Recursor: implement Negative Trust Anchor management and runtime Trust Anchor management #3910

Merged
merged 8 commits into from Jun 7, 2016


@pieterlexis
Member

This implementation might be a bit blunt, but it works. Please review.

Closes #3902

@rgacogne rgacogne and 1 other commented on an outdated diff May 27, 2016
pdns/rec_channel_rec.cc
@@ -341,6 +342,62 @@ string doSetCarbonServer(T begin, T end)
return ret;
}
+template<typename T>
+string doAddNTA(T begin, T end)
+{
+ if(begin == end)
+ return "No NTA specified, doing nothing\n";
+
+ auto luaconf = g_luaconfs.getLocal();
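Review bot: `luaconf` from `g_luaconfs.getLocal()` is assigned but not used in the visible part of `doAddNTA`; either drop it or use it for the lookup. In the same hunk, the `begin == end` early return hands back the "No NTA specified, doing nothing" text the same way a successful addition returns its message, and since this string is all an operator or script sees, consider making the empty-argument case clearly distinguishable (for instance by wording it as a usage error).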
@rgacogne
rgacogne May 27, 2016 Member

It looks like luaconf is unused.

@pieterlexis
pieterlexis May 27, 2016 Member

A leftover of an earlier incantation, removed.

@rgacogne rgacogne commented on an outdated diff May 30, 2016
pdns/validate.cc
@@ -165,6 +165,19 @@ cspmap_t harvestCSPFromRecs(const vector<DNSRecord>& recs)
vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
{
+ auto luaLocal = g_luaconfs.getLocal();
+
+ /* shortcut to insecure if there is negative trust anchor somewhere up in the
+ * tree
+ */
+ auto negAnchors = luaLocal->negAnchors;
+ if (!negAnchors.empty())
+ for (auto negAnchor : negAnchors)
+ if (zone.isPartOf(negAnchor.first)) {
+ LOG("Found a Negative Trust Anchor for "<<negAnchor.first<<", which was added with the message '"<<negAnchor.second<<"'. Returning Insecure."<<endl);
+ return NTA;
+ }
+
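Review bot: the log line says "Returning Insecure." but the function returns `NTA`; keep the message and the returned state consistent so log readers are not misled. Two smaller points in the same block: `auto negAnchors = luaLocal->negAnchors;` copies the whole map and `for (auto negAnchor : negAnchors)` copies each pair, so prefer `const auto&` for both, and the `if (!negAnchors.empty())` guard is redundant because a range-for over an empty container does nothing. Braces around the nested `if`/`for`/`if` would also make the flow easier to read.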
@rgacogne
rgacogne May 30, 2016 Member

Shouldn't we check whether there is a (positive) trust anchor below? If I understand correctly section 1.1 of rfc7646, we would be expected to resume validation starting with this trust anchor, right?

@pieterlexis
Member

Fixed @rgacogne's comments and added a bugfix that ensures the use of the correct, configured trust anchor (we only used the root trust anchor before)

@pieterlexis
Member

An addition on the bugfix regarding positive trust anchors: this makes the Recursor behave as specified in RFC 6840 §C.1, i.e. using the closest encounter when validating responses.
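The interaction discussed above between a Negative Trust Anchor and a positive trust anchor configured below it (RFC 7646 §1.1, with the closest anchor preferred as in RFC 6840 §C.1), as an added C++ illustration that is not part of this PR or of PowerDNS; the `Name` type, `isPartOf`, `closestAnchor` and the rule that a positive anchor wins a tie at the same name are assumptions.

```cpp
#include <algorithm>
#include <map>
#include <string>
#include <vector>

// Constructed illustration, not PowerDNS code. A name is a label vector in
// textual order, e.g. {"www","example","org"}; the root zone is the empty vector.
using Name = std::vector<std::string>;

enum class Decision { NoAnchor, NegativeAnchor, PositiveAnchor };

struct AnchorResult {
    Decision decision;
    Name anchor;         // closest matching anchor (empty for the root or none)
    std::string reason;  // NTA reason text, only set for NegativeAnchor
};

// True if 'zone' is 'anchor' or lies below it (the isPartOf() idea from the PR).
static bool isPartOf(const Name& zone, const Name& anchor) {
    if (anchor.size() > zone.size())
        return false;
    return std::equal(anchor.rbegin(), anchor.rend(), zone.rbegin());
}

// Pick the anchor closest to 'zone' (RFC 6840 Appendix C.1). An NTA only
// shortcuts validation when no positive trust anchor sits at or below it
// (RFC 7646 Section 1.1). Assumption: a positive anchor wins a tie at the same name.
AnchorResult closestAnchor(const Name& zone,
                           const std::map<Name, std::string>& negAnchors,
                           const std::vector<Name>& posAnchors) {
    int posDepth = -1, negDepth = -1;   // -1 means no matching anchor found
    Name posName, negName;
    std::string negReason;
    for (const auto& ta : posAnchors)
        if (isPartOf(zone, ta) && static_cast<int>(ta.size()) > posDepth) {
            posDepth = static_cast<int>(ta.size());
            posName = ta;
        }
    for (const auto& nta : negAnchors)
        if (isPartOf(zone, nta.first) && static_cast<int>(nta.first.size()) > negDepth) {
            negDepth = static_cast<int>(nta.first.size());
            negName = nta.first;
            negReason = nta.second;
        }
    if (negDepth > posDepth)
        return {Decision::NegativeAnchor, negName, negReason};
    if (posDepth >= 0)
        return {Decision::PositiveAnchor, posName, ""};
    return {Decision::NoAnchor, {}, ""};
}
```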

@pieterlexis pieterlexis changed the title from Recursor: implement Negative Trust Anchor management to Recursor: implement Negative Trust Anchor management and runtime Trust Anchor management Jun 3, 2016
@pieterlexis
Member

Updated to also add runtime trust anchor management

@Habbie Habbie commented on an outdated diff Jun 7, 2016
docs/manpages/rec_control.1.md
current-queries
: Shows the currently active queries.
+clear-nta [*DOMAIN*]...
+: Remove Negative Trust Anchor for one or more *DOMAIN*s. If *DOMAIN* is
+ empty, remove all configured Negative Trust Anchors.
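Review bot: the wording "If *DOMAIN* is empty" is ambiguous between an empty string and no argument at all, and with the synopsis `[*DOMAIN*]...` the no-argument form silently means "remove all"; consider requiring an explicit token such as `'*'` for the remove-all case and documenting it, so an automated caller that accidentally passes an empty list does not wipe every NTA. The entry should also state whether the removal is runtime-only or survives a restart.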
@Habbie
Habbie Jun 7, 2016 Member

'empty' or 'no domain specified'? I think we might want to be explicit here, use '*' or something. If somebody automates setting/clearing of NTAs it's pretty easy to accidentally pass an empty list.

@Habbie
Member
Habbie commented Jun 7, 2016

I approve of this PR!

@Habbie
Member
Habbie commented Jun 7, 2016

(one nit)

@pieterlexis pieterlexis merged commit 669f297 into PowerDNS:master Jun 7, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@pieterlexis pieterlexis deleted the pieterlexis:recursor-NTA branch Jun 7, 2016