Implement draft-ietf-dnsop-kskroll-sentinel-00

It is enabled by default.

diff --git a/daemon/lua/sandbox.lua b/daemon/lua/sandbox.lua
index 7cdc3dc662231b8899e09b054eef10319c4589af..e86ab2391d3448a4929dcac4d4eb5b299e80ae59 100644 (file)
--- a/daemon/lua/sandbox.lua
+++ b/daemon/lua/sandbox.lua
@@ -208,6 +208,7 @@ modules.load('policy')
 modules.load('priming')
 modules.load('detect_time_skew')
 modules.load('detect_time_jump')
+modules.load('ta_sentinel')
 
 -- Interactive command evaluation
 function eval_cmd(line, raw)

diff --git a/doc/modules.rst b/doc/modules.rst
index c68c9584a2ca87bcc07fc4c37a670a9b16fe95da..2b79088a70afccccfa3aa19c8a83c140d8e72e68 100644 (file)
--- a/doc/modules.rst
+++ b/doc/modules.rst
@@ -26,6 +26,7 @@ Knot DNS Resolver modules
 .. include:: ../modules/workarounds/README.rst
 .. include:: ../modules/dnstap/README.rst
 .. include:: ../modules/ta_signal_query/README.rst
+.. include:: ../modules/ta_sentinel/README.rst
 .. include:: ../modules/priming/README.rst
 .. include:: ../modules/detect_time_skew/README.rst
 .. include:: ../modules/detect_time_jump/README.rst

diff --git a/modules/modules.mk b/modules/modules.mk
index 78f24c836c5e1f882a2573dce8df986fc82a756d..8427748ab95fffc3937d9c3adb991e2ada2a980c 100644 (file)
--- a/modules/modules.mk
+++ b/modules/modules.mk
@@ -23,6 +23,7 @@ endif
 # List of Lua modules
 ifeq ($(HAS_lua),yes)
 modules_TARGETS += etcd \
+                   ta_sentinel \
                    graphite \
                    policy \
                    view \

diff --git a/modules/ta_sentinel/README.rst b/modules/ta_sentinel/README.rst
new file mode 100644 (file)
index 0000000..a774e2a
--- /dev/null
+++ b/modules/ta_sentinel/README.rst
@@ -0,0 +1,17 @@
+.. _mod-ta_sentinel:
+
+Sentinel for Detecting Trusted Keys
+-----------------------------------
+
+The module implementing Sentinel for Detecting Trusted Keys in DNSSEC
+according to `draft-ietf-dnsop-kskroll-sentinel-00`_.
+
+This feature allows users of validating resolver to detect which root keys
+are configured in their chain of trust. The data from such
+signaling are necessary to monitor the progress of the DNSSEC root key rollover.
+
+This module is enabled by default and we urge users not to disable it.
+If it is absolutely necessary you may add ``modules.unload('ta_sentinel')``
+to your configuration to disable it.
+
+.. _`draft-ietf-dnsop-kskroll-sentinel-00`: https://tools.ietf.org/html/draft-ietf-dnsop-kskroll-sentinel-00

diff --git a/modules/ta_sentinel/ta_sentinel.lua b/modules/ta_sentinel/ta_sentinel.lua
new file mode 100644 (file)
index 0000000..8ac958e
--- /dev/null
+++ b/modules/ta_sentinel/ta_sentinel.lua
@@ -0,0 +1,65 @@
+local M = {}
+M.layer = {}
+
+function M.layer.finish(state, req, pkt)
+       local kreq = kres.request_t(req)
+
+       if bit.band(state, kres.DONE) == 0 then
+               return state end -- not resolved yet, exit
+
+       local qry = kreq:resolved()
+       if qry.parent ~= nil then
+               return state end -- an internal query, exit
+
+       local kpkt = kres.pkt_t(pkt)
+       if not kpkt:ad() then
+               return state end -- insecure answer, exit
+
+       if not (kpkt:qtype() == kres.type.A) and not (kpkt:qtype() == kres.type.AAAA) then
+               return state end
+
+       if not (kpkt:qclass() == kres.class.IN) then
+               return state end
+
+       local qname = kres.dname2str(qry:name())
+       local sentype, hexkeytag = qname:match('^_([iI][sS])%-[tT][aA]%-(%x+).')
+       if not sentype then
+               sentype, hexkeytag = qname:match('^_([nN][oO][tT])%-[tT][aA]%-(%x+).')
+       end
+       if not sentype or not hexkeytag then
+               return state end -- regex did not match, exit
+       -- end of hot path
+
+       local qkeytag = tonumber(hexkeytag, 16)
+       if not qkeytag then
+               return state end -- not a valid hex string, exit
+
+       if (qkeytag < 0) or (qkeytag > 0xffff) then
+               return state end -- invalid keytag?!, exit
+       sentype = sentype:lower()
+       if verbose() then
+               log('[ta_sentinel] key tag: ' .. qkeytag .. ', sentinel: ' .. sentype)
+       end
+       assert (sentype == 'is' or sentype == 'not')
+
+       local found = false
+       for keyidx = 1, #trust_anchors.keysets['\0'] do
+               local key = trust_anchors.keysets['\0'][keyidx]
+               if qkeytag == key.key_tag then
+                       found = (key.state == "Valid")
+                       if verbose() then
+                               log('[ta_sentinel] found keytag ' .. qkeytag .. ', key state ' .. key.state)
+                       end
+               end
+       end
+
+       if (found and sentype == 'is')
+          or (not found and sentype == 'not') then
+               kpkt:clear_payload()
+               kpkt:rcode(2)
+               kpkt:ad(false)
+       end
+       return state -- do not break resolution process
+end
+
+return M

diff --git a/modules/ta_sentinel/ta_sentinel.mk b/modules/ta_sentinel/ta_sentinel.mk
new file mode 100644 (file)
index 0000000..2441ce0
--- /dev/null
+++ b/modules/ta_sentinel/ta_sentinel.mk
@@ -0,0 +1,2 @@
+ta_sentinel_SOURCES := ta_sentinel.lua
+$(call make_lua_module,ta_sentinel)

diff --git a/tests/deckard b/tests/deckard
index 387e8845a45a7bab6ab1c8e5be55a8d88d0315ae..0a844578608bb0c944880082bcbfce96453dfa98 160000 (submodule)
--- a/tests/deckard
+++ b/tests/deckard
@@ -1 +1 @@
-Subproject commit 387e8845a45a7bab6ab1c8e5be55a8d88d0315ae
+Subproject commit 0a844578608bb0c944880082bcbfce96453dfa98