Bump to Go 1.21 (#54)

Signed-off-by: Jordan Whited <jordan@jordanwhited.com>

.github/workflows/build.yml

@@ -0,0 +1,24 @@
+name: build
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+jobs:
+  build:
+    strategy:
+      matrix:
+        go-version: [1.21.x]
+        os: [ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build coredns
+        run: go build cmd/coredns/main.go
+      - name: Build wgsd-client
+        run: go build cmd/wgsd-client/main.go

.github/workflows/lint.yml

@@ -1,9 +1,9 @@
 name: golangci-lint
 on:
   push:
-    branches: [ master ]
+    branches: [ main ]
   pull_request:
-    branches: [ master ]
+    branches: [ main ]
 jobs:
   lint:
     name: lint
@@ -14,4 +14,4 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v2
         with:
-          version: v1.29
+          version: v1.55.2

.github/workflows/release.yml

@@ -18,7 +18,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.15
+          go-version: 1.21
       -
         name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2

.github/workflows/test.yml

@@ -1,14 +1,14 @@
 name: test
 on:
   push:
-    branches: [ master ]
+    branches: [ main ]
   pull_request:
-    branches: [ master ]
+    branches: [ main ]
 jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.14.x, 1.15.x]
+        go-version: [1.21.x]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:

.goreleaser.yml

@@ -22,8 +22,22 @@ builds:
       - CGO_ENABLED=0
     goos:
       - linux
+      - darwin
     goarch:
       - amd64
       - 386
       - arm
       - arm64
+
+archives:
+  - id: coredns
+    format: tar.gz
+    name_template: wgsd-coredns_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}
+    builds:
+      - coredns
+
+  - id: wgsd-client
+    format: tar.gz
+    name_template: wgsd-client_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}
+    builds:
+      - wgsd-client

LICENSE

@@ -1,201 +1,21 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+MIT License
 
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+Copyright (c) 2022 Jordan Whited
 
-   1. Definitions.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,13 +1,16 @@
 # wgsd
-`wgsd` is a [CoreDNS](https://github.com/coredns/coredns) plugin that serves WireGuard peer information via DNS-SD ([RFC6763](https://tools.ietf.org/html/rfc6763)) semantics. This enables dynamic discovery of WireGuard Endpoint addressing (both IP address and port number) with the added benefit of NAT-to-NAT WireGuard connectivity where [UDP hole punching](https://en.wikipedia.org/wiki/UDP_hole_punching) is supported.
+`wgsd` is a [CoreDNS](https://github.com/coredns/coredns) plugin that serves WireGuard® peer information via DNS-SD ([RFC6763](https://tools.ietf.org/html/rfc6763)) semantics. This enables use cases such as:
+* Building a mesh of WireGuard peers from a central registry
+* Dynamic discovery of WireGuard Endpoint addressing (both IP address and port number)
+* NAT-to-NAT WireGuard connectivity where [UDP hole punching](https://en.wikipedia.org/wiki/UDP_hole_punching) is supported.
 
 See [this blog post](https://www.jordanwhited.com/posts/wireguard-endpoint-discovery-nat-traversal/) for a deep dive on the underlying techniques and development thought.
 
 ## Installation
 Binary releases are available [here](https://github.com/jwhited/wgsd/releases).
 
-Each release contains 2 binaries:
-* `coredns` - CoreDNS server with all the "internal" plugins + `wgsd`
+There are two packages per GOOS/GOARCH for each release:
+* `wgsd-coredns` - CoreDNS server with all the "internal" plugins + `wgsd`
 * `wgsd-client` - A sample client
 
