use alloc::borrow::ToOwned;
use alloc::vec::Vec;
use alloc::vec;
-use core::cmp;
+use core::cmp::{self, Ordering};
use ring::signature;
+use crate::base32;
+use crate::crypto;
use crate::rr::*;
use crate::ser::write_name;
for record in records.iter() {
let record_labels = record.name().labels() as usize;
let labels = sig.labels.into();
- if record_labels != labels {
+ // For NSec types, the name should already match the wildcard, so we don't do any
+ // filtering here. This is relied upon in `verify_rr_stream` to check whether an
+ // NSec record is matching via wildcard (as otherwise we'd allow a resolver to
+ // change the name out from under us and change the wildcard to something else).
+ if record.ty() != NSec::TYPE && record_labels != labels {
if record_labels < labels { return Err(ValidationError::Invalid); }
let signed_name = record.name().trailing_n_labels(sig.labels);
debug_assert!(signed_name.is_some());
return Ok(());
}
}
+
+ // Note that technically there could be a key tag collision here, causing spurious
+ // verification failure. In most zones, there's only 2-4 DNSKEY entries, meaning a
+ // spurious collision shouldn't be much more often than one every billion zones. Much
+ // more likely in such a case, someone is just trying to do a KeyTrap attack, so we
+ // simply hard-fail and return an error immediately.
sig_validation?;
return Ok(());
Err(ValidationError::Invalid)
}
-fn verify_dnskey_rrsig<'a, T, I>(sig: &RRSig, dses: T, records: Vec<&DnsKey>)
--> Result<(), ValidationError>
-where T: IntoIterator<IntoIter = I>, I: Iterator<Item = &'a DS> + Clone {
+/// Verify [`RRSig`]s over [`DnsKey`], returning a reference to the [`RRSig`] that matched, if any.
+fn verify_dnskeys<'r, 'd, RI, R, DI, D>(sigs: RI, dses: DI, records: Vec<&DnsKey>)
+-> Result<&'r RRSig, ValidationError>
+where RI: IntoIterator<IntoIter = R>, R: Iterator<Item = &'r RRSig>,
+ DI: IntoIterator<IntoIter = D>, D: Iterator<Item = &'d DS> + Clone {
let mut validated_dnskeys = Vec::with_capacity(records.len());
let dses = dses.into_iter();
for ds in dses.clone() {
if ds.alg != dnskey.alg { continue; }
if dnskey.key_tag() == ds.key_tag {
- let alg = match ds.digest_type {
- 1 if trust_sha1 => &ring::digest::SHA1_FOR_LEGACY_USE_ONLY,
- 2 => &ring::digest::SHA256,
- 4 => &ring::digest::SHA384,
+ let mut ctx = match ds.digest_type {
+ 1 if trust_sha1 => crypto::hash::Hasher::sha1(),
+ 2 => crypto::hash::Hasher::sha256(),
+ 4 => crypto::hash::Hasher::sha384(),
_ => continue,
};
- let mut ctx = ring::digest::Context::new(alg);
write_name(&mut ctx, &dnskey.name);
ctx.update(&dnskey.flags.to_be_bytes());
ctx.update(&dnskey.protocol.to_be_bytes());
}
}
}
- verify_rrsig(sig, validated_dnskeys.iter().map(|k| *k), records)
+
+ let mut found_unsupported_alg = false;
+ for sig in sigs {
+ match verify_rrsig(sig, validated_dnskeys.iter().map(|k| *k), records.clone()) {
+ Ok(()) => return Ok(sig),
+ Err(ValidationError::UnsupportedAlgorithm) => {
+ // There may be redundant signatures by different keys, where one we don't
+ // supprt and another we do. Ignore ones we don't support, but if there are
+ // no more, return UnsupportedAlgorithm
+ found_unsupported_alg = true;
+ },
+ Err(ValidationError::Invalid) => {
+ // If a signature is invalid, just immediately fail, avoiding KeyTrap issues.
+ return Err(ValidationError::Invalid);
+ },
+ }
+ }
+
+ if found_unsupported_alg {
+ Err(ValidationError::UnsupportedAlgorithm)
+ } else {
+ Err(ValidationError::Invalid)
+ }
}
/// Given a set of [`RR`]s, [`verify_rr_stream`] checks what it can and returns the set of
/// contained records verified.
#[derive(Debug, Clone)]
pub struct VerifiedRRStream<'a> {
- /// The set of verified [`RR`]s.
+ /// The set of verified [`RR`]s, not including [`DnsKey`], [`RRSig`], [`NSec`], and [`NSec3`]
+ /// records.
///
/// These are not valid unless the current UNIX time is between [`Self::valid_from`] and
/// [`Self::expires`].
}
}
+fn nsec_ord(a: &str, b: &str) -> Ordering {
+ let mut a_label_iter = a.rsplit(".");
+ let mut b_label_iter = b.rsplit(".");
+ loop {
+ match (a_label_iter.next(), b_label_iter.next()) {
+ (Some(_), None) => return Ordering::Greater,
+ (None, Some(_)) => return Ordering::Less,
+ (Some(a_label), Some(b_label)) => {
+ let mut a_bytes = a_label.bytes();
+ let mut b_bytes = b_label.bytes();
+ loop {
+ match (a_bytes.next(), b_bytes.next()) {
+ (Some(_), None) => return Ordering::Greater,
+ (None, Some(_)) => return Ordering::Less,
+ (Some(mut a), Some(mut b)) => {
+ if a >= 'A' as u8 && a <= 'Z' as u8 {
+ a += 'a' as u8 - 'A' as u8;
+ }
+ if b >= 'A' as u8 && b <= 'Z' as u8 {
+ b += 'a' as u8 - 'A' as u8;
+ }
+ if a != b { return a.cmp(&b); }
+ },
+ (None, None) => break,
+ }
+ }
+ },
+ (None, None) => return Ordering::Equal,
+ }
+ }
+}
+fn nsec_ord_extra<T, U>(a: &(&str, T, U), b: &(&str, T, U)) -> Ordering {
+ nsec_ord(a.0, b.0)
+}
+
+#[cfg(test)]
+#[test]
+fn rfc4034_sort_test() {
+ // Test nsec_ord based on RFC 4034 section 6.1's example
+ // Note that we replace the \200 example with \7f as I have no idea what \200 is
+ let v = vec!["example.", "a.example.", "yljkjljk.a.example.", "Z.a.example.",
+ "zABC.a.EXAMPLE.", "z.example.", "\001.z.example.", "*.z.example.", "\x7f.z.example."];
+ let mut sorted = v.clone();
+ sorted.sort_unstable_by(|a, b| nsec_ord(*a, *b));
+ assert_eq!(sorted, v);
+}
+
/// Verifies the given set of resource records.
///
/// Given a set of arbitrary records, this attempts to validate DNSSEC data from the [`root_hints`]
pub fn verify_rr_stream<'a>(inp: &'a [RR]) -> Result<VerifiedRRStream<'a>, ValidationError> {
let mut zone = ".";
let mut res = Vec::new();
+ let mut rrs_needing_non_existence_proofs = Vec::new();
let mut pending_ds_sets = Vec::with_capacity(1);
let mut latest_inception = 0;
let mut earliest_expiry = u64::MAX;
let mut min_ttl = u32::MAX;
'next_zone: while zone == "." || !pending_ds_sets.is_empty() {
- let mut found_unsupported_alg = false;
let next_ds_set;
if let Some((next_zone, ds_set)) = pending_ds_sets.pop() {
next_ds_set = Some(ds_set);
next_ds_set = None;
}
+ let dnskey_rrsigs = inp.iter()
+ .filter_map(|rr| if let RR::RRSig(sig) = rr { Some(sig) } else { None })
+ .filter(|rrsig| rrsig.name.as_str() == zone && rrsig.ty == DnsKey::TYPE);
+ let dnskeys = inp.iter()
+ .filter_map(|rr| if let RR::DnsKey(dnskey) = rr { Some(dnskey) } else { None })
+ .filter(move |dnskey| dnskey.name.as_str() == zone);
+ let root_hints = root_hints();
+ let verified_dnskey_rrsig = if zone == "." {
+ verify_dnskeys(dnskey_rrsigs, &root_hints, dnskeys.clone().collect())?
