Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NSEC3 generation support. #416

Draft
wants to merge 208 commits into
base: main
Choose a base branch
from
Draft

NSEC3 generation support. #416

wants to merge 208 commits into from

Conversation

ximon18
Copy link
Member

@ximon18 ximon18 commented Oct 15, 2024

Currently lacks collision detection and tests, though has been manually tested using ldns-verify-zone, dnssec-verify and named-checkzone both with and without opt-out and also including both signed and unsigned delegations.

I'm posting this here as a draft to allow for alignment and early feedback from the team working on various pieces of DNSSEC support for domain.

bal-e added 30 commits October 2, 2024 13:42
A private key converted into a 'KeyPair' can be exported in the
conventional DNS format.  This is an important step in implementing
'ldns-keygen' using 'domain'.  It is up to the implementation modules
to provide conversion to and from 'KeyPair'; some impls (e.g. for HSMs)
won't support it at all.
'Sign' is a more generic version of 'sign::key::SigningKey' that does
not provide public key information.  It does not try to abstract over
all the functionality of a keypair, since that can depend on the
underlying cryptographic implementation.
There are probably lots of bugs in this implementation, I'll add some
tests soon.
Also fixes 'cargo clippy' issues, particularly with the MSRV.
I'm going to add a corresponding 'PublicKey' type, at which point it
becomes important to differentiate from the generic representations and
actual cryptographic implementations.
Key generation, for now, will only be provided by the OpenSSL backend
(coming soon).  However, generic keys (for RSA/SHA-256 or Ed25519) can
be imported into the Ring backend and used freely.
The OpenSSL backend supports import from and export to generic secret
keys, making the formatting and parsing machinery for them usable.  The
next step is to implement generation of keys.
There were bugs in the Base64 encoding/decoding that are not worth
trying to debug; there's a perfectly usable Base64 implementation in
the crate already.
I had to swap out the RSA key since 'ring' found it to be too small.
- RSA signatures were being made with an unspecified padding scheme.
- ECDSA signatures were being output in ASN.1 DER format, instead of
  the fixed-size format required by DNSSEC (and output by 'ring').
- Tests for signature failures are now added for both backends.
src/sign/records.rs Outdated Show resolved Hide resolved
// the apex and the original owner name."
let distance_to_root = name.owner().iter_labels().count();
let distance_to_apex = distance_to_root - apex_label_count;
if distance_to_apex > 1 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think the if statement is necessary, the for loop will run for zero iterations if this condition is not true.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True, but the if statement matches nicely with the RFC text and makes it clear that if we enter this block it is because of the condition identified by the RFC text.

// It will NOT construct the last name as that will be dealt
// with in the next outer loop iteration.
// - a.b.c.mail.example.com
for n in (1..distance_to_apex - 1).rev() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If distance_to_apex is 2, then this loop will never execute. Could the outer condition have been distance_to_apex > 2, then? Is there an off-by-one error somewhere?

Copy link
Member Author

@ximon18 ximon18 Oct 31, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I was planning to add proper test cases but for now have extended my test input zone to cover this missing case and realize now why I had some additional logic in there before which I removed because I couldn't see what value it was adding... 😛 Looking at the comments again I see I even left in a description of the additional logic I removed, i.e. tracking the last non-empty non-terminal label.

src/validate.rs Outdated Show resolved Hide resolved
@ximon18 ximon18 changed the base branch from dnssec-key to main November 8, 2024 12:13
@tertsdiepraam tertsdiepraam force-pushed the initial-nsec3-generation branch from cf2f450 to e1c1db8 Compare November 22, 2024 14:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants