Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
plugin/sign: fix signing of authoritative data #3479
Don't sign data we are not authoritative for. This adds an AuthWalk
A number of changes have been made:
Bulk of the code is new tests cases. The gist is file/tree/authwalk.go and sign/signer.go
Signed-off-by: Miek Gieben firstname.lastname@example.org
Thank you for your contribution. I've just checked the OWNERS files to find a suitable reviewer. This search was successful and I've asked chrisohaver (via
@@ Coverage Diff @@ ## master #3479 +/- ## ========================================== - Coverage 56.66% 56.64% -0.03% ========================================== Files 221 222 +1 Lines 11027 11041 +14 ========================================== + Hits 6249 6254 +5 - Misses 4294 4308 +14 + Partials 484 479 -5
Don't sign data we are not authoritative for. This adds an AuthWalk which skips names we should not authoritative for. Adds a few tests to check this is the case. Generates zones have been compared to dnssec-signzone. A number of changes have been made: * don't add DS records to the apex * NSEC TTL is the SOA's minttl value (copying bind9) * Various cleanups * signer struct was cleaned up: doesn't need ttl, nor expiration or inception. * plugin/sign: remove apex stuff from names() This is never used because we will always have other types in the apex, because we *ADD* them ourselves, before we sign (DNSKEY, CDS and CDNSKEY). Signed-off-by: Miek Gieben <email@example.com> Co-Authored-By: Chris O'Haver <firstname.lastname@example.org>
[ Quoting <email@example.com> in "Re: [coredns/coredns] plugin/sign: ..." ]
chrisohaver approved this pull request. LGTM - Although I don't yet fully understand NSEC type bitmaps, and therefore can't verify that change. But otherwise LGTM.
Thanks. I'm running this on my personal server and done some checks. I'll inspect more, but it should be good (fingers crossed).