bns
Advanced tools
Comparing version 0.0.4 to 0.0.5
@@ -164,2 +164,3 @@ #!/usr/bin/env node | ||
| process.stdout.write(`; <<>> bns ${pkg.version} <<>> ${argv}\n`); | ||
| process.stdout.write(';; Got answer:\n'); | ||
| process.stdout.write(res.toString(ms) + '\n'); | ||
@@ -166,0 +167,0 @@ } |
@@ -19,3 +19,2 @@ #!/usr/bin/env node | ||
| let dnssec = false; | ||
| let nsec3 = false; | ||
| let debug = false; | ||
@@ -78,8 +77,2 @@ | ||
| break; | ||
| case '+nsec3': | ||
| nsec3 = true; | ||
| break; | ||
| case '+nonsec3': | ||
| nsec3 = false; | ||
| break; | ||
| case '+debug': | ||
@@ -123,3 +116,2 @@ debug = true; | ||
| resolver.dnssec = Boolean(options.dnssec); | ||
| resolver.nsec3 = Boolean(options.nsec3); | ||
@@ -160,3 +152,2 @@ if (options.debug) { | ||
| dnssec, | ||
| nsec3, | ||
| debug | ||
@@ -174,2 +165,3 @@ }); | ||
| process.stdout.write(`; <<>> bns ${pkg.version} <<>> ${argv}\n`); | ||
| process.stdout.write(';; Got answer:\n'); | ||
| process.stdout.write(res.toString(ms) + '\n'); | ||
@@ -176,0 +168,0 @@ } |
@@ -8,6 +8,6 @@ [ | ||
| "data": { | ||
| "keyTag": 20326, | ||
| "keyTag": 19036, | ||
| "algorithm": 8, | ||
| "digestType": 2, | ||
| "digest": "e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" | ||
| "digest": "49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5" | ||
| } | ||
@@ -21,20 +21,8 @@ }, | ||
| "data": { | ||
| "keyTag": 41824, | ||
| "keyTag": 20326, | ||
| "algorithm": 8, | ||
| "digestType": 2, | ||
| "digest": "2895fff34928abec636d02553ccf6d807cfb6442d946a74dbd276c97b3118aff" | ||
| "digest": "e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" | ||
| } | ||
| }, | ||
| { | ||
| "name": ".", | ||
| "ttl": 172800, | ||
| "class": "INET", | ||
| "type": "DS", | ||
| "data": { | ||
| "keyTag": 19036, | ||
| "algorithm": 8, | ||
| "digestType": 2, | ||
| "digest": "49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5" | ||
| } | ||
| } | ||
| ] |
@@ -359,6 +359,6 @@ [ | ||
| "data": { | ||
| "keyTag": 20326, | ||
| "keyTag": 19036, | ||
| "algorithm": 8, | ||
| "digestType": 2, | ||
| "digest": "e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" | ||
| "digest": "49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5" | ||
| } | ||
@@ -372,20 +372,8 @@ }, | ||
| "data": { | ||
| "keyTag": 41824, | ||
| "keyTag": 20326, | ||
| "algorithm": 8, | ||
| "digestType": 2, | ||
| "digest": "2895fff34928abec636d02553ccf6d807cfb6442d946a74dbd276c97b3118aff" | ||
| "digest": "e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" | ||
| } | ||
| }, | ||
| { | ||
| "name": ".", | ||
| "ttl": 172800, | ||
| "class": "INET", | ||
| "type": "DS", | ||
| "data": { | ||
| "keyTag": 19036, | ||
| "algorithm": 8, | ||
| "digestType": 2, | ||
| "digest": "49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5" | ||
| } | ||
| } | ||
| ] |
@@ -14,2 +14,3 @@ /*! | ||
| const Hosts = require('./hosts'); | ||
| const hsig = require('./hsig'); | ||
| const nsec3 = require('./nsec3'); | ||
@@ -19,2 +20,3 @@ const ResolvConf = require('./resolvconf'); | ||
| const server = require('./server'); | ||
| const sig0 = require('./sig0'); | ||
| const util = require('./util'); | ||
