Merge branch 'initial-nsec3-generation' into multiple-key-signing

.github/workflows/ci.yml

@@ -23,7 +23,7 @@ jobs:
       with:
         rust-version: ${{ matrix.rust }}
     - if: matrix.os == 'ubuntu-latest'
-      run: sudo apt install libssl-dev
+      run: sudo apt-get install -y libssl-dev
     - if: matrix.os == 'windows-latest'
       id: vcpkg
       uses: johnwason/vcpkg-action@v6
@@ -53,7 +53,7 @@ jobs:
       with:
         rust-version: "1.68.2"
     - name: Install OpenSSL
-      run: sudo apt install libssl-dev
+      run: sudo apt-get install -y libssl-dev
     - name: Install nightly Rust
       run: rustup install nightly
     - name: Check with minimal-versions

Cargo.toml

@@ -37,6 +37,7 @@ openssl        = { version = "0.10.57", optional = true } # 0.10.57 upgrades to
 proc-macro2    = { version = "1.0.69", optional = true } # Force proc-macro2 to at least 1.0.69 for minimal-version build
 ring           = { version = "0.17", optional = true }
 rustversion    = { version = "1", optional = true }
+secrecy        = { version = "0.10", optional = true }
 serde          = { version = "1.0.130", optional = true, features = ["derive"] }
 siphasher      = { version = "1", optional = true }
 smallvec       = { version = "1.3", optional = true }
@@ -61,16 +62,16 @@ ring    = ["dep:ring"]
 openssl = ["dep:openssl"]
 
 # Crate features
+net         = ["bytes", "futures-util", "rand", "std", "tokio"]
 resolv      = ["net", "smallvec", "unstable-client-transport"]
 resolv-sync = ["resolv", "tokio/rt"]
-net         = ["bytes", "futures-util", "rand", "std", "tokio"]
 tsig        = ["bytes", "ring", "smallvec"]
 zonefile    = ["bytes", "serde", "std"]
 
 # Unstable features
 unstable-client-transport = ["moka", "net", "tracing"]
 unstable-server-transport = ["arc-swap", "chrono/clock", "libc", "net", "siphasher", "tracing"]
-unstable-sign = ["std", "unstable-validate"]
+unstable-sign = ["std", "dep:secrecy", "unstable-validate"]
 unstable-stelline = ["tokio/test-util", "tracing", "tracing-subscriber", "tsig", "unstable-client-transport", "unstable-server-transport", "zonefile"]
 unstable-validate = ["bytes", "std", "ring"]
 unstable-validator = ["unstable-validate", "zonefile", "unstable-client-transport"]

