author | 2018-01-18 10:39:22 +0000 | |
---|---|---|
committer | 2018-01-18 10:39:22 +0000 | |
commit | 318bab77956a8aed04dce8d7a40823bb802282da (patch) | |
tree | 57ec91004e6d95d8136cd7c690bf06243c04d23f | |
parent | dd9fc8962c7f51b358c8c127e3efaece559d81f8 (diff) | |
plugin/dnssec: check validityperiod of RRSIGs (#1385)
* plugin/dnssec: check validityperiod of RRSIGs
Somehow we missed implementing this. If a sig is retrieved from the
cache, but is not valid anymore, regenerate it instead of serving invalid
signatures.
Fixes #1378
* drop from cache after 3/4 validity
* six days means 6 days
-rw-r--r-- | plugin/dnssec/cache_test.go | 48 | ||||
-rw-r--r-- | plugin/dnssec/dnssec.go | 10 |
2 files changed, 58 insertions, 0 deletions
diff --git a/plugin/dnssec/cache_test.go b/plugin/dnssec/cache_test.go
index ccf588d8e..c3cdb0d6e 100644
--- a/plugin/dnssec/cache_test.go
+++ b/plugin/dnssec/cache_test.go
@@ -32,3 +32,51 @@ func TestCacheSet(t *testing.T) {
 		t.Errorf("signature was not added to the cache")
 	}
 }
+
+func TestCacheNotValidExpired(t *testing.T) {
+	fPriv, rmPriv, _ := test.TempFile(".", privKey)
+	fPub, rmPub, _ := test.TempFile(".", pubKey)
+	defer rmPriv()
+	defer rmPub()
+
+	dnskey, err := ParseKeyFile(fPub, fPriv)
+	if err != nil {
+		t.Fatalf("failed to parse key: %v\n", err)
+	}
+
+	c := cache.New(defaultCap)
+	m := testMsg()
+	state := request.Request{Req: m, Zone: "miek.nl."}
+	k := hash(m.Answer) // calculate *before* we add the sig
+	d := New([]string{"miek.nl."}, []*DNSKEY{dnskey}, nil, c)
+	d.Sign(state, time.Now().UTC().AddDate(0, 0, -9))
+
+	_, ok := d.get(k)
+	if ok {
+		t.Errorf("signature was added to the cache even though not valid")
+	}
+}
+
+func TestCacheNotValidYet(t *testing.T) {
+	fPriv, rmPriv, _ := test.TempFile(".", privKey)
+	fPub, rmPub, _ := test.TempFile(".", pubKey)
+	defer rmPriv()
+	defer rmPub()
+
+	dnskey, err := ParseKeyFile(fPub, fPriv)
+	if err != nil {
+		t.Fatalf("failed to parse key: %v\n", err)
+	}
+
+	c := cache.New(defaultCap)
+	m := testMsg()
+	state := request.Request{Req: m, Zone: "miek.nl."}
+	k := hash(m.Answer) // calculate *before* we add the sig
+	d := New([]string{"miek.nl."}, []*DNSKEY{dnskey}, nil, c)
+	d.Sign(state, time.Now().UTC().AddDate(0, 0, +9))
+
+	_, ok := d.get(k)
+	if ok {
+		t.Errorf("signature was added to the cache even though not valid yet")
+	}
+}
diff --git a/plugin/dnssec/dnssec.go b/plugin/dnssec/dnssec.go
index 83e034e6c..e071c5c18 100644
--- a/plugin/dnssec/dnssec.go
+++ b/plugin/dnssec/dnssec.go
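Review bot: Neither new test exercises the 3/4-of-validity threshold the commit message describes: TestCacheNotValidExpired signs nine days in the past and TestCacheNotValidYet nine days in the future, so both would also pass against a plain check of validity at the current time. A case that signs a few days ago and expects eviction, paired with one that signs a day ago and expects a cache hit, would pin whichever threshold is intended (the exact days depend on incepExpir, which is not in this hunk). Both tests also discard the error from `test.TempFile` with `_`, so a failure to create the temp file surfaces later as a misleading "failed to parse key"; `fPriv, rmPriv, err := test.TempFile(".", privKey)` followed by `if err != nil { t.Fatal(err) }` is preferable. The key-parsing, cache, message and state setup is duplicated verbatim between the two tests and could move to a small helper.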
@@ -131,6 +131,15 @@ func (d Dnssec) set(key uint32, sigs []dns.RR) { func (d Dnssec) get(key uint32) ([]dns.RR, bool) { if s, ok := d.cache.Get(key); ok { + // we sign for 8 days, check if a signature in the cache reached 3/4 of that + is75 := time.Now().UTC().Add(sixDays) + for _, rr := range s.([]dns.RR) { + if !rr.(*dns.RRSIG).ValidityPeriod(is75) { + cacheMisses.Inc() + return nil, false + } + } + cacheHits.Inc() return s.([]dns.RR), true } @@ -146,5 +155,6 @@ func incepExpir(now time.Time) (uint32, uint32) { const ( eightDays = 8 * 24 * time.Hour + sixDays = 6 * 24 * time.Hour defaultCap = 10000 // default capacity of the cache. ) |
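Review bot: The eviction threshold in get() does not match its comment `// we sign for 8 days, check if a signature in the cache reached 3/4 of that`: if incepExpir (its body is outside the hunk) sets expiration to the signing time plus eightDays, then `ValidityPeriod(time.Now().UTC().Add(sixDays))` fails as soon as fewer than six days of validity remain, i.e. about two days after signing, so entries are regenerated after roughly 1/4 of their lifetime rather than 3/4. If the intent is to re-sign once 3/4 has elapsed, the look-ahead should be the remaining quarter (`eightDays - sixDays`), and the comment should say which of the two it means. Independently, `rr.(*dns.RRSIG)` is an unchecked assertion on whatever set() stored, and a non-RRSIG element would panic on every lookup of that key; `sig, ok := rr.(*dns.RRSIG); if !ok || !sig.ValidityPeriod(is75) {` treats it as a miss instead. The check is also made only at the instant is75 and not at the current time, so a signature whose inception lies up to six days in the future would still be served from the cache; checking both instants closes that gap.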