Some more tweaks into verifying nsec3 messages

2012-01-22 16:12:10 +01:00 · 2012-01-22 16:12:10 +01:00 · 6d5fd7f975
parent 1171215fc9
commit 6d5fd7f975
3 changed files with 33 additions and 50 deletions
--- a/TODO.markdown
+++ b/TODO.markdown
@ -15,6 +15,11 @@ things that need to be fixed.
    settings just like that -- need to look at them.
    -edns NSID is another

+## BUGS
+
+* NSEC3 record with no bitmap (empty non-terminals) are not correctly verified
+    * This means they are not correctly put in wirefmt also
+
 ## Examples to add

 * Nameserver, with a small zone, 1 KSK and online signing;
--- a/dnssec.go
+++ b/dnssec.go
@ -87,9 +87,9 @@ type dnskeyWireFmt struct {

 // KeyTag calculates the keytag (or key-id) of the DNSKEY.
 func (k *RR_DNSKEY) KeyTag() uint16 {
-        if k == nil {
-                return 0
-        }
+	if k == nil {
+		return 0
+	}
 	var keytag int
 	switch k.Algorithm {
 	case RSAMD5:
@ -121,9 +121,9 @@ func (k *RR_DNSKEY) KeyTag() uint16 {

 // ToDS converts a DNSKEY record to a DS record.
 func (k *RR_DNSKEY) ToDS(h int) *RR_DS {
-        if k == nil {
-                return nil
-        }
+	if k == nil {
+		return nil
+	}
 	ds := new(RR_DS)
 	ds.Hdr.Name = k.Hdr.Name
 	ds.Hdr.Class = k.Hdr.Class
@ -202,6 +202,7 @@ func (s *RR_RRSIG) Sign(k PrivateKey, rrset RRset) error {
 	s.TypeCovered = rrset[0].Header().Rrtype
 	s.TypeCovered = rrset[0].Header().Rrtype
 	s.Labels, _ = IsDomainName(rrset[0].Header().Name)
+	// ...
 	if strings.HasPrefix(rrset[0].Header().Name, "*") {
 		s.Labels-- // wildcard, remove from label count
 	}
@ -486,39 +487,16 @@ func rawSignatureData(rrset RRset, s *RR_RRSIG) (buf []byte) {
 	wires := make(wireSlice, len(rrset))
 	for i, r := range rrset {
 		h := r.Header()
-		// RFC 4034: 6.2.  Canonical RR Form. (2) - domain name to lowercase
 		name := h.Name
-		h.Name = strings.ToLower(h.Name)
-		// 6.2.  Canonical RR Form. (3) - domain rdata to lowercaser
-		/*
-					switch h.Rrtype {
-			                case TypeNS:
-			                        r.(*RR_NS).Ns = strings.ToLower(r.(*RR_NS).Ns)
-			                case TypeCNAME:
-			                        r.(*RR_CNAME).Cname = strings.ToLower(r.(*RR_CNAME).Cname)
-			                case TypeSOA:
-			                        r.(*RR_SOA).Ns = strings.ToLower(r.(*RR_SOA).Ns)
-			                        r.(*RR_SOA).Mbox = strings.ToLower(r.(*RR_SOA).Mbox)
-			                case TypeMB:
-			                case TypeMG:
-			                case TypeMR:
-			                case TypePTR:
-			                        r.(*RR_PTR).Ptr = strings.ToLower(r.(*RR_PTR).Ptr)
-					case TypeMINFO:
-			                case TypeMX:
-			                        r.(*RR_MX).Mx = strings.ToLower(r.(*RR_MX).Mx)
-			                case TypeSIG:
-			                case TypeRRSIG:
-					case TypeSRV:
-			                case TypeNSEC:
-			                        r.(*RR_NSEC).NextDomain = strings.ToLower(r.(*RR_NSEC).NextDomain)
-			                case TypeNSEC3:
-			                        r.(*RR_NSEC3).NextDomain = strings.ToLower(r.(*RR_NSEC3).NextDomain)
-					}
-		*/
+		labels := SplitLabels(h.Name)
 		// 6.2. Canonical RR Form. (4) - wildcards
-		// dont have to do anything
-
+		if len(labels) > int(s.Labels) {
+			// Wildcard
+			h.Name = strings.Join(labels[len(labels)-int(s.Labels):], ".") + "."
+		}
+		// RFC 4034: 6.2.  Canonical RR Form. (2) - domain name to lowercase
+		h.Name = strings.ToLower(h.Name)
+		// 6.2. Canonical RR Form. (3) - domain rdata to lowercase.  -- Deprecated.
 		// 6.2. Canonical RR Form. (5) - origTTL
 		ttl := h.Ttl
 		wire := make([]byte, r.Len()*2)
--- a/nsec3.go
+++ b/nsec3.go
@ -73,18 +73,18 @@ func (nsec3 *RR_NSEC3) Match(domain string) bool {
 func (nsec3 *RR_NSEC3) Cover(domain string) bool {
 	hashdom := strings.ToUpper(HashName(domain, nsec3.Hash, nsec3.Iterations, nsec3.Salt))
 	nextdom := strings.ToUpper(nsec3.NextDomain)
-	owner := strings.ToUpper(SplitLabels(nsec3.Header().Name)[0])   // The hashed part
-        apex  := strings.ToUpper(HashName(strings.Join(SplitLabels(nsec3.Header().Name)[1:], "."), nsec3.Hash, nsec3.Iterations, nsec3.Salt)) // The name of the zone
-        // if nextdomain equals the apex, it is considered The End. So in that case hashdom is always less then nextdomain
-        if hashdom > owner && nextdom == apex {
-                return true
-        }
+	owner := strings.ToUpper(SplitLabels(nsec3.Header().Name)[0])                                                                              // The hashed part
+	apex := strings.ToUpper(HashName(strings.Join(SplitLabels(nsec3.Header().Name)[1:], "."), nsec3.Hash, nsec3.Iterations, nsec3.Salt)) + "." // The name of the zone
+	// if nextdomain equals the apex, it is considered The End. So in that case hashdom is always less then nextdomain
+	if hashdom > owner && nextdom == apex {
+		return true
+	}

 	if hashdom > owner && hashdom <= nextdom {
-                return true
-        }
+		return true
+	}

-        return false
+	return false
 }

 // NsecVerify verifies an denial of existence response with NSECs
@ -156,10 +156,10 @@ func (m *Msg) Nsec3Verify(q Question) (int, error) {
 			}
 		}
 		if !ncdenied {
-                        if m.MsgHdr.Rcode == RcodeNameError {
-                                // For NXDOMAIN this is a problem
-                                return 0, ErrDenialNc // add next closer name here
-                        }
+			if m.MsgHdr.Rcode == RcodeNameError {
+				// For NXDOMAIN this is a problem
+				return 0, ErrDenialNc // add next closer name here
+			}
 			// For NODATA we need to to check if the matching nsec3 has to correct type bit map
 			goto NoData
 		}