TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 4 Projects Releases Packages Wiki Activity Actions
coredns/plugin/dnssec/black_lies.go
jeremiejig 13e66918e3
plugin/dnssec: on delegation, sign DS or NSEC of no DS. (#5899) 
* When returning NS for delegation point, we sign any DS Record or if not
  found we generate a NSEC proving absence of DS. This follow behaviour
  describe in rfc4035 (Section 3.1.4)
* DS request at apex behave as before.
* Fix edge case of requesting NSEC which prove that NSEC does not exist.

Signed-off-by: Jeremiejig <me@jeremiejig.fr>
2023-04-22 22:32:01 +02:00

79 lines
3 KiB
Go
Raw Blame History

package dnssec
import (
"strings"
"github.com/coredns/coredns/plugin/pkg/response"
"github.com/coredns/coredns/request"
"github.com/miekg/dns"
)
// nsec returns an NSEC useful for NXDOMAIN responses.
// See https://tools.ietf.org/html/draft-valsorda-dnsop-black-lies-00
// For example, a request for the non-existing name a.example.com would
// cause the following NSEC record to be generated:
//
// a.example.com. 3600 IN NSEC \000.a.example.com. ( RRSIG NSEC ... )
//
// This inturn makes every NXDOMAIN answer a NODATA one, don't forget to flip
// the header rcode to NOERROR.
func (d Dnssec) nsec(state request.Request, mt response.Type, ttl, incep, expir uint32, server string) ([]dns.RR, error) {
nsec := &dns.NSEC{}
nsec.Hdr = dns.RR_Header{Name: state.QName(), Ttl: ttl, Class: dns.ClassINET, Rrtype: dns.TypeNSEC}
nsec.NextDomain = "\\000." + state.QName()
if state.QName() == "." {
nsec.NextDomain = "\\000." // If You want to play as root server
}
if state.Name() == state.Zone {
nsec.TypeBitMap = filter18(state.QType(), apexBitmap, mt)
} else if mt == response.Delegation || state.QType() == dns.TypeDS {
nsec.TypeBitMap = delegationBitmap[:]
if mt == response.Delegation {
labels := dns.SplitDomainName(state.QName())
labels[0] += "\\000"
nsec.NextDomain = strings.Join(labels, ".") + "."
}
} else {
nsec.TypeBitMap = filter14(state.QType(), zoneBitmap, mt)
}
sigs, err := d.sign([]dns.RR{nsec}, state.Zone, ttl, incep, expir, server)
if err != nil {
return nil, err
}
return append(sigs, nsec), nil
}
// The NSEC bit maps we return.
var (
delegationBitmap = [...]uint16{dns.TypeA, dns.TypeNS, dns.TypeHINFO, dns.TypeTXT, dns.TypeAAAA, dns.TypeLOC, dns.TypeSRV, dns.TypeCERT, dns.TypeSSHFP, dns.TypeRRSIG, dns.TypeNSEC, dns.TypeTLSA, dns.TypeHIP, dns.TypeOPENPGPKEY, dns.TypeSPF}
zoneBitmap = [...]uint16{dns.TypeA, dns.TypeHINFO, dns.TypeTXT, dns.TypeAAAA, dns.TypeLOC, dns.TypeSRV, dns.TypeCERT, dns.TypeSSHFP, dns.TypeRRSIG, dns.TypeNSEC, dns.TypeTLSA, dns.TypeHIP, dns.TypeOPENPGPKEY, dns.TypeSPF}
apexBitmap = [...]uint16{dns.TypeA, dns.TypeNS, dns.TypeSOA, dns.TypeHINFO, dns.TypeMX, dns.TypeTXT, dns.TypeAAAA, dns.TypeLOC, dns.TypeSRV, dns.TypeCERT, dns.TypeSSHFP, dns.TypeRRSIG, dns.TypeNSEC, dns.TypeDNSKEY, dns.TypeTLSA, dns.TypeHIP, dns.TypeOPENPGPKEY, dns.TypeSPF}
)
// filter14 filters out t from bitmap (if it exists). If mt is not an NODATA response, just return the entire bitmap.
func filter14(t uint16, bitmap [14]uint16, mt response.Type) []uint16 {
if mt != response.NoData && mt != response.NameError || t == dns.TypeNSEC {
return zoneBitmap[:]
}
for i := range bitmap {
if bitmap[i] == t {
return append(bitmap[:i], bitmap[i+1:]...)
}
}
return zoneBitmap[:] // make a slice
}
func filter18(t uint16, bitmap [18]uint16, mt response.Type) []uint16 {
if mt != response.NoData && mt != response.NameError || t == dns.TypeNSEC {
return apexBitmap[:]
}
for i := range bitmap {
if bitmap[i] == t {
return append(bitmap[:i], bitmap[i+1:]...)
}
}
return apexBitmap[:] // make a slice
}
Reference in a new issue View git blame Copy permalink