@@ -28,2 +30,3 @@ const wire = require('./wire'); | ||
| exports.Hosts = Hosts; | ||
| exports.hsig = hsig; | ||
| exports.nsec3 = nsec3; | ||
@@ -44,3 +47,4 @@ exports.ResolvConf = ResolvConf; | ||
| exports.sig0 = sig0; | ||
| exports.util = util; | ||
| exports.wire = wire; |
@@ -321,3 +321,3 @@ /*! | ||
| const classes = { | ||
| UNKNOWN: 0, | ||
| UNKNOWN: 0, // RESERVED0 | ||
| INET: 1, | ||
@@ -338,3 +338,3 @@ CSNET: 2, | ||
| const classesByVal = { | ||
| [classes.UNKNOWN]: 'UNKNOWN', | ||
| [classes.UNKNOWN]: 'UNKNOWN', // RESERVED0 | ||
| [classes.INET]: 'INET', | ||
@@ -355,9 +355,9 @@ [classes.CSNET]: 'CSNET', | ||
| const short = { | ||
| UN: classes.UNKNOWN, | ||
| UNKNOWN: classes.UNKNOWN, // RESERVED0 | ||
| IN: classes.INET, | ||
| CS: classes.CSNET, | ||
| CS: classes.CSNET, // CLASS2 | ||
| CH: classes.CHAOS, | ||
| HE: classes.HESIOD, | ||
| NO: classes.NONE, | ||
| AN: classes.ANY | ||
| HS: classes.HESIOD, | ||
| NONE: classes.NONE, | ||
| ANY: classes.ANY | ||
| }; | ||
@@ -372,9 +372,9 @@ | ||
| const shortByVal = { | ||
| [short.UN]: 'UN', | ||
| [short.UNKNOWN]: 'UNKNOWN', // RESERVED0 | ||
| [short.IN]: 'IN', | ||
| [short.CS]: 'CS', | ||
| [short.CS]: 'CS', // CLASS2 | ||
| [short.CH]: 'CH', | ||
| [short.HE]: 'HE', | ||
| [short.NO]: 'NO', | ||
| [short.AN]: 'AN' | ||
| [short.HS]: 'HS', | ||
| [short.NONE]: 'NONE', | ||
| [short.ANY]: 'ANY' | ||
| }; | ||
@@ -381,0 +381,0 @@ |
@@ -9,4 +9,2 @@ /*! | ||
| const assert = require('assert'); | ||
| /* | ||
@@ -13,0 +11,0 @@ * Hashes |
@@ -15,2 +15,3 @@ /*! | ||
| const assert = require('assert'); | ||
| const bio = require('bufio'); | ||
@@ -36,2 +37,3 @@ const encoding = require('./encoding'); | ||
| types, | ||
| Message, | ||
| Record, | ||
@@ -104,3 +106,3 @@ DSRecord, | ||
| const hashByVal = { | ||
| const hashesByVal = { | ||
| [hashes.SHA1]: 'SHA1', | ||
@@ -133,2 +135,6 @@ [hashes.SHA256]: 'SHA256', | ||
| dnssec.createDS = function createDS(dnskey, digestType) { | ||
| assert(dnskey instanceof Record); | ||
| assert(dnskey.type === types.DNSKEY); | ||
| assert((digestType & 0xff) === digestType); | ||
| const dk = dnskey.data; // DNSKEY | ||
@@ -167,2 +173,4 @@ const hash = hashToHash[digestType]; | ||
| dnssec.signMessage = function signMessage(msg, name, key, priv, lifespan) { | ||
| assert(msg instanceof Message); | ||
| for (const section of msg.sections()) { | ||
@@ -173,2 +181,3 @@ const sigs = dnssec.signSection(section, name, key, priv, lifespan); | ||
| } | ||
| return msg; | ||
@@ -178,2 +187,4 @@ }; | ||
| dnssec.signSection = function signSection(section, name, key, priv, lifespan) { | ||
| assert(Array.isArray(section)); | ||
| const set = new Set(); | ||
@@ -186,4 +197,7 @@ const sigs = []; | ||
| for (const type of set) { | ||
| if (type === types.OPT) | ||
| if (type === types.OPT | ||
| || type === types.RRSIG | ||
| || type === types.SIG) { | ||
| continue; | ||
| } | ||
@@ -206,2 +220,7 @@ const rrset = extractSet(section, name, type); | ||
| assert(key instanceof Record); | ||
| assert(key.type === types.DNSKEY); | ||
| assert(Array.isArray(rrset)); | ||
| assert((lifespan >>> 0) === lifespan); | ||
| const sig = new Record(); | ||
