Changeset 1555

Timestamp:

04/18/10 15:52:44 (3 years ago)

Author:

ahu

Message:

commit more DNSSEC infrastructure, plus NSEC3 builder

Location:

trunk/pdns/pdns

Files:

• Makefile.am (modified) (2 diffs)
• common_startup.cc (modified) (1 diff)
• dnsrecords.cc (modified) (5 diffs)
• dnsrecords.hh (modified) (6 diffs)
• nsecrecords.cc (modified) (4 diffs)
• rcpgenerator.cc (modified) (2 diffs)
• rcpgenerator.hh (modified) (2 diffs)

trunk/pdns/pdns/Makefile.am

@@ -21 +21 @@
 
 EXTRA_PROGRAMS=pdns_recursor sdig tsig-tests speedtest dnspbench pdns_control dnsscope dnsgram \
- dnsdemog dnswasher dnsreplay dnsscan dnslog nproxy notify
+ dnsdemog dnswasher dnsreplay dnsscan dnslog nproxy notify 
 
 pdns_server_SOURCES=dnspacket.cc nameserver.cc tcpreceiver.hh \
@@ -43 +43 @@
 aes/aescrypt.c aes/aes.h aes/aeskey.c aes/aes_modes.c aes/aesopt.h \
 aes/aestab.c aes/aestab.h aes/brg_endian.h aes/brg_types.h aes/dns_random.cc \
-randomhelper.cc namespaces.hh
+randomhelper.cc namespaces.hh nsecrecords.cc base32.cc
 
 #

trunk/pdns/pdns/common_startup.cc

@@ -100 +100 @@
   ::arg().set("webserver-port","Port of webserver to listen on")="8081";
   ::arg().set("webserver-password","Password required for accessing the webserver")="";
+  ::arg().set("key-repository", "Where DNSSEC keying material lives")="./keys";
 
   ::arg().setSwitch("out-of-zone-additional-processing","Do out of zone additional processing")="yes";

trunk/pdns/pdns/dnsrecords.cc

@@ -91 +91 @@
 
 
-void NSECRecordContent::report(void)
-{
-  regist(1, 47, &make, &make, "NSEC");
-}
-
-DNSRecordContent* NSECRecordContent::make(const string& content)
-{
-  return new NSECRecordContent(content);
-}
-
-NSECRecordContent::NSECRecordContent(const string& content, const string& zone) : DNSRecordContent(47)
-{
-  RecordTextReader rtr(content, zone);
-  rtr.xfrLabel(d_next);
-
-  while(!rtr.eof()) {
-    uint16_t type;
-    rtr.xfrType(type);
-    d_set.insert(type);
-  }
-}
-
-void NSECRecordContent::toPacket(DNSPacketWriter& pw)
-{
-  pw.xfrLabel(d_next);
-
-  uint8_t res[34];
-  memset(res, 0, sizeof(res));
-
-  set<uint16_t>::const_iterator i;
-  for(i=d_set.begin(); i != d_set.end() && *i<255; ++i){
-    res[2+*i/8] |= 1 << (7-(*i%8));
-  }
-  int len=0;
-  if(!d_set.empty()) 
-    len=1+*--i/8;
-
-  res[1]=len;
-
-  string tmp;
-  tmp.assign(res, res+len+2);
-  pw.xfrBlob(tmp);
-}
-
-NSECRecordContent::DNSRecordContent* NSECRecordContent::make(const DNSRecord &dr, PacketReader& pr) 
-{
-  NSECRecordContent* ret=new NSECRecordContent();
-  pr.xfrLabel(ret->d_next);
-  string bitmap;
-  pr.xfrBlob(bitmap);
-  
-  // 00 06 20 00 00 00 00 03  -> NS RRSIG NSEC  ( 2, 46, 47 ) counts from left
-  
-  if(bitmap.size() < 2)
-    throw MOADNSException("NSEC record with impossibly small bitmap");
-  
-  if(bitmap[0])
-    throw MOADNSException("Can't deal with NSEC mappings > 255 yet");
-  
-  unsigned int len=bitmap[1];
-  if(bitmap.size()!=2+len)
-    throw MOADNSException("Can't deal with multi-part NSEC mappings yet");
-  
-  for(unsigned int n=0 ; n < len ; ++n) {
-    uint8_t val=bitmap[2+n];
-    for(int bit = 0; bit < 8 ; ++bit , val>>=1)
-      if(val & 1) {
-        ret->d_set.insert((7-bit) + 8*(n));
-      }
-  }
-  
-  return ret;
-}
-
-string NSECRecordContent::getZoneRepresentation() const
-{
-  string ret;
-  RecordTextWriter rtw(ret);
-  rtw.xfrLabel(d_next);
-  
-  for(set<uint16_t>::const_iterator i=d_set.begin(); i!=d_set.end(); ++i) {
-    ret+=" ";
-    ret+=NumberToType(*i);
-  }
-  
-  return ret;
-}
 