 ## Building from source
@@ -32,9 +35,20 @@ A basic client is available under [cmd/wgsd-client](cmd/wgsd-client).
 wgsd ZONE DEVICE
 ```
 
+* `ZONE` is the zone name wgsd should be authoritative for, e.g. example.com.
+* `DEVICE` is the name of the WireGuard interface, e.g. wg0
+
+```
+wgsd ZONE DEVICE {
+    self [ ENDPOINT ] [ ALLOWED-IPS ... ]
+}
+```
+
+* Supplying the `self` option enables serving data about the local WireGuard device in addition to its peers. The optional `ENDPOINT` argument enables setting a custom endpoint in ip:port form. If `ENDPOINT` is omitted wgsd will default to the local IP address for the DNS query and `ListenPort` of the WireGuard device. This can be useful if your host is behind NAT. The optional, variadic `ALLOWED-IPS` argument sets allowed-ips to be served for the local WireGuard device.
+
 ## Querying
 
-Following RFC6763 this plugin provides a listing of peers via PTR records at the namespace `_wireguard._udp.<zone>`. The target for the PTR records is `<base32PubKey>._wireguard._udp.<zone>` which corresponds to SRV records. SRV targets are of the format `<base32PubKey>.<zone>`. When querying the SRV record for a peer, the target A/AAAA records will be included in the "additional" section of the response. Public keys are represented in Base32 rather than Base64 to allow for their use in node names where they are treated as case-insensitive by the DNS.
+Following RFC6763 this plugin provides a listing of peers via PTR records at the namespace `_wireguard._udp.<zone>`. The target for the PTR records is of the format  `<base32PubKey>._wireguard._udp.<zone>`. This same format is used for the accompanying SRV, A/AAAA, and TXT records. When querying the SRV record for a peer, the target A/AAAA & TXT records will be included in the "additional" section of the response. TXT records include Base64 public key and allowed IPs. Public keys are represented in Base32 rather than Base64 in record names as they are treated as case-insensitive by the DNS.
 
 ## Example
 
@@ -42,7 +56,9 @@ This configuration:
 ```
 $ cat Corefile
 .:5353 {
-  wgsd example.com. wg0
+  wgsd example.com. wg0 {
+    self 192.0.2.1:51820 10.0.0.254/32
+  }
 }
 ```
 
@@ -72,14 +88,22 @@ Will respond with:
 $ dig @127.0.0.1 -p 5353 _wireguard._udp.example.com. PTR +noall +answer +additional
 _wireguard._udp.example.com. 0	IN	PTR	yutrled535igkl7bdlerl6m4vjxsxm3uqqpl4nmsn27mt56ad4ha====._wireguard._udp.example.com.
 _wireguard._udp.example.com. 0	IN	PTR	wmrid55v4enhxqx2jstyoyvkicj5pihkb2tr7r42smiu3t5l4i5q====._wireguard._udp.example.com.
+_wireguard._udp.example.com. 0	IN	PTR	extglt26a3znqnigvb5gvg26cqwblbgynf5re5pukdhx53cqwvda====._wireguard._udp.example.com.
 $
 $ dig @127.0.0.1 -p 5353 yutrled535igkl7bdlerl6m4vjxsxm3uqqpl4nmsn27mt56ad4ha====._wireguard._udp.example.com. SRV +noall +answer +additional
-yutrled535igkl7bdlerl6m4vjxsxm3uqqpl4nmsn27mt56ad4ha====._wireguard._udp.example.com. 0	IN SRV 0 0 7777 yutrled535igkl7bdlerl6m4vjxsxm3uqqpl4nmsn27mt56ad4ha====.example.com.
-yutrled535igkl7bdlerl6m4vjxsxm3uqqpl4nmsn27mt56ad4ha====.example.com. 0	IN A 203.0.113.1
+yutrled535igkl7bdlerl6m4vjxsxm3uqqpl4nmsn27mt56ad4ha====._wireguard._udp.example.com. 0	IN SRV 0 0 7777 yutrled535igkl7bdlerl6m4vjxsxm3uqqpl4nmsn27mt56ad4ha====._wireguard._udp.example.com.
+yutrled535igkl7bdlerl6m4vjxsxm3uqqpl4nmsn27mt56ad4ha====._wireguard._udp.example.com. 0	IN A 203.0.113.1
+yutrled535igkl7bdlerl6m4vjxsxm3uqqpl4nmsn27mt56ad4ha====._wireguard._udp.example.com. 0	IN TXT "txtvers=1" "pub=xScVkH3fUGUv4RrJFfmcqm8rs3SEHr41km6+yffAHw4=" "allowed=10.0.0.1/32"
 $
 $ dig @127.0.0.1 -p 5353 wmrid55v4enhxqx2jstyoyvkicj5pihkb2tr7r42smiu3t5l4i5q====._wireguard._udp.example.com. SRV +noall +answer +additional
-wmrid55v4enhxqx2jstyoyvkicj5pihkb2tr7r42smiu3t5l4i5q====._wireguard._udp.example.com. 0	IN SRV 0 0 8888 wmrid55v4enhxqx2jstyoyvkicj5pihkb2tr7r42smiu3t5l4i5q====.example.com.
-wmrid55v4enhxqx2jstyoyvkicj5pihkb2tr7r42smiu3t5l4i5q====.example.com. 0	IN A 198.51.100.1
+wmrid55v4enhxqx2jstyoyvkicj5pihkb2tr7r42smiu3t5l4i5q====._wireguard._udp.example.com. 0	IN SRV 0 0 8888 wmrid55v4enhxqx2jstyoyvkicj5pihkb2tr7r42smiu3t5l4i5q====._wireguard._udp.example.com.
+wmrid55v4enhxqx2jstyoyvkicj5pihkb2tr7r42smiu3t5l4i5q====._wireguard._udp.example.com. 0	IN A 198.51.100.1
+wmrid55v4enhxqx2jstyoyvkicj5pihkb2tr7r42smiu3t5l4i5q====._wireguard._udp.example.com. 0	IN TXT "txtvers=1" "pub=syKB97XhGnvC+kynh2KqQJPXoOoOpx/HmpMRTc+r4js=" "allowed=10.0.0.2/32"
+$
+$ dig @127.0.0.1 -p 5353 extglt26a3znqnigvb5gvg26cqwblbgynf5re5pukdhx53cqwvda====._wireguard._udp.example.com. SRV +noall +answer +additional
+extglt26a3znqnigvb5gvg26cqwblbgynf5re5pukdhx53cqwvda====._wireguard._udp.example.com. 0	IN SRV 0 0 51820 extglt26a3znqnigvb5gvg26cqwblbgynf5re5pukdhx53cqwvda====._wireguard._udp.example.com.
+extglt26a3znqnigvb5gvg26cqwblbgynf5re5pukdhx53cqwvda====._wireguard._udp.example.com. 0	IN A 192.0.2.1
+extglt26a3znqnigvb5gvg26cqwblbgynf5re5pukdhx53cqwvda====._wireguard._udp.example.com. 0	IN TXT "txtvers=1" "pub=JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY=" "allowed=10.0.0.254/32"
 ```
 