@@ -226,2 +245,7 @@ const s = new RRSIGRecord(); | ||
| dnssec.sign = function sign(sig, priv, rrset) { | ||
| assert(sig instanceof Record); | ||
| assert(sig.type === types.RRSIG); | ||
| assert(Buffer.isBuffer(priv)); | ||
| assert(Array.isArray(rrset)); | ||
| const s = sig.data; // RRSIG | ||
@@ -254,3 +278,3 @@ | ||
| s.signature = dnssec.signature(priv, data, s.algorithm); | ||
| s.signature = dnssec.signData(priv, data, s.algorithm); | ||
@@ -260,7 +284,11 @@ return sig; | ||
| dnssec.signature = function signature(priv, data, algorithm) { | ||
| dnssec.signData = function signData(priv, data, algorithm) { | ||
| assert(Buffer.isBuffer(priv)); | ||
| assert(Buffer.isBuffer(data)); | ||
| assert((algorithm & 0xff) === algorithm); | ||
| const keybuf = priv; | ||
| const hash = algToHash[algorithm]; | ||
| if (hash === undefined) | ||
| if (!hash) | ||
| throw new Error('Unknown hash algorithm.'); | ||
@@ -292,2 +320,8 @@ | ||
| dnssec.verify = function verify(sig, key, rrset) { | ||
| assert(sig instanceof Record); | ||
| assert(sig.type === types.RRSIG); | ||
| assert(key instanceof Record); | ||
| assert(key.type === types.DNSKEY); | ||
| assert(Array.isArray(rrset)); | ||
| const s = sig.data; // RRSIG | ||
@@ -325,6 +359,13 @@ const k = key.data; // DNSKEY | ||
| return dnssec._verify(sig, key, data, s.algorithm); | ||
| return dnssec.verifyData(sig, key, data, s.algorithm); | ||
| }; | ||
| dnssec._verify = function _verify(sig, key, data, algorithm) { | ||
| dnssec.verifyData = function verifyData(sig, key, data, algorithm) { | ||
| assert(sig instanceof Record); | ||
| assert(sig.type === types.RRSIG); | ||
| assert(key instanceof Record); | ||
| assert(key.type === types.DNSKEY); | ||
| assert(Buffer.isBuffer(data)); | ||
| assert((algorithm & 0xff) === algorithm); | ||
| const keybuf = key.data.publicKey; | ||
@@ -334,3 +375,3 @@ const sigbuf = sig.data.signature; | ||
| if (hash === undefined) | ||
| if (!hash) | ||
| return false; | ||
@@ -362,2 +403,6 @@ | ||
| dnssec.signatureHash = function signatureHash(sig, rrset) { | ||
| assert(sig instanceof Record); | ||
| assert(sig.type === types.RRSIG); | ||
| assert(Array.isArray(rrset)); | ||
| const s = sig.data; // RRSIG | ||
@@ -488,9 +533,42 @@ const records = []; | ||
| dnssec.verifyDS = function verifyDS(keyMap, ds) { | ||
| dnssec.verifyDS = function verifyDS(msg, ds, name) { | ||
| assert(msg instanceof Message); | ||
| assert(Array.isArray(ds)); | ||
| assert(typeof name === 'string'); | ||
| if (ds.length === 0) | ||
| return false; | ||
| const kskMap = new Map(); | ||
| for (const rr of msg.answer) { | ||
| if (rr.type !== types.DNSKEY) | ||
| continue; | ||
| const rd = rr.data; | ||
| if (rd.flags & flags.REVOKE) | ||
| continue; | ||
| if (!(rd.flags & flags.ZONE)) | ||
| continue; | ||
| if (!util.equal(rr.name, name)) | ||
| continue; | ||
| if (rd.flags & dnssec.flags.SEP) | ||
| kskMap.set(rd.keyTag(), rr); | ||
| } | ||
| const valid = new Map(); | ||
| for (const rr of ds) { | ||
| assert(rr instanceof Record); | ||
| assert(rr.type === types.DS); | ||
| const rd = rr.data; | ||
| const dnskey = keyMap.get(rd.keyTag); | ||
| const dnskey = kskMap.get(rd.keyTag); | ||
