Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DnssecDnsHandle: check RRSIG validity as per RFC4035 #2213

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

DnssecDnsHandle: check RRSIG validity as per RFC4035 #2213

wants to merge 3 commits into from
+245 −113

Conversation

japaric
Copy link
Collaborator

@japaric japaric commented May 15, 2024

this PR adds the validity checks specified in section 5.3.1 of RFC4035, including the time check that was reported as missing in issue #2209

these new checks overlap with some of the existing ones but I opted for not removing the existing ones because I do not know how well the existing code is covered by tests.

I checked that I did not break this query:

let config = ResolverConfig::default();
let mut opts = ResolverOpts::default();
opts.validate = true;

let resolver = Resolver::new(config, opts)?;

let lookup = resolver.lookup("example.com.", RecordType::A)?;
lookup.record_iter().for_each(|record| {
    assert_eq!(Proof::Secure, record.proof());
});

It would be good to check that expired signatures are rejected. There are plans to add those kind of tests to the conformance test suite (ferrous-systems/dnssec-tests#61) but given that Recursor does not use DnssecDnsHandle those tests won't exercise the code paths added here. I'm looking into reusing some of the existing code in DnssecDnsHandle to implement DNSSEC validation in Recursor (then conformance tests will cover some of DnssecDnsHandle code) but that's still ways off time-wise.

Another way to check the code here end to end would be to modify util/src/bin/resolve.rs to do DNSSEC validation (e.g. via a new CLI flag) then it would behave just like delv. That updated resolve could be comparatively against delv using the dns-test framework, that is without relying on external services / the internet.

I'm leaving this in draft state because the implementation will be cleaner when #2211 is implemented.

@japaric japaric mentioned this pull request Jun 10, 2024
Merged
japaric and others added 3 commits June 11, 2024 11:00
@japaric
refactor Rrset into its own module
7e60b54 
for better type safety. its fields are not meant to be mutated after
fully constructed

as `dns_class` comes from the (response) records themselves,
`verify_rrsets` no longer needs a `Query` argument
@japaric
use RecordRef to simplify dnssec_dns_handle
bd4d764
@japaric
check RRSIG validity
f52e5f8 
including inception and expiration times

closes hickory-dns#2209
@japaric japaric marked this pull request as ready for review June 11, 2024 10:50
@japaric
Copy link
Collaborator Author

japaric commented Jun 11, 2024

rebased and ready for review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bluejekyll bluejekyll Awaiting requested review from bluejekyll bluejekyll is a code owner

@djc djc Awaiting requested review from djc djc is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@japaric