 Converting public keys to Base64 with coreutils:
@@ -88,9 +112,14 @@ $ echo yutrled535igkl7bdlerl6m4vjxsxm3uqqpl4nmsn27mt56ad4ha==== | tr '[:lower:]'
 xScVkH3fUGUv4RrJFfmcqm8rs3SEHr41km6+yffAHw4=
 $ echo wmrid55v4enhxqx2jstyoyvkicj5pihkb2tr7r42smiu3t5l4i5q==== | tr '[:lower:]' '[:upper:]' | base32 -d | base64
 syKB97XhGnvC+kynh2KqQJPXoOoOpx/HmpMRTc+r4js=
+$ echo extglt26a3znqnigvb5gvg26cqwblbgynf5re5pukdhx53cqwvda==== | tr '[:lower:]' '[:upper:]' | base32 -d | base64
+JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY=
 ```
 
 ## TODOs
 - [x] unit tests
 - [ ] SOA record support
-- [x] CI & release binaries
+- [x] CI & release binaries
+
+## Legal
+WireGuard is a registered trademark of Jason A. Donenfeld.

go.mod

@@ -1,10 +1,154 @@
 module github.com/jwhited/wgsd
 
-go 1.14
+go 1.21
 
 require (
-	github.com/coredns/caddy v1.1.0
-	github.com/coredns/coredns v1.8.0
-	github.com/miekg/dns v1.1.34
-	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20200511024508-91d9787b944f
+	github.com/coredns/caddy v1.1.1
+	github.com/coredns/coredns v1.11.1
+	github.com/miekg/dns v1.1.57
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20221104135756-97bc4ad4a1cb
+)
+
+require (
+	cloud.google.com/go/compute v1.23.3 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/DataDog/appsec-internal-go v1.4.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/obfuscate v0.50.1 // indirect
+	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.50.1 // indirect
+	github.com/DataDog/datadog-go/v5 v5.4.0 // indirect
+	github.com/DataDog/go-libddwaf/v2 v2.2.3 // indirect
+	github.com/DataDog/go-sqllexer v0.0.10 // indirect
+	github.com/DataDog/go-tuf v1.0.2-0.5.2 // indirect
+	github.com/DataDog/sketches-go v1.4.3 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/antonmedv/expr v1.15.5 // indirect
+	github.com/apparentlymart/go-cidr v1.1.0 // indirect
+	github.com/aws/aws-sdk-go v1.49.10 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/coreos/go-semver v0.3.1 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/dnstap/golang-dnstap v0.4.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/ebitengine/purego v0.5.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/farsightsec/golang-framestream v0.3.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/jsonpointer v0.20.2 // indirect
+	github.com/go-openapi/jsonreference v0.20.4 // indirect
+	github.com/go-openapi/swag v0.22.6 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/pprof v0.0.0-20231212022811-ec68065c825e // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/uuid v1.5.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
+	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/josharian/native v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
+	github.com/mdlayher/genetlink v1.2.0 // indirect
+	github.com/mdlayher/netlink v1.6.2 // indirect
+	github.com/mdlayher/socket v0.2.3 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/onsi/ginkgo/v2 v2.13.2 // indirect
+	github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/openzipkin-contrib/zipkin-go-opentracing v0.5.0 // indirect
+	github.com/openzipkin/zipkin-go v0.4.2 // indirect
+	github.com/oschwald/geoip2-golang v1.9.0 // indirect
+	github.com/oschwald/maxminddb-golang v1.12.0 // indirect
+	github.com/outcaste-io/ristretto v0.2.3 // indirect
+	github.com/philhofer/fwd v1.1.2 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/prometheus/client_golang v1.17.0 // indirect
+	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/common v0.45.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
+	github.com/quic-go/quic-go v0.40.1 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/tinylib/msgp v1.1.9 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.11 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.11 // indirect
+	go.etcd.io/etcd/client/v3 v3.5.11 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
+	go.opentelemetry.io/otel v1.21.0 // indirect
+	go.opentelemetry.io/otel/metric v1.21.0 // indirect
+	go.opentelemetry.io/otel/trace v1.21.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/mock v0.4.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.26.0 // indirect
+	go4.org/intern v0.0.0-20230525184215-6c62f75575cb // indirect
+	go4.org/unsafe/assume-no-moving-gc v0.0.0-20231121144256-b99613f794b6 // indirect
+	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/exp v0.0.0-20231226003508-02704c960a9b // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/oauth2 v0.15.0 // indirect
+	golang.org/x/sync v0.5.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.16.1 // indirect
+	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
+	golang.zx2c4.com/wireguard v0.0.0-20220920152132-bb719d3a6e2c // indirect
+	google.golang.org/api v0.154.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto v0.0.0-20231212172506-995d672761c0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20231212172506-995d672761c0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0 // indirect
+	google.golang.org/grpc v1.60.1 // indirect
+	google.golang.org/protobuf v1.32.0 // indirect
+	gopkg.in/DataDog/dd-trace-go.v1 v1.58.1 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	inet.af/netaddr v0.0.0-20230525184311-b8eac61e914a // indirect
+	k8s.io/api v0.29.0 // indirect
+	k8s.io/apimachinery v0.29.0 // indirect
+	k8s.io/client-go v0.29.0 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20231214164306-ab13479f8bf8 // indirect