| if (!dnskey) | ||
| continue; | ||
| return null; // Someone is hiding keys from us. | ||
@@ -500,32 +578,124 @@ const ds = dnssec.createDS(dnskey, rd.digestType); | ||
| if (!ds) | ||
| return false; // Failed to convert KSK | ||
| continue; // Failed to convert KSK (unknown alg). | ||
| if (!ds.data.digest.equals(rd.digest)) | ||
| return false; // Mismatching DS | ||
| return null; // Mismatching DS. | ||
| return true; | ||
| valid.set(rd.keyTag, dnskey); | ||
| continue; | ||
| } | ||
| return false; | ||
| if (valid.size === 0) | ||
| return null; | ||
| return valid; | ||
| }; | ||
| dnssec.verifyRRSIG = function verifyRRSIG(msg, keyMap) { | ||
| const sections = [msg.answer, msg.authority]; | ||
| dnssec.verifyZSK = function verifyZSK(msg, kskMap, name) { | ||
| assert(msg instanceof Message); | ||
| assert(kskMap instanceof Map); | ||
| assert(typeof name === 'string'); | ||
| for (const section of sections) { | ||
| if (section.length === 0) | ||
| if (msg.answer.length === 0) | ||
| return false; // No keys | ||
| if (kskMap.size === 0) | ||
| return false; // No keys | ||
| const keys = []; | ||
| const sigs = []; | ||
| for (const rr of msg.answer) { | ||
| const rd = rr.data; | ||
| if (rr.type === types.DNSKEY) { | ||
| if (!util.equal(rr.name, name)) | ||
| continue; | ||
| keys.push(rr); | ||
| continue; | ||
| } | ||
| const set = new Set(); | ||
| if (rr.type === types.RRSIG) { | ||
| if (rd.typeCovered !== types.DNSKEY) | ||
| continue; | ||
| for (const rr of section) { | ||
| if (rr.type === types.RRSIG) | ||
| if (!util.equal(rr.name, name)) | ||
| continue; | ||
| if (rr.type === types.NS) | ||
| if (!kskMap.has(rd.keyTag)) | ||
| continue; | ||
| set.add(rr.type); | ||
| sigs.push(rr); | ||
| continue; | ||
| } | ||
| } | ||
| if (keys.length === 0) | ||
| return false; // No keys | ||
| if (sigs.length === 0) | ||
| return false; // No sigs | ||
| for (const sig of sigs) { | ||
| const s = sig.data; | ||
| const dnskey = kskMap.get(s.keyTag); | ||
| if (!dnskey) | ||
| return false; // Missing DNS Key | ||
| if (!s.validityPeriod()) | ||
| return false; // Invalid Signature Period | ||
| if (!dnssec.verify(sig, dnskey, keys)) | ||
| return false; // Invalid Signature | ||
| } | ||
| return true; | ||
| }; | ||
| dnssec.verifyRRSIG = function verifyRRSIG(msg, zskMap) { | ||
| assert(msg instanceof Message); | ||
| assert(zskMap instanceof Map); | ||
| const sections = []; | ||
| if (msg.isAnswer()) { | ||
| sections.push(msg.answer); | ||
| if (msg.authority.length > 0) | ||
| sections.push(msg.authority); | ||
| } else if (msg.isReferral()) { | ||
| sections.push(msg.authority); | ||
| } else { | ||
| return true; | ||
| } | ||
| for (const section of sections) { | ||
| const set = new Set(); | ||
| if (msg.isReferral()) { | ||
| assert(sections.length === 1); | ||
| assert(section === msg.authority); | ||
| // We need a signed DS, NSEC3, | ||
| // or NS record for a referral. | ||
| if (util.hasType(section, types.DS)) | ||
| set.add(types.DS); | ||
| if (util.hasType(section, types.NSEC3)) | ||
| set.add(types.NSEC3); | ||
| } | ||
| if (set.size === 0) { | ||
| for (const rr of section) { | ||
