plugin/sign: fix signing of authoritative data (#3479)

Don't sign data we are not authoritative for. This adds an AuthWalk which skips names we should not authoritative for. Adds a few tests to check this is the case. Generates zones have been compared to dnssec-signzone. A number of changes have been made: * don't add DS records to the apex * NSEC TTL is the SOA's minttl value (copying bind9) * Various cleanups * signer struct was cleaned up: doesn't need ttl, nor expiration or inception. * plugin/sign: remove apex stuff from names() This is never used because we will always have other types in the apex, because we *ADD* them ourselves, before we sign (DNSKEY, CDS and CDNSKEY). Signed-off-by: Miek Gieben <miek@miek.nl> Co-Authored-By: Chris O'Haver <cohaver@infoblox.com>
2025-11-01 02:33:14 -04:00 · 2019-12-06 19:54:31 +00:00
parent 799dce4bff
commit a53321d9d6
9 changed files with 235 additions and 70 deletions
--- a/plugin/sign/nsec_test.go
+++ b/plugin/sign/nsec_test.go
@@ -0,0 +1,27 @@
+package sign
+
+import (
+	"os"
+	"testing"
+
+	"github.com/coredns/coredns/plugin/file"
+)
+
+func TestNames(t *testing.T) {
+	f, err := os.Open("testdata/db.miek.nl_ns")
+	if err != nil {
+		t.Error(err)
+	}
+	z, err := file.Parse(f, "db.miek.nl_ns", "miek.nl", 0)
+	if err != nil {
+		t.Error(err)
+	}
+
+	names := names("miek.nl.", z)
+	expected := []string{"miek.nl.", "child.miek.nl.", "www.miek.nl."}
+	for i := range names {
+		if names[i] != expected[i] {
+			t.Errorf("Expected %s, got %s", expected[i], names[i])
+		}
+	}
+}