src/lib.rs

@@ -61,61 +61,79 @@
 //!
 //! # Reference of feature flags
 //!
-//! The following is the complete list of the feature flags with the
-//! exception of unstable features which are described below.
+//! Several feature flags simply enable support for other crates, e.g. by
+//! adding `impl`s for their types.  They are optional and do not introduce
+//! new functionality into this crate.
 //!
 //! * `bytes`: Enables using the types `Bytes` and `BytesMut` from the
 //!   [bytes](https://github.com/tokio-rs/bytes) crate as octet sequences.
-//! * `chrono`: Adds the [chrono](https://github.com/chronotope/chrono)
-//!   crate as a dependency. This adds support for generating serial numbers
-//!   from time stamps.
+//!
 //! * `heapless`: enables the use of the `Vec` type from the
 //!   [heapless](https://github.com/japaric/heapless) crate as octet
 //!   sequences.
-//! * `interop`: Activate interoperability tests that rely on other software
-//!   to be installed in the system (currently NSD and dig) and will fail if
-//!   it isn’t. This feature is not meaningful for users of the crate.
+//!
+//! * `smallvec`: enables the use of the `Smallvec` type from the
+//!   [smallvec](https://github.com/servo/rust-smallvec) crate as octet
+//!   sequences.
+//!
+//! Some flags enable support for specific kinds of operations that are not
+//! otherwise possible.  They are gated as they may not always be necessary
+//! and they may introduce new dependencies.
+//!
+//! * `chrono`: Adds the [chrono](https://github.com/chronotope/chrono)
+//!   crate as a dependency. This adds support for generating serial numbers
+//!   from time stamps.
+//!
 //! * `rand`: Enables a number of methods that rely on a random number
 //!   generator being available in the system.
-//! * `resolv`: Enables the asynchronous stub resolver via the
-#![cfg_attr(feature = "resolv", doc = "  [resolv]")]
-#![cfg_attr(not(feature = "resolv"), doc = "  resolv")]
-//!   module.
-//! * `resolv-sync`: Enables the synchronous version of the stub resolver.
-//! * `ring`: Enables crypto functionality via the
-//!   [ring](https://github.com/briansmith/ring) crate.
+//!
 //! * `serde`: Enables serde serialization for a number of basic types.
-//! * `sign`: basic DNSSEC signing support. This will enable the
-#![cfg_attr(feature = "unstable-sign", doc = "  [sign]")]
-#![cfg_attr(not(feature = "unstable-sign"), doc = "  sign")]
-//!   module and requires the `std` feature. Note that this will not directly
-//!   enable actual signing. For that you will also need to pick a crypto
-//!   module via an additional feature. Currently we only support the `ring`
-//!   module, but support for OpenSSL is coming soon.
+//!
 //! * `siphasher`: enables the dependency on the
 //!   [siphasher](https://github.com/jedisct1/rust-siphash) crate which allows
 //!   generating and checking hashes in [standard server
 //!   cookies][crate::base::opt::cookie::StandardServerCookie].
-//! * `smallvec`: enables the use of the `Smallvec` type from the
-//!   [smallvec](https://github.com/servo/rust-smallvec) crate as octet
-//!   sequences.
+//!
 //! * `std`: support for the Rust std library. This feature is enabled by
 //!   default.
+//!
+//! A special case here is cryptographic backends.  Certain modules (e.g. for
+//! DNSSEC signing and validation) require a backend to provide cryptography.
+//! At least one such module should be enabled.
+//!
+//! * `openssl`: Enables crypto functionality via OpenSSL through the
+//!   [rust-openssl](https://github.com/sfackler/rust-openssl) crate.
+//!
+//! * `ring`: Enables crypto functionality via the
+//!   [ring](https://github.com/briansmith/ring) crate.
+//!
+//! Some flags represent entire categories of functionality within this crate.
+//! Each flag is associated with a particular module.  Note that some of these
+//! modules are under heavy development, and so have unstable feature flags
+//! which are categorized separately.
+//!
+//! * `net`: Enables sending and receiving DNS messages via the
+#![cfg_attr(feature = "net", doc = "  [net]")]
+#![cfg_attr(not(feature = "net"), doc = "  net")]
+//!   module.
+//!
+//! * `resolv`: Enables the asynchronous stub resolver via the
+#![cfg_attr(feature = "resolv", doc = "  [resolv]")]
+#![cfg_attr(not(feature = "resolv"), doc = "  resolv")]
+//!   module.
+//!
+//!   * `resolv-sync`: Enables the synchronous version of the stub resolver.
+//!
 //! * `tsig`: support for signing and validating message exchanges via TSIG
 //!   signatures. This enables the
 #![cfg_attr(feature = "tsig", doc = "  [tsig]")]
 #![cfg_attr(not(feature = "tsig"), doc = "  tsig")]
-//!   module and currently pulls in the
-//!   `bytes`, `ring`, and `smallvec` features.
-//! * `validate`: basic DNSSEC validation support. This feature enables the
-#![cfg_attr(feature = "unstable-validate", doc = "  [validate]")]
-#![cfg_attr(not(feature = "unstable-validate"), doc = "  validate")]
-//!   module and currently also enables the `std` and `ring`
-//!   features.
+//!   module and currently enables `bytes`, `ring`, and `smallvec`.
+//!
 //! * `zonefile`: reading and writing of zonefiles. This feature enables the
 #![cfg_attr(feature = "zonefile", doc = "  [zonefile]")]
 #![cfg_attr(not(feature = "zonefile"), doc = "  zonefile")]
-//!   module and currently also enables the `bytes` and `std` features.
+//!   module and currently also enables `bytes`, `serde`, and `std`.
 //!
 //! # Unstable features
 //!
@@ -137,6 +155,16 @@
 //!   a client perspective; primarily the `net::client` module.
 //! * `unstable-server-transport`: receiving and sending DNS messages from
 //!   a server perspective; primarily the `net::server` module.
+//! * `unstable-sign`: basic DNSSEC signing support. This will enable the
+#![cfg_attr(feature = "unstable-sign", doc = "  [sign]")]
+#![cfg_attr(not(feature = "unstable-sign"), doc = "  sign")]
+//!   module and requires the `std` feature. In order to actually perform any
+//!   signing, also enable one or more cryptographic backend modules (`ring`
+//!   and `openssl`).
+//! * `unstable-validate`: basic DNSSEC validation support. This enables the
+#![cfg_attr(feature = "unstable-validate", doc = "  [validate]")]
+#![cfg_attr(not(feature = "unstable-validate"), doc = "  validate")]
+//!   module and currently also enables the `std` and `ring` features.
 //! * `unstable-validator`: a DNSSEC validator, primarily the `validator`
 //!   and the `net::client::validator` modules.
 //! * `unstable-xfr`: zone transfer related functionality..

src/rdata/dnssec.rs

@@ -2169,6 +2169,11 @@ impl<Octs: AsRef<[u8]>> RtypeBitmap<Octs> {
     ) -> Result<(), Target::AppendError> {
         target.append_slice(self.0.as_ref())
     }
+
+    #[must_use]
+    pub fn is_empty(&self) -> bool {
+        self.iter().next().is_none()
+    }
 }
 
 //--- AsRef

src/rdata/nsec3.rs

@@ -358,7 +358,10 @@ impl<Octs: AsRef<[u8]>> fmt::Display for Nsec3<Octs> {
             self.hash_algorithm, self.flags, self.iterations, self.salt
         )?;
         base32::display_hex(&self.next_owner, f)?;
-        write!(f, " {}", self.types)
+        if !self.types.is_empty() {
+            write!(f, " {}", self.types)?;
+        }
+        Ok(())
     }
 }