NEW FEATURE: Add SMIMEA support for BIND and deSEC (#3786)

Author: ClusterJan

build/generate/featureMatrix.go

@@ -115,6 +115,7 @@ func matrixData() *FeatureMatrix {
 		DomainModifierNaptr      = "[`NAPTR`](../language-reference/domain-modifiers/NAPTR.md)"
 		DomainModifierOpenpgpkey = "[`DNSKEY`](../language-reference/domain-modifiers/OPENPGPKEY.md)"
 		DomainModifierPtr        = "[`PTR`](../language-reference/domain-modifiers/PTR.md)"
+		DomainModifierSMIMEA     = "[`SMIMEA`](../language-reference/domain-modifiers/SMIMEA.md)"
 		DomainModifierSoa        = "[`SOA`](../language-reference/domain-modifiers/SOA.md)"
 		DomainModifierSrv        = "[`SRV`](../language-reference/domain-modifiers/SRV.md)"
 		DomainModifierSshfp      = "[`SSHFP`](../language-reference/domain-modifiers/SSHFP.md)"
@@ -164,6 +165,7 @@ func matrixData() *FeatureMatrix {
 			[]string{ // security
 				DomainModifierCaa,
 				DomainModifierHTTPS,
+				DomainModifierSMIMEA,
 				DomainModifierSshfp,
 				DomainModifierTlsa,
 			},
@@ -278,6 +280,10 @@ func matrixData() *FeatureMatrix {
 			DomainModifierPtr,
 			providers.CanUsePTR,
 		)
+		setCapability(
+			DomainModifierSMIMEA,
+			providers.CanUseSMIMEA,
+		)
 		setCapability(
 			DomainModifierSoa,
 			providers.CanUseSOA,

commands/getZones.go

@@ -351,6 +351,8 @@ func formatDsl(rec *models.RecordConfig, defaultTTL uint32) string {
 			jsonQuoted(rec.NaptrRegexp),      // regex
 			jsonQuoted(rec.GetTargetField()), // .
 		)
+	case "SMIMEA":
+		target = fmt.Sprintf(`%d, %d, %d, "%s"`, rec.SmimeaUsage, rec.SmimeaSelector, rec.SmimeaMatchingType, rec.GetTargetField())
 	case "SSHFP":
 		target = fmt.Sprintf(`%d, %d, "%s"`, rec.SshfpAlgorithm, rec.SshfpFingerprint, rec.GetTargetField())
 	case "SOA":

commands/types/dnscontrol.d.ts

@@ -2870,6 +2870,38 @@ declare function REV(address: string): string;
  */
 declare function REVCOMPAT(rfc: string): string;
 
+/**
+ * `SMIMEA` adds a `SMIMEA` record to a domain. The name should be the hashed and stripped local part of the e-mail.
+ *
+ * To create the name, you can the following command:
+ *
+ * ```bash
+ * # For the e-mail [email protected] run:
+ * echo -n "bosun" | sha256sum | awk '{print $1}' | cut -c1-56
+ * # f10e7de079689f55c0cdd6782e4dd1448c84006962a4bd832e8eff73
+ * ```
+ *
+ * Usage, selector, and type are ints.
+ *
+ * Certificate is a hex string.
+ *
+ * To create the string for the type 0, you can run this command with your S/MIME certificate:
+ *
+ * ```bash
+ * openssl x509 -in smime-cert.pem -outform DER | xxd -p -c 10000
+ * ```
+ *
+ * ```javascript
+ * D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
+ *   // Create SMIMEA record for certificate for the name bosun
+ *   SMIMEA("f10e7de079689f55c0cdd6782e4dd1448c84006962a4bd832e8eff73", 3, 0, 0, "30820353308202f8a003020102..."),
+ * );
+ * ```
+ *
+ * @see https://docs.dnscontrol.org/language-reference/domain-modifiers/smimea
+ */
+declare function SMIMEA(name: string, usage: number, selector: number, type: number, certificate: string, ...modifiers: RecordModifier[]): DomainModifier;
+
 /**
  * `SOA` adds an `SOA` record to a domain. The name should be `@`.  ns and mbox are strings. The other fields are unsigned 32-bit ints.
  *

