From: Vladimír Čunát
Date: Wed, 30 May 2018 17:01:00 +0000 (+0200)
Subject: ta_sentinel: switch to version 14 of the RFC draft
X-Git-Tag: v2.4.0~15^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bf17321df78caa30f1cc18b4ac648e9738590d8a;p=thirdparty%2Fknot-resolver.git

ta_sentinel: switch to version 14 of the RFC draft

Also minor fixes and speed enhancement (not measured).
---
diff --git a/NEWS b/NEWS
index f05436971..d4f69538a 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,10 @@ Bugfixes
 - avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
 - fix validation of explicit wildcard queries (#274)
 
+Improvements
+------------
+- ta_sentinel: switch to version 14 of the RFC draft (e.g. new label names)
+
 Knot Resolver 2.3.0 (2018-04-23)
 ================================
 
diff --git a/lib/rplan.h b/lib/rplan.h
index adb67eaeb..ad452303e 100644
--- a/lib/rplan.h
+++ b/lib/rplan.h
@@ -44,7 +44,7 @@ struct kr_qflags {
 	 * i.e. knot_wire_set_cd(request->answer->wire). */
 	bool DNSSEC_BOGUS : 1; /**< Query response is DNSSEC bogus. */
 	bool DNSSEC_INSECURE : 1;/**< Query response is DNSSEC insecure. */
-	bool DNSSEC_CD : 1; /**< CD bit in query */
+	bool DNSSEC_CD : 1; /**< Instruction to set CD bit in request. */
 	bool STUB : 1; /**< Stub resolution, accept received answer as solved. */
 	bool ALWAYS_CUT : 1; /**< Always recover zone cut (even if cached). */
 	bool DNSSEC_WEXPAND : 1; /**< Query response has wildcard expansion. */
diff --git a/modules/ta_sentinel/README.rst b/modules/ta_sentinel/README.rst
index a774e2ae1..c3b17a473 100644
--- a/modules/ta_sentinel/README.rst
+++ b/modules/ta_sentinel/README.rst
@@ -1,10 +1,10 @@
 .. _mod-ta_sentinel:
 
-Sentinel for Detecting Trusted Keys
------------------------------------
+Sentinel for Detecting Trusted Root Keys
+----------------------------------------
 
-The module implementing Sentinel for Detecting Trusted Keys in DNSSEC
-according to `draft-ietf-dnsop-kskroll-sentinel-00`_.
+The module implementing A Root Key Trust Anchor Sentinel for DNSSEC
+according to `draft-ietf-dnsop-kskroll-sentinel-12`_.
 
 This feature allows users of validating resolver to detect which root
 keys are configured in their chain of trust. The data from such
@@ -14,4 +14,4 @@ This module is enabled by default and we urge users not to disable it.
 If it is absolutely necessary you may add ``modules.unload('ta_sentinel')``
 to your configuration to disable it.
 
-.. _`draft-ietf-dnsop-kskroll-sentinel-00`: https://tools.ietf.org/html/draft-ietf-dnsop-kskroll-sentinel-00
+.. _`draft-ietf-dnsop-kskroll-sentinel-12`: https://tools.ietf.org/html/draft-ietf-dnsop-kskroll-sentinel-12
diff --git a/modules/ta_sentinel/ta_sentinel.lua b/modules/ta_sentinel/ta_sentinel.lua
index d84184319..4ee72c804 100644
--- a/modules/ta_sentinel/ta_sentinel.lua
+++ b/modules/ta_sentinel/ta_sentinel.lua
@@ -1,5 +1,6 @@
 local M = {}
 M.layer = {}
+local ffi = require('ffi')
 
 function M.layer.finish(state, req, pkt)
 	local kreq = kres.request_t(req)
@@ -12,50 +13,59 @@ function M.layer.finish(state, req, pkt)
 		return state end -- an internal query, exit
 
 	local kpkt = kres.pkt_t(pkt)
-	if not kpkt:ad() then
-		return state end -- insecure answer, exit
-
-	if not (kpkt:qtype() == kres.type.A) and not (kpkt:qtype() == kres.type.AAAA) then
+	local matching = ((kpkt:qtype() == kres.type.A or kpkt:qtype() == kres.type.AAAA)
+			and kpkt:qclass() == kres.class.IN)
+	if not matching then
 		return state end
-	if not (kpkt:qclass() == kres.class.IN) then
+	-- fast filter by the length of the first label
+	local label_len = qry:name():byte(1)
+	if label_len ~= 29 and label_len ~= 30 then
 		return state end
-
+	-- end of hot path
+	-- check the label name
 	local qname = kres.dname2str(qry:name()):lower()
-	local sentype, hexkeytag = qname:match('^kskroll%-sentinel%-(is)%-ta%-(%x+)%.')
-	if not sentype then
-		sentype, hexkeytag = qname:match('^kskroll%-sentinel%-(not)%-ta%-(%x+)%.')
+	local sentype, keytag
+	if label_len == 29 then
+		sentype = true
+		keytag = qname:match('^root%-key%-sentinel%-is%-ta%-(%x+)%.')
+	elseif label_len == 30 then
+		sentype = false
+		keytag = qname:match('^root%-key%-sentinel%-not%-ta%-(%x+)%.')
 	end
-	if not sentype or not hexkeytag then
-		return state end -- pattern did not match, exit
-	-- end of hot path
-	local qkeytag = tonumber(hexkeytag, 16)
-	if not qkeytag then
-		return state end -- not a valid hex string, exit
+	if kreq.rank ~= ffi.C.KR_RANK_SECURE or kreq.answer:cd() then
+		if verbose() then
+			log('[ta_sentinel] name+type OK but not AD+CD conditions')
+		end
+		return state
+	end
 
-	if (qkeytag < 0) or (qkeytag > 0xffff) then
+	-- check keytag from the label
+	keytag = tonumber(keytag)
+	if not keytag or math.floor(keytag) ~= keytag then
+		return state end -- pattern did not match, exit
+	if keytag < 0 or keytag > 0xffff then
 		return state end -- invalid keytag?!, exit
+
 	if verbose() then
-		log('[ta_sentinel] key tag: ' .. qkeytag .. ', sentinel: ' .. sentype)
+		log('[ta_sentinel] key tag: ' .. keytag .. ', sentinel: ' .. tostring(sentype))
 	end
-	assert (sentype == 'is' or sentype == 'not')
 
 	local found = false
 	for keyidx = 1, #trust_anchors.keysets['\0'] do
 		local key = trust_anchors.keysets['\0'][keyidx]
-		if qkeytag == key.key_tag then
+		if keytag == key.key_tag then
 			found = (key.state == "Valid")
 			if verbose() then
-				log('[ta_sentinel] found keytag ' .. qkeytag .. ', key state ' .. key.state)
+				log('[ta_sentinel] found keytag ' .. keytag .. ', key state ' .. key.state)
 			end
 		end
 	end
 
-	if (sentype == 'is' and not found) -- expected key is not there
-		or (sentype == 'not' and found) then -- unexpected key is there
+	if sentype ~= found then -- expected key is not there, or unexpected key is there
 		kpkt:clear_payload()
-		kpkt:rcode(2)
+		kpkt:rcode(kres.rcode.SERVFAIL)
 		kpkt:ad(false)
 	end
 	return state -- do not break resolution process
diff --git a/tests/README.rst b/tests/README.rst
index 17f53e9f9..502347c53 100644
--- a/tests/README.rst
+++ b/tests/README.rst
@@ -25,5 +25,5 @@ See deckard_ documentation on how to write additional tests.
 
 .. _cmocka: https://cmocka.org/
 .. _`socket_wrapper`: https://cwrap.org/socket_wrapper.html
-.. _libfaketime: https://cwrap.org/socket_wrapper.html
+.. _`libfaketime`: https://github.com/wolfcw/libfaketime
 .. _deckard: https://gitlab.labs.nic.cz/knot/deckard
diff --git a/tests/deckard b/tests/deckard
index 0164c2a37..314baab23 160000
--- a/tests/deckard
+++ b/tests/deckard
@@ -1 +1 @@
-Subproject commit 0164c2a37c384fabba57098d4b30e6381c36e581
+Subproject commit 314baab234262eb61a3e6cfd03941be5f3c94c9f
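Review bot: The key-tag capture `(%x+)` in both `qname:match` patterns is wider than the decimal tag the sentinel label carries, so a five-character label such as `root-key-sentinel-is-ta-1e004` passes the length filter, `tonumber` turns it into the float 10000, and that value survives the `math.floor` check and is compared against real key tags. Capturing exactly five decimal digits instead, `keytag = qname:match('^root%-key%-sentinel%-is%-ta%-(%d%d%d%d%d)%.')` (and the same for the `not-ta` pattern), rejects that form and makes the float check redundant. The fast filter `qry:name():byte(1)` presumably reads the first label length of a wire-format name held in a Lua string; a short comment such as `-- qry:name() is the wire-format name, so byte 1 is the first label's length` would make that assumption visible. M.layer.finish starts and ends outside this hunk. Separately, the README hunk still links draft-12 while the commit title and NEWS entry say version 14.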