diff options
Diffstat (limited to 'plugin/dnssec/black_lies.go')
| -rw-r--r-- | plugin/dnssec/black_lies.go | 55 |
1 files changed, 48 insertions, 7 deletions
diff --git a/plugin/dnssec/black_lies.go b/plugin/dnssec/black_lies.go index 527b2fc3e..d5541da79 100644 --- a/plugin/dnssec/black_lies.go +++ b/plugin/dnssec/black_lies.go @@ -1,24 +1,65 @@ package dnssec -import "github.com/miekg/dns" +import ( + "github.com/coredns/coredns/plugin/pkg/response" + "github.com/coredns/coredns/request" + + "github.com/miekg/dns" +) // nsec returns an NSEC useful for NXDOMAIN respsones. // See https://tools.ietf.org/html/draft-valsorda-dnsop-black-lies-00 // For example, a request for the non-existing name a.example.com would // cause the following NSEC record to be generated: -// a.example.com. 3600 IN NSEC \000.a.example.com. ( RRSIG NSEC ) +// a.example.com. 3600 IN NSEC \000.a.example.com. ( RRSIG NSEC ... ) // This inturn makes every NXDOMAIN answer a NODATA one, don't forget to flip // the header rcode to NOERROR. -func (d Dnssec) nsec(name, zone string, ttl, incep, expir uint32) ([]dns.RR, error) { +func (d Dnssec) nsec(state request.Request, mt response.Type, ttl, incep, expir uint32) ([]dns.RR, error) { nsec := &dns.NSEC{} - nsec.Hdr = dns.RR_Header{Name: name, Ttl: ttl, Class: dns.ClassINET, Rrtype: dns.TypeNSEC} - nsec.NextDomain = "\\000." + name - nsec.TypeBitMap = []uint16{dns.TypeRRSIG, dns.TypeNSEC} + nsec.Hdr = dns.RR_Header{Name: state.QName(), Ttl: ttl, Class: dns.ClassINET, Rrtype: dns.TypeNSEC} + nsec.NextDomain = "\\000." + state.QName() + if state.Name() == state.Zone { + nsec.TypeBitMap = filter18(state.QType(), apexBitmap, mt) + } else { + nsec.TypeBitMap = filter14(state.QType(), zoneBitmap, mt) + } - sigs, err := d.sign([]dns.RR{nsec}, zone, ttl, incep, expir) + sigs, err := d.sign([]dns.RR{nsec}, state.Zone, ttl, incep, expir) if err != nil { return nil, err } return append(sigs, nsec), nil } + +// The NSEC bit maps we return. +var ( + zoneBitmap = [...]uint16{dns.TypeA, dns.TypeHINFO, dns.TypeTXT, dns.TypeAAAA, dns.TypeLOC, dns.TypeSRV, dns.TypeCERT, dns.TypeSSHFP, dns.TypeRRSIG, dns.TypeNSEC, dns.TypeTLSA, dns.TypeHIP, dns.TypeOPENPGPKEY, dns.TypeSPF} + apexBitmap = [...]uint16{dns.TypeA, dns.TypeNS, dns.TypeSOA, dns.TypeHINFO, dns.TypeMX, dns.TypeTXT, dns.TypeAAAA, dns.TypeLOC, dns.TypeSRV, dns.TypeCERT, dns.TypeSSHFP, dns.TypeRRSIG, dns.TypeNSEC, dns.TypeDNSKEY, dns.TypeTLSA, dns.TypeHIP, dns.TypeOPENPGPKEY, dns.TypeSPF} +) + +// filter14 filters out t from bitmap (if it exists). If mt is not an NODATA response, just +// return the entire bitmap. +func filter14(t uint16, bitmap [14]uint16, mt response.Type) []uint16 { + if mt != response.NoData { + return zoneBitmap[:] + } + for i := range bitmap { + if bitmap[i] == t { + return append(bitmap[:i], bitmap[i+1:]...) + } + } + return zoneBitmap[:] // make a slice +} + +func filter18(t uint16, bitmap [18]uint16, mt response.Type) []uint16 { + if mt != response.NoData { + return apexBitmap[:] + } + for i := range bitmap { + if bitmap[i] == t { + return append(bitmap[:i], bitmap[i+1:]...) + } + } + return apexBitmap[:] // make a slice +} |