
Commit b53ba2c

committed
add: add CDS & CDNSKEY
1 parent d71b6bc commit b53ba2c


4 files changed

+128
-42
lines changed


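--- a/nsec_test.go
+++ b/nsec_test.go
@@ -21,14 +21,18 @@ var _ = Describe("Test nsec.go", func() {
 inception = uint32(1704067200)
 expiration = uint32(1893456000)
 nsecSignOption = dnsutils.SignOption{
-DoEMethod: dnsutils.DenialOfExistenceMethodNSEC,
-Inception: &inception,
-Expiration: &expiration,
+DoEMethod: dnsutils.DenialOfExistenceMethodNSEC,
+Inception: &inception,
+Expiration: &expiration,
+ZONEMDEnabled: &False,
+CDSEnabled: &False,
 }
 nsec3SignOption = dnsutils.SignOption{
-DoEMethod: dnsutils.DenialOfExistenceMethodNSEC3,
-Inception: &inception,
-Expiration: &expiration,
+DoEMethod: dnsutils.DenialOfExistenceMethodNSEC3,
+Inception: &inception,
+Expiration: &expiration,
+ZONEMDEnabled: &False,
+CDSEnabled: &False,
 }
 zsk *dnsutils.DNSKEY
 ksk *dnsutils.DNSKEY
@@ -87,7 +91,7 @@ var _ = Describe("Test nsec.go", func() {
 z = &dnsutils.Zone{}
 err = z.Read(bytes.NewBuffer(testSignZone))
 Expect(err).To(Succeed())
-err = dnsutils.AddDNSKEY(z, dnskeys, uint32(0), nil)
+err = dnsutils.AddDNSKEY(z, nsecSignOption, dnskeys, nil)
 Expect(err).To(Succeed())
 err = dnsutils.CreateDoE(z, nsecSignOption, nil)
 Expect(err).To(Succeed())
@@ -129,7 +133,7 @@ var _ = Describe("Test nsec.go", func() {
 z = &dnsutils.Zone{}
 err = z.Read(bytes.NewBuffer(testSignZone))
 Expect(err).To(Succeed())
-err = dnsutils.AddDNSKEY(z, dnskeys, uint32(0), nil)
+err = dnsutils.AddDNSKEY(z, nsec3SignOption, dnskeys, nil)
 Expect(err).To(Succeed())
 err = dnsutils.CreateDoE(z, nsec3SignOption, nil)
 Expect(err).To(Succeed())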
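Review bot: Both fixtures in the first hunk set `CDSEnabled: &False` but leave `CDNSKEYEnabled` nil, and in this commit's sign.go a nil pointer means "enabled", so these NSEC/NSEC3 expectations currently hold only because `GetCDNSKEYEnabled` in sign.go reads `o.CDSEnabled` instead of its own field. Once that getter is corrected, `AddDNSKEY` will add a CDNSKEY RRset at the apex for the KSK, which would presumably also change the apex NSEC/NSEC3 type bitmap these tests compare against. Add `CDNSKEYEnabled: &False,` to both `nsecSignOption` and `nsec3SignOption`, matching what zonemd_test.go already does. The enclosing `Describe` block starts and ends outside the hunk.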

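--- a/sign.go
+++ b/sign.go
@@ -22,17 +22,19 @@ var (
 )
 
 type SignOption struct {
-BeforeSign *time.Duration
-Expiry *time.Duration
-Inception *uint32
-Expiration *uint32
-// TODO: AddCDS bool
-// TODO: AddCDNSKEY bool
+BeforeSign *time.Duration
+Expiry *time.Duration
+Inception *uint32
+Expiration *uint32
 DoEMethod DenialOfExistenceMethod
 NSEC3Salt string
 NSEC3Iterate uint16
 
-ZONEMDEnabled bool
+DNSKEYTTL *uint32
+
+ZONEMDEnabled *bool
+CDSEnabled *bool
+CDNSKEYEnabled *bool
 }
 
 func (o *SignOption) GetBeforSign() time.Duration {
@@ -63,6 +65,13 @@ func (o *SignOption) GetExpiration() uint32 {
 return *o.Expiration
 }
 
+func (o *SignOption) GetDNSKEYTTL() uint32 {
+if o.DNSKEYTTL == nil {
+return uint32(3600)
+}
+return *o.DNSKEYTTL
+}
+
 func (o *SignOption) GetNSEC3Salt() string {
 return o.NSEC3Salt
 }
@@ -71,6 +80,26 @@ func (o *SignOption) GetNSEC3Iterate() uint16 {
 return o.NSEC3Iterate
 }
 
+func (o *SignOption) GetZONEMDEnabled() bool {
+if o.ZONEMDEnabled == nil {
+return true
+}
+return *o.ZONEMDEnabled
+}
+
+func (o *SignOption) GetCDSEnabled() bool {
+if o.CDSEnabled == nil {
+return true
+}
+return *o.CDSEnabled
+}
+func (o *SignOption) GetCDNSKEYEnabled() bool {
+if o.CDSEnabled == nil {
+return true
+}
+return *o.CDSEnabled
+}
+
 type DNSKEY struct {
 rr *dns.DNSKEY
 signer crypto.Signer
@@ -115,10 +144,10 @@ func (d *DNSKEY) IsZSK() bool {
 }
 
 func Sign(z ZoneInterface, opt SignOption, dnskeys []*DNSKEY, generator Generator) error {
-if err := AddDNSKEY(z, dnskeys, uint32(0), generator); err != nil {
+if err := AddDNSKEY(z, opt, dnskeys, generator); err != nil {
 return fmt.Errorf("failed to add DNSKEY: %w", err)
 }
-if opt.ZONEMDEnabled {
+if opt.GetZONEMDEnabled() {
 if err := AddZONEMDPlaceholder(z, nil, generator); err != nil {
 return fmt.Errorf("failed to add ZONEMD: %w", err)
 }
@@ -129,7 +158,7 @@ func Sign(z ZoneInterface, opt SignOption, dnskeys []*DNSKEY, generator Generato
 if err := SignZone(z, opt, dnskeys, generator); err != nil {
 return fmt.Errorf("failed to sign zone: %w", err)
 }
-if opt.ZONEMDEnabled {
+if opt.GetZONEMDEnabled() {
 if err := UpdateZONEMDDigest(z, generator); err != nil {
 return fmt.Errorf("failed to update ZONEMD digest: %w", err)
 }
@@ -140,27 +169,52 @@ func Sign(z ZoneInterface, opt SignOption, dnskeys []*DNSKEY, generator Generato
 return nil
 }
 
-func AddDNSKEY(z ZoneInterface, dnskeys []*DNSKEY, ttl uint32, generator Generator) error {
+func AddDNSKEY(z ZoneInterface, opt SignOption, dnskeys []*DNSKEY, generator Generator) error {
 if len(dnskeys) == 0 {
 return fmt.Errorf("empty DNSKEYs")
 }
-if ttl == 0 {
-ttl = 3600
-}
-rrset, err := GetRRSetOrCreate(z.GetRootNode(), dns.TypeDNSKEY, ttl, generator)
+rrset, err := GetRRSetOrCreate(z.GetRootNode(), dns.TypeDNSKEY, opt.GetDNSKEYTTL(), generator)
 if err != nil {
 return fmt.Errorf("failed to create DNSKEY rrset: %w", err)
 }
+cdsRRSet, err := GetRRSetOrCreate(z.GetRootNode(), dns.TypeCDS, opt.GetDNSKEYTTL(), generator)
+if err != nil {
+return fmt.Errorf("failed to create CDS rrset: %w", err)
+}
+cdnskeyRRset, err := GetRRSetOrCreate(z.GetRootNode(), dns.TypeCDNSKEY, opt.GetDNSKEYTTL(), generator)
+if err != nil {
+return fmt.Errorf("failed to create CDNSKEY rrset: %w", err)
+}
 for _, dnskey := range dnskeys {
 rr := dnskey.GetRR()
 rr.Hdr.Ttl = rrset.GetTTL()
 if err := rrset.AddRR(rr); err != nil {
-return fmt.Errorf("failed to add DNSKEY RR: %w", err)
+return fmt.Errorf("failed to add DNSKEY RR to rrset: %w", err)
+}
+if opt.GetCDSEnabled() && dnskey.IsKSK() {
+if err := cdsRRSet.AddRR(rr.ToDS(dns.SHA256).ToCDS()); err != nil {
+return fmt.Errorf("failed to add CDS RR to rrset: %w", err)
+}
+}
+if opt.GetCDNSKEYEnabled() && dnskey.IsKSK() {
+if err := cdnskeyRRset.AddRR(rr.ToCDNSKEY()); err != nil {
+return fmt.Errorf("failed to add CDNSKEY RR to rrset: %w", err)
+}
 }
 }
 if err := z.GetRootNode().SetRRSet(rrset); err != nil {
 return fmt.Errorf("failed to set DNSKEY rrset: %w", err)
 }
+if opt.GetCDSEnabled() {
+if err := z.GetRootNode().SetRRSet(cdsRRSet); err != nil {
+return fmt.Errorf("failed to set CDS rrset: %w", err)
+}
+}
+if opt.GetCDNSKEYEnabled() {
+if err := z.GetRootNode().SetRRSet(cdnskeyRRset); err != nil {
+return fmt.Errorf("failed to set CDNSKEY rrset: %w", err)
+}
+}
 return nil
 }
 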
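Review bot: `GetCDNSKEYEnabled` (new lines 96-101, third hunk) tests and dereferences `o.CDSEnabled` instead of `o.CDNSKEYEnabled`, so the new `CDNSKEYEnabled` field is never read and a caller that sets only `CDNSKEYEnabled: &False` still gets a CDNSKEY RRset published at the apex by `AddDNSKEY`. That matters here because CDS/CDNSKEY are the records a parent uses to rewrite the delegation's DS automatically (RFC 7344/8078), so an operator must be able to suppress each one independently; the fix is `if o.CDNSKEYEnabled == nil {` and `return *o.CDNSKEYEnabled`. The current tests only ever set both flags together, which is why this passes. Separately, `AddDNSKEY` (last hunk, new lines 180-187) calls `GetRRSetOrCreate` for CDS and CDNSKEY even when both are disabled, so those two lookups could move under the respective `opt.GetCDSEnabled()` / `opt.GetCDNSKEYEnabled()` checks. A doc comment on the three `Get*Enabled` getters such as `// A nil field means enabled; callers that do not want CDS/CDNSKEY published must set the field to false explicitly.` would also make the opt-out default visible to users of `Sign`.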
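--- a/sign_test.go
+++ b/sign_test.go
@@ -6,12 +6,16 @@ import (
 "errors"
 "time"
 
+"github.com/miekg/dns"
 "github.com/mimuret/dnsutils"
 "github.com/mimuret/dnsutils/testtool"
 . "github.com/onsi/ginkgo"
 . "github.com/onsi/gomega"
 )
 
+var True = true
+var False = false
+
 //go:embed testdata/sign/example.jp.source
 var testSignZone []byte
 
@@ -37,9 +41,11 @@ var _ = Describe("Test sign.go", func() {
 inception = uint32(1704067200)
 expiration = uint32(1893456000)
 nsecSignOption = dnsutils.SignOption{
-DoEMethod: dnsutils.DenialOfExistenceMethodNSEC,
-Inception: &inception,
-Expiration: &expiration,
+DoEMethod: dnsutils.DenialOfExistenceMethodNSEC,
+Inception: &inception,
+Expiration: &expiration,
+ZONEMDEnabled: &False,
+CDSEnabled: &False,
 }
 zsk *dnsutils.DNSKEY
 ksk *dnsutils.DNSKEY
@@ -161,26 +167,44 @@ var _ = Describe("Test sign.go", func() {
 })
 When("empty key", func() {
 BeforeEach(func() {
-err = dnsutils.AddDNSKEY(z, nil, uint32(0), nil)
+err = dnsutils.AddDNSKEY(z, dnsutils.SignOption{}, nil, nil)
 })
 It("returns err", func() {
 Expect(err).To(HaveOccurred())
 })
 })
 When("failed to create DNSKEY rrset", func() {
 BeforeEach(func() {
-err = dnsutils.AddDNSKEY(z, nil, uint32(0), &testtool.TestGenerator{NewRRSetErr: errors.New("")})
+err = dnsutils.AddDNSKEY(z, dnsutils.SignOption{}, nil, &testtool.TestGenerator{NewRRSetErr: errors.New("")})
 })
 It("returns err", func() {
 Expect(err).To(HaveOccurred())
 })
 })
 When("add valid DNSKEY", func() {
-BeforeEach(func() {
-err = dnsutils.AddDNSKEY(z, []*dnsutils.DNSKEY{ksk}, uint32(0), nil)
+When("cds/cdnskey disabled", func() {
+BeforeEach(func() {
+err = dnsutils.AddDNSKEY(z, dnsutils.SignOption{CDSEnabled: &False, CDNSKEYEnabled: &False}, []*dnsutils.DNSKEY{ksk}, nil)
+})
+It("succeed", func() {
+Expect(err).To(Succeed())
+cdsRRSet := z.GetRootNode().GetRRSet(dns.TypeCDS)
+Expect(cdsRRSet).To(BeNil())
+cdnskeyRRSet := z.GetRootNode().GetRRSet(dns.TypeCDNSKEY)
+Expect(cdnskeyRRSet).To(BeNil())
+})
 })
-It("succeed", func() {
-Expect(err).To(Succeed())
+When("cds/cdnskey enabled", func() {
+BeforeEach(func() {
+err = dnsutils.AddDNSKEY(z, dnsutils.SignOption{}, []*dnsutils.DNSKEY{ksk}, nil)
+})
+It("succeed", func() {
+Expect(err).To(Succeed())
+cdsRRSet := z.GetRootNode().GetRRSet(dns.TypeCDS)
+Expect(cdsRRSet).NotTo(BeNil())
+cdnskeyRRSet := z.GetRootNode().GetRRSet(dns.TypeCDNSKEY)
+Expect(cdnskeyRRSet).NotTo(BeNil())
+})
 })
 })
 })
@@ -190,7 +214,7 @@ var _ = Describe("Test sign.go", func() {
 z = &dnsutils.Zone{}
 err = z.Read(testZoneNormalBuf)
 Expect(err).To(Succeed())
-err = dnsutils.AddDNSKEY(z, dnskeys, uint32(0), nil)
+err = dnsutils.AddDNSKEY(z, nsecSignOption, dnskeys, nil)
 Expect(err).To(Succeed())
 err = dnsutils.CreateDoE(z, nsecSignOption, nil)
 Expect(err).To(Succeed())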
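Review bot: The new `When("cds/cdnskey disabled")` and `When("cds/cdnskey enabled")` cases in the third hunk always toggle CDS and CDNSKEY together, so they cannot detect that `GetCDNSKEYEnabled` in sign.go reads `o.CDSEnabled` rather than `o.CDNSKEYEnabled`; a case that disables only one of the two and asserts the other RRset is still present would pin the intended independence of the flags. Note also that the `failed to create DNSKEY rrset` case (new line 178) passes `nil` keys, which `AddDNSKEY` rejects at `len(dnskeys) == 0` before any RRset is created, so the generator error is never reached and the new `failed to create CDS/CDNSKEY rrset` paths stay unexercised; passing `[]*dnsutils.DNSKEY{ksk}` there would fix that. The enclosing `Describe` block starts and ends outside the hunk.
```go
// … unchanged: "cds/cdnskey disabled" and "cds/cdnskey enabled" cases …
When("only cdnskey disabled", func() {
	BeforeEach(func() {
		err = dnsutils.AddDNSKEY(z, dnsutils.SignOption{CDNSKEYEnabled: &False}, []*dnsutils.DNSKEY{ksk}, nil)
	})
	It("adds CDS but not CDNSKEY", func() {
		Expect(err).To(Succeed())
		Expect(z.GetRootNode().GetRRSet(dns.TypeCDS)).NotTo(BeNil())
		Expect(z.GetRootNode().GetRRSet(dns.TypeCDNSKEY)).To(BeNil())
	})
})
```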

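--- a/zonemd_test.go
+++ b/zonemd_test.go
@@ -294,16 +294,20 @@ var _ = Describe("zonemd", func() {
 inception = uint32(1704067200)
 expiration = uint32(1893456000)
 nsecSignOption = dnsutils.SignOption{
-DoEMethod: dnsutils.DenialOfExistenceMethodNSEC,
-Inception: &inception,
-Expiration: &expiration,
-ZONEMDEnabled: true,
+DoEMethod: dnsutils.DenialOfExistenceMethodNSEC,
+Inception: &inception,
+Expiration: &expiration,
+ZONEMDEnabled: &True,
+CDSEnabled: &False,
+CDNSKEYEnabled: &False,
 }
 nsec3SignOption = dnsutils.SignOption{
-DoEMethod: dnsutils.DenialOfExistenceMethodNSEC3,
-Inception: &inception,
-Expiration: &expiration,
-ZONEMDEnabled: true,
+DoEMethod: dnsutils.DenialOfExistenceMethodNSEC3,
+Inception: &inception,
+Expiration: &expiration,
+ZONEMDEnabled: &True,
+CDSEnabled: &False,
+CDNSKEYEnabled: &False,
 }
 zsk *dnsutils.DNSKEY
 ksk *dnsutils.DNSKEY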
