community
/
dns
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add on-the-fly signing 

it works, documentation coming
This commit is contained in:
Miek Gieben 2011-01-22 16:10:18 +01:00
parent 6a75e08368
commit 52c9c3f15e
7 changed files with 195 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
_examples/funkensturm/Kmiek.nl.+005+21798.key Normal file
View File

@ -0,0 +1,5 @@
; This is a zone-signing key, keyid 21798, for miek.nl.
; Created: 20110122104659 (Sat Jan 22 11:46:59 2011)
; Publish: 20110122104659 (Sat Jan 22 11:46:59 2011)
; Activate: 20110122104659 (Sat Jan 22 11:46:59 2011)
miek.nl. IN DNSKEY 256 3 5 AwEAAQGk589980oEiFs1AUicHq2YlHbE5n0DWgfgCqTfBZ1ZYRjn2mye mQotdt4Yzq97nBPy1nzxrZhKabhX9nZriVv8jurPLXeauW/NT1Drfrjz DQRidU+A1DvLDkEKeEl8O+kOyiIHK49kUrjbfar9yQuFZUAeo+24FRfH q9oGysW70Q==

13
_examples/funkensturm/Kmiek.nl.+005+21798.private Normal file
View File

@ -0,0 +1,13 @@
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: AaTnz33zSgSIWzUBSJwerZiUdsTmfQNaB+AKpN8FnVlhGOfabJ6ZCi123hjOr3ucE/LWfPGtmEppuFf2dmuJW/yO6s8td5q5b81PUOt+uPMNBGJ1T4DUO8sOQQp4SXw76Q7KIgcrj2RSuNt9qv3JC4VlQB6j7bgVF8er2gbKxbvR
PublicExponent: AQAB
PrivateExponent: /IkdBCupeEi7uHS5tPnvHAHPtNm5nf4xhWm9fBYpT0wjnlB+JTYbViXgoa+4uAhwK54nPvXxzovZz+UPLfwvFBoG3D0vYS+M9WWOBCnEuDK0MfcBWfTE2hlV13xDll1o7Pj/fvpRQ7paBhjpP6uBwlVI1vH6GR9kNXQRfWK1NQU=
Prime1: AdG+8ixEeDzHKI2GRD7lGhrQ8EzN4Tc0mek1u6ioFZ0imohaPqtqNq7RWVo35cWuvYflhFQYzFn99HGRvfGfDv8=
Prime2: 51psvlotBXuaqzrgfb5I6u7DG9JhU5WO68PZf1RMmq2e2xLvKvDGXCP5oFur9AOsHdbmahnzgFC1s18vg7kFLw==
Exponent1: glXRJ5oxm7CQJKrCRmeOmpqF5Lhooi5SM/UZguUmx0Z7wFSg3Q9oJhvnyVuDLYLs/y63jWEzLqvm0DFc2lUMuQ==
Exponent2: Aq3qan3y3Yhj7y28YdhtUcM4IT9bfzNRN2vKPg5E4Nm36EOc33twYKrN/kxxfl74hFPz0TDBwC+vGwe0LitbYw==
Coefficient: AZX3xIGzo/3fw4ouA6nAjpiWGpTK+OdFRkZtvbmzwgqnFDQopB0SweVnd1shpKCXkPTkdvpLTdmhU/84CW5m7cQ=
Created: 20110122104659
Publish: 20110122104659
Activate: 20110122104659

2
_examples/funkensturm/Makefile
View File

@ -4,7 +4,7 @@
include $(GOROOT)/src/Make.inc
TARG=funkensturm
GOFILES=funkensturm.go\
config.go\
config_sign.go\
DEPS=../../
include $(GOROOT)/src/Make.cmd

