bns - npm Package Compare versions

Comparing version 0.0.6 to 0.0.7

lib/dnssec.js

@@ -498,3 +498,3 @@ /*!
     if (!dnskey)
-      return null; // Someone is hiding keys from us.
+      continue;
 
@@ -586,72 +586,77 @@ const ds = dnssec.createDS(dnskey, rd.digestType);
 
-  const sections = [];
+  const isAnswer = msg.isAnswer();
+  const isReferral = msg.isReferral();
 
-  if (msg.isAnswer()) {
-    sections.push(msg.answer);
-    if (msg.authority.length > 0)
-      sections.push(msg.authority);
-  } else if (msg.isReferral()) {
-    sections.push(msg.authority);
-  } else {
+  if (!isAnswer && !isReferral)
     return true;
-  }
 
-  for (const section of sections) {
-    const set = new Set();
+  const set = new Set();
 
-    if (msg.isReferral()) {
-      assert(sections.length === 1);
-      assert(section === msg.authority);
+  let section = msg.answer;
 
-      // We need a signed DS, NSEC3,
-      // or NS record for a referral.
-      if (util.hasType(section, types.DS))
-        set.add(types.DS);
+  if (isReferral) {
+    section = msg.authority;
 
-      if (util.hasType(section, types.NSEC3))
-        set.add(types.NSEC3);
-    }
+    // We need a signed DS, NSEC3,
+    // or NS record for a referral.
+    if (util.hasType(section, types.DS))
+      set.add(types.DS);
 
-    if (set.size === 0) {
-      for (const rr of section) {
-        // No signed signatures.
-        if (rr.type === types.RRSIG
-            || rr.type === types.SIG) {
-          continue;
-        }
+    if (util.hasType(section, types.NSEC3))
+      set.add(types.NSEC3);
+  }
 
-        set.add(rr.type);
+  // If we don't have any specific
+  // types to look for, verify
+  // everything in the section.
+  if (set.size === 0) {
+    for (const rr of section) {
+      // No signed signatures.
+      if (rr.type === types.RRSIG
+          || rr.type === types.SIG) {
+        continue;
       }
+
+      // No special records.
+      if (rr.type === types.OPT
+          || rr.type === types.TSIG) {
+        continue;
+      }
+
+      set.add(rr.type);
     }
+  }
 
-    const sigs = extractSet(section, '', types.RRSIG);
+  // Some kind of error.
+  // Verify elsewhere.
+  if (set.size === 0)
+    return true;
 
-    if (sigs.length === 0)
-      return false; // No Signatures
+  for (const rr of section) {
+    if (rr.type !== types.RRSIG)
+      continue;
 
-    for (const sig of sigs) {
-      const s = sig.data;
-      const rrset = extractSet(section, sig.name, s.typeCovered);
+    const s = rr.data;
+    const dnskey = zskMap.get(s.keyTag);
 
-      if (rrset.length === 0)
-        return false; // Missing Signed
+    if (!dnskey)
+      continue; // Missing DNS Key
 
-      const dnskey = zskMap.get(s.keyTag);
+    if (!s.validityPeriod())
+      continue; // Invalid Signature Period
 
-      if (!dnskey)
-        return false; // Missing DNS Key
+    const rrset = extractSet(section, rr.name, s.typeCovered);
 
-      if (!s.validityPeriod())
-        return false; // Invalid Signature Period
+    if (rrset.length === 0)
+      continue; // Missing Signed
 
-      if (!dnssec.verify(sig, dnskey, rrset))
-        return false; // Invalid Signature
+    if (!dnssec.verify(rr, dnskey, rrset))
+      continue; // Invalid Signature
 
-      set.delete(s.typeCovered);
-    }
-
-    if (set.size !== 0)
-      return false; // Unsigned Data
+    set.delete(s.typeCovered);
   }
 
+  if (set.size !== 0)
+    return false; // Unsigned Data
+
   return true;
@@ -658,0 +663,0 @@ };

lib/nsec3.js

@@ -212,2 +212,3 @@ /*!
   assert(qs instanceof Question);
+  assert(Array.isArray(nsec));
 
@@ -214,0 +215,0 @@ const bm = nsec3.findMatching(qs.name, nsec);

lib/resolver/recursive.js

@@ -35,2 +35,3 @@ /*!
   hasAll,
+  hasType,
   random,
@@ -372,10 +373,11 @@ randomItem,
   async handleAuthority(rc) {
-    const nsec = extractSet(rc.res.authority, '', types.NSEC3);
+    const {authority, additional} = rc.res;
 
-    if (rc.res.authority.length === nsec.length) {
+    const hasNS = hasType(authority, types.NS);
+
+    if (!hasNS) {
       if (rc.chain) {
-        if (nsec.length === 0) {
-          this.log('Trust chain broken due to no NSEC records.');
-          rc.chain = false;
-        } else if (!nsec3.verifyNoData(rc.qs, nsec)) {
+        const nsec = extractSet(authority, '', types.NSEC3);
+
+        if (!nsec3.verifyNoData(rc.qs, nsec)) {
           this.log('Trust chain broken due to missing NSEC coverage.');
@@ -387,7 +389,8 @@ rc.chain = false;
       }
+
       this.insert(rc);
+
       return false;
     }
 
-    const {authority, additional} = rc.res;
     const auth = await this.pickAuthority(rc, authority, additional);
@@ -400,3 +403,7 @@
 
-    if (rc.chain && nsec.length > 0) {
+    const hasNSEC3 = hasType(authority, types.NSEC3);
+
+    if (rc.chain && hasNSEC3) {
+      const nsec = extractSet(authority, '', types.NSEC3);
+
       if (!nsec3.verifyDelegation(auth.zone, nsec)) {
@@ -417,3 +424,4 @@ this.log('Trust chain broken due to bad delegation.');
       // Grab DS records for the _next_ zone.
-      rc.ds = extractSet(rc.res.authority, auth.zone, types.DS);
+      rc.ds = extractSet(authority, auth.zone, types.DS);
+
       if (rc.ds.length === 0) {
@@ -420,0 +428,0 @@ rc.chain = false;

package.json

 {
   "name": "bns",
-  "version": "0.0.6",
+  "version": "0.0.7",
   "description": "DNS bike-shed",
@@ -5,0 +5,0 @@ "keywords": [

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Lines of code

14636

increased by0.03%

Worsened metrics

Total package byte prevSize

368554

decreased by-0.01%

No dependency changes