Split off stuff to package chain
Create a resolver package called chain, to keep in the spririt of Bind, Unbound, Drill and Knot (and maybe others)
This commit is contained in:
Miek Gieben
parent
2c460e62ed
commit
ec304aeaa7
69
nsecx.go
69
nsecx.go
|
|
@ -111,72 +111,3 @@ func (rr *NSEC3) Match(name string) bool {
|
|||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// VerifyNameError takes a slice of NSEC or NSEC3 RR, the qname and the qtype and tries
|
||||
// to verify the authenticated denial of existence. If nil is returned the proof
|
||||
// succeeded otherwise the error will indicated what was wrong.
|
||||
func VerifyNameError(nsecx []RR, qname string, qtype uint16) error {
|
||||
// TODO(miek): wildcard expanded reply
|
||||
nsec3 := 0
|
||||
nsec := 0
|
||||
for i := 0; i < len(nsecx); i++ {
|
||||
if _, ok := nsecx[0].(*NSEC3); ok {
|
||||
nsec3++
|
||||
}
|
||||
if _, ok := nsecx[0].(*NSEC); ok {
|
||||
nsec++
|
||||
}
|
||||
}
|
||||
if nsec3 == len(nsecx) {
|
||||
return verifyNameError3(nsecx, qname, qtype)
|
||||
}
|
||||
if nsec == len(nsecx) {
|
||||
return verifyNameError(nsecx, qname, qtype)
|
||||
}
|
||||
return ErrSig // ErrNotRRset?
|
||||
}
|
||||
|
||||
// NSEC3 Helper
|
||||
func verifyNameError3(nsec3 []RR, qname string, qtype uint16) error {
|
||||
indx := Split(qname)
|
||||
ce := "" // Closest Encloser
|
||||
nc := "" // Next Closer
|
||||
wc := "" // Source of Synthesis (wildcard)
|
||||
ClosestEncloser:
|
||||
for i := 0; i < len(indx); i++ {
|
||||
for j := 0; j < len(nsec3); j++ {
|
||||
if nsec3[j].(*NSEC3).Match(qname[indx[i]:]) {
|
||||
ce = qname[indx[i]:]
|
||||
wc = "*." + ce
|
||||
if i == 0 {
|
||||
nc = qname
|
||||
} else {
|
||||
nc = qname[indx[i-1]:]
|
||||
}
|
||||
break ClosestEncloser
|
||||
}
|
||||
}
|
||||
}
|
||||
if ce == "" {
|
||||
return ErrSig // ErrNoMatchingNSEC3
|
||||
}
|
||||
covered := 0 // Both nc and wc must be covered
|
||||
for i := 0; i < len(nsec3); i++ {
|
||||
if nsec3[i].(*NSEC3).Cover(nc) {
|
||||
covered++
|
||||
}
|
||||
if nsec3[i].(*NSEC3).Cover(wc) {
|
||||
covered++
|
||||
}
|
||||
}
|
||||
if covered != 2 {
|
||||
return ErrSig
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// NSEC Helper
|
||||
func verifyNameError(nsecx []RR, qname string, qtype uint16) error { return nil }
|
||||
|
||||
// VerifyNoData
|
||||
func VerifyNoData(nsecx []RR, qname string, qtype uint16) error { return nil}
|
||||
|
|
|
|||
|
|
@ -35,52 +35,3 @@ func TestNsec3(t *testing.T) {
|
|||
t.Fail()
|
||||
}
|
||||
}
|
||||
|
||||
func newNSEC3(rr string) *NSEC3 {
|
||||
rr1, _ := NewRR(rr)
|
||||
return rr1.(*NSEC3)
|
||||
}
|
||||
|
||||
func TestNsec3Proof(t *testing.T) {
|
||||
// denies existence of 'snasajsksasasa.nl. A'
|
||||
nsec3 := []RR{
|
||||
newNSEC3("sk4e8fj94u78smusb40o1n0oltbblu2r.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM"),
|
||||
newNSEC3("39p91242oslggest5e6a7cci4iaeqvnk.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 39P99DCGG0MDLARTCRMCF6OFLLUL7PR6 NS DS RRSIG"),
|
||||
newNSEC3("t98kg1p1cjtdoc4ksb7g57jc9vulltcd.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 T98MULSKU3E499AGCTTRJK6H0L3E5T92 NS DS RRSIG")}
|
||||
|
||||
err := VerifyNameError(nsec3, "snasajsksasasa.nl.", TypeA)
|
||||
if err != nil {
|
||||
t.Logf("Failed to validate NSEC3")
|
||||
t.Fail()
|
||||
}
|
||||
nsec3 = []RR{ // closest encloser can not be found, 1st NSEC3
|
||||
newNSEC3("bk4e8fj94u78smusb40o1n0oltbblu2r.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM"),
|
||||
newNSEC3("39p91242oslggest5e6a7cci4iaeqvnk.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 39P99DCGG0MDLARTCRMCF6OFLLUL7PR6 NS DS RRSIG"),
|
||||
newNSEC3("t98kg1p1cjtdoc4ksb7g57jc9vulltcd.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 T98MULSKU3E499AGCTTRJK6H0L3E5T92 NS DS RRSIG")}
|
||||
|
||||
err = VerifyNameError(nsec3, "snasajsksasasa.nl.", TypeA)
|
||||
if err == nil {
|
||||
t.Logf("Should fail validate NSEC3")
|
||||
t.Fail()
|
||||
}
|
||||
nsec3 = []RR{ // wildcard not covered, 3rd NSEC3
|
||||
newNSEC3("sk4e8fj94u78smusb40o1n0oltbblu2r.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM"),
|
||||
newNSEC3("39p91242oslggest5e6a7cci4iaeqvnk.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 39P99DCGG0MDLARTCRMCF6OFLLUL7PR6 NS DS RRSIG"),
|
||||
newNSEC3("t98kg1p1cjtdoc4ksb7g57jc9vulltcd.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 T98LULSKU3E499AGCTTRJK6H0L3E5T92 NS DS RRSIG")}
|
||||
|
||||
err = VerifyNameError(nsec3, "snasajsksasasa.nl.", TypeA)
|
||||
if err == nil {
|
||||
t.Logf("Should fail validate NSEC3")
|
||||
t.Fail()
|
||||
}
|
||||
nsec3 = []RR{ // nextcloser not covered, 2rd NSEC3
|
||||
newNSEC3("sk4e8fj94u78smusb40o1n0oltbblu2r.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM"),
|
||||
newNSEC3("39p91242oslggest5e6a7cci4iaeqvnk.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 39P89DCGG0MDLARTCRMCF6OFLLUL7PR6 NS DS RRSIG"),
|
||||
newNSEC3("t98kg1p1cjtdoc4ksb7g57jc9vulltcd.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 T98LULSKU3E499AGCTTRJK6H0L3E5T92 NS DS RRSIG")}
|
||||
|
||||
err = VerifyNameError(nsec3, "snasajsksasasa.nl.", TypeA)
|
||||
if err == nil {
|
||||
t.Logf("Should fail validate NSEC3")
|
||||
t.Fail()
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue