First stab at DNSSEC validation
This commit is contained in:
parent
d0d1847b61
commit
c1d45f507e
2
TODO
2
TODO
|
@ -2,7 +2,7 @@ Todo:
|
|||
* DNSSEC validation
|
||||
* NSEC(3) secure denial of existence
|
||||
* Unknown RRs
|
||||
* fix os.Erros usage
|
||||
* fix os.Erros usage, add DNSSEC related errors
|
||||
* AXFR/IXFR support
|
||||
|
||||
Tesing:
|
||||
|
|
14
dnssec.go
14
dnssec.go
|
@ -106,8 +106,18 @@ func (k *RR_DNSKEY) KeyTag() uint16 {
|
|||
|
||||
// Validate an rrset with the signature and key. This is the
|
||||
// cryptographic test, the validity period most be check separately.
|
||||
func (s *RR_RRSIG) Secure(rrset []RR, key *RR_DNSKEY) bool {
|
||||
return false
|
||||
func (s *RR_RRSIG) Secure(rrset []RR, k *RR_DNSKEY) bool {
|
||||
// Frist the easy checks
|
||||
if s.KeyTag != k.KeyTag() {
|
||||
return false
|
||||
}
|
||||
if s.Hdr.Class != k.Hdr.Class {
|
||||
return false
|
||||
}
|
||||
if s.Algorithm != k.Algorithm {
|
||||
return false
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
// Using RFC1982 calculate if a signature period is valid
|
||||
|
|
|
@ -20,4 +20,18 @@ func TestSecure(t *testing.T) {
|
|||
sig.SignerName = "miek.nl."
|
||||
sig.Sig = "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"
|
||||
|
||||
key := new(RR_DNSKEY)
|
||||
key.Hdr.Name = "miek.nl"
|
||||
key.Hdr.Rrtype = TypeDNSKEY
|
||||
key.Hdr.Class = ClassINET
|
||||
key.Hdr.Ttl = 3600
|
||||
key.Flags = 256
|
||||
key.Protocol = 3
|
||||
key.Algorithm = AlgRSASHA256
|
||||
key.PubKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
|
||||
|
||||
if ! sig.Secure(nil, key) {
|
||||
t.Log("It is not secure")
|
||||
t.Fail()
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue