mirror of
https://github.com/coredns/coredns.git
synced 2025-11-01 10:43:17 -04:00
plugin/sign: fix signing of authoritative data (#3479)
Don't sign data we are not authoritative for. This adds an AuthWalk which skips names we should not authoritative for. Adds a few tests to check this is the case. Generates zones have been compared to dnssec-signzone. A number of changes have been made: * don't add DS records to the apex * NSEC TTL is the SOA's minttl value (copying bind9) * Various cleanups * signer struct was cleaned up: doesn't need ttl, nor expiration or inception. * plugin/sign: remove apex stuff from names() This is never used because we will always have other types in the apex, because we *ADD* them ourselves, before we sign (DNSKEY, CDS and CDNSKEY). Signed-off-by: Miek Gieben <miek@miek.nl> Co-Authored-By: Chris O'Haver <cohaver@infoblox.com>
This commit is contained in:
Miek Gieben
GitHub
@@ -1,6 +1,7 @@
|
||||
package sign
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"testing"
|
||||
@@ -29,8 +30,8 @@ func TestSign(t *testing.T) {
|
||||
}
|
||||
|
||||
apex, _ := z.Search("miek.nl.")
|
||||
if x := apex.Type(dns.TypeDS); len(x) != 2 {
|
||||
t.Errorf("Expected %d DS records, got %d", 2, len(x))
|
||||
if x := apex.Type(dns.TypeDS); len(x) != 0 {
|
||||
t.Errorf("Expected %d DS records, got %d", 0, len(x))
|
||||
}
|
||||
if x := apex.Type(dns.TypeCDS); len(x) != 2 {
|
||||
t.Errorf("Expected %d CDS records, got %d", 2, len(x))
|
||||
@@ -75,14 +76,14 @@ $ORIGIN example.org.
|
||||
if x := nsec[0].(*dns.NSEC).NextDomain; x != "example.org." {
|
||||
t.Errorf("Expected NSEC NextDomain %s, got %s", "example.org.", x)
|
||||
}
|
||||
if x := nsec[0].(*dns.NSEC).TypeBitMap; len(x) != 8 {
|
||||
t.Errorf("Expected NSEC bitmap to be %d elements, got %d", 8, x)
|
||||
if x := nsec[0].(*dns.NSEC).TypeBitMap; len(x) != 7 {
|
||||
t.Errorf("Expected NSEC bitmap to be %d elements, got %d", 7, x)
|
||||
}
|
||||
if x := nsec[0].(*dns.NSEC).TypeBitMap; x[7] != dns.TypeCDNSKEY {
|
||||
t.Errorf("Expected NSEC bitmap element 6 to be %d, got %d", dns.TypeCDNSKEY, x[7])
|
||||
if x := nsec[0].(*dns.NSEC).TypeBitMap; x[6] != dns.TypeCDNSKEY {
|
||||
t.Errorf("Expected NSEC bitmap element 5 to be %d, got %d", dns.TypeCDNSKEY, x[6])
|
||||
}
|
||||
if x := nsec[0].(*dns.NSEC).TypeBitMap; x[5] != dns.TypeDNSKEY {
|
||||
t.Errorf("Expected NSEC bitmap element 5 to be %d, got %d", dns.TypeDNSKEY, x[5])
|
||||
if x := nsec[0].(*dns.NSEC).TypeBitMap; x[4] != dns.TypeDNSKEY {
|
||||
t.Errorf("Expected NSEC bitmap element 4 to be %d, got %d", dns.TypeDNSKEY, x[4])
|
||||
}
|
||||
dnskey := el.Type(dns.TypeDNSKEY)
|
||||
if x := dnskey[0].Header().Ttl; x != 1800 {
|
||||
@@ -100,3 +101,82 @@ $ORIGIN example.org.
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestSignGlue(t *testing.T) {
|
||||
input := `sign testdata/db.miek.nl miek.nl {
|
||||
key file testdata/Kmiek.nl.+013+59725
|
||||
directory testdata
|
||||
}`
|
||||
c := caddy.NewTestController("dns", input)
|
||||
sign, err := parse(c)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if len(sign.signers) != 1 {
|
||||
t.Fatalf("Expected 1 signer, got %d", len(sign.signers))
|
||||
}
|
||||
z, err := sign.signers[0].Sign(time.Now().UTC())
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
||||
e, _ := z.Search("ns2.bla.miek.nl.")
|
||||
sigs := e.Type(dns.TypeRRSIG)
|
||||
if len(sigs) != 0 {
|
||||
t.Errorf("Expected no RRSIG for %s, got %d", "ns2.bla.miek.nl.", len(sigs))
|
||||
}
|
||||
}
|
||||
|
||||
func TestSignDS(t *testing.T) {
|
||||
input := `sign testdata/db.miek.nl_ns miek.nl {
|
||||
key file testdata/Kmiek.nl.+013+59725
|
||||
directory testdata
|
||||
}`
|
||||
c := caddy.NewTestController("dns", input)
|
||||
sign, err := parse(c)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if len(sign.signers) != 1 {
|
||||
t.Fatalf("Expected 1 signer, got %d", len(sign.signers))
|
||||
}
|
||||
z, err := sign.signers[0].Sign(time.Now().UTC())
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
||||
// dnssec-signzone outputs this for db.miek.nl_ns:
|
||||
//
|
||||
// child.miek.nl. 1800 IN NS ns.child.miek.nl.
|
||||
// child.miek.nl. 1800 IN DS 34385 13 2 fc7397c77afbccb6742fc....
|
||||
// child.miek.nl. 1800 IN RRSIG DS 13 3 1800 20191223121229 20191123121229 59725 miek.nl. ZwptLzVVs....
|
||||
// child.miek.nl. 14400 IN NSEC www.miek.nl. NS DS RRSIG NSEC
|
||||
// child.miek.nl. 14400 IN RRSIG NSEC 13 3 14400 20191223121229 20191123121229 59725 miek.nl. w+CcA8...
|
||||
|
||||
name := "child.miek.nl."
|
||||
e, _ := z.Search(name)
|
||||
if x := len(e.Types()); x != 4 { // NS DS NSEC and 2x RRSIG
|
||||
t.Errorf("Expected 4 records for %s, got %d", name, x)
|
||||
}
|
||||
|
||||
ds := e.Type(dns.TypeDS)
|
||||
if len(ds) != 1 {
|
||||
t.Errorf("Expected DS for %s, got %d", name, len(ds))
|
||||
}
|
||||
sigs := e.Type(dns.TypeRRSIG)
|
||||
if len(sigs) != 2 {
|
||||
t.Errorf("Expected no RRSIG for %s, got %d", name, len(sigs))
|
||||
}
|
||||
nsec := e.Type(dns.TypeNSEC)
|
||||
if x := nsec[0].(*dns.NSEC).NextDomain; x != "www.miek.nl." {
|
||||
t.Errorf("Expected no NSEC NextDomain to be %s for %s, got %s", "www.miek.nl.", name, x)
|
||||
}
|
||||
minttl := z.Apex.SOA.Minttl
|
||||
if x := nsec[0].Header().Ttl; x != minttl {
|
||||
t.Errorf("Expected no NSEC TTL to be %d for %s, got %d", minttl, "www.miek.nl.", x)
|
||||
}
|
||||
// print zone on error
|
||||
buf := &bytes.Buffer{}
|
||||
write(buf, z)
|
||||
t.Logf("%s\n", buf)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user