plugin/dnssec/black_lies.go

package dnssec

import (
	"github.com/coredns/coredns/plugin/pkg/response"
	"github.com/coredns/coredns/request"

	"github.com/miekg/dns"
)

// nsec returns an NSEC useful for NXDOMAIN respsones.
// See https://tools.ietf.org/html/draft-valsorda-dnsop-black-lies-00
// For example, a request for the non-existing name a.example.com would
// cause the following NSEC record to be generated:
//	a.example.com. 3600 IN NSEC \000.a.example.com. ( RRSIG NSEC ... )
// This inturn makes every NXDOMAIN answer a NODATA one, don't forget to flip
// the header rcode to NOERROR.
func (d Dnssec) nsec(state request.Request, mt response.Type, ttl, incep, expir uint32, server string) ([]dns.RR, error) {
	nsec := &dns.NSEC{}
	nsec.Hdr = dns.RR_Header{Name: state.QName(), Ttl: ttl, Class: dns.ClassINET, Rrtype: dns.TypeNSEC}
	nsec.NextDomain = "\\000." + state.QName()
	if state.Name() == state.Zone {
		nsec.TypeBitMap = filter18(state.QType(), apexBitmap, mt)
	} else {
		nsec.TypeBitMap = filter14(state.QType(), zoneBitmap, mt)
	}

	sigs, err := d.sign([]dns.RR{nsec}, state.Zone, ttl, incep, expir, server)
	if err != nil {
		return nil, err
	}

	return append(sigs, nsec), nil
}

// The NSEC bit maps we return.
var (
	zoneBitmap = [...]uint16{dns.TypeA, dns.TypeHINFO, dns.TypeTXT, dns.TypeAAAA, dns.TypeLOC, dns.TypeSRV, dns.TypeCERT, dns.TypeSSHFP, dns.TypeRRSIG, dns.TypeNSEC, dns.TypeTLSA, dns.TypeHIP, dns.TypeOPENPGPKEY, dns.TypeSPF}
	apexBitmap = [...]uint16{dns.TypeA, dns.TypeNS, dns.TypeSOA, dns.TypeHINFO, dns.TypeMX, dns.TypeTXT, dns.TypeAAAA, dns.TypeLOC, dns.TypeSRV, dns.TypeCERT, dns.TypeSSHFP, dns.TypeRRSIG, dns.TypeNSEC, dns.TypeDNSKEY, dns.TypeTLSA, dns.TypeHIP, dns.TypeOPENPGPKEY, dns.TypeSPF}
)

// filter14 filters out t from bitmap (if it exists). If mt is not an NODATA response, just return the entire bitmap.
func filter14(t uint16, bitmap [14]uint16, mt response.Type) []uint16 {
	if mt != response.NoData && mt != response.NameError {
		return zoneBitmap[:]
	}
	for i := range bitmap {
		if bitmap[i] == t {
			return append(bitmap[:i], bitmap[i+1:]...)
		}
	}
	return zoneBitmap[:] // make a slice
}

func filter18(t uint16, bitmap [18]uint16, mt response.Type) []uint16 {
	if mt != response.NoData && mt != response.NameError {
		return apexBitmap[:]
	}
	for i := range bitmap {
		if bitmap[i] == t {
			return append(bitmap[:i], bitmap[i+1:]...)
		}
	}
	return apexBitmap[:] // make a slice
}
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`package dnssec`

plugin/dnssec: implement shotgun from CloudFlare (#1305) * plugin/dnssec: implement shotgun from CloudFlare Put a whole bunch of types in the NSEC bitmap and remove the one that's being asked for. Add more records for queries to the apex, SOA, DNSKEY, MX. 2018-01-03 11:11:56 +00:00			`import (`
			`"github.com/coredns/coredns/plugin/pkg/response"`
			`"github.com/coredns/coredns/request"`

			`"github.com/miekg/dns"`
			`)`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00
			`// nsec returns an NSEC useful for NXDOMAIN respsones.`
			`// See https://tools.ietf.org/html/draft-valsorda-dnsop-black-lies-00`
			`// For example, a request for the non-existing name a.example.com would`
			`// cause the following NSEC record to be generated:`
plugin/dnssec: implement shotgun from CloudFlare (#1305) * plugin/dnssec: implement shotgun from CloudFlare Put a whole bunch of types in the NSEC bitmap and remove the one that's being asked for. Add more records for queries to the apex, SOA, DNSKEY, MX. 2018-01-03 11:11:56 +00:00			`// a.example.com. 3600 IN NSEC \000.a.example.com. ( RRSIG NSEC ... )`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`// This inturn makes every NXDOMAIN answer a NODATA one, don't forget to flip`
			`// the header rcode to NOERROR.`
plugin/dnssec: add per server metrics (#1743) * plugin/dnssec: add per server metrics final plugin. Fixes #1696 #1492 #1189 * Move cache cap into handler so we can access the server label * Remove cache-capacity from it entirely 2018-04-27 19:37:31 +01:00			`func (d Dnssec) nsec(state request.Request, mt response.Type, ttl, incep, expir uint32, server string) ([]dns.RR, error) {`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`nsec := &dns.NSEC{}`
plugin/dnssec: implement shotgun from CloudFlare (#1305) * plugin/dnssec: implement shotgun from CloudFlare Put a whole bunch of types in the NSEC bitmap and remove the one that's being asked for. Add more records for queries to the apex, SOA, DNSKEY, MX. 2018-01-03 11:11:56 +00:00			`nsec.Hdr = dns.RR_Header{Name: state.QName(), Ttl: ttl, Class: dns.ClassINET, Rrtype: dns.TypeNSEC}`
			`nsec.NextDomain = "\\000." + state.QName()`
			`if state.Name() == state.Zone {`
			`nsec.TypeBitMap = filter18(state.QType(), apexBitmap, mt)`
			`} else {`
			`nsec.TypeBitMap = filter14(state.QType(), zoneBitmap, mt)`
			`}`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00
plugin/dnssec: add per server metrics (#1743) * plugin/dnssec: add per server metrics final plugin. Fixes #1696 #1492 #1189 * Move cache cap into handler so we can access the server label * Remove cache-capacity from it entirely 2018-04-27 19:37:31 +01:00			`sigs, err := d.sign([]dns.RR{nsec}, state.Zone, ttl, incep, expir, server)`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`if err != nil {`
			`return nil, err`
			`}`