 boilerplate_conv(NS, ns_t_ns, conv.xfrLabel(d_content, true));
@@ -310 +223 @@
                  )
 #undef DS
+DSRecordContent::DSRecordContent() : DNSRecordContent(43) {}
 boilerplate_conv(DS, 43, 
                  conv.xfr16BitInt(d_tag); 
@@ -336 +250 @@
                  )
                  
+RRSIGRecordContent::RRSIGRecordContent() : DNSRecordContent(46) {}
+
 boilerplate_conv(DNSKEY, 48, 
                  conv.xfr16BitInt(d_flags); 
@@ -342 +258 @@
                  conv.xfrBlob(d_key);
                  )
+DNSKEYRecordContent::DNSKEYRecordContent() : DNSRecordContent(48) {}
+
+uint16_t DNSKEYRecordContent::getTag()
+{
+  string data=this->serialize("");
+  const unsigned char* key=(const unsigned char*)data.c_str();
+  unsigned int keysize=data.length();
+
+  unsigned long ac;     /* assumed to be 32 bits or larger */
+  unsigned int i;                /* loop index */
+  
+  for ( ac = 0, i = 0; i < keysize; ++i )
+    ac += (i & 1) ? key[i] : key[i] << 8;
+  ac += (ac >> 16) & 0xFFFF;
+  return ac & 0xFFFF;
+}
+
+void DNSKEYRecordContent::getExpLen(uint16_t& startPos, uint16_t& expLen) const
+{
+  unsigned char* decoded=(unsigned char*) d_key.c_str();
+  if(decoded[0] != 0) {
+    startPos=1;
+    expLen=decoded[0];
+  }
+  else {
+    startPos=3;
+    expLen=decoded[1]*0xff + decoded[2]; // XXX FIXME
+  }
+}
+
+string DNSKEYRecordContent::getExponent() const
+{
+  uint16_t startPos, expLen;
+  getExpLen(startPos, expLen);
+  return d_key.substr(startPos, expLen);
+}
+
+string DNSKEYRecordContent::getModulus() const
+{
+  uint16_t startPos, expLen;
+  getExpLen(startPos, expLen);
+
+  return d_key.substr(startPos+expLen);
+}
+
 
 // "fancy records" 
@@ -408 +369 @@
    CERTRecordContent::report();
    NSECRecordContent::report();
+   NSEC3RecordContent::report();
+   NSEC3PARAMRecordContent::report();
    DNSRecordContent::regist(0xff, QType::TSIG, &TSIGRecordContent::make, &TSIGRecordContent::make, "TSIG");
    OPTRecordContent::report();

trunk/pdns/pdns/dnsrecords.hh

@@ -1 +1 @@
 /*
     PowerDNS Versatile Database Driven Nameserver
-    Copyright (C) 2005 - 2007  PowerDNS.COM BV
+    Copyright (C) 2005 - 2009  PowerDNS.COM BV
 
     This program is free software; you can redistribute it and/or modify
@@ -228 +228 @@
 {
 public:
+  DNSKEYRecordContent();
   includeboilerplate(DNSKEY)
-
-private:
+  uint16_t getTag();
+  string getExponent() const;
+  string getModulus() const;
+
   uint16_t d_flags;
   uint8_t d_protocol;
   uint8_t d_algorithm;
   string d_key;
+private:
+  void getExpLen(uint16_t& startPos, uint16_t& expLen) const;
 };
 
@@ -240 +245 @@
 {
 public:
+  DSRecordContent();
   includeboilerplate(DS)
 
-private:
   uint16_t d_tag;
   uint8_t d_algorithm, d_digesttype;
@@ -294 +299 @@
 {
 public:
+  RRSIGRecordContent(); 
   includeboilerplate(RRSIG)
 
