dnssec

Published: Sep 9, 2022 License: MIT Imports: 5 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func VerifyMsgSignature

// VerifyMsgSignature validates the signature on msgToVerify against the keys
// in trustedSignerKeys and returns the message as signedMsg when validation
// succeeds; by Go convention signedMsg is to be ignored when err is non-nil.
// expectedSignerFqdn is the zone the signature is required to come from.
// NOTE(review): trustedSignerKeys is presumably keyed by DNSKEY key tag so the
// RRSIG's KeyTag selects the candidate key — confirm. Also confirm that the
// implementation (not shown on this page) checks the RRSIG validity window and
// that the signer name equals expectedSignerFqdn: a signature that verifies
// under a key belonging to a different zone must still be rejected.
func VerifyMsgSignature(msgToVerify *dns.Msg, expectedSignerFqdn string, trustedSignerKeys map[uint16]*dns.DNSKEY) (signedMsg *dns.Msg, err error)

Types

type DNSResolver

// DNSResolver is the transport Resolver sends its queries through: Query
// sends msg and returns the reply, or an error when no reply was obtained.
// An implementation is supplied with WithDNSResolver. It only carries
// messages; presumably the DNSSEC checks in Resolver decide whether a reply
// is trusted, so the transport itself does not have to be trustworthy —
// confirm against the implementation.
type DNSResolver interface {
	// Query sends msg and returns the response message.
	Query(msg *dns.Msg) (resp *dns.Msg, err error)
}

type KeyStore

// KeyStore records, per child zone FQDN, which zone signs it and that zone's
// DNSKEY set (populated with Add, read back with Get); SetEmptyZone records a
// zone with no keys, presumably the unsigned case. Fields are unexported and
// not shown on this page.
type KeyStore struct {
	// contains filtered or unexported fields
}

func NewKeyStore

// NewKeyStore returns a KeyStore pre-populated with keys.
// NOTE(review): how keys is interpreted (presumably the trust anchors of the
// starting zone, keyed by key tag) is not visible on this page — confirm.
func NewKeyStore(keys map[uint16]*dns.DNSKEY) *KeyStore

func (*KeyStore) Add

// Add records that childZoneFqdn is signed by signingZoneFqdn with the DNSKEY
// set signingZoneKeys, so a later Get for childZoneFqdn can return them.
// Nothing in this signature lets the store check the keys, so callers should
// only Add keys that have already been verified against the chain of trust.
func (ks *KeyStore) Add(childZoneFqdn, signingZoneFqdn string, signingZoneKeys map[uint16]*dns.DNSKEY)

func (*KeyStore) Get

// Get returns the signing zone FQDN and DNSKEY set recorded for fqdn.
// NOTE(review): whether Get matches fqdn exactly or walks up to the closest
// enclosing recorded zone, and what it returns for an unknown name (nil map
// and empty string?), is not visible here — confirm before relying on it.
func (ks *KeyStore) Get(fqdn string) (signingZoneFqdn string, signingZoneKeys map[uint16]*dns.DNSKEY)

func (*KeyStore) SetEmptyZone

// SetEmptyZone records fqdn as a zone with no signing keys — presumably the
// unsigned (insecure) delegation case, so that names under it are reported as
// insecure rather than bogus; confirm against the implementation.
func (ks *KeyStore) SetEmptyZone(fqdn string)

type Option

// Option configures the Resolver built by New by mutating its unexported
// config; WithDNSResolver and WithTrustAnchors are the options on this page.
type Option func(*config)

func WithDNSResolver

// WithDNSResolver sets the transport Resolver uses to send its queries.
func WithDNSResolver(resolver DNSResolver) Option

func WithTrustAnchors

// WithTrustAnchors sets the DNSKEY records the resolver trusts without further
// proof, keyed by uint16 (presumably key tag — confirm). Every validation
// result depends on this set: an attacker-chosen anchor set makes the
// attacker's data validate, and a stale one makes genuine data fail, so load
// it from a trusted source and keep it current.
func WithTrustAnchors(keys map[uint16]*dns.DNSKEY) Option

