Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-10-28 08:44:17 -04:00
Code Issues Packages Projects Releases Wiki Activity

plugin/dnssec: check validityperiod of RRSIGs (#1385)

Browse Source 
* plugin/dnssec: check validityperiod of RRSIGs

Somehow we missed implementing this. If a sig a retrieved from the
cache, but not valid anymore, regenerate it instead of server invalid
signatures.

Fixes #1378

* drop from cache after 3/4 validity

* six days means 6 days
This commit is contained in:
Miek Gieben
2018-01-18 10:39:22 +00:00
committed by GitHub
parent dd9fc8962c
commit 318bab7795
2 changed files with 58 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
plugin/dnssec/cache_test.go
View File

@@ -32,3 +32,51 @@ func TestCacheSet(t *testing.T) {
t.Errorf("signature was not added to the cache") t.Errorf("signature was not added to the cache")
} }
} }
func TestCacheNotValidExpired(t *testing.T) {
fPriv, rmPriv, _ := test.TempFile(".", privKey)
fPub, rmPub, _ := test.TempFile(".", pubKey)
defer rmPriv()
defer rmPub()
dnskey, err := ParseKeyFile(fPub, fPriv)
if err != nil {
t.Fatalf("failed to parse key: %v\n", err)
}
c := cache.New(defaultCap)
m := testMsg()
state := request.Request{Req: m, Zone: "miek.nl."}
k := hash(m.Answer) // calculate *before* we add the sig
d := New([]string{"miek.nl."}, []*DNSKEY{dnskey}, nil, c)
d.Sign(state, time.Now().UTC().AddDate(0, 0, -9))
_, ok := d.get(k)
if ok {
t.Errorf("signature was added to the cache even though not valid")
}
}
func TestCacheNotValidYet(t *testing.T) {
fPriv, rmPriv, _ := test.TempFile(".", privKey)
fPub, rmPub, _ := test.TempFile(".", pubKey)
defer rmPriv()
defer rmPub()
dnskey, err := ParseKeyFile(fPub, fPriv)
if err != nil {
t.Fatalf("failed to parse key: %v\n", err)
}
c := cache.New(defaultCap)
m := testMsg()
state := request.Request{Req: m, Zone: "miek.nl."}
k := hash(m.Answer) // calculate *before* we add the sig
d := New([]string{"miek.nl."}, []*DNSKEY{dnskey}, nil, c)
d.Sign(state, time.Now().UTC().AddDate(0, 0, +9))
_, ok := d.get(k)
if ok {
t.Errorf("signature was added to the cache even though not valid yet")
}
}

10
plugin/dnssec/dnssec.go
View File

@@ -131,6 +131,15 @@ func (d Dnssec) set(key uint32, sigs []dns.RR) {
func (d Dnssec) get(key uint32) ([]dns.RR, bool) { func (d Dnssec) get(key uint32) ([]dns.RR, bool) {
if s, ok := d.cache.Get(key); ok { if s, ok := d.cache.Get(key); ok {
// we sign for 8 days, check if a signature in the cache reached 3/4 of that
is75 := time.Now().UTC().Add(sixDays)
for _, rr := range s.([]dns.RR) {
if !rr.(*dns.RRSIG).ValidityPeriod(is75) {
cacheMisses.Inc()
return nil, false
}
}
cacheHits.Inc() cacheHits.Inc()
return s.([]dns.RR), true return s.([]dns.RR), true
} }
@@ -146,5 +155,6 @@ func incepExpir(now time.Time) (uint32, uint32) {
const ( const (
eightDays = 8 * 24 * time.Hour eightDays = 8 * 24 * time.Hour
sixDays = 6 * 24 * time.Hour
defaultCap = 10000 // default capacity of the cache. defaultCap = 10000 // default capacity of the cache.
) )