+ } else {
+ debug_assert!(next_ds_set.is_some());
+ if next_ds_set.is_none() { break 'next_zone; }
+ verify_dnskeys(dnskey_rrsigs, next_ds_set.clone().unwrap(), dnskeys.clone().collect())?
+ };
+ latest_inception = cmp::max(latest_inception, resolve_time(verified_dnskey_rrsig.inception));
+ earliest_expiry = cmp::min(earliest_expiry, resolve_time(verified_dnskey_rrsig.expiration));
+ min_ttl = cmp::min(min_ttl, verified_dnskey_rrsig.orig_ttl);
for rrsig in inp.iter()
.filter_map(|rr| if let RR::RRSig(sig) = rr { Some(sig) } else { None })
- .filter(|rrsig| rrsig.name.as_str() == zone && rrsig.ty == DnsKey::TYPE)
+ .filter(move |rrsig| rrsig.key_name.as_str() == zone && rrsig.ty != DnsKey::TYPE)
{
- let dnskeys = inp.iter()
- .filter_map(|rr| if let RR::DnsKey(dnskey) = rr { Some(dnskey) } else { None })
- .filter(move |dnskey| dnskey.name.as_str() == zone);
- let dnskeys_verified = if zone == "." {
- verify_dnskey_rrsig(rrsig, &root_hints(), dnskeys.clone().collect())
- } else {
- debug_assert!(next_ds_set.is_some());
- if next_ds_set.is_none() { break 'next_zone; }
- verify_dnskey_rrsig(rrsig, next_ds_set.clone().unwrap(), dnskeys.clone().collect())
- };
- if dnskeys_verified.is_ok() {
- latest_inception = cmp::max(latest_inception, resolve_time(rrsig.inception));
- earliest_expiry = cmp::min(earliest_expiry, resolve_time(rrsig.expiration));
- min_ttl = cmp::min(min_ttl, rrsig.orig_ttl);
- for rrsig in inp.iter()
- .filter_map(|rr| if let RR::RRSig(sig) = rr { Some(sig) } else { None })
- .filter(move |rrsig| rrsig.key_name.as_str() == zone && rrsig.ty != DnsKey::TYPE)
- {
- if !rrsig.name.ends_with(zone) { return Err(ValidationError::Invalid); }
- let signed_records = inp.iter()
- .filter(|rr| rr.name() == &rrsig.name && rr.ty() == rrsig.ty);
- verify_rrsig(rrsig, dnskeys.clone(), signed_records.clone().collect())?;
- latest_inception = cmp::max(latest_inception, resolve_time(rrsig.inception));
- earliest_expiry = cmp::min(earliest_expiry, resolve_time(rrsig.expiration));
- min_ttl = cmp::min(min_ttl, rrsig.orig_ttl);
- match rrsig.ty {
- // RRSigs shouldn't cover child `DnsKey`s or other `RRSig`s
- RRSig::TYPE|DnsKey::TYPE => return Err(ValidationError::Invalid),
- DS::TYPE => {
- if !pending_ds_sets.iter().any(|(pending_zone, _)| pending_zone == &rrsig.name.as_str()) {
- pending_ds_sets.push((
- &rrsig.name,
- signed_records.filter_map(|rr|
- if let RR::DS(ds) = rr { Some(ds) }
- else { debug_assert!(false, "We already filtered by type"); None })
- ));
- }
- },
- _ => {
- for record in signed_records {
- if !res.contains(&record) { res.push(record); }
- }
- },
- }
+ if !rrsig.name.ends_with(zone) { return Err(ValidationError::Invalid); }
+ let signed_records = inp.iter()
+ .filter(|rr| rr.name() == &rrsig.name && rr.ty() == rrsig.ty);
+ match verify_rrsig(rrsig, dnskeys.clone(), signed_records.clone().collect()) {
+ Ok(()) => {},
+ Err(ValidationError::UnsupportedAlgorithm) => continue,
+ Err(ValidationError::Invalid) => {
+ // If a signature is invalid, just immediately fail, avoiding KeyTrap issues.
+ return Err(ValidationError::Invalid);
}
- continue 'next_zone;
- } else if dnskeys_verified == Err(ValidationError::UnsupportedAlgorithm) {
- // There may be redundant signatures by different keys, where one we don't supprt
- // and another we do. Ignore ones we don't support, but if there are no more,
- // return UnsupportedAlgorithm
- found_unsupported_alg = true;
- } else {
- // We don't explicitly handle invalid signatures here, instead we move on to the
- // next RRSig (if there is one) and return `Invalid` if no `RRSig`s match.
+ }
+ latest_inception = cmp::max(latest_inception, resolve_time(rrsig.inception));
+ earliest_expiry = cmp::min(earliest_expiry, resolve_time(rrsig.expiration));
+ min_ttl = cmp::min(min_ttl, rrsig.orig_ttl);
+ match rrsig.ty {
+ // RRSigs shouldn't cover child `DnsKey`s or other `RRSig`s
+ RRSig::TYPE|DnsKey::TYPE => return Err(ValidationError::Invalid),
+ DS::TYPE => {
+ if !pending_ds_sets.iter().any(|(pending_zone, _)| pending_zone == &rrsig.name.as_str()) {
+ pending_ds_sets.push((
+ &rrsig.name,
+ signed_records.filter_map(|rr|
+ if let RR::DS(ds) = rr { Some(ds) }
+ else { debug_assert!(false, "We already filtered by type"); None })
+ ));
+ }
+ },
+ _ => {
+ if rrsig.labels != rrsig.name.labels() && rrsig.ty != NSec::TYPE {
+ if rrsig.ty == NSec3::TYPE {
+ // NSEC3 records should never appear on wildcards, so treat the
+ // whole proof as invalid
+ return Err(ValidationError::Invalid);
+ }
+ // If the RR used a wildcard, we need an NSEC/NSEC3 proof, which we
+ // check for at the end. Note that the proof should be for the
+ // "next closest" name, i.e. if the name here is a.b.c and it was
+ // signed as *.c, we want a proof for nothing being in b.c.
+ // Alternatively, if it was signed as *.b.c, we'd want a proof for
+ // a.b.c.
+ let proof_name = rrsig.name.trailing_n_labels(rrsig.labels + 1)
+ .ok_or(ValidationError::Invalid)?;
+ rrs_needing_non_existence_proofs.push((proof_name, &rrsig.key_name, rrsig.ty));
+ }
+ for record in signed_records {
+ if !res.contains(&record) { res.push(record); }
+ }
+ },
}
}
- // No RRSigs were able to verify our DnsKey set
- if found_unsupported_alg {
- return Err(ValidationError::UnsupportedAlgorithm);
- } else {
- return Err(ValidationError::Invalid);
- }
+ continue 'next_zone;
}
- if res.is_empty() { Err(ValidationError::Invalid) }
- else if latest_inception >= earliest_expiry { Err(ValidationError::Invalid) }
- else {
- Ok(VerifiedRRStream {
- verified_rrs: res, valid_from: latest_inception, expires: earliest_expiry,
- max_cache_ttl: min_ttl,
- })
+ if res.is_empty() { return Err(ValidationError::Invalid) }
+ if latest_inception >= earliest_expiry { return Err(ValidationError::Invalid) }
+
+ // First sort the proofs we're looking for so that the retains below avoid shifting.
