mirror of
https://github.com/coredns/coredns.git
synced 2025-11-18 09:52:17 -05:00
Add middleware/dnssec (#133)
This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies.
This commit is contained in:
Miek Gieben
24
middleware/dnssec/black_lies.go
Normal file
24
middleware/dnssec/black_lies.go
Normal file
@@ -0,0 +1,24 @@
|
||||
package dnssec
|
||||
|
||||
import "github.com/miekg/dns"
|
||||
|
||||
// nsec returns an NSEC useful for NXDOMAIN respsones.
|
||||
// See https://tools.ietf.org/html/draft-valsorda-dnsop-black-lies-00
|
||||
// For example, a request for the non-existing name a.example.com would
|
||||
// cause the following NSEC record to be generated:
|
||||
// a.example.com. 3600 IN NSEC \000.a.example.com. ( RRSIG NSEC )
|
||||
// This inturn makes every NXDOMAIN answer a NODATA one, don't forget to flip
|
||||
// the header rcode to NOERROR.
|
||||
func (d Dnssec) nsec(name, zone string, ttl, incep, expir uint32) ([]dns.RR, error) {
|
||||
nsec := &dns.NSEC{}
|
||||
nsec.Hdr = dns.RR_Header{Name: name, Ttl: ttl, Class: dns.ClassINET, Rrtype: dns.TypeNSEC}
|
||||
nsec.NextDomain = "\\000." + name
|
||||
nsec.TypeBitMap = []uint16{dns.TypeRRSIG, dns.TypeNSEC}
|
||||
|
||||
sigs, err := d.sign([]dns.RR{nsec}, zone, ttl, incep, expir)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return append(sigs, nsec), nil
|
||||
}
|
||||
Reference in New Issue
Block a user