72 feature add nsupdate support

.github/workflows/manual-release.yml

@@ -63,7 +63,7 @@ jobs:
         uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ github.event.inputs.version }}
-          name: Release ${{ github.event.inputs.version }}
+          name: ${{ github.event.inputs.version }}
           prerelease: ${{ github.event.inputs.prerelease }}
           files: |
             bindizr_*.deb

Cargo.toml

@@ -44,6 +44,8 @@ sqlx = { version = "0.8", features = [
 domain = "0.11"
 rand = "0.10"
 sha2 = "0.10"
+hmac = "0.12"
+base64 = "0.22"
 hex = "0.4"
 thiserror = "2.0.18"
 

README.md

@@ -31,6 +31,8 @@ DNS Synchronization Service for BIND9
 
 - **Secondary DNS Servers**: Standard BIND9 (or any RFC-compliant DNS server) instances configured as secondaries. They automatically discover zones through the catalog zone, pull zone updates from Bindizr's XFR server via zone transfer, and respond to DNS queries from clients.
 
+- **nsupdate (Dynamic Update)**: Supports RFC 2136-style DNS dynamic updates via nsupdate.
+
 <br>
 
 &nbsp;<img src="public/concepts.png" width="462px">
@@ -178,9 +180,10 @@ file_path = "bindizr.db"       # SQLite database file path
 [database.postgresql]
 server_url = "postgresql://user:password@hostname:port/database" # PostgreSQL server configuration
 
-[xfr]
-listen_port = 53                  # XFR server listen port (TCP)
-secondary_addrs = ""                 # Comma-separated secondary DNS server addresses for NOTIFY (e.g., "192.168.1.2:53,192.168.1.3:53")
+[dns]
+listen_port = 53                  # DNS server listen port (UDP and TCP)
+secondary_addrs = ""              # Comma-separated secondary DNS server addresses for NOTIFY (e.g., "192.168.1.2:53,192.168.1.3:53")
+nsupdate_tsig_key = ""            # Shared TSIG secret for nsupdate authentication (empty to disable, base64 recommended)
 
