aboutsummaryrefslogtreecommitdiff
path: root/plugin/dnssec/dnssec.go
diff options
context:
space:
mode:
Diffstat (limited to 'plugin/dnssec/dnssec.go')
-rw-r--r--plugin/dnssec/dnssec.go20
1 files changed, 15 insertions, 5 deletions
diff --git a/plugin/dnssec/dnssec.go b/plugin/dnssec/dnssec.go
index 9a20776fe..b4f738691 100644
--- a/plugin/dnssec/dnssec.go
+++ b/plugin/dnssec/dnssec.go
@@ -35,20 +35,30 @@ func New(zones []string, keys []*DNSKEY, next plugin.Handler, c *cache.Cache) Dn
}
// Sign signs the message in state. it takes care of negative or nodata responses. It
-// uses NSEC black lies for authenticated denial of existence. Signatures
-// creates will be cached for a short while. By default we sign for 8 days,
+// uses NSEC black lies for authenticated denial of existence. For delegations it
+// will insert DS records and sign those.
+// Signatures will be cached for a short while. By default we sign for 8 days,
// starting 3 hours ago.
func (d Dnssec) Sign(state request.Request, zone string, now time.Time) *dns.Msg {
req := state.Req
+ incep, expir := incepExpir(now)
+
mt, _ := response.Typify(req, time.Now().UTC()) // TODO(miek): need opt record here?
if mt == response.Delegation {
- // TODO(miek): uh, signing DS record?!?!
+ ttl := req.Ns[0].Header().Ttl
+
+ ds := []dns.RR{}
+ for i := range d.keys {
+ ds = append(ds, d.keys[i].D)
+ }
+ if sigs, err := d.sign(ds, zone, ttl, incep, expir); err == nil {
+ req.Ns = append(req.Ns, ds...)
+ req.Ns = append(req.Ns, sigs...)
+ }
return req
}
- incep, expir := incepExpir(now)
-
if mt == response.NameError || mt == response.NoData {
if req.Ns[0].Header().Rrtype != dns.TypeSOA || len(req.Ns) > 1 {
return req
generated by cgit v1.2.3 (git 2.39.1) at 2025-07-28 17:28:22 +0000