documentation/SUMMARY.md

@@ -70,6 +70,7 @@
     * [OPENPGPKEY](language-reference/domain-modifiers/OPENPGPKEY.md)
     * [PTR](language-reference/domain-modifiers/PTR.md)
     * [PURGE](language-reference/domain-modifiers/PURGE.md)
+    * [SMIMEA](language-reference/domain-modifiers/SMIMEA.md)
     * [SOA](language-reference/domain-modifiers/SOA.md)
     * [SPF_BUILDER](language-reference/domain-modifiers/SPF_BUILDER.md)
     * [SRV](language-reference/domain-modifiers/SRV.md)

documentation/language-reference/domain-modifiers/SMIMEA.md

@@ -0,0 +1,46 @@
+---
+name: SMIMEA 
+parameters:
+  - name
+  - usage
+  - selector
+  - type
+  - certificate
+  - modifiers...
+parameter_types:
+  name: string
+  usage: number
+  selector: number
+  type: number
+  certificate: string
+  "modifiers...": RecordModifier[]
+---
+
+`SMIMEA` adds a `SMIMEA` record to a domain. The name should be the hashed and stripped local part of the e-mail. 
+
+To create the name, you can the following command:
+
+```bash
+# For the e-mail [email protected] run:
+echo -n "bosun" | sha256sum | awk '{print $1}' | cut -c1-56
+# f10e7de079689f55c0cdd6782e4dd1448c84006962a4bd832e8eff73
+```
+
+Usage, selector, and type are ints.
+
+Certificate is a hex string.
+
+To create the string for the type 0, you can run this command with your S/MIME certificate:
+
+```bash
+openssl x509 -in smime-cert.pem -outform DER | xxd -p -c 10000
+```
+
+{% code title="dnsconfig.js" %}
+```javascript
+D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
+  // Create SMIMEA record for certificate for the name bosun
+  SMIMEA("f10e7de079689f55c0cdd6782e4dd1448c84006962a4bd832e8eff73", 3, 0, 0, "30820353308202f8a003020102..."),
+);
+```
+{% endcode %}

documentation/provider/index.md

@@ -252,53 +252,53 @@ Jump to a table:
 
