Make the function smaller
This commit is contained in:
parent
f25584e94e
commit
00ec6a144a
136
examples/q/q.go
136
examples/q/q.go
|
@ -22,7 +22,7 @@ func main() {
|
||||||
dnssec := flag.Bool("dnssec", false, "request DNSSEC records")
|
dnssec := flag.Bool("dnssec", false, "request DNSSEC records")
|
||||||
query := flag.Bool("question", false, "show question")
|
query := flag.Bool("question", false, "show question")
|
||||||
short := flag.Bool("short", false, "abbreviate long DNSKEY and RRSIG RRs")
|
short := flag.Bool("short", false, "abbreviate long DNSKEY and RRSIG RRs")
|
||||||
check := flag.Bool("check", false, "check internal DNSSEC consistency")
|
check := flag.Bool("check", false, "check internal DNSSEC consistency")
|
||||||
port := flag.Int("port", 53, "port number to use")
|
port := flag.Int("port", 53, "port number to use")
|
||||||
aa := flag.Bool("aa", false, "set AA flag in query")
|
aa := flag.Bool("aa", false, "set AA flag in query")
|
||||||
ad := flag.Bool("ad", false, "set AD flag in query")
|
ad := flag.Bool("ad", false, "set AD flag in query")
|
||||||
|
@ -141,17 +141,20 @@ forever:
|
||||||
fmt.Printf("Id mismatch\n")
|
fmt.Printf("Id mismatch\n")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if *check {
|
if *check {
|
||||||
sigCheck(r.Reply, nameserver)
|
sigCheck(r.Reply, nameserver)
|
||||||
if err := r.Reply.Nsec3Verify(r.Reply.Question[0]); err == nil {
|
nsecCheck(r.Reply)
|
||||||
//Could be: no nsec3 records
|
/*
|
||||||
//fmt.Printf(";+ Correct authenticated denial of existence (NSEC3)\n")
|
if err := r.Reply.Nsec3Verify(r.Reply.Question[0]); err == nil {
|
||||||
} else {
|
//Could be: no nsec3 records
|
||||||
fmt.Printf(";- Incorrect authenticated denial of existence (NSEC3): %s\n",err.Error())
|
//fmt.Printf(";+ Correct authenticated denial of existence (NSEC3)\n")
|
||||||
}
|
} else {
|
||||||
println()
|
fmt.Printf(";- Incorrect authenticated denial of existence (NSEC3): %s\n",err.Error())
|
||||||
|
}
|
||||||
|
println()
|
||||||
|
*/
|
||||||
|
|
||||||
}
|
}
|
||||||
if *short {
|
if *short {
|
||||||
r.Reply = shortMsg(r.Reply)
|
r.Reply = shortMsg(r.Reply)
|
||||||
}
|
}
|
||||||
|
@ -166,87 +169,68 @@ forever:
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func sectionCheck(set []dns.RR, server string) {
|
||||||
|
for _, rr := range set {
|
||||||
|
if rr.Header().Rrtype == dns.TypeRRSIG {
|
||||||
|
rrset := getRRset(set, rr.Header().Name, rr.(*dns.RR_RRSIG).TypeCovered)
|
||||||
|
key := getKey(rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag, server)
|
||||||
|
if key == nil {
|
||||||
|
fmt.Printf(";? DNSKEY %s/%d not found\n", rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag)
|
||||||
|
}
|
||||||
|
if err := rr.(*dns.RR_RRSIG).Verify(key, rrset); err != nil {
|
||||||
|
fmt.Printf(";- Bogus signature, %s does not RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
|
||||||
|
} else {
|
||||||
|
fmt.Printf(";+ Secure signature, %s validates RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func nsecCheck(in *dns.Msg) {
|
||||||
|
}
|
||||||
|
|
||||||
// Check the sigs in the msg, get the signer's key (additional query), get the
|
// Check the sigs in the msg, get the signer's key (additional query), get the
|
||||||
// rrset from the message, check the signature(s)
|
// rrset from the message, check the signature(s)
|
||||||
func sigCheck(in *dns.Msg, server string) {
|
func sigCheck(in *dns.Msg, server string) {
|
||||||
for _, rr := range in.Answer {
|
sectionCheck(in.Answer, server)
|
||||||
if rr.Header().Rrtype == dns.TypeRRSIG {
|
sectionCheck(in.Ns, server)
|
||||||
rrset := getRRset(in.Answer, rr.Header().Name, rr.(*dns.RR_RRSIG).TypeCovered)
|
sectionCheck(in.Extra, server)
|
||||||
key := getKey(rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag, server)
|
|
||||||
if key == nil {
|
|
||||||
fmt.Printf(";? DNSKEY %s/%d not found\n", rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag)
|
