dnssec

package
v0.0.0-...-514878e Latest Latest
Published: Nov 22, 2024 License: MIT Imports: 9 Imported by: 0

Documentation

Index

Constants

// DefaultRequireAllSignaturesValid is the initial value of the package-level
// RequireAllSignaturesValid policy switch: by default one valid RRSIG per
// RRset is enough for the RRset to be considered valid.
const DefaultRequireAllSignaturesValid = false

Variables

var (
	// RootTrustAnchors is populated from anchors.GetValid() at package init;
	// presumably these are the trust anchors the chain of trust is validated
	// against — confirm in the anchors package.
	// NOTE(review): package-level and mutable — set it before any Authenticator
	// is created, and confirm there are no concurrent readers before changing
	// it at runtime.
	RootTrustAnchors = anchors.GetValid()

	// RequireAllSignaturesValid selects the local policy for RRsets that carry
	// more than one RRSIG.
	// If false (default), then one or more RRSIG per RRSET must be valid for the
	// overall state to be valid.
	// If true, _all_ RRSIGs returned must be valid for the overall state to be
	// valid (the stricter policy).
	//
	// Note:
	//  https://datatracker.ietf.org/doc/html/rfc4035#section-5.3.3
	//  If other RRSIG RRs also cover this RRset, the local resolver security
	//  policy determines whether the resolver also has to test these RRSIG
	//  RRs and how to resolve conflicts if these RRSIG RRs lead to differing
	//  results.
	RequireAllSignaturesValid = DefaultRequireAllSignaturesValid
)
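// Sentinel errors used by this package. They are created with errors.New, so
// callers should match them with errors.Is rather than by message text.
var (
	ErrNoParentDSRecords     = errors.New("no DS records passed")
	ErrUnableToFetchDSRecord = errors.New("unable to fetch missing DS record")
	ErrKeysNotFound          = errors.New("no dnskey records found for zone")
	ErrKeySigningKeysNotFound = errors.New("no dnskey records found that match the parent ds records")
	// Message fixed: the error is raised on a mismatch, so "does match" was inverted.
	ErrAuthSignerNameMismatch = errors.New("auth signer name does not match the zone's origin")
	ErrSignatureSetEmpty      = errors.New("cannot verify an empty signature set")
	ErrUnableToVerify         = errors.New("unable to verify signature")
	ErrVerifyFailed           = errors.New("signature verification failed")
	ErrNoKeyFoundForSignature = errors.New("no key found for signature")
	ErrInvalidTime            = errors.New("current time is outside of the msg validity period")
	ErrInvalidSignature       = errors.New("msg signature is invalid")
	// Message fixed: "is less the value" -> "is less than the value".
	ErrInvalidLabelCount              = errors.New("number of labels in the rrset owner name is less than the value in the rrsig rr's labels field")
	ErrMultipleVaryingSignerNames     = errors.New("rrsigs in the response contain multiple varying signer names")
	ErrNSRecordsHaveMismatchingOwners = errors.New("the ns records in the authority section do not have matching owners")
	// Ambiguous response classification fails closed to Bogus rather than open.
	ErrFailsafeResponse           = errors.New("unable to determine if response is delegating, positive or negative. we fail-safe to bogus")
	ErrUnexpectedSignatureCount   = errors.New("an unexpected number of rrsig records were found given the rrsets seen")
	ErrMultipleWildcardSignatures = errors.New("multiple wildcard signatures seen")
	ErrDSLookupLoop               = errors.New("the maximum number of ds record lookups has been reached")
	ErrNotSubdomain               = errors.New("domain is not a subdomain of another")
	ErrSameName                   = errors.New("domain names are the same")
	ErrUnknown                    = errors.New("unknown error: unable to process response")
	ErrSignerNameNotParentOfQName = errors.New("the signer name is not a parent of the qname")
	ErrNoResults                  = errors.New("no results have been processed")
	ErrBogusResultFound           = errors.New("we've deemed the result bogus")
	ErrBogusDoeRecordsNotFound    = errors.New("denial of existence records missing")
	ErrBogusWildcardDoeNotFound   = errors.New("missing doe for qname when answer synthesised from a wildcard")
	ErrNotAllInputsProcessed      = errors.New("not all inputs have been processed")
	ErrDuplicateInputForZone      = errors.New("duplicate input for zone")
)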

Functions

This section is empty.

Types

type AuthenticationResult

// AuthenticationResult is the DNSSEC validation outcome for a response, or for
// several responses merged with Combine.
type AuthenticationResult uint8

// Unknown is the zero value; the remaining values are the classic
// validator states.
const (
	Unknown  AuthenticationResult = 0
	Insecure AuthenticationResult = 1
	Secure   AuthenticationResult = 2
	Bogus    AuthenticationResult = 3
)

func (AuthenticationResult) Combine

Combine determines the overall AuthenticationResult when merging two authenticated results, such as when a result is based on multiple DNS requests (e.g., following a CNAME chain).

func (AuthenticationResult) String

func (r AuthenticationResult) String() string

type Authenticator

// Authenticator validates the DNSSEC chain of trust for one question.
// Construct it with NewAuth, feed it one response per zone through
// AddResponse (any order), and read the outcome via Result.
type Authenticator struct {
	// contains filtered or unexported fields
}

func NewAuth

func NewAuth(ctx context.Context, question dns.Question) *Authenticator

func (*Authenticator) AddResponse

func (a *Authenticator) AddResponse(zone Zone, msg *dns.Msg) error

AddResponse receives incoming responses that'll make up the authentication chain. We expect one response per zone in the chain. Responses can be passed in any order and will be buffered, if needed, so they will be processed in the correct order.

func (*Authenticator) Result

type DenialOfExistenceState

// DenialOfExistenceState records which kind of authenticated denial of
// existence proof (if any) was recognised in a response. The NSEC and NSEC3
// groups mirror each other; NSEC3 additionally has an opt-out case.
// The numeric values depend on declaration order — do not reorder.
type DenialOfExistenceState uint8
const (
	// NotFound is the zero value: no denial-of-existence proof was found.
	NotFound DenialOfExistenceState = iota

	// NSEC-based proofs.
	NsecMissingDS
	NsecNoData
	NsecNxDomain
	NsecWildcard

	// NSEC3-based proofs.
	Nsec3MissingDS
	Nsec3NoData
	Nsec3NxDomain
	Nsec3OptOut
	Nsec3Wildcard
)

func (DenialOfExistenceState) String

func (d DenialOfExistenceState) String() string

type Logger

// Logger is the callback type behind the package's Debug, Info and Warn hooks.
type Logger func(string)

// The default hooks discard every message; assign your own Logger to each
// to receive the validator's diagnostics. These are package-level variables,
// so set them once during program setup.
var (
	Debug Logger = func(string) {}
	Info  Logger = func(string) {}
	Warn  Logger = func(string) {}
)

type MissingDSRecordError

// MissingDSRecordError is the error type reported when a DS record needed for
// the chain of trust is absent. It implements error via Error, and RName
// exposes an associated name (presumably the name whose DS record is missing
// — confirm against the RName method).
type MissingDSRecordError struct {
	// contains filtered or unexported fields
}

func (*MissingDSRecordError) Error

func (e *MissingDSRecordError) Error() string

func (*MissingDSRecordError) RName

func (e *MissingDSRecordError) RName() string

type Zone

// Zone is the per-zone input an Authenticator consumes: the zone's name and a
// way to obtain its DNSKEY records.
type Zone interface {
	// GetDNSKEYRecords returns the zone's DNSKEY records, or an error when
	// they could not be obtained.
	GetDNSKEYRecords() ([]dns.RR, error)

	// Name returns the zone's name.
	Name() string
}
