delegation

Documentation

Index

• func NewForwardProbe(target string) *forwardProbe
• func NewReverseProbe(ptrText string, ipNet *net.IPNet) *reverseProbe
• type Authority
  • func (t *Authority) IsCompletelyLame() bool
• type Finder
  • func NewFinder(r resolver.Resolver) *Finder
  • func (t *Finder) FindAndProbe(pr Probe) (R Results, err error)
• type Probe
• type Results

Functions

func NewForwardProbe

func NewForwardProbe(target string) *forwardProbe

NewForwardProbe creates a conservative, semi-random AAAA RR and corresponding question.

func NewReverseProbe

func NewReverseProbe(ptrText string, ipNet *net.IPNet) *reverseProbe

NewReverseProbe creates a conservative, semi-random PTR and corresponding question which hopefully has the same likelihood of success as that of a forward prone.

The target zone is based on the prefix length of the supplied CIDR. Ultimately the target zone must be a real domain which is delegated back to this program instance for self-identify to work.

For zone cut discovery we start with the first candidate parents of the target which are one label up. For ipv6 it's likely the parent will be multiple labels up, but probes are also used with legacy ipv4 addresses which will typically have parents just one label up.

The supplied ptrText is used to formulate the response PTR text and normally it will be the forward domain name.

Types

type Authority

type Authority struct {
	Source string // Printable and possibly unique identifier
	Domain string // AKA Zone of authority - matched by DNS serving
	SOA    dns.SOA
	NS     []dns.RR
	AAAA   []dns.RR
	A      []dns.RR
}

Authority contains the delegated and synthetic SOA details so our auth server can respond to SOA DNS requests. An Authority is considered valid if there is at least one resolved address for the name servers. If some name servers happen to be "lame", that doesn't invalidate the authority - tho of course it reduces their availability and effectiveness.

func (*Authority) IsCompletelyLame

func (t *Authority) IsCompletelyLame() bool

IsCompletelyLame returns true of none of the name servers have any address records. It is also considered completely lame if there are no name servers to begin with!

type Finder

type Finder struct {
	// contains filtered or unexported fields
}

Finder is the container used to manage FindAndProbe requests. As you can see, it merely contains a resolver which may or may not offer some efficiencies to the find process.

func NewFinder

func NewFinder(r resolver.Resolver) *Finder

NewFinder constructs a Finder struct

func (*Finder) FindAndProbe

func (t *Finder) FindAndProbe(pr Probe) (R Results, err error)

FindAndProbe attempts to find and verify the parent and target delegation material for the name in the probe. There are three steps:

1) Find parents 2) Query parents for target delegation details 3) Probe target name servers to self-identify

As per the usual go idiom, if error is returned nothing can be said about the contents of Results. An error return is pretty catastrophic as it usually means an underlying package has failed unexpectedly. Most "errors" are likely to be lookup or probe failures which are indicated in Results rather than via an error return.

If error is nil, Results contains at least the Parent Authority and potentially the Target Authority if the parent provided that information.

If ProbeSuccess is true, then both Authorities are present as at least one target name server on one ip address responded correctly to the probe.

type Probe

type Probe interface {
	Target() string // Original target at Probe creation time
	Question() dns.Question
	Answer() dns.RR
	QuestionMatches(dns.Question) bool
	AnswerMatches(dns.RR) bool

	Begin() zoneCutIterator
	End() zoneCutIterator
	Next(zoneCutIterator) zoneCutIterator
	Zone(zoneCutIterator) string
}

Probe contains the details for "probing" a name to find the zone cut and self-identify as a particular name server by exchanging a unique-ish question/response. The uniqueness is there to mitigate the risk of possible over-helpful muddle-ware intercepting DNS traffic and perhaps caching or mangling it. Hopefully unlikely in our circumstances but it doesn't hurt to be too careful.

For the self-identifying probe to succeed, ultimately the target domain of the probe must be a real domain on the global DNS which is delegated back to this program instance.

For zone cut discovery the zoneLabels slice contains the first candidate parents of the target which are one label up. To walk up the DNS tree in search of the zone cut use the following "for loop".

for iter := probe.Begin(); iter != probe.End(); iter = probe.Next(iter) {
    zoneName := probe.Zone(iter)
    ...
}

Once created, a Probe is never modified so it can be freely shared between go-routines. Iterators, however, cannot be shared and can only be used on the Probe which creates them.

type Results

type Results struct {
	ProbeSuccess bool   // If probe responded as desired
	Respondent   dns.RR // Name server which answered the probe
	Parent       *Authority
	Target       *Authority
}

Results are return by Finder.Find()