Diffstat (limited to 'plugin/dnssec')
-rw-r--r--plugin/dnssec/dnssec.go21
-rw-r--r--plugin/dnssec/handler.go8
-rw-r--r--plugin/dnssec/handler_test.go14
-rw-r--r--plugin/dnssec/responsewriter.go12
4 files changed, 14 insertions, 41 deletions
diff --git a/plugin/dnssec/dnssec.go b/plugin/dnssec/dnssec.go
index 3baea569c..1ebcb13af 100644
--- a/plugin/dnssec/dnssec.go
+++ b/plugin/dnssec/dnssec.go
@@ -46,21 +46,6 @@ func (d Dnssec) Sign(state request.Request, now time.Time, server string) *dns.M
mt, _ := response.Typify(req, time.Now().UTC()) // TODO(miek): need opt record here?
if mt == response.Delegation {
- // This reverts 11203e44. Reverting with git revert leads to conflicts in dnskey.go, and I'm
- // not sure yet if we just should fiddle with inserting DSs or not.
- // Easy way to, see #1211 for discussion.
- /*
- ttl := req.Ns[0].Header().Ttl
-
- ds := []dns.RR{}
- for i := range d.keys {
- ds = append(ds, d.keys[i].D)
- }
- if sigs, err := d.sign(ds, zone, ttl, incep, expir); err == nil {
- req.Ns = append(req.Ns, ds...)
- req.Ns = append(req.Ns, sigs...)
- }
- */
return req
}
@@ -98,7 +83,7 @@ func (d Dnssec) Sign(state request.Request, now time.Time, server string) *dns.M
for _, r := range rrSets(req.Extra) {
ttl := r[0].Header().Ttl
if sigs, err := d.sign(r, state.Zone, ttl, incep, expir, server); err == nil {
- req.Extra = append(sigs, req.Extra...) // prepend to leave OPT alone
+ req.Extra = append(req.Extra, sigs...)
}
}
return req
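Review bot: The new `req.Extra = append(req.Extra, sigs...)` drops the old comment that explained the ordering, so the assumption that `req.Extra` holds no OPT record at this point is now implicit. If a downstream plugin still returns a message carrying its own OPT, the RRSIGs land after it, and depending on what `rrSets` does with OPT (not visible here) the pseudo-record could even be handed to `d.sign`. I would add a comment such as `// OPT is added by the server after signing; Extra must not contain one here`, and filter OPT out before the loop if that cannot be guaranteed. Separately, the `err == nil` check on the line above sends the additional section unsigned without any trace when signing fails; a log line or metric there would make that detectable. Sign's body starts and ends outside this hunk.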
@@ -125,9 +110,7 @@ func (d Dnssec) sign(rrs []dns.RR, signerName string, ttl, incep, expir uint32,
return sigs.([]dns.RR), err
}
-func (d Dnssec) set(key uint32, sigs []dns.RR) {
- d.cache.Add(key, sigs)
-}
+func (d Dnssec) set(key uint32, sigs []dns.RR) { d.cache.Add(key, sigs) }
func (d Dnssec) get(key uint32, server string) ([]dns.RR, bool) {
if s, ok := d.cache.Get(key); ok {
diff --git a/plugin/dnssec/handler.go b/plugin/dnssec/handler.go
index 159c19533..573f7371d 100644
--- a/plugin/dnssec/handler.go
+++ b/plugin/dnssec/handler.go
@@ -41,8 +41,12 @@ func (d Dnssec) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg)
}
}
- drr := &ResponseWriter{w, d, server}
- return plugin.NextOrFailure(d.Name(), d.Next, ctx, drr, r)
+ if do {
+ drr := &ResponseWriter{w, d, server}
+ return plugin.NextOrFailure(d.Name(), d.Next, ctx, drr, r)
+ }
+
+ return plugin.NextOrFailure(d.Name(), d.Next, ctx, w, r)
}
var (
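Review bot: The unsigned path added at the end of ServeDNS (`return plugin.NextOrFailure(d.Name(), d.Next, ctx, w, r)`) has no visible test: every case shown in handler_test.go sets `Do: true`, so nothing on this page asserts that a query without the DO bit comes back without RRSIGs. A table entry with `Do: false` and an expected answer free of RRSIG records would pin that behaviour. As a style point the two calls differ only in the writer, so `rw := w; if do { rw = &ResponseWriter{w, d, server} }` followed by a single `NextOrFailure` call would remove the duplication. `do` is assigned outside this hunk, so I am assuming it reflects the request's DO bit.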
diff --git a/plugin/dnssec/handler_test.go b/plugin/dnssec/handler_test.go
index a1c35c635..ed9ddc5a5 100644
--- a/plugin/dnssec/handler_test.go
+++ b/plugin/dnssec/handler_test.go
@@ -56,7 +56,6 @@ var dnsTestCases = []test.Case{
test.NS("miek.nl. 1800 IN NS linode.atoom.net."),
test.RRSIG("miek.nl. 1800 IN RRSIG NS 13 2 3600 20161217114912 20161209084912 18512 miek.nl. ad9gA8VWgF1H8ze9/0Rk2Q=="),
},
- Extra: []dns.RR{test.OPT(4096, true)},
},
{
Qname: "www.miek.nl.", Qtype: dns.TypeAAAA, Do: true,
@@ -70,7 +69,6 @@ var dnsTestCases = []test.Case{
test.NS("miek.nl. 1800 IN NS linode.atoom.net."),
test.RRSIG("miek.nl. 1800 IN RRSIG NS 13 2 3600 20161217114912 20161209084912 18512 miek.nl. ad9gA8VWgF1H8ze9/0Rk2Q=="),
},
- Extra: []dns.RR{test.OPT(4096, true)},
},
{
Qname: "wwwww.miek.nl.", Qtype: dns.TypeAAAA, Do: true,
@@ -80,7 +78,6 @@ var dnsTestCases = []test.Case{
test.NSEC("wwwww.miek.nl. 1800 IN NSEC \\000.wwwww.miek.nl. A HINFO TXT LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF"),
test.RRSIG("wwwww.miek.nl. 1800 IN RRSIG NSEC 13 3 3600 20171220135446 20171212105446 18512 miek.nl. cVUQWs8xw=="),
},
- Extra: []dns.RR{test.OPT(4096, true)},
},
{
Qname: "miek.nl.", Qtype: dns.TypeHINFO, Do: true,
@@ -90,12 +87,10 @@ var dnsTestCases = []test.Case{
test.RRSIG("miek.nl. 1800 IN RRSIG SOA 13 2 3600 20171220141741 20171212111741 18512 miek.nl. 8bLTReqmuQtw=="),
test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
},
- Extra: []dns.RR{test.OPT(4096, true)},
},
{
Qname: "www.example.org.", Qtype: dns.TypeAAAA, Do: true,
Rcode: dns.RcodeServerFailure,
- // Extra: []dns.RR{test.OPT(4096, true)}, // test.ErrorHandler is a simple handler that does not do EDNS on ServerFailure
},
}
@@ -110,20 +105,18 @@ func TestLookupZone(t *testing.T) {
defer rm2()
c := cache.New(defaultCap)
dh := New([]string{"miek.nl."}, []*DNSKEY{dnskey}, fm, c)
- ctx := context.TODO()
for _, tc := range dnsTestCases {
m := tc.Msg()
rec := dnstest.NewRecorder(&test.ResponseWriter{})
- _, err := dh.ServeDNS(ctx, rec, m)
+ _, err := dh.ServeDNS(context.TODO(), rec, m)
if err != nil {
t.Errorf("Expected no error, got %v\n", err)
return
}
- resp := rec.Msg
- test.SortAndCheck(t, resp, tc)
+ test.SortAndCheck(t, rec.Msg, tc)
}
}
@@ -133,13 +126,12 @@ func TestLookupDNSKEY(t *testing.T) {
defer rm2()
c := cache.New(defaultCap)
dh := New([]string{"miek.nl."}, []*DNSKEY{dnskey}, test.ErrorHandler(), c)
- ctx := context.TODO()
for _, tc := range dnssecTestCases {
m := tc.Msg()
rec := dnstest.NewRecorder(&test.ResponseWriter{})
- _, err := dh.ServeDNS(ctx, rec, m)
+ _, err := dh.ServeDNS(context.TODO(), rec, m)
if err != nil {
t.Errorf("Expected no error, got %v\n", err)
return
diff --git a/plugin/dnssec/responsewriter.go b/plugin/dnssec/responsewriter.go
index 0e4af8d1c..852e6f58f 100644
--- a/plugin/dnssec/responsewriter.go
+++ b/plugin/dnssec/responsewriter.go
@@ -28,12 +28,9 @@ func (d *ResponseWriter) WriteMsg(res *dns.Msg) error {
}
state.Zone = zone
- if state.Do() {
- res = d.d.Sign(state, time.Now().UTC(), d.server)
-
- cacheSize.WithLabelValues(d.server, "signature").Set(float64(d.d.cache.Len()))
- }
- state.SizeAndDo(res)
+ res = d.d.Sign(state, time.Now().UTC(), d.server)
+ cacheSize.WithLabelValues(d.server, "signature").Set(float64(d.d.cache.Len()))
+ // No need for EDNS0 trickery, as that is handled by the server.
return d.ResponseWriter.WriteMsg(res)
}
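Review bot: WriteMsg now calls `d.d.Sign` unconditionally, so whether a response gets signed depends entirely on ServeDNS constructing a `ResponseWriter` only when the DO bit is set; the type itself no longer enforces it. Because the struct is exported, any other caller that wraps a writer would sign responses, and fill the signature cache, for queries that never asked for DNSSEC. I would either document the contract on the type, e.g. `// ResponseWriter signs every response; only wrap the writer when the request has DO set.`, or keep a cheap guard `if !state.Do() { return d.ResponseWriter.WriteMsg(res) }` before the Sign call. WriteMsg starts above this hunk.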
@@ -44,6 +41,3 @@ func (d *ResponseWriter) Write(buf []byte) (int, error) {
n, err := d.ResponseWriter.Write(buf)
return n, err
}
-
-// Hijack implements the dns.ResponseWriter interface.
-func (d *ResponseWriter) Hijack() { d.ResponseWriter.Hijack() }