dns/nsecx.go

// Copyright 2011 Miek Gieben. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package dns

import (
	"crypto/sha1"
	"hash"
	"io"
	"strings"
)

type saltWireFmt struct {
	Salt string `dns:"size-hex"`
}

// HashName hashes a string (label) according to RFC 5155. It returns the hashed string.
func HashName(label string, ha uint8, iter uint16, salt string) string {
	saltwire := new(saltWireFmt)
	saltwire.Salt = salt
	wire := make([]byte, DefaultMsgSize)
	n, err := PackStruct(saltwire, wire, 0)
	if err != nil {
		return ""
	}
	wire = wire[:n]
	name := make([]byte, 255)
	off, err := PackDomainName(strings.ToLower(label), name, 0, nil, false)
	if err != nil {
		return ""
	}
	name = name[:off]
	var s hash.Hash
	switch ha {
	case SHA1:
		s = sha1.New()
	default:
		return ""
	}

	// k = 0
	name = append(name, wire...)
	io.WriteString(s, string(name))
	nsec3 := s.Sum(nil)
	// k > 0
	for k := uint16(0); k < iter; k++ {
		s.Reset()
		nsec3 = append(nsec3, wire...)
		io.WriteString(s, string(nsec3))
		nsec3 = s.Sum(nil)
	}
	return unpackBase32(nsec3)
}

type Denialer interface {
	// Cover will check if the (unhashed) name is being covered by this NSEC or NSEC3.
	Cover(name string) bool
	// Match will check if the ownername matches the (unhashed) name for this NSEC3 or NSEC3.
	Match(name string) bool
}

// Cover implements the Denialer interface.
func (rr *NSEC) Cover(name string) bool {
	return true
}

// Match implements the Denialer interface.
func (rr *NSEC) Match(name string) bool {
	return true
}

// Cover implements the Denialer interface.
func (rr *NSEC3) Cover(name string) bool {
	// FIXME(miek): check if the zones match
	// FIXME(miek): check if we're not dealing with parent nsec3
	hname := HashName(name, rr.Hash, rr.Iterations, rr.Salt)
	labels := Split(rr.Hdr.Name)
	if len(labels) < 2 {
		return false
	}
	hash := strings.ToUpper(rr.Hdr.Name[labels[0] : labels[1]-1]) // -1 to remove the dot
	if hash == rr.NextDomain {
		return false // empty interval
	}
	if hash > rr.NextDomain { // last name, points to apex
		// hname > hash
		// hname > rr.NextDomain
		// TODO(miek)
	}
	if hname <= hash {
		return false
	}
	if hname >= rr.NextDomain {
		return false
	}
	return true
}

// Match implements the Denialer interface.
func (rr *NSEC3) Match(name string) bool {
	// FIXME(miek): Check if we are in the same zone
	hname := HashName(name, rr.Hash, rr.Iterations, rr.Salt)
	labels := Split(rr.Hdr.Name)
	if len(labels) < 2 {
		return false
	}
	hash := strings.ToUpper(rr.Hdr.Name[labels[0] : labels[1]-1]) // -1 to remove the .
	if hash == hname {
		return true
	}
	return false
}

// Proof takes a slice of NSEC or NSEC3 RR, the qname and the qtype and tries
// to proof the authenticated denial of existence. If nil is returned the proof
// succeeded otherwise the error will indicated what was wrong.
func Proof(nsecx []RR, qname string, qtype uint16) error {
	// TODO(miek): wildcard expanded reply
	nsec3 := 0
	nsec := 0
	for i := 0; i < len(nsecx); i++ {
		if _, ok := nsecx[0].(*NSEC3); ok {
			nsec3++
		}
		if _, ok := nsecx[0].(*NSEC); ok {
			nsec++
		}
	}
	if nsec3 == len(nsecx) {
		return proofNSEC3(nsecx, qname, qtype)
	}
	if nsec == len(nsecx) {
		return proofNSEC(nsecx, qname, qtype)
	}
	return ErrSig // ErrNotRRset?
}

