Diffstat (limited to 'plugin/dnssec/responsewriter.go')
-rw-r--r-- | plugin/dnssec/responsewriter.go | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/plugin/dnssec/responsewriter.go b/plugin/dnssec/responsewriter.go
new file mode 100644
index 000000000..793cbcdd0
--- /dev/null
+++ b/plugin/dnssec/responsewriter.go
@@ -0,0 +1,49 @@
+package dnssec
+
+import (
+ "log"
+ "time"
+
+ "github.com/coredns/coredns/plugin"
+ "github.com/coredns/coredns/request"
+
+ "github.com/miekg/dns"
+)
+
+// ResponseWriter sign the response on the fly.
+type ResponseWriter struct {
+ dns.ResponseWriter
+ d Dnssec
+}
+
+// WriteMsg implements the dns.ResponseWriter interface.
+func (d *ResponseWriter) WriteMsg(res *dns.Msg) error {
+ // By definition we should sign anything that comes back, we should still figure out for
+ // which zone it should be.
+ state := request.Request{W: d.ResponseWriter, Req: res}
+
+ qname := state.Name()
+ zone := plugin.Zones(d.d.zones).Matches(qname)
+ if zone == "" {
+ return d.ResponseWriter.WriteMsg(res)
+ }
+
+ if state.Do() {
+ res = d.d.Sign(state, zone, time.Now().UTC())
+
+ cacheSize.WithLabelValues("signature").Set(float64(d.d.cache.Len()))
+ }
+ state.SizeAndDo(res)
+
+ return d.ResponseWriter.WriteMsg(res)
+}
+
+// Write implements the dns.ResponseWriter interface.
+func (d *ResponseWriter) Write(buf []byte) (int, error) {
+ log.Printf("[WARNING] Dnssec called with Write: not signing reply")
+ n, err := d.ResponseWriter.Write(buf)
+ return n, err
+}
+
+// Hijack implements the dns.ResponseWriter interface.
+func (d *ResponseWriter) Hijack() { d.ResponseWriter.Hijack() } |
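Review bot: In WriteMsg the decision to sign comes from `state.Do()` on a `request.Request` built around the response (`Req: res`), not the client's query, so whether RRSIGs are attached appears to depend on the inner plugin having carried the client's OPT record and DO bit into `res`; a response that lacks EDNS0 would go out unsigned for a DO-requesting client, which a validating resolver then rejects. If that reading of `request.Request.Do` is right, the line deserves a comment such as `// DO is read from the response's OPT RR, so the answering plugin must copy the client's EDNS0 options into res.`, or the writer should keep the original request and evaluate DO on that. The `Write` path deliberately forwards raw bytes unsigned, but `log.Printf` fires on every such call, so a busy path using Write can flood the log; a single note in the `ResponseWriter` doc comment that Write bypasses signing, plus rate-limited or debug-level logging, would be safer. Minor: the type comment `ResponseWriter sign the response on the fly.` should read `signs`, and `Write` can simply `return d.ResponseWriter.Write(buf)`.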