-
Notifications
You must be signed in to change notification settings - Fork 126
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: DNSSEC Validation #470
base: main
Are you sure you want to change the base?
Conversation
63f8763
to
414dc59
Compare
dnssec related functions now sit in their own file
revert depth change. depth can't be carried to subqueries
d907ca8
to
4d62421
Compare
Additionally, let's add integration tests to |
2d4c764
to
148eb28
Compare
Have this super weird case where additionals from dnssec-tools.org contains an A and RRSIG for each of (nsm|nsw).dnssec-tools.org. If identify by only type, these two will be clustered under the same set and could not validate.
What have we done to test this? Can we run this against the top million websites or such and see how it goes? A lot of code. |
At this point it's just manual and unit tests performed against the above domains shared by Phillip, and I monitored request sanity with Wireshark. I can look into large scale test later. |
This reverts commit 2b074a2.
@@ -67,6 +67,7 @@ type QueryOptions struct { | |||
ClassString string `long:"class" default:"INET" description:"DNS class to query. Options: INET, CSNET, CHAOS, HESIOD, NONE, ANY."` | |||
ClientSubnetString string `long:"client-subnet" description:"Client subnet in CIDR format for EDNS0."` | |||
Dnssec bool `long:"dnssec" description:"Requests DNSSEC records by setting the DNSSEC OK (DO) bit"` | |||
ValidateDNSSEC bool `long:"validate-dnssec" description:"Validate DNSSEC records, only applicable with --iterative"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we discussed allowing this even when not in `--iterative``.
DS []*DSAnswer `json:"ds" groups:"dnssec,long,trace"` | ||
DNSKEY []*DNSKEYAnswer `json:"dnskey" groups:"dnssec,long,trace"` | ||
Answer []DNSSECPerSetResult `json:"answer" groups:"dnssec,long,trace"` | ||
Additionals []DNSSECPerSetResult `json:"additionals" groups:"dnssec,long,trace"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should be Additional
not Additionals
per RFC and in matching the other types.
resolves #441
The level of detail in the validation results depends on the
--result-verbosity=
flag. In theshort
mode, validation results are not output (equivalent to no validation). In thenormal
mode, only the overall validation status is output. In thelong
mode, all relevant records used for validating this specific result (DS, DNSKEY, RRSIG) and the validation results for each individual RRset are printed. In thetrace
mode, all validation details for the entire query chain are available along the trace.Since we are a DNS scanning tool, the resolution results may still hold value even in cases of DNSSEC validation failure. Therefore, a validation failure does not lead to a resolution failure - i.e., the resolution results will still be output normally. It is the responsibility of data consumers to check the DNSSEC validation status before using the results.
Example usage:
go run . A example.com --iterative --validate-dnssec --result-verbosity=long
Example output (long):
Example output (normal):