// NSEC3 Helper
func proofNSEC3(nsec3 []RR, qname string, qtype uint16) error {
	indx := Split(qname)
	ce := "" // Closest Encloser
	nc := "" // Next Closer
	wc := "" // Source of Synthesis (wildcard)
ClosestEncloser:
	for i := 0; i < len(indx); i++ {
		for j := 0; j < len(nsec3); j++ {
			if nsec3[j].(*NSEC3).Match(qname[indx[i]:]) {
				ce = qname[indx[i]:]
				wc = "*." + ce
				if i == 0 {
					nc = qname
				} else {
					nc = qname[indx[i-1]:]
				}
				break ClosestEncloser
			}
		}
	}
	if ce == "" {
		return ErrSig // ErrNoMatchingNSEC3
	}
	covered := 0 // Both nc and wc must be covered
	for i := 0; i < len(nsec3); i++ {
		if nsec3[i].(*NSEC3).Cover(nc) {
			covered++
		}
		if nsec3[i].(*NSEC3).Cover(wc) {
			covered++
		}
	}
	if covered != 2 {
		return ErrSig
	}
	return nil
}

// NSEC Helper
func proofNSEC(nsecx []RR, qname string, qtype uint16) error { return nil }
Update all copyright notices 2013-05-13 00:15:52 +10:00			`// Copyright 2011 Miek Gieben. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

add start for nsec3 2011-01-28 01:52:58 +11:00			`package dns`

More NSEC3 stuff 2011-03-08 07:56:36 +11:00			`import (`
gofmt 2011-12-10 07:45:57 +11:00			`"crypto/sha1"`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`"hash"`
Fix the hashing I mis applied the Gofix that created the correct fix. 2011-12-17 01:08:44 +11:00			`"io"`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`"strings"`
More NSEC3 stuff 2011-03-08 07:56:36 +11:00			`)`

Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`type saltWireFmt struct {`
Use go vetted struct tags They had the form: "domain-name", now they are key value pairs (key is always dns: `dns:"domain-name"` 2012-04-30 05:55:29 +10:00			Salt string `dns:"size-hex"`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`}`
add start for nsec3 2011-01-28 01:52:58 +11:00
more documentation 2012-12-02 20:14:53 +11:00			`// HashName hashes a string (label) according to RFC 5155. It returns the hashed string.`
Add a nsec3 Match() function 2012-01-22 20:52:06 +11:00			`func HashName(label string, ha uint8, iter uint16, salt string) string {`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`saltwire := new(saltWireFmt)`
			`saltwire.Salt = salt`
			`wire := make([]byte, DefaultMsgSize)`
Use proper error in packing and unpacking All the relevant functions now return an error instead of a simple boolean. This greatly approves the feedback to coders. Spotted some fishy error handling along the way and fix that too. 2012-10-10 06:17:54 +11:00			`n, err := PackStruct(saltwire, wire, 0)`
			`if err != nil {`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`return ""`
			`}`
			`wire = wire[:n]`
implement nsec3 label hashing 2011-03-10 00:27:41 +11:00			`name := make([]byte, 255)`
Use proper error in packing and unpacking All the relevant functions now return an error instead of a simple boolean. This greatly approves the feedback to coders. Spotted some fishy error handling along the way and fix that too. 2012-10-10 06:17:54 +11:00			`off, err := PackDomainName(strings.ToLower(label), name, 0, nil, false)`
			`if err != nil {`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`return ""`
			`}`
implement nsec3 label hashing 2011-03-10 00:27:41 +11:00			`name = name[:off]`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`var s hash.Hash`
			`switch ha {`
Drop the Alg and Hash prefixes 2011-07-09 01:27:44 +10:00			`case SHA1:`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`s = sha1.New()`
Formatting 2011-03-24 19:24:49 +11:00			`default:`
			`return ""`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`}`

