middleware/file/closest.go

package file

import "github.com/miekg/dns"

// ClosestEncloser returns the closest encloser for rr.
func (z *Zone) ClosestEncloser(qname string, qtype uint16) string {
	// tree/tree.go does not store a parent *Node pointer, so we can't
	// just follow up the tree. TODO(miek): fix.
	offset, end := dns.NextLabel(qname, 0)
	for !end {
		elem, _ := z.Tree.Search(qname, qtype)
		if elem != nil {
			return elem.Name()
		}
		qname = qname[offset:]

		offset, end = dns.NextLabel(qname, offset)
	}

	return z.Apex.SOA.Header().Name
}

// nameErrorProof finds the closest encloser and return an NSEC that proofs
// the wildcard does not exist and an NSEC that proofs the name does no exist.
func (z *Zone) nameErrorProof(qname string, qtype uint16) []dns.RR {
	elem := z.Tree.Prev(qname)
	if elem == nil {
		return nil
	}
	nsec := z.lookupNSEC(elem, true)
	nsecIndex := 0
	for i := 0; i < len(nsec); i++ {
		if nsec[i].Header().Rrtype == dns.TypeNSEC {
			nsecIndex = i
			break
		}
	}

	// We do this lookup twice, once for wildcard and once for the name proof. TODO(miek): fix
	ce := z.ClosestEncloser(qname, qtype)
	elem = z.Tree.Prev("*." + ce)
	if elem == nil {
		// Root?
		return nil
	}
	nsec1 := z.lookupNSEC(elem, true)
	nsec1Index := 0
	for i := 0; i < len(nsec1); i++ {
		if nsec1[i].Header().Rrtype == dns.TypeNSEC {
			nsec1Index = i
			break
		}
	}

	if len(nsec) == 0 || len(nsec1) == 0 {
		return nsec
	}

	// Check for duplicate NSEC.
	if nsec[nsecIndex].Header().Name == nsec1[nsec1Index].Header().Name &&
		nsec[nsecIndex].(*dns.NSEC).NextDomain == nsec1[nsec1Index].(*dns.NSEC).NextDomain {
		return nsec
	}

	return append(nsec, nsec1...)
}
add closest encloser stuff 2016-03-30 16:45:02 +00:00			`package file`