| // No signed signatures. | ||
| if (rr.type === types.RRSIG | ||
| || rr.type === types.SIG) { | ||
| continue; | ||
| } | ||
| set.add(rr.type); | ||
| } | ||
| } | ||
| const sigs = extractSet(section, '', types.RRSIG); | ||
@@ -538,11 +708,11 @@ | ||
| const s = sig.data; | ||
| const rest = extractSet(section, sig.name, s.typeCovered); | ||
| const rrset = extractSet(section, sig.name, s.typeCovered); | ||
| if (rest.length === 0) | ||
| if (rrset.length === 0) | ||
| return false; // Missing Signed | ||
| const dnskey = keyMap.get(s.keyTag); | ||
| const dnskey = zskMap.get(s.keyTag); | ||
| if (!dnskey) | ||
| return false; // Mising DNS Key | ||
| return false; // Missing DNS Key | ||
@@ -552,3 +722,3 @@ if (!s.validityPeriod()) | ||
| if (!dnssec.verify(sig, dnskey, rest)) | ||
| if (!dnssec.verify(sig, dnskey, rrset)) | ||
| return false; // Invalid Signature | ||
@@ -566,2 +736,58 @@ | ||
| dnssec.filterMessage = function filterMessage(msg, type) { | ||
| assert(msg instanceof Message); | ||
| assert((type & 0xffff) === type); | ||
| msg.answer = dnssec.filterSection(msg.answer, type); | ||
| msg.authority = dnssec.filterSection(msg.authority, type); | ||
| msg.additional = dnssec.filterSection(msg.additional, type); | ||
| return msg; | ||
| }; | ||
| dnssec.filterSection = function filterSection(section, type) { | ||
| assert(Array.isArray(section)); | ||
| assert((type & 0xffff) === type); | ||
| const filtered = []; | ||
| for (const rr of section) { | ||
| assert(rr instanceof Record); | ||
| if (type !== types.RRSIG) { | ||
| if (rr.type === types.RRSIG) | ||
| continue; | ||
| } | ||
| if (type !== types.DNSKEY) { | ||
| if (rr.type === types.DNSKEY) | ||
| continue; | ||
| } | ||
| if (type !== types.DS) { | ||
| if (rr.type === types.DS) | ||
| continue; | ||
| } | ||
| if (type !== types.NSEC3) { | ||
| if (rr.type === types.NSEC3) | ||
| continue; | ||
| } | ||
| if (type !== types.NSEC3PARAM) { | ||
| if (rr.type === types.NSEC3PARAM) | ||
| continue; | ||
| } | ||
| if (type !== types.NSEC) { | ||
| if (rr.type === types.NSEC) | ||
| continue; | ||
| } | ||
| filtered.push(rr); | ||
| } | ||
| return filtered; | ||
| }; | ||
| /* | ||
@@ -587,4 +813,4 @@ * Helpers | ||
| dnssec.hashes = hashes; | ||
| dnssec.hashByVal = hashByVal; | ||
| dnssec.hashesByVal = hashesByVal; | ||
| dnssec.algToHash = algToHash; | ||
| dnssec.hashToHash = hashToHash; |
@@ -66,5 +66,4 @@ 'use strict'; | ||
| . 172800 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 | ||
| . 172800 IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d | ||
| . 172800 IN DS 41824 8 2 2895fff34928abec636d02553ccf6d807cfb6442d946a74dbd276c97b3118aff | ||
| . 172800 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 | ||
| `; |
@@ -15,2 +15,3 @@ /*! | ||
| const assert = require('assert'); | ||
| const base32 = require('bs32'); | ||
@@ -22,4 +23,3 @@ const crypto = require('./crypto'); | ||
| const {hasType, packName} = encoding; | ||
| const {types} = wire; | ||
| const {types, Question, Record} = wire; | ||
| const nsec3 = exports; | ||
@@ -32,2 +32,11 @@ | ||
| nsec3.hashName = function hashName(name, ha, iter, salt) { | ||
