coredns/plugin/dnssec/dnskey.go

package dnssec

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/rsa"
	"errors"
	"os"
	"time"

	"github.com/coredns/coredns/request"

	"github.com/miekg/dns"
)

// DNSKEY holds a DNSSEC public and private key used for on-the-fly signing.
type DNSKEY struct {
	K   *dns.DNSKEY
	D   *dns.DS
	s   crypto.Signer
	tag uint16
}

// ParseKeyFile read a DNSSEC keyfile as generated by dnssec-keygen or other
// utilities. It adds ".key" for the public key and ".private" for the private key.
func ParseKeyFile(pubFile, privFile string) (*DNSKEY, error) {
	f, e := os.Open(pubFile)
	if e != nil {
		return nil, e
	}
	defer f.Close()
	k, e := dns.ReadRR(f, pubFile)
	if e != nil {
		return nil, e
	}

	f, e = os.Open(privFile)
	if e != nil {
		return nil, e
	}
	defer f.Close()

	dk, ok := k.(*dns.DNSKEY)
	if !ok {
		return nil, errors.New("no public key found")
	}
	p, e := dk.ReadPrivateKey(f, privFile)
	if e != nil {
		return nil, e
	}

	if s, ok := p.(*rsa.PrivateKey); ok {
		return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: s, tag: dk.KeyTag()}, nil
	}
	if s, ok := p.(*ecdsa.PrivateKey); ok {
		return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: s, tag: dk.KeyTag()}, nil
	}
	return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: nil, tag: 0}, errors.New("no private key found")
}

// getDNSKEY returns the correct DNSKEY to the client. Signatures are added when do is true.
func (d Dnssec) getDNSKEY(state request.Request, zone string, do bool, server string) *dns.Msg {
	keys := make([]dns.RR, len(d.keys))
	for i, k := range d.keys {
		keys[i] = dns.Copy(k.K)
		keys[i].Header().Name = zone
	}
	m := new(dns.Msg)
	m.SetReply(state.Req)
	m.Answer = keys
	if !do {
		return m
	}

	incep, expir := incepExpir(time.Now().UTC())
	if sigs, err := d.sign(keys, zone, 3600, incep, expir, server); err == nil {
		m.Answer = append(m.Answer, sigs...)
	}
	return m
}

// Return true iff this is a zone key with the SEP bit unset. This implies a ZSK (rfc4034 2.1.1).
func (k DNSKEY) isZSK() bool {
	return k.K.Flags&(1<<8) == (1<<8) && k.K.Flags&1 == 0
}

// Return true iff this is a zone key with the SEP bit set. This implies a KSK (rfc4034 2.1.1).
func (k DNSKEY) isKSK() bool {
	return k.K.Flags&(1<<8) == (1<<8) && k.K.Flags&1 == 1
}
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`package dnssec`

			`import (`
			`"crypto"`
			`"crypto/ecdsa"`
			`"crypto/rsa"`
			`"errors"`
			`"os"`
			`"time"`

Fix import path `github.com/miekg/coredns` -> `github.com/coredns/coredns` (#547) This fix fixes import path from `github.com/miekg/coredns` -> `github.com/coredns/coredns` 2017-02-21 22:51:47 -08:00			`"github.com/coredns/coredns/request"`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00
			`"github.com/miekg/dns"`
			`)`

Golint2 (#280) * Fix linter errors * More linting fixes * More docs and making members private that dont need to be public * Fix linter errors * More linting fixes * More docs and making members private that dont need to be public * More lint fixes This leaves: ~~~ middleware/kubernetes/nametemplate/nametemplate.go:64:6: exported type NameTemplate should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:71:1: exported method NameTemplate.SetTemplate should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:108:1: exported method NameTemplate.GetZoneFromSegmentArray should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:116:1: exported method NameTemplate.GetNamespaceFromSegmentArray should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:120:1: exported method NameTemplate.GetServiceFromSegmentArray should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:124:1: exported method NameTemplate.GetTypeFromSegmentArray should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:135:1: exported method NameTemplate.GetSymbolFromSegmentArray should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:167:1: exported method NameTemplate.IsValid should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:182:6: exported type NameValues should have comment or be unexported middleware/kubernetes/util/util.go:1:1: package comment should be of the form "Package util ..." middleware/kubernetes/util/util.go:27:2: exported const WildcardStar should have comment (or a comment on this block) or be unexported middleware/proxy/lookup.go:66:1: exported method Proxy.Forward should have comment or be unexported middleware/proxy/proxy.go:24:6: exported type Client should have comment or be unexported middleware/proxy/proxy.go:107:1: exported function Clients should have comment or be unexported middleware/proxy/reverseproxy.go:10:6: exported type ReverseProxy should have comment or be unexported middleware/proxy/reverseproxy.go:16:1: exported method ReverseProxy.ServeDNS should have comment or be unexported middleware/proxy/upstream.go:42:6: exported type Options should have comment or be unexported ~~~ I plan on reworking the proxy anyway, so I'll leave that be. 2016-09-23 09:14:12 +01:00			`// DNSKEY holds a DNSSEC public and private key used for on-the-fly signing.`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`type DNSKEY struct {`
plugin/dnssec; insert and sign DS records (#1153) * plugin/dnssec; insert and sign DS records Sign a delegation as well and insert DS records. Fixes #698 * better 2017-10-20 09:22:02 +01:00			`K *dns.DNSKEY`
			`D *dns.DS`
			`s crypto.Signer`
			`tag uint16`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`

