middleware/file: add DNSSEC support (#697)

* middleware/file: add DNSSEC support Add tests for DNSSEC and check if everything is working. * add signatures * tweak * Add DNSSEC signing tests for DNAME * Just sign it all
2025-11-02 10:13:14 -05:00 · 2017-06-02 17:18:58 +01:00
parent d684dedfd3
commit 7be066e4de
4 changed files with 207 additions and 2 deletions
--- a/middleware/dnssec/dnssec.go
+++ b/middleware/dnssec/dnssec.go
@@ -43,6 +43,7 @@ func (d Dnssec) Sign(state request.Request, zone string, now time.Time) *dns.Msg

 	mt, _ := response.Typify(req, time.Now().UTC()) // TODO(miek): need opt record here?
 	if mt == response.Delegation {
+		// TODO(miek): uh, signing DS record?!?!
 		return req
 	}

--- a/middleware/dnssec/dnssec_test.go
+++ b/middleware/dnssec/dnssec_test.go
@@ -113,6 +113,20 @@ func TestZoneSigningDelegation(t *testing.T) {
 	}
 }

+func TestSigningDname(t *testing.T) {
+	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
+	defer rm1()
+	defer rm2()
+
+	m := testMsgDname()
+	state := request.Request{Req: m}
+	// We sign *everything* we see, also the synthesized CNAME.
+	m = d.Sign(state, "miek.nl.", time.Now().UTC())
+	if !section(m.Answer, 3) {
+		t.Errorf("answer section should have 3 sig")
+	}
+}
+
 func section(rss []dns.RR, nrSigs int) bool {
 	i := 0
 	for _, r := range rss {
@@ -157,6 +171,16 @@ func testDelegationMsg() *dns.Msg {
 	}
 }

+func testMsgDname() *dns.Msg {
+	return &dns.Msg{
+		Answer: []dns.RR{
+			test.CNAME("a.dname.miek.nl.	1800	IN	CNAME	a.test.miek.nl."),
+			test.A("a.test.miek.nl.	1800	IN	A	139.162.196.78"),
+			test.DNAME("dname.miek.nl.	1800	IN	DNAME	test.miek.nl."),
+		},
+	}
+}
+
 func newDnssec(t *testing.T, zones []string) (Dnssec, func(), func()) {
 	k, rm1, rm2 := newKey(t)
 	cache, _ := lru.New(defaultCap)