+	k8s.io/utils v0.0.0-20231127182322-b307cd553661 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

setup.go

@@ -2,6 +2,8 @@ package wgsd
 
 import (
 	"fmt"
+	"net"
+	"strconv"
 
 	"github.com/coredns/caddy"
 	"github.com/coredns/coredns/core/dnsserver"
@@ -11,45 +13,98 @@ import (
 )
 
 func init() {
-	plugin.Register("wgsd", setup)
+	plugin.Register(pluginName, setup)
+}
+
+func parse(c *caddy.Controller) (Zones, error) {
+	z := make(map[string]*Zone)
+	names := []string{}
+
+	for c.Next() {
+		// wgsd zone device
+		args := c.RemainingArgs()
+		if len(args) != 2 {
+			return Zones{}, fmt.Errorf("expected 2 args, got %d", len(args))
+		}
+		zone := &Zone{
+			name:   dns.Fqdn(args[0]),
+			device: args[1],
+		}
+		names = append(names, zone.name)
+		_, ok := z[zone.name]
+		if ok {
+			return Zones{}, fmt.Errorf("duplicate zone name %s",
+				zone.name)
+		}
+		z[zone.name] = zone
+
+		for c.NextBlock() {
+			switch c.Val() {
+			case "self":
+				// self [endpoint] [allowed-ips ... ]
+				zone.serveSelf = true
+				args = c.RemainingArgs()
+				if len(args) < 1 {
+					break
+				}
+
+				// assume first arg is endpoint
+				host, portS, err := net.SplitHostPort(args[0])
+				if err == nil {
+					port, err := strconv.Atoi(portS)
+					if err != nil {
+						return Zones{}, fmt.Errorf("error converting self endpoint port: %v", err)
+					}
+					ip := net.ParseIP(host)
+					if ip == nil {
+						return Zones{}, fmt.Errorf("invalid self endpoint IP address: %s", host)
+					}
+					zone.selfEndpoint = &net.UDPAddr{
+						IP:   ip,
+						Port: port,
+					}
+					args = args[1:]
+				}
+
+				if len(args) > 0 {
+					zone.selfAllowedIPs = make([]net.IPNet, 0)
+				}
+				for _, allowedIPString := range args {
+					_, prefix, err := net.ParseCIDR(allowedIPString)
+					if err != nil {
+						return Zones{}, fmt.Errorf("invalid self allowed-ip '%s' err: %v", allowedIPString, err)
+					}
+					zone.selfAllowedIPs = append(zone.selfAllowedIPs, *prefix)
+				}
+			default:
+				return Zones{}, c.ArgErr()
+			}
+		}
+	}
+
+	return Zones{Z: z, Names: names}, nil
 }
 
 func setup(c *caddy.Controller) error {
-	c.Next() // Ignore "wgsd" and give us the next token.
-
-	// return an error if there is no zone specified
-	if !c.NextArg() {
-		return plugin.Error("wgsd", c.ArgErr())
+	zones, err := parse(c)
+	if err != nil {
+		return plugin.Error(pluginName, err)
 	}
-	zone := dns.Fqdn(c.Val())
-
-	// return an error if there is no device name specified
-	if !c.NextArg() {
-		return plugin.Error("wgsd", c.ArgErr())
-	}
-	device := c.Val()
-
-	// return an error if there are more tokens on this line
-	if c.NextArg() {
-		return plugin.Error("wgsd", c.ArgErr())
-	}
-
 	client, err := wgctrl.New()
 	if err != nil {
-		return plugin.Error("wgsd",
+		return plugin.Error(pluginName,
 			fmt.Errorf("error constructing wgctrl client: %v",
 				err))
 	}
+	c.OnFinalShutdown(client.Close)
 
 	// Add the Plugin to CoreDNS, so Servers can use it in their plugin chain.
 	dnsserver.GetConfig(c).AddPlugin(func(next plugin.Handler) plugin.Handler {
 		return &WGSD{
 			Next:   next,
+			Zones:  zones,
 			client: client,
-			zone:   zone,
-			device: device,
 		}
 	})
-
 	return nil
 }

setup_test.go

@@ -1,40 +1,167 @@
 package wgsd
 
 import (
+	"net"
+	"reflect"
 	"testing"
 
 	"github.com/coredns/caddy"
 )
 
 func TestSetup(t *testing.T) {
+	_, prefix1, _ := net.ParseCIDR("1.1.1.1/32")
+	_, prefix2, _ := net.ParseCIDR("2.2.2.2/32")
+	_, prefix3, _ := net.ParseCIDR("3.3.3.3/32")
+	_, prefix4, _ := net.ParseCIDR("4.4.4.4/32")
+	endpoint1 := &net.UDPAddr{IP: net.ParseIP("127.0.0.1"), Port: 51820}
+
 	testCases := []struct {
-		name      string
-		input     string
-		expectErr bool
+		name          string
+		input         string
+		shouldErr     bool
+		expectedZones Zones
 	}{
 		{
 			"valid input",
 			"wgsd example.com. wg0",
 			false,
+			Zones{
+				Z: map[string]*Zone{
+					"example.com.": {
+						name:   "example.com.",
+						device: "wg0",
+					},
+				},
+				Names: []string{"example.com."},
+			},
 		},
 		{
 			"missing token",
 			"wgsd example.com.",
 			true,
+			Zones{},
 		},
 		{
 			"too many tokens",
 			"wgsd example.com. wg0 extra",
 			true,
+			Zones{},
+		},
+		{
+			"valid self allowed-ips",
+			`wgsd example.com. wg0 {
+						self 1.1.1.1/32 2.2.2.2/32
+					}`,
+			false,
+			Zones{
+				Z: map[string]*Zone{
+					"example.com.": {
+						name:           "example.com.",
+						device:         "wg0",
+						serveSelf:      true,
+						selfAllowedIPs: []net.IPNet{*prefix1, *prefix2},
+					},
+				},
+				Names: []string{"example.com."},
+			},
+		},
+		{
+			"invalid self-allowed-ips",
+			`wgsd example.com. wg0 {
+						self 1.1.11/32 2.2.2.2/32
+					}`,
+			true,
+			Zones{},
+		},
+		{
+			"valid self-endpoint",
+			`wgsd example.com. wg0 {
+						self 127.0.0.1:51820
+					}`,
+			false,
+			Zones{
+				Z: map[string]*Zone{
+					"example.com.": {
+						name:         "example.com.",
+						device:       "wg0",
+						serveSelf:    true,
+						selfEndpoint: endpoint1,
+					},
+				},
+				Names: []string{"example.com."},
+			},
+		},
+		{
+			"invalid self-endpoint",
+			`wgsd example.com. wg0 {
+						self hostname:51820
+					}`,
+			true,
+			Zones{},
+		},
+		{
+			"multiple blocks",
+			`wgsd example.com. wg0 {
+						self 127.0.0.1:51820 1.1.1.1/32 2.2.2.2/32
