plugin/sign: fix signing of authoritative data
Don't sign data we are not authoritative for. This adds an AuthWalk which skips names we are not authoritative for. Adds a few tests to check this is the case. Generated zones have been compared to dnssec-signzone. A number of changes have been made: * don't add DS records to the apex * NSEC TTL is the SOA's minttl value (copying bind9) * Various cleanups * signer struct was cleaned up: doesn't need ttl, nor expiration or inception. * plugin/sign: remove apex stuff from names() This is never used because we will always have other types in the apex, because we *ADD* them ourselves, before we sign (DNSKEY, CDS and CDNSKEY). Signed-off-by: Miek Gieben <miek@miek.nl>
Showing
9 changed files
with
231 additions
and
70 deletions.
@@ -0,0 +1,58 @@ | ||
package tree | ||
|
||
import ( | ||
"github.com/miekg/dns" | ||
) | ||
|
||
// AuthWalk performs fn on all authoritative values stored in the tree in | ||
// pre-order depth first. If a non-nil error is returned the AuthWalk was interrupted | ||
// by an fn returning that error. If fn alters stored values' sort | ||
// relationships, future tree operation behaviors are undefined. | ||
// | ||
// The fn function will be called with 3 arguments, the current element, a map containing all | ||
// the RRs for this element and a boolean if this name is considered authoritative. | ||
func (t *Tree) AuthWalk(fn func(*Elem, map[uint16][]dns.RR, bool) error) error { | ||
if t.Root == nil { | ||
return nil | ||
} | ||
return t.Root.authwalk(make(map[string]struct{}), fn) | ||
} | ||
|
||
func (n *Node) authwalk(ns map[string]struct{}, fn func(*Elem, map[uint16][]dns.RR, bool) error) error { | ||
if n.Left != nil { | ||
if err := n.Left.authwalk(ns, fn); err != nil { | ||
return err | ||
} | ||
} | ||
|
||
// Check if the current name is a subdomain of *any* of the delegated names we've seen, if so, skip this name. | ||
// The ordering of the tree and how we walk if guarantees we see parents first. | ||
if n.Elem.Type(dns.TypeNS) != nil { | ||
ns[n.Elem.Name()] = struct{}{} | ||
} | ||
|
||
auth := true | ||
i := 0 | ||
for { | ||
j, end := dns.NextLabel(n.Elem.Name(), i) | ||
if end { | ||
break | ||
} | ||
if _, ok := ns[n.Elem.Name()[j:]]; ok { | ||
auth = false | ||
break | ||
} | ||
i++ | ||
} | ||
|
||
if err := fn(n.Elem, n.Elem.m, auth); err != nil { | ||
return err | ||
} | ||
|
||
if n.Right != nil { | ||
if err := n.Right.authwalk(ns, fn); err != nil { | ||
return err | ||
} | ||
} | ||
return nil | ||
} |
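Review bot: The delegation lookup `ns[n.Elem.Name()[j:]]` is an exact-match map keyed by the name as stored, so a delegation written as `Child.miek.nl.` and records under `a.child.miek.nl.` would not match and those records would be reported authoritative (and signed) although DNS names compare case-insensitively; unless the zone loader is known to normalise case, key and look up the map through `strings.ToLower(...)` on both sides (the insert on line 52 and the lookup on line 63, with `"strings"` added to the imports). The loop also advances with `i++`, which is a byte offset for dns.NextLabel, so the same suffix is returned and looked up once per byte of the preceding label; `i = j` moves to the next label directly and gives the same result. The doc comment says the walk is pre-order, but the code visits Left, then the node, then Right, i.e. in-order, which is exactly what makes the "parents first" claim hold under the tree's canonical ordering; I would reword it as `// AuthWalk performs fn on all authoritative values stored in the tree in in-order depth first.` and fix "how we walk if guarantees" to "how we walk it guarantees". Finally, the walk relies on the zone's own apex NS set not being in the tree (otherwise every name under the origin would be marked non-authoritative); the apex appears to be held outside the tree by the caller, but a one-line comment stating that assumption above line 51 would help the next reader.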
@@ -0,0 +1,27 @@ | ||
package sign | ||
|
||
import ( | ||
"os" | ||
"testing" | ||
|
||
"github.com/coredns/coredns/plugin/file" | ||
) | ||
|
||
func TestNames(t *testing.T) { | ||
f, err := os.Open("testdata/db.miek.nl_ns") | ||
if err != nil { | ||
t.Error(err) | ||
} | ||
z, err := file.Parse(f, "db.miek.nl_ns", "miek.nl", 0) | ||
if err != nil { | ||
t.Error(err) | ||
} | ||
|
||
names := names("miek.nl.", z) | ||
expected := []string{"miek.nl.", "child.miek.nl.", "www.miek.nl."} | ||
for i := range names { | ||
if names[i] != expected[i] { | ||
t.Errorf("Expected %s, got %s", expected[i], names[i]) | ||
} | ||
} | ||
} |
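Review bot: The comparison loop on lines 119-123 ranges over `names`, so if names() returns fewer entries than expected (e.g. drops `www.miek.nl.`) the test passes silently, and if it returns more (e.g. leaks a name under the `child.miek.nl.` delegation that must not be signed) it fails only by an index-out-of-range panic on `expected[i]`; a length check before the loop makes both cases an explicit failure. The `t.Error(err)` calls after os.Open and file.Parse let the test continue with a nil `f` or `z`, which will panic instead of reporting the real error; `t.Fatal(err)` is the right call there, and the opened file is never closed, so add `defer f.Close()`. The local `names := names(...)` also shadows the function under test, which works but reads oddly; a name like `got` avoids it.
```go
func TestNames(t *testing.T) {
	f, err := os.Open("testdata/db.miek.nl_ns")
	if err != nil {
		t.Fatal(err)
	}
	defer f.Close()
	z, err := file.Parse(f, "db.miek.nl_ns", "miek.nl", 0)
	if err != nil {
		t.Fatal(err)
	}

	got := names("miek.nl.", z)
	expected := []string{"miek.nl.", "child.miek.nl.", "www.miek.nl."}
	if len(got) != len(expected) {
		t.Fatalf("Expected %d names %v, got %d names %v", len(expected), expected, len(got), got)
	}
	// … unchanged: per-element comparison loop (over got instead of names) …
}
```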