+ rrs_needing_non_existence_proofs.sort_unstable_by(nsec_ord_extra);
+ 'proof_search_loop: while let Some((name, zone, ty)) = rrs_needing_non_existence_proofs.pop() {
+ let nsec_search = res.iter()
+ .filter_map(|rr| if let RR::NSec(nsec) = rr { Some(nsec) } else { None })
+ .filter(|nsec| nsec.name.ends_with(zone.as_str()));
+ for nsec in nsec_search {
+ let name_matches = nsec.name.as_str() == name;
+ let name_contained = nsec_ord(&nsec.name, &name) != Ordering::Greater &&
+ nsec_ord(&nsec.next_name, name) == Ordering::Greater;
+ if (name_matches && !nsec.types.contains_type(ty)) || name_contained {
+ rrs_needing_non_existence_proofs
+ .retain(|(n, _, t)| *n != name || (name_matches && nsec.types.contains_type(*t)));
+ continue 'proof_search_loop;
+ }
+ }
+ let nsec3_search = res.iter()
+ .filter_map(|rr| if let RR::NSec3(nsec3) = rr { Some(nsec3) } else { None })
+ .filter(|nsec3| nsec3.name.ends_with(zone.as_str()));
+
+ // Because we will only ever have two entries, a Vec is simpler than a map here.
+ let mut nsec3params_to_name_hash = Vec::new();
+ for nsec3 in nsec3_search.clone() {
+ if nsec3.hash_iterations > 2500 {
+ // RFC 5115 places different limits on the iterations based on the signature key
+ // length, but we just use 2500 for all key types
+ continue;
+ }
+ if nsec3.hash_algo != 1 { continue; }
+ if nsec3params_to_name_hash.iter()
+ .any(|(iterations, salt, _)| *iterations == nsec3.hash_iterations && *salt == &nsec3.salt)
+ { continue; }
+
+ let mut hasher = crypto::hash::Hasher::sha1();
+ write_name(&mut hasher, &name);
+ hasher.update(&nsec3.salt);
+ for _ in 0..nsec3.hash_iterations {
+ let res = hasher.finish();
+ hasher = crypto::hash::Hasher::sha1();
+ hasher.update(res.as_ref());
+ hasher.update(&nsec3.salt);
+ }
+ nsec3params_to_name_hash.push((nsec3.hash_iterations, &nsec3.salt, hasher.finish()));
+
+ if nsec3params_to_name_hash.len() >= 2 {
+ // We only allow for up to two sets of hash_iterations/salt per zone. Beyond that
+ // we assume this is a malicious DoSing proof and give up.
+ break;
+ }
+ }
+ for nsec3 in nsec3_search {
+ if nsec3.flags != 0 {
+ // This is an opt-out NSEC3 (or has unknown flags set). Thus, we shouldn't rely on
+ // it as proof that some record doesn't exist.
+ continue;
+ }
+ if nsec3.hash_algo != 1 { continue; }
+ let name_hash = if let Some((_, _, hash)) =
+ nsec3params_to_name_hash.iter()
+ .find(|(iterations, salt, _)| *iterations == nsec3.hash_iterations && *salt == &nsec3.salt)
+ {
+ hash
+ } else { continue };
+
+ let (start_hash_base32, _) = nsec3.name.split_once(".")
+ .unwrap_or_else(|| { debug_assert!(false); ("", "")});
+ let start_hash = if let Ok(start_hash) = base32::decode(start_hash_base32) {
+ start_hash
+ } else { continue };
+ if start_hash.len() != 20 || nsec3.next_name_hash.len() != 20 { continue; }
+
+ let hash_matches = &start_hash[..] == name_hash.as_ref();
+ let hash_contained =
+ &start_hash[..] <= name_hash.as_ref() && &nsec3.next_name_hash[..] > name_hash.as_ref();
+ if (hash_matches && !nsec3.types.contains_type(ty)) || hash_contained {
+ rrs_needing_non_existence_proofs
+ .retain(|(n, _, t)| *n != name || (hash_matches && nsec3.types.contains_type(*t)));
+ continue 'proof_search_loop;
+ }
+ }
+ return Err(ValidationError::Invalid);
}
+
+ res.retain(|rr| rr.ty() != NSec::TYPE && rr.ty() != NSec3::TYPE);
+
+ Ok(VerifiedRRStream {
+ verified_rrs: res, valid_from: latest_inception, expires: earliest_expiry,
+ max_cache_ttl: min_ttl,
+ })
}
impl<'a> VerifiedRRStream<'a> {
}];
let dnskey_rrsig = RRSig {
name: ".".try_into().unwrap(), ty: DnsKey::TYPE, alg: 8, labels: 0, orig_ttl: 172800,
- expiration: 1709337600, inception: 1707523200, key_tag: 20326, key_name: ".".try_into().unwrap(),
- signature: base64::decode("QXPpi2A4jXgS6/aH5ZPCT/iOr75XYdk9kxemYrLaVaUAiaOVLDcArPOC8vyv6BKrK0Mq/lht2ql/XARVokC97n1W7B7tpzTpsZle7Z9cTSvbQefI/vVmFZwp+4+mad2f+Tqa0ApQLWaFXEdrJ4IThswbIwpNp8e1w9HwTZHT/B5Jve+v3CLf8o73ScYaVebC5c76Ifh6M5lAknazUWJ9/j5vQ6yInQpcUR3t520HL+KPEcDfmDXB6GOLr/Psdk8QCfB3LJ4heDCaI0H+ae/YPzedpnihAVP+hzhlOzZ0vpj7QOh4lTQjN7UzWNY9XbK+EhZHXRQmCmYydAUP6FpMmQ==").unwrap(),
+ expiration: 1710201600, inception: 1708387200, key_tag: 20326, key_name: ".".try_into().unwrap(),
+ signature: base64::decode("GIgwndRLXgt7GX/JNEqSvpYw5ij6EgeQivdC/hmNNuOd2MCQRSxZx2DdLZUoK0tmn2XmOd0vYP06DgkIMUpIXcBstw/Um55WQhvBkBTPIhuB3UvKYJstmq+8hFHWVJwKHTg9xu38JA43VgCV2AbzurbzNOLSgq+rDPelRXzpLr5aYE3y+EuvL+I5gusm4MMajnp5S+ioWOL+yWOnQE6XKoDmlrfcTrYfRSxRtJewPmGeCbNdwEUBOoLUVdkCjQG4uFykcKL40cY8EOhVmM3kXAyuPuNe2Xz1QrIcVad/U4FDns+hd8+W+sWnr8QAtIUFT5pBjXooGS02m6eMdSeU6g==").unwrap(),
};
let root_hints = root_hints();
- verify_dnskey_rrsig(&dnskey_rrsig, &root_hints, dnskeys.iter().collect()).unwrap();
+ verify_dnskeys([&dnskey_rrsig], &root_hints, dnskeys.iter().collect()).unwrap();
let rrs = vec![dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
(dnskeys, rrs)
}
}];
let ds_rrsig = RRSig {
name: "com.".try_into().unwrap(), ty: DS::TYPE, alg: 8, labels: 1, orig_ttl: 86400,