2
_examples/funkensturm/config.go
View File

@ -3,6 +3,7 @@ package main
// This is a transparant proxy config. All recevied pkt are just forwarded to the
// nameserver, hardcoded to 127.0.0.1 and then return to the original querier
import (
"fmt"
"dns"
"dns/resolver"
)
@ -11,6 +12,7 @@ func match(m *dns.Msg, d int) (*dns.Msg, bool) {
// Matching criteria
switch d {
case IN:
fmt.Printf("%v\n", m)
// nothing
case OUT:
// Note that when sending back only the mangling is important

59
_examples/funkensturm/config_delay.go Normal file
View File

@ -0,0 +1,59 @@
package main
// This is a transparant proxy config. All recevied pkt are just forwarded to the
// nameserver, hardcoded to 127.0.0.1 and then return to the original querier
import (
"dns"
"dns/resolver"
)
func match(m *dns.Msg, d int) (*dns.Msg, bool) {
// Matching criteria
switch d {
case IN:
// nothing
case OUT:
// Note that when sending back only the mangling is important
// the actual return code of these function isn't checked by
// funkensturm
}
// Packet Mangling functions
switch d {
case IN:
// nothing
case OUT:
// nothing
}
return m, true
}
func send(m *dns.Msg, ok bool) (*dns.Msg, bool) {
switch ok {
case true, false:
qr <- resolver.Msg{m, nil, nil}
in := <-qr
return in.Dns, true
}
return nil, false // Bug in Go, yes BUG IN GO
}
// qr is global and started by Funkensturm. If you
// need 2 or more resolvers, you'll need to start
// them yourself. This needs to be a global variable
//var qr1 chan resolver.Msg
// Return the configration
func funkensturm() *Funkensturm {
f := new(Funkensturm)
f.Setup = func() bool { return true }
f.Matches = make([]Match, 1)
f.Matches[0].Op = AND
f.Matches[0].Func = match
f.Actions = make([]Action, 1)
f.Actions[0].Func = send
return f
}

