mirrors/hello-dns
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

move most DNSSEC things into tdnssec.cc so they don't hurt your eyes

Browse Source
This commit is contained in:
bert hubert 2018-04-29 10:18:58 +02:00
parent 531d82d8db
commit 56f416054b
4 changed files with 107 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
tdns/Makefile
View File

@ -13,7 +13,7 @@ check: testrunner tdns tdig
-include *.d
tdns: tdns.o record-types.o dns-storage.o dnsmessages.o contents.o ext/simplesocket/comboaddress.o ext/simplesocket/sclasses.o ext/simplesocket/swrappers.o
tdns: tdns.o record-types.o dns-storage.o dnsmessages.o contents.o ext/simplesocket/comboaddress.o ext/simplesocket/sclasses.o ext/simplesocket/swrappers.o tdnssec.o
g++ -std=gnu++14 $^ -o $@ -pthread
tdig: tdig.o record-types.o dns-storage.o dnsmessages.o ext/simplesocket/comboaddress.o ext/simplesocket/sclasses.o ext/simplesocket/swrappers.o

89
tdns/tdns.cc
View File

@ -15,6 +15,7 @@
#include <signal.h>
#include "record-types.hh"
#include "dns-storage.hh"
#include "tdnssec.hh"
using namespace std;
@ -125,6 +126,7 @@ bool processQuestion(const DNSNode& zones, DNSMessageReader& dm, const ComboAddr
auto bestzone = fnd->zone.get(); // this loads a pointer to the zone contents
// if they wanted DNSSEC and we got it!
bool mustDoDNSSEC= doBit && !bestzone->rrsets[DNSType::SOA].signatures.empty();
DNSName searchname(qname), lastnode;
@ -134,7 +136,7 @@ bool processQuestion(const DNSNode& zones, DNSMessageReader& dm, const ComboAddr
loopCNAME:;
/* search for the best node, where we want to benefit from wildcard synthesis
note that this is the same 'find' we used to find the best zone, but we did not
want any wildcard procssing there */
want any wildcard processing there */
auto node = bestzone->find(searchname, lastnode, true, &passedZonecut, &passedWcard);
if(passedZonecut) {
@ -154,18 +156,9 @@ bool processQuestion(const DNSNode& zones, DNSMessageReader& dm, const ComboAddr
toresolve.push_back(dynamic_cast<NSGen*>(rr.get())->d_name);
}
}
if(mustDoDNSSEC) {
if(iter = passedZonecut->rrsets.find(DNSType::DS), iter != passedZonecut->rrsets.end()) {
cout<<"\tDNSSEC OK query delegation, found a DS at "<<(passedZonecut->getName() + zonename)<<endl;
const auto& rrset = iter->second;
response.putRR(DNSSection::Authority, passedZonecut->getName() + zonename, rrset.ttl, rrset.contents[0]);
cout<<"\tAdding signatures for DS (have "<<rrset.signatures.size()<<")"<<endl;
for(const auto& sig : rrset.signatures) {
response.putRR(DNSSection::Authority, passedZonecut->getName()+zonename, rrset.ttl, sig);
}
}
}
if(mustDoDNSSEC)
addDSToDelegation(response, passedZonecut, zonename);
addAdditional(bestzone, zonename, toresolve, response);
}
else if(!searchname.empty()) { // we had parts of the qname that did not match
@ -177,34 +170,10 @@ bool processQuestion(const DNSNode& zones, DNSMessageReader& dm, const ComboAddr
response.putRR(DNSSection::Authority, zonename, ttl, rrset.contents[0]);
if(mustDoDNSSEC) { // should do DNSSEC
for(const auto& sig : rrset.signatures) {
response.putRR(DNSSection::Authority, passedZonecut->getName()+zonename, rrset.ttl, sig);
}
cout<<"\tAt the last node, we have "<< node->children.size()<< " children\n";
cout<<"\tLast node left "<<qname.back()<<endl;
auto prev = node->children.lower_bound(qname.back())->prev();
for(;;) {
if(!prev) {
cout<<"\tNSEC should maybe loop? there is no previous???"<<endl;
}
cout<<"\tNSEC should start at "<<prev->getName()<<endl;
if(!prev->rrsets.count(DNSType::NSEC)) {
cout<<"\tCould not find NSEC record at "<<prev->getName()<<", it is an ENT, going back further"<<endl;
