First stab at DNSSEC validation

2010-12-28 09:49:45 +01:00 · 2010-12-28 09:49:45 +01:00 · c1d45f507e
parent d0d1847b61
commit c1d45f507e
3 changed files with 27 additions and 3 deletions
--- a/2
+++ b/2
@ -2,7 +2,7 @@ Todo:
 * DNSSEC validation
 * NSEC(3) secure denial of existence
 * Unknown RRs
-* fix os.Erros usage 
+* fix os.Erros usage, add DNSSEC related errors
 * AXFR/IXFR support

 Tesing:
--- a/dnssec.go
+++ b/dnssec.go
@ -106,8 +106,18 @@ func (k *RR_DNSKEY) KeyTag() uint16 {

 // Validate an rrset with the signature and key. This is the
 // cryptographic test, the validity period most be check separately.
-func (s *RR_RRSIG) Secure(rrset []RR, key *RR_DNSKEY) bool {
-	return false
+func (s *RR_RRSIG) Secure(rrset []RR, k *RR_DNSKEY) bool {
+        // Frist the easy checks
+        if s.KeyTag != k.KeyTag() {
+                return false
+        }
+        if s.Hdr.Class != k.Hdr.Class {
+                return false
+        }
+        if s.Algorithm != k.Algorithm {
+                return false
+        }
+	return true
 }

 // Using RFC1982 calculate if a signature period is valid
--- a/dnssec_test.go
+++ b/dnssec_test.go
@ -20,4 +20,18 @@ func TestSecure(t *testing.T) {
 	sig.SignerName = "miek.nl."
 	sig.Sig = "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"

+	key := new(RR_DNSKEY)
+	key.Hdr.Name = "miek.nl"
+	key.Hdr.Rrtype = TypeDNSKEY
+	key.Hdr.Class = ClassINET
+	key.Hdr.Ttl = 3600
+	key.Flags = 256
+	key.Protocol = 3
+	key.Algorithm = AlgRSASHA256
+	key.PubKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
+
+        if ! sig.Secure(nil, key) {
+                t.Log("It is not secure")
+                t.Fail()
+        }
 }