Fix nsec3 checking
parent
00ec6a144a
commit
5d57ab340d
|
@ -144,16 +144,6 @@ forever:
|
||||||
if *check {
|
if *check {
|
||||||
sigCheck(r.Reply, nameserver)
|
sigCheck(r.Reply, nameserver)
|
||||||
nsecCheck(r.Reply)
|
nsecCheck(r.Reply)
|
||||||
/*
|
|
||||||
if err := r.Reply.Nsec3Verify(r.Reply.Question[0]); err == nil {
|
|
||||||
//Could be: no nsec3 records
|
|
||||||
//fmt.Printf(";+ Correct authenticated denial of existence (NSEC3)\n")
|
|
||||||
} else {
|
|
||||||
fmt.Printf(";- Incorrect authenticated denial of existence (NSEC3): %s\n",err.Error())
|
|
||||||
}
|
|
||||||
println()
|
|
||||||
*/
|
|
||||||
|
|
||||||
}
|
}
|
||||||
if *short {
|
if *short {
|
||||||
r.Reply = shortMsg(r.Reply)
|
r.Reply = shortMsg(r.Reply)
|
||||||
|
@ -186,7 +176,30 @@ func sectionCheck(set []dns.RR, server string) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if we have nsec3 records and if so, check them
|
||||||
func nsecCheck(in *dns.Msg) {
|
func nsecCheck(in *dns.Msg) {
|
||||||
|
for _, r := range in.Answer {
|
||||||
|
if r.Header().Rrtype == dns.TypeNSEC3 {
|
||||||
|
goto Check
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, r := range in.Ns {
|
||||||
|
if r.Header().Rrtype == dns.TypeNSEC3 {
|
||||||
|
goto Check
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, r := range in.Extra {
|
||||||
|
if r.Header().Rrtype == dns.TypeNSEC3 {
|
||||||
|
goto Check
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
Check:
|
||||||
|
if err := in.Nsec3Verify(in.Question[0]); err == nil {
|
||||||
|
fmt.Printf(";+ Correct authenticated denial of existence (NSEC3)\n")
|
||||||
|
} else {
|
||||||
|
fmt.Printf(";- Incorrect authenticated denial of existence (NSEC3): %s\n",err.Error())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check the sigs in the msg, get the signer's key (additional query), get the
|
// Check the sigs in the msg, get the signer's key (additional query), get the
|
||||||
|
|
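Review bot: `in.Question[0]` after the `Check:` label in nsecCheck is indexed without a length check, so a reply that carries NSEC3 records but an empty question section panics the tool; the reply comes from the remote nameserver and should be treated as untrusted input. Guard it before the call, e.g. `if len(in.Question) == 0 { fmt.Printf(";- No question section, NSEC3 not checked\n"); return }`. Separately, the bare `return` when no NSEC3 record is found prints nothing, so a negative answer whose denial-of-existence records are missing looks the same in the output as an answer that never needed them; printing an explicit "not checked" line there would make that visible. The three identical loops plus `goto` could also be a single loop over `in.Answer`, `in.Ns` and `in.Extra`, which keeps the record-type test in one place.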