			`// k = 0`
implement nsec3 label hashing 2011-03-10 00:27:41 +11:00			`name = append(name, wire...)`
Gofmt 2011-12-17 05:42:30 +11:00			`io.WriteString(s, string(name))`
Fix the hashing I mis applied the Gofix that created the correct fix. 2011-12-17 01:08:44 +11:00			`nsec3 := s.Sum(nil)`
Formatting 2011-03-24 19:24:49 +11:00			`// k > 0`
Add a nsec3 Match() function 2012-01-22 20:52:06 +11:00			`for k := uint16(0); k < iter; k++ {`
Formatting 2011-03-24 19:24:49 +11:00			`s.Reset()`
			`nsec3 = append(nsec3, wire...)`
Gofmt 2011-12-17 05:42:30 +11:00			`io.WriteString(s, string(nsec3))`
Nsec3: fix hashing here also 2011-12-17 01:12:01 +11:00			`nsec3 = s.Sum(nil)`
Formatting 2011-03-24 19:24:49 +11:00			`}`
Add nsec3 hashing (non working atm) 2011-03-08 08:47:20 +11:00			`return unpackBase32(nsec3)`
More NSEC3 stuff 2011-03-08 07:56:36 +11:00			`}`
Add NSEC3 helper function back in I'm going to use this in 'q', but it may came in handy for other developers too. This is the first ramp up to a full blown Go only recursive resolver. 2013-12-25 03:52:39 +11:00
Add Proof function for NSEC/NSEC3 2013-12-26 03:01:39 +11:00			`type Denialer interface {`
			`// Cover will check if the (unhashed) name is being covered by this NSEC or NSEC3.`
			`Cover(name string) bool`
			`// Match will check if the ownername matches the (unhashed) name for this NSEC3 or NSEC3.`
			`Match(name string) bool`
			`}`

Add NSEC3 helper function back in I'm going to use this in 'q', but it may came in handy for other developers too. This is the first ramp up to a full blown Go only recursive resolver. 2013-12-25 03:52:39 +11:00			`// Cover implements the Denialer interface.`
			`func (rr *NSEC) Cover(name string) bool {`
Add NSEC prototype 2013-12-25 03:54:20 +11:00			`return true`
			`}`
Add NSEC3 helper function back in I'm going to use this in 'q', but it may came in handy for other developers too. This is the first ramp up to a full blown Go only recursive resolver. 2013-12-25 03:52:39 +11:00
Add NSEC prototype 2013-12-25 03:54:20 +11:00			`// Match implements the Denialer interface.`
			`func (rr *NSEC) Match(name string) bool {`
Add NSEC3 helper function back in I'm going to use this in 'q', but it may came in handy for other developers too. This is the first ramp up to a full blown Go only recursive resolver. 2013-12-25 03:52:39 +11:00			`return true`
			`}`

Add NSEC prototype 2013-12-25 03:54:20 +11:00			`// Cover implements the Denialer interface.`
Add NSEC3 helper function back in I'm going to use this in 'q', but it may came in handy for other developers too. This is the first ramp up to a full blown Go only recursive resolver. 2013-12-25 03:52:39 +11:00			`func (rr *NSEC3) Cover(name string) bool {`
			`// FIXME(miek): check if the zones match`
			`// FIXME(miek): check if we're not dealing with parent nsec3`
			`hname := HashName(name, rr.Hash, rr.Iterations, rr.Salt)`
			`labels := Split(rr.Hdr.Name)`
			`if len(labels) < 2 {`
			`return false`
			`}`
Add Proof function for NSEC/NSEC3 2013-12-26 03:01:39 +11:00			`hash := strings.ToUpper(rr.Hdr.Name[labels[0] : labels[1]-1]) // -1 to remove the dot`
			`if hash == rr.NextDomain {`
			`return false // empty interval`
Add NSEC3 helper function back in I'm going to use this in 'q', but it may came in handy for other developers too. This is the first ramp up to a full blown Go only recursive resolver. 2013-12-25 03:52:39 +11:00			`}`
			`if hash > rr.NextDomain { // last name, points to apex`
			`// hname > hash`
			`// hname > rr.NextDomain`
			`// TODO(miek)`
			`}`
			`if hname <= hash {`
			`return false`
			`}`
			`if hname >= rr.NextDomain {`
			`return false`
			`}`
			`return true`
			`}`

