Loading, storing, and generating DNSSEC keys

.github/workflows/ci.yml

@@ -10,13 +10,28 @@ jobs:
         rust: [1.76.0, stable, beta, nightly]
     env:
         RUSTFLAGS: "-D warnings"
+        # We use 'vcpkg' to install OpenSSL on Windows.
+        VCPKG_ROOT: "${{ github.workspace }}\\vcpkg"
+        VCPKGRS_TRIPLET: x64-windows-release
+        # Ensure that OpenSSL is dynamically linked.
+        VCPKGRS_DYNAMIC: 1
     steps:
     - name: Checkout repository
       uses: actions/checkout@v1
     - name: Install Rust
       uses: hecrj/setup-rust-action@v2
       with:
         rust-version: ${{ matrix.rust }}
+    - if: matrix.os == 'ubuntu-latest'
+      run: sudo apt install libssl-dev
+    - if: matrix.os == 'windows-latest'
+      id: vcpkg
+      uses: johnwason/vcpkg-action@v6
+      with:
+        pkgs: openssl
+        triplet: ${{ env.VCPKGRS_TRIPLET }}
+        token: ${{ github.token }}
+        github-binarycache: true
     - if: matrix.rust == 'stable'
       run: rustup component add clippy
     - if: matrix.rust == 'stable'
@@ -37,6 +52,8 @@ jobs:
       uses: hecrj/setup-rust-action@v2
       with:
         rust-version: "1.68.2"
+    - name: Install OpenSSL
+      run: sudo apt install libssl-dev
     - name: Install nightly Rust
       run: rustup install nightly
     - name: Check with minimal-versions

Cargo.toml

@@ -33,6 +33,7 @@ heapless       = { version = "0.8", optional = true }
 libc           = { version = "0.2.153", default-features = false, optional = true } # 0.2.79 is the first version that has IP_PMTUDISC_OMIT
 parking_lot    = { version = "0.12", optional = true }
 moka           = { version = "0.12.3", optional = true, features = ["future"] }
+openssl        = { version = "0.10.57", optional = true } # 0.10.57 upgrades to 'bitflags' 2.x
 proc-macro2    = { version = "1.0.69", optional = true } # Force proc-macro2 to at least 1.0.69 for minimal-version build
 ring           = { version = "0.17", optional = true }
 rustversion    = { version = "1", optional = true }
@@ -47,24 +48,32 @@ tracing-subscriber = { version = "0.3.18", optional = true, features = ["env-fil
 
 [features]
 default     = ["std", "rand"]
+
+# Support for libraries
 bytes       = ["dep:bytes", "octseq/bytes"]
 heapless    = ["dep:heapless", "octseq/heapless"]
-resolv      = ["net", "smallvec", "unstable-client-transport"]
-resolv-sync = ["resolv", "tokio/rt"]
 serde       = ["dep:serde", "octseq/serde"]
-sign        = ["std"]
 smallvec    = ["dep:smallvec", "octseq/smallvec"]
 std         = ["dep:hashbrown", "bytes?/std", "octseq/std", "time/std"]
+
+# Cryptographic backends
+ring    = ["dep:ring"]
+openssl = ["dep:openssl"]
+
+# Crate features
+resolv      = ["net", "smallvec", "unstable-client-transport"]
+resolv-sync = ["resolv", "tokio/rt"]
 net         = ["bytes", "futures-util", "rand", "std", "tokio"]
 tsig        = ["bytes", "ring", "smallvec"]
-validate    = ["bytes", "std", "ring"]
 zonefile    = ["bytes", "serde", "std"]
 
 # Unstable features
 unstable-client-transport = ["moka", "net", "tracing"]
 unstable-server-transport = ["arc-swap", "chrono/clock", "libc", "net", "siphasher", "tracing"]
+unstable-sign = ["std", "unstable-validate"]
 unstable-stelline = ["tokio/test-util", "tracing", "tracing-subscriber", "tsig", "unstable-client-transport", "unstable-server-transport", "zonefile"]
-unstable-validator = ["validate", "zonefile", "unstable-client-transport"]
+unstable-validate = ["bytes", "std", "ring"]
+unstable-validator = ["unstable-validate", "zonefile", "unstable-client-transport"]
 unstable-xfr = ["net"]
 unstable-zonetree = ["futures-util", "parking_lot", "rustversion", "serde", "std", "tokio", "tracing", "unstable-xfr", "zonefile"]
 

src/lib.rs

@@ -36,14 +36,14 @@
 #![cfg_attr(not(feature = "resolv"), doc = "* resolv:")]
 //!   An asynchronous DNS resolver based on the
 //!   [Tokio](https://tokio.rs/) async runtime.
-#![cfg_attr(feature = "sign", doc = "* [sign]:")]
-#![cfg_attr(not(feature = "sign"), doc = "* sign:")]
+#![cfg_attr(feature = "unstable-sign", doc = "* [sign]:")]
+#![cfg_attr(not(feature = "unstable-sign"), doc = "* sign:")]
 //!   Experimental support for DNSSEC signing.
 #![cfg_attr(feature = "tsig", doc = "* [tsig]:")]
 #![cfg_attr(not(feature = "tsig"), doc = "* tsig:")]
 //!   Support for securing DNS transactions with TSIG records.
-#![cfg_attr(feature = "validate", doc = "* [validate]:")]
-#![cfg_attr(not(feature = "validate"), doc = "* validate:")]
+#![cfg_attr(feature = "unstable-validate", doc = "* [validate]:")]
+#![cfg_attr(not(feature = "unstable-validate"), doc = "* validate:")]
 //!   Experimental support for DNSSEC validation.
 #![cfg_attr(feature = "unstable-validator", doc = "* [validator]:")]
 #![cfg_attr(not(feature = "unstable-validator"), doc = "* validator:")]
@@ -86,8 +86,8 @@
 //!   [ring](https://github.com/briansmith/ring) crate.
 //! * `serde`: Enables serde serialization for a number of basic types.
 //! * `sign`: basic DNSSEC signing support. This will enable the
-#![cfg_attr(feature = "sign", doc = "  [sign]")]
-#![cfg_attr(not(feature = "sign"), doc = "  sign")]
+#![cfg_attr(feature = "unstable-sign", doc = "  [sign]")]
+#![cfg_attr(not(feature = "unstable-sign"), doc = "  sign")]
 //!   module and requires the `std` feature. Note that this will not directly
 //!   enable actual signing. For that you will also need to pick a crypto
 //!   module via an additional feature. Currently we only support the `ring`
@@ -108,8 +108,8 @@
 //!   module and currently pulls in the
 //!   `bytes`, `ring`, and `smallvec` features.
 //! * `validate`: basic DNSSEC validation support. This feature enables the
-#![cfg_attr(feature = "validate", doc = "  [validate]")]
-#![cfg_attr(not(feature = "validate"), doc = "  validate")]
+#![cfg_attr(feature = "unstable-validate", doc = "  [validate]")]
+#![cfg_attr(not(feature = "unstable-validate"), doc = "  validate")]
 //!   module and currently also enables the `std` and `ring`
 //!   features.
 //! * `zonefile`: reading and writing of zonefiles. This feature enables the