-private:
   uint16_t d_type;
   uint8_t d_algorithm, d_labels;
@@ -329 +334 @@
 };
 
-class HIPRecordContent : public DNSRecordContent
-{
-public:
-  includeboilerplate(HIP)
-  HIPRecordContent(uint8_t algorithm, const string& hit, const string& key);
-};
-
-
 class NSECRecordContent : public DNSRecordContent
 {
@@ -353 +350 @@
 private:
 };
+
+class NSEC3RecordContent : public DNSRecordContent
+{
+public:
+  static void report(void);
+  NSEC3RecordContent() : DNSRecordContent(50)
+  {}
+  NSEC3RecordContent(const string& content, const string& zone="");
+
+  static DNSRecordContent* make(const DNSRecord &dr, PacketReader& pr);
+  static DNSRecordContent* make(const string& content);
+  string getZoneRepresentation() const;
+  void toPacket(DNSPacketWriter& pw);
+
+  uint8_t d_algorithm, d_flags;
+  uint16_t d_iterations;
+  uint8_t d_saltlength;
+  string d_salt;
+  uint8_t d_nexthashlength;
+  string d_nexthash;
+  std::set<uint16_t> d_set;
+
+private:
+};
+
+
+class NSEC3PARAMRecordContent : public DNSRecordContent
+{
+public:
+  includeboilerplate(NSEC3PARAM)
+
+  uint8_t d_algorithm, d_flags;
+  uint16_t d_iterations;
+  uint8_t d_saltlength;
+  string d_salt;
+};
+
 
 class LOCRecordContent : public DNSRecordContent

trunk/pdns/pdns/nsecrecords.cc

@@ -68 +68 @@
     for(int bit = 0; bit < 8 ; ++bit , val>>=1)
       if(val & 1) {
-        ret->d_set.insert((7-bit) + 8*(n));
+        ret->d_set.insert((7-bit) + 8*(n));
       }
   }
@@ -182 +182 @@
     for(int bit = 0; bit < 8 ; ++bit , val>>=1)
       if(val & 1) {
-        ret->d_set.insert((7-bit) + 8*(n));
+        ret->d_set.insert((7-bit) + 8*(n));
       }
   }
@@ -198 +198 @@
 
   rtw.xfrHexBlob(d_salt);
-  rtw.xfrHexBlob(d_nexthash);
+  rtw.xfrBase32HexBlob(d_nexthash);
   
   for(set<uint16_t>::const_iterator i=d_set.begin(); i!=d_set.end(); ++i) {
@@ -210 +210 @@
 
 boilerplate_conv(NSEC3PARAM, 51, 
-                 conv.xfr8BitInt(d_algorithm); 
-                 conv.xfr8BitInt(d_flags); 
-                 conv.xfr16BitInt(d_iterations); 
-                 conv.xfr8BitInt(d_saltlength); 
-                 conv.xfrHexBlob(d_salt);
-                 )
+                 conv.xfr8BitInt(d_algorithm); 
+                 conv.xfr8BitInt(d_flags); 
+                 conv.xfr16BitInt(d_iterations); 
+                 conv.xfr8BitInt(d_saltlength); 
+                 conv.xfrHexBlob(d_salt);
+                 )

trunk/pdns/pdns/rcpgenerator.cc

@@ -23 +23 @@
 #include <boost/algorithm/string.hpp>
 #include <iostream>
+#include "base32.hh"
 #include "base64.hh"
 #include "namespaces.hh"
@@ -244 +245 @@
   HEXDecode(d_string.c_str()+pos, d_string.c_str() + d_pos, val);
 }
+
+void RecordTextWriter::xfrBase32HexBlob(const string& val)
+{
+  if(!d_string.empty())
+    d_string.append(1,' ');
+
+  d_string.append(toBase32Hex(val));
+}
+
 
 void RecordTextReader::xfrText(string& val, bool multi)

trunk/pdns/pdns/rcpgenerator.hh

@@ -55 +55 @@
   void xfrText(string& val, bool multi=false);
   void xfrHexBlob(string& val);
+
+
   void xfrBlob(string& val, int len=-1);
 
@@ -76 +78 @@
   void xfrIP(const uint32_t& val);
   void xfrTime(const uint32_t& val);
+  void xfrBase32HexBlob(const string& val);
 
   void xfrType(const uint16_t& val);