From eb94be22bbef238e70c3210c8727f8d20394030c Mon Sep 17 00:00:00 2001
From: Miek Gieben
Date: Mon, 18 Jun 2012 14:09:01 +0200
Subject: [PATCH] more lookup stuff
---
 ex/q/q.go | 1 +
 lookup.go | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
diff --git a/ex/q/q.go b/ex/q/q.go
index 26c1a6df..674adc18 100644
--- a/ex/q/q.go
+++ b/ex/q/q.go
@@ -258,6 +258,7 @@ forever:
 if *check {
 sigCheck(r.Reply, nameserver, *tcp)
 nsecCheck(r.Reply)
+// dns.AssertDelegationSigner(r.Reply, nil)
 }
 if *short {
 r.Reply = shortMsg(r.Reply)
diff --git a/lookup.go b/lookup.go
index 0e7f5c81..f04f36c1 100644
--- a/lookup.go
+++ b/lookup.go
@@ -1,5 +1,7 @@
 package dns
+// This file is in flux
+
 import (
 "math/rand"
 "strings"
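Review bot: The new `dns.AssertDelegationSigner(r.Reply, nil)` line is committed commented out, so the `*check` path still performs no delegation-signer validation, and the nil second argument means no trust database would be consulted even if it were uncommented. If this is a placeholder for later work, a `// TODO: enable once AssertDelegationSigner validates the DS RRSIG against a trust database` comment states that intent; commented-out code gives the reader no such signal. The enclosing `forever:` loop starts and ends outside the hunk.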
@@ -15,6 +17,55 @@ const (
 INDETERMINATE
 )
+// Check if the returned message has a delegation signer record
+// Algo:
+// The auth section's owner name (should be all equal) - seperate check!
+// The ownername of the DS records must match the right side of the qname
+//
+func AssertDelegationSigner(m *Msg, trustdb []*RR_DNSKEY) error {
+
+ // look for the DS(s)
+ dss := make([]*RR_DS, 0)
+ // If there are ddssen, there should also be a SIG (what if not?)
+ var sig *RR_RRSIG
+ for _, r := range m.Ns {
+ if d, ok := r.(*RR_DS); ok {
+ dss = append(dss ,d)
+ continue
+ }
+ if s, ok := r.(*RR_RRSIG); ok {
+ if s.TypeCovered == TypeDS {
+ sig = s
+ }
+ }
+ }
+ if len(dss) == 0 {
+ // No DSs found ...
+ return nil
+ }
+ println("DSs found", len(dss))
+ if sig == nil {
+ // No SIG found ...
+ return nil
+ }
+ println("SIG found")
+
+ // Ownername of the DSs should match the qname
+ if CompareLabels(dss[0].Header().Name, m.Question[0].Name) == 0 {
+ // No match
+ }
+ // Optionally keep track of these comparison, it should increase
+ println("Match found between delegation DS and qname")
+ println(dss[0].String())
+ println(sig.String())
+
+ return nil
+
+}
+
+
 // Types of answers (without looking the RFCs)
 // len(m.Ns) > 0
 // NS records in there? -> delegation (rcode should be rcode.Success)
@@ -106,6 +157,13 @@ func primingZone() (a, aaaa []string) {
 return
 }
+// Validate the root key with the DS records we've gotten offline
+func createTrustDB(dss []*RR_DS, a, aaaa []string) *[]RR_DNSKEY {
+ // Query a root server, get the DNSKEY, toDS() and check
+ return nil
+
+}
+
 // Parse the builtin trust anchor and return the DS records
 func primingTrust() []*RR_DS {
 ta, _ := ReadTrustAnchor(strings.NewReader(RootAnchorXML))
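Review bot: `AssertDelegationSigner` returns nil on every path, including the DS-without-RRSIG case and the owner-name mismatch case, whose `if CompareLabels(...) == 0` body is empty and is followed unconditionally by `println("Match found ...")`, so a caller cannot distinguish a validated delegation from one that was never checked. `m.Question[0]` is also read without a `len(m.Question)` guard, so a reply with an empty question section panics, and `trustdb` is unused, so nothing verifies `sig` over the DS set against a key; if CompareLabels counts shared trailing labels, `== 0` only rejects names with no label in common, which is weaker than the "right side of the qname" rule the comment states. The `println` calls write to stderr and should not remain once q.go calls this, and `seperate`/`ddssen` in the comments are typos. The sketch below returns on each failure; the `errXxx` names are constructed placeholders for whichever sentinel errors the package uses.
```go
func AssertDelegationSigner(m *Msg, trustdb []*RR_DNSKEY) error {
	if len(m.Question) == 0 {
		return errNoQuestion // placeholder sentinel
	}
	// … unchanged: collect dss and sig from m.Ns …
	if len(dss) == 0 {
		return nil // no DS in the authority section: nothing to assert
	}
	if sig == nil {
		return errUnsignedDS // placeholder: DS set without a covering RRSIG
	}
	if CompareLabels(dss[0].Header().Name, m.Question[0].Name) == 0 {
		return errDSOwner // placeholder: DS owner name does not match the qname
	}
	// TODO: verify sig over dss with a key from trustdb before reporting success
	return nil
}
```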
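Review bot: `createTrustDB` returns `*[]RR_DNSKEY` while `AssertDelegationSigner` in the earlier hunk takes `trustdb []*RR_DNSKEY`, so the trust database this stub is meant to build cannot be handed to the check without conversion; returning `[]*RR_DNSKEY` keeps the two consistent. The body ignores all three parameters and returns nil, which the header comment does not say; `// TODO: query a root server for its DNSKEY, compare toDS() against dss; returns nil until implemented` makes the stub state explicit to a caller.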