NSEC3 generation support.

.github/workflows/ci.yml

@@ -10,13 +10,28 @@ jobs:
         rust: [1.76.0, stable, beta, nightly]
     env:
         RUSTFLAGS: "-D warnings"
+        # We use 'vcpkg' to install OpenSSL on Windows.
+        VCPKG_ROOT: "${{ github.workspace }}\\vcpkg"
+        VCPKGRS_TRIPLET: x64-windows-release
+        # Ensure that OpenSSL is dynamically linked.
+        VCPKGRS_DYNAMIC: 1
     steps:
     - name: Checkout repository
       uses: actions/checkout@v1
     - name: Install Rust
       uses: hecrj/setup-rust-action@v2
       with:
         rust-version: ${{ matrix.rust }}
+    - if: matrix.os == 'ubuntu-latest'
+      run: sudo apt install libssl-dev
+    - if: matrix.os == 'windows-latest'
+      id: vcpkg
+      uses: johnwason/vcpkg-action@v6
+      with:
+        pkgs: openssl
+        triplet: ${{ env.VCPKGRS_TRIPLET }}
+        token: ${{ github.token }}
+        github-binarycache: true
     - if: matrix.rust == 'stable'
       run: rustup component add clippy
     - if: matrix.rust == 'stable'
@@ -37,6 +52,8 @@ jobs:
       uses: hecrj/setup-rust-action@v2
       with:
         rust-version: "1.68.2"
+    - name: Install OpenSSL
+      run: sudo apt install libssl-dev
     - name: Install nightly Rust
       run: rustup install nightly
     - name: Check with minimal-versions

Cargo.toml

@@ -33,6 +33,7 @@ heapless       = { version = "0.8", optional = true }
 libc           = { version = "0.2.153", default-features = false, optional = true } # 0.2.79 is the first version that has IP_PMTUDISC_OMIT
 parking_lot    = { version = "0.12", optional = true }
 moka           = { version = "0.12.3", optional = true, features = ["future"] }
+openssl        = { version = "0.10.57", optional = true } # 0.10.57 upgrades to 'bitflags' 2.x
 proc-macro2    = { version = "1.0.69", optional = true } # Force proc-macro2 to at least 1.0.69 for minimal-version build
 ring           = { version = "0.17", optional = true }
 rustversion    = { version = "1", optional = true }
@@ -47,24 +48,32 @@ tracing-subscriber = { version = "0.3.18", optional = true, features = ["env-fil
 
 [features]
 default     = ["std", "rand"]
+
+# Support for libraries
 bytes       = ["dep:bytes", "octseq/bytes"]
 heapless    = ["dep:heapless", "octseq/heapless"]
-resolv      = ["net", "smallvec", "unstable-client-transport"]
-resolv-sync = ["resolv", "tokio/rt"]
 serde       = ["dep:serde", "octseq/serde"]
-sign        = ["std"]
 smallvec    = ["dep:smallvec", "octseq/smallvec"]
 std         = ["dep:hashbrown", "bytes?/std", "octseq/std", "time/std"]
+
+# Cryptographic backends
+ring    = ["dep:ring"]
+openssl = ["dep:openssl"]
+
+# Crate features
+resolv      = ["net", "smallvec", "unstable-client-transport"]
+resolv-sync = ["resolv", "tokio/rt"]
 net         = ["bytes", "futures-util", "rand", "std", "tokio"]
 tsig        = ["bytes", "ring", "smallvec"]
-validate    = ["bytes", "std", "ring"]
 zonefile    = ["bytes", "serde", "std"]
 
 # Unstable features
 unstable-client-transport = ["moka", "net", "tracing"]
 unstable-server-transport = ["arc-swap", "chrono/clock", "libc", "net", "siphasher", "tracing"]
+unstable-sign = ["std", "unstable-validate"]
 unstable-stelline = ["tokio/test-util", "tracing", "tracing-subscriber", "tsig", "unstable-client-transport", "unstable-server-transport", "zonefile"]
-unstable-validator = ["validate", "zonefile", "unstable-client-transport"]
+unstable-validate = ["bytes", "std", "ring"]
+unstable-validator = ["unstable-validate", "zonefile", "unstable-client-transport"]
 unstable-xfr = ["net"]
 unstable-zonetree = ["futures-util", "parking_lot", "rustversion", "serde", "std", "tokio", "tracing", "unstable-xfr", "zonefile"]
 

