Enable signature checking in messages

This commit is contained in:
Miek Gieben 2012-01-21 11:58:26 +01:00
parent 5917838cbb
commit c9fc2ea493
2 changed files with 97 additions and 30 deletions


@ -485,30 +485,30 @@ func rawSignatureData(rrset RRset, s *RR_RRSIG) (buf []byte) {
h.Name = strings.ToLower(h.Name)
// 6.2. Canonical RR Form. (3) - domain rdata to lowercaser
/*
switch h.Rrtype {
case TypeNS:
r.(*RR_NS).Ns = strings.ToLower(r.(*RR_NS).Ns)
case TypeCNAME:
r.(*RR_CNAME).Cname = strings.ToLower(r.(*RR_CNAME).Cname)
case TypeSOA:
r.(*RR_SOA).Ns = strings.ToLower(r.(*RR_SOA).Ns)
r.(*RR_SOA).Mbox = strings.ToLower(r.(*RR_SOA).Mbox)
case TypeMB:
case TypeMG:
case TypeMR:
case TypePTR:
r.(*RR_PTR).Ptr = strings.ToLower(r.(*RR_PTR).Ptr)
case TypeMINFO:
case TypeMX:
r.(*RR_MX).Mx = strings.ToLower(r.(*RR_MX).Mx)
case TypeSIG:
case TypeRRSIG:
case TypeSRV:
case TypeNSEC:
r.(*RR_NSEC).NextDomain = strings.ToLower(r.(*RR_NSEC).NextDomain)
case TypeNSEC3:
r.(*RR_NSEC3).NextDomain = strings.ToLower(r.(*RR_NSEC3).NextDomain)
}
switch h.Rrtype {
case TypeNS:
r.(*RR_NS).Ns = strings.ToLower(r.(*RR_NS).Ns)
case TypeCNAME:
r.(*RR_CNAME).Cname = strings.ToLower(r.(*RR_CNAME).Cname)
case TypeSOA:
r.(*RR_SOA).Ns = strings.ToLower(r.(*RR_SOA).Ns)
r.(*RR_SOA).Mbox = strings.ToLower(r.(*RR_SOA).Mbox)
case TypeMB:
case TypeMG:
case TypeMR:
case TypePTR:
r.(*RR_PTR).Ptr = strings.ToLower(r.(*RR_PTR).Ptr)
case TypeMINFO:
case TypeMX:
r.(*RR_MX).Mx = strings.ToLower(r.(*RR_MX).Mx)
case TypeSIG:
case TypeRRSIG:
case TypeSRV:
case TypeNSEC:
r.(*RR_NSEC).NextDomain = strings.ToLower(r.(*RR_NSEC).NextDomain)
case TypeNSEC3:
r.(*RR_NSEC3).NextDomain = strings.ToLower(r.(*RR_NSEC3).NextDomain)
}
*/
// 6.2. Canonical RR Form. (4) - wildcards
// dont have to do anything
@ -518,12 +518,12 @@ func rawSignatureData(rrset RRset, s *RR_RRSIG) (buf []byte) {
wire := make([]byte, r.Len())
h.Ttl = s.OrigTtl
off, ok1 := packRR(r, wire, 0, nil, false)
h.Ttl = ttl // restore the order in the universe TODO(mg) work on copy
wire = wire[:off]
h.Name = name
if !ok1 {
return nil
}
h.Ttl = ttl // restore the order in the universe TODO(mg) work on copy
wire = wire[:off]
h.Name = name
wires[i] = wire
}
sort.Sort(wires)
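Review bot: The early `return nil` after packRR now runs before the header is restored, so on a pack failure the caller's RR is left with `h.Name` lowercased and `h.Ttl` set to `s.OrigTtl` (the restore lines were moved below the check). Restore before bailing out, e.g. `h.Ttl = ttl; h.Name = name; if !ok1 { return nil }; wire = wire[:off]`, or restore both fields in a `defer` placed right after they are overwritten. The same mutate-then-restore concern seems to be behind the previous hunk, where the RFC 4034 §6.2 item (3) rdata lowercasing is commented out: an RRset whose NS/CNAME/MX/... rdata carries uppercase labels will no longer be signed or verified in canonical form, and the commented block should at least say why it was disabled rather than being left as dead code. rawSignatureData starts and ends outside the hunk.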


@ -145,6 +145,7 @@ forever:
r.Reply = shortMsg(r.Reply)
}
if *check {
sigCheck(r.Reply, nameserver)
r.Reply.Nsec3Verify(r.Reply.Question[0])
}
@ -160,14 +161,80 @@ forever:
// Check the sigs in the msg, get the signer's key (additional query), get the
// rrset from the message, check the signature(s)
func sigCheck(in *dns.Msg) {
func sigCheck(in *dns.Msg, server string) {
for _, rr := range in.Answer {
if rr.Header().Rrtype == dns.TypeRRSIG {
rrset := getRRset(in.Answer, rr.Header().Name, rr.(*dns.RR_RRSIG).TypeCovered)
key := getKey(rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag, server)
fmt.Printf(key.String()+ "\n")
fmt.Printf(rr.String()+ "\n")
for _, k := range rrset {
fmt.Printf(k.String()+ "\n")
}
if err := rr.(*dns.RR_RRSIG).Verify(key, rrset); err != nil {
fmt.Printf("Did not verify %s\n", err.Error())
}
}
}
for _, rr := range in.Ns {
if rr.Header().Rrtype == dns.TypeRRSIG {
rrset := getRRset(in.Ns, rr.Header().Name, rr.(*dns.RR_RRSIG).TypeCovered)
key := getKey(rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag, server)
fmt.Printf(key.String()+ "\n")
fmt.Printf(rr.String()+ "\n")
for _, k := range rrset {
fmt.Printf(k.String()+ "\n")
}
if err := rr.(*dns.RR_RRSIG).Verify(key, rrset); err != nil {
fmt.Printf("Did not verify %s\n", err.Error())
}
}
}
for _, rr := range in.Extra {
if rr.Header().Rrtype == dns.TypeRRSIG {
rrset := getRRset(in.Extra, rr.Header().Name, rr.(*dns.RR_RRSIG).TypeCovered)
key := getKey(rr.(*dns.RR_RRSIG).SignerName, rr.(*dns.RR_RRSIG).KeyTag, server)
fmt.Printf(key.String()+ "\n")
fmt.Printf(rr.String()+ "\n")
for _, k := range rrset {
fmt.Printf(k.String()+ "\n")
}
if err := rr.(*dns.RR_RRSIG).Verify(key, rrset); err != nil {
fmt.Printf("Did not verify %s\n", err.Error())
}
}
}
}
// Return the RRset belonging to the signature with name and type t
func getRRset(l []dns.RR, name string, t uint16) []dns.RR {
l1 := make([]dns.RR, 0)
for _, rr := range l {
if rr.Header().Name == name && rr.Header().Rrtype == t {
l1 = append(l1, rr)
}
}
return l1
}
// Get the key from the DNS (uses the local resolver) and return them.
// If nothing is found we return nil
func getKey(name string) *RR_DNSKEY {
// There is no recursive DNS checking here.
func getKey(name string, keytag uint16, server string) *dns.RR_DNSKEY {
c := dns.NewClient()
m := new(dns.Msg)
m.SetQuestion(name, dns.TypeDNSKEY)
r, err := c.Exchange(m, server)
if err != nil {
return nil
}
for _, k := range r.Answer {
if k1, ok := k.(*dns.RR_DNSKEY); ok {
if k1.KeyTag() == keytag {
return k1
}
}
}
return nil
}
// Walk trough message and short Key data and Sig data