chore(deps): bump github.com/miekg/dns from 1.1.43 to 1.1.50 (#385)

Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.43 to 1.1.50.
- [Release notes](https://github.com/miekg/dns/releases)
- [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release)
- [Commits](https://github.com/miekg/dns/compare/v1.1.43...v1.1.50)

---
updated-dependencies:
- dependency-name: github.com/miekg/dns
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot[bot] 2022-12-14 23:51:19 -05:00 committed by GitHub
parent 9acace7d37
commit a5f135c675
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 617 additions and 281 deletions

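--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/google/uuid v1.3.0
 github.com/gorilla/mux v1.8.0
 github.com/lib/pq v1.10.7
-github.com/miekg/dns v1.1.43
+github.com/miekg/dns v1.1.50
 github.com/prometheus/client_golang v1.14.0
 github.com/wcharczuk/go-chart/v2 v2.1.0
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9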

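--- a/go.sum
+++ b/go.sum
@@ -246,8 +246,8 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
-github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
+github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
+github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
@@ -403,6 +403,7 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
@@ -486,7 +487,6 @@ golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -583,6 +583,7 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.7 h1:6j8CgantCy3yc8JGBqkDLMKWqZ0RDU2g1HVgacojGWQ=
 golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=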


@ -73,6 +73,10 @@ A not-so-up-to-date-list-that-may-be-actually-current:
* https://github.com/bodgit/tsig * https://github.com/bodgit/tsig
* https://github.com/v2fly/v2ray-core (test only) * https://github.com/v2fly/v2ray-core (test only)
* https://kuma.io/ * https://kuma.io/
* https://www.misaka.io/services/dns
* https://ping.sx/dig
* https://fleetdeck.io/
* https://github.com/markdingo/autoreverse
Send pull request if you want to be listed here. Send pull request if you want to be listed here.


@ -12,7 +12,7 @@ type MsgAcceptFunc func(dh Header) MsgAcceptAction
// //
// * Zero bit isn't zero // * Zero bit isn't zero
// //
// * has more than 1 question in the question section // * does not have exactly 1 question in the question section
// //
// * has more than 1 RR in the Answer section // * has more than 1 RR in the Answer section
// //

vendor/github.com/miekg/dns/client.go generated vendored

@ -18,6 +18,18 @@ const (
tcpIdleTimeout time.Duration = 8 * time.Second tcpIdleTimeout time.Duration = 8 * time.Second
) )
func isPacketConn(c net.Conn) bool {
if _, ok := c.(net.PacketConn); !ok {
return false
}
if ua, ok := c.LocalAddr().(*net.UnixAddr); ok {
return ua.Net == "unixgram" || ua.Net == "unixpacket"
}
return true
}
// A Conn represents a connection to a DNS server. // A Conn represents a connection to a DNS server.
type Conn struct { type Conn struct {
net.Conn // a net.Conn holding the connection net.Conn // a net.Conn holding the connection
@ -27,6 +39,14 @@ type Conn struct {
tsigRequestMAC string tsigRequestMAC string
} }
func (co *Conn) tsigProvider() TsigProvider {
if co.TsigProvider != nil {
return co.TsigProvider
}
// tsigSecretProvider will return ErrSecret if co.TsigSecret is nil.
return tsigSecretProvider(co.TsigSecret)
}
// A Client defines parameters for a DNS client. // A Client defines parameters for a DNS client.
type Client struct { type Client struct {
Net string // if "tcp" or "tcp-tls" (DNS over TLS) a TCP query will be initiated, otherwise an UDP one (default is "" for UDP) Net string // if "tcp" or "tcp-tls" (DNS over TLS) a TCP query will be initiated, otherwise an UDP one (default is "" for UDP)
@ -82,6 +102,12 @@ func (c *Client) writeTimeout() time.Duration {
// Dial connects to the address on the named network. // Dial connects to the address on the named network.
func (c *Client) Dial(address string) (conn *Conn, err error) { func (c *Client) Dial(address string) (conn *Conn, err error) {
return c.DialContext(context.Background(), address)
}
// DialContext connects to the address on the named network, with a context.Context.
// For TLS over TCP (DoT) the context isn't used yet. This will be enabled when Go 1.18 is released.
func (c *Client) DialContext(ctx context.Context, address string) (conn *Conn, err error) {
// create a new dialer with the appropriate timeout // create a new dialer with the appropriate timeout
var d net.Dialer var d net.Dialer
if c.Dialer == nil { if c.Dialer == nil {
@ -101,9 +127,17 @@ func (c *Client) Dial(address string) (conn *Conn, err error) {
if useTLS { if useTLS {
network = strings.TrimSuffix(network, "-tls") network = strings.TrimSuffix(network, "-tls")
// TODO(miekg): Enable after Go 1.18 is released, to be able to support two prev. releases.
/*
tlsDialer := tls.Dialer{
NetDialer: &d,
Config: c.TLSConfig,
}
conn.Conn, err = tlsDialer.DialContext(ctx, network, address)
*/
conn.Conn, err = tls.DialWithDialer(&d, network, address, c.TLSConfig) conn.Conn, err = tls.DialWithDialer(&d, network, address, c.TLSConfig)
} else { } else {
conn.Conn, err = d.Dial(network, address) conn.Conn, err = d.DialContext(ctx, network, address)
} }
if err != nil { if err != nil {
return nil, err return nil, err
@ -139,24 +173,34 @@ func (c *Client) Exchange(m *Msg, address string) (r *Msg, rtt time.Duration, er
// ExchangeWithConn has the same behavior as Exchange, just with a predetermined connection // ExchangeWithConn has the same behavior as Exchange, just with a predetermined connection
// that will be used instead of creating a new one. // that will be used instead of creating a new one.
// Usage pattern with a *dns.Client: // Usage pattern with a *dns.Client:
//
// c := new(dns.Client) // c := new(dns.Client)
// // connection management logic goes here // // connection management logic goes here
// //
// conn := c.Dial(address) // conn := c.Dial(address)
// in, rtt, err := c.ExchangeWithConn(message, conn) // in, rtt, err := c.ExchangeWithConn(message, conn)
// //
// This allows users of the library to implement their own connection management, // This allows users of the library to implement their own connection management,
// as opposed to Exchange, which will always use new connections and incur the added overhead // as opposed to Exchange, which will always use new connections and incur the added overhead
// that entails when using "tcp" and especially "tcp-tls" clients. // that entails when using "tcp" and especially "tcp-tls" clients.
//
// When the singleflight is set for this client the context is _not_ forwarded to the (shared) exchange, to
// prevent one cancelation from canceling all outstanding requests.
func (c *Client) ExchangeWithConn(m *Msg, conn *Conn) (r *Msg, rtt time.Duration, err error) { func (c *Client) ExchangeWithConn(m *Msg, conn *Conn) (r *Msg, rtt time.Duration, err error) {
return c.exchangeWithConnContext(context.Background(), m, conn)
}
func (c *Client) exchangeWithConnContext(ctx context.Context, m *Msg, conn *Conn) (r *Msg, rtt time.Duration, err error) {
if !c.SingleInflight { if !c.SingleInflight {
return c.exchange(m, conn) return c.exchangeContext(ctx, m, conn)
} }
q := m.Question[0] q := m.Question[0]
key := fmt.Sprintf("%s:%d:%d", q.Name, q.Qtype, q.Qclass) key := fmt.Sprintf("%s:%d:%d", q.Name, q.Qtype, q.Qclass)
r, rtt, err, shared := c.group.Do(key, func() (*Msg, time.Duration, error) { r, rtt, err, shared := c.group.Do(key, func() (*Msg, time.Duration, error) {
return c.exchange(m, conn) // When we're doing singleflight we don't want one context cancelation, cancel _all_ outstanding queries.
// Hence we ignore the context and use Background().
return c.exchangeContext(context.Background(), m, conn)
}) })
if r != nil && shared { if r != nil && shared {
r = r.Copy() r = r.Copy()
@ -165,8 +209,7 @@ func (c *Client) ExchangeWithConn(m *Msg, conn *Conn) (r *Msg, rtt time.Duration
return r, rtt, err return r, rtt, err
} }
func (c *Client) exchange(m *Msg, co *Conn) (r *Msg, rtt time.Duration, err error) { func (c *Client) exchangeContext(ctx context.Context, m *Msg, co *Conn) (r *Msg, rtt time.Duration, err error) {
opt := m.IsEdns0() opt := m.IsEdns0()
// If EDNS0 is used use that for size. // If EDNS0 is used use that for size.
if opt != nil && opt.UDPSize() >= MinMsgSize { if opt != nil && opt.UDPSize() >= MinMsgSize {
@ -177,16 +220,28 @@ func (c *Client) exchange(m *Msg, co *Conn) (r *Msg, rtt time.Duration, err erro
co.UDPSize = c.UDPSize co.UDPSize = c.UDPSize
} }
co.TsigSecret, co.TsigProvider = c.TsigSecret, c.TsigProvider
t := time.Now()
// write with the appropriate write timeout // write with the appropriate write timeout
co.SetWriteDeadline(t.Add(c.getTimeoutForRequest(c.writeTimeout()))) t := time.Now()
writeDeadline := t.Add(c.getTimeoutForRequest(c.writeTimeout()))
readDeadline := t.Add(c.getTimeoutForRequest(c.readTimeout()))
if deadline, ok := ctx.Deadline(); ok {
if deadline.Before(writeDeadline) {
writeDeadline = deadline
}
if deadline.Before(readDeadline) {
readDeadline = deadline
}
}
co.SetWriteDeadline(writeDeadline)
co.SetReadDeadline(readDeadline)
co.TsigSecret, co.TsigProvider = c.TsigSecret, c.TsigProvider
if err = co.WriteMsg(m); err != nil { if err = co.WriteMsg(m); err != nil {
return nil, 0, err return nil, 0, err
} }
co.SetReadDeadline(time.Now().Add(c.getTimeoutForRequest(c.readTimeout()))) if isPacketConn(co.Conn) {
if _, ok := co.Conn.(net.PacketConn); ok {
for { for {
r, err = co.ReadMsg() r, err = co.ReadMsg()
// Ignore replies with mismatched IDs because they might be // Ignore replies with mismatched IDs because they might be
@ -224,15 +279,8 @@ func (co *Conn) ReadMsg() (*Msg, error) {
return m, err return m, err
} }
if t := m.IsTsig(); t != nil { if t := m.IsTsig(); t != nil {
if co.TsigProvider != nil { // Need to work on the original message p, as that was used to calculate the tsig.
err = tsigVerifyProvider(p, co.TsigProvider, co.tsigRequestMAC, false) err = TsigVerifyWithProvider(p, co.tsigProvider(), co.tsigRequestMAC, false)
} else {
if _, ok := co.TsigSecret[t.Hdr.Name]; !ok {
return m, ErrSecret
}
// Need to work on the original message p, as that was used to calculate the tsig.
err = TsigVerify(p, co.TsigSecret[t.Hdr.Name], co.tsigRequestMAC, false)
}
} }
return m, err return m, err
} }
@ -247,7 +295,7 @@ func (co *Conn) ReadMsgHeader(hdr *Header) ([]byte, error) {
err error err error
) )
if _, ok := co.Conn.(net.PacketConn); ok { if isPacketConn(co.Conn) {
if co.UDPSize > MinMsgSize { if co.UDPSize > MinMsgSize {
p = make([]byte, co.UDPSize) p = make([]byte, co.UDPSize)
} else { } else {
@ -287,7 +335,7 @@ func (co *Conn) Read(p []byte) (n int, err error) {
return 0, ErrConnEmpty return 0, ErrConnEmpty
} }
if _, ok := co.Conn.(net.PacketConn); ok { if isPacketConn(co.Conn) {
// UDP connection // UDP connection
return co.Conn.Read(p) return co.Conn.Read(p)
} }
@ -309,17 +357,8 @@ func (co *Conn) Read(p []byte) (n int, err error) {
func (co *Conn) WriteMsg(m *Msg) (err error) { func (co *Conn) WriteMsg(m *Msg) (err error) {
var out []byte var out []byte
if t := m.IsTsig(); t != nil { if t := m.IsTsig(); t != nil {
mac := "" // Set tsigRequestMAC for the next read, although only used in zone transfers.
if co.TsigProvider != nil { out, co.tsigRequestMAC, err = TsigGenerateWithProvider(m, co.tsigProvider(), co.tsigRequestMAC, false)
out, mac, err = tsigGenerateProvider(m, co.TsigProvider, co.tsigRequestMAC, false)
} else {
if _, ok := co.TsigSecret[t.Hdr.Name]; !ok {
return ErrSecret
}
out, mac, err = TsigGenerate(m, co.TsigSecret[t.Hdr.Name], co.tsigRequestMAC, false)
}
// Set for the next read, although only used in zone transfers
co.tsigRequestMAC = mac
} else { } else {
out, err = m.Pack() out, err = m.Pack()
} }
@ -336,7 +375,7 @@ func (co *Conn) Write(p []byte) (int, error) {
return 0, &Error{err: "message too large"} return 0, &Error{err: "message too large"}
} }
if _, ok := co.Conn.(net.PacketConn); ok { if isPacketConn(co.Conn) {
return co.Conn.Write(p) return co.Conn.Write(p)
} }
@ -435,15 +474,11 @@ func DialTimeoutWithTLS(network, address string, tlsConfig *tls.Config, timeout
// context, if present. If there is both a context deadline and a configured // context, if present. If there is both a context deadline and a configured
// timeout on the client, the earliest of the two takes effect. // timeout on the client, the earliest of the two takes effect.
func (c *Client) ExchangeContext(ctx context.Context, m *Msg, a string) (r *Msg, rtt time.Duration, err error) { func (c *Client) ExchangeContext(ctx context.Context, m *Msg, a string) (r *Msg, rtt time.Duration, err error) {
var timeout time.Duration conn, err := c.DialContext(ctx, a)
if deadline, ok := ctx.Deadline(); !ok { if err != nil {
timeout = 0 return nil, 0, err
} else {
timeout = time.Until(deadline)
} }
// not passing the context to the underlying calls, as the API does not support defer conn.Close()
// context. For timeouts you should set up Client.Dialer and call Client.Exchange.
// TODO(tmthrgd,miekg): this is a race condition. return c.exchangeWithConnContext(ctx, m, conn)
c.Dialer = &net.Dialer{Timeout: timeout}
return c.Exchange(m, a)
} }
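Review bot: In the `useTLS` branch of DialContext (hunk @ -101,9 +127,17) the connection is still made with `tls.DialWithDialer`, so `ctx` bounds neither the TCP connect nor the TLS handshake for "tcp-tls"; the only limit on a DoT dial is the dialer timeout set up above the hunk (presumably from `c.Dialer` or the client's dial timeout). Before this change ExchangeContext copied the context deadline into `c.Dialer` (the lines removed at @ -435,15 +474,11), so a caller whose context deadline is shorter than that dialer timeout now loses the bound on DoT dials until the commented-out `tls.Dialer` path is enabled, and a slow or unresponsive resolver can hold the goroutine for the full dialer timeout. The TODO at the top of the branch records the plan but not the consequence for callers; I would say it in the DialContext doc comment, e.g. `// For "tcp-tls" the dial is bounded only by the dialer timeout, not by ctx; set Client.DialTimeout or Dialer.Timeout to cap it.` DialContext's body continues outside the hunk.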


@ -218,6 +218,11 @@ func IsDomainName(s string) (labels int, ok bool) {
wasDot = false wasDot = false
case '.': case '.':
if i == 0 && len(s) > 1 {
// leading dots are not legal except for the root zone
return labels, false
}
if wasDot { if wasDot {
// two dots back to back is not legal // two dots back to back is not legal
return labels, false return labels, false


@ -65,6 +65,9 @@ var AlgorithmToString = map[uint8]string{
} }
// AlgorithmToHash is a map of algorithm crypto hash IDs to crypto.Hash's. // AlgorithmToHash is a map of algorithm crypto hash IDs to crypto.Hash's.
// For newer algorithm that do their own hashing (i.e. ED25519) the returned value
// is 0, implying no (external) hashing should occur. The non-exported identityHash is then
// used.
var AlgorithmToHash = map[uint8]crypto.Hash{ var AlgorithmToHash = map[uint8]crypto.Hash{
RSAMD5: crypto.MD5, // Deprecated in RFC 6725 RSAMD5: crypto.MD5, // Deprecated in RFC 6725
DSA: crypto.SHA1, DSA: crypto.SHA1,
@ -74,7 +77,7 @@ var AlgorithmToHash = map[uint8]crypto.Hash{
ECDSAP256SHA256: crypto.SHA256, ECDSAP256SHA256: crypto.SHA256,
ECDSAP384SHA384: crypto.SHA384, ECDSAP384SHA384: crypto.SHA384,
RSASHA512: crypto.SHA512, RSASHA512: crypto.SHA512,
ED25519: crypto.Hash(0), ED25519: 0,
} }
// DNSSEC hashing algorithm codes. // DNSSEC hashing algorithm codes.
@ -137,12 +140,12 @@ func (k *DNSKEY) KeyTag() uint16 {
var keytag int var keytag int
switch k.Algorithm { switch k.Algorithm {
case RSAMD5: case RSAMD5:
// Look at the bottom two bytes of the modules, which the last
// item in the pubkey.
// This algorithm has been deprecated, but keep this key-tag calculation. // This algorithm has been deprecated, but keep this key-tag calculation.
// Look at the bottom two bytes of the modules, which the last item in the pubkey.
// See https://www.rfc-editor.org/errata/eid193 .
modulus, _ := fromBase64([]byte(k.PublicKey)) modulus, _ := fromBase64([]byte(k.PublicKey))
if len(modulus) > 1 { if len(modulus) > 1 {
x := binary.BigEndian.Uint16(modulus[len(modulus)-2:]) x := binary.BigEndian.Uint16(modulus[len(modulus)-3:])
keytag = int(x) keytag = int(x)
} }
default: default:
@ -296,35 +299,20 @@ func (rr *RRSIG) Sign(k crypto.Signer, rrset []RR) error {
return err return err
} }
hash, ok := AlgorithmToHash[rr.Algorithm] h, cryptohash, err := hashFromAlgorithm(rr.Algorithm)
if !ok { if err != nil {
return ErrAlg return err
} }
switch rr.Algorithm { switch rr.Algorithm {
case ED25519:
// ed25519 signs the raw message and performs hashing internally.
// All other supported signature schemes operate over the pre-hashed
// message, and thus ed25519 must be handled separately here.
//
// The raw message is passed directly into sign and crypto.Hash(0) is
// used to signal to the crypto.Signer that the data has not been hashed.
signature, err := sign(k, append(signdata, wire...), crypto.Hash(0), rr.Algorithm)
if err != nil {
return err
}
rr.Signature = toBase64(signature)
return nil
case RSAMD5, DSA, DSANSEC3SHA1: case RSAMD5, DSA, DSANSEC3SHA1:
// See RFC 6944. // See RFC 6944.
return ErrAlg return ErrAlg
default: default:
h := hash.New()
h.Write(signdata) h.Write(signdata)
h.Write(wire) h.Write(wire)
signature, err := sign(k, h.Sum(nil), hash, rr.Algorithm) signature, err := sign(k, h.Sum(nil), cryptohash, rr.Algorithm)
if err != nil { if err != nil {
return err return err
} }
@ -341,7 +329,7 @@ func sign(k crypto.Signer, hashed []byte, hash crypto.Hash, alg uint8) ([]byte,
} }
switch alg { switch alg {
case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512: case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512, ED25519:
return signature, nil return signature, nil
case ECDSAP256SHA256, ECDSAP384SHA384: case ECDSAP256SHA256, ECDSAP384SHA384:
ecdsaSignature := &struct { ecdsaSignature := &struct {
@ -362,8 +350,6 @@ func sign(k crypto.Signer, hashed []byte, hash crypto.Hash, alg uint8) ([]byte,
signature := intToBytes(ecdsaSignature.R, intlen) signature := intToBytes(ecdsaSignature.R, intlen)
signature = append(signature, intToBytes(ecdsaSignature.S, intlen)...) signature = append(signature, intToBytes(ecdsaSignature.S, intlen)...)
return signature, nil return signature, nil
case ED25519:
return signature, nil
default: default:
return nil, ErrAlg return nil, ErrAlg
} }
@ -437,9 +423,9 @@ func (rr *RRSIG) Verify(k *DNSKEY, rrset []RR) error {
// remove the domain name and assume its ours? // remove the domain name and assume its ours?
} }
hash, ok := AlgorithmToHash[rr.Algorithm] h, cryptohash, err := hashFromAlgorithm(rr.Algorithm)
if !ok { if err != nil {
return ErrAlg return err
} }
switch rr.Algorithm { switch rr.Algorithm {
@ -450,10 +436,9 @@ func (rr *RRSIG) Verify(k *DNSKEY, rrset []RR) error {
return ErrKey return ErrKey
} }
h := hash.New()
h.Write(signeddata) h.Write(signeddata)
h.Write(wire) h.Write(wire)
return rsa.VerifyPKCS1v15(pubkey, hash, h.Sum(nil), sigbuf) return rsa.VerifyPKCS1v15(pubkey, cryptohash, h.Sum(nil), sigbuf)
case ECDSAP256SHA256, ECDSAP384SHA384: case ECDSAP256SHA256, ECDSAP384SHA384:
pubkey := k.publicKeyECDSA() pubkey := k.publicKeyECDSA()
@ -465,7 +450,6 @@ func (rr *RRSIG) Verify(k *DNSKEY, rrset []RR) error {
r := new(big.Int).SetBytes(sigbuf[:len(sigbuf)/2]) r := new(big.Int).SetBytes(sigbuf[:len(sigbuf)/2])
s := new(big.Int).SetBytes(sigbuf[len(sigbuf)/2:]) s := new(big.Int).SetBytes(sigbuf[len(sigbuf)/2:])
h := hash.New()
h.Write(signeddata) h.Write(signeddata)
h.Write(wire) h.Write(wire)
if ecdsa.Verify(pubkey, h.Sum(nil), r, s) { if ecdsa.Verify(pubkey, h.Sum(nil), r, s) {
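Review bot: The guard in KeyTag (hunk @ -137,12 +140,12) no longer matches the new index: the slice became `modulus[len(modulus)-3:]` but the check is still `if len(modulus) > 1 {`, so a decoded RSAMD5 public key of exactly two bytes produces a negative lower bound and a runtime panic instead of a harmless key tag. KeyTag is typically run on DNSKEY records obtained from the network, so this turns a malformed key into a crash rather than a rejection; change the guard to `if len(modulus) > 2 {`. The `fromBase64` error is still discarded with `_`, which this commit does not change but is what lets an undecodable PublicKey reach the slicing at all. KeyTag starts and ends outside the hunk.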

vendor/github.com/miekg/dns/doc.go generated vendored

@ -251,7 +251,7 @@ information.
EDNS0 EDNS0
EDNS0 is an extension mechanism for the DNS defined in RFC 2671 and updated by EDNS0 is an extension mechanism for the DNS defined in RFC 2671 and updated by
RFC 6891. It defines an new RR type, the OPT RR, which is then completely RFC 6891. It defines a new RR type, the OPT RR, which is then completely
abused. abused.
Basic use pattern for creating an (empty) OPT RR: Basic use pattern for creating an (empty) OPT RR:

vendor/github.com/miekg/dns/edns.go generated vendored

@ -14,6 +14,7 @@ const (
EDNS0LLQ = 0x1 // long lived queries: http://tools.ietf.org/html/draft-sekar-dns-llq-01 EDNS0LLQ = 0x1 // long lived queries: http://tools.ietf.org/html/draft-sekar-dns-llq-01
EDNS0UL = 0x2 // update lease draft: http://files.dns-sd.org/draft-sekar-dns-ul.txt EDNS0UL = 0x2 // update lease draft: http://files.dns-sd.org/draft-sekar-dns-ul.txt
EDNS0NSID = 0x3 // nsid (See RFC 5001) EDNS0NSID = 0x3 // nsid (See RFC 5001)
EDNS0ESU = 0x4 // ENUM Source-URI draft: https://datatracker.ietf.org/doc/html/draft-kaplan-enum-source-uri-00
EDNS0DAU = 0x5 // DNSSEC Algorithm Understood EDNS0DAU = 0x5 // DNSSEC Algorithm Understood
EDNS0DHU = 0x6 // DS Hash Understood EDNS0DHU = 0x6 // DS Hash Understood
EDNS0N3U = 0x7 // NSEC3 Hash Understood EDNS0N3U = 0x7 // NSEC3 Hash Understood
@ -56,6 +57,8 @@ func makeDataOpt(code uint16) EDNS0 {
return new(EDNS0_PADDING) return new(EDNS0_PADDING)
case EDNS0EDE: case EDNS0EDE:
return new(EDNS0_EDE) return new(EDNS0_EDE)
case EDNS0ESU:
return &EDNS0_ESU{Code: EDNS0ESU}
default: default:
e := new(EDNS0_LOCAL) e := new(EDNS0_LOCAL)
e.Code = code e.Code = code
@ -95,6 +98,8 @@ func (rr *OPT) String() string {
s += "\n; SUBNET: " + o.String() s += "\n; SUBNET: " + o.String()
case *EDNS0_COOKIE: case *EDNS0_COOKIE:
s += "\n; COOKIE: " + o.String() s += "\n; COOKIE: " + o.String()
case *EDNS0_TCP_KEEPALIVE:
s += "\n; KEEPALIVE: " + o.String()
case *EDNS0_UL: case *EDNS0_UL:
s += "\n; UPDATE LEASE: " + o.String() s += "\n; UPDATE LEASE: " + o.String()
case *EDNS0_LLQ: case *EDNS0_LLQ:
@ -111,6 +116,8 @@ func (rr *OPT) String() string {
s += "\n; PADDING: " + o.String() s += "\n; PADDING: " + o.String()
case *EDNS0_EDE: case *EDNS0_EDE:
s += "\n; EDE: " + o.String() s += "\n; EDE: " + o.String()
case *EDNS0_ESU:
s += "\n; ESU: " + o.String()
} }
} }
return s return s
@ -577,14 +584,17 @@ func (e *EDNS0_N3U) copy() EDNS0 { return &EDNS0_N3U{e.Code, e.AlgCode} }
type EDNS0_EXPIRE struct { type EDNS0_EXPIRE struct {
Code uint16 // Always EDNS0EXPIRE Code uint16 // Always EDNS0EXPIRE
Expire uint32 Expire uint32
Empty bool // Empty is used to signal an empty Expire option in a backwards compatible way, it's not used on the wire.
} }
// Option implements the EDNS0 interface. // Option implements the EDNS0 interface.
func (e *EDNS0_EXPIRE) Option() uint16 { return EDNS0EXPIRE } func (e *EDNS0_EXPIRE) Option() uint16 { return EDNS0EXPIRE }
func (e *EDNS0_EXPIRE) String() string { return strconv.FormatUint(uint64(e.Expire), 10) } func (e *EDNS0_EXPIRE) copy() EDNS0 { return &EDNS0_EXPIRE{e.Code, e.Expire, e.Empty} }
func (e *EDNS0_EXPIRE) copy() EDNS0 { return &EDNS0_EXPIRE{e.Code, e.Expire} }
func (e *EDNS0_EXPIRE) pack() ([]byte, error) { func (e *EDNS0_EXPIRE) pack() ([]byte, error) {
if e.Empty {
return []byte{}, nil
}
b := make([]byte, 4) b := make([]byte, 4)
binary.BigEndian.PutUint32(b, e.Expire) binary.BigEndian.PutUint32(b, e.Expire)
return b, nil return b, nil
@ -593,15 +603,24 @@ func (e *EDNS0_EXPIRE) pack() ([]byte, error) {
func (e *EDNS0_EXPIRE) unpack(b []byte) error { func (e *EDNS0_EXPIRE) unpack(b []byte) error {
if len(b) == 0 { if len(b) == 0 {
// zero-length EXPIRE query, see RFC 7314 Section 2 // zero-length EXPIRE query, see RFC 7314 Section 2
e.Empty = true
return nil return nil
} }
if len(b) < 4 { if len(b) < 4 {
return ErrBuf return ErrBuf
} }
e.Expire = binary.BigEndian.Uint32(b) e.Expire = binary.BigEndian.Uint32(b)
e.Empty = false
return nil return nil
} }
func (e *EDNS0_EXPIRE) String() (s string) {
if e.Empty {
return ""
}
return strconv.FormatUint(uint64(e.Expire), 10)
}
// The EDNS0_LOCAL option is used for local/experimental purposes. The option // The EDNS0_LOCAL option is used for local/experimental purposes. The option
// code is recommended to be within the range [EDNS0LOCALSTART, EDNS0LOCALEND] // code is recommended to be within the range [EDNS0LOCALSTART, EDNS0LOCALEND]
// (RFC6891), although any unassigned code can actually be used. The content of // (RFC6891), although any unassigned code can actually be used. The content of
@ -652,57 +671,52 @@ func (e *EDNS0_LOCAL) unpack(b []byte) error {
// EDNS0_TCP_KEEPALIVE is an EDNS0 option that instructs the server to keep // EDNS0_TCP_KEEPALIVE is an EDNS0 option that instructs the server to keep
// the TCP connection alive. See RFC 7828. // the TCP connection alive. See RFC 7828.
type EDNS0_TCP_KEEPALIVE struct { type EDNS0_TCP_KEEPALIVE struct {
Code uint16 // Always EDNSTCPKEEPALIVE Code uint16 // Always EDNSTCPKEEPALIVE
Length uint16 // the value 0 if the TIMEOUT is omitted, the value 2 if it is present;
Timeout uint16 // an idle timeout value for the TCP connection, specified in units of 100 milliseconds, encoded in network byte order. // Timeout is an idle timeout value for the TCP connection, specified in
// units of 100 milliseconds, encoded in network byte order. If set to 0,
// pack will return a nil slice.
Timeout uint16
// Length is the option's length.
// Deprecated: this field is deprecated and is always equal to 0.
Length uint16
} }
// Option implements the EDNS0 interface. // Option implements the EDNS0 interface.
func (e *EDNS0_TCP_KEEPALIVE) Option() uint16 { return EDNS0TCPKEEPALIVE } func (e *EDNS0_TCP_KEEPALIVE) Option() uint16 { return EDNS0TCPKEEPALIVE }
func (e *EDNS0_TCP_KEEPALIVE) pack() ([]byte, error) { func (e *EDNS0_TCP_KEEPALIVE) pack() ([]byte, error) {
if e.Timeout != 0 && e.Length != 2 { if e.Timeout > 0 {
return nil, errors.New("dns: timeout specified but length is not 2") b := make([]byte, 2)
binary.BigEndian.PutUint16(b, e.Timeout)
return b, nil
} }
if e.Timeout == 0 && e.Length != 0 { return nil, nil
return nil, errors.New("dns: timeout not specified but length is not 0")
}
b := make([]byte, 4+e.Length)
binary.BigEndian.PutUint16(b[0:], e.Code)
binary.BigEndian.PutUint16(b[2:], e.Length)
if e.Length == 2 {
binary.BigEndian.PutUint16(b[4:], e.Timeout)
}
return b, nil
} }
func (e *EDNS0_TCP_KEEPALIVE) unpack(b []byte) error { func (e *EDNS0_TCP_KEEPALIVE) unpack(b []byte) error {
if len(b) < 4 { switch len(b) {
return ErrBuf case 0:
} case 2:
e.Length = binary.BigEndian.Uint16(b[2:4]) e.Timeout = binary.BigEndian.Uint16(b)
if e.Length != 0 && e.Length != 2 { default:
return errors.New("dns: length mismatch, want 0/2 but got " + strconv.FormatUint(uint64(e.Length), 10)) return fmt.Errorf("dns: length mismatch, want 0/2 but got %d", len(b))
}
if e.Length == 2 {
if len(b) < 6 {
return ErrBuf
}
e.Timeout = binary.BigEndian.Uint16(b[4:6])
} }
return nil return nil
} }
func (e *EDNS0_TCP_KEEPALIVE) String() (s string) { func (e *EDNS0_TCP_KEEPALIVE) String() string {
s = "use tcp keep-alive" s := "use tcp keep-alive"
if e.Length == 0 { if e.Timeout == 0 {
s += ", timeout omitted" s += ", timeout omitted"
} else { } else {
s += fmt.Sprintf(", timeout %dms", e.Timeout*100) s += fmt.Sprintf(", timeout %dms", e.Timeout*100)
} }
return return s
} }
func (e *EDNS0_TCP_KEEPALIVE) copy() EDNS0 { return &EDNS0_TCP_KEEPALIVE{e.Code, e.Length, e.Timeout} }
func (e *EDNS0_TCP_KEEPALIVE) copy() EDNS0 { return &EDNS0_TCP_KEEPALIVE{e.Code, e.Timeout, e.Length} }
// EDNS0_PADDING option is used to add padding to a request/response. The default // EDNS0_PADDING option is used to add padding to a request/response. The default
// value of padding SHOULD be 0x0 but other values MAY be used, for instance if // value of padding SHOULD be 0x0 but other values MAY be used, for instance if
@ -819,3 +833,19 @@ func (e *EDNS0_EDE) unpack(b []byte) error {
e.ExtraText = string(b[2:]) e.ExtraText = string(b[2:])
return nil return nil
} }
// The EDNS0_ESU option for ENUM Source-URI Extension
type EDNS0_ESU struct {
Code uint16
Uri string
}
// Option implements the EDNS0 interface.
func (e *EDNS0_ESU) Option() uint16 { return EDNS0ESU }
func (e *EDNS0_ESU) String() string { return e.Uri }
func (e *EDNS0_ESU) copy() EDNS0 { return &EDNS0_ESU{e.Code, e.Uri} }
func (e *EDNS0_ESU) pack() ([]byte, error) { return []byte(e.Uri), nil }
func (e *EDNS0_ESU) unpack(b []byte) error {
e.Uri = string(b)
return nil
}

31
vendor/github.com/miekg/dns/hash.go generated vendored Normal file

@ -0,0 +1,31 @@
package dns
import (
"bytes"
"crypto"
"hash"
)
// identityHash will not hash, it only buffers the data written into it and returns it as-is.
type identityHash struct {
b *bytes.Buffer
}
// Implement the hash.Hash interface.
func (i identityHash) Write(b []byte) (int, error) { return i.b.Write(b) }
func (i identityHash) Size() int { return i.b.Len() }
func (i identityHash) BlockSize() int { return 1024 }
func (i identityHash) Reset() { i.b.Reset() }
func (i identityHash) Sum(b []byte) []byte { return append(b, i.b.Bytes()...) }
func hashFromAlgorithm(alg uint8) (hash.Hash, crypto.Hash, error) {
hashnumber, ok := AlgorithmToHash[alg]
if !ok {
return nil, 0, ErrAlg
}
if hashnumber == 0 {
return identityHash{b: &bytes.Buffer{}}, hashnumber, nil
}
return hashnumber.New(), hashnumber, nil
}

14
vendor/github.com/miekg/dns/msg.go generated vendored

@ -265,6 +265,11 @@ loop:
wasDot = false wasDot = false
case '.': case '.':
if i == 0 && len(s) > 1 {
// leading dots are not legal except for the root zone
return len(msg), ErrRdata
}
if wasDot { if wasDot {
// two dots back to back is not legal // two dots back to back is not legal
return len(msg), ErrRdata return len(msg), ErrRdata
@ -901,6 +906,11 @@ func (dns *Msg) String() string {
s += "ANSWER: " + strconv.Itoa(len(dns.Answer)) + ", " s += "ANSWER: " + strconv.Itoa(len(dns.Answer)) + ", "
s += "AUTHORITY: " + strconv.Itoa(len(dns.Ns)) + ", " s += "AUTHORITY: " + strconv.Itoa(len(dns.Ns)) + ", "
s += "ADDITIONAL: " + strconv.Itoa(len(dns.Extra)) + "\n" s += "ADDITIONAL: " + strconv.Itoa(len(dns.Extra)) + "\n"
opt := dns.IsEdns0()
if opt != nil {
// OPT PSEUDOSECTION
s += opt.String() + "\n"
}
if len(dns.Question) > 0 { if len(dns.Question) > 0 {
s += "\n;; QUESTION SECTION:\n" s += "\n;; QUESTION SECTION:\n"
for _, r := range dns.Question { for _, r := range dns.Question {
@ -923,10 +933,10 @@ func (dns *Msg) String() string {
} }
} }
} }
if len(dns.Extra) > 0 { if len(dns.Extra) > 0 && (opt == nil || len(dns.Extra) > 1) {
s += "\n;; ADDITIONAL SECTION:\n" s += "\n;; ADDITIONAL SECTION:\n"
for _, r := range dns.Extra { for _, r := range dns.Extra {
if r != nil { if r != nil && r.Header().Rrtype != TypeOPT {
s += r.String() + "\n" s += r.String() + "\n"
} }
} }


@ -476,7 +476,7 @@ func unpackDataNsec(msg []byte, off int) ([]uint16, int, error) {
length, window, lastwindow := 0, 0, -1 length, window, lastwindow := 0, 0, -1
for off < len(msg) { for off < len(msg) {
if off+2 > len(msg) { if off+2 > len(msg) {
return nsec, len(msg), &Error{err: "overflow unpacking nsecx"} return nsec, len(msg), &Error{err: "overflow unpacking NSEC(3)"}
} }
window = int(msg[off]) window = int(msg[off])
length = int(msg[off+1]) length = int(msg[off+1])
@ -484,17 +484,17 @@ func unpackDataNsec(msg []byte, off int) ([]uint16, int, error) {
if window <= lastwindow { if window <= lastwindow {
// RFC 4034: Blocks are present in the NSEC RR RDATA in // RFC 4034: Blocks are present in the NSEC RR RDATA in
// increasing numerical order. // increasing numerical order.
return nsec, len(msg), &Error{err: "out of order NSEC block"} return nsec, len(msg), &Error{err: "out of order NSEC(3) block in type bitmap"}
} }
if length == 0 { if length == 0 {
// RFC 4034: Blocks with no types present MUST NOT be included. // RFC 4034: Blocks with no types present MUST NOT be included.
return nsec, len(msg), &Error{err: "empty NSEC block"} return nsec, len(msg), &Error{err: "empty NSEC(3) block in type bitmap"}
} }
if length > 32 { if length > 32 {
return nsec, len(msg), &Error{err: "NSEC block too long"} return nsec, len(msg), &Error{err: "NSEC(3) block too long in type bitmap"}
} }
if off+length > len(msg) { if off+length > len(msg) {
return nsec, len(msg), &Error{err: "overflowing NSEC block"} return nsec, len(msg), &Error{err: "overflowing NSEC(3) block in type bitmap"}
} }
// Walk the bytes in the window and extract the type bits // Walk the bytes in the window and extract the type bits
@ -558,6 +558,16 @@ func packDataNsec(bitmap []uint16, msg []byte, off int) (int, error) {
if len(bitmap) == 0 { if len(bitmap) == 0 {
return off, nil return off, nil
} }
if off > len(msg) {
return off, &Error{err: "overflow packing nsec"}
}
toZero := msg[off:]
if maxLen := typeBitMapLen(bitmap); maxLen < len(toZero) {
toZero = toZero[:maxLen]
}
for i := range toZero {
toZero[i] = 0
}
var lastwindow, lastlength uint16 var lastwindow, lastlength uint16
for _, t := range bitmap { for _, t := range bitmap {
window := t / 256 window := t / 256
@ -781,6 +791,8 @@ func unpackDataAplPrefix(msg []byte, off int) (APLPrefix, int, error) {
if off+afdlen > len(msg) { if off+afdlen > len(msg) {
return APLPrefix{}, len(msg), &Error{err: "overflow unpacking APL address"} return APLPrefix{}, len(msg), &Error{err: "overflow unpacking APL address"}
} }
// Address MUST NOT contain trailing zero bytes per RFC3123 Sections 4.1 and 4.2.
off += copy(ip, msg[off:off+afdlen]) off += copy(ip, msg[off:off+afdlen])
if afdlen > 0 { if afdlen > 0 {
last := ip[afdlen-1] last := ip[afdlen-1]
@ -792,10 +804,6 @@ func unpackDataAplPrefix(msg []byte, off int) (APLPrefix, int, error) {
IP: ip, IP: ip,
Mask: net.CIDRMask(int(prefix), 8*len(ip)), Mask: net.CIDRMask(int(prefix), 8*len(ip)),
} }
network := ipnet.IP.Mask(ipnet.Mask)
if !network.Equal(ipnet.IP) {
return APLPrefix{}, len(msg), &Error{err: "invalid APL address length"}
}
return APLPrefix{ return APLPrefix{
Negation: (nlen & 0x80) != 0, Negation: (nlen & 0x80) != 0,


@ -71,12 +71,12 @@ type response struct {
tsigTimersOnly bool tsigTimersOnly bool
tsigStatus error tsigStatus error
tsigRequestMAC string tsigRequestMAC string
tsigSecret map[string]string // the tsig secrets tsigProvider TsigProvider
udp net.PacketConn // i/o connection if UDP was used udp net.PacketConn // i/o connection if UDP was used
tcp net.Conn // i/o connection if TCP was used tcp net.Conn // i/o connection if TCP was used
udpSession *SessionUDP // oob data to get egress interface right udpSession *SessionUDP // oob data to get egress interface right
pcSession net.Addr // address to use when writing to a generic net.PacketConn pcSession net.Addr // address to use when writing to a generic net.PacketConn
writer Writer // writer to output the raw DNS bits writer Writer // writer to output the raw DNS bits
} }
// handleRefused returns a HandlerFunc that returns REFUSED for every request it gets. // handleRefused returns a HandlerFunc that returns REFUSED for every request it gets.
@ -211,6 +211,8 @@ type Server struct {
WriteTimeout time.Duration WriteTimeout time.Duration
// TCP idle timeout for multiple queries, if nil, defaults to 8 * time.Second (RFC 5966). // TCP idle timeout for multiple queries, if nil, defaults to 8 * time.Second (RFC 5966).
IdleTimeout func() time.Duration IdleTimeout func() time.Duration
// An implementation of the TsigProvider interface. If defined it replaces TsigSecret and is used for all TSIG operations.
TsigProvider TsigProvider
// Secret(s) for Tsig map[<zonename>]<base64 secret>. The zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2). // Secret(s) for Tsig map[<zonename>]<base64 secret>. The zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2).
TsigSecret map[string]string TsigSecret map[string]string
// If NotifyStartedFunc is set it is called once the server has started listening. // If NotifyStartedFunc is set it is called once the server has started listening.
@ -238,6 +240,16 @@ type Server struct {
udpPool sync.Pool udpPool sync.Pool
} }
func (srv *Server) tsigProvider() TsigProvider {
if srv.TsigProvider != nil {
return srv.TsigProvider
}
if srv.TsigSecret != nil {
return tsigSecretProvider(srv.TsigSecret)
}
return nil
}
func (srv *Server) isStarted() bool { func (srv *Server) isStarted() bool {
srv.lock.RLock() srv.lock.RLock()
started := srv.started started := srv.started
@ -526,7 +538,7 @@ func (srv *Server) serveUDP(l net.PacketConn) error {
// Serve a new TCP connection. // Serve a new TCP connection.
func (srv *Server) serveTCPConn(wg *sync.WaitGroup, rw net.Conn) { func (srv *Server) serveTCPConn(wg *sync.WaitGroup, rw net.Conn) {
w := &response{tsigSecret: srv.TsigSecret, tcp: rw} w := &response{tsigProvider: srv.tsigProvider(), tcp: rw}
if srv.DecorateWriter != nil { if srv.DecorateWriter != nil {
w.writer = srv.DecorateWriter(w) w.writer = srv.DecorateWriter(w)
} else { } else {
@ -581,7 +593,7 @@ func (srv *Server) serveTCPConn(wg *sync.WaitGroup, rw net.Conn) {
// Serve a new UDP request. // Serve a new UDP request.
func (srv *Server) serveUDPPacket(wg *sync.WaitGroup, m []byte, u net.PacketConn, udpSession *SessionUDP, pcSession net.Addr) { func (srv *Server) serveUDPPacket(wg *sync.WaitGroup, m []byte, u net.PacketConn, udpSession *SessionUDP, pcSession net.Addr) {
w := &response{tsigSecret: srv.TsigSecret, udp: u, udpSession: udpSession, pcSession: pcSession} w := &response{tsigProvider: srv.tsigProvider(), udp: u, udpSession: udpSession, pcSession: pcSession}
if srv.DecorateWriter != nil { if srv.DecorateWriter != nil {
w.writer = srv.DecorateWriter(w) w.writer = srv.DecorateWriter(w)
} else { } else {
@ -632,15 +644,11 @@ func (srv *Server) serveDNS(m []byte, w *response) {
} }
w.tsigStatus = nil w.tsigStatus = nil
if w.tsigSecret != nil { if w.tsigProvider != nil {
if t := req.IsTsig(); t != nil { if t := req.IsTsig(); t != nil {
if secret, ok := w.tsigSecret[t.Hdr.Name]; ok { w.tsigStatus = TsigVerifyWithProvider(m, w.tsigProvider, "", false)
w.tsigStatus = TsigVerify(m, secret, "", false)
} else {
w.tsigStatus = ErrSecret
}
w.tsigTimersOnly = false w.tsigTimersOnly = false
w.tsigRequestMAC = req.Extra[len(req.Extra)-1].(*TSIG).MAC w.tsigRequestMAC = t.MAC
} }
} }
@ -718,9 +726,9 @@ func (w *response) WriteMsg(m *Msg) (err error) {
} }
var data []byte var data []byte
if w.tsigSecret != nil { // if no secrets, dont check for the tsig (which is a longer check) if w.tsigProvider != nil { // if no provider, dont check for the tsig (which is a longer check)
if t := m.IsTsig(); t != nil { if t := m.IsTsig(); t != nil {
data, w.tsigRequestMAC, err = TsigGenerate(m, w.tsigSecret[t.Hdr.Name], w.tsigRequestMAC, w.tsigTimersOnly) data, w.tsigRequestMAC, err = TsigGenerateWithProvider(m, w.tsigProvider, w.tsigRequestMAC, w.tsigTimersOnly)
if err != nil { if err != nil {
return err return err
} }

51
vendor/github.com/miekg/dns/sig0.go generated vendored

@ -3,6 +3,7 @@ package dns
import ( import (
"crypto" "crypto"
"crypto/ecdsa" "crypto/ecdsa"
"crypto/ed25519"
"crypto/rsa" "crypto/rsa"
"encoding/binary" "encoding/binary"
"math/big" "math/big"
@ -38,18 +39,17 @@ func (rr *SIG) Sign(k crypto.Signer, m *Msg) ([]byte, error) {
} }
buf = buf[:off:cap(buf)] buf = buf[:off:cap(buf)]
hash, ok := AlgorithmToHash[rr.Algorithm] h, cryptohash, err := hashFromAlgorithm(rr.Algorithm)
if !ok { if err != nil {
return nil, ErrAlg return nil, err
} }
hasher := hash.New()
// Write SIG rdata // Write SIG rdata
hasher.Write(buf[len(mbuf)+1+2+2+4+2:]) h.Write(buf[len(mbuf)+1+2+2+4+2:])
// Write message // Write message
hasher.Write(buf[:len(mbuf)]) h.Write(buf[:len(mbuf)])
signature, err := sign(k, hasher.Sum(nil), hash, rr.Algorithm) signature, err := sign(k, h.Sum(nil), cryptohash, rr.Algorithm)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -82,20 +82,10 @@ func (rr *SIG) Verify(k *KEY, buf []byte) error {
return ErrKey return ErrKey
} }
var hash crypto.Hash h, cryptohash, err := hashFromAlgorithm(rr.Algorithm)
switch rr.Algorithm { if err != nil {
case RSASHA1: return err
hash = crypto.SHA1
case RSASHA256, ECDSAP256SHA256:
hash = crypto.SHA256
case ECDSAP384SHA384:
hash = crypto.SHA384
case RSASHA512:
hash = crypto.SHA512
default:
return ErrAlg
} }
hasher := hash.New()
buflen := len(buf) buflen := len(buf)
qdc := binary.BigEndian.Uint16(buf[4:]) qdc := binary.BigEndian.Uint16(buf[4:])
@ -103,7 +93,6 @@ func (rr *SIG) Verify(k *KEY, buf []byte) error {
auc := binary.BigEndian.Uint16(buf[8:]) auc := binary.BigEndian.Uint16(buf[8:])
adc := binary.BigEndian.Uint16(buf[10:]) adc := binary.BigEndian.Uint16(buf[10:])
offset := headerSize offset := headerSize
var err error
for i := uint16(0); i < qdc && offset < buflen; i++ { for i := uint16(0); i < qdc && offset < buflen; i++ {
_, offset, err = UnpackDomainName(buf, offset) _, offset, err = UnpackDomainName(buf, offset)
if err != nil { if err != nil {
@ -166,21 +155,21 @@ func (rr *SIG) Verify(k *KEY, buf []byte) error {
return &Error{err: "signer name doesn't match key name"} return &Error{err: "signer name doesn't match key name"}
} }
sigend := offset sigend := offset
hasher.Write(buf[sigstart:sigend]) h.Write(buf[sigstart:sigend])
hasher.Write(buf[:10]) h.Write(buf[:10])
hasher.Write([]byte{ h.Write([]byte{
byte((adc - 1) << 8), byte((adc - 1) << 8),
byte(adc - 1), byte(adc - 1),
}) })
hasher.Write(buf[12:bodyend]) h.Write(buf[12:bodyend])
hashed := hasher.Sum(nil) hashed := h.Sum(nil)
sig := buf[sigend:] sig := buf[sigend:]
switch k.Algorithm { switch k.Algorithm {
case RSASHA1, RSASHA256, RSASHA512: case RSASHA1, RSASHA256, RSASHA512:
pk := k.publicKeyRSA() pk := k.publicKeyRSA()
if pk != nil { if pk != nil {
return rsa.VerifyPKCS1v15(pk, hash, hashed, sig) return rsa.VerifyPKCS1v15(pk, cryptohash, hashed, sig)
} }
case ECDSAP256SHA256, ECDSAP384SHA384: case ECDSAP256SHA256, ECDSAP384SHA384:
pk := k.publicKeyECDSA() pk := k.publicKeyECDSA()
@ -192,6 +181,14 @@ func (rr *SIG) Verify(k *KEY, buf []byte) error {
} }
return ErrSig return ErrSig
} }
case ED25519:
pk := k.publicKeyED25519()
if pk != nil {
if ed25519.Verify(pk, hashed, sig) {
return nil
}
return ErrSig
}
} }
return ErrKeyAlg return ErrKeyAlg
} }

330
vendor/github.com/miekg/dns/svcb.go generated vendored

@ -4,6 +4,7 @@ import (
"bytes" "bytes"
"encoding/binary" "encoding/binary"
"errors" "errors"
"fmt"
"net" "net"
"sort" "sort"
"strconv" "strconv"
@ -13,16 +14,18 @@ import (
// SVCBKey is the type of the keys used in the SVCB RR. // SVCBKey is the type of the keys used in the SVCB RR.
type SVCBKey uint16 type SVCBKey uint16
// Keys defined in draft-ietf-dnsop-svcb-https-01 Section 12.3.2. // Keys defined in draft-ietf-dnsop-svcb-https-08 Section 14.3.2.
const ( const (
SVCB_MANDATORY SVCBKey = 0 SVCB_MANDATORY SVCBKey = iota
SVCB_ALPN SVCBKey = 1 SVCB_ALPN
SVCB_NO_DEFAULT_ALPN SVCBKey = 2 SVCB_NO_DEFAULT_ALPN
SVCB_PORT SVCBKey = 3 SVCB_PORT
SVCB_IPV4HINT SVCBKey = 4 SVCB_IPV4HINT
SVCB_ECHCONFIG SVCBKey = 5 SVCB_ECHCONFIG
SVCB_IPV6HINT SVCBKey = 6 SVCB_IPV6HINT
svcb_RESERVED SVCBKey = 65535 SVCB_DOHPATH // draft-ietf-add-svcb-dns-02 Section 9
svcb_RESERVED SVCBKey = 65535
) )
var svcbKeyToStringMap = map[SVCBKey]string{ var svcbKeyToStringMap = map[SVCBKey]string{
@ -31,8 +34,9 @@ var svcbKeyToStringMap = map[SVCBKey]string{
SVCB_NO_DEFAULT_ALPN: "no-default-alpn", SVCB_NO_DEFAULT_ALPN: "no-default-alpn",
SVCB_PORT: "port", SVCB_PORT: "port",
SVCB_IPV4HINT: "ipv4hint", SVCB_IPV4HINT: "ipv4hint",
SVCB_ECHCONFIG: "echconfig", SVCB_ECHCONFIG: "ech",
SVCB_IPV6HINT: "ipv6hint", SVCB_IPV6HINT: "ipv6hint",
SVCB_DOHPATH: "dohpath",
} }
var svcbStringToKeyMap = reverseSVCBKeyMap(svcbKeyToStringMap) var svcbStringToKeyMap = reverseSVCBKeyMap(svcbKeyToStringMap)
@ -167,10 +171,14 @@ func (rr *SVCB) parse(c *zlexer, o string) *ParseError {
} }
l, _ = c.Next() l, _ = c.Next()
} }
// "In AliasMode, records SHOULD NOT include any SvcParams, and recipients MUST
// ignore any SvcParams that are present."
// However, we don't check rr.Priority == 0 && len(xs) > 0 here
// It is the responsibility of the user of the library to check this.
// This is to encourage the fixing of the source of this error.
rr.Value = xs rr.Value = xs
if rr.Priority == 0 && len(xs) > 0 {
return &ParseError{l.token, "SVCB aliasform can't have values", l}
}
return nil return nil
} }
@ -191,6 +199,8 @@ func makeSVCBKeyValue(key SVCBKey) SVCBKeyValue {
return new(SVCBECHConfig) return new(SVCBECHConfig)
case SVCB_IPV6HINT: case SVCB_IPV6HINT:
return new(SVCBIPv6Hint) return new(SVCBIPv6Hint)
case SVCB_DOHPATH:
return new(SVCBDoHPath)
case svcb_RESERVED: case svcb_RESERVED:
return nil return nil
default: default:
@ -200,16 +210,24 @@ func makeSVCBKeyValue(key SVCBKey) SVCBKeyValue {
} }
} }
// SVCB RR. See RFC xxxx (https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-01). // SVCB RR. See RFC xxxx (https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-08).
//
// NOTE: The HTTPS/SVCB RFCs are in the draft stage.
// The API, including constants and types related to SVCBKeyValues, may
// change in future versions in accordance with the latest drafts.
type SVCB struct { type SVCB struct {
Hdr RR_Header Hdr RR_Header
Priority uint16 Priority uint16 // If zero, Value must be empty or discarded by the user of this library
Target string `dns:"domain-name"` Target string `dns:"domain-name"`
Value []SVCBKeyValue `dns:"pairs"` // Value must be empty if Priority is zero. Value []SVCBKeyValue `dns:"pairs"`
} }
// HTTPS RR. Everything valid for SVCB applies to HTTPS as well. // HTTPS RR. Everything valid for SVCB applies to HTTPS as well.
// Except that the HTTPS record is intended for use with the HTTP and HTTPS protocols. // Except that the HTTPS record is intended for use with the HTTP and HTTPS protocols.
//
// NOTE: The HTTPS/SVCB RFCs are in the draft stage.
// The API, including constants and types related to SVCBKeyValues, may
// change in future versions in accordance with the latest drafts.
type HTTPS struct { type HTTPS struct {
SVCB SVCB
} }
@ -235,15 +253,29 @@ type SVCBKeyValue interface {
} }
// SVCBMandatory pair adds to required keys that must be interpreted for the RR // SVCBMandatory pair adds to required keys that must be interpreted for the RR
// to be functional. // to be functional. If ignored, the whole RRSet must be ignored.
// "port" and "no-default-alpn" are mandatory by default if present,
// so they shouldn't be included here.
//
// It is incumbent upon the user of this library to reject the RRSet if
// or avoid constructing such an RRSet that:
// - "mandatory" is included as one of the keys of mandatory
// - no key is listed multiple times in mandatory
// - all keys listed in mandatory are present
// - escape sequences are not used in mandatory
// - mandatory, when present, lists at least one key
//
// Basic use pattern for creating a mandatory option: // Basic use pattern for creating a mandatory option:
// //
// s := &dns.SVCB{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeSVCB, Class: dns.ClassINET}} // s := &dns.SVCB{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeSVCB, Class: dns.ClassINET}}
// e := new(dns.SVCBMandatory) // e := new(dns.SVCBMandatory)
// e.Code = []uint16{65403} // e.Code = []uint16{dns.SVCB_ALPN}
// s.Value = append(s.Value, e) // s.Value = append(s.Value, e)
// t := new(dns.SVCBAlpn)
// t.Alpn = []string{"xmpp-client"}
// s.Value = append(s.Value, t)
type SVCBMandatory struct { type SVCBMandatory struct {
Code []SVCBKey // Must not include mandatory Code []SVCBKey
} }
func (*SVCBMandatory) Key() SVCBKey { return SVCB_MANDATORY } func (*SVCBMandatory) Key() SVCBKey { return SVCB_MANDATORY }
@ -302,7 +334,8 @@ func (s *SVCBMandatory) copy() SVCBKeyValue {
} }
// SVCBAlpn pair is used to list supported connection protocols. // SVCBAlpn pair is used to list supported connection protocols.
// Protocol ids can be found at: // The user of this library must ensure that at least one protocol is listed when alpn is present.
// Protocol IDs can be found at:
// https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids // https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
// Basic use pattern for creating an alpn option: // Basic use pattern for creating an alpn option:
// //
@ -310,13 +343,57 @@ func (s *SVCBMandatory) copy() SVCBKeyValue {
// h.Hdr = dns.RR_Header{Name: ".", Rrtype: dns.TypeHTTPS, Class: dns.ClassINET} // h.Hdr = dns.RR_Header{Name: ".", Rrtype: dns.TypeHTTPS, Class: dns.ClassINET}
// e := new(dns.SVCBAlpn) // e := new(dns.SVCBAlpn)
// e.Alpn = []string{"h2", "http/1.1"} // e.Alpn = []string{"h2", "http/1.1"}
// h.Value = append(o.Value, e) // h.Value = append(h.Value, e)
type SVCBAlpn struct { type SVCBAlpn struct {
Alpn []string Alpn []string
} }
func (*SVCBAlpn) Key() SVCBKey { return SVCB_ALPN } func (*SVCBAlpn) Key() SVCBKey { return SVCB_ALPN }
func (s *SVCBAlpn) String() string { return strings.Join(s.Alpn, ",") }
func (s *SVCBAlpn) String() string {
// An ALPN value is a comma-separated list of values, each of which can be
// an arbitrary binary value. In order to allow parsing, the comma and
// backslash characters are themselves excaped.
//
// However, this escaping is done in addition to the normal escaping which
// happens in zone files, meaning that these values must be
// double-escaped. This looks terrible, so if you see a never-ending
// sequence of backslash in a zone file this may be why.
//
// https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-08#appendix-A.1
var str strings.Builder
for i, alpn := range s.Alpn {
// 4*len(alpn) is the worst case where we escape every character in the alpn as \123, plus 1 byte for the ',' separating the alpn from others
str.Grow(4*len(alpn) + 1)
if i > 0 {
str.WriteByte(',')
}
for j := 0; j < len(alpn); j++ {
e := alpn[j]
if ' ' > e || e > '~' {
str.WriteString(escapeByte(e))
continue
}
switch e {
// We escape a few characters which may confuse humans or parsers.
case '"', ';', ' ':
str.WriteByte('\\')
str.WriteByte(e)
// The comma and backslash characters themselves must be
// doubly-escaped. We use `\\` for the first backslash and
// the escaped numeric value for the other value. We especially
// don't want a comma in the output.
case ',':
str.WriteString(`\\\044`)
case '\\':
str.WriteString(`\\\092`)
default:
str.WriteByte(e)
}
}
}
return str.String()
}
func (s *SVCBAlpn) pack() ([]byte, error) { func (s *SVCBAlpn) pack() ([]byte, error) {
// Liberally estimate the size of an alpn as 10 octets // Liberally estimate the size of an alpn as 10 octets
@ -351,7 +428,47 @@ func (s *SVCBAlpn) unpack(b []byte) error {
} }
func (s *SVCBAlpn) parse(b string) error { func (s *SVCBAlpn) parse(b string) error {
s.Alpn = strings.Split(b, ",") if len(b) == 0 {
s.Alpn = []string{}
return nil
}
alpn := []string{}
a := []byte{}
for p := 0; p < len(b); {
c, q := nextByte(b, p)
if q == 0 {
return errors.New("dns: svcbalpn: unterminated escape")
}
p += q
// If we find a comma, we have finished reading an alpn.
if c == ',' {
if len(a) == 0 {
return errors.New("dns: svcbalpn: empty protocol identifier")
}
alpn = append(alpn, string(a))
a = []byte{}
continue
}
// If it's a backslash, we need to handle a comma-separated list.
if c == '\\' {
dc, dq := nextByte(b, p)
if dq == 0 {
return errors.New("dns: svcbalpn: unterminated escape decoding comma-separated list")
}
if dc != '\\' && dc != ',' {
return errors.New("dns: svcbalpn: bad escaped character decoding comma-separated list")
}
p += dq
c = dc
}
a = append(a, c)
}
// Add the final alpn.
if len(a) == 0 {
return errors.New("dns: svcbalpn: last protocol identifier empty")
}
s.Alpn = append(alpn, string(a))
return nil return nil
} }
@ -370,9 +487,13 @@ func (s *SVCBAlpn) copy() SVCBKeyValue {
} }
// SVCBNoDefaultAlpn pair signifies no support for default connection protocols. // SVCBNoDefaultAlpn pair signifies no support for default connection protocols.
// Should be used in conjunction with alpn.
// Basic use pattern for creating a no-default-alpn option: // Basic use pattern for creating a no-default-alpn option:
// //
// s := &dns.SVCB{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeSVCB, Class: dns.ClassINET}} // s := &dns.SVCB{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeSVCB, Class: dns.ClassINET}}
// t := new(dns.SVCBAlpn)
// t.Alpn = []string{"xmpp-client"}
// s.Value = append(s.Value, t)
// e := new(dns.SVCBNoDefaultAlpn) // e := new(dns.SVCBNoDefaultAlpn)
// s.Value = append(s.Value, e) // s.Value = append(s.Value, e)
type SVCBNoDefaultAlpn struct{} type SVCBNoDefaultAlpn struct{}
@ -385,14 +506,14 @@ func (*SVCBNoDefaultAlpn) len() int { return 0 }
func (*SVCBNoDefaultAlpn) unpack(b []byte) error { func (*SVCBNoDefaultAlpn) unpack(b []byte) error {
if len(b) != 0 { if len(b) != 0 {
return errors.New("dns: svcbnodefaultalpn: no_default_alpn must have no value") return errors.New("dns: svcbnodefaultalpn: no-default-alpn must have no value")
} }
return nil return nil
} }
func (*SVCBNoDefaultAlpn) parse(b string) error { func (*SVCBNoDefaultAlpn) parse(b string) error {
if b != "" { if b != "" {
return errors.New("dns: svcbnodefaultalpn: no_default_alpn must have no value") return errors.New("dns: svcbnodefaultalpn: no-default-alpn must have no value")
} }
return nil return nil
} }
@ -523,7 +644,7 @@ func (s *SVCBIPv4Hint) copy() SVCBKeyValue {
} }
// SVCBECHConfig pair contains the ECHConfig structure defined in draft-ietf-tls-esni [RFC xxxx]. // SVCBECHConfig pair contains the ECHConfig structure defined in draft-ietf-tls-esni [RFC xxxx].
// Basic use pattern for creating an echconfig option: // Basic use pattern for creating an ech option:
// //
// h := new(dns.HTTPS) // h := new(dns.HTTPS)
// h.Hdr = dns.RR_Header{Name: ".", Rrtype: dns.TypeHTTPS, Class: dns.ClassINET} // h.Hdr = dns.RR_Header{Name: ".", Rrtype: dns.TypeHTTPS, Class: dns.ClassINET}
@ -531,7 +652,7 @@ func (s *SVCBIPv4Hint) copy() SVCBKeyValue {
// e.ECH = []byte{0xfe, 0x08, ...} // e.ECH = []byte{0xfe, 0x08, ...}
// h.Value = append(h.Value, e) // h.Value = append(h.Value, e)
type SVCBECHConfig struct { type SVCBECHConfig struct {
ECH []byte ECH []byte // Specifically ECHConfigList including the redundant length prefix
} }
func (*SVCBECHConfig) Key() SVCBKey { return SVCB_ECHCONFIG } func (*SVCBECHConfig) Key() SVCBKey { return SVCB_ECHCONFIG }
@ -555,7 +676,7 @@ func (s *SVCBECHConfig) unpack(b []byte) error {
func (s *SVCBECHConfig) parse(b string) error { func (s *SVCBECHConfig) parse(b string) error {
x, err := fromBase64([]byte(b)) x, err := fromBase64([]byte(b))
if err != nil { if err != nil {
return errors.New("dns: svcbechconfig: bad base64 echconfig") return errors.New("dns: svcbech: bad base64 ech")
} }
s.ECH = x s.ECH = x
return nil return nil
@ -618,9 +739,6 @@ func (s *SVCBIPv6Hint) String() string {
} }
func (s *SVCBIPv6Hint) parse(b string) error { func (s *SVCBIPv6Hint) parse(b string) error {
if strings.Contains(b, ".") {
return errors.New("dns: svcbipv6hint: expected ipv6, got ipv4")
}
str := strings.Split(b, ",") str := strings.Split(b, ",")
dst := make([]net.IP, len(str)) dst := make([]net.IP, len(str))
for i, e := range str { for i, e := range str {
@ -628,6 +746,9 @@ func (s *SVCBIPv6Hint) parse(b string) error {
if ip == nil { if ip == nil {
return errors.New("dns: svcbipv6hint: bad ip") return errors.New("dns: svcbipv6hint: bad ip")
} }
if ip.To4() != nil {
return errors.New("dns: svcbipv6hint: expected ipv6, got ipv4-mapped-ipv6")
}
dst[i] = ip dst[i] = ip
} }
s.Hint = dst s.Hint = dst
@ -645,6 +766,54 @@ func (s *SVCBIPv6Hint) copy() SVCBKeyValue {
} }
} }
// SVCBDoHPath pair is used to indicate the URI template that the
// clients may use to construct a DNS over HTTPS URI.
//
// See RFC xxxx (https://datatracker.ietf.org/doc/html/draft-ietf-add-svcb-dns-02)
// and RFC yyyy (https://datatracker.ietf.org/doc/html/draft-ietf-add-ddr-06).
//
// A basic example of using the dohpath option together with the alpn
// option to indicate support for DNS over HTTPS on a certain path:
//
// s := new(dns.SVCB)
// s.Hdr = dns.RR_Header{Name: ".", Rrtype: dns.TypeSVCB, Class: dns.ClassINET}
// e := new(dns.SVCBAlpn)
// e.Alpn = []string{"h2", "h3"}
// p := new(dns.SVCBDoHPath)
// p.Template = "/dns-query{?dns}"
// s.Value = append(s.Value, e, p)
//
// The parsing currently doesn't validate that Template is a valid
// RFC 6570 URI template.
type SVCBDoHPath struct {
Template string
}
func (*SVCBDoHPath) Key() SVCBKey { return SVCB_DOHPATH }
func (s *SVCBDoHPath) String() string { return svcbParamToStr([]byte(s.Template)) }
func (s *SVCBDoHPath) len() int { return len(s.Template) }
func (s *SVCBDoHPath) pack() ([]byte, error) { return []byte(s.Template), nil }
func (s *SVCBDoHPath) unpack(b []byte) error {
s.Template = string(b)
return nil
}
func (s *SVCBDoHPath) parse(b string) error {
template, err := svcbParseParam(b)
if err != nil {
return fmt.Errorf("dns: svcbdohpath: %w", err)
}
s.Template = string(template)
return nil
}
func (s *SVCBDoHPath) copy() SVCBKeyValue {
return &SVCBDoHPath{
Template: s.Template,
}
}
// SVCBLocal pair is intended for experimental/private use. The key is recommended // SVCBLocal pair is intended for experimental/private use. The key is recommended
// to be in the range [SVCB_PRIVATE_LOWER, SVCB_PRIVATE_UPPER]. // to be in the range [SVCB_PRIVATE_LOWER, SVCB_PRIVATE_UPPER].
// Basic use pattern for creating a keyNNNNN option: // Basic use pattern for creating a keyNNNNN option:
@ -661,6 +830,7 @@ type SVCBLocal struct {
} }
func (s *SVCBLocal) Key() SVCBKey { return s.KeyCode } func (s *SVCBLocal) Key() SVCBKey { return s.KeyCode }
func (s *SVCBLocal) String() string { return svcbParamToStr(s.Data) }
func (s *SVCBLocal) pack() ([]byte, error) { return append([]byte(nil), s.Data...), nil } func (s *SVCBLocal) pack() ([]byte, error) { return append([]byte(nil), s.Data...), nil }
func (s *SVCBLocal) len() int { return len(s.Data) } func (s *SVCBLocal) len() int { return len(s.Data) }
@ -669,50 +839,10 @@ func (s *SVCBLocal) unpack(b []byte) error {
return nil return nil
} }
func (s *SVCBLocal) String() string {
var str strings.Builder
str.Grow(4 * len(s.Data))
for _, e := range s.Data {
if ' ' <= e && e <= '~' {
switch e {
case '"', ';', ' ', '\\':
str.WriteByte('\\')
str.WriteByte(e)
default:
str.WriteByte(e)
}
} else {
str.WriteString(escapeByte(e))
}
}
return str.String()
}
func (s *SVCBLocal) parse(b string) error { func (s *SVCBLocal) parse(b string) error {
data := make([]byte, 0, len(b)) data, err := svcbParseParam(b)
for i := 0; i < len(b); { if err != nil {
if b[i] != '\\' { return fmt.Errorf("dns: svcblocal: svcb private/experimental key %w", err)
data = append(data, b[i])
i++
continue
}
if i+1 == len(b) {
return errors.New("dns: svcblocal: svcb private/experimental key escape unterminated")
}
if isDigit(b[i+1]) {
if i+3 < len(b) && isDigit(b[i+2]) && isDigit(b[i+3]) {
a, err := strconv.ParseUint(b[i+1:i+4], 10, 8)
if err == nil {
i += 4
data = append(data, byte(a))
continue
}
}
return errors.New("dns: svcblocal: svcb private/experimental key bad escaped octet")
} else {
data = append(data, b[i+1])
i += 2
}
} }
s.Data = data s.Data = data
return nil return nil
@ -753,3 +883,53 @@ func areSVCBPairArraysEqual(a []SVCBKeyValue, b []SVCBKeyValue) bool {
} }
return true return true
} }
// svcbParamStr converts the value of an SVCB parameter into a DNS presentation-format string.
func svcbParamToStr(s []byte) string {
var str strings.Builder
str.Grow(4 * len(s))
for _, e := range s {
if ' ' <= e && e <= '~' {
switch e {
case '"', ';', ' ', '\\':
str.WriteByte('\\')
str.WriteByte(e)
default:
str.WriteByte(e)
}
} else {
str.WriteString(escapeByte(e))
}
}
return str.String()
}
// svcbParseParam parses a DNS presentation-format string into an SVCB parameter value.
func svcbParseParam(b string) ([]byte, error) {
data := make([]byte, 0, len(b))
for i := 0; i < len(b); {
if b[i] != '\\' {
data = append(data, b[i])
i++
continue
}
if i+1 == len(b) {
return nil, errors.New("escape unterminated")
}
if isDigit(b[i+1]) {
if i+3 < len(b) && isDigit(b[i+2]) && isDigit(b[i+3]) {
a, err := strconv.ParseUint(b[i+1:i+4], 10, 8)
if err == nil {
i += 4
data = append(data, byte(a))
continue
}
}
return nil, errors.New("bad escaped octet")
} else {
data = append(data, b[i+1])
i += 2
}
}
return data, nil
}

9
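--- /dev/null
+++ b/vendor/github.com/miekg/dns/tools.go
@@ -0,0 +1,9 @@
+// +build tools
+// We include our tool dependencies for `go generate` here to ensure they're
+// properly tracked by the go tool. See the Go Wiki for the rationale behind this:
+// https://github.com/golang/go/wiki/Modules#how-can-i-track-tool-dependencies-for-a-module.
+package dns
+import _ "golang.org/x/tools/go/packages"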

65
vendor/github.com/miekg/dns/tsig.go generated vendored

@ -74,6 +74,24 @@ func (key tsigHMACProvider) Verify(msg []byte, t *TSIG) error {
return nil return nil
} }
type tsigSecretProvider map[string]string
func (ts tsigSecretProvider) Generate(msg []byte, t *TSIG) ([]byte, error) {
key, ok := ts[t.Hdr.Name]
if !ok {
return nil, ErrSecret
}
return tsigHMACProvider(key).Generate(msg, t)
}
func (ts tsigSecretProvider) Verify(msg []byte, t *TSIG) error {
key, ok := ts[t.Hdr.Name]
if !ok {
return ErrSecret
}
return tsigHMACProvider(key).Verify(msg, t)
}
// TSIG is the RR the holds the transaction signature of a message. // TSIG is the RR the holds the transaction signature of a message.
// See RFC 2845 and RFC 4635. // See RFC 2845 and RFC 4635.
type TSIG struct { type TSIG struct {
@ -140,18 +158,17 @@ type timerWireFmt struct {
} }
// TsigGenerate fills out the TSIG record attached to the message. // TsigGenerate fills out the TSIG record attached to the message.
// The message should contain // The message should contain a "stub" TSIG RR with the algorithm, key name
// a "stub" TSIG RR with the algorithm, key name (owner name of the RR), // (owner name of the RR), time fudge (defaults to 300 seconds) and the current
// time fudge (defaults to 300 seconds) and the current time // time The TSIG MAC is saved in that Tsig RR. When TsigGenerate is called for
// The TSIG MAC is saved in that Tsig RR. // the first time requestMAC should be set to the empty string and timersOnly to
// When TsigGenerate is called for the first time requestMAC is set to the empty string and // false.
// timersOnly is false.
// If something goes wrong an error is returned, otherwise it is nil.
func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) ([]byte, string, error) { func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) ([]byte, string, error) {
return tsigGenerateProvider(m, tsigHMACProvider(secret), requestMAC, timersOnly) return TsigGenerateWithProvider(m, tsigHMACProvider(secret), requestMAC, timersOnly)
} }
func tsigGenerateProvider(m *Msg, provider TsigProvider, requestMAC string, timersOnly bool) ([]byte, string, error) { // TsigGenerateWithProvider is similar to TsigGenerate, but allows for a custom TsigProvider.
func TsigGenerateWithProvider(m *Msg, provider TsigProvider, requestMAC string, timersOnly bool) ([]byte, string, error) {
if m.IsTsig() == nil { if m.IsTsig() == nil {
panic("dns: TSIG not last RR in additional") panic("dns: TSIG not last RR in additional")
} }
@ -162,20 +179,29 @@ func tsigGenerateProvider(m *Msg, provider TsigProvider, requestMAC string, time
if err != nil { if err != nil {
return nil, "", err return nil, "", err
} }
buf, err := tsigBuffer(mbuf, rr, requestMAC, timersOnly) buf, err := tsigBuffer(mbuf, rr, requestMAC, timersOnly)
if err != nil { if err != nil {
return nil, "", err return nil, "", err
} }
t := new(TSIG) t := new(TSIG)
// Copy all TSIG fields except MAC and its size, which are filled using the computed digest. // Copy all TSIG fields except MAC, its size, and time signed which are filled when signing.
*t = *rr *t = *rr
mac, err := provider.Generate(buf, rr) t.TimeSigned = 0
if err != nil { t.MAC = ""
return nil, "", err t.MACSize = 0
// Sign unless there is a key or MAC validation error (RFC 8945 5.3.2)
if rr.Error != RcodeBadKey && rr.Error != RcodeBadSig {
mac, err := provider.Generate(buf, rr)
if err != nil {
return nil, "", err
}
t.TimeSigned = rr.TimeSigned
t.MAC = hex.EncodeToString(mac)
t.MACSize = uint16(len(t.MAC) / 2) // Size is half!
} }
t.MAC = hex.EncodeToString(mac)
t.MACSize = uint16(len(t.MAC) / 2) // Size is half!
tbuf := make([]byte, Len(t)) tbuf := make([]byte, Len(t))
off, err := PackRR(t, tbuf, 0, nil, false) off, err := PackRR(t, tbuf, 0, nil, false)
@ -189,14 +215,15 @@ func tsigGenerateProvider(m *Msg, provider TsigProvider, requestMAC string, time
return mbuf, t.MAC, nil return mbuf, t.MAC, nil
} }
// TsigVerify verifies the TSIG on a message. // TsigVerify verifies the TSIG on a message. If the signature does not
// If the signature does not validate err contains the // validate the returned error contains the cause. If the signature is OK, the
// error, otherwise it is nil. // error is nil.
func TsigVerify(msg []byte, secret, requestMAC string, timersOnly bool) error { func TsigVerify(msg []byte, secret, requestMAC string, timersOnly bool) error {
return tsigVerify(msg, tsigHMACProvider(secret), requestMAC, timersOnly, uint64(time.Now().Unix())) return tsigVerify(msg, tsigHMACProvider(secret), requestMAC, timersOnly, uint64(time.Now().Unix()))
} }
func tsigVerifyProvider(msg []byte, provider TsigProvider, requestMAC string, timersOnly bool) error { // TsigVerifyWithProvider is similar to TsigVerify, but allows for a custom TsigProvider.
func TsigVerifyWithProvider(msg []byte, provider TsigProvider, requestMAC string, timersOnly bool) error {
return tsigVerify(msg, provider, requestMAC, timersOnly, uint64(time.Now().Unix())) return tsigVerify(msg, provider, requestMAC, timersOnly, uint64(time.Now().Unix()))
} }


@ -32,7 +32,9 @@ func (u *Msg) Used(rr []RR) {
u.Answer = make([]RR, 0, len(rr)) u.Answer = make([]RR, 0, len(rr))
} }
for _, r := range rr { for _, r := range rr {
r.Header().Class = u.Question[0].Qclass hdr := r.Header()
hdr.Class = u.Question[0].Qclass
hdr.Ttl = 0
u.Answer = append(u.Answer, r) u.Answer = append(u.Answer, r)
} }
} }


@ -3,7 +3,7 @@ package dns
import "fmt" import "fmt"
// Version is current version of this library. // Version is current version of this library.
var Version = v{1, 1, 43} var Version = v{1, 1, 50}
// v holds the version of this library. // v holds the version of this library.
type v struct { type v struct {

27
vendor/github.com/miekg/dns/xfr.go generated vendored

@ -17,11 +17,22 @@ type Transfer struct {
DialTimeout time.Duration // net.DialTimeout, defaults to 2 seconds DialTimeout time.Duration // net.DialTimeout, defaults to 2 seconds
ReadTimeout time.Duration // net.Conn.SetReadTimeout value for connections, defaults to 2 seconds ReadTimeout time.Duration // net.Conn.SetReadTimeout value for connections, defaults to 2 seconds
WriteTimeout time.Duration // net.Conn.SetWriteTimeout value for connections, defaults to 2 seconds WriteTimeout time.Duration // net.Conn.SetWriteTimeout value for connections, defaults to 2 seconds
TsigProvider TsigProvider // An implementation of the TsigProvider interface. If defined it replaces TsigSecret and is used for all TSIG operations.
TsigSecret map[string]string // Secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2) TsigSecret map[string]string // Secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2)
tsigTimersOnly bool tsigTimersOnly bool
} }
// Think we need to away to stop the transfer func (t *Transfer) tsigProvider() TsigProvider {
if t.TsigProvider != nil {
return t.TsigProvider
}
if t.TsigSecret != nil {
return tsigSecretProvider(t.TsigSecret)
}
return nil
}
// TODO: Think we need to away to stop the transfer
// In performs an incoming transfer with the server in a. // In performs an incoming transfer with the server in a.
// If you would like to set the source IP, or some other attribute // If you would like to set the source IP, or some other attribute
@ -224,12 +235,9 @@ func (t *Transfer) ReadMsg() (*Msg, error) {
if err := m.Unpack(p); err != nil { if err := m.Unpack(p); err != nil {
return nil, err return nil, err
} }
if ts := m.IsTsig(); ts != nil && t.TsigSecret != nil { if ts, tp := m.IsTsig(), t.tsigProvider(); ts != nil && tp != nil {
if _, ok := t.TsigSecret[ts.Hdr.Name]; !ok {
return m, ErrSecret
}
// Need to work on the original message p, as that was used to calculate the tsig. // Need to work on the original message p, as that was used to calculate the tsig.
err = TsigVerify(p, t.TsigSecret[ts.Hdr.Name], t.tsigRequestMAC, t.tsigTimersOnly) err = TsigVerifyWithProvider(p, tp, t.tsigRequestMAC, t.tsigTimersOnly)
t.tsigRequestMAC = ts.MAC t.tsigRequestMAC = ts.MAC
} }
return m, err return m, err
@ -238,11 +246,8 @@ func (t *Transfer) ReadMsg() (*Msg, error) {
// WriteMsg writes a message through the transfer connection t. // WriteMsg writes a message through the transfer connection t.
func (t *Transfer) WriteMsg(m *Msg) (err error) { func (t *Transfer) WriteMsg(m *Msg) (err error) {
var out []byte var out []byte
if ts := m.IsTsig(); ts != nil && t.TsigSecret != nil { if ts, tp := m.IsTsig(), t.tsigProvider(); ts != nil && tp != nil {
if _, ok := t.TsigSecret[ts.Hdr.Name]; !ok { out, t.tsigRequestMAC, err = TsigGenerateWithProvider(m, tp, t.tsigRequestMAC, t.tsigTimersOnly)
return ErrSecret
}
out, t.tsigRequestMAC, err = TsigGenerate(m, t.TsigSecret[ts.Hdr.Name], t.tsigRequestMAC, t.tsigTimersOnly)
} else { } else {
out, err = m.Pack() out, err = m.Pack()
} }

2
vendor/modules.txt vendored

@ -56,7 +56,7 @@ github.com/mattn/go-isatty
# github.com/matttproud/golang_protobuf_extensions v1.0.1 # github.com/matttproud/golang_protobuf_extensions v1.0.1
## explicit ## explicit
github.com/matttproud/golang_protobuf_extensions/pbutil github.com/matttproud/golang_protobuf_extensions/pbutil
# github.com/miekg/dns v1.1.43 # github.com/miekg/dns v1.1.50
## explicit; go 1.14 ## explicit; go 1.14
github.com/miekg/dns github.com/miekg/dns
# github.com/prometheus/client_golang v1.14.0 # github.com/prometheus/client_golang v1.14.0