| assert(typeof name === 'string'); | ||
| assert((ha & 0xff) === ha); | ||
| assert((iter & 0xffff) === iter); | ||
| assert(Buffer.isBuffer(salt)); | ||
| // DoS vector. | ||
| if (iter > 1024) | ||
| return null; | ||
| const nameRaw = packName(name.toLowerCase()); | ||
@@ -65,2 +74,5 @@ const saltRaw = salt; | ||
| nsec3.cover = function cover(rr, name) { | ||
| assert(rr instanceof Record); | ||
| assert(rr.type === types.NSEC3); | ||
| const rd = rr.data; | ||
@@ -103,2 +115,5 @@ const nameHash = nsec3.hashName(name, rd.hash, rd.iterations, rd.salt); | ||
| nsec3.match = function match(rr, name) { | ||
| assert(rr instanceof Record); | ||
| assert(rr.type === types.NSEC3); | ||
| const rd = rr.data; | ||
@@ -130,2 +145,5 @@ const nameHash = nsec3.hashName(name, rd.hash, rd.iterations, rd.salt); | ||
| nsec3.findClosestEncloser = function findClosestEncloser(name, nsec) { | ||
| assert(typeof name === 'string'); | ||
| assert(Array.isArray(nsec)); | ||
| const label = util.split(name); | ||
@@ -152,2 +170,5 @@ | ||
| nsec3.findMatching = function findMatching(name, nsec) { | ||
| assert(typeof name === 'string'); | ||
| assert(Array.isArray(nsec)); | ||
| for (const rr of nsec) { | ||
@@ -157,2 +178,3 @@ if (nsec3.match(rr, name)) | ||
| } | ||
| return null; // NSEC missing coverage | ||
@@ -162,2 +184,5 @@ }; | ||
| nsec3.findCoverer = function findCoverer(name, nsec) { | ||
| assert(typeof name === 'string'); | ||
| assert(Array.isArray(nsec)); | ||
| for (const rr of nsec) { | ||
@@ -169,2 +194,3 @@ if (nsec3.cover(rr, name)) { | ||
| } | ||
| return [null, false]; // NSEC missing coverage | ||
@@ -188,2 +214,4 @@ }; | ||
| nsec3.verifyNoData = function verifyNoData(qs, nsec) { | ||
| assert(qs instanceof Question); | ||
| const bm = nsec3.findMatching(qs.name, nsec); | ||
@@ -190,0 +218,0 @@ |
@@ -130,6 +130,2 @@ /*! | ||
| error(msg) { | ||
| this.emit('error', new Error(msg)); | ||
| } | ||
| verify(msg, host, port) { | ||
@@ -139,6 +135,2 @@ return true; | ||
| append(msg, host, port) { | ||
| return msg; | ||
| } | ||
| retry(item, forceTCP) { | ||
@@ -179,3 +171,3 @@ const {rinfo} = item; | ||
| if (msg.length < 2) { | ||
| this.error(`Malformed message (${address}).`); | ||
| this.log('Malformed message (%s).', address); | ||
| return; | ||
@@ -188,3 +180,3 @@ } | ||
| if (!item) { | ||
| this.error(`Unsolicited message (${address}): ${id}.`); | ||
| this.log('Unsolicited message (%s): %d.', address, id); | ||
| return; | ||
@@ -195,3 +187,3 @@ } | ||
| || item.rinfo.port !== port) { | ||
| this.error(`Possible reflection attack (${address}): ${id}.`); | ||
| this.log('Possible reflection attack (%s): %d.', address, id); | ||
| return; | ||
@@ -294,3 +286,3 @@ } | ||
| const msg = this.append(req.encode(), host, port); | ||
| const msg = req.encode(); | ||
| const tcp = msg.length >= 4096; | ||
@@ -468,2 +460,3 @@ | ||
| this.anchors.length = 0; | ||
| this.port = 53; | ||
| } | ||
@@ -530,2 +523,3 @@ | ||
| } | ||
| case types.DS: { | ||
@@ -535,2 +529,8 @@ this.anchors.push(rr); | ||
| } | ||
| case types.DNSKEY: { | ||
| const ds = dnssec.createDS(rr, dnssec.hashes.SHA256); | ||
| this.anchors.push(ds); | ||
| break; | ||
