ECDSA public keys consist of a single value, called "Q" in FIPS
186-3. In DNSSEC keys, Q is a simple bit string that represents the
uncompressed form of a curve point, "x | y".
The ECDSA signature is the combination of two non-negative integers,
called "r" and "s" in FIPS 186-3. The two integers, each of which is
formatted as a simple octet string, are combined into a single longer
octet string for DNSSEC as the concatenation "r | s". (Conversion of
the integers to bit strings is described in Section C.2 of FIPS
186-3.) For P-256, each integer MUST be encoded as 32 octets; for
P-384, each integer MUST be encoded as 48 octets.
This stops it from checking if the incoming requests have the QR bit
unset, so be careful when enabling this. This can be useful in
combination with mDNS.
Also the check for only 1 question in the question section is relaxed
to be "at least one", even without setting Unsafe!
Also update TestServingResponse to test for Unsafe vs not using Unsafe.
Added a bunch a long running test function to the list of skipped
tests when giving -short to go test. Tests are bascially *all*
DNSSEC key generation tests and 1 serving test.
PASS
ok github.com/miekg/dns 0.782s
Compared to 13+ s, so quite a bit faster.
Instead of going through the fmt package, we can use append int,
which saves an allocation.
benchmark old ns/op new ns/op delta
BenchmarkUnpackDomainNameUnprintable 2147 506 -76.43%
Some records are copies from others: DNSKEY, CDNSKEY and KEY are
identical. DS, CDS and DLV are too and even RRSIG and SIG.
The parsing functions and the definition can all be used for parsing
all these identical types.
When printing unknown records it is best to print the entire thing
as unknown, instead of relying on the internal defined type. An
example A record, printed as an unknown one:
miek.nl. 3600 CLASS1 TYPE1 \# 4 0a000101
Tests message signing and verification against
itself, that altered messages don't pass and that
expired messages don't pass.
Static samples generated by something else would
be good to add at some point.
This is based on @miekg's sig0 branch. That branch diverged from master
and I didn't want to wander off on a rebase.
As implemented there's no allowance for multi-envelope (TCP) support.
TODO:
* unpackUint32() could be moved out and used elsewhere
* tests
* multi-envelope support (if useful)