Add message checking to q

2012-01-21 12:16:35 +01:00 · 2012-01-21 12:16:35 +01:00 · 5f0914413c
parent c9fc2ea493
commit 5f0914413c
2 changed files with 28 additions and 21 deletions
--- a/examples/q/q.go
+++ b/examples/q/q.go
@ -144,12 +144,18 @@ forever:
 				if *short {
 					r.Reply = shortMsg(r.Reply)
 				}
+
+				fmt.Printf("%v\n", r.Reply)
+
                                if *check {
                                        sigCheck(r.Reply, nameserver)
-                                        r.Reply.Nsec3Verify(r.Reply.Question[0])
+                                        if err := r.Reply.Nsec3Verify(r.Reply.Question[0]); err == nil {
+                                                fmt.Printf(";+ Correct authenticated denial of existence (NSEC3)\n")
+                                        } else {
+                                                fmt.Printf(";- Incorrect authenticated denial of existence (NSEC3): %s\n",err.Error())
+                                        }

                                }
-				fmt.Printf("%v", r.Reply)
 			}
 			i++
 			if i == len(qname) {
@ -166,13 +172,13 @@ func sigCheck(in *dns.Msg, server string) {
                if rr.Header().Rrtype == dns.TypeRRSIG {
                        rrset := getRRset(in.Answer, rr.Header().Name, rr.(*dns.RR_RRSIG).TypeCovered)
                        key := getKey(rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag, server)
-                        fmt.Printf(key.String()+ "\n")
-                        fmt.Printf(rr.String()+ "\n")
-                        for _, k := range rrset {
-                                fmt.Printf(k.String()+ "\n")
+                        if key == nil {
+                                fmt.Printf(";? DNSKEY %s/%d not found\n", rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag)
                        }
                        if err := rr.(*dns.RR_RRSIG).Verify(key, rrset); err != nil {
-                                fmt.Printf("Did not verify %s\n", err.Error())
+                                fmt.Printf(";- Bogus signature,  %s does not RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
+                        } else {
+                                fmt.Printf(";+ Secure signature, %s validates RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
                        }
                }
        }
@ -180,13 +186,13 @@ func sigCheck(in *dns.Msg, server string) {
                if rr.Header().Rrtype == dns.TypeRRSIG {
                        rrset := getRRset(in.Ns, rr.Header().Name, rr.(*dns.RR_RRSIG).TypeCovered)
                        key := getKey(rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag, server)
-                        fmt.Printf(key.String()+ "\n")
-                        fmt.Printf(rr.String()+ "\n")
-                        for _, k := range rrset {
-                                fmt.Printf(k.String()+ "\n")
+                        if key == nil {
+                                fmt.Printf(";? DNSKEY %s/%d not found\n", rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag)
                        }
                        if err := rr.(*dns.RR_RRSIG).Verify(key, rrset); err != nil {
-                                fmt.Printf("Did not verify %s\n", err.Error())
+                                fmt.Printf(";- Bogus signature,  %s does not RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
+                        } else {
+                                fmt.Printf(";+ Secure signature, %s validates RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
                        }
                }
        }
@ -194,13 +200,13 @@ func sigCheck(in *dns.Msg, server string) {
                if rr.Header().Rrtype == dns.TypeRRSIG {
                        rrset := getRRset(in.Extra, rr.Header().Name, rr.(*dns.RR_RRSIG).TypeCovered)
                        key := getKey(rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag, server)
-                        fmt.Printf(key.String()+ "\n")
-                        fmt.Printf(rr.String()+ "\n")
-                        for _, k := range rrset {
-                                fmt.Printf(k.String()+ "\n")
+                        if key == nil {
+                                fmt.Printf(";? DNSKEY %s/%d not found\n", rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag)
                        }
                        if err := rr.(*dns.RR_RRSIG).Verify(key, rrset); err != nil {
-                                fmt.Printf("Did not verify %s\n", err.Error())
+                                fmt.Printf(";- Bogus signature,  %s does not RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
+                        } else {
+                                fmt.Printf(";+ Secure signature, %s validates RRSet with DNSKEY %s/%d\n", shortSig(rr.(*dns.RR_RRSIG)), key.Header().Name, key.KeyTag())
                        }
                }
        }
@ -237,6 +243,11 @@ func getKey(name string, keytag uint16, server string) *dns.RR_DNSKEY {
        return nil
 }

+// shorten RRSIG to "miek.nl RRSIG(NS)"
+func shortSig(sig *dns.RR_RRSIG) string {
+        return sig.Header().Name + " RRSIG(" + dns.Rr_str[sig.TypeCovered] + ")"
+}
+
 // Walk trough message and short Key data and Sig data
 func shortMsg(in *dns.Msg) *dns.Msg {
 	for i := 0; i < len(in.Answer); i++ {
--- a/nsec3.go
+++ b/nsec3.go
@ -149,11 +149,7 @@ func (m *Msg) Nsec3Verify(q Question) error {
 		if !sodenied {
 			return ErrDenialSo
 		}
-		println("NSEC3 proof succesfully proofed")
 		return nil
 	}
-
-	/*
-	 */
 	return nil
 }