Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix root server proofs, and just that (big fix 3/4) #86

Open
wants to merge 12 commits into
base: master
Choose a base branch
from
Open

Fix root server proofs, and just that (big fix 3/4) #86

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
a2a3be0
rs: respond with servfail if bogus
buffrr Sep 12, 2020
d00cb17
resource: add no ds proof
buffrr Mar 6, 2021
5a8611f
resource: move all NSEC type maps to resource.h
pinheadmz Nov 18, 2021
635b17c
resource: implement prev/next name for NSEC
pinheadmz Dec 22, 2021
6053c6a
resource/ns: replace to_empty proofs with minimally-covering NSEC
pinheadmz Dec 22, 2021
1025a33
resource/ns: replace to_nx proofs with minimally-covering NSEC
pinheadmz Nov 22, 2021
0cbbc8a
ns: remove DS record from root zone apex
pinheadmz Nov 22, 2021
61296c8
resource: nsec proofs for root zone
pinheadmz Nov 22, 2021
b53eba3
resource: use default TTL for NSEC
pinheadmz Nov 22, 2021
de6ced8
resource: fix aa flag when querying root
pinheadmz Nov 23, 2021
7d2c7e1
ns/resource: fix NSEC handling for _synth
pinheadmz Dec 13, 2021
5e01487
rs: disable checking when requested
pinheadmz Jan 11, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 28 additions & 24 deletions src/ns.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,16 +25,6 @@
#include "uv.h"
#include "dnssec.h"

// A RRSIG NSEC
static const uint8_t hsk_type_map_a[] = {
0x00, 0x06, 0x40, 0x00, 0x00, 0x00, 0x00, 0x03
};

// AAAA RRSIG NSEC
static const uint8_t hsk_type_map_aaaa[] = {
0x00, 0x06, 0x00, 0x00, 0x00, 0x80, 0x00, 0x03
};

/*
* Types
*/
Expand Down Expand Up @@ -333,7 +323,9 @@ hsk_ns_onrecv(
// The synth name then resolves to an A/AAAA record that is derived
// by decoding the name itself (it does not have to be looked up).
bool should_cache = true;
if (strcmp(req->tld, "_synth") == 0 && req->labels <= 2) {
if (strcmp(req->tld, "_synth") == 0 &&
req->labels <= 2 &&
req->name[0] == '_') {
msg = hsk_dns_msg_alloc();
should_cache = false;

Expand All @@ -342,18 +334,26 @@ hsk_ns_onrecv(

hsk_dns_rrs_t *an = &msg->an;
hsk_dns_rrs_t *rrns = &msg->ns;
hsk_dns_rrs_t *ar = &msg->ar;

uint8_t ip[16];
uint16_t family;
char synth[HSK_DNS_MAX_LABEL + 1];
hsk_dns_label_from(req->name, -2, synth);

if (req->labels == 1) {
hsk_resource_to_empty(req->tld, NULL, 0, rrns);
hsk_dnssec_sign_zsk(rrns, HSK_DNS_NSEC);
// TLD '._synth' is being queried on its own, send SOA
// so recursive asks again with complete synth record.
hsk_resource_root_to_soa(rrns);
hsk_dnssec_sign_zsk(rrns, HSK_DNS_SOA);
// Empty non-terminal proof:
hsk_resource_to_nsec(
"_synth.",
"\\000._synth.",
hsk_type_map_empty,
sizeof(hsk_type_map_empty),
rrns
);
hsk_dnssec_sign_zsk(rrns, HSK_DNS_NSEC);
}

if (pointer_to_ip(synth, ip, &family)) {
Expand All @@ -372,19 +372,20 @@ hsk_ns_onrecv(
}

if (!match) {
// Needs SOA.
// TODO: Make the reverse pointers TLDs.
// Empty proof:
char next[HSK_DNS_MAX_NAME] = "\\000.";
strcat(next, req->name);
if (family == HSK_DNS_A) {
hsk_resource_to_empty(
hsk_resource_to_nsec(
req->name,
next,
hsk_type_map_a,
sizeof(hsk_type_map_a),
rrns
);
} else {
hsk_resource_to_empty(
hsk_resource_to_nsec(
req->name,
next,
hsk_type_map_aaaa,
sizeof(hsk_type_map_aaaa),
rrns
Expand Down Expand Up @@ -418,7 +419,7 @@ hsk_ns_onrecv(

hsk_dns_rrs_push(an, rr);

hsk_dnssec_sign_zsk(ar, rrtype);
hsk_dnssec_sign_zsk(an, rrtype);
}
}

Expand All @@ -445,7 +446,7 @@ hsk_ns_onrecv(
|| strcmp(req->tld, "onion") == 0 // Tor
|| strcmp(req->tld, "tor") == 0 // OnioNS
|| strcmp(req->tld, "zkey") == 0) { // GNS
msg = hsk_resource_to_nx();
msg = hsk_resource_to_nx(req->tld);
} else {
req->ns = (void *)ns;

Expand Down Expand Up @@ -538,9 +539,12 @@ hsk_ns_respond(
// not possible for SPV nodes since they
// can't arbitrarily iterate over the tree.
//
// Instead, we give a phony proof, which
// makes the root zone look empty.
msg = hsk_resource_to_nx();
// Instead, we give a minimally covering
// NSEC record based on rfc4470
// https://tools.ietf.org/html/rfc4470

// Proving the name doesn't exist
msg = hsk_resource_to_nx(req->tld);

if (!msg)
hsk_ns_log(ns, "could not create nx response (%u)\n", req->id);
Expand Down
Loading