+					}
+					wgsd example2.com. wg1 {
+						self 127.0.0.1:51820 3.3.3.3/32 4.4.4.4/32
+					}`,
+			false,
+			Zones{
+				Z: map[string]*Zone{
+					"example.com.": {
+						name:           "example.com.",
+						device:         "wg0",
+						serveSelf:      true,
+						selfEndpoint:   endpoint1,
+						selfAllowedIPs: []net.IPNet{*prefix1, *prefix2},
+					},
+					"example2.com.": {
+						name:           "example2.com.",
+						device:         "wg1",
+						serveSelf:      true,
+						selfEndpoint:   endpoint1,
+						selfAllowedIPs: []net.IPNet{*prefix3, *prefix4},
+					},
+				},
+				Names: []string{"example.com.", "example2.com."},
+			},
+		},
+		{
+			"all options",
+			`wgsd example.com. wg0 {
+						self 127.0.0.1:51820 1.1.1.1/32 2.2.2.2/32
+					}`,
+			false,
+			Zones{
+				Z: map[string]*Zone{
+					"example.com.": {
+						name:           "example.com.",
+						device:         "wg0",
+						serveSelf:      true,
+						selfEndpoint:   endpoint1,
+						selfAllowedIPs: []net.IPNet{*prefix1, *prefix2},
+					},
+				},
+				Names: []string{"example.com."},
+			},
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			c := caddy.NewTestController("dns", tc.input)
-			err := setup(c)
-			if (err != nil) != tc.expectErr {
-				t.Fatalf("expectErr: %v, got err=%v", tc.expectErr, err)
+			zones, err := parse(c)
+
+			if err == nil && tc.shouldErr {
+				t.Fatal("expected errors, but got no error")
+			} else if err != nil && !tc.shouldErr {
+				t.Fatalf("expected no errors, but got '%v'", err)
+			} else {
+				if !reflect.DeepEqual(tc.expectedZones, zones) {
+					t.Fatalf("expected %v, got %v", tc.expectedZones, zones)
+				}
 			}
 		})
 	}

wgsd.go

@@ -3,6 +3,7 @@ package wgsd
 import (
 	"context"
 	"encoding/base32"
+	"encoding/base64"
 	"fmt"
 	"net"
 	"strings"
@@ -15,19 +16,31 @@ import (
 )
 
 // coredns plugin-specific logger
-var logger = clog.NewWithPlugin("wgsd")
+var logger = clog.NewWithPlugin(pluginName)
 
-// WGSD is a CoreDNS plugin that provides Wireguard peer information via DNS-SD
+const (
+	pluginName = "wgsd"
+)
+
+// WGSD is a CoreDNS plugin that provides WireGuard peer information via DNS-SD
 // semantics. WGSD implements the plugin.Handler interface.
 type WGSD struct {
 	Next plugin.Handler
+	Zones
+	client wgctrlClient // the client for retrieving WireGuard peer information
+}
 
-	// the client for retrieving Wireguard peer information
-	client wgctrlClient
-	// the DNS zone we are serving records for
-	zone string
-	// the Wireguard device name, e.g. wg0
-	device string
+type Zones struct {
+	Z     map[string]*Zone // a mapping from zone name to zone data
+	Names []string         // all keys from the map z as a string slice
+}
+
+type Zone struct {
+	name           string       // the name of the zone we are authoritative for
+	device         string       // the WireGuard device name, e.g. wg0
+	serveSelf      bool         // flag to enable serving data about self
+	selfEndpoint   *net.UDPAddr // overrides the self endpoint value
+	selfAllowedIPs []net.IPNet  // self allowed IPs
 }
 
 type wgctrlClient interface {
@@ -35,120 +48,192 @@ type wgctrlClient interface {
 }
 
 const (
-	keyLen             = 56 // the number of characters in a base32-encoded Wireguard public key
+	keyLen             = 56 // the number of characters in a base32-encoded WireGuard public key
 	spPrefix           = "_wireguard._udp."
-	serviceInstanceLen = keyLen + len(".") + len(spPrefix)
+	spSubPrefix        = "." + spPrefix
+	serviceInstanceLen = keyLen + len(spSubPrefix)
 )
 
+type handlerFn func(state request.Request, peers []wgtypes.Peer) (int, error)
+
+func getHandlerFn(queryType uint16, name string) handlerFn {
+	switch {
+	case name == spPrefix && queryType == dns.TypePTR:
+		return handlePTR
+	case len(name) == serviceInstanceLen && queryType == dns.TypeSRV:
+		return handleSRV
+	case len(name) == len(spSubPrefix)+keyLen && (queryType == dns.TypeA ||
+		queryType == dns.TypeAAAA || queryType == dns.TypeTXT):
+		return handleHostOrTXT
+	default:
+		return nil
+	}
+}
+
+func handlePTR(state request.Request, peers []wgtypes.Peer) (int, error) {
+	m := new(dns.Msg)
+	m.SetReply(state.Req)
+	m.Authoritative = true
+	for _, peer := range peers {
+		if peer.Endpoint == nil {
+			continue
+		}
+		m.Answer = append(m.Answer, &dns.PTR{
+			Hdr: dns.RR_Header{
+				Name:   state.Name(),
+				Rrtype: dns.TypePTR,
+				Class:  dns.ClassINET,
+				Ttl:    0,
+			},
+			Ptr: fmt.Sprintf("%s.%s%s",
+				strings.ToLower(base32.StdEncoding.EncodeToString(peer.PublicKey[:])),
+				spPrefix, state.Zone),
+		})
+	}
+	state.W.WriteMsg(m) // nolint: errcheck
+	return dns.RcodeSuccess, nil
+}
+
+func handleSRV(state request.Request, peers []wgtypes.Peer) (int, error) {
+	m := new(dns.Msg)
+	m.SetReply(state.Req)
+	m.Authoritative = true
+	pubKey := state.Name()[:keyLen]
+	for _, peer := range peers {
+		if strings.EqualFold(
+			base32.StdEncoding.EncodeToString(peer.PublicKey[:]), pubKey) {
+			endpoint := peer.Endpoint
+			if endpoint == nil {
+				return nxDomain(state)
+			}
+			hostRR := getHostRR(state.Name(), endpoint)
+			if hostRR == nil {
+				return nxDomain(state)
+			}
+			txtRR := getTXTRR(state.Name(), peer)
+			m.Extra = append(m.Extra, hostRR, txtRR)
+			m.Answer = append(m.Answer, &dns.SRV{
+				Hdr: dns.RR_Header{
+					Name:   state.Name(),
+					Rrtype: dns.TypeSRV,
