Add a zlutser program
validate an rrsig without checking the chain of trust
parent
ffe027b4b9
commit
df4dde5ad5
9
TODO
9
TODO
|
@ -1,19 +1,18 @@
|
|||
Todo:
|
||||
Short term:
|
||||
* fix os.Erros usage, add DNSSEC related errors
|
||||
* DNSSEC validation
|
||||
* NSEC(3) secure denial of existence, support the type bitmap
|
||||
* TKEY -- RFC 2930
|
||||
* TSIG -- RFC 4635
|
||||
* TKEY -- RFC 2930 - validation
|
||||
* TSIG -- RFC 4635 - validation
|
||||
Long term:
|
||||
* IDN?
|
||||
* Unknown RRs?
|
||||
* Parsing from strings
|
||||
* Server support (signing, receiving queries)
|
||||
* Key generation
|
||||
* Unknown RRs?
|
||||
|
||||
Issues:
|
||||
* Better sized buffers
|
||||
* DNSSEC validation - fix up the code and add other algs.
|
||||
* Check the network order, it works now, but this is on Intel
|
||||
* Make the testsuite work with public DNS servers
|
||||
* shortened ipv6 addresses are not parsed correctly (maby net issue)
|
||||
|
|
|
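--- a/[parent-dir]/Makefile
+++ b/[parent-dir]/Makefile
@@ -4,6 +4,7 @@ all:
 gomake -C chaos
 gomake -C dnssectest
 gomake -C axfr
+gomake -C zlutser
 
 clean:
 gomake -C mx clean
@@ -11,3 +12,4 @@ clean:
 gomake -C chaos clean
 gomake -C dnssectest clean
 gomake -C axfr clean
+gomake -C zlutser clean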
Binary file not shown.
|
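--- /dev/null
+++ b/[parent-dir]/zlutser/Makefile
@@ -0,0 +1,8 @@
+# Copyright 2009 The Go Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+include $(GOROOT)/src/Make.inc
+TARG=zlutser
+GOFILES=zlutser.go
+DEPS=../../
+include $(GOROOT)/src/Make.cmd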
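--- /dev/null
+++ b/[parent-dir]/zlutser/zlutser.go
@@ -0,0 +1,116 @@
+package main
+
+// Simple prog that "validates" a reply from a
+// server, but DOES NOT check the chain of trust!
+
+// lutser is Dutch for prutser and looser combined
+// so zlutser does that with zones
+
+import (
+"net"
+"dns"
+"dns/resolver"
+"os"
+"flag"
+"fmt"
+"strings"
+)
+
+func main() {
+var tcp *bool = flag.Bool("tcp", true, "TCP mode")
+var port *string = flag.String("port", "53", "Set the query port")
+var zone *string = flag.String("zone", "", "Zone to ask the DNSKEYs for")
+
+flag.Usage = func() {
+fmt.Fprintf(os.Stderr, "Usage: %s -z zone [@server] [qtype] [name ...]\n", os.Args[0])
+// extend this a little
+flag.PrintDefaults()
+}
+
+nameserver := "@127.0.0.1" // Default nameserver
+qtype := uint16(dns.TypeA) // Default qtype
+var qname []string
+
+flag.Parse()
+
+if *zone == "" {
+fmt.Fprintf(os.Stderr, "%s: -zone is mandatory\n", os.Args[0])
+os.Exit(1)
+}
+
+FLAGS:
+for i := 0; i < flag.NArg(); i++ {
+// If it starts with @ it is a nameserver
+if flag.Arg(i)[0] == '@' {
+nameserver = flag.Arg(i)
+continue FLAGS
+}
+// If it looks like type, it is a type
+for k, v := range dns.Rr_str {
+if v == strings.ToUpper(flag.Arg(i)) {
+qtype = k
+continue FLAGS
+}
+}
+// Anything else is a qname
+qname = append(qname, flag.Arg(i))
+}
+r := new(resolver.Resolver)
+r.Timeout = 2
+r.Port = *port
+r.Tcp = *tcp
+r.Attempts = 1
+
+qr := r.NewQuerier()
+// @server may be a name, resolv that
+var err os.Error
+nameserver = string([]byte(nameserver)[1:]) // chop off @
+_, addr, err := net.LookupHost(nameserver)
+if err == nil {
+r.Servers = addr
+} else {
+r.Servers = []string{nameserver}
+}
+
+m := new(dns.Msg)
+// m.MsgHdr.Authoritative = *aa
+// m.MsgHdr.AuthenticatedData = *ad
+m.MsgHdr.CheckingDisabled = true
+m.MsgHdr.RecursionDesired = true
+m.Question = make([]dns.Question, 1)
+// set the do bit
+opt := new(dns.RR_OPT)
+opt.Hdr = dns.RR_Header{Name: "", Rrtype: dns.TypeOPT}
+opt.Version(0, true)
+opt.DoBit(true, true)
+opt.UDPSize(4096, true)
+m.Extra = make([]dns.RR, 1)
+m.Extra[0] = opt
+
+for _, v := range qname {
+// Ask the Keys
+m.Question[0] = dns.Question{*zone, dns.TypeDNSKEY, dns.ClassINET}
+qr <- resolver.DnsMsg{m, nil}
+in := <-qr
+if in.Dns != nil {
+fmt.Printf("%v\n", in.Dns)
+}
+
+m.Question[0] = dns.Question{v, qtype, dns.ClassINET}
+qr <- resolver.DnsMsg{m, nil}
+in = <-qr
+if in.Dns != nil {
+fmt.Printf("%v\n", in.Dns)
+}
+
+// Ask the question
+// Get the sig(s)
+
+// Use the key(s)
+
+// Validate
+
+}
+qr <- resolver.DnsMsg{nil, nil}
+<-qr
+}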
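Review bot: The validation promised by the header comment and the commit title is not implemented: after the DNSKEY reply and the answer are printed, the rest of the `for _, v := range qname` body is only the placeholder comments `// Get the sig(s)`, `// Use the key(s)` and `// Validate`, so no RRSIG is checked at all, and with `m.MsgHdr.CheckingDisabled = true` the upstream resolver will not have checked either. Until that is filled in, the header comment should state it plainly, e.g. `// TODO: RRSIG verification is not implemented yet; the DNSKEY and answer are only printed.` The argument loop indexes `flag.Arg(i)[0]` before checking the length, so an empty argument panics; `if strings.HasPrefix(flag.Arg(i), "@") {` avoids that with the already-imported package. The usage text names a `-z` flag while the flag is registered as `-zone` and the flag package does not accept abbreviations, so the message should read `"Usage: %s -zone zone [@server] [qtype] [name ...]\n"`. A reply whose `Dns` is nil is silently skipped; the second field of the `DnsMsg` read from `qr` presumably carries the error and is worth reporting on stderr.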
@ -97,6 +97,7 @@ func query(res *Resolver, msg chan DnsMsg) {
|
|||
} else {
|
||||
c, cerr = net.Dial("udp", "", server)
|
||||
}
|
||||
//need fix for non-reachable servers TODO(MG)
|
||||
defer c.Close()
|
||||
if cerr != nil {
|
||||
err = cerr
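Review bot: `defer c.Close()` is registered before `cerr` is checked, so when `net.Dial` fails `c` is a nil `Conn` and the deferred `Close` panics with a nil dereference when `query` returns — the TODO comment about non-reachable servers describes exactly that case. Move the defer below the error check: keep `if cerr != nil { err = cerr ... }` first and put `defer c.Close()` on the success path only. `query` starts and ends outside this hunk, so whether the error path returns immediately or falls through to the reply handling cannot be seen here.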
|
||||
|
|