111
_examples/funkensturm/config_sign.go Normal file
View File

@ -0,0 +1,111 @@
package main
// This is a transparant proxy config. All recevied pkt are just forwarded to the
// nameserver, hardcoded to 127.0.0.1 and then return to the original querier
import (
"dns"
"dns/resolver"
"crypto/rsa"
)
func sign(m *dns.Msg) *dns.Msg {
// Assume miek.nl, just for testing, example.com???
sg := new(dns.RR_RRSIG)
sg.Hdr = dns.RR_Header{"miek.nl.", dns.TypeRRSIG, dns.ClassINET, 14400, 0}
sg.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
sg.Inception = 1293942305 // date -u '+%s' -d"2011-01-02 04:25:05"
sg.KeyTag = pubkey.KeyTag() // Get the keyfrom the Key
sg.SignerName = pubkey.Hdr.Name
sg.Algorithm = dns.AlgRSASHA256
if len(m.Answer) > 0 {
// sign the first record
an := m.Answer[0]
sg.TypeCovered = an.Header().Rrtype
sg.Labels = dns.LabelCount(an.Header().Name)
sg.OrigTtl = an.Header().Ttl
switch p:=privkey.(type) {
case *rsa.PrivateKey:
sg.Sign(p, []dns.RR{an})
}
}
m.Answer = append(m.Answer, sg)
return m
}
func match(m *dns.Msg, d int) (*dns.Msg, bool) {
// Matching criteria
switch d {
case IN:
// nothing
case OUT:
// Note that when sending back only the mangling is important
// the actual return code of these function isn't checked by
// funkensturm
}
// Packet Mangling functions
switch d {
case IN:
// nothing
case OUT:
// On the way out sign the packet
m = sign(m) // keys are global
}
return m, true
}
func send(m *dns.Msg, ok bool) (*dns.Msg, bool) {
switch ok {
case true, false:
qr <- resolver.Msg{m, nil, nil}
in := <-qr
return in.Dns, true
}
return nil, false // Bug in Go, yes BUG IN GO
}
// qr is global and started by Funkensturm. If you
// need 2 or more resolvers, you'll need to start
// them yourself. This needs to be a global variable
//var qr1 chan resolver.Msg
var pubkey *dns.RR_DNSKEY
var privkey dns.PrivateKey
func setup() bool {
privdata := `Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: AaTnz33zSgSIWzUBSJwerZiUdsTmfQNaB+AKpN8FnVlhGOfabJ6ZCi123hjOr3ucE/LWfPGtmEppuFf2dmuJW/yO6s8td5q5b81PUOt+uPMNBGJ1T4DUO8sOQQp4SXw76Q7KIgcrj2RSuNt9qv3JC4VlQB6j7bgVF8er2gbKxbvR
PublicExponent: AQAB
PrivateExponent: /IkdBCupeEi7uHS5tPnvHAHPtNm5nf4xhWm9fBYpT0wjnlB+JTYbViXgoa+4uAhwK54nPvXxzovZz+UPLfwvFBoG3D0vYS+M9WWOBCnEuDK0MfcBWfTE2hlV13xDll1o7Pj/fvpRQ7paBhjpP6uBwlVI1vH6GR9kNXQRfWK1NQU=
Prime1: AdG+8ixEeDzHKI2GRD7lGhrQ8EzN4Tc0mek1u6ioFZ0imohaPqtqNq7RWVo35cWuvYflhFQYzFn99HGRvfGfDv8=
Prime2: 51psvlotBXuaqzrgfb5I6u7DG9JhU5WO68PZf1RMmq2e2xLvKvDGXCP5oFur9AOsHdbmahnzgFC1s18vg7kFLw==
Exponent1: glXRJ5oxm7CQJKrCRmeOmpqF5Lhooi5SM/UZguUmx0Z7wFSg3Q9oJhvnyVuDLYLs/y63jWEzLqvm0DFc2lUMuQ==
Exponent2: Aq3qan3y3Yhj7y28YdhtUcM4IT9bfzNRN2vKPg5E4Nm36EOc33twYKrN/kxxfl74hFPz0TDBwC+vGwe0LitbYw==
Coefficient: AZX3xIGzo/3fw4ouA6nAjpiWGpTK+OdFRkZtvbmzwgqnFDQopB0SweVnd1shpKCXkPTkdvpLTdmhU/84CW5m7cQ=
Created: 20110122104659
Publish: 20110122104659
Activate: 20110122104659`
pubkey = new(dns.RR_DNSKEY)
privkey, _ = pubkey.PrivateKeySetString(privdata)
pubkey.Hdr = dns.RR_Header{"miek.nl.", dns.TypeDNSKEY, dns.ClassINET, 3600, 0}
pubkey.Protocol = 3
pubkey.Flags = 256
return true
}
// Return the configration
func funkensturm() *Funkensturm {
f := new(Funkensturm)
f.Setup = setup
f.Matches = make([]Match, 1)
f.Matches[0].Op = AND
f.Matches[0].Func = match
f.Actions = make([]Action, 1)
f.Actions[0].Func = send
return f
}

6
_examples/funkensturm/funkensturm.go
View File

@ -88,10 +88,11 @@ func (s *server) ResponderUDP(c *net.UDPConn, a net.Addr, i []byte) {
// loop again for matching, but now with OUT, this is done
// for some last minute packet changing. Note the boolean return
// code isn't used any more
// code isn't used any more, i.e No more actions are allowed
// anymore
pkt1 = resultpkt
for _, m := range f.Matches {
pkt1, _ = m.Func(pkt1, IN)
pkt1, _ = m.Func(pkt1, OUT)
}
out, ok1 := pkt1.Pack()
@ -103,6 +104,7 @@ func (s *server) ResponderUDP(c *net.UDPConn, a net.Addr, i []byte) {
}
func (s *server) ResponderTCP(c *net.TCPConn, in []byte) {
/* todo */
}
// Small helper function