NSEC3 and multiple key signing support. #416
Conversation
bal-e
force-pushed
the
dnssec-key
branch
2 times, most recently
from
a79aac6 to
0f54a8d
Compare
src/sign/ring.rs
Outdated
| pub fn nsec3_hash<N, SaltOcts, HashOcts>( | ||
| owner: N, | ||
| algorithm: Nsec3HashAlg, | ||
| iterations: u16, | ||
| salt: &Nsec3Salt<SaltOcts>, | ||
| ) -> Result<OwnerHash<HashOcts>, Nsec3HashError> |
There was a problem hiding this comment.
Why not just take the owner name and an Nsec3param?
There was a problem hiding this comment.
nsec3_default_hash can then be replaced by calling this function with default() for the second argument.
There was a problem hiding this comment.
Why not just take the owner name and an
Nsec3param?
I had that but took it out. There was a reason. I'll see if I can remember why.
There was a problem hiding this comment.
Ah I know why. The nsec3s() function takes an Nsec3Param struct which it uses to create the NSEC3PARAM RR at the apex of the zone. For the NSEC3PARAM RR RFC 5155 says that the opt-out flag in the flags field MUST be zero, so for RFC compliance the Nsec3Param struct passed to nsec3s() should have the opt-out flag set to zero.
Honestly I think this is a bit of a foot-gun and perhaps best not to pass an Nsec3Param to nsec3s() but instead only the other fields (algorithm, iterations, salt), however MAYBE in future it will be legal to set some of the other flag bits in the flags field and a user would want to have those set in the created NSEC3PARAM RR... so for that reason nsec3s() currently takes an Nsec3Param as input.
When generating NSEC3 RRs, and when opt-out is enabled, the flags value in the given Nsec3Param cannot be used as-is because the opt-out flag must be set to 1 (but NOT in the NSEC3PARAM RR), and rather than copy the given Nsec3Param or modify it and then pass it to nsec3_hash() I felt it was better to just pass only the values actually needed for hashing in, as NSEC3 hashing doesn't need the flags field at all, and also that way users don't have to think about what value to set the unused Nsec3Param::flags field to when invoking nsec3_hash() directly (as dnst nsec3-hash does).
src/sign/ring.rs
Outdated
| let owner_hash = OwnerHash::from_octets(hash) | ||
| .map_err(|_| Nsec3HashError::OwnerHashError)?; |
There was a problem hiding this comment.
I don't think this should return an OwnerHashError. There are two failure cases for from_octets: if the hash is more than 255 bytes (impossible since NSEC3 doesn't support any such digest algorithms) or if memory could not be allocated (in which case we should return AppendError).
There was a problem hiding this comment.
It's not clear to me from the docs on OwnerHashError that it only fails relating to length, it just says "The hashing process produced an invalid owner hash" and I have no way of knowing when that error might occur or why.
|
@bal-e: I realize that I moved the |
|
@ximon18: yeah, I think this should be moved under |
Done. |
src/sign/records.rs
Outdated
| // the apex and the original owner name." | ||
| let distance_to_root = name.owner().iter_labels().count(); | ||
| let distance_to_apex = distance_to_root - apex_label_count; | ||
| if distance_to_apex > 1 { |
There was a problem hiding this comment.
I don't think the if statement is necessary, the for loop will run for zero iterations if this condition is not true.
There was a problem hiding this comment.
True, but the if statement matches nicely with the RFC text and makes it clear that if we enter this block it is because of the condition identified by the RFC text.
tertsdiepraam
force-pushed
the
initial-nsec3-generation
branch
from
cf2f450 to
e1c1db8
Compare
…-zonemd-remove-replace-plus-pr444
…-zonemd-remove-replace-plus-pr444
…-zonemd-remove-replace-plus-pr444
E.g. LDNS seems to consider DS and CDS and CDNSKEY resource record types as well as DNSKEY when selecting keys.
…rn just the record types they produce.
src/sign/keys/signingkey.rs
Outdated
| /// | ||
| /// The range spans from the inception timestamp up to and including the | ||
| /// expiration timestamp. | ||
| signature_validity_period: Option<RangeInclusive<Timestamp>>, |
There was a problem hiding this comment.
This is not really a property of a key and can get confusing of something is signed by multiple keys. It should be removed and the signature validity should be part of the signing interfaces.
There was a problem hiding this comment.