|
||||||
}
|
|
||||||
if err := rr.(*dns.RR_RRSIG).Verify(key, rrset); err != nil {
|
|
||||||
fmt.Printf(";- Bogus signature, %s does not RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
|
|
||||||
} else {
|
|
||||||
fmt.Printf(";+ Secure signature, %s validates RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
for _, rr := range in.Ns {
|
|
||||||
if rr.Header().Rrtype == dns.TypeRRSIG {
|
|
||||||
rrset := getRRset(in.Ns, rr.Header().Name, rr.(*dns.RR_RRSIG).TypeCovered)
|
|
||||||
key := getKey(rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag, server)
|
|
||||||
if key == nil {
|
|
||||||
fmt.Printf(";? DNSKEY %s/%d not found\n", rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag)
|
|
||||||
}
|
|
||||||
if err := rr.(*dns.RR_RRSIG).Verify(key, rrset); err != nil {
|
|
||||||
fmt.Printf(";- Bogus signature, %s does not RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
|
|
||||||
} else {
|
|
||||||
fmt.Printf(";+ Secure signature, %s validates RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
for _, rr := range in.Extra {
|
|
||||||
if rr.Header().Rrtype == dns.TypeRRSIG {
|
|
||||||
rrset := getRRset(in.Extra, rr.Header().Name, rr.(*dns.RR_RRSIG).TypeCovered)
|
|
||||||
key := getKey(rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag, server)
|
|
||||||
if key == nil {
|
|
||||||
fmt.Printf(";? DNSKEY %s/%d not found\n", rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag)
|
|
||||||
}
|
|
||||||
if err := rr.(*dns.RR_RRSIG).Verify(key, rrset); err != nil {
|
|
||||||
fmt.Printf(";- Bogus signature, %s does not RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
|
|
||||||
} else {
|
|
||||||
fmt.Printf(";+ Secure signature, %s validates RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Return the RRset belonging to the signature with name and type t
|
// Return the RRset belonging to the signature with name and type t
|
||||||
func getRRset(l []dns.RR, name string, t uint16) []dns.RR {
|
func getRRset(l []dns.RR, name string, t uint16) []dns.RR {
|
||||||
l1 := make([]dns.RR, 0)
|
l1 := make([]dns.RR, 0)
|
||||||
for _, rr := range l {
|
for _, rr := range l {
|
||||||
if rr.Header().Name == name && rr.Header().Rrtype == t {
|
if rr.Header().Name == name && rr.Header().Rrtype == t {
|
||||||
l1 = append(l1, rr)
|
l1 = append(l1, rr)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return l1
|
return l1
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get the key from the DNS (uses the local resolver) and return them.
|
// Get the key from the DNS (uses the local resolver) and return them.
|
||||||
// If nothing is found we return nil
|
// If nothing is found we return nil
|
||||||
func getKey(name string, keytag uint16, server string) *dns.RR_DNSKEY {
|
func getKey(name string, keytag uint16, server string) *dns.RR_DNSKEY {
|
||||||
c := dns.NewClient()
|
c := dns.NewClient()
|
||||||
m := new(dns.Msg)
|
m := new(dns.Msg)
|
||||||
m.SetQuestion(name, dns.TypeDNSKEY)
|
m.SetQuestion(name, dns.TypeDNSKEY)
|
||||||
r, err := c.Exchange(m, server)
|
r, err := c.Exchange(m, server)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
for _, k := range r.Answer {
|
for _, k := range r.Answer {
|
||||||
if k1, ok := k.(*dns.RR_DNSKEY); ok {
|
if k1, ok := k.(*dns.RR_DNSKEY); ok {
|
||||||
if k1.KeyTag() == keytag {
|
if k1.KeyTag() == keytag {
|
||||||
return k1
|
return k1
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// shorten RRSIG to "miek.nl RRSIG(NS)"
|
// shorten RRSIG to "miek.nl RRSIG(NS)"
|
||||||
func shortSig(sig *dns.RR_RRSIG) string {
|
func shortSig(sig *dns.RR_RRSIG) string {
|
||||||
return sig.Header().Name + " RRSIG(" + dns.Rr_str[sig.TypeCovered] + ")"
|
return sig.Header().Name + " RRSIG(" + dns.Rr_str[sig.TypeCovered] + ")"
|
||||||
}
|
}
|
||||||
|
|
||||||
// Walk trough message and short Key data and Sig data
|
// Walk trough message and short Key data and Sig data
|
||||||
|
|
Loading…
Reference in New Issue