| } | ||
| } | ||
@@ -584,3 +584,2 @@ } | ||
| this.hints = Hints.fromZone(rootZone); | ||
| this.nsec3 = false; | ||
| } | ||
@@ -647,24 +646,8 @@ | ||
| const [res, hit] = await this.ask(qs, auth); | ||
| const keyMap = new Map(); | ||
| if (res.answer.length === 0 | ||
| || res.code !== codes.NOERROR) { | ||
| return keyMap; | ||
| return new Map(); | ||
| } | ||
| for (const rr of res.answer) { | ||
| if (rr.type !== types.DNSKEY) | ||
| continue; | ||
| const rd = rr.data; | ||
| if (rd.flags & dnssec.flags.REVOKE) | ||
| continue; | ||
| if (!(rd.flags & dnssec.flags.ZONE)) | ||
| continue; | ||
| keyMap.set(rd.keyTag(), rr); | ||
| } | ||
| if (auth.zone === '.') { | ||
@@ -680,15 +663,17 @@ assert(ds.length === 0); | ||
| // Pick out the valid KSK's. | ||
| const valid = dnssec.verifyDS(res, ds, qs.name); | ||
| if (!valid) { | ||
| this.log('Invalid KSKs (DS mismatch).'); | ||
| return null; | ||
| } | ||
| if (!hit) { | ||
| if (!dnssec.verifyDS(keyMap, ds)) { | ||
| this.log('Invalid DNSKEY (DS mismatch).'); | ||
| // Verify all ZSK's with KSK's if we're not cached. | ||
| if (!dnssec.verifyZSK(res, valid, qs.name)) { | ||
| this.log('Invalid KSKs (verification failure).'); | ||
| return null; | ||
| } | ||
| if (!dnssec.verifyRRSIG(res, keyMap)) { | ||
| this.log('Invalid RRSIG (keys).'); | ||
| return null; | ||
| } | ||
| } | ||
| if (!hit) { | ||
| const eternal = auth.zone === '.'; | ||
@@ -698,3 +683,26 @@ this.cache.insert(qs, auth.zone, res, true, eternal); | ||
| return keyMap; | ||
| for (const rr of res.answer) { | ||
| if (rr.type !== types.DNSKEY) | ||
| continue; | ||
| const rd = rr.data; | ||
| if (rd.flags & dnssec.flags.REVOKE) | ||
| continue; | ||
| if (!(rd.flags & dnssec.flags.ZONE)) | ||
| continue; | ||
| if (!util.equal(rr.name, qs.name)) | ||
| continue; | ||
| if (rd.flags & dnssec.flags.SEP) | ||
| continue; | ||
| // Allow KSK's to sign the zone too | ||
| // (why not as long as they're valid?). | ||
| valid.set(rd.keyTag(), rr); | ||
| } | ||
| return valid; | ||
| } | ||
@@ -707,14 +715,14 @@ | ||
| const qs = new Question(auth.zone, types.DNSKEY); | ||
| const keyMap = await this.lookupDNSKEY(qs, auth, ds); | ||
| const zskMap = await this.lookupDNSKEY(qs, auth, ds); | ||
| if (!keyMap) | ||
| if (!zskMap) | ||
| return false; | ||
| if (keyMap.size === 0) { | ||
| this.log('No DNSKEY found.'); | ||
| if (zskMap.size === 0) { | ||
| this.log('No ZSKs found.'); | ||
| return false; | ||
| } | ||
| if (!dnssec.verifyRRSIG(msg, keyMap)) { | ||
| this.log('Invalid RRSIG.'); | ||
| if (!dnssec.verifyRRSIG(msg, zskMap)) { | ||
| this.log('Invalid RRSIGs.'); | ||
| return false; | ||
@@ -876,8 +884,12 @@ } | ||
| if (rc.res.authority.length === nsec.length) { | ||
| if (this.nsec3 && rc.chain) { | ||
| if (nsec.length === 0) | ||
| throw new Error('No NSEC records.'); | ||
| if (!nsec3.verifyNoData(rc.qs, nsec)) | ||
| throw new Error('NSEC missing coverage.'); | ||
| if (rc.chain) { | ||
| if (nsec.length === 0) { | ||
| this.log('Trust chain broken due to no NSEC records.'); | ||
| rc.chain = false; | ||
| } else if (!nsec3.verifyNoData(rc.qs, nsec)) { | ||
| this.log('Trust chain broken due to missing NSEC coverage.'); | ||