- expiration: 1708794000, inception: 1707667200, key_tag: 30903, key_name: ".".try_into().unwrap(),
- signature: base64::decode("RT9N7xNToOdDHGw+/gvWCeEk+HXR/VBlAymFR2OWaYCVD6FUXlAw4OZkvJPqpsA465R1+CApbWu0vsG3Op949QNqU0tDOZcnO3+dyf0vimQX8pI0XMwtrUM/KHkHHb+EWKywNHsMqOo83+b428YHtkidVXeToz/xjFTJLbAlgNJCAiq3FGuHo/x2fnccBiZB2spfW7Og6nhOBqAy5tUualgaCxMX3j5ZDoQ259HhVgbYdQvjd7H9sj0C4UHxm8Y0XY5J1gRnWIuylN1oLzwIqizGFPbknvFXA/GXfk3KInlpQoCnXWwHe8ZBEgxqcgJ8YLRDU8bj+bJ4nol53yntcA==").unwrap(),
+ expiration: 1710133200, inception: 1709006400, key_tag: 30903, key_name: ".".try_into().unwrap(),
+ signature: base64::decode("WEf7UPqoulxab83nVy/518TpZcC3og0paZ7Lag5iOqGdmGvZnB0yQ42s25iqB/mL6ZU+sSUwYoclcW36Tv/yHgS813T2wOgQ4Jh01aCsjkjvpgpbtnDTxg8bL30LV1obhQhOBFu5SqD4FOMeaV9Fqcff7Z72vC1UdVy0us2Kbhti3uQYrKQlGYcDMlgQAyOE0WEaLT74YfKFTpZvIK0UfUfdUAAiM0Z6PUi7BoyToIN+eKKPvny/+4BP9iVvAOmPMgr+kq/qIWOdsvUaq/S+k7VEPTJEi+i2gODgbMC+3EZZpZie9kv1EEAwGwBtGjE7bLlA1QUbuVeTgczIzrYriQ==").unwrap(),
};
verify_rrsig(&ds_rrsig, &root_dnskeys, com_ds.iter().collect()).unwrap();
let dnskeys = vec![DnsKey {
}];
let dnskey_rrsig = RRSig {
name: "com.".try_into().unwrap(), ty: DnsKey::TYPE, alg: 13, labels: 1, orig_ttl: 86400,
- expiration: 1708614155, inception: 1707317855, key_tag: 19718, key_name: "com.".try_into().unwrap(),
- signature: base64::decode("z1l579YFyZ1bD345+zwNUiGJQ9SAoSBdhfelmo9+cLFHF9wwtr/rJnsHt/T/75zCxzAXZGHw6FFcH5ZCe/mH4A==").unwrap(),
+ expiration: 1710342155, inception: 1709045855, key_tag: 19718, key_name: "com.".try_into().unwrap(),
+ signature: base64::decode("lF2B9nXZn0CgytrHH6xB0NTva4G/aWvg/ypnSxJ8+ZXlvR0C4974yB+nd2ZWzWMICs/oPYMKoQHqxVjnGyu8nA==").unwrap(),
};
- verify_dnskey_rrsig(&dnskey_rrsig, &com_ds, dnskeys.iter().collect()).unwrap();
+ verify_dnskeys([&dnskey_rrsig], &com_ds, dnskeys.iter().collect()).unwrap();
let rrs = vec![com_ds.pop().unwrap().into(), ds_rrsig.into(),
dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
(dnskeys, rrs)
}];
let ds_rrsig = RRSig {
name: "ninja.".try_into().unwrap(), ty: DS::TYPE, alg: 8, labels: 1, orig_ttl: 86400,
- expiration: 1708794000, inception: 1707667200, key_tag: 30903, key_name: ".".try_into().unwrap(),
- signature: base64::decode("FO6kj+2lJF/VSDwkwh+h8NpkCzk9x7DES/3LQFnJf4NOnY7W+m86Usy79CP5t8YMiKZweOlUd8rmd1PkrX1zf0sQxqdWFPpKiDxh/tyhkyV/FiN8vvtXMaIUeDFWXTBM/Rap2oHigiRDsHwOd8fnG1+8bkY7HtXx54EZvieRZAvZd17wBj3L75UQHwIxJwpzbeZOF3583wcWoPOX70pp4Xzeryok0P++Qr7VPUpzEHAe4v4JePlODau38qyI1Bzr2pBQiTSgpBUI5vTtoGC4+aEMXjc0OBt6kMjncQA6B8GNqUqnBgfTdNNhXYFTWekBAres5w5SvVOKeS3no1eIRw==").unwrap(),
+ expiration: 1710133200, inception: 1709006400, key_tag: 30903, key_name: ".".try_into().unwrap(),
+ signature: base64::decode("4fLiekxJy1tHW3sMzmPA/i4Mn6TYoCHDKbcvk3t3N6IXMkACSgU+6P5NxSMxo5Xa7YL5UuE1ICDKxel5o5WzyvjaRQA//hZomjwnCzqyG2XoS6Va8cULSOA5jOU153NSCvos39iHeJnuPINzbMAfsKcg6Ib/IDmNnpouQF53hQzVy+5MGLlGPUZjSO6b4GIslyKpLG0tBLKXM5rZXREPJClEY+LWKOtAS1iARqdsWmSnKxZCpgnEjmkqJBtjCus+s6AtMteBHIFyebwA7oUDNtJ3Im1dO5b6sUoGP8gUgnqdFELSLEeEhKYKpO+jSruI8g/gjNIb5C9vDwAtcSoAew==").unwrap(),
};
verify_rrsig(&ds_rrsig, &root_dnskeys, ninja_ds.iter().collect()).unwrap();
let dnskeys = vec![DnsKey {
name: "ninja.".try_into().unwrap(), flags: 256, protocol: 3, alg: 8,
- pubkey: base64::decode("AwEAAZlkeshgX2Q9i/X4zZMc2ciKO2a3+mOiOCuYHYbwt/43XXdcHdjtOUrWFFJkGBBWsHQZ/Bg0CeUGqvUGywd3ndY5IAX+e7PnuIUlhKDcNmntcQbxhrH+cpmOoB3Xo/96JoVjurPxTuJE23I1oA+0aESc581f4pKEbTp4WI7m5xNn").unwrap(),
+ pubkey: base64::decode("AwEAAb6FWe0O0qxUkA+LghF71OPWt0WNqBaCi34HCV6Agjz70RN/j7yGi3xCExM8MkzyrbXd5yYFP4X7TCGEzI5ofLNq7GVIj9laZO0WYS8DNdCMN7qkVVaYeR2UeeGsdvIJqRWzlynABAKnCzX+y5np77FBsle4cAIGxJE/0F5kn61F").unwrap(),
}, DnsKey {
name: "ninja.".try_into().unwrap(), flags: 256, protocol: 3, alg: 8,
- pubkey: base64::decode("AwEAAb6FWe0O0qxUkA+LghF71OPWt0WNqBaCi34HCV6Agjz70RN/j7yGi3xCExM8MkzyrbXd5yYFP4X7TCGEzI5ofLNq7GVIj9laZO0WYS8DNdCMN7qkVVaYeR2UeeGsdvIJqRWzlynABAKnCzX+y5np77FBsle4cAIGxJE/0F5kn61F").unwrap(),
+ pubkey: base64::decode("AwEAAZlkeshgX2Q9i/X4zZMc2ciKO2a3+mOiOCuYHYbwt/43XXdcHdjtOUrWFFJkGBBWsHQZ/Bg0CeUGqvUGywd3ndY5IAX+e7PnuIUlhKDcNmntcQbxhrH+cpmOoB3Xo/96JoVjurPxTuJE23I1oA+0aESc581f4pKEbTp4WI7m5xNn").unwrap(),
}, DnsKey {
name: "ninja.".try_into().unwrap(), flags: 257, protocol: 3, alg: 8,
pubkey: base64::decode("AwEAAcceTJ3Ekkmiez70L8uNVrTDrHZxXHrQHEHQ1DJZDRXDxizuSy0prDXy1yybMqcKAkPL0IruvJ9vHg5j2eHN/hM8RVqCQ1wHgLdQASyUL37VtmLuyNmuiFpYmT+njXVh/tzRHZ4cFxrLAtACWDe6YaPApnVkJ0FEcMnKCQaymBaLX02WQOYuG3XdBr5mQQTtMs/kR/oh83QBcSxyCg3KS7G8IPP6MQPK0za94gsW9zlI5rgN2gpSjbU2qViGjDhw7N3PsC37PLTSLirUmkufeMkP9sfhDjAbP7Nv6FmpTDAIRmBmV0HBT/YNBTUBP89DmEDsrYL8knjkrOaLqV5wgkk=").unwrap(),
}];
let dnskey_rrsig = RRSig {
name: "ninja.".try_into().unwrap(), ty: DnsKey::TYPE, alg: 8, labels: 1, orig_ttl: 3600,
- expiration: 1709309122, inception: 1707491122, key_tag: 46082, key_name: "ninja.".try_into().unwrap(),
