plugin/dnssec; insert and sign DS records (#1153)

* plugin/dnssec; insert and sign DS records Sign a delegation as well and insert DS records. Fixes #698 * better
2025-10-27 16:24:19 -04:00 · 2017-10-20 09:22:02 +01:00
parent 73d702c052
commit 11203e440d
6 changed files with 57 additions and 33 deletions
--- a/plugin/dnssec/dnssec.go
+++ b/plugin/dnssec/dnssec.go
@@ -35,20 +35,30 @@ func New(zones []string, keys []*DNSKEY, next plugin.Handler, c *cache.Cache) Dn
 }

 // Sign signs the message in state. it takes care of negative or nodata responses. It
-// uses NSEC black lies for authenticated denial of existence. Signatures
-// creates will be cached for a short while. By default we sign for 8 days,
+// uses NSEC black lies for authenticated denial of existence. For delegations it
+// will insert DS records and sign those.
+// Signatures will be cached for a short while. By default we sign for 8 days,
 // starting 3 hours ago.
 func (d Dnssec) Sign(state request.Request, zone string, now time.Time) *dns.Msg {
 	req := state.Req

+	incep, expir := incepExpir(now)
+
 	mt, _ := response.Typify(req, time.Now().UTC()) // TODO(miek): need opt record here?
 	if mt == response.Delegation {
-		// TODO(miek): uh, signing DS record?!?!
+		ttl := req.Ns[0].Header().Ttl
+
+		ds := []dns.RR{}
+		for i := range d.keys {
+			ds = append(ds, d.keys[i].D)
+		}
+		if sigs, err := d.sign(ds, zone, ttl, incep, expir); err == nil {
+			req.Ns = append(req.Ns, ds...)
+			req.Ns = append(req.Ns, sigs...)
+		}
 		return req
 	}

-	incep, expir := incepExpir(now)
-
 	if mt == response.NameError || mt == response.NoData {
 		if req.Ns[0].Header().Rrtype != dns.TypeSOA || len(req.Ns) > 1 {
 			return req