			`import "github.com/miekg/dns"`

			`// ClosestEncloser returns the closest encloser for rr.`
Use qname/qtype for lookups Drop the use of dns.RR when in fact the only thing we use is the name and type of the RR. Cleans up a bunch of stuff and also stops the weird making of dns.RRs just for a lookup. Should safe some memory as well. Fixes: #66 2016-04-02 17:49:13 +01:00			`func (z *Zone) ClosestEncloser(qname string, qtype uint16) string {`
Fix closest encloser 2016-03-30 20:13:48 +01:00			`// tree/tree.go does not store a parent *Node pointer, so we can't`
			`// just follow up the tree. TODO(miek): fix.`
Use qname/qtype for lookups Drop the use of dns.RR when in fact the only thing we use is the name and type of the RR. Cleans up a bunch of stuff and also stops the weird making of dns.RRs just for a lookup. Should safe some memory as well. Fixes: #66 2016-04-02 17:49:13 +01:00			`offset, end := dns.NextLabel(qname, 0)`
Fix closest encloser 2016-03-30 20:13:48 +01:00			`for !end {`
Use qname/qtype for lookups Drop the use of dns.RR when in fact the only thing we use is the name and type of the RR. Cleans up a bunch of stuff and also stops the weird making of dns.RRs just for a lookup. Should safe some memory as well. Fixes: #66 2016-04-02 17:49:13 +01:00			`elem, _ := z.Tree.Search(qname, qtype)`
Fix closest encloser 2016-03-30 20:13:48 +01:00			`if elem != nil {`
			`return elem.Name()`
			`}`
Use qname/qtype for lookups Drop the use of dns.RR when in fact the only thing we use is the name and type of the RR. Cleans up a bunch of stuff and also stops the weird making of dns.RRs just for a lookup. Should safe some memory as well. Fixes: #66 2016-04-02 17:49:13 +01:00			`qname = qname[offset:]`
Fix closest encloser 2016-03-30 20:13:48 +01:00
Use qname/qtype for lookups Drop the use of dns.RR when in fact the only thing we use is the name and type of the RR. Cleans up a bunch of stuff and also stops the weird making of dns.RRs just for a lookup. Should safe some memory as well. Fixes: #66 2016-04-02 17:49:13 +01:00			`offset, end = dns.NextLabel(qname, offset)`
add closest encloser stuff 2016-03-30 16:45:02 +00:00			`}`
Fix closest encloser 2016-03-30 20:13:48 +01:00
middleware/file: Support delegations (#124) Return a delegation when seeing one while traversing the tree in search of an answer. Put the SOA and NS record in the zone.Apex as these are to be handled somewhat special. Lowercase record on insert to make compares easier. This lowercases all RR that have domain names in their rdata as well. 2016-04-16 16:16:52 +01:00			`return z.Apex.SOA.Header().Name`
add closest encloser stuff 2016-03-30 16:45:02 +00:00			`}`
Add nameerror proof 2016-03-30 20:47:38 +01:00
			`// nameErrorProof finds the closest encloser and return an NSEC that proofs`
			`// the wildcard does not exist and an NSEC that proofs the name does no exist.`
Use qname/qtype for lookups Drop the use of dns.RR when in fact the only thing we use is the name and type of the RR. Cleans up a bunch of stuff and also stops the weird making of dns.RRs just for a lookup. Should safe some memory as well. Fixes: #66 2016-04-02 17:49:13 +01:00			`func (z *Zone) nameErrorProof(qname string, qtype uint16) []dns.RR {`
			`elem := z.Tree.Prev(qname)`
Add nameerror proof 2016-03-30 20:47:38 +01:00			`if elem == nil {`
			`return nil`
			`}`
			`nsec := z.lookupNSEC(elem, true)`
			`nsecIndex := 0`
			`for i := 0; i < len(nsec); i++ {`
			`if nsec[i].Header().Rrtype == dns.TypeNSEC {`
			`nsecIndex = i`
			`break`
			`}`
			`}`

Positive wildcare replies Reply to queries when you have a wildcard in the zone. This works for DNS and DNSSEC. Thing missing is NODATA responses for that specific wildcard. Add wildcard_test.go as well. 2016-03-31 09:25:22 +00:00			`// We do this lookup twice, once for wildcard and once for the name proof. TODO(miek): fix`
Use qname/qtype for lookups Drop the use of dns.RR when in fact the only thing we use is the name and type of the RR. Cleans up a bunch of stuff and also stops the weird making of dns.RRs just for a lookup. Should safe some memory as well. Fixes: #66 2016-04-02 17:49:13 +01:00			`ce := z.ClosestEncloser(qname, qtype)`
			`elem = z.Tree.Prev("*." + ce)`
Add nameerror proof 2016-03-30 20:47:38 +01:00			`if elem == nil {`
			`// Root?`
			`return nil`
			`}`
			`nsec1 := z.lookupNSEC(elem, true)`
			`nsec1Index := 0`
			`for i := 0; i < len(nsec1); i++ {`
			`if nsec1[i].Header().Rrtype == dns.TypeNSEC {`
			`nsec1Index = i`
			`break`
			`}`
			`}`

Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`if len(nsec) == 0 \|\| len(nsec1) == 0 {`
			`return nsec`
			`}`

Add nameerror proof 2016-03-30 20:47:38 +01:00			`// Check for duplicate NSEC.`
			`if nsec[nsecIndex].Header().Name == nsec1[nsec1Index].Header().Name &&`
			`nsec[nsecIndex].(dns.NSEC).NextDomain == nsec1[nsec1Index].(dns.NSEC).NextDomain {`
			`return nsec`
			`}`

			`return append(nsec, nsec1...)`
			`}`