- signature: base64::decode("tZjyFUaRDCFZ8heFd5qWQs5CKAZHEzdv3OcR3IRcyfIebRkpPjXM/Wi/0cPnKkEh7PQx+GK3ZRsSz8Sd0VEmmH/DapTh5Fn+ZR7znnGVGDU7xvHRQZaIB33MMTqLBkKkjDkWi+G7cYe7PbfWRh5JOvcyUSZ21eKlAInaOJYrc9WNydN6EnXhDoMZJK8GWrM8AJdKJjpopqH3iEuu73WI9JZJQtzo4vdGyYwHvYAu9x14zCY1uKcBoCaohjP4K7KRvl+aRQETY175yFBfeCneExb2SJI6wMVEWwlQbeMImn2jmPjGcm0cZjYL6v+jj4T7Yq2xZirdvHoCtIeCXwv5Dg==").unwrap(),
+ expiration: 1710689605, inception: 1708871605, key_tag: 46082, key_name: "ninja.".try_into().unwrap(),
+ signature: base64::decode("kYxV1z+9Ikxqbr13N+8HFWWnAUcvHkr/dmkdf21mliUhH4cxeYCXC6a95X+YzjYQEQi3fU+S346QBDJkbFYCca5q/TzUdE7ej1B/0uTzhgNrQznm0O6sg6DI3HuqDfZp2oaBQm2C/H4vjkcUW9zxgKP8ON0KKLrZUuYelGazeGSOscjDDlmuNMD7tHhFrmK9BiiX+8sp8Cl+IE5ArP+CPXsII+P+R2QTmTqw5ovJch2FLRMRqCliEzTR/IswBI3FfegZR8h9xJ0gfyD2rDqf6lwJhD1K0aS5wxia+bgzpRIKwiGfP87GDYzkygHr83QbmZS2YG1nxlnQ2rgkqTGgXA==").unwrap(),
};
- verify_dnskey_rrsig(&dnskey_rrsig, &ninja_ds, dnskeys.iter().collect()).unwrap();
+ verify_dnskeys([&dnskey_rrsig], &ninja_ds, dnskeys.iter().collect()).unwrap();
let rrs = vec![ninja_ds.pop().unwrap().into(), ds_rrsig.into(),
dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskeys[2].clone().into(),
dnskey_rrsig.into()];
}];
let ds_rrsig = RRSig {
name: "mattcorallo.com.".try_into().unwrap(), ty: DS::TYPE, alg: 13, labels: 2, orig_ttl: 86400,
- expiration: 1707976967, inception: 1707367967, key_tag: 4534, key_name: "com.".try_into().unwrap(),
- signature: base64::decode("QtgzO1czEOcGxvjuSqW4AlEMYr1gDSPRwYPvhmZOe06QU3dfXppv/+wEr1DNKY6BCjQ7fVXx0YFb7T3NfmLbHQ==").unwrap(),
+ expiration: 1709359258, inception: 1708750258, key_tag: 4534, key_name: "com.".try_into().unwrap(),
+ signature: base64::decode("VqYztN78+g170QPeFOqWFkU1ZrKIsndUYj3Y+8x1ZR1v/YGJXLQe5qkcLWjrl/vMyCgknC3Q/dhcS2ag0a7W1w==").unwrap(),
};
verify_rrsig(&ds_rrsig, &com_dnskeys, mattcorallo_ds.iter().collect()).unwrap();
let dnskeys = vec![DnsKey {
}, DnsKey {
name: "mattcorallo.com.".try_into().unwrap(), flags: 256, protocol: 3, alg: 13,
pubkey: base64::decode("AhUlQ8qk7413R0m4zKfTDHb/FQRlKag+ncGXxNxT+qTzSZTb9E5IGjo9VCEp6+IMqqpkd4GrXpN9AzDvlcU9Ig==").unwrap(),
+ }, DnsKey {
+ name: "mattcorallo.com.".try_into().unwrap(), flags: 256, protocol: 3, alg: 13,
+ pubkey: base64::decode("s165ZpubX31FC2CVeIVVvnPpTnJUoOM8CGt3wk4AtxPftYadgI8uFM43F4QaD67v8B8Vshl63frxN50dc44VHQ==").unwrap(),
}];
let dnskey_rrsig = RRSig {
name: "mattcorallo.com.".try_into().unwrap(), ty: DnsKey::TYPE, alg: 13, labels: 2, orig_ttl: 604800,
- expiration: 1708794127, inception: 1707579127, key_tag: 25630, key_name: "mattcorallo.com.".try_into().unwrap(),
- signature: base64::decode("aYgXNubpwB8RJMiE+pFl1/p40gfE6ov9riMGdIl+H7Ys+hvX+NYR+cJNBpfSeqOIXqPJqxnbEyZ1HE8LvK7i8g==").unwrap(),
+ expiration:1710262250, inception: 1709047250, key_tag: 25630, key_name: "mattcorallo.com.".try_into().unwrap(),
+ signature: base64::decode("dMLDvNU96m+tfgpDIQPxMBJy7T0xyZDj3Wws4b4E6+g3nt5iULdWJ8Eqrj+86KLerOVt7KH4h/YcHP18hHdMGA==").unwrap(),
};
- verify_dnskey_rrsig(&dnskey_rrsig, &mattcorallo_ds, dnskeys.iter().collect()).unwrap();
+ verify_dnskeys([&dnskey_rrsig], &mattcorallo_ds, dnskeys.iter().collect()).unwrap();
let rrs = vec![mattcorallo_ds.pop().unwrap().into(), ds_rrsig.into(),
- dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
+ dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskeys[2].clone().into(),
+ dnskey_rrsig.into()];
(dnskeys, rrs)
}
};
let txt_rrsig = RRSig {
name: "matt.user._bitcoin-payment.mattcorallo.com.".try_into().unwrap(),
- ty: Txt::TYPE, alg: 13, labels: 5, orig_ttl: 3600, expiration: 1708638126,
- inception: 1707423126, key_tag: 47959, key_name: "mattcorallo.com.".try_into().unwrap(),
- signature: base64::decode("DsVKNjv4e3m2sJyTPw9b4tpoDW/o/TrwLfFEQe1zOUn43kGqqCNUX1DqsaAtOeLlBuCVWEo1uT2qVc8MijH5ig==").unwrap(),
+ ty: Txt::TYPE, alg: 13, labels: 5, orig_ttl: 3600, expiration: 1710182540,
+ inception: 1708967540, key_tag: 47959, key_name: "mattcorallo.com.".try_into().unwrap(),
+ signature: base64::decode("vwI89CkCzWI2Iwgl3UeiSo4GKSaKCh7/E/7nE8Hbb1WQvdpwdKSB6jE4nwM1BN4wdPhi7kxd7hyS/uGiKZjxsg==").unwrap(),
};
(txt_resp, txt_rrsig)
}
}];
let ds_rrsig = RRSig {
name: "bitcoin.ninja.".try_into().unwrap(), ty: DS::TYPE, alg: 8, labels: 2, orig_ttl: 3600,
- expiration: 1709309122, inception: 1707491122, key_tag: 34164, key_name: "ninja.".try_into().unwrap(),
- signature: base64::decode("QDFgNQkC5IWkMH8VaOifnIbA+K/OnrPwQwAEwlTTtvXwElC+spF6rKSE1O26+vAIiGbY3LkwcVQHf3pQcgwS3gR3jbzaxyDAQ2RjshLaBJ/gA5BJA0lWyHKsQpmzBpcKf2XnRK6ZY6sUDrWURMoZp3+8qhWJux/3X3aKkr7ADU0=").unwrap(),
+ expiration: 1710689605, inception: 1708871605, key_tag: 34164, key_name: "ninja.".try_into().unwrap(),
+ signature: base64::decode("g/Xyv6cwrGlpEyhXDV1vdKpoy9ZH7HF6MK/41q0GyCrd9wL8BrzKQgwvLqOBhvfUWACJd66CJpEMZnSwH8ZDEcWYYsd8nY2giGX7In/zGz+PA35HlFqy2BgvQcWCaN5Ht/+BUTgZXHbJBEko1iWLZ1yhciD/wA+XTqS7ScQUu88=").unwrap(),
};
verify_rrsig(&ds_rrsig, &ninja_dnskeys, bitcoin_ninja_ds.iter().collect()).unwrap();
let dnskeys = vec![DnsKey {
}];
let dnskey_rrsig = RRSig {
name: "bitcoin.ninja.".try_into().unwrap(), ty: DnsKey::TYPE, alg: 13, labels: 2, orig_ttl: 604800,