}
break;
}
const auto& nsecrr = prev->rrsets.find(DNSType::NSEC);
cout<<"\tAdding NSEC & signatures (have "<<nsecrr->second.signatures.size()<<")"<<endl;
response.putRR(DNSSection::Authority, prev->getName()+zonename, nsecrr->second.ttl, nsecrr->second.contents[0]);
for(const auto& sig : nsecrr->second.signatures) {
response.putRR(DNSSection::Authority, prev->getName()+zonename, nsecrr->second.ttl, sig);
}
addNXDOMAINDNSSEC(response, rrset, qname, node, passedZonecut, zonename);
}
if(!CNAMELoopCount) // RFC 1034, 4.3.2, step 3.c
response.dh.rcode = (int)RCode::Nxdomain;
}
else {
cout<<"\tFound node in zone '"<<zonename<<"' for lhs '"<<qname<<"', searchname now '"<<searchname<<"', lastnode '"<<lastnode<<"', passedZonecut="<<passedZonecut<<endl;
@ -218,9 +187,7 @@ bool processQuestion(const DNSNode& zones, DNSMessageReader& dm, const ComboAddr
const auto& rrset = iter->second;
response.putRR(DNSSection::Answer, lastnode+zonename, rrset.ttl, rrset.contents[0]);
if(mustDoDNSSEC) {
for(const auto& sig : rrset.signatures) {
response.putRR(DNSSection::Answer, lastnode+zonename, rrset.ttl, sig);
}
addSignatures(response, rrset, lastnode, passedWcard, zonename);
}
DNSName target=dynamic_cast<CNAMEGen*>(rrset.contents[0].get())->d_name;
@ -252,24 +219,8 @@ bool processQuestion(const DNSNode& zones, DNSMessageReader& dm, const ComboAddr
if(i2->first == DNSType::MX)
additional.push_back(dynamic_cast<MXGen*>(rr.get())->d_name);
}
if(mustDoDNSSEC) {
cout<<"\tAdding signatures for "<<i2->first<<" (have "<<rrset.signatures.size()<<")"<<endl;
for(const auto& sig : rrset.signatures) {
response.putRR(DNSSection::Answer, lastnode+zonename, rrset.ttl, sig);
}
if(passedWcard) {
cout<<"\tAdding the wildcard NSEC at "<<passedWcard->getName()<<endl;
auto nseciter = passedWcard->rrsets.find(DNSType::NSEC);
if(nseciter != passedWcard->rrsets.end()) {
response.putRR(DNSSection::Authority, passedWcard->getName()+zonename, nseciter->second.ttl, nseciter->second.contents[0]);
for(const auto& sig : nseciter->second.signatures) {
response.putRR(DNSSection::Authority, passedWcard->getName()+zonename, nseciter->second.ttl, sig);
}
}
}
}
if(mustDoDNSSEC)
addSignatures(response, rrset, lastnode, passedWcard, zonename);
}
}
else {
@ -278,22 +229,8 @@ bool processQuestion(const DNSNode& zones, DNSMessageReader& dm, const ComboAddr
auto ttl = min(rrset.ttl, dynamic_cast<SOAGen*>(rrset.contents[0].get())->d_minimum); // 2308 3
response.putRR(DNSSection::Authority, zonename, ttl, rrset.contents[0]);
if(mustDoDNSSEC) {
cout<<"\tAdding signatures for SOA (have "<<rrset.signatures.size()<<")"<<endl;
for(const auto& sig : rrset.signatures) {
response.putRR(DNSSection::Authority, zonename, rrset.ttl, sig);
}
if(node->rrsets.count(DNSType::NSEC)) {
const auto& nsecrr = *node->rrsets.find(DNSType::NSEC);
cout<<"\tAdding NSEC & signatures (have "<<nsecrr.second.signatures.size()<<")"<<endl;
response.putRR(DNSSection::Authority, node->getName()+zonename, rrset.ttl, nsecrr.second.contents[0]);
for(const auto& sig : nsecrr.second.signatures) {
response.putRR(DNSSection::Authority, node->getName()+zonename, rrset.ttl, sig);
}
}
}
if(mustDoDNSSEC)
addNoErrorDNSSEC(response, node, rrset, zonename);
}
addAdditional(bestzone, zonename, additional, response);
}
@ -379,6 +316,8 @@ catch(std::out_of_range& e) { // exceeded packet size
cout<<"\tAdditional records would have overflowed the packet, stopped adding them, not truncating yet\n";
}
/*! \brief Writes a DNSMessageWriter to a TCP/IP socket, with length envelope
helper function which encapsulates a DNS message within an 'envelope'

