path: root/plugin/dnssec/black_lies.go
Diffstat (limited to 'plugin/dnssec/black_lies.go')
-rw-r--r--plugin/dnssec/black_lies.go24
1 files changed, 24 insertions, 0 deletions
diff --git a/plugin/dnssec/black_lies.go b/plugin/dnssec/black_lies.go
new file mode 100644
index 000000000..527b2fc3e
--- /dev/null
+++ b/plugin/dnssec/black_lies.go
@@ -0,0 +1,24 @@
+package dnssec
+
+import "github.com/miekg/dns"
+
+// nsec returns an NSEC useful for NXDOMAIN respsones.
+// See https://tools.ietf.org/html/draft-valsorda-dnsop-black-lies-00
+// For example, a request for the non-existing name a.example.com would
+// cause the following NSEC record to be generated:
+// a.example.com. 3600 IN NSEC \000.a.example.com. ( RRSIG NSEC )
+// This inturn makes every NXDOMAIN answer a NODATA one, don't forget to flip
+// the header rcode to NOERROR.
+func (d Dnssec) nsec(name, zone string, ttl, incep, expir uint32) ([]dns.RR, error) {
+ nsec := &dns.NSEC{}
+ nsec.Hdr = dns.RR_Header{Name: name, Ttl: ttl, Class: dns.ClassINET, Rrtype: dns.TypeNSEC}
+ nsec.NextDomain = "\\000." + name
+ nsec.TypeBitMap = []uint16{dns.TypeRRSIG, dns.TypeNSEC}
+
+ sigs, err := d.sign([]dns.RR{nsec}, zone, ttl, incep, expir)
+ if err != nil {
+ return nil, err
+ }
+
+ return append(sigs, nsec), nil
+}
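Review bot: The synthesized next-owner name on the `nsec.NextDomain = "\\000." + name` line is only a valid FQDN when `name` already carries its trailing dot; nothing in this hunk normalizes it, so if any caller can pass an unqualified name the generated NSEC would be malformed (and its RRSIG computed over the wrong owner). If callers are not guaranteed to pass qualified names, `nsec.NextDomain = "\\000." + dns.Fqdn(name)` makes that explicit; otherwise a comment on the function stating the precondition would do. The doc comment also has typos: "respsones" should read "responses" and "inturn" should read "in turn", and it should say plainly that this function only builds and signs the record while the caller is responsible for setting the rcode to NOERROR.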