 ### Security <!--(table 5/6)-->
 
-| Provider name | [`CAA`](../language-reference/domain-modifiers/CAA.md) | [`HTTPS`](../language-reference/domain-modifiers/HTTPS.md) | [`SSHFP`](../language-reference/domain-modifiers/SSHFP.md) | [`TLSA`](../language-reference/domain-modifiers/TLSA.md) |
-| ------------- | ------------------------------------------------------ | ---------------------------------------------------------- | ---------------------------------------------------------- | -------------------------------------------------------- |
-| [`AKAMAIEDGEDNS`](akamaiedgedns.md) | ✅ | ❔ | ✅ | ✅ |
-| [`AUTODNS`](autodns.md) | ✅ | ❔ | ❌ | ❌ |
-| [`AXFRDDNS`](axfrddns.md) | ✅ | ✅ | ✅ | ✅ |
-| [`AZURE_DNS`](azure_dns.md) | ✅ | ❔ | ❌ | ❌ |
-| [`AZURE_PRIVATE_DNS`](azure_private_dns.md) | ❌ | ❔ | ❌ | ❌ |
-| [`BIND`](bind.md) | ✅ | ✅ | ✅ | ✅ |
-| [`BUNNY_DNS`](bunny_dns.md) | ✅ | ❔ | ❌ | ❌ |
-| [`CLOUDFLAREAPI`](cloudflareapi.md) | ✅ | ✅ | ✅ | ✅ |
-| [`CLOUDNS`](cloudns.md) | ✅ | ❌ | ✅ | ✅ |
-| [`CNR`](cnr.md) | ✅ | ❌ | ✅ | ✅ |
-| [`CSCGLOBAL`](cscglobal.md) | ✅ | ❔ | ❔ | ❔ |
-| [`DESEC`](desec.md) | ✅ | ✅ | ✅ | ✅ |
-| [`DIGITALOCEAN`](digitalocean.md) | ✅ | ❔ | ❔ | ❔ |
-| [`DNSIMPLE`](dnsimple.md) | ✅ | ❔ | ✅ | ❌ |
-| [`DNSMADEEASY`](dnsmadeeasy.md) | ✅ | ❔ | ❌ | ❌ |
-| [`DOMAINNAMESHOP`](domainnameshop.md) | ✅ | ❔ | ❌ | ❔ |
-| [`EXOSCALE`](exoscale.md) | ✅ | ❔ | ❔ | ❌ |
-| [`GANDI_V5`](gandi_v5.md) | ✅ | ❔ | ✅ | ✅ |
-| [`GCLOUD`](gcloud.md) | ✅ | ✅ | ✅ | ✅ |
-| [`GCORE`](gcore.md) | ✅ | ✅ | ❌ | ❌ |
-| [`HEDNS`](hedns.md) | ✅ | ✅ | ✅ | ❌ |
-| [`HETZNER`](hetzner.md) | ✅ | ❔ | ❌ | ✅ |
-| [`HEXONET`](hexonet.md) | ✅ | ❔ | ❔ | ✅ |
-| [`HOSTINGDE`](hostingde.md) | ✅ | ❔ | ✅ | ✅ |
-| [`HUAWEICLOUD`](huaweicloud.md) | ✅ | ❌ | ❌ | ❌ |
-| [`INWX`](inwx.md) | ✅ | ✅ | ✅ | ✅ |
-| [`JOKER`](joker.md) | ✅ | ❌ | ❌ | ❌ |
-| [`LINODE`](linode.md) | ✅ | ❔ | ❔ | ❔ |
-| [`LOOPIA`](loopia.md) | ✅ | ❌ | ✅ | ✅ |
-| [`LUADNS`](luadns.md) | ✅ | ✅ | ✅ | ✅ |
-| [`MYTHICBEASTS`](mythicbeasts.md) | ✅ | ❔ | ✅ | ✅ |
-| [`NAMECHEAP`](namecheap.md) | ✅ | ❔ | ❔ | ❌ |
-| [`NETCUP`](netcup.md) | ✅ | ❔ | ❔ | ❔ |
-| [`NETLIFY`](netlify.md) | ✅ | ❔ | ❌ | ❌ |
-| [`NS1`](ns1.md) | ✅ | ✅ | ❔ | ✅ |
-| [`ORACLE`](oracle.md) | ✅ | ❔ | ✅ | ✅ |
-| [`OVH`](ovh.md) | ✅ | ❔ | ✅ | ✅ |
-| [`PORKBUN`](porkbun.md) | ✅ | ✅ | ❌ | ✅ |
-| [`POWERDNS`](powerdns.md) | ✅ | ✅ | ✅ | ✅ |
-| [`REALTIMEREGISTER`](realtimeregister.md) | ✅ | ❔ | ✅ | ✅ |
-| [`ROUTE53`](route53.md) | ✅ | ✅ | ✅ | ✅ |
-| [`RWTH`](rwth.md) | ✅ | ❔ | ✅ | ❌ |
-| [`SAKURACLOUD`](sakuracloud.md) | ✅ | ✅ | ❌ | ❌ |
-| [`TRANSIP`](transip.md) | ✅ | ❌ | ✅ | ✅ |
-| [`VULTR`](vultr.md) | ✅ | ❔ | ✅ | ❌ |
