Signaling Trust Anchor Knowledge in DNSSEC using Key Tag Query

Implementation of RFC 8145 section 5 as module.

Fixes: #383
fixup! Signaling Trust Anchor Knowledge in DNSSEC using Key Tag Query

diff --git a/NEWS b/NEWS
index ad218cb6287bb2fa1235f450a2099dc6265a478d..08c426b3f0ec8897d789b8800cca2ac1f9293c49 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,10 +1,15 @@
-Knot Resolver 1.4.1 (2017-10-xx)
+Knot Resolver 1.5.0 (2017-11-xx)
 ================================
 
 Bugfixes
 --------
 - fix loading modules on Darwin
 
+Improvements
+------------
+- new module ta_signal_query supporting Signaling Trust Anchor Knowledge
+  using Keytag Query (RFC 8145 section 5)
+
 
 Knot Resolver 1.4.0 (2017-09-22)
 ================================

diff --git a/daemon/lua/kres.lua.in b/daemon/lua/kres.lua.in
index ebf5ff259e6b010160e463825cb4f2d8e37bab55..43a062fb1d195a1e157ba8c36cd4136be97d78be 100644 (file)
--- a/daemon/lua/kres.lua.in
+++ b/daemon/lua/kres.lua.in
@@ -27,6 +27,7 @@ struct rr_type {
        static const int NS         =   2;
        static const int CNAME      =   5;
        static const int SOA        =   6;
+       static const int NULL       =  10;
        static const int PTR        =  12;
        static const int HINFO      =  13;
        static const int MINFO      =  14;

diff --git a/doc/modules.rst b/doc/modules.rst
index dade86c986869c518c77dfb594b96b205eeb9186..4b463fff9f70ea23f04343abacade54aaabf947f 100644 (file)
--- a/doc/modules.rst
+++ b/doc/modules.rst
@@ -25,3 +25,4 @@ Knot DNS Resolver modules
 .. include:: ../modules/version/README.rst
 .. include:: ../modules/workarounds/README.rst
 .. include:: ../modules/dnstap/README.rst
+.. include:: ../modules/ta_signal_query/README.rst

diff --git a/modules/modules.mk b/modules/modules.mk
index dfbbec071a596da79f08536025cc53426df001a2..157648df669ad75ad5fe7fad4aff5a92de6b2c33 100644 (file)
--- a/modules/modules.mk
+++ b/modules/modules.mk
@@ -32,7 +32,8 @@ modules_TARGETS += ketcd \
                    http \
                    daf \
                    workarounds \
-                   version
+                   version \
+                   ta_signal_query
 endif
 
 # Make C module

diff --git a/modules/ta_signal_query/README.rst b/modules/ta_signal_query/README.rst
new file mode 100644 (file)
index 0000000..93db257
--- /dev/null
+++ b/modules/ta_signal_query/README.rst
@@ -0,0 +1,29 @@
+.. _mod-ta_signal_query:
+
+Signaling Trust Anchor Knowledge in DNSSEC
+------------------------------------------
+
+The module for Signaling Trust Anchor Knowledge in DNSSEC Using Key Tag Query,
+implemented according to RFC 8145 section 5.
+
+This feature allows validating resolvers to signal to authoritative servers
+which keys are referenced in their chain of trust. The data from such
+signaling allow zone administrators to monitor the progress of rollovers
+in a DNSSEC-signed zone.
+
+This mechanism serve to measure the acceptance and use of new DNSSEC
+trust anchors and key signing keys (KSKs). This signaling data can be
+used by zone administrators as a gauge to measure the successful deployment
+of new keys. This is of particular interest for the DNS root zone in the event
+of key and/or algorithm rollovers that rely on RFC 5011 to automatically
+update a validating DNS resolver’s trust anchor.
+
+.. tip:: It is recommended to always keep this module enabled.
+
+Example configuration
+^^^^^^^^^^^^^^^^^^^^^
+
+.. code-block:: lua
+
+       -- Signal trust anchor keys configured in the validator
+       modules = { 'ta_signal_query' }

diff --git a/modules/ta_signal_query/ta_signal_query.lua b/modules/ta_signal_query/ta_signal_query.lua
new file mode 100644 (file)
index 0000000..8face1d
--- /dev/null
+++ b/modules/ta_signal_query/ta_signal_query.lua
@@ -0,0 +1,62 @@
+-- Module implementing RFC 8145 section 5
+-- Signaling Trust Anchor Knowledge in DNS using Key Tag Query
+local kres = require('kres')
+
+local mod = {}
+mod.layer = {}
+
+-- transform trust anchor keyset structure for one domain name (in wire format)
+-- to signalling query name like _ta-keytag1-keytag2.example.com.
+-- Returns:
+--   string constructed from valid keytags
+--   nil if no valid keytag is present in keyset
+local function prepare_query_name(keyset, name)
+       if not keyset then return nil end
+       local keytags = {}
+       for i, key in ipairs(keyset) do
+               if key.state == "Valid" then
+                       table.insert(keytags, key.key_tag)
+               end
+       end
+       if next(keytags) == nil then return nil end
+
+       table.sort(keytags)
+       local query = "_ta"
+       for i, tag in pairs(keytags) do
+               query = string.format("%s-%04x", query, tag)
+       end
+       if name == "\0" then
+               return query .. "."
+       else
+               return query .. "." .. kres.dname2str(name)
+       end
+end
+
+-- construct keytag query for valid keys and send it as asynchronous query
+-- (does nothing if no valid keys are present at given domain name)
+local function send_ta_query(domain)
+       local keyset = trust_anchors.keysets[domain]
+       local qname = prepare_query_name(keyset, domain)
+       if qname ~= nil then
+               if verbose() then
+                       log("[ta_query_signal] signalling query trigered: %s", qname)
+               end
+               -- asynchronous query
+               -- we do not care about result or from where it was obtained
+               event.after(0, function (ev)
+                       resolve(qname, kres.type.NULL, kres.class.IN, "NONAUTH")
+               end)
+       end
+end
+
+-- act on DNSKEY queries which were not answered from cache
+function mod.layer.consume(state, req, pkt)
+       local req = kres.request_t(req)
+       local qry = req:current()
+       if qry.stype == kres.type.DNSKEY and not qry.flags.CACHED then
+               send_ta_query(qry:name())
+       end
+       return state  -- do not interfere with normal query processing
+end
+
+return mod

diff --git a/modules/ta_signal_query/ta_signal_query.mk b/modules/ta_signal_query/ta_signal_query.mk
new file mode 100644 (file)
index 0000000..0adf179
--- /dev/null
+++ b/modules/ta_signal_query/ta_signal_query.mk
@@ -0,0 +1,2 @@
+ta_signal_query_SOURCES := ta_signal_query.lua
+$(call make_lua_module,ta_signal_query)