+					Class:  dns.ClassINET,
+					Ttl:    0,
+				},
+				Priority: 0,
+				Weight:   0,
+				Port:     uint16(endpoint.Port),
+				Target:   state.Name(),
+			})
+			state.W.WriteMsg(m) // nolint: errcheck
+			return dns.RcodeSuccess, nil
+		}
+	}
+	return nxDomain(state)
+}
+
+func handleHostOrTXT(state request.Request, peers []wgtypes.Peer) (int, error) {
+	m := new(dns.Msg)
+	m.SetReply(state.Req)
+	m.Authoritative = true
+	pubKey := state.Name()[:keyLen]
+	for _, peer := range peers {
+		if strings.EqualFold(
+			base32.StdEncoding.EncodeToString(peer.PublicKey[:]), pubKey) {
+			endpoint := peer.Endpoint
+			if endpoint == nil {
+				return nxDomain(state)
+			}
+			if state.QType() == dns.TypeA || state.QType() == dns.TypeAAAA {
+				hostRR := getHostRR(state.Name(), endpoint)
+				if hostRR == nil {
+					return nxDomain(state)
+				}
+				m.Answer = append(m.Answer, hostRR)
+			} else {
+				txtRR := getTXTRR(state.Name(), peer)
+				m.Answer = append(m.Answer, txtRR)
+			}
+			state.W.WriteMsg(m) // nolint: errcheck
+			return dns.RcodeSuccess, nil
+		}
+	}
+	return nxDomain(state)
+}
+
+func getSelfPeer(zone *Zone, device *wgtypes.Device, state request.Request) (wgtypes.Peer, error) {
+	self := wgtypes.Peer{
+		PublicKey: device.PublicKey,
+	}
+	if zone.selfEndpoint != nil {
+		self.Endpoint = zone.selfEndpoint
+	} else {
+		self.Endpoint = &net.UDPAddr{
+			IP:   net.ParseIP(state.LocalIP()),
+			Port: device.ListenPort,
+		}
+	}
+	self.AllowedIPs = zone.selfAllowedIPs
+	return self, nil
+}
+
+func getPeers(client wgctrlClient, zone *Zone, state request.Request) (
+	[]wgtypes.Peer, error) {
+	peers := make([]wgtypes.Peer, 0)
+	device, err := client.Device(zone.device)
+	if err != nil {
+		return nil, err
+	}
+	peers = append(peers, device.Peers...)
+	if zone.serveSelf {
+		self, err := getSelfPeer(zone, device, state)
+		if err != nil {
+			return nil, err
+		}
+		peers = append(peers, self)
+	}
+	return peers, nil
+}
+
 func (p *WGSD) ServeDNS(ctx context.Context, w dns.ResponseWriter,
 	r *dns.Msg) (int, error) {
 	// request.Request is a convenience struct we wrap around the msg and
 	// ResponseWriter.
 	state := request.Request{W: w, Req: r}
 
-	// Check if the request is for the zone we are serving. If it doesn't match
-	// we pass the request on to the next plugin.
-	if plugin.Zones([]string{p.zone}).Matches(state.Name()) == "" {
+	// Check if the request is for a zone we are serving. If it doesn't match we
+	// pass the request on to the next plugin.
+	zoneName := plugin.Zones(p.Names).Matches(state.Name())
+	if zoneName == "" {
 		return plugin.NextOrFailure(p.Name(), p.Next, ctx, w, r)
 	}
+	state.Zone = zoneName
+
+	zone, ok := p.Z[zoneName]
+	if !ok {
+		return dns.RcodeServerFailure, nil
+	}
 
 	// strip zone from name
-	name := strings.TrimSuffix(state.Name(), p.zone)
-	qtype := state.QType()
+	name := strings.TrimSuffix(state.Name(), zoneName)
+	queryType := state.QType()
 
 	logger.Debugf("received query for: %s type: %s", name,
-		dns.TypeToString[qtype])
+		dns.TypeToString[queryType])
 
-	device, err := p.client.Device(p.device)
+	handler := getHandlerFn(queryType, name)
+	if handler == nil {
+		return nxDomain(state)
+	}
+
+	peers, err := getPeers(p.client, zone, state)
 	if err != nil {
 		return dns.RcodeServerFailure, err
 	}
-	if len(device.Peers) == 0 {
-		return nxDomain(p.zone, w, r)
-	}
 
-	// setup our reply message
-	m := new(dns.Msg)
-	m.SetReply(r)
-	m.Authoritative = true
-
-	switch {
-	// TODO: handle SOA
-	case name == spPrefix && qtype == dns.TypePTR:
-		for _, peer := range device.Peers {
-			if peer.Endpoint == nil {
-				continue
-			}
-			m.Answer = append(m.Answer, &dns.PTR{
-				Hdr: dns.RR_Header{
-					Name:   state.Name(),
-					Rrtype: dns.TypePTR,
-					Class:  dns.ClassINET,
-					Ttl:    0,
-				},
-				Ptr: fmt.Sprintf("%s.%s%s",
-					strings.ToLower(base32.StdEncoding.EncodeToString(peer.PublicKey[:])),
-					spPrefix, p.zone),
-			})
-		}
-		w.WriteMsg(m) // nolint: errcheck
-		return dns.RcodeSuccess, nil
-	case len(name) == serviceInstanceLen && qtype == dns.TypeSRV:
-		pubKey := name[:keyLen]
-		for _, peer := range device.Peers {
-			if strings.EqualFold(
-				base32.StdEncoding.EncodeToString(peer.PublicKey[:]), pubKey) {
-				endpoint := peer.Endpoint
-				hostRR := getHostRR(pubKey, p.zone, endpoint)
-				if hostRR == nil {
-					return nxDomain(p.zone, w, r)
-				}
-				m.Extra = append(m.Extra, hostRR)
-				m.Answer = append(m.Answer, &dns.SRV{
-					Hdr: dns.RR_Header{
-						Name:   state.Name(),
-						Rrtype: dns.TypeSRV,
-						Class:  dns.ClassINET,
-						Ttl:    0,
-					},
-					Priority: 0,
-					Weight:   0,
-					Port:     uint16(endpoint.Port),
-					Target: fmt.Sprintf("%s.%s",
-						strings.ToLower(pubKey), p.zone),
-				})
-				w.WriteMsg(m) // nolint: errcheck
-				return dns.RcodeSuccess, nil
-			}
-		}
-		return nxDomain(p.zone, w, r)
-	case len(name) == keyLen+1 && (qtype == dns.TypeA ||
-		qtype == dns.TypeAAAA):
-		pubKey := name[:keyLen]
-		for _, peer := range device.Peers {
-			if strings.EqualFold(
-				base32.StdEncoding.EncodeToString(peer.PublicKey[:]), pubKey) {
-				endpoint := peer.Endpoint
-				hostRR := getHostRR(pubKey, p.zone, endpoint)
-				if hostRR == nil {
-					return nxDomain(p.zone, w, r)
-				}
-				m.Answer = append(m.Answer, hostRR)
-				w.WriteMsg(m) // nolint: errcheck