type Resolver

// Resolver is a validating DNS resolver: Query performs a lookup and
// GetVerifiedZoneKeys exposes the validated DNSKEY set for a zone. Build one
// with New; fields are unexported and not shown on this page.
type Resolver struct {
	// contains filtered or unexported fields
}

func New

// New builds a Resolver from options. A non-nil err means the configuration
// was rejected; which inputs are required (a DNSResolver? trust anchors?) is
// not visible on this page — confirm.
func New(options ...Option) (resolver *Resolver, err error)

func (*Resolver) GetVerifiedZoneKeys

// GetVerifiedZoneKeys returns the FQDN of the zone that signs fqdn together
// with that zone's DNSKEY set. The name indicates the keys are returned only
// after verification against the trust anchors; err presumably reports a
// transport failure or a non-Secure SecurityStatus (ErrInsecure, ErrBogus,
// ErrIndeterminate) — confirm.
func (resolver *Resolver) GetVerifiedZoneKeys(fqdn string) (signingZoneFQDN string, signingZoneKeys map[uint16]*dns.DNSKEY, err error)

func (*Resolver) Query

// Query resolves name with record type typ (a dns.Type* value such as
// dns.TypeA) and returns the response message. err presumably carries the
// SecurityStatus of the answer as well as transport failures — confirm.
// Callers should fail closed on ErrBogus and treat an ErrInsecure answer as
// unauthenticated data.
func (resolver *Resolver) Query(name string, typ uint16) (msg *dns.Msg, err error)

type SecurityStatus

// SecurityStatus is the DNSSEC validation outcome for an RRset, modelled as an
// error so a lookup can hand it back directly: the nil value (Secure) means the
// data validated, every other value is a sentinel that callers test with
// errors.Is. Treat ErrBogus as a hard failure and ErrInsecure as "not protected
// by DNSSEC", never as validated data.
//
// [rfc4035] 4.3. Determining Security Status of Data
//
// A security-aware resolver MUST be able to determine whether it should expect
// a particular RRset to be signed. More precisely, a security-aware resolver
// must be able to distinguish between four cases:
type SecurityStatus error

var (
	// Secure is the nil status: the resolver built a chain of signed DNSKEY
	// and DS RRs from a trusted anchor down to the RRset, so the RRset is
	// expected to be signed and its signature was subject to validation.
	// Being nil, it is exactly what a caller observes as err == nil.
	Secure SecurityStatus

	// ErrInsecure: the resolver knows there is no chain of signed DNSKEY and
	// DS RRs from any trusted starting point to the RRset, typically because
	// the RRset, or an ancestor zone, is unsigned. The data may still carry
	// signatures, but the resolver cannot verify them.
	ErrInsecure SecurityStatus = errors.New("insecure RRSet, DNSSEC not enabled in part of the chain of trust")

	// ErrBogus: the resolver expected to establish a chain of trust but could
	// not, because a signature failed to validate or because DNSSEC RRs that
	// should be present are missing. This may be an attack; it may equally be
	// misconfiguration or corrupted data. Either way the RRset must not be
	// used as validated.
	ErrBogus SecurityStatus = errors.New("bogus RRSet, DNSSEC maybe hijacked or misconfigured")

	// ErrIndeterminate: the resolver could not decide whether the RRset should
	// be signed because it could not obtain the necessary DNSSEC RRs, e.g. the
	// security-aware name servers for the relevant zones were unreachable.
	// NOTE(review): the message text contains typos ("indeterminated",
	// "availiable"); it is kept verbatim because callers may match on it, and
	// correcting it is worth a deliberate, announced change.
	ErrIndeterminate SecurityStatus = errors.New("indeterminated security status, DNSSEC info not availiable due to network error")
)