| rc.chain = false; | ||
| } else { | ||
| this.log('Validated NSEC3 nodata.'); | ||
| } | ||
| } | ||
@@ -896,5 +908,9 @@ this.insert(rc); | ||
| if (this.nsec3 && rc.chain && nsec.length > 0) { | ||
| if (!nsec3.verifyDelegation(auth.zone, nsec)) | ||
| throw new Error('NSEC bad delegation.'); | ||
| if (rc.chain && nsec.length > 0) { | ||
| if (!nsec3.verifyDelegation(auth.zone, nsec)) { | ||
| this.log('Trust chain broken due to bad delegation.'); | ||
| rc.chain = false; | ||
| } else { | ||
| this.log('Validated NSEC3 delegation.'); | ||
| } | ||
| } | ||
@@ -934,20 +950,18 @@ | ||
| if (this.nsec3 && rc.chain && rc.res.code === codes.NXDOMAIN) { | ||
| if (rc.chain && rc.res.code === codes.NXDOMAIN) { | ||
| const nsec = extractSet(rc.res.authority, '', types.NSEC3); | ||
| if (!nsec3.verifyNameError(rc.qs, nsec)) | ||
| throw new Error('NSEC missing coverage'); | ||
| if (!nsec3.verifyNameError(rc.qs, nsec)) { | ||
| this.log('Trust chain broken due to bad NX proof.'); | ||
| rc.chain = false; | ||
| } else { | ||
| this.log('Validated NSEC3 NX proof.'); | ||
| } | ||
| } | ||
| if (rc.res.answer.length > 0 | ||
| && (rc.res.code === codes.NOERROR | ||
| || rc.res.code === codes.YXDOMAIN | ||
| || rc.res.code === codes.NXDOMAIN)) { | ||
| if (rc.res.isAnswer()) | ||
| return this.handleAnswer(rc); | ||
| } | ||
| if (rc.res.authority.length > 0 | ||
| && (rc.res.code === codes.NOERROR | ||
| || rc.res.code === codes.YXDOMAIN)) { | ||
| if (rc.res.isReferral()) | ||
| return this.handleAuthority(rc); | ||
| } | ||
@@ -954,0 +968,0 @@ return false; |
@@ -142,3 +142,3 @@ /*! | ||
| const SIGSchema = [ | ||
| ['typeCovered', 'type'], | ||
| ['typeCovered', 'u16'], | ||
| ['algorithm', 'u8'], | ||
@@ -270,3 +270,13 @@ ['labels', 'u8'], | ||
| const RRSIGSchema = SIGSchema; | ||
| const RRSIGSchema = [ | ||
| ['typeCovered', 'type'], | ||
| ['algorithm', 'u8'], | ||
| ['labels', 'u8'], | ||
| ['origTTL', 'u32'], | ||
| ['expiration', 'time'], | ||
| ['inception', 'time'], | ||
| ['keyTag', 'u16'], | ||
| ['signerName', 'name'], | ||
| ['signature', 'base64-end'] | ||
| ]; | ||
@@ -273,0 +283,0 @@ const NSECSchema = [ |
@@ -189,5 +189,13 @@ /*! | ||
| this.resolver.on('log', (...a) => this.emit('log', ...a)); | ||
| this.resolver.on('error', e => this.emit('error', e)); | ||
| this.ra = true; | ||
| } | ||
| getServers() { | ||
| return this.resolver.getServers(); | ||
| } | ||
| setServers(servers) { | ||
| this.resolver.setServers(servers); | ||
| return this; | ||
| } | ||
| } | ||
@@ -205,3 +213,2 @@ | ||
| this.resolver.on('log', (...a) => this.emit('log', ...a)); | ||
| this.resolver.on('error', e => this.emit('error', e)); | ||
| this.ra = true; | ||
@@ -208,0 +215,0 @@ } |
| { | ||
| "name": "bns", | ||
| "version": "0.0.4", | ||
| "version": "0.0.5", | ||
| "description": "DNS bike-shed", | ||
@@ -5,0 +5,0 @@ "keywords": [ |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is too big to display
No alert changes
Improved metrics
- Total package byte prevSize
- increased by4.85%
296783
- Number of package files
- increased by6.45%
33
- Lines of code
- increased by4.22%
12003
No dependency changes