Add NSEC prototype 2013-12-25 03:54:20 +11:00			`// Match implements the Denialer interface.`
Add NSEC3 helper function back in I'm going to use this in 'q', but it may came in handy for other developers too. This is the first ramp up to a full blown Go only recursive resolver. 2013-12-25 03:52:39 +11:00			`func (rr *NSEC3) Match(name string) bool {`
			`// FIXME(miek): Check if we are in the same zone`
			`hname := HashName(name, rr.Hash, rr.Iterations, rr.Salt)`
			`labels := Split(rr.Hdr.Name)`
			`if len(labels) < 2 {`
			`return false`
			`}`
			`hash := strings.ToUpper(rr.Hdr.Name[labels[0] : labels[1]-1]) // -1 to remove the .`
			`if hash == hname {`
			`return true`
			`}`
			`return false`
			`}`
Add Proof function for NSEC/NSEC3 2013-12-26 03:01:39 +11:00
			`// Proof takes a slice of NSEC or NSEC3 RR, the qname and the qtype and tries`
			`// to proof the authenticated denial of existence. If nil is returned the proof`
			`// succeeded otherwise the error will indicated what was wrong.`
			`func Proof(nsecx []RR, qname string, qtype uint16) error {`
			`// TODO(miek): wildcard expanded reply`
			`nsec3 := 0`
			`nsec := 0`
			`for i := 0; i < len(nsecx); i++ {`
			`if _, ok := nsecx[0].(*NSEC3); ok {`
			`nsec3++`
			`}`
			`if _, ok := nsecx[0].(*NSEC); ok {`
			`nsec++`
			`}`
			`}`
Add NSEC3 NXDOMAIN proof 2013-12-26 06:44:17 +11:00			`if nsec3 == len(nsecx) {`
Add Proof function for NSEC/NSEC3 2013-12-26 03:01:39 +11:00			`return proofNSEC3(nsecx, qname, qtype)`
			`}`
Add NSEC3 NXDOMAIN proof 2013-12-26 06:44:17 +11:00			`if nsec == len(nsecx) {`
Add Proof function for NSEC/NSEC3 2013-12-26 03:01:39 +11:00			`return proofNSEC(nsecx, qname, qtype)`
			`}`
			`return ErrSig // ErrNotRRset?`
			`}`

			`// NSEC3 Helper`
Add NSEC3 NXDOMAIN proof 2013-12-26 06:44:17 +11:00			`func proofNSEC3(nsec3 []RR, qname string, qtype uint16) error {`
			`indx := Split(qname)`
			`ce := "" // Closest Encloser`
			`nc := "" // Next Closer`
			`wc := "" // Source of Synthesis (wildcard)`
			`ClosestEncloser:`
			`for i := 0; i < len(indx); i++ {`
			`for j := 0; j < len(nsec3); j++ {`
			`if nsec3[j].(*NSEC3).Match(qname[indx[i]:]) {`
			`ce = qname[indx[i]:]`
			`wc = "*." + ce`
			`if i == 0 {`
			`nc = qname`
			`} else {`
			`nc = qname[indx[i-1]:]`
			`}`
			`break ClosestEncloser`
			`}`
			`}`
			`}`
			`if ce == "" {`
			`return ErrSig // ErrNoMatchingNSEC3`
			`}`
			`covered := 0 // Both nc and wc must be covered`
			`for i := 0; i < len(nsec3); i++ {`
			`if nsec3[i].(*NSEC3).Cover(nc) {`
			`covered++`
			`}`
			`if nsec3[i].(*NSEC3).Cover(wc) {`
			`covered++`
			`}`
			`}`
			`if covered != 2 {`
			`return ErrSig`
			`}`
			`return nil`
			`}`
Add Proof function for NSEC/NSEC3 2013-12-26 03:01:39 +11:00
			`// NSEC Helper`
			`func proofNSEC(nsecx []RR, qname string, qtype uint16) error { return nil }`