			`return append(sigs, nsec), nil`
			`}`
plugin/dnssec: implement shotgun from CloudFlare (#1305) * plugin/dnssec: implement shotgun from CloudFlare Put a whole bunch of types in the NSEC bitmap and remove the one that's being asked for. Add more records for queries to the apex, SOA, DNSKEY, MX. 2018-01-03 11:11:56 +00:00
			`// The NSEC bit maps we return.`
			`var (`
			`zoneBitmap = [...]uint16{dns.TypeA, dns.TypeHINFO, dns.TypeTXT, dns.TypeAAAA, dns.TypeLOC, dns.TypeSRV, dns.TypeCERT, dns.TypeSSHFP, dns.TypeRRSIG, dns.TypeNSEC, dns.TypeTLSA, dns.TypeHIP, dns.TypeOPENPGPKEY, dns.TypeSPF}`
			`apexBitmap = [...]uint16{dns.TypeA, dns.TypeNS, dns.TypeSOA, dns.TypeHINFO, dns.TypeMX, dns.TypeTXT, dns.TypeAAAA, dns.TypeLOC, dns.TypeSRV, dns.TypeCERT, dns.TypeSSHFP, dns.TypeRRSIG, dns.TypeNSEC, dns.TypeDNSKEY, dns.TypeTLSA, dns.TypeHIP, dns.TypeOPENPGPKEY, dns.TypeSPF}`
			`)`

plugin/dnssec: fix blacklies for NXDOMAIN (#1399) * plugin/dnssec: filter bitmap also for NXDOMAIN responses We change nxdomain to nodata, so at the point when we receive the reply it can be nxdomain or nodata. In both cases we should filter the nsec bitmap. Change the code and add explicit tests for this. * More tests 2018-01-18 13:07:23 +00:00			`// filter14 filters out t from bitmap (if it exists). If mt is not an NODATA response, just return the entire bitmap.`
plugin/dnssec: implement shotgun from CloudFlare (#1305) * plugin/dnssec: implement shotgun from CloudFlare Put a whole bunch of types in the NSEC bitmap and remove the one that's being asked for. Add more records for queries to the apex, SOA, DNSKEY, MX. 2018-01-03 11:11:56 +00:00			`func filter14(t uint16, bitmap [14]uint16, mt response.Type) []uint16 {`
plugin/dnssec: fix blacklies for NXDOMAIN (#1399) * plugin/dnssec: filter bitmap also for NXDOMAIN responses We change nxdomain to nodata, so at the point when we receive the reply it can be nxdomain or nodata. In both cases we should filter the nsec bitmap. Change the code and add explicit tests for this. * More tests 2018-01-18 13:07:23 +00:00			`if mt != response.NoData && mt != response.NameError {`
plugin/dnssec: implement shotgun from CloudFlare (#1305) * plugin/dnssec: implement shotgun from CloudFlare Put a whole bunch of types in the NSEC bitmap and remove the one that's being asked for. Add more records for queries to the apex, SOA, DNSKEY, MX. 2018-01-03 11:11:56 +00:00			`return zoneBitmap[:]`
			`}`
			`for i := range bitmap {`
			`if bitmap[i] == t {`
			`return append(bitmap[:i], bitmap[i+1:]...)`
			`}`
			`}`
			`return zoneBitmap[:] // make a slice`
			`}`

			`func filter18(t uint16, bitmap [18]uint16, mt response.Type) []uint16 {`
plugin/dnssec: fix blacklies for NXDOMAIN (#1399) * plugin/dnssec: filter bitmap also for NXDOMAIN responses We change nxdomain to nodata, so at the point when we receive the reply it can be nxdomain or nodata. In both cases we should filter the nsec bitmap. Change the code and add explicit tests for this. * More tests 2018-01-18 13:07:23 +00:00			`if mt != response.NoData && mt != response.NameError {`
plugin/dnssec: implement shotgun from CloudFlare (#1305) * plugin/dnssec: implement shotgun from CloudFlare Put a whole bunch of types in the NSEC bitmap and remove the one that's being asked for. Add more records for queries to the apex, SOA, DNSKEY, MX. 2018-01-03 11:11:56 +00:00			`return apexBitmap[:]`
			`}`
			`for i := range bitmap {`
			`if bitmap[i] == t {`
			`return append(bitmap[:i], bitmap[i+1:]...)`
			`}`
			`}`
			`return apexBitmap[:] // make a slice`
			`}`