-				return dns.RcodeSuccess, nil
-			}
-		}
-		return nxDomain(p.zone, w, r)
-	default:
-		return nxDomain(p.zone, w, r)
-	}
+	return handler(state, peers)
 }
 
-func getHostRR(pubKey, zone string, endpoint *net.UDPAddr) dns.RR {
-	if endpoint == nil || endpoint.IP == nil {
-		return nil
-	}
-	name := fmt.Sprintf("%s.%s", strings.ToLower(pubKey), zone)
+func getHostRR(name string, endpoint *net.UDPAddr) dns.RR {
 	switch {
 	case endpoint.IP.To4() != nil:
 		return &dns.A{
@@ -176,13 +261,45 @@ func getHostRR(pubKey, zone string, endpoint *net.UDPAddr) dns.RR {
 	}
 }
 
-func nxDomain(zone string, w dns.ResponseWriter, r *dns.Msg) (int, error) {
+const (
+	// txtVersion is the first key/value pair in the TXT RR. Its serves to aid
+	// clients with maintaining backwards compatibility.
+	//
+	// https://tools.ietf.org/html/rfc6763#section-6.7
+	txtVersion = 1
+)
+
+func getTXTRR(name string, peer wgtypes.Peer) *dns.TXT {
+	var allowedIPs string
+	for i, prefix := range peer.AllowedIPs {
+		if i != 0 {
+			allowedIPs += ","
+		}
+		allowedIPs += prefix.String()
+	}
+	return &dns.TXT{
+		Hdr: dns.RR_Header{
+			Name:   name,
+			Rrtype: dns.TypeTXT,
+			Class:  dns.ClassINET,
+			Ttl:    0,
+		},
+		Txt: []string{
+			fmt.Sprintf("txtvers=%d", txtVersion),
+			fmt.Sprintf("pub=%s",
+				base64.StdEncoding.EncodeToString(peer.PublicKey[:])),
+			fmt.Sprintf("allowed=%s", allowedIPs),
+		},
+	}
+}
+
+func nxDomain(state request.Request) (int, error) {
 	m := new(dns.Msg)
-	m.SetReply(r)
+	m.SetReply(state.Req)
 	m.Authoritative = true
 	m.Rcode = dns.RcodeNameError
-	m.Ns = []dns.RR{soa(zone)}
-	w.WriteMsg(m) // nolint: errcheck
+	m.Ns = []dns.RR{soa(state.Zone)}
+	state.W.WriteMsg(m) // nolint: errcheck
 	return dns.RcodeSuccess, nil
 }
 
@@ -205,5 +322,5 @@ func soa(zone string) dns.RR {
 }
 
 func (p *WGSD) Name() string {
-	return "wgsd"
+	return pluginName
 }

wgsd_test.go

@@ -3,6 +3,7 @@ package wgsd
 import (
 	"context"
 	"encoding/base32"
+	"encoding/base64"
 	"fmt"
 	"net"
 	"strings"
@@ -15,44 +16,94 @@ import (
 )
 
 type mockClient struct {
-	peers []wgtypes.Peer
+	devices map[string]*wgtypes.Device
 }
 
 func (m *mockClient) Device(d string) (*wgtypes.Device, error) {
-	return &wgtypes.Device{
-		Name:  d,
-		Peers: m.peers,
-	}, nil
+	return m.devices[d], nil
+}
+
+func constructAllowedIPs(t *testing.T, prefixes []string) ([]net.IPNet, string) {
+	var allowed []net.IPNet
+	var allowedString string
+	for i, s := range prefixes {
+		_, prefix, err := net.ParseCIDR(s)
+		if err != nil {
+			t.Fatalf("error parsing cidr: %v", err)
+		}
+		allowed = append(allowed, *prefix)
+		if i != 0 {
+			allowedString += ","
+		}
+		allowedString += prefix.String()
+	}
+	return allowed, allowedString
 }
 
 func TestWGSD(t *testing.T) {
+	selfKey := [32]byte{}
+	selfKey[0] = 99
+	selfb32 := strings.ToLower(base32.StdEncoding.EncodeToString(selfKey[:]))
+	selfb64 := base64.StdEncoding.EncodeToString(selfKey[:])
+	selfAllowed, selfAllowedString := constructAllowedIPs(t, []string{"10.0.0.99/32", "10.0.0.100/32"})
 	key1 := [32]byte{}
 	key1[0] = 1
+	peer1Allowed, peer1AllowedString := constructAllowedIPs(t, []string{"10.0.0.1/32", "10.0.0.2/32"})
 	peer1 := wgtypes.Peer{
 		Endpoint: &net.UDPAddr{
 			IP:   net.ParseIP("1.1.1.1"),
 			Port: 1,
 		},
-		PublicKey: key1,
+		PublicKey:  key1,
+		AllowedIPs: peer1Allowed,
 	}
 	peer1b32 := strings.ToLower(base32.StdEncoding.EncodeToString(peer1.PublicKey[:]))
+	peer1b64 := base64.StdEncoding.EncodeToString(peer1.PublicKey[:])
 	key2 := [32]byte{}
 	key2[0] = 2
+	peer2Allowed, peer2AllowedString := constructAllowedIPs(t, []string{"10.0.0.3/32", "10.0.0.4/32"})
 	peer2 := wgtypes.Peer{
 		Endpoint: &net.UDPAddr{
 			IP:   net.ParseIP("::2"),
 			Port: 2,
 		},
-		PublicKey: key2,
+		PublicKey:  key2,
+		AllowedIPs: peer2Allowed,
 	}
 	peer2b32 := strings.ToLower(base32.StdEncoding.EncodeToString(peer2.PublicKey[:]))
+	peer2b64 := base64.StdEncoding.EncodeToString(peer2.PublicKey[:])
+	key3 := [32]byte{}
+	key3[0] = 3
+	peer3Allowed, _ := constructAllowedIPs(t, []string{"10.0.0.5/32", "10.0.0.6/32"})
+	peer3 := wgtypes.Peer{
+		Endpoint:   nil,
+		PublicKey:  key3,
+		AllowedIPs: peer3Allowed,
+	}
+	peer3b32 := strings.ToLower(base32.StdEncoding.EncodeToString(peer3.PublicKey[:]))
 	p := &WGSD{
 		Next: test.ErrorHandler(),
-		client: &mockClient{
-			peers: []wgtypes.Peer{peer1, peer2},
+		Zones: Zones{
+			Names: []string{"example.com."},
+			Z: map[string]*Zone{
+				"example.com.": {
+					name:           "example.com.",
+					device:         "wg0",
+					serveSelf:      true,
+					selfAllowedIPs: selfAllowed,
+				},
+			},
+		},
+		client: &mockClient{
+			devices: map[string]*wgtypes.Device{
+				"wg0": {
+					Name:       "wg0",
+					PublicKey:  selfKey,
+					ListenPort: 51820,
+					Peers:      []wgtypes.Peer{peer1, peer2, peer3},
+				},
+			},
 		},
-		zone:   "example.com.",
-		device: "wg0",
 	}
 
 	testCases := []test.Case{
@@ -63,6 +114,19 @@ func TestWGSD(t *testing.T) {
 			Answer: []dns.RR{
 				test.PTR(fmt.Sprintf("_wireguard._udp.example.com. 0 IN PTR %s._wireguard._udp.example.com.", peer1b32)),
 				test.PTR(fmt.Sprintf("_wireguard._udp.example.com. 0 IN PTR %s._wireguard._udp.example.com.", peer2b32)),
+				test.PTR(fmt.Sprintf("_wireguard._udp.example.com. 0 IN PTR %s._wireguard._udp.example.com.", selfb32)),
+			},
+		},
+		{
+			Qname: fmt.Sprintf("%s._wireguard._udp.example.com.", selfb32),
