Split off stuff to package chain
Create a resolver package called chain, to keep in the spirit of Bind, Unbound, Drill and Knot (and maybe others)
This commit is contained in:
parent
2c460e62ed
commit
ec304aeaa7
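--- a/nsecx.go
+++ b/nsecx.go
@@ -111,72 +111,3 @@ func (rr *NSEC3) Match(name string) bool {
 }
 return false
 }
-
-// VerifyNameError takes a slice of NSEC or NSEC3 RR, the qname and the qtype and tries
-// to verify the authenticated denial of existence. If nil is returned the proof
-// succeeded otherwise the error will indicated what was wrong.
-func VerifyNameError(nsecx []RR, qname string, qtype uint16) error {
-// TODO(miek): wildcard expanded reply
-nsec3 := 0
-nsec := 0
-for i := 0; i < len(nsecx); i++ {
-if _, ok := nsecx[0].(*NSEC3); ok {
-nsec3++
-}
-if _, ok := nsecx[0].(*NSEC); ok {
-nsec++
-}
-}
-if nsec3 == len(nsecx) {
-return verifyNameError3(nsecx, qname, qtype)
-}
-if nsec == len(nsecx) {
-return verifyNameError(nsecx, qname, qtype)
-}
-return ErrSig // ErrNotRRset?
-}
-
-// NSEC3 Helper
-func verifyNameError3(nsec3 []RR, qname string, qtype uint16) error {
-indx := Split(qname)
-ce := "" // Closest Encloser
-nc := "" // Next Closer
-wc := "" // Source of Synthesis (wildcard)
-ClosestEncloser:
-for i := 0; i < len(indx); i++ {
-for j := 0; j < len(nsec3); j++ {
-if nsec3[j].(*NSEC3).Match(qname[indx[i]:]) {
-ce = qname[indx[i]:]
-wc = "*." + ce
-if i == 0 {
-nc = qname
-} else {
-nc = qname[indx[i-1]:]
-}
-break ClosestEncloser
-}
-}
-}
-if ce == "" {
-return ErrSig // ErrNoMatchingNSEC3
-}
-covered := 0 // Both nc and wc must be covered
-for i := 0; i < len(nsec3); i++ {
-if nsec3[i].(*NSEC3).Cover(nc) {
-covered++
-}
-if nsec3[i].(*NSEC3).Cover(wc) {
-covered++
-}
-}
-if covered != 2 {
-return ErrSig
-}
-return nil
-}
-
-// NSEC Helper
-func verifyNameError(nsecx []RR, qname string, qtype uint16) error { return nil }
-
-// VerifyNoData
-func VerifyNoData(nsecx []RR, qname string, qtype uint16) error { return nil}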
@ -35,52 +35,3 @@ func TestNsec3(t *testing.T) {
|
||||||
t.Fail()
|
t.Fail()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func newNSEC3(rr string) *NSEC3 {
|
|
||||||
rr1, _ := NewRR(rr)
|
|
||||||
return rr1.(*NSEC3)
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestNsec3Proof(t *testing.T) {
|
|
||||||
// denies existence of 'snasajsksasasa.nl. A'
|
|
||||||
nsec3 := []RR{
|
|
||||||
newNSEC3("sk4e8fj94u78smusb40o1n0oltbblu2r.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM"),
|
|
||||||
newNSEC3("39p91242oslggest5e6a7cci4iaeqvnk.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 39P99DCGG0MDLARTCRMCF6OFLLUL7PR6 NS DS RRSIG"),
|
|
||||||
newNSEC3("t98kg1p1cjtdoc4ksb7g57jc9vulltcd.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 T98MULSKU3E499AGCTTRJK6H0L3E5T92 NS DS RRSIG")}
|
|
||||||
|
|
||||||
err := VerifyNameError(nsec3, "snasajsksasasa.nl.", TypeA)
|
|
||||||
if err != nil {
|
|
||||||
t.Logf("Failed to validate NSEC3")
|
|
||||||
t.Fail()
|
|
||||||
}
|
|
||||||
nsec3 = []RR{ // closest encloser can not be found, 1st NSEC3
|
|
||||||
newNSEC3("bk4e8fj94u78smusb40o1n0oltbblu2r.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM"),
|
|
||||||
newNSEC3("39p91242oslggest5e6a7cci4iaeqvnk.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 39P99DCGG0MDLARTCRMCF6OFLLUL7PR6 NS DS RRSIG"),
|
|
||||||
newNSEC3("t98kg1p1cjtdoc4ksb7g57jc9vulltcd.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 T98MULSKU3E499AGCTTRJK6H0L3E5T92 NS DS RRSIG")}
|
|
||||||
|
|
||||||
err = VerifyNameError(nsec3, "snasajsksasasa.nl.", TypeA)
|
|
||||||
if err == nil {
|
|
||||||
t.Logf("Should fail validate NSEC3")
|
|
||||||
t.Fail()
|
|
||||||
}
|
|
||||||
nsec3 = []RR{ // wildcard not covered, 3rd NSEC3
|
|
||||||
newNSEC3("sk4e8fj94u78smusb40o1n0oltbblu2r.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM"),
|
|
||||||
newNSEC3("39p91242oslggest5e6a7cci4iaeqvnk.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 39P99DCGG0MDLARTCRMCF6OFLLUL7PR6 NS DS RRSIG"),
|
|
||||||
newNSEC3("t98kg1p1cjtdoc4ksb7g57jc9vulltcd.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 T98LULSKU3E499AGCTTRJK6H0L3E5T92 NS DS RRSIG")}
|
|
||||||
|
|
||||||
err = VerifyNameError(nsec3, "snasajsksasasa.nl.", TypeA)
|
|
||||||
if err == nil {
|
|
||||||
t.Logf("Should fail validate NSEC3")
|
|
||||||
t.Fail()
|
|
||||||
}
|
|
||||||
nsec3 = []RR{ // nextcloser not covered, 2rd NSEC3
|
|
||||||
newNSEC3("sk4e8fj94u78smusb40o1n0oltbblu2r.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM"),
|
|
||||||
newNSEC3("39p91242oslggest5e6a7cci4iaeqvnk.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 39P89DCGG0MDLARTCRMCF6OFLLUL7PR6 NS DS RRSIG"),
|
|
||||||
newNSEC3("t98kg1p1cjtdoc4ksb7g57jc9vulltcd.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 T98LULSKU3E499AGCTTRJK6H0L3E5T92 NS DS RRSIG")}
|
|
||||||
|
|
||||||
err = VerifyNameError(nsec3, "snasajsksasasa.nl.", TypeA)
|
|
||||||
if err == nil {
|
|
||||||
t.Logf("Should fail validate NSEC3")
|
|
||||||
t.Fail()
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|