Hmm, yes, I see what you mean. This was fine for the initial use case of one-shot signing, but makes no sense for using the same key later to re-sign expired signatures. And mabe there are other reasons why it makes no sense. I'll change this.
…y, as the validity period required can change over the lifetime of a key and may be affected by other factors such as current signature expiration time and jitter.
…m the NSEC unit test suite with the changes required for the NSEC3 case.
…enerate_nsecs(). - Added a unit test verifying compliance with the RFC 5155 Appendix A signed zone example. - Imroved and added comments. - Rewrote cryptic slice based NSEC3 next owner hashing loop with initial (untested!) type bit map merging and collision detection support, and removed no longer needed (but added in this branch) SortedRecords::as_mut_slice(). - Removed confusing duplicate storage of NSEC3 opt-out info in GenerateNsec3Config. - Added missing (though not breaking) trailing periods in test data.
There was a problem hiding this comment.
This is a massive PR, @ximon18, well done on getting all this functionality together into a cohesive unit!
-
My primary concern is with the large number of new traits added. I'm worried that they're trying to provide extensibility in a manner that won't actually be helpful for our target use cases. In some places, they can be replaced with simpler concrete data types, and I'd strongly prefer that.
-
A lot of public methods (e.g. in
sign::records) are still missing documentation. Perhaps a Clippy lint can help catch everything? -
There are a number of similarly named types and traits (e.g.
DesignatedSigningKey,DnssecSigningKey, andSigningKey). Can some of these be combined together to reduce ambiguity in the public API? I'm worried users will get lost in the number of types and traits they might have to think about.
src/validate.rs
Outdated
| match self { | ||
| Nsec3HashError::UnsupportedAlgorithm => { | ||
| f.write_str("Unsupported algorithm") | ||
| } | ||
| Nsec3HashError::AppendError => { | ||
| f.write_str("Append error: out of memory?") | ||
| } | ||
| Nsec3HashError::OwnerHashError => { | ||
| f.write_str("Hashing produced an invalid owner hash") | ||
| } | ||
| Nsec3HashError::CollisionDetected => { | ||
| f.write_str("Hash collision detected") | ||
| } | ||
| } |
There was a problem hiding this comment.
Factor the f.write_str() out of the match expression.
| itertools = "0.13.0" | ||
| lazy_static = { version = "1.4.0" } | ||
| pretty_assertions = "1.4.1" | ||
| rstest = "0.19.0" | ||
| rustls-pemfile = { version = "2.1.2" } | ||
| serde_test = "1.0.130" | ||
| serde_json = "1.0.113" | ||
| serde_yaml = "0.9" | ||
| socket2 = { version = "0.5.5" } | ||
| tokio = { version = "1.37", features = ["rt-multi-thread", "io-util", "net", "test-util"] } | ||
| tokio-rustls = { version = "0.26", default-features = false, features = [ "ring", "logging", "tls12" ] } | ||
| tokio-test = "0.4" | ||
| tokio-tfo = { version = "0.2.0" } | ||
| webpki-roots = { version = "0.26" } |
There was a problem hiding this comment.
Could you make this more consistent between the { version = "..." } and "..." cases?
| /// the [ZONEMD]. | ||
| /// | ||
| /// For the currently registered values see the [IANA registration]. This | ||
| /// type is complete as of 2024-11-29. |
There was a problem hiding this comment.
Reword "complete" to "up-to-date"? "Complete" makes it sound like no more additions are expected.
There was a problem hiding this comment.
I think this was copied from existing domain code, i.e. aimed to be consistent.
| /// Specifies that the SHA-384 algorithm is used. | ||
| (SHA384 => 1, "SHA384") | ||
|
|
||
| /// Specifies that the SHA-512 algorithm is used. | ||
| (SHA512 => 2, "SHA512") |
There was a problem hiding this comment.
Perhaps the doc comments should be phrased as "Use the SHA-xxx algorithm." That would be consistent with other documentation (e.g. we document what a function does, not what it is).
There was a problem hiding this comment.
