First part of ZONEMD support #11100

Merged
merged 16 commits into from Jan 14, 2022
Conversation

@omoerbeek omoerbeek (Member) commented Dec 15, 2021

Short description

  1. Define record type
  2. Verification according to RFC, including many failure cases and RRSIG handling. Support sha384 and sha512
  3. Unit tests, including all examples from RFC and a few failure cases.
  4. Command line for pdnsutil: zonemd-verify-file

Based on POC from @Habbie, with many changes.

Things to be done I can think of (details to be decided):

For the Recursor:

  • validation of incoming zones (potentially Zone to Cache, RPZ, Auth-Zones). Those cases need to consider DNSSEC validation of ZONEMD records as well per RFC. Also config of zone should indicate if ZONEMD verification is required. For Zone to Cache and RPZ we can do that from Lua, for Auth Zones it is not immediately clear how.

For the Authoritative Server:

  • verify/insert/update/remove ZONEMD in DB
  • send ZONEMD out on AXFR.
  • verify incoming AXFR ZONEMD.

Both should be handled in separate PRs imo.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
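
As an added illustration, not code from this PR or from PowerDNS: a minimal Python implementation of the verification the description refers to (RFC 8976 SIMPLE scheme with SHA-384/SHA-512), covering the exclusion of the apex ZONEMD RRset and of apex RRSIGs covering ZONEMD, the SOA serial check, and the rule that unsupported ZONEMD RRs are ignored rather than treated as failures. All function names are mine; the sample zone is constructed, and records are given pre-encoded as (owner, type, TTL, wire-format RDATA).

```python
import hashlib, socket, struct
A, NS, SOA, AAAA, RRSIG, ZONEMD = 1, 2, 6, 28, 46, 63  # RR type numbers
HASHES = {1: "sha384", 2: "sha512"}  # RFC 8976 hash algorithm codes; scheme 1 is SIMPLE

def name_wire(name):
    # Canonical wire form (RFC 4034 s6.2): lowercase, uncompressed labels
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def name_key(name):
    # Canonical name order (RFC 4034 s6.1): labels compared right to left, case-folded
    return [l.lower() for l in name.rstrip(".").split(".") if l][::-1]

def zonemd_digest(apex, records, hash_alg):
    # SIMPLE scheme (RFC 8976 s3.3.1): hash every RR in canonical form and order, skipping the
    # apex ZONEMD RRs and any apex RRSIG whose Type Covered field is ZONEMD
    kept = []
    for owner, rtype, ttl, rdata in records:
        covers_zonemd = rtype == RRSIG and rdata[:2] == struct.pack("!H", ZONEMD)
        if name_key(owner) == name_key(apex) and (rtype == ZONEMD or covers_zonemd):
            continue
        kept.append((owner, rtype, ttl, rdata))
    kept.sort(key=lambda r: (name_key(r[0]), r[1], r[3]))  # owner, then type, then RDATA
    h = hashlib.new(HASHES[hash_alg])
    for owner, rtype, ttl, rdata in kept:
        h.update(name_wire(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata)
    return h.digest()

def verify_zonemd(apex, records):
    # RFC 8976 s4: succeed iff an apex ZONEMD RR with a supported scheme/hash and the SOA serial
    # matches the recomputed digest; stale or unsupported ZONEMD RRs are ignored, not failures
    apex_rrs = [r for r in records if name_key(r[0]) == name_key(apex)]
    soas = [r[3] for r in apex_rrs if r[1] == SOA]
    if len(soas) != 1:
        return False
    serial = struct.unpack("!I", soas[0][-20:-16])[0]  # SOA RDATA ends with five 32-bit fields
    for _, rtype, _, rdata in apex_rrs:
        if rtype == ZONEMD:
            z_serial, scheme, hash_alg = struct.unpack("!IBB", rdata[:6])
            if (z_serial, scheme) == (serial, 1) and hash_alg in HASHES and rdata[6:] == zonemd_digest(apex, records, hash_alg):
                return True
    return False

def sample_zone():
    # Constructed sample zone modelled on RFC 8976 Appendix A.1 (the RFC's published digest is not asserted)
    soa = name_wire("ns1.example.") + name_wire("admin.example.") + struct.pack("!5I", 2018031900, 1800, 900, 604800, 86400)
    return [("example.", SOA, 86400, soa), ("example.", NS, 86400, name_wire("ns1.example.")),
            ("example.", NS, 86400, name_wire("ns2.example.")),
            ("ns1.example.", A, 3600, socket.inet_aton("203.0.113.63")),
            ("ns2.example.", AAAA, 3600, socket.inet_pton(socket.AF_INET6, "2001:db8::63"))]
```

A real verifier would additionally apply DNSSEC validation to the ZONEMD RRset where the zone is signed, which the description lists as follow-up work.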

github-actions bot commented Dec 15, 2021

@check-spelling-bot Report

Unrecognized words, please review:

  • zonemd

pdns/sha.hh (Outdated):

    md = EVP_sha512();
    break;
  default:
    throw std::runtime_error("SHADigest: unsupported size");
A contributor commented:

maybe use std::out_of_range?

@omoerbeek omoerbeek (Member, Author) replied Dec 15, 2021:

It reports errors that are a consequence of an attempt to access elements out of the defined range.
So close, but not really it. std::invalid_argument fits better imo.

Resolved review threads (outdated): pdns/pdnsutil.cc, pdns/sha.hh (5 threads), pdns/zonemd.cc
Co-authored-by: Remi Gacogne <github@coredump.fr>
@chbruyand chbruyand (Member) left a comment:

Didn't dive too much into zonemdVerify() as I don't know ZONEMD and found it a bit hard to read (lots of abbreviations that are lowercased/uppercased), but LGTM as it's tested and the API is clear and speaks for itself

Resolved review threads: pdns/zonemd.cc (outdated), pdns/sha.hh
@omoerbeek omoerbeek (Member, Author) replied, quoting the above:

> Didn't dive too much into zonemdVerify() as I don't know ZONEMD and found it a bit hard to read (lots of abbreviations that are lowercased/uppercased), but LGTM as it's tested and the API is clear and speaks for itself

Good point, I'll rename some vars

@Habbie Habbie (Member) left a comment:

Awesome work. I posted a few nits, but nothing major.

Resolved review thread (outdated): pdns/sha.hh

Review thread on the following lines (Outdated):

    {
      bool operator()(const RRSetKey_t& a, const RRSetKey_t& b) const
      {
        // FIXME surely we can be smarter here
A member commented:

I believe this is my FIXME, I'll have a go at it

A member commented:

Ah yes, can't use std::tie because of the custom comparison function. I'll leave it for now.

Resolved review threads (outdated): pdns/zonemd.cc (2 threads)
@omoerbeek omoerbeek merged commit 2510786 into PowerDNS:master Jan 14, 2022
@omoerbeek omoerbeek deleted the zonemd branch January 14, 2022 10:48
@omoerbeek omoerbeek added this to the rec-4.7.0 milestone Feb 23, 2022
5 participants