+| Provider name | [`CAA`](../language-reference/domain-modifiers/CAA.md) | [`HTTPS`](../language-reference/domain-modifiers/HTTPS.md) | [`SMIMEA`](../language-reference/domain-modifiers/SMIMEA.md) | [`SSHFP`](../language-reference/domain-modifiers/SSHFP.md) | [`TLSA`](../language-reference/domain-modifiers/TLSA.md) |
+| ------------- | ------------------------------------------------------ | ---------------------------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------- | -------------------------------------------------------- |
+| [`AKAMAIEDGEDNS`](akamaiedgedns.md) | ✅ | ❔ | ❔ | ✅ | ✅ |
+| [`AUTODNS`](autodns.md) | ✅ | ❔ | ❔ | ❌ | ❌ |
+| [`AXFRDDNS`](axfrddns.md) | ✅ | ✅ | ❔ | ✅ | ✅ |
+| [`AZURE_DNS`](azure_dns.md) | ✅ | ❔ | ❔ | ❌ | ❌ |
+| [`AZURE_PRIVATE_DNS`](azure_private_dns.md) | ❌ | ❔ | ❔ | ❌ | ❌ |
+| [`BIND`](bind.md) | ✅ | ✅ | ✅ | ✅ | ✅ |
+| [`BUNNY_DNS`](bunny_dns.md) | ✅ | ❔ | ❔ | ❌ | ❌ |
+| [`CLOUDFLAREAPI`](cloudflareapi.md) | ✅ | ✅ | ❔ | ✅ | ✅ |
+| [`CLOUDNS`](cloudns.md) | ✅ | ❌ | ❔ | ✅ | ✅ |
+| [`CNR`](cnr.md) | ✅ | ❌ | ❔ | ✅ | ✅ |
+| [`CSCGLOBAL`](cscglobal.md) | ✅ | ❔ | ❔ | ❔ | ❔ |
+| [`DESEC`](desec.md) | ✅ | ✅ | ✅ | ✅ | ✅ |
+| [`DIGITALOCEAN`](digitalocean.md) | ✅ | ❔ | ❔ | ❔ | ❔ |
+| [`DNSIMPLE`](dnsimple.md) | ✅ | ❔ | ❔ | ✅ | ❌ |
+| [`DNSMADEEASY`](dnsmadeeasy.md) | ✅ | ❔ | ❔ | ❌ | ❌ |
+| [`DOMAINNAMESHOP`](domainnameshop.md) | ✅ | ❔ | ❔ | ❌ | ❔ |
+| [`EXOSCALE`](exoscale.md) | ✅ | ❔ | ❔ | ❔ | ❌ |
+| [`GANDI_V5`](gandi_v5.md) | ✅ | ❔ | ❔ | ✅ | ✅ |
+| [`GCLOUD`](gcloud.md) | ✅ | ✅ | ❔ | ✅ | ✅ |
+| [`GCORE`](gcore.md) | ✅ | ✅ | ❔ | ❌ | ❌ |
+| [`HEDNS`](hedns.md) | ✅ | ✅ | ❔ | ✅ | ❌ |
+| [`HETZNER`](hetzner.md) | ✅ | ❔ | ❔ | ❌ | ✅ |
+| [`HEXONET`](hexonet.md) | ✅ | ❔ | ❔ | ❔ | ✅ |
+| [`HOSTINGDE`](hostingde.md) | ✅ | ❔ | ❔ | ✅ | ✅ |
+| [`HUAWEICLOUD`](huaweicloud.md) | ✅ | ❌ | ❔ | ❌ | ❌ |
+| [`INWX`](inwx.md) | ✅ | ✅ | ❔ | ✅ | ✅ |
+| [`JOKER`](joker.md) | ✅ | ❌ | ❔ | ❌ | ❌ |
+| [`LINODE`](linode.md) | ✅ | ❔ | ❔ | ❔ | ❔ |
+| [`LOOPIA`](loopia.md) | ✅ | ❌ | ❔ | ✅ | ✅ |
+| [`LUADNS`](luadns.md) | ✅ | ✅ | ❔ | ✅ | ✅ |
+| [`MYTHICBEASTS`](mythicbeasts.md) | ✅ | ❔ | ❔ | ✅ | ✅ |
+| [`NAMECHEAP`](namecheap.md) | ✅ | ❔ | ❔ | ❔ | ❌ |
+| [`NETCUP`](netcup.md) | ✅ | ❔ | ❔ | ❔ | ❔ |
+| [`NETLIFY`](netlify.md) | ✅ | ❔ | ❔ | ❌ | ❌ |
+| [`NS1`](ns1.md) | ✅ | ✅ | ❔ | ❔ | ✅ |
+| [`ORACLE`](oracle.md) | ✅ | ❔ | ❔ | ✅ | ✅ |
+| [`OVH`](ovh.md) | ✅ | ❔ | ❔ | ✅ | ✅ |
+| [`PORKBUN`](porkbun.md) | ✅ | ✅ | ❔ | ❌ | ✅ |
+| [`POWERDNS`](powerdns.md) | ✅ | ✅ | ❔ | ✅ | ✅ |
+| [`REALTIMEREGISTER`](realtimeregister.md) | ✅ | ❔ | ❔ | ✅ | ✅ |
+| [`ROUTE53`](route53.md) | ✅ | ✅ | ❔ | ✅ | ✅ |
+| [`RWTH`](rwth.md) | ✅ | ❔ | ❔ | ✅ | ❌ |
+| [`SAKURACLOUD`](sakuracloud.md) | ✅ | ✅ | ❔ | ❌ | ❌ |
+| [`TRANSIP`](transip.md) | ✅ | ❌ | ❔ | ✅ | ✅ |
+| [`VULTR`](vultr.md) | ✅ | ❔ | ❔ | ✅ | ❌ |
 