- expiration: 1708917507, inception: 1707702507, key_tag: 63175, key_name: "bitcoin.ninja.".try_into().unwrap(),
- signature: base64::decode("h969M0tQu+hRyxhJi5aXroNIiyy2BbKpryAoMxZonuYC+orG6R5rIDE1EUzrp7rTZBKnykgHqkSF1klUK/OMyQ==").unwrap(),
+ expiration: 1709947337, inception: 1708732337, key_tag: 63175, key_name: "bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("Y3To5FZoZuBDUMtIBZXqzRtufyRqOlDqbHVcoZQitXxerCgNQ1CsVdmoFVMmZqRV5n4itINX2x+9G/31j410og==").unwrap(),
};
- verify_dnskey_rrsig(&dnskey_rrsig, &bitcoin_ninja_ds, dnskeys.iter().collect()).unwrap();
+ verify_dnskeys([&dnskey_rrsig], &bitcoin_ninja_ds, dnskeys.iter().collect()).unwrap();
let rrs = vec![bitcoin_ninja_ds.pop().unwrap().into(), ds_rrsig.into(),
dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
(dnskeys, rrs)
};
let txt_rrsig = RRSig {
name: "txt_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
- ty: Txt::TYPE, alg: 13, labels: 4, orig_ttl: 30, expiration: 1708920243,
- inception: 1707705243, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
- signature: base64::decode("CTAs/BSUfZP6+L0MRBVigK03q3M/2APkWlI9gJFkcwFKtDG53c9vcqSqLvv/IMIulDb3pNIj5UpxoRYNAJcVkA==").unwrap(),
+ ty: Txt::TYPE, alg: 13, labels: 4, orig_ttl: 30, expiration: 1709950937,
+ inception: 1708735937, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("S5swe6BMTqwLBU6FH2D50j5A9i5hzli79Vlf5xB515s6YhmcqodbPZnFlN49RdBE43PKi9MJcXpHTiBxvTYBeQ==").unwrap(),
};
(txt_resp, txt_rrsig)
}
};
let cname_rrsig = RRSig {
name: "cname_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
- ty: CName::TYPE, alg: 13, labels: 4, orig_ttl: 30, expiration: 1708920243,
- inception: 1707705243, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
- signature: base64::decode("/xlq2qPB/BaXrUgpz66iIIVh6u2Qsg5oTE8LbDr01D6uvufVJZOl4qvSwbMpYw/+8Lv26etrT1xP53bc/7OyoA==").unwrap(),
+ ty: CName::TYPE, alg: 13, labels: 4, orig_ttl: 30, expiration: 1709950937,
+ inception: 1708735937, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("S8AYftjBADKutt4XKVzqfY7EpvbanpwOGhMDk0lEDFpvNRjl0fZ1k/FEW6AXSUyX2wOaX8hvwXUuZjpr5INuMw==").unwrap(),
};
(cname_resp, cname_rrsig)
}
- fn bitcoin_ninja_wildcard_record() -> (Txt, RRSig) {
- let txt_resp = Txt {
- name: "test.wildcard_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
- data: "wildcard_test".to_owned().into_bytes(),
- };
- let txt_rrsig = RRSig {
- name: "test.wildcard_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
- ty: Txt::TYPE, alg: 13, labels: 4, orig_ttl: 30, expiration: 1708920243,
- inception: 1707705243, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
- signature: base64::decode("GznihIpcboZZXG2wf/yyq1TVcNAl9iHiQeI7H6v15VzZFYhzljWFLolZPB86lKGywYC7PRH4OL0wNvrknJpp/g==").unwrap(),
- };
- (txt_resp, txt_rrsig)
- }
-
- fn bitcoin_ninja_cname_wildcard_record() -> (CName, RRSig, Txt, RRSig) {
- let cname_resp = CName {
- name: "test.cname_wildcard_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
- canonical_name: "cname.wildcard_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
- };
- let txt_resp = Txt {
- name: "cname.wildcard_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
- data: "wildcard_test".to_owned().into_bytes(),
- };
- let cname_rrsig = RRSig {
- name: "test.cname_wildcard_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
- ty: CName::TYPE, alg: 13, labels: 4, orig_ttl: 30, expiration: 1708920243,
- inception: 1707705243, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
- signature: base64::decode("PrII3i0K7H8RKoAmBSgSrPSmrNVNDmEf/d2h//zIKW0LE4gtt85mXP8pwEl8Ar5CbObAsWgmGI16/MMgQtqVZA==").unwrap(),
- };
- let txt_rrsig = RRSig {
- name: "cname.wildcard_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
- ty: Txt::TYPE, alg: 13, labels: 4, orig_ttl: 30, expiration: 1708920243,
- inception: 1707705243, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
- signature: base64::decode("GznihIpcboZZXG2wf/yyq1TVcNAl9iHiQeI7H6v15VzZFYhzljWFLolZPB86lKGywYC7PRH4OL0wNvrknJpp/g==").unwrap(),
- };
- (cname_resp, cname_rrsig, txt_resp, txt_rrsig)
- }
-
fn bitcoin_ninja_txt_sort_edge_cases_records() -> (Vec<Txt>, RRSig) {
let txts = vec![Txt {
name: "txt_sort_order.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
}];
let rrsig = RRSig {
name: "txt_sort_order.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
- ty: Txt::TYPE, alg: 13, labels: 4, orig_ttl: 30, expiration: 1708920243,
- inception: 1707705243, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
- signature: base64::decode("C6myk1EJZ6/y4wClGp201y5EsqrAg4W/oybJ1/P0ss7sYraJC6BNApvHKEHpSBGgF1eJ/NCtpVFeD7+xgU0t3Q==").unwrap(),
+ ty: Txt::TYPE, alg: 13, labels: 4, orig_ttl: 30, expiration: 1709950937,
+ inception: 1708735937, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("kUKbtoNYM6qnu95QJoyUwtzZoMTcRVfNfIIqSwROLdMYqqq70REjCu99ecjOW/Zm2XRsJ9KgGBB/SuiBdunLew==").unwrap(),
};
(txts, rrsig)
}
+ /// Note that the NSEC3 proofs here are for asdf., any other prefix may fail NSEC checks.
