Some more tweaks into verifying nsec3 messages
This commit is contained in:
parent
1171215fc9
commit
6d5fd7f975
|
@ -15,6 +15,11 @@ things that need to be fixed.
|
|||
settings just like that -- need to look at them.
|
||||
-edns NSID is another
|
||||
|
||||
## BUGS
|
||||
|
||||
* NSEC3 record with no bitmap (empty non-terminals) are not correctly verified
|
||||
* This means they are not correctly put in wirefmt also
|
||||
|
||||
## Examples to add
|
||||
|
||||
* Nameserver, with a small zone, 1 KSK and online signing;
|
||||
|
|
52
dnssec.go
52
dnssec.go
|
@ -87,9 +87,9 @@ type dnskeyWireFmt struct {
|
|||
|
||||
// KeyTag calculates the keytag (or key-id) of the DNSKEY.
|
||||
func (k *RR_DNSKEY) KeyTag() uint16 {
|
||||
if k == nil {
|
||||
return 0
|
||||
}
|
||||
if k == nil {
|
||||
return 0
|
||||
}
|
||||
var keytag int
|
||||
switch k.Algorithm {
|
||||
case RSAMD5:
|
||||
|
@ -121,9 +121,9 @@ func (k *RR_DNSKEY) KeyTag() uint16 {
|
|||
|
||||
// ToDS converts a DNSKEY record to a DS record.
|
||||
func (k *RR_DNSKEY) ToDS(h int) *RR_DS {
|
||||
if k == nil {
|
||||
return nil
|
||||
}
|
||||
if k == nil {
|
||||
return nil
|
||||
}
|
||||
ds := new(RR_DS)
|
||||
ds.Hdr.Name = k.Hdr.Name
|
||||
ds.Hdr.Class = k.Hdr.Class
|
||||
|
@ -202,6 +202,7 @@ func (s *RR_RRSIG) Sign(k PrivateKey, rrset RRset) error {
|
|||
s.TypeCovered = rrset[0].Header().Rrtype
|
||||
s.TypeCovered = rrset[0].Header().Rrtype
|
||||
s.Labels, _ = IsDomainName(rrset[0].Header().Name)
|
||||
// ...
|
||||
if strings.HasPrefix(rrset[0].Header().Name, "*") {
|
||||
s.Labels-- // wildcard, remove from label count
|
||||
}
|
||||
|
@ -486,39 +487,16 @@ func rawSignatureData(rrset RRset, s *RR_RRSIG) (buf []byte) {
|
|||
wires := make(wireSlice, len(rrset))
|
||||
for i, r := range rrset {
|
||||
h := r.Header()
|
||||
// RFC 4034: 6.2. Canonical RR Form. (2) - domain name to lowercase
|
||||
name := h.Name
|
||||
h.Name = strings.ToLower(h.Name)
|
||||
// 6.2. Canonical RR Form. (3) - domain rdata to lowercaser
|
||||
/*
|
||||
switch h.Rrtype {
|
||||
case TypeNS:
|
||||
r.(*RR_NS).Ns = strings.ToLower(r.(*RR_NS).Ns)
|
||||
case TypeCNAME:
|
||||
r.(*RR_CNAME).Cname = strings.ToLower(r.(*RR_CNAME).Cname)
|
||||
case TypeSOA:
|
||||
r.(*RR_SOA).Ns = strings.ToLower(r.(*RR_SOA).Ns)
|
||||
r.(*RR_SOA).Mbox = strings.ToLower(r.(*RR_SOA).Mbox)
|
||||
case TypeMB:
|
||||
case TypeMG:
|
||||
case TypeMR:
|
||||
case TypePTR:
|
||||
r.(*RR_PTR).Ptr = strings.ToLower(r.(*RR_PTR).Ptr)
|
||||
case TypeMINFO:
|
||||
case TypeMX:
|
||||
r.(*RR_MX).Mx = strings.ToLower(r.(*RR_MX).Mx)
|
||||
case TypeSIG:
|
||||
case TypeRRSIG:
|
||||
case TypeSRV:
|
||||
case TypeNSEC:
|
||||
r.(*RR_NSEC).NextDomain = strings.ToLower(r.(*RR_NSEC).NextDomain)
|
||||
case TypeNSEC3:
|
||||
r.(*RR_NSEC3).NextDomain = strings.ToLower(r.(*RR_NSEC3).NextDomain)
|
||||
}
|
||||
*/
|
||||
labels := SplitLabels(h.Name)
|
||||
// 6.2. Canonical RR Form. (4) - wildcards
|
||||
// dont have to do anything
|
||||
|
||||
if len(labels) > int(s.Labels) {
|
||||
// Wildcard
|
||||
h.Name = strings.Join(labels[len(labels)-int(s.Labels):], ".") + "."
|
||||
}
|
||||
// RFC 4034: 6.2. Canonical RR Form. (2) - domain name to lowercase
|
||||
h.Name = strings.ToLower(h.Name)
|
||||
// 6.2. Canonical RR Form. (3) - domain rdata to lowercase. -- Deprecated.
|
||||
// 6.2. Canonical RR Form. (5) - origTTL
|
||||
ttl := h.Ttl
|
||||
wire := make([]byte, r.Len()*2)
|
||||
|
|
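Review bot: The wildcard branch in the rawSignatureData hunk rebuilds the owner name from the rightmost Labels labels but never prepends the `*` label, so the data hashed for a wildcard-expanded RRset is not the original owner name RFC 4035 §5.3.2 asks for and such signatures will fail to verify; the line should read `h.Name = "*." + strings.Join(labels[len(labels)-int(s.Labels):], ".") + "."`. The rewritten name is also stored back into `h.Name`, which is the caller's RR header, so the substitution leaks out of the function unless the saved `name` is restored afterwards; rawSignatureData continues past the hunk, so that restore may well be there. In the Sign hunk, `strings.HasPrefix(rrset[0].Header().Name, "*")` also decrements Labels for a non-wildcard name whose first label merely starts with `*`; `strings.HasPrefix(rrset[0].Header().Name, "*.")` is the intended test.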
26
nsec3.go
26
nsec3.go
|
@ -73,18 +73,18 @@ func (nsec3 *RR_NSEC3) Match(domain string) bool {
|
|||
func (nsec3 *RR_NSEC3) Cover(domain string) bool {
|
||||
hashdom := strings.ToUpper(HashName(domain, nsec3.Hash, nsec3.Iterations, nsec3.Salt))
|
||||
nextdom := strings.ToUpper(nsec3.NextDomain)
|
||||
owner := strings.ToUpper(SplitLabels(nsec3.Header().Name)[0]) // The hashed part
|
||||
apex := strings.ToUpper(HashName(strings.Join(SplitLabels(nsec3.Header().Name)[1:], "."), nsec3.Hash, nsec3.Iterations, nsec3.Salt)) // The name of the zone
|
||||
// if nextdomain equals the apex, it is considered The End. So in that case hashdom is always less then nextdomain
|
||||
if hashdom > owner && nextdom == apex {
|
||||
return true
|
||||
}
|
||||
owner := strings.ToUpper(SplitLabels(nsec3.Header().Name)[0]) // The hashed part
|
||||
apex := strings.ToUpper(HashName(strings.Join(SplitLabels(nsec3.Header().Name)[1:], "."), nsec3.Hash, nsec3.Iterations, nsec3.Salt)) + "." // The name of the zone
|
||||
// if nextdomain equals the apex, it is considered The End. So in that case hashdom is always less then nextdomain
|
||||
if hashdom > owner && nextdom == apex {
|
||||
return true
|
||||
}
|
||||
|
||||
if hashdom > owner && hashdom <= nextdom {
|
||||
return true
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
return false
|
||||
}
|
||||
|
||||
// NsecVerify verifies an denial of existence response with NSECs
|
||||
|
@ -156,10 +156,10 @@ func (m *Msg) Nsec3Verify(q Question) (int, error) {
|
|||
}
|
||||
}
|
||||
if !ncdenied {
|
||||
if m.MsgHdr.Rcode == RcodeNameError {
|
||||
// For NXDOMAIN this is a problem
|
||||
return 0, ErrDenialNc // add next closer name here
|
||||
}
|
||||
if m.MsgHdr.Rcode == RcodeNameError {
|
||||
// For NXDOMAIN this is a problem
|
||||
return 0, ErrDenialNc // add next closer name here
|
||||
}
|
||||
// For NODATA we need to to check if the matching nsec3 has to correct type bit map
|
||||
goto NoData
|
||||
}
|
||||
|
|
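Review bot: In Cover, `hashdom <= nextdom` reports a name whose hash equals the next hashed owner as covered, but a hash equal to an existing NSEC3 owner means the name exists (that is Match's case), so the comparison should be strict. The wrap-around test `nextdom == apex` also looks wrong: per RFC 5155 §3.1.7 the last NSEC3 in the chain points at the smallest hashed owner name in the zone, which is not in general the hash of the apex, so the last record should be recognised by `nextdom < owner`, and for that record names hashing below `nextdom` are covered as well; whether the current equality can even hold depends on NextDomain and HashName using the same trailing-dot form, which the hunk does not show. Since this function decides whether a denial of existence is accepted, a wrong answer becomes a wrong validation result, so the rewrite below (after which `apex` is unused and can go) deserves a table test over the first, a middle and the last record of a small chain.
```go
func (nsec3 *RR_NSEC3) Cover(domain string) bool {
	// … unchanged: hashdom, nextdom, owner …
	// The last NSEC3 in the chain points back at the smallest hash (RFC 5155 §3.1.7),
	// so its covered range wraps around the end of the hash space.
	if nextdom < owner {
		return hashdom > owner || hashdom < nextdom
	}
	return hashdom > owner && hashdom < nextdom
}
```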