 
 ### DNSSEC <!--(table 6/6)-->

integrationTest/helpers_integration_test.go

@@ -479,6 +479,12 @@ func r53alias(name, aliasType, target, evalTargetHealth string) *models.RecordCo
 	return r
 }
 
+func smimea(name string, usage, selector, matchingtype uint8, target string) *models.RecordConfig {
+	r := makeRec(name, target, "SMIMEA")
+	panicOnErr(r.SetTargetSMIMEA(usage, selector, matchingtype, target))
+	return r
+}
+
 func soa(name string, ns, mbox string, serial, refresh, retry, expire, minttl uint32) *models.RecordConfig {
 	r := makeRec(name, "", "SOA")
 	panicOnErr(r.SetTargetSOA(ns, mbox, serial, refresh, retry, expire, minttl))

integrationTest/integration_test.go

@@ -2021,6 +2021,15 @@ func makeTests() []*TestGroup {
 			tc("final", txt("final", `TestDNSProviders was successful!`)),
 		),
 
+		testgroup("SMIMEA",
+			requires(providers.CanUseSMIMEA),
+			tc("SMIMEA record", smimea("_443._tcp", 3, 1, 1, sha256hash)),
+			tc("SMIMEA change usage", smimea("_443._tcp", 2, 1, 1, sha256hash)),
+			tc("SMIMEA change selector", smimea("_443._tcp", 2, 0, 1, sha256hash)),
+			tc("SMIMEA change matchingtype", smimea("_443._tcp", 2, 0, 2, sha512hash)),
+			tc("SMIMEA change certificate", smimea("_443._tcp", 2, 0, 2, reversedSha512)),
+		),
+
 		// Narrative: Congrats! You're done!  If you've made it this far
 		// you're very close to being able to submit your PR.  Here's
 		// some tips:

models/dnsrr.go

@@ -68,6 +68,8 @@ func helperRRtoRC(rr dns.RR, origin string, fixBug bool) (RecordConfig, error) {
 		err = rc.SetTarget(v.Ns)
 	case *dns.PTR:
 		err = rc.SetTarget(v.Ptr)
+	case *dns.SMIMEA:
+		err = rc.SetTargetSMIMEA(v.Usage, v.Selector, v.MatchingType, v.Certificate)
 	case *dns.SOA:
 		err = rc.SetTargetSOA(v.Ns, v.Mbox, v.Serial, v.Refresh, v.Retry, v.Expire, v.Minttl)
 	case *dns.SRV:

models/domain.go

@@ -142,7 +142,7 @@ func (dc *DomainConfig) Punycode() error {
 			if err := rec.SetTarget(rec.GetTargetField()); err != nil {
 				return err
 			}
-		case "A", "AAAA", "CAA", "DHCID", "DNSKEY", "DS", "HTTPS", "LOC", "NAPTR", "OPENPGPKEY", "SOA", "SSHFP", "SVCB", "TXT", "TLSA", "AZURE_ALIAS":
+		case "A", "AAAA", "CAA", "DHCID", "DNSKEY", "DS", "HTTPS", "LOC", "NAPTR", "OPENPGPKEY", "SMIMEA", "SOA", "SSHFP", "SVCB", "TXT", "TLSA", "AZURE_ALIAS":
 			// Nothing to do.
 		default:
 			return fmt.Errorf("Punycode rtype %v unimplemented", rec.Type)