src/lib.rs

@@ -36,14 +36,14 @@
 #![cfg_attr(not(feature = "resolv"), doc = "* resolv:")]
 //!   An asynchronous DNS resolver based on the
 //!   [Tokio](https://tokio.rs/) async runtime.
-#![cfg_attr(feature = "sign", doc = "* [sign]:")]
-#![cfg_attr(not(feature = "sign"), doc = "* sign:")]
+#![cfg_attr(feature = "unstable-sign", doc = "* [sign]:")]
+#![cfg_attr(not(feature = "unstable-sign"), doc = "* sign:")]
 //!   Experimental support for DNSSEC signing.
 #![cfg_attr(feature = "tsig", doc = "* [tsig]:")]
 #![cfg_attr(not(feature = "tsig"), doc = "* tsig:")]
 //!   Support for securing DNS transactions with TSIG records.
-#![cfg_attr(feature = "validate", doc = "* [validate]:")]
-#![cfg_attr(not(feature = "validate"), doc = "* validate:")]
+#![cfg_attr(feature = "unstable-validate", doc = "* [validate]:")]
+#![cfg_attr(not(feature = "unstable-validate"), doc = "* validate:")]
 //!   Experimental support for DNSSEC validation.
 #![cfg_attr(feature = "unstable-validator", doc = "* [validator]:")]
 #![cfg_attr(not(feature = "unstable-validator"), doc = "* validator:")]
@@ -86,8 +86,8 @@
 //!   [ring](https://github.com/briansmith/ring) crate.
 //! * `serde`: Enables serde serialization for a number of basic types.
 //! * `sign`: basic DNSSEC signing support. This will enable the
-#![cfg_attr(feature = "sign", doc = "  [sign]")]
-#![cfg_attr(not(feature = "sign"), doc = "  sign")]
+#![cfg_attr(feature = "unstable-sign", doc = "  [sign]")]
+#![cfg_attr(not(feature = "unstable-sign"), doc = "  sign")]
 //!   module and requires the `std` feature. Note that this will not directly
 //!   enable actual signing. For that you will also need to pick a crypto
 //!   module via an additional feature. Currently we only support the `ring`
@@ -108,8 +108,8 @@
 //!   module and currently pulls in the
 //!   `bytes`, `ring`, and `smallvec` features.
 //! * `validate`: basic DNSSEC validation support. This feature enables the
-#![cfg_attr(feature = "validate", doc = "  [validate]")]
-#![cfg_attr(not(feature = "validate"), doc = "  validate")]
+#![cfg_attr(feature = "unstable-validate", doc = "  [validate]")]
+#![cfg_attr(not(feature = "unstable-validate"), doc = "  validate")]
 //!   module and currently also enables the `std` and `ring`
 //!   features.
 //! * `zonefile`: reading and writing of zonefiles. This feature enables the

src/rdata/nsec3.rs

@@ -102,6 +102,10 @@ impl<Octs> Nsec3<Octs> {
         &self.next_owner
     }
 
+    pub fn set_next_owner(&mut self, next_owner: OwnerHash<Octs>) {
+        self.next_owner = next_owner;
+    }
+
     pub fn types(&self) -> &RtypeBitmap<Octs> {
         &self.types
     }
@@ -453,6 +457,10 @@ impl<Octs> Nsec3param<Octs> {
         &self.salt
     }
 
+    pub fn into_salt(self) -> Nsec3Salt<Octs> {
+        self.salt
+    }
+
     pub(super) fn convert_octets<Target>(
         self,
     ) -> Result<Nsec3param<Target>, Target::Error>
@@ -496,6 +504,35 @@ impl<Octs> Nsec3param<Octs> {
     }
 }
 
+//--- Default
+
+impl<Octs> Default for Nsec3param<Octs>
+where
+    Octs: From<&'static [u8]>,
+{
+    /// Best practice default values for NSEC3 hashing.
+    ///
+    /// Per [RFC 9276] section 3.1:
+    ///
+    /// - _SHA-1, no extra iterations, empty salt._
+    ///
+    /// Per [RFC 5155] section 4.1.2:
+    ///
+    /// - _The Opt-Out flag is not used and is set to zero._
+    /// - _All other flags are reserved for future use, and must be zero._
+    ///
+    /// [RFC 5155]: https://www.rfc-editor.org/rfc/rfc5155.html
+    /// [RFC 9276]: https://www.rfc-editor.org/rfc/rfc9276.html
+    fn default() -> Self {
+        Self {
+            hash_algorithm: Nsec3HashAlg::SHA1,
+            flags: 0,
+            iterations: 0,
+            salt: Nsec3Salt::empty(),
+        }
+    }
+}
+
 //--- OctetsFrom
 
 impl<Octs, SrcOcts> OctetsFrom<Nsec3param<SrcOcts>> for Nsec3param<Octs>