<Octs: AsRef<[u8]>> fmt::Display for Nsec3<Octs> {
             self.hash_algorithm, self.flags, self.iterations, self.salt
         )?;
         base32::display_hex(&self.next_owner, f)?;
-        write!(f, " {}", self.types)
+        if !self.types.is_empty() {
+            write!(f, " {}", self.types)?;
+        }
+        Ok(())
     }
 }
 
@@ -453,6 +460,10 @@ impl<Octs> Nsec3param<Octs> {
         &self.salt
     }
 
+    pub fn into_salt(self) -> Nsec3Salt<Octs> {
+        self.salt
+    }
+
     pub(super) fn convert_octets<Target>(
         self,
     ) -> Result<Nsec3param<Target>, Target::Error>
@@ -496,6 +507,35 @@ impl<Octs> Nsec3param<Octs> {
     }
 }
 
+//--- Default
+
+impl<Octs> Default for Nsec3param<Octs>
+where
+    Octs: From<&'static [u8]>,
+{
+    /// Best practice default values for NSEC3 hashing.
+    ///
+    /// Per [RFC 9276] section 3.1:
+    ///
+    /// - _SHA-1, no extra iterations, empty salt._
+    ///
+    /// Per [RFC 5155] section 4.1.2:
+    ///
+    /// - _The Opt-Out flag is not used and is set to zero._
+    /// - _All other flags are reserved for future use, and must be zero._
+    ///
+    /// [RFC 5155]: https://www.rfc-editor.org/rfc/rfc5155.html
+    /// [RFC 9276]: https://www.rfc-editor.org/rfc/rfc9276.html
+    fn default() -> Self {
+        Self {
+            hash_algorithm: Nsec3HashAlg::SHA1,
+            flags: 0,
+            iterations: 0,
+            salt: Nsec3Salt::empty(),
+        }
+    }
+}
+
 //--- OctetsFrom
 
 impl<Octs, SrcOcts> OctetsFrom<Nsec3param<SrcOcts>> for Nsec3param<Octs>