			`// ParseKeyFile read a DNSSEC keyfile as generated by dnssec-keygen or other`
			`// utilities. It adds ".key" for the public key and ".private" for the private key.`
			`func ParseKeyFile(pubFile, privFile string) (*DNSKEY, error) {`
			`f, e := os.Open(pubFile)`
			`if e != nil {`
			`return nil, e`
			`}`
plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) * plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation 2018-10-20 17:35:59 +02:00			`defer f.Close()`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`k, e := dns.ReadRR(f, pubFile)`
			`if e != nil {`
			`return nil, e`
			`}`

			`f, e = os.Open(privFile)`
			`if e != nil {`
			`return nil, e`
			`}`
plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) * plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation 2018-10-20 17:35:59 +02:00			`defer f.Close()`
plugin/dnssec; insert and sign DS records (#1153) * plugin/dnssec; insert and sign DS records Sign a delegation as well and insert DS records. Fixes #698 * better 2017-10-20 09:22:02 +01:00
readme: more tests (#1184) * readme: more tests Add dnssec and file plugin to the test readme. This requires creating a bunch of files with the right content. Doing so already unconvered an unconditional type assertion in DNSSEC. This PR will include the fix for that as well. Also extended the snippets in the file plugin README, so that they are whole Corefile - showing more value and checking all corefile snippets. Create outliner right now is the kubernetes plugin, because even setting the right env vars will result in: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory": Which we can't create for a test. * lint 2017-10-31 07:14:49 +00:00			`dk, ok := k.(*dns.DNSKEY)`
			`if !ok {`
			`return nil, errors.New("no public key found")`
			`}`
plugin/dnssec; insert and sign DS records (#1153) * plugin/dnssec; insert and sign DS records Sign a delegation as well and insert DS records. Fixes #698 * better 2017-10-20 09:22:02 +01:00			`p, e := dk.ReadPrivateKey(f, privFile)`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`if e != nil {`
			`return nil, e`
			`}`

plugin/dnssec; insert and sign DS records (#1153) * plugin/dnssec; insert and sign DS records Sign a delegation as well and insert DS records. Fixes #698 * better 2017-10-20 09:22:02 +01:00			`if s, ok := p.(*rsa.PrivateKey); ok {`
			`return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: s, tag: dk.KeyTag()}, nil`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
plugin/dnssec; insert and sign DS records (#1153) * plugin/dnssec; insert and sign DS records Sign a delegation as well and insert DS records. Fixes #698 * better 2017-10-20 09:22:02 +01:00			`if s, ok := p.(*ecdsa.PrivateKey); ok {`
			`return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: s, tag: dk.KeyTag()}, nil`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
readme: more tests (#1184) * readme: more tests Add dnssec and file plugin to the test readme. This requires creating a bunch of files with the right content. Doing so already unconvered an unconditional type assertion in DNSSEC. This PR will include the fix for that as well. Also extended the snippets in the file plugin README, so that they are whole Corefile - showing more value and checking all corefile snippets. Create outliner right now is the kubernetes plugin, because even setting the right env vars will result in: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory": Which we can't create for a test. * lint 2017-10-31 07:14:49 +00:00			`return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: nil, tag: 0}, errors.New("no private key found")`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`

			`// getDNSKEY returns the correct DNSKEY to the client. Signatures are added when do is true.`
plugin/dnssec: add per server metrics (#1743) * plugin/dnssec: add per server metrics final plugin. Fixes #1696 #1492 #1189 * Move cache cap into handler so we can access the server label * Remove cache-capacity from it entirely 2018-04-27 19:37:31 +01:00			`func (d Dnssec) getDNSKEY(state request.Request, zone string, do bool, server string) *dns.Msg {`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`keys := make([]dns.RR, len(d.keys))`
			`for i, k := range d.keys {`
			`keys[i] = dns.Copy(k.K)`
			`keys[i].Header().Name = zone`
			`}`
			`m := new(dns.Msg)`
			`m.SetReply(state.Req)`
			`m.Answer = keys`
			`if !do {`
			`return m`
			`}`

			`incep, expir := incepExpir(time.Now().UTC())`
plugin/dnssec: add per server metrics (#1743) * plugin/dnssec: add per server metrics final plugin. Fixes #1696 #1492 #1189 * Move cache cap into handler so we can access the server label * Remove cache-capacity from it entirely 2018-04-27 19:37:31 +01:00			`if sigs, err := d.sign(keys, zone, 3600, incep, expir, server); err == nil {`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`m.Answer = append(m.Answer, sigs...)`
			`}`
			`return m`
			`}`
plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) * plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation 2018-10-20 17:35:59 +02:00
			`// Return true iff this is a zone key with the SEP bit unset. This implies a ZSK (rfc4034 2.1.1).`
			`func (k DNSKEY) isZSK() bool {`
fix formatting (#2302) 2018-11-13 16:46:48 -05:00			`return k.K.Flags&(1<<8) == (1<<8) && k.K.Flags&1 == 0`
plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) * plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation 2018-10-20 17:35:59 +02:00			`}`

			`// Return true iff this is a zone key with the SEP bit set. This implies a KSK (rfc4034 2.1.1).`
			`func (k DNSKEY) isKSK() bool {`
fix formatting (#2302) 2018-11-13 16:46:48 -05:00			`return k.K.Flags&(1<<8) == (1<<8) && k.K.Flags&1 == 1`
plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) * plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation 2018-10-20 17:35:59 +02:00			`}`