plugin/dnstap: feature: added incoming connection support (#8086)

* plugin/dnstap: added incoming connection support feature to dnstap plugin

Signed-off-by: Endre Szabo <git@end.re>

* fixed problems pointed out by ci linter

Signed-off-by: Endre Szabo <git@end.re>

---------

Signed-off-by: Endre Szabo <git@end.re>

plugin/dnstap/README.md

@@ -14,6 +14,8 @@ Every message is sent to the socket as soon as it comes in, the *dnstap* plugin
 
 ## Syntax
 
+### Outgoing Connections (Connect to Sink)
+
 ~~~ txt
 dnstap SOCKET [full] [writebuffer] [queue] {
   [identity IDENTITY]
@@ -32,6 +34,28 @@ dnstap SOCKET [full] [writebuffer] [queue] {
 * **EXTRA** to define "extra" field in dnstap payload, [metadata](../metadata/) replacement available here.
 * `skipverify` to skip tls verification during connection. Default to be secure
 
+### Incoming Connections (Accept from Sinks)
+
+~~~ txt
+dnstap listen SOCKET [full] {
+  [identity IDENTITY]
+  [version VERSION]
+  [extra EXTRA]
+  [tls CERT KEY [CA]]
+  [skipverify]
+}
+~~~
+
+* `listen` indicates this is a listening socket that accepts incoming connections from dnstap sinks.
+* **SOCKET** is the socket address to listen on (e.g., `tcp://127.0.0.1:6000`, `unix:///tmp/dnstap.sock`).
+* `full` to include the wire-format DNS message.
+* **IDENTITY** to override the identity of the server. Defaults to the hostname.
+* **VERSION** to override the version field. Defaults to the CoreDNS version.
+* **EXTRA** to define "extra" field in dnstap payload, [metadata](../metadata/) replacement available here.
+* `tls CERT KEY [CA]` to enable TLS for the listener. **CERT** and **KEY** are paths to the server certificate and key files. Optional **CA** is the path to the CA certificate for client verification.
+* `skipverify` to skip client certificate verification. Default is to verify client certificates. Equivalent to the **CA** option above being unspecified.
+
+**Note:** Incoming connections use unbuffered channels to broadcast events. If a connected sink becomes slow or disconnected, messages are dropped for that sink only, and the connection is closed.
 
 ## Examples
 
@@ -92,6 +116,35 @@ dnstap tls://127.0.0.1:6000 full {
 }
 ~~~
 
+Listen for incoming dnstap sink connections on a Unix socket.
+
+~~~ txt
+dnstap listen /tmp/dnstap.sock full
+~~~
+
+Listen for incoming dnstap sink connections on TCP.
+
+~~~ txt
+dnstap listen tcp://127.0.0.1:6000 full
+~~~
+
+Listen for incoming dnstap sink connections on TLS with mTLS client authentication.
+
+~~~ txt
+dnstap listen tls://127.0.0.1:6000 full {
+  tls /path/to/server-cert.pem /path/to/server-key.pem /path/to/ca.pem
+}
+~~~
+
+Listen for incoming dnstap sink connections on TLS without client certificate verification.
+
+~~~ txt
+dnstap listen tls://127.0.0.1:6000 full {
+  tls /path/to/server-cert.pem /path/to/server-key.pem
+  skipverify
+}
+~~~
+
 You can use _dnstap_ more than once to define multiple taps. The following logs information including the
 wire-format DNS message about client requests and responses to */tmp/dnstap.sock*,
 and also sends client requests and responses without wire-format DNS messages to a remote FQDN.
@@ -101,6 +154,13 @@ dnstap /tmp/dnstap.sock full
 dnstap tcp://example.com:6000
 ~~~
 
+You can also combine outgoing connections with incoming listeners:
+
+~~~ txt
+dnstap tcp://remote-collector.example.com:6000 full
+dnstap listen tcp://127.0.0.1:6001 full
+~~~
+
 ## Command Line Tool
 
 Dnstap has a command line tool that can be used to inspect the logging. The tool can be found