Enable signature checking in messages
parent
5917838cbb
commit
c9fc2ea493
54
dnssec.go
54
dnssec.go
|
@ -485,30 +485,30 @@ func rawSignatureData(rrset RRset, s *RR_RRSIG) (buf []byte) {
|
|||
h.Name = strings.ToLower(h.Name)
|
||||
// 6.2. Canonical RR Form. (3) - domain rdata to lowercaser
|
||||
/*
|
||||
switch h.Rrtype {
|
||||
case TypeNS:
|
||||
r.(*RR_NS).Ns = strings.ToLower(r.(*RR_NS).Ns)
|
||||
case TypeCNAME:
|
||||
r.(*RR_CNAME).Cname = strings.ToLower(r.(*RR_CNAME).Cname)
|
||||
case TypeSOA:
|
||||
r.(*RR_SOA).Ns = strings.ToLower(r.(*RR_SOA).Ns)
|
||||
r.(*RR_SOA).Mbox = strings.ToLower(r.(*RR_SOA).Mbox)
|
||||
case TypeMB:
|
||||
case TypeMG:
|
||||
case TypeMR:
|
||||
case TypePTR:
|
||||
r.(*RR_PTR).Ptr = strings.ToLower(r.(*RR_PTR).Ptr)
|
||||
case TypeMINFO:
|
||||
case TypeMX:
|
||||
r.(*RR_MX).Mx = strings.ToLower(r.(*RR_MX).Mx)
|
||||
case TypeSIG:
|
||||
case TypeRRSIG:
|
||||
case TypeSRV:
|
||||
case TypeNSEC:
|
||||
r.(*RR_NSEC).NextDomain = strings.ToLower(r.(*RR_NSEC).NextDomain)
|
||||
case TypeNSEC3:
|
||||
r.(*RR_NSEC3).NextDomain = strings.ToLower(r.(*RR_NSEC3).NextDomain)
|
||||
}
|
||||
switch h.Rrtype {
|
||||
case TypeNS:
|
||||
r.(*RR_NS).Ns = strings.ToLower(r.(*RR_NS).Ns)
|
||||
case TypeCNAME:
|
||||
r.(*RR_CNAME).Cname = strings.ToLower(r.(*RR_CNAME).Cname)
|
||||
case TypeSOA:
|
||||
r.(*RR_SOA).Ns = strings.ToLower(r.(*RR_SOA).Ns)
|
||||
r.(*RR_SOA).Mbox = strings.ToLower(r.(*RR_SOA).Mbox)
|
||||
case TypeMB:
|
||||
case TypeMG:
|
||||
case TypeMR:
|
||||
case TypePTR:
|
||||
r.(*RR_PTR).Ptr = strings.ToLower(r.(*RR_PTR).Ptr)
|
||||
case TypeMINFO:
|
||||
case TypeMX:
|
||||
r.(*RR_MX).Mx = strings.ToLower(r.(*RR_MX).Mx)
|
||||
case TypeSIG:
|
||||
case TypeRRSIG:
|
||||
case TypeSRV:
|
||||
case TypeNSEC:
|
||||
r.(*RR_NSEC).NextDomain = strings.ToLower(r.(*RR_NSEC).NextDomain)
|
||||
case TypeNSEC3:
|
||||
r.(*RR_NSEC3).NextDomain = strings.ToLower(r.(*RR_NSEC3).NextDomain)
|
||||
}
|
||||
*/
|
||||
// 6.2. Canonical RR Form. (4) - wildcards
|
||||
// dont have to do anything
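Review bot: The RDATA lowercasing switch is wrapped in `/* … */` instead of being deleted, leaving some sixty lines of dead code in the canonicalization path and no explanation of why step (3) of the "6.2. Canonical RR Form" comment above it (RFC 4034 §6.2) is now skipped; the `// 6.2. Canonical RR Form. (3)` header line is still left in place and now describes nothing. Either remove the block or replace it with a one-line reason, e.g. `// (3) lowercasing of names in RDATA is intentionally not done here: <reason>`. If the reason is that the switch mutates the caller's RR in place (compare the "work on copy" TODO later in this function), that is worth stating, since a verifier that canonicalizes differently from the signer will reject valid signatures on RRsets whose RDATA names contain uppercase letters. rawSignatureData starts and ends outside the hunk.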
|
||||
|
@ -518,12 +518,12 @@ func rawSignatureData(rrset RRset, s *RR_RRSIG) (buf []byte) {
|
|||
wire := make([]byte, r.Len())
|
||||
h.Ttl = s.OrigTtl
|
||||
off, ok1 := packRR(r, wire, 0, nil, false)
|
||||
h.Ttl = ttl // restore the order in the universe TODO(mg) work on copy
|
||||
wire = wire[:off]
|
||||
h.Name = name
|
||||
if !ok1 {
|
||||
return nil
|
||||
}
|
||||
h.Ttl = ttl // restore the order in the universe TODO(mg) work on copy
|
||||
wire = wire[:off]
|
||||
h.Name = name
|
||||
wires[i] = wire
|
||||
}
|
||||
sort.Sort(wires)
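Review bot: If, as the print order suggests, the three restore lines (`h.Ttl = ttl`, `wire = wire[:off]`, `h.Name = name`) were moved below the `if !ok1` check, the early `return nil` now leaves the caller's RR header mutated: `h.Ttl` stays at `s.OrigTtl` and `h.Name` stays lowercased, because the function edits the RR in place (the TODO on the restore line acknowledges this). Restore before bailing out, e.g. `if !ok1 { h.Ttl = ttl; h.Name = name; return nil }`, or keep the check after the restores as it apparently was before. The `wire = wire[:off]` line can be dropped entirely on the failure path since the slice is discarded. rawSignatureData starts and ends outside the hunk.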
|
||||
|
|
|
@ -145,6 +145,7 @@ forever:
|
|||
r.Reply = shortMsg(r.Reply)
|
||||
}
|
||||
if *check {
|
||||
sigCheck(r.Reply, nameserver)
|
||||
r.Reply.Nsec3Verify(r.Reply.Question[0])
|
||||
|
||||
}
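Review bot: The result of `sigCheck(r.Reply, nameserver)` cannot influence anything here, because sigCheck (defined in the next hunk) returns nothing: a signature that fails to verify is only printed, and the reply is then passed to `Nsec3Verify` and handled like a verified one. Giving sigCheck an `error` result lets this call site react, e.g. `if err := sigCheck(r.Reply, nameserver); err != nil { fmt.Printf("signature check failed: %s\n", err) }`, which keeps the existing bare call compiling. The enclosing `forever:` loop starts and ends outside the hunk.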
|
||||
|
@ -160,14 +161,80 @@ forever:
|
|||
|
||||
// Check the sigs in the msg, get the signer's key (additional query), get the
|
||||
// rrset from the message, check the signature(s)
|
||||
func sigCheck(in *dns.Msg) {
|
||||
func sigCheck(in *dns.Msg, server string) {
|
||||
for _, rr := range in.Answer {
|
||||
if rr.Header().Rrtype == dns.TypeRRSIG {
|
||||
rrset := getRRset(in.Answer, rr.Header().Name, rr.(*dns.RR_RRSIG).TypeCovered)
|
||||
key := getKey(rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag, server)
|
||||
fmt.Printf(key.String()+ "\n")
|
||||
fmt.Printf(rr.String()+ "\n")
|
||||
for _, k := range rrset {
|
||||
fmt.Printf(k.String()+ "\n")
|
||||
}
|
||||
if err := rr.(*dns.RR_RRSIG).Verify(key, rrset); err != nil {
|
||||
fmt.Printf("Did not verify %s\n", err.Error())
|
||||
}
|
||||
}
|
||||
}
|
||||
for _, rr := range in.Ns {
|
||||
if rr.Header().Rrtype == dns.TypeRRSIG {
|
||||
rrset := getRRset(in.Ns, rr.Header().Name, rr.(*dns.RR_RRSIG).TypeCovered)
|
||||
key := getKey(rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag, server)
|
||||
fmt.Printf(key.String()+ "\n")
|
||||
fmt.Printf(rr.String()+ "\n")
|
||||
for _, k := range rrset {
|
||||
fmt.Printf(k.String()+ "\n")
|
||||
}
|
||||
if err := rr.(*dns.RR_RRSIG).Verify(key, rrset); err != nil {
|
||||
fmt.Printf("Did not verify %s\n", err.Error())
|
||||
}
|
||||
}
|
||||
}
|
||||
for _, rr := range in.Extra {
|
||||
if rr.Header().Rrtype == dns.TypeRRSIG {
|
||||
rrset := getRRset(in.Extra, rr.Header().Name, rr.(*dns.RR_RRSIG).TypeCovered)
|
||||
key := getKey(rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag, server)
|
||||
fmt.Printf(key.String()+ "\n")
|
||||
fmt.Printf(rr.String()+ "\n")
|
||||
for _, k := range rrset {
|
||||
fmt.Printf(k.String()+ "\n")
|
||||
}
|
||||
if err := rr.(*dns.RR_RRSIG).Verify(key, rrset); err != nil {
|
||||
fmt.Printf("Did not verify %s\n", err.Error())
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Return the RRset belonging to the signature with name and type t
|
||||
func getRRset(l []dns.RR, name string, t uint16) []dns.RR {
|
||||
l1 := make([]dns.RR, 0)
|
||||
for _, rr := range l {
|
||||
if rr.Header().Name == name && rr.Header().Rrtype == t {
|
||||
l1 = append(l1, rr)
|
||||
}
|
||||
}
|
||||
return l1
|
||||
}
|
||||
|
||||
// Get the key from the DNS (uses the local resolver) and return them.
|
||||
// If nothing is found we return nil
|
||||
func getKey(name string) *RR_DNSKEY {
|
||||
// There is no recursive DNS checking here.
|
||||
func getKey(name string, keytag uint16, server string) *dns.RR_DNSKEY {
|
||||
c := dns.NewClient()
|
||||
m := new(dns.Msg)
|
||||
m.SetQuestion(name, dns.TypeDNSKEY)
|
||||
r, err := c.Exchange(m, server)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
for _, k := range r.Answer {
|
||||
if k1, ok := k.(*dns.RR_DNSKEY); ok {
|
||||
if k1.KeyTag() == keytag {
|
||||
return k1
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Walk trough message and short Key data and Sig data
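Review bot: `getKey` returns nil when the exchange fails or no DNSKEY with the requested tag is in the answer (its two `return nil` paths), yet each of the three loops in sigCheck immediately calls `key.String()` and then `Verify(key, rrset)` on it, so a missing or unreachable key crashes the program with a nil dereference instead of being reported. The same three loops also pass RR text as the format string (`fmt.Printf(key.String()+ "\n")`), which misprints any `%` in the record; use `fmt.Println(key.String())`. Since the Answer, Ns and Extra loops are identical, the fix below folds them into one `checkSection` helper that checks for a nil key, prints safely and returns the first failure so the caller can act on it. Independently, getKey's comment should state what it does and does not establish, e.g. `// The DNSKEY is taken from server itself and matched on keytag only; this proves consistency with that server's DNSKEY RRset, not a chain of trust to a trust anchor, and a keytag collision will pick the first matching key.`. The existing `getKey` and `getRRset` bodies are left as they are.
```go
// sigCheck verifies every RRSIG in the answer, authority and additional
// sections of in, fetching each signer's DNSKEY from server. It returns the
// first key-lookup or verification failure it meets, or nil when every
// signature verifies.
func sigCheck(in *dns.Msg, server string) error {
	for _, section := range [][]dns.RR{in.Answer, in.Ns, in.Extra} {
		if err := checkSection(section, server); err != nil {
			return err
		}
	}
	return nil
}

// checkSection verifies the RRSIGs found in a single message section.
func checkSection(section []dns.RR, server string) error {
	for _, rr := range section {
		sig, ok := rr.(*dns.RR_RRSIG)
		if !ok {
			continue
		}
		rrset := getRRset(section, sig.Header().Name, sig.TypeCovered)
		key := getKey(sig.SignerName, sig.KeyTag, server)
		if key == nil {
			return fmt.Errorf("no DNSKEY with tag %d for %s at %s", sig.KeyTag, sig.SignerName, server)
		}
		fmt.Println(key.String())
		fmt.Println(sig.String())
		for _, k := range rrset {
			fmt.Println(k.String())
		}
		if err := sig.Verify(key, rrset); err != nil {
			fmt.Printf("Did not verify %s\n", err.Error())
			return err
		}
	}
	return nil
}

// … unchanged: getRRset and getKey …
```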
|
||||
|
|