+ fn bitcoin_ninja_wildcard_record(pfx: &str) -> (Txt, RRSig, NSec3, RRSig) {
+ let name: Name = (pfx.to_owned() + ".wildcard_test.dnssec_proof_tests.bitcoin.ninja.").try_into().unwrap();
+ let txt_resp = Txt {
+ name: name.clone(),
+ data: "wildcard_test".to_owned().into_bytes(),
+ };
+ let txt_rrsig = RRSig {
+ name: name.clone(),
+ ty: Txt::TYPE, alg: 13, labels: 4, orig_ttl: 30, expiration: 1709950937,
+ inception: 1708735937, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("Y+grWXzbZfrcoHRZC9kfRzWp002jZzBDmpSQx6qbUgN0x3aH9kZIOVy0CtQH2vwmLUxoJ+RlezgunNI6LciBzQ==").unwrap(),
+ };
+ let nsec3 = NSec3 {
+ name: "s5sn15c8lcpo7v7f1p0ms6vlbdejt0kd.bitcoin.ninja.".try_into().unwrap(),
+ hash_algo: 1, flags: 0, hash_iterations: 0, salt: Vec::from_hex("059855BD1077A2EB").unwrap(),
+ next_name_hash: crate::base32::decode("T8QO5GO6M76HBR5Q6T3G6BDR79KBMDSA").unwrap(),
+ types: NSecTypeMask::from_types(&[AAAA::TYPE, RRSig::TYPE]),
+ };
+ let nsec3_rrsig = RRSig {
+ name: "s5sn15c8lcpo7v7f1p0ms6vlbdejt0kd.bitcoin.ninja.".try_into().unwrap(),
+ ty: NSec3::TYPE, alg: 13, labels: 3, orig_ttl: 60, expiration: 1710267741,
+ inception: 1709052741, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("Aiz6My3goWQuIIw/XNUo+kICsp9e4C5XUUs/0Ap+WIEFJsaN/MPGegiR/c5GUGdtHt1GdeP9CU3H1OGkN9MpWQ==").unwrap(),
+ };
+ (txt_resp, txt_rrsig, nsec3, nsec3_rrsig)
+ }
+
+ fn bitcoin_ninja_cname_wildcard_record() -> (CName, RRSig, Txt, RRSig, [(NSec3, RRSig); 3]) {
+ let cname_resp = CName {
+ name: "asdf.cname_wildcard_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ canonical_name: "cname.wildcard_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ };
+ let cname_rrsig = RRSig {
+ name: "asdf.cname_wildcard_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ ty: CName::TYPE, alg: 13, labels: 4, orig_ttl: 30, expiration: 1709950937,
+ inception: 1708735937, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("qR/zy8JyihI4qCAMwn7jGU6FARW/Hl8/u+cajef9raKs5aOxnZpCrp19Tot9qPG6px9PzqaghAIP1EmxfgxtRQ==").unwrap(),
+ };
+ let nsec3_a = NSec3 {
+ name: "2tn37cu4ulmlqqke9a3dc9g8bt8b4f6s.bitcoin.ninja.".try_into().unwrap(),
+ hash_algo: 1, flags: 0, hash_iterations: 0,
+ salt: Vec::from_hex("059855BD1077A2EB").unwrap(),
+ next_name_hash: crate::base32::decode("4OKFHSHS41D00EDL0HNPMT7R6IKMJ48H").unwrap(),
+ types: NSecTypeMask::from_types(&[DName::TYPE, RRSig::TYPE]),
+ };
+ let nsec3_a_rrsig = RRSig {
+ name: "2tn37cu4ulmlqqke9a3dc9g8bt8b4f6s.bitcoin.ninja.".try_into().unwrap(),
+ ty: NSec3::TYPE, alg: 13, labels: 3, orig_ttl: 60, expiration: 1710266541,
+ inception: 1709051541, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("tSsPsYIf1o5+piUZX9YwcWKSZgVQOB37TRdb+VL0PmcPaLpzFGJCwU0snn8tMN/BuILG+KZY+UPmAEZZFz4Fvg==").unwrap(),
+ };
+ let nsec3_b = NSec3 {
+ name: "cjqf7lfu6ev77k9m2o6iih56kbfnshin.bitcoin.ninja.".try_into().unwrap(),
+ hash_algo: 1, flags: 0, hash_iterations: 0,
+ salt: Vec::from_hex("059855BD1077A2EB").unwrap(),
+ next_name_hash: crate::base32::decode("DD3MT23L63OIHQPIMA5O2NULSVIGIJ3N").unwrap(),
+ types: NSecTypeMask::from_types(&[A::TYPE, AAAA::TYPE, RRSig::TYPE]),
+ };
+ let nsec3_b_rrsig = RRSig {
+ name: "cjqf7lfu6ev77k9m2o6iih56kbfnshin.bitcoin.ninja.".try_into().unwrap(),
+ ty: NSec3::TYPE, alg: 13, labels: 3, orig_ttl: 60, expiration: 1710238940,
+ inception: 1709023940, key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("CtYriOUI6RzoIG3SigHbBYiTkrEvmSEvP+aOLo1wylqkbBT2iG7pK8VNucKETqMZCROLnmRBw8DHK/8rosKYsA==").unwrap(),
+ };
+ let (txt_resp, txt_rrsig, nsec3_c, nsec3_c_rrsig) = bitcoin_ninja_wildcard_record("asdf");
+ (cname_resp, cname_rrsig, txt_resp, txt_rrsig,
+ [(nsec3_a, nsec3_a_rrsig), (nsec3_b, nsec3_b_rrsig), (nsec3_c, nsec3_c_rrsig)])
+ }
+
+ fn bitcoin_ninja_nsec_dnskey() -> (Vec<DnsKey>, Vec<RR>) {
+ let bitcoin_ninja_dnskeys = bitcoin_ninja_dnskey().0;
+ let mut bitcoin_ninja_ds = vec![DS {
+ name: "nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ key_tag: 8036, alg: 13, digest_type: 2,
+ digest: Vec::from_hex("8EC0DAE4501233979196EBED206212BCCC49E40E086EC2E56558EC1F6FB62715").unwrap(),
+ }];
+ let ds_rrsig = RRSig {
+ name: "nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ ty: DS::TYPE, alg: 13, labels: 4, orig_ttl: 30, expiration: 1710190967, inception: 1708975967,
+ key_tag: 37639, key_name: "bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("qUexI1yufru0lzkND4uY1r8bsXrXnMVNjPxTLbLauRo/+YW041w9wFu4sl2/cqq3psWvGcBVTltwIdjDJQUcZQ==").unwrap(),
+ };
+ verify_rrsig(&ds_rrsig, &bitcoin_ninja_dnskeys, bitcoin_ninja_ds.iter().collect()).unwrap();
+ let dnskeys = vec![DnsKey {
+ name: "nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(), flags: 257, protocol: 3, alg: 13,
+ pubkey: base64::decode("MUnIhm31ySIr9WXIBVQc38wlSHHvYaKIOFR8WYl4O9MJBlywWeUdx16oGinCe2FjjMkUkKn9kV5zzWhGmrdIbQ==").unwrap(),
+ }, DnsKey {
+ name: "nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(), flags: 256, protocol: 3, alg: 13,
+ pubkey: base64::decode("GGZP8k44sro2iTzWKFoHOnbvrAhNiQv+Ng2hr0WNyb24aA5rLYLFac3N7B82xRU2odd60utYJkmU0yA//zyOzw==").unwrap(),
+ }];
+ let dnskey_rrsig = RRSig {
