a53321d9d6
Don't sign data we are not authoritative for. This adds an AuthWalk which skips names we should not authoritative for. Adds a few tests to check this is the case. Generates zones have been compared to dnssec-signzone. A number of changes have been made: * don't add DS records to the apex * NSEC TTL is the SOA's minttl value (copying bind9) * Various cleanups * signer struct was cleaned up: doesn't need ttl, nor expiration or inception. * plugin/sign: remove apex stuff from names() This is never used because we will always have other types in the apex, because we *ADD* them ourselves, before we sign (DNSKEY, CDS and CDNSKEY). Signed-off-by: Miek Gieben <miek@miek.nl> Co-Authored-By: Chris O'Haver <cohaver@infoblox.com>
36 lines
1,020 B
Go
36 lines
1,020 B
Go
package sign
|
|
|
|
import (
|
|
"sort"
|
|
|
|
"github.com/coredns/coredns/plugin/file"
|
|
"github.com/coredns/coredns/plugin/file/tree"
|
|
|
|
"github.com/miekg/dns"
|
|
)
|
|
|
|
// names returns the elements of the zone in nsec order.
|
|
func names(origin string, z *file.Zone) []string {
|
|
// There will also be apex records other than NS and SOA (who are kept separate), as we
|
|
// are adding DNSKEY and CDS/CDNSKEY records in the apex *before* we sign.
|
|
n := []string{}
|
|
z.AuthWalk(func(e *tree.Elem, _ map[uint16][]dns.RR, auth bool) error {
|
|
if !auth {
|
|
return nil
|
|
}
|
|
n = append(n, e.Name())
|
|
return nil
|
|
})
|
|
return n
|
|
}
|
|
|
|
// NSEC returns an NSEC record according to name, next, ttl and bitmap. Note that the bitmap is sorted before use.
|
|
func NSEC(name, next string, ttl uint32, bitmap []uint16) *dns.NSEC {
|
|
sort.Slice(bitmap, func(i, j int) bool { return bitmap[i] < bitmap[j] })
|
|
|
|
return &dns.NSEC{
|
|
Hdr: dns.RR_Header{Name: name, Ttl: ttl, Rrtype: dns.TypeNSEC, Class: dns.ClassINET},
|
|
NextDomain: next,
|
|
TypeBitMap: bitmap,
|
|
}
|
|
}
|