plugin/tls: Add the keylog option to configure TLSConfig.KeyLogWriter

[Kentzo]

1. Why is this pull request needed and what does it do?

In order to debug DNS-over-TLS it's helpful to export TLS master secrets so tools like Wireshark could decrypt traffic.

This PR adds the keylog option to the tls plugin which the user can set. It behaves similarly to the SSLKEYLOGFILE environment variable in other applications.

2. Which issues (if any) are related?

None

3. Which documentation changes (if any) need to be made?

The keylog option should be added to the tls plugin description.

4. Does this introduce a backward incompatible change or deprecation?

No

[Kentzo]

No interest in this one?

[thevilledev]

Hey @Kentzo, sorry for the delay. I'm catching up with open PRs now. Some comments below.

[thevilledev]

The CircleCI test failure is weird. Can you try to rebase this branch against the latest in master?

[Kentzo]

@thevilledev

Closing the file will cause TLS handshake to fail on connections that still has this config: https://cs.opensource.google/go/go/+/refs/tags/go1.26.1:src/crypto/tls/handshake_server_tls13.go (search for writerKeyLog).

This is fine if we expect OnShutdown to get called after underlying dns.Server is closed and doesn't accept new connections.

[thevilledev]

On restart/reload, Caddy starts the new instance first (taking over the listeners), then calls Stop() on the old instance to drain, and only then calls OnShutdown.

For SIGTERM/SIGINT, the server is dying anyway. Probably fine for the handshake to fail in a debug tool?

[Kentzo]

IIRC dns.Server should not accept new connections by the time OnShutdown is called.

OTOH one might say it's fine for an file descriptor to wait for GC event in a debug tool :)

[Kentzo]

The CircleCI test failure is weird. Can you try to rebase this branch against the latest in master?

I don't have CircleCI as an authorized OAuth App on my GitHub account.