+ name: "nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ ty: DnsKey::TYPE, alg: 13, labels: 4, orig_ttl: 604800, expiration: 1710190613, inception: 1708975613,
+ key_tag: 8036, key_name: "nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("nX+hkH14Kvjp26Z8x/pjYh5CQW3p9lZQQ+FVJcKHyfjAilEubpw6ihlPpb3Ddh9BbyxhCEFhXDMG2g4od9Y2ow==").unwrap(),
+ };
+ verify_dnskeys([&dnskey_rrsig], &bitcoin_ninja_ds, dnskeys.iter().collect()).unwrap();
+ let rrs = vec![bitcoin_ninja_ds.pop().unwrap().into(), ds_rrsig.into(),
+ dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
+ (dnskeys, rrs)
+ }
+
+ fn bitcoin_ninja_nsec_record() -> (Txt, RRSig) {
+ let txt_resp = Txt {
+ name: "a.nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ data: "txt_a".to_owned().into_bytes(),
+ };
+ let txt_rrsig = RRSig {
+ name: "a.nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ ty: Txt::TYPE, alg: 13, labels: 5, orig_ttl: 30, expiration: 1710201091, inception: 1708986091,
+ key_tag: 42215, key_name: "nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("rhDcZvSk4ngyDmMif3oBmoDMO1YoimRrvOp/ErlSaujN+OCMKocgWkssedQCx7hyLxwsFLvaaiNXCr/7ZaSe4Q==").unwrap(),
+ };
+ (txt_resp, txt_rrsig)
+ }
+
+ fn bitcoin_ninja_nsec_wildcard_record(pfx: &str) -> (Txt, RRSig, NSec, RRSig) {
+ let name: Name = (pfx.to_owned() + ".wildcard_test.nsec_tests.dnssec_proof_tests.bitcoin.ninja.").try_into().unwrap();
+ let txt_resp = Txt {
+ name: name.clone(),
+ data: "wildcard_test".to_owned().into_bytes(),
+ };
+ let txt_rrsig = RRSig {
+ name: name.clone(),
+ ty: Txt::TYPE, alg: 13, labels: 5, orig_ttl: 30, expiration: 1710190613, inception: 1708975613,
+ key_tag: 42215, key_name: "nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("E3+tEe5TxI8OSNP+LVHsOagjQ/9heD6a4ICYBgS8mkfRuqgFeXhz22n4f2LzssdXe1xzwayt7nROdHdqdfHDYg==").unwrap(),
+ };
+ let nsec = NSec {
+ name: "*.wildcard_test.nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ next_name: "override.wildcard_test.nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ types: NSecTypeMask::from_types(&[Txt::TYPE, RRSig::TYPE, NSec::TYPE]),
+ };
+ let nsec_rrsig = RRSig {
+ name: "*.wildcard_test.nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ ty: NSec::TYPE, alg: 13, labels: 5, orig_ttl: 60, expiration: 1710191561, inception: 1708976561,
+ key_tag: 42215, key_name: "nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("ZjQMw1dt1a61d4ls3pMkCnBiWRaMyAwn6UapRaYNtdA8cTbbqbhzJZCvc6ZBhZ90CzxCYR0h/eavowlF1j53Gg==").unwrap(),
+ };
+ (txt_resp, txt_rrsig, nsec, nsec_rrsig)
+ }
+
+ fn bitcoin_ninja_nsec_post_override_wildcard_record(pfx: &str) -> (Txt, RRSig, NSec, RRSig) {
+ let name: Name = (pfx.to_owned() + ".wildcard_test.nsec_tests.dnssec_proof_tests.bitcoin.ninja.").try_into().unwrap();
+ let txt_resp = Txt {
+ name: name.clone(),
+ data: "wildcard_test".to_owned().into_bytes(),
+ };
+ let txt_rrsig = RRSig {
+ name: name.clone(),
+ ty: Txt::TYPE, alg: 13, labels: 5, orig_ttl: 30, expiration: 1710190613, inception: 1708975613,
+ key_tag: 42215, key_name: "nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("E3+tEe5TxI8OSNP+LVHsOagjQ/9heD6a4ICYBgS8mkfRuqgFeXhz22n4f2LzssdXe1xzwayt7nROdHdqdfHDYg==").unwrap(),
+ };
+ let nsec = NSec {
+ name: "override.wildcard_test.nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ next_name: "nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ types: NSecTypeMask::from_types(&[Txt::TYPE, RRSig::TYPE, NSec::TYPE]),
+ };
+ let nsec_rrsig = RRSig {
+ name: "override.wildcard_test.nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ ty: NSec::TYPE, alg: 13, labels: 6, orig_ttl: 60, expiration: 1710201063, inception: 1708986063,
+ key_tag: 42215, key_name: "nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
+ signature: base64::decode("pBNXnNPR0fiGEtkm/0PlnDW830JWv8KgnyhnOit6wLHtiWoLhMiS48utji3FbTfelCnePjbLh/t7SF941O2QTA==").unwrap(),
+ };
+ (txt_resp, txt_rrsig, nsec, nsec_rrsig)
+ }
+
#[test]
fn check_txt_record_a() {
let dnskeys = mattcorallo_dnskey().0;
assert_eq!(txt.name.as_str(), "matt.user._bitcoin-payment.mattcorallo.com.");
assert_eq!(txt.data, b"bitcoin:?b12=lno1qsgqmqvgm96frzdg8m0gc6nzeqffvzsqzrxqy32afmr3jn9ggkwg3egfwch2hy0l6jut6vfd8vpsc3h89l6u3dm4q2d6nuamav3w27xvdmv3lpgklhg7l5teypqz9l53hj7zvuaenh34xqsz2sa967yzqkylfu9xtcd5ymcmfp32h083e805y7jfd236w9afhavqqvl8uyma7x77yun4ehe9pnhu2gekjguexmxpqjcr2j822xr7q34p078gzslf9wpwz5y57alxu99s0z2ql0kfqvwhzycqq45ehh58xnfpuek80hw6spvwrvttjrrq9pphh0dpydh06qqspp5uq4gpyt6n9mwexde44qv7lstzzq60nr40ff38u27un6y53aypmx0p4qruk2tf9mjwqlhxak4znvna5y");
} else { panic!(); }
- assert_eq!(verified_rrs.valid_from, 1707667200); // The com. DS RRSig was created last
- assert_eq!(verified_rrs.expires, 1707976967); // The mattcorallo.com DS RRSig expires first
+ assert_eq!(verified_rrs.valid_from, 1709047250); // The mattcorallo.com. DNSKEY RRSig was created last
+ assert_eq!(verified_rrs.expires, 1709359258); // The mattcorallo.com. DS RRSig expires first
assert_eq!(verified_rrs.max_cache_ttl, 3600); // The TXT record had the shortest TTL
}
#[test]
fn check_wildcard_record() {
+ // Wildