Add NSEC3 helper function back in
I'm going to use this in 'q', but it may come in handy for other developers too. This is the first ramp up to a full blown Go only recursive resolver.
parent
e716c3fe8c
commit
970b2239a1
56
nsecx.go
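--- a/nsecx.go
+++ b/nsecx.go
@@ -11,6 +11,13 @@ import (
 "strings"
 )
 
+type Denialer interface {
+// Cover will check if the (unhashed) name is being covered by this NSEC or NSEC3.
+Cover(name string) bool
+// Match will check if the ownername matches the (unhashed) name for this NSEC3 or NSEC3.
+Match(name string) bool
+}
+
 type saltWireFmt struct {
 Salt string `dns:"size-hex"`
 }
@@ -52,3 +59,52 @@ func HashName(label string, ha uint8, iter uint16, salt string) string {
 }
 return unpackBase32(nsec3)
 }
+
+// Cover implements the Denialer interface.
+func (rr *NSEC) Cover(name string) bool {
+
+return true
+}
+
+// Cover implements the Denialer interface.
+func (rr *NSEC3) Cover(name string) bool {
+// FIXME(miek): check if the zones match
+// FIXME(miek): check if we're not dealing with parent nsec3
+hname := HashName(name, rr.Hash, rr.Iterations, rr.Salt)
+labels := Split(rr.Hdr.Name)
+if len(labels) < 2 {
+return false
+}
+hash := strings.ToUpper(rr.Hdr.Name[labels[0] : labels[1]-1]) // -1 to remove the .
+if hash == rr.NextDomain { // empty interval
+return false
+}
+if hash > rr.NextDomain { // last name, points to apex
+// hname > hash
+// hname > rr.NextDomain
+// TODO(miek)
+}
+
+if hname <= hash {
+return false
+}
+if hname >= rr.NextDomain {
+return false
+}
+return true
+}
+
+// Match implements the Denialer interface.
+func (rr *NSEC3) Match(name string) bool {
+// FIXME(miek): Check if we are in the same zone
+hname := HashName(name, rr.Hash, rr.Iterations, rr.Salt)
+labels := Split(rr.Hdr.Name)
+if len(labels) < 2 {
+return false
+}
+hash := strings.ToUpper(rr.Hdr.Name[labels[0] : labels[1]-1]) // -1 to remove the .
+if hash == hname {
+return true
+}
+return false
+}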
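Review bot: `(*NSEC).Cover` returns `true` for every name, so a caller that treats Cover as proof of non-existence would accept any NSEC record as a valid denial; until the canonical-order comparison is written the stub should fail closed, `return false // TODO: compare name with owner and NextDomain in canonical order`. In `(*NSEC3).Cover` the `hash > rr.NextDomain` branch is empty, so for the last record in the chain the two comparisons that follow reject every name; the wrap-around case needs `return hname > hash || hname < rr.NextDomain` inside that branch. `*NSEC` has no `Match` method in this section, so it does not yet satisfy `Denialer` as the comment on its `Cover` claims, and the interface comment on `Match` should read "this NSEC or NSEC3".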
@ -21,3 +21,17 @@ func TestPackNsec3(t *testing.T) {
|
||||||
t.Fail()
|
t.Fail()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestNsec3(t *testing.T) {
|
||||||
|
// examples taken from .nl
|
||||||
|
nsec3, _ := NewRR("39p91242oslggest5e6a7cci4iaeqvnk.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 39P99DCGG0MDLARTCRMCF6OFLLUL7PR6 NS DS RRSIG")
|
||||||
|
if !nsec3.(*NSEC3).Cover("snasajsksasasa.nl.") { // 39p94jrinub66hnpem8qdpstrec86pg3
|
||||||
|
t.Logf("39p94jrinub66hnpem8qdpstrec86pg3. should be covered by 39p91242oslggest5e6a7cci4iaeqvnk.nl. - 39P99DCGG0MDLARTCRMCF6OFLLUL7PR6")
|
||||||
|
t.Fail()
|
||||||
|
}
|
||||||
|
nsec3, _ = NewRR("sk4e8fj94u78smusb40o1n0oltbblu2r.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM")
|
||||||
|
if !nsec3.(*NSEC3).Match("nl.") { // sk4e8fj94u78smusb40o1n0oltbblu2r.nl.
|
||||||
|
t.Logf("sk4e8fj94u78smusb40o1n0oltbblu2r.nl. should match sk4e8fj94u78smusb40o1n0oltbblu2r.nl.")
|
||||||
|
t.Fail()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
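Review bot: Both `NewRR` calls in `TestNsec3` discard their second return value and then assert `nsec3.(*NSEC3)` unchecked, so a parse failure would surface as a panic in the type assertion instead of a test failure; presumably that value is an error, in which case use `nsec3, err := NewRR(...)` followed by `if err != nil { t.Fatal(err) }`. The test also checks only positive results: add a name whose hash lies outside the interval and assert `Cover` is false, and a name that must not `Match`, so an implementation that always answers true cannot pass.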