 [logging]
 log_level = "debug"           # Log level: error, warn, info, debug, trace
@@ -220,6 +223,19 @@ $ bindizr notify zone <ZONE_NAME>
 $ bindizr --help
 ```
 
+### nsupdate (Dynamic Update)
+
+Bindizr supports RFC 2136-style dynamic updates through the DNS listener.
+
+```bash
+$ nsupdate <<EOF
+server 127.0.0.1 53
+zone example.com
+update add sub.example.com. 300 A 1.2.3.4
+send
+EOF
+```
+
 ### Token Management
 
 Bindizr uses API tokens for authentication. You can manage these tokens using the following commands:

bindizr.conf.toml

@@ -1,24 +1,25 @@
-listen_addr = "127.0.0.1"         # Common listen address for all services
+listen_addr = "127.0.0.1"     # Common listen address for all services
 
 [api]
-listen_port = 3000             # HTTP API listen port
-require_authentication = true  # Enable API authentication (true/false)
+listen_port = 3000            # HTTP API listen port
+require_authentication = true # Enable API authentication (true/false)
 
 [database]
-type = "mysql"                 # Database type: mysql, sqlite, postgresql
+type = "mysql"                # Database type: mysql, sqlite, postgresql
 
 [database.mysql]
 server_url = "mysql://user:password@hostname:port/database"      # Mysql server configuration
 
 [database.sqlite]
-file_path = "bindizr.db"       # SQLite database file path
+file_path = "bindizr.db"      # SQLite database file path
 
 [database.postgresql]
 server_url = "postgresql://user:password@hostname:port/database" # PostgreSQL server configuration
 
-[xfr]
-listen_port = 53            # XFR server listen port (TCP)
-secondary_addrs = ""           # Comma-separated secondary DNS server addresses (e.g., "192.168.1.2:53,192.168.1.3:53") for NOTIFY
+[dns]
+listen_port = 53              # DNS server listen port (UDP and TCP)
+secondary_addrs = ""          # Comma-separated secondary DNS server addresses for NOTIFY (e.g., "192.168.1.2:53,192.168.1.3:53") 
+nsupdate_tsig_key = ""        # Shared TSIG secret for nsupdate authentication (empty to disable, base64 recommended)
 
 [logging]
 log_level = "debug"           # Log level: error, warn, info, debug, trace

src/api/error.rs

@@ -46,3 +46,16 @@ impl IntoResponse for ApiError {
         (status, body).into_response()
     }
 }
+
+impl From<crate::service::error::ServiceError> for ApiError {
+    fn from(value: crate::service::error::ServiceError) -> Self {
+        match value {
+            crate::service::error::ServiceError::BadRequest(msg) => ApiError::BadRequest(msg),
+            crate::service::error::ServiceError::NotFound(msg) => ApiError::NotFound(msg),
+            crate::service::error::ServiceError::Unauthorized(msg) => ApiError::Unauthorized(msg),
+            crate::service::error::ServiceError::Internal(msg) => {
+                ApiError::InternalServerError(msg)
+            }
+        }
+    }
+}

src/api/controller/middleware/auth.rs → src/api/middleware/auth.rs

@@ -1,5 +1,5 @@
-use crate::api::service::auth::AuthService;
 use crate::log_debug;
+use crate::service::auth::AuthService;
 use axum::Json;
 use axum::body::Body;
 use axum::http::header::AUTHORIZATION;
@@ -11,15 +11,13 @@ use axum::{
 use serde_json::json;
 
 pub async fn auth_middleware(mut req: Request<Body>, next: Next) -> Result<Response, StatusCode> {
-    // Extract Authorization header
     let auth_header = match req.headers().get(AUTHORIZATION) {
         Some(header) => header,
         None => {
             return Ok(unauthorized("No authorization header"));
         }
     };
 
-    // Extract Bearer token
     let auth_str = match auth_header.to_str() {
         Ok(s) => s,
         Err(_) => return Ok(unauthorized("Invalid authorization header")),
@@ -31,7 +29,6 @@ pub async fn auth_middleware(mut req: Request<Body>, next: Next) -> Result<Respo
 
     let token = &auth_str[7..];
 
-    // Validate token
     match AuthService::validate_token(token).await {
         Ok(api_token) => {
             req.extensions_mut().insert(api_token);

src/api/controller/middleware/body_parser.rs → src/api/middleware/body_parser.rs

@@ -4,19 +4,16 @@ use serde_json::json;
 
 use crate::log_error;
 
-// Custom extractor for JSON body with error handling
 #[derive(FromRequest)]
 #[from_request(via(axum::Json), rejection(ApiError))]
 pub struct JsonBody<T>(pub T);
 
-// Custom API error type for handling JSON extraction errors
 #[derive(Debug)]
 pub struct ApiError {
     code: StatusCode,
     message: String,
 }
 
-// Implement conversion from JsonRejection to ApiError
 impl From<JsonRejection> for ApiError {
     fn from(rejection: JsonRejection) -> Self {
         let code = match rejection {
@@ -39,7 +36,6 @@ impl IntoResponse for ApiError {
     fn into_response(self) -> axum::response::Response {
         let payload = json!({
             "message": self.message,
-            // "origin": "derive_from_request"
         });
 
         (self.code, axum::Json(payload)).into_response()

src/api/mod.rs

@@ -1,11 +1,13 @@
-pub mod controller;
 pub mod dto;
 pub mod error;
-pub mod service;
+pub mod middleware;
+pub mod record;
+pub mod router;
 pub mod validation;
+pub mod zone;
 
 use crate::{config, log_error, log_info};
-use controller::ApiController;
+use router::ApiRouter;
 use std::net::SocketAddr;
 use tokio::net::TcpListener;
 
@@ -31,7 +33,7 @@ pub async fn initialize() -> Result<(), String> {
 
     // Spawn API server in background
     tokio::spawn(async move {
-        if let Err(e) = axum::serve(listener, ApiController::routes().await).await {
+        if let Err(e) = axum::serve(listener, ApiRouter::routes().await).await {
             log_error!("API server error: {:?}", e);
         }
     });

src/api/controller/record.rs → src/api/record.rs

@@ -1,8 +1,9 @@
 use crate::api::{
-    controller::middleware::body_parser::JsonBody,
     dto::{CreateRecordRequest, GetRecordResponse},
-    service::record::RecordService,
+    error::ApiError,
+    middleware::body_parser::JsonBody,
 };
+use crate::service::record::RecordService;
 use axum::{
     Json, Router,
     extract::{Path, Query},
@@ -13,9 +14,9 @@ use axum::{
 use serde::Deserialize;
 use serde_json::json;
 
-pub struct RecordController;
+pub struct RecordApi;
 
-impl RecordController {
+impl RecordApi {
     pub async fn routes() -> Router {
         Router::new()
             .route("/records", routing::get(Self::get_records))
@@ -39,7 +40,7 @@ impl RecordController {
 
         let raw_records = match RecordService::get_records(zone_name).await {
             Ok(records) => records,
-            Err(err) => return err.into_response(),
+            Err(err) => return ApiError::from(err).into_response(),
         };
 
         let records = raw_records
@@ -57,7 +58,7 @@ impl RecordController {
 
         let raw_record = match RecordService::get_record(&name, &record_type).await {
             Ok(record) => record,
-            Err(err) => return err.into_response(),
+            Err(err) => return ApiError::from(err).into_response(),
         };
 
         let record = GetRecordResponse::from_record(&raw_record);
@@ -69,7 +70,7 @@ impl RecordController {
     async fn create_record(JsonBody(body): JsonBody<CreateRecordRequest>) -> impl IntoResponse {
         let raw_record = match RecordService::create_record(&body).await {
             Ok(record) => record,
-            Err(err) => return err.into_response(),
+            Err(err) => return ApiError::from(err).into_response(),
         };
 
         let record = GetRecordResponse::from_record(&raw_record);
@@ -87,7 +88,7 @@ impl RecordController {
 
         let raw_record = match RecordService::update_record(&name, &record_type, &body).await {
             Ok(record) => record,
-            Err(err) => return err.into_response(),
+            Err(err) => return ApiError::from(err).into_response(),
         };
 
         let record = GetRecordResponse::from_record(&raw_record);
@@ -105,7 +106,7 @@ impl RecordController {
                 let json_body = json!({ "message": "Record deleted successfully" });
                 (StatusCode::OK, Json(json_body)).into_response()
             }
-            Err(err) => err.into_response(),
+            Err(err) => ApiError::from(err).into_response(),
         }
     }
 }