From: Pieter Lexis
Date: Mon, 2 Oct 2017 11:20:38 +0000 (+0200)
Subject: rec: support trustanchor.server CH TXT queries
X-Git-Tag: dnsdist-1.4.0-rc1~108^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c1d92d739bf6bfb543ec78dfe3e8eaa628836766;p=thirdparty%2Fpdns.git
rec: support trustanchor.server CH TXT queries
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 9be6586872..671307dad4 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -3305,6 +3305,7 @@ int main(int argc, char **argv)
 ::arg().set("single-socket", "If set, only use a single socket for outgoing queries")="off";
 ::arg().set("auth-zones", "Zones for which we have authoritative data, comma separated domain=file pairs ")="";
 ::arg().set("lua-config-file", "More powerful configuration options")="";
+ ::arg().setSwitch("allow-trust-anchor-query", "Allow queries for trustanchor.server CH TXT")="yes";
 ::arg().set("forward-zones", "Zones for which we forward queries, comma separated domain=ip pairs")="";
 ::arg().set("forward-zones-recurse", "Zones for which we forward queries with recursion bit, comma separated domain=ip pairs")="";
diff --git a/pdns/recursordist/docs/dnssec.rst b/pdns/recursordist/docs/dnssec.rst
index 110a820413..028cdaaee0 100644
--- a/pdns/recursordist/docs/dnssec.rst
+++ b/pdns/recursordist/docs/dnssec.rst
@@ -74,6 +74,9 @@ Trust Anchor Management
 In the PowerDNS Recursor, both positive and negative trust anchors can be configured during startup (from a persistent configuration file) and at runtime (which is volatile). However, all trust anchors are configurable.
+Current trust anchors can be queried from the recursor by sending a query for "trustanchor.server CH TXT".
+This query will (if :ref:`setting-allow-trust-anchor-query` is enabled) return a TXT record per trust-anchor in the format ``"DOMAIN KEYTAG [KEYTAG]..."``.
+
 Trust Anchors
 ^^^^^^^^^^^^^
 The PowerDNS Recursor ships with the DNSSEC Root key built-in.
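Review bot: The new `allow-trust-anchor-query` switch defaults to `yes`, so every recursor answers `trustanchor.server CH TXT` out of the box, and the help string does not say what the answer discloses. Per the dnssec.rst hunk in this same commit the response is one TXT record per configured anchor with its domain and key tags, so an operator who has added anchors for internal or private zones reveals those zone names to any client that can reach the resolver; whether the normal `allow-from` ACL still applies before this special-name path is not visible in this hunk and should be confirmed. I would make the help text explicit about the exposure, `::arg().setSwitch("allow-trust-anchor-query", "Allow queries for trustanchor.server CH TXT (lists every configured DNSSEC trust anchor, including locally added ones)")="yes";`, and consider whether `no` is the safer default for a setting that discloses configuration, with the docs telling operators to enable it when they want it. main() continues outside the hunk.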
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 1ae0d71c1f..5a9aeac718 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -54,6 +54,17 @@ Overrides the `allow-from`_ setting. To use this feature, supply one netmask per
 Answer questions for the ANY type on UDP with a truncated packet that refers the remote server to TCP. Useful for mitigating ANY reflection attacks.
+.. _setting-allow-trust-anchor-query:
+ ``allow-trust-anchor-query`` ---------------------------- .. versionadded:: 4.1.0 - Boolean - Default: yes Allow ``trustanchor.server CH TXT`` queries to view the configured :doc:`DNSSEC ` trust anchors.
 .. _setting-api-config-dir:
 ``api-config-dir``
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index c75c21901f..6888ec9041 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -159,11 +159,12 @@ int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qcl
 * - version.bind. CH TXT
 * - version.pdns. CH TXT
 * - id.server. CH TXT
+ * - trustanchor.server CH TXT
 */
 bool SyncRes::doSpecialNamesResolve(const DNSName &qname, const QType &qtype, const uint16_t qclass, vector &ret)
 {
 static const DNSName arpa("1.0.0.127.in-addr.arpa."), ip6_arpa("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."),
- localhost("localhost."), versionbind("version.bind."), idserver("id.server."), versionpdns("version.pdns.");
+ localhost("localhost."), versionbind("version.bind."), idserver("id.server."), versionpdns("version.pdns."), trustanchorserver("trustanchor.server.");
 bool handled = false;
 vector > answers;
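Review bot: The added comment entry `* - trustanchor.server CH TXT` drops the trailing dot that the three neighbouring entries (`version.bind.`, `version.pdns.`, `id.server.`) carry, while the DNSName added on the same hunk is constructed as `trustanchor.server.`; for consistency write `* - trustanchor.server. CH TXT`. That list in the function header is what an auditor greps to learn which special names the recursor answers without recursing, so it is worth keeping the entries uniform and, ideally, adding a short remark that this one is gated by the `allow-trust-anchor-query` setting unlike the others. The body of doSpecialNamesResolve continues outside this hunk.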
@@ -195,6 +196,25 @@ bool SyncRes::doSpecialNamesResolve(const DNSName &qname, const QType &qtype, co
 }
 }
+ if (qname == trustanchorserver && qclass == QClass::CHAOS &&
+ ::arg().mustDo("allow-trust-anchor-query")) {
+ handled = true;
+ if (qtype == QType::TXT || qtype == QType::ANY) {
+ auto luaLocal = g_luaconfs.getLocal();
+ for (auto const &dsAnchor : luaLocal->dsAnchors) {
+ ostringstream ans;
+ ans<<"\"";
+ ans<