83
tdns/tdnssec.cc Normal file
View File

@ -0,0 +1,83 @@
#include "tdnssec.hh"
#include <iostream>
using namespace std;
void addDSToDelegation(DNSMessageWriter& response, const DNSNode* passedZonecut, const DNSName& zonename)
{
auto iter = passedZonecut->rrsets.find(DNSType::DS);
if( iter != passedZonecut->rrsets.end()) {
cout<<"\tDNSSEC OK query delegation, found a DS at "<<(passedZonecut->getName() + zonename)<<endl;
const auto& rrset = iter->second;
response.putRR(DNSSection::Authority, passedZonecut->getName() + zonename, rrset.ttl, rrset.contents[0]);
cout<<"\tAdding signatures for DS (have "<<rrset.signatures.size()<<")"<<endl;
for(const auto& sig : rrset.signatures) {
response.putRR(DNSSection::Authority, passedZonecut->getName()+zonename, rrset.ttl, sig);
}
}
}
void addNoErrorDNSSEC(DNSMessageWriter& response, const DNSNode* node, const RRSet& rrset, const DNSName& zonename)
{
cout<<"\tAdding signatures for SOA (have "<<rrset.signatures.size()<<")"<<endl;
for(const auto& sig : rrset.signatures) {
response.putRR(DNSSection::Authority, zonename, rrset.ttl, sig);
}
if(node->rrsets.count(DNSType::NSEC)) {
const auto& nsecrr = *node->rrsets.find(DNSType::NSEC);
cout<<"\tAdding NSEC & signatures (have "<<nsecrr.second.signatures.size()<<")"<<endl;
response.putRR(DNSSection::Authority, node->getName()+zonename, rrset.ttl, nsecrr.second.contents[0]);
for(const auto& sig : nsecrr.second.signatures) {
response.putRR(DNSSection::Authority, node->getName()+zonename, rrset.ttl, sig);
}
}
}
void addSignatures(DNSMessageWriter& response, const RRSet& rrset, const DNSName& lastnode, const DNSNode* passedWcard, const DNSName& zonename)
{
for(const auto& sig : rrset.signatures) {
response.putRR(DNSSection::Answer, lastnode+zonename, rrset.ttl, sig);
}
if(passedWcard) {
cout<<"\tAdding the wildcard NSEC at "<<passedWcard->getName()<<endl;
auto nseciter = passedWcard->rrsets.find(DNSType::NSEC);
if(nseciter != passedWcard->rrsets.end()) {
response.putRR(DNSSection::Authority, passedWcard->getName()+zonename, nseciter->second.ttl, nseciter->second.contents[0]);
for(const auto& sig : nseciter->second.signatures) {
response.putRR(DNSSection::Authority, passedWcard->getName()+zonename, nseciter->second.ttl, sig);
}
}
}
}
void addNXDOMAINDNSSEC(DNSMessageWriter& response, const RRSet& rrset, const DNSName& qname, const DNSNode* node, const DNSNode* passedZonecut, const DNSName& zonename)
{
for(const auto& sig : rrset.signatures) {
response.putRR(DNSSection::Authority, passedZonecut->getName()+zonename, rrset.ttl, sig);
}
cout<<"\tAt the last node, we have "<< node->children.size()<< " children\n";
cout<<"\tLast node left "<<qname.back()<<endl;
auto prev = node->children.lower_bound(qname.back())->prev();
for(;;) {
if(!prev) {
cout<<"\tNSEC should maybe loop? there is no previous???"<<endl;
}
cout<<"\tNSEC should start at "<<prev->getName()<<endl;
if(!prev->rrsets.count(DNSType::NSEC)) {
cout<<"\tCould not find NSEC record at "<<prev->getName()<<", it is an ENT, going back further"<<endl;
}
break;
}
const auto& nsecrr = prev->rrsets.find(DNSType::NSEC);
cout<<"\tAdding NSEC & signatures (have "<<nsecrr->second.signatures.size()<<")"<<endl;
response.putRR(DNSSection::Authority, prev->getName()+zonename, nsecrr->second.ttl, nsecrr->second.contents[0]);
for(const auto& sig : nsecrr->second.signatures) {
response.putRR(DNSSection::Authority, prev->getName()+zonename, nsecrr->second.ttl, sig);
}
}

9
tdns/tdnssec.hh Normal file
View File

@ -0,0 +1,9 @@
#pragma once
#include "dnsmessages.hh"
#include "dns-storage.hh"
void addDSToDelegation(DNSMessageWriter& response, const DNSNode* passedZonecut, const DNSName& zonename);
void addNoErrorDNSSEC(DNSMessageWriter& response, const DNSNode* node, const RRSet& rrset, const DNSName& zonename);
void addSignatures(DNSMessageWriter& response, const RRSet& rrset, const DNSName& lastnode, const DNSNode* passedWcard, const DNSName& zonename);
void addNXDOMAINDNSSEC(DNSMessageWriter& response, const RRSet& rrset, const DNSName& qname, const DNSNode* node, const DNSNode* passedZonecut, const DNSName& zonename);