+			Qtype: dns.TypeSRV,
+			Rcode: dns.RcodeSuccess,
+			Answer: []dns.RR{
+				test.SRV(fmt.Sprintf("%s._wireguard._udp.example.com. 0 IN SRV 0 0 51820 %s._wireguard._udp.example.com.", selfb32, selfb32)),
+			},
+			Extra: []dns.RR{
+				test.A(fmt.Sprintf("%s._wireguard._udp.example.com. 0 IN A %s", selfb32, "127.0.0.1")),
+				test.TXT(fmt.Sprintf(`%s._wireguard._udp.example.com. 0 IN TXT "txtvers=%d" "pub=%s" "allowed=%s"`, selfb32, txtVersion, selfb64, selfAllowedString)),
 			},
 		},
 		{
@@ -70,10 +134,11 @@ func TestWGSD(t *testing.T) {
 			Qtype: dns.TypeSRV,
 			Rcode: dns.RcodeSuccess,
 			Answer: []dns.RR{
-				test.SRV(fmt.Sprintf("%s._wireguard._udp.example.com. 0 IN SRV 0 0 1 %s.example.com.", peer1b32, peer1b32)),
+				test.SRV(fmt.Sprintf("%s._wireguard._udp.example.com. 0 IN SRV 0 0 1 %s._wireguard._udp.example.com.", peer1b32, peer1b32)),
 			},
 			Extra: []dns.RR{
-				test.A(fmt.Sprintf("%s.example.com. 0 IN A %s", peer1b32, peer1.Endpoint.IP.String())),
+				test.A(fmt.Sprintf("%s._wireguard._udp.example.com. 0 IN A %s", peer1b32, peer1.Endpoint.IP.String())),
+				test.TXT(fmt.Sprintf(`%s._wireguard._udp.example.com. 0 IN TXT "txtvers=%d" "pub=%s" "allowed=%s"`, peer1b32, txtVersion, peer1b64, peer1AllowedString)),
 			},
 		},
 		{
@@ -81,26 +146,59 @@ func TestWGSD(t *testing.T) {
 			Qtype: dns.TypeSRV,
 			Rcode: dns.RcodeSuccess,
 			Answer: []dns.RR{
-				test.SRV(fmt.Sprintf("%s._wireguard._udp.example.com. 0 IN SRV 0 0 2 %s.example.com.", peer2b32, peer2b32)),
+				test.SRV(fmt.Sprintf("%s._wireguard._udp.example.com. 0 IN SRV 0 0 2 %s._wireguard._udp.example.com.", peer2b32, peer2b32)),
 			},
 			Extra: []dns.RR{
-				test.AAAA(fmt.Sprintf("%s.example.com. 0 IN AAAA %s", peer2b32, peer2.Endpoint.IP.String())),
+				test.AAAA(fmt.Sprintf("%s._wireguard._udp.example.com. 0 IN AAAA %s", peer2b32, peer2.Endpoint.IP.String())),
+				test.TXT(fmt.Sprintf(`%s._wireguard._udp.example.com. 0 IN TXT "txtvers=%d" "pub=%s" "allowed=%s"`, peer2b32, txtVersion, peer2b64, peer2AllowedString)),
 			},
 		},
 		{
-			Qname: fmt.Sprintf("%s.example.com.", peer1b32),
+			Qname: fmt.Sprintf("%s._wireguard._udp.example.com.", selfb32),
 			Qtype: dns.TypeA,
 			Rcode: dns.RcodeSuccess,
 			Answer: []dns.RR{
-				test.A(fmt.Sprintf("%s.example.com. 0 IN A %s", peer1b32, peer1.Endpoint.IP.String())),
+				test.A(fmt.Sprintf("%s._wireguard._udp.example.com. 0 IN A %s", selfb32, "127.0.0.1")),
 			},
 		},
 		{
-			Qname: fmt.Sprintf("%s.example.com.", peer2b32),
+			Qname: fmt.Sprintf("%s._wireguard._udp.example.com.", peer1b32),
+			Qtype: dns.TypeA,
+			Rcode: dns.RcodeSuccess,
+			Answer: []dns.RR{
+				test.A(fmt.Sprintf("%s._wireguard._udp.example.com. 0 IN A %s", peer1b32, peer1.Endpoint.IP.String())),
+			},
+		},
+		{
+			Qname: fmt.Sprintf("%s._wireguard._udp.example.com.", peer2b32),
 			Qtype: dns.TypeAAAA,
 			Rcode: dns.RcodeSuccess,
 			Answer: []dns.RR{
-				test.AAAA(fmt.Sprintf("%s.example.com. 0 IN AAAA %s", peer2b32, peer2.Endpoint.IP.String())),
+				test.AAAA(fmt.Sprintf("%s._wireguard._udp.example.com. 0 IN AAAA %s", peer2b32, peer2.Endpoint.IP.String())),
+			},
+		},
+		{
+			Qname: fmt.Sprintf("%s._wireguard._udp.example.com.", selfb32),
+			Qtype: dns.TypeTXT,
+			Rcode: dns.RcodeSuccess,
+			Answer: []dns.RR{
+				test.TXT(fmt.Sprintf(`%s._wireguard._udp.example.com. 0 IN TXT "txtvers=%d" "pub=%s" "allowed=%s"`, selfb32, txtVersion, selfb64, selfAllowedString)),
+			},
+		},
+		{
+			Qname: fmt.Sprintf("%s._wireguard._udp.example.com.", peer1b32),
+			Qtype: dns.TypeTXT,
+			Rcode: dns.RcodeSuccess,
+			Answer: []dns.RR{
+				test.TXT(fmt.Sprintf(`%s._wireguard._udp.example.com. 0 IN TXT "txtvers=%d" "pub=%s" "allowed=%s"`, peer1b32, txtVersion, peer1b64, peer1AllowedString)),
+			},
+		},
+		{
+			Qname: fmt.Sprintf("%s._wireguard._udp.example.com.", peer2b32),
+			Qtype: dns.TypeTXT,
+			Rcode: dns.RcodeSuccess,
+			Answer: []dns.RR{
+				test.TXT(fmt.Sprintf(`%s._wireguard._udp.example.com. 0 IN TXT "txtvers=%d" "pub=%s" "allowed=%s"`, peer2b32, txtVersion, peer2b64, peer2AllowedString)),
 			},
 		},
 		{
@@ -116,6 +214,46 @@ func TestWGSD(t *testing.T) {
 			Qtype: dns.TypeAAAA,
 			Rcode: dns.RcodeServerFailure,
 		},
+		{
+			Qname: fmt.Sprintf("%s._wireguard._udp.example.com.", peer3b32),
+			Qtype: dns.TypeSRV,
+			Rcode: dns.RcodeNameError,
+			Ns: []dns.RR{
+				test.SOA(soa("example.com.").String()),
+			},
+			Answer: []dns.RR{},
+			Extra:  []dns.RR{},
+		},
+		{
+			Qname: fmt.Sprintf("%s._wireguard._udp.example.com.", peer3b32),
+			Qtype: dns.TypeA,
+			Rcode: dns.RcodeNameError,
+			Ns: []dns.RR{
+				test.SOA(soa("example.com.").String()),
+			},
+			Answer: []dns.RR{},
+			Extra:  []dns.RR{},
+		},
+		{
+			Qname: fmt.Sprintf("%s._wireguard._udp.example.com.", peer3b32),
+			Qtype: dns.TypeAAAA,
+			Rcode: dns.RcodeNameError,
+			Ns: []dns.RR{
+				test.SOA(soa("example.com.").String()),
+			},
+			Answer: []dns.RR{},
+			Extra:  []dns.RR{},
+		},
+		{
+			Qname: fmt.Sprintf("%s._wireguard._udp.example.com.", peer3b32),
+			Qtype: dns.TypeTXT,
+			Rcode: dns.RcodeNameError,
+			Ns: []dns.RR{
+				test.SOA(soa("example.com.").String()),
+			},
+			Answer: []dns.RR{},
+			Extra:  []dns.RR{},
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(fmt.Sprintf("%s %s", tc.Qname, dns.TypeToString[tc.Qtype]), func(t *testing.T) {