TSIG support?

[PenelopeFudd]

Describe the feature
We'd like to benchmark using TSIG on requests to see if it's faster that DoH or any of the other encrypted protocols.

Why do you need this feature
We've got a client who's worried about replay attacks, and requests that we support 200,000 requests per second with 100ms latency. We've achieved that with plain UDP, now we just have to get some sort of replay protection set up. DoH, DoT, DoQ and DNSSEC all provide that, but we're having problems reaching the necessary speed, and are hoping that TSIG will do the trick.

Since "Hope is Not a Plan", we're going to have to benchmark it.

The equivalent dig command is:

$ pdnsutil generate-tsig-key foobar hmac-sha512
Create new TSIG key foobar hmac-sha512 asdfasdfYpM2nUHdJtC3mDJnbBIXzUGgDU2/dwz8cDAfEQQ1O9OEON3+5aqTjQlHzXTyZwU

$ pdnsutil activate-tsig-key example.com foobar primary

$ cat > /tmp/foobar.tsig <<< 'EOF'
key "foobar" {
	algorithm hmac-sha512;
	secret "asdfasdfYpM2nUHdJtC3mDJnbBIXzUGgDU2/dwz8cDAfEQQ1O9OEON3+5aqTjQlHzXTyZwU";
};
EOF

$ dig +short -k /tmp/foobar.tsig txt testing.example.com @127.0.0.4
"this is a test"
"this is another test"

$ dig +short -k /tmp/snafu.tsig txt testing.example.com @127.0.0.4
;; Couldn't verify signature: expected a TSIG or SIG(0)

[PenelopeFudd]

Benchmarking one client:

$ time dig +short +nokeepopen -k /tmp/foobar.tsig @127.0.0.2 txt $(yes hello.doh-test.com |head -20000) | wc -l

20000

real	0m12.557s
user	0m7.154s
sys	0m4.883s

Benchmarking 100 clients with 2000 requests each:

$ time parallel -j 100 dig +short +nokeepopen -k /tmp/foobar.tsig @127.0.0.2 txt $(yes hello.doh-test.com |head -2000) > /dev/null  ::: $(seq 1 100)

real	0m21.112s
user	0m30.589s
sys	1m21.671s

Looks like 9473 QPS