I think this was copied from existing domain code, i.e. aimed to be consistent.
| impl<Octs> Default for Nsec3param<Octs> | ||
| where | ||
| Octs: From<&'static [u8]>, | ||
| { | ||
| /// Best practice default values for NSEC3 hashing. | ||
| /// | ||
| /// Per [RFC 9276] section 3.1: | ||
| /// | ||
| /// - _SHA-1, no extra iterations, empty salt._ | ||
| /// | ||
| /// Per [RFC 5155] section 4.1.2: | ||
| /// | ||
| /// - _The Opt-Out flag is not used and is set to zero._ | ||
| /// - _All other flags are reserved for future use, and must be zero._ | ||
| /// | ||
| /// [RFC 5155]: https://www.rfc-editor.org/rfc/rfc5155.html | ||
| /// [RFC 9276]: https://www.rfc-editor.org/rfc/rfc9276.html | ||
| fn default() -> Self { | ||
| Self { | ||
| hash_algorithm: Nsec3HashAlg::SHA1, | ||
| flags: 0, | ||
| iterations: 0, | ||
| salt: Nsec3Salt::empty(), | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
I'm not entirely comfortable with the "best-practice" value being default(). If the best practices for NSEC3 ever change, we'd have to change the default() implementation or (to avoid breaking changes) introduce a new fn new_best_practices() -> Self, and end up with a confusing interface. I'd rather have a fn best_practices() method from the beginning, and no Default impl. This also makes it more clear to end users that they're opting into a best-practices value rather than a default inherent to the type. They're also more likely to find and read the documentation, rather than just calling Default::default() and assuming that will work.
There was a problem hiding this comment.
I think you make a good point.
My intent was to provide good defaults.
| /// The hash provider did not provide a hash for the given owner name. | ||
| MissingHash, |
There was a problem hiding this comment.
In what context could such an error occur? Can't the hash provider interface just guarantee that a hash will always be provided?
| /// The hashing process produced an invalid owner hash. | ||
| /// | ||
| /// See: [OwnerHashError](crate::rdata::nsec3::OwnerHashError) | ||
| OwnerHashError, |
There was a problem hiding this comment.
There isn't a good way for an end user to respond to this error. Can we find a way to guarantee that it can't happen? I'm pretty sure that any SHA-256 or SHA-384 hash will satisfy the requirements of OwnerHash.
|
|
||
| pub rrsig_validity_period_strategy: ValidityStrat, | ||
|
|
||
| _phantom: PhantomData<(Inner, KeyStrat, Sort)>, |
There was a problem hiding this comment.
Sort doesn't have to be included here, it's already used in DenialConfig.
There was a problem hiding this comment.
I think I tried that and it didn't compile.
| pub fn fixed(ttl: Ttl) -> Self { | ||
| Self::Fixed(ttl) | ||
| } | ||
|
|
||
| pub fn soa() -> Self { | ||
| Self::Soa | ||
| } | ||
|
|
||
| pub fn soa_minimum() -> Self { | ||
| Self::SoaMinimum | ||
| } |
There was a problem hiding this comment.
Why do these exist? Self::Fixed, Self::Soa, and Self::SoaMinimum are exactly equivalent.
There was a problem hiding this comment.
No they are not.
The RFCs don't state how the TTL of the NSEC3PARAM RR should be chosen and different tools do it at least these three different ways.
| /// | ||
| /// [`sign_zone()`]: SignableZone::sign_zone | ||
| pub trait SignableZone<N, Octs, Sort>: | ||
| Deref<Target = [Record<N, ZoneRecordData<Octs, N>>]> |
There was a problem hiding this comment.
This bound is incredibly restrictive -- it prevents the use of this trait with any zone representation beyond those already provided (e.g. an efficient zone representation where records are stored in a B-tree). In order to be useful, these traits need to be loosened significantly, or should not be expressed as traits at all.
There was a problem hiding this comment.
Ideally there would be no reference to slices or arrays at all, only iterators. This evolved out of the existing code but isn't a desirable end state. Currently it is whatever compiles and works.
|
The missing docs are just not written yet. |
|
Re strategy traits, maybe. However, we use them in |
|
Re similarly named types, yes it would be good to see how to improve this. |
… requirement that the input be sorted. - Return an error on collision. - Add a collision test. - More unwrap -> Err. - More comments.
Currently lacks collision detection and tests, though has been manually tested using
ldns-verify-zone,dnssec-verifyandnamed-checkzoneboth with and without opt-out and also including both signed and unsigned delegations.I'm posting this here as a draft to allow for alignment and early feedback from the team working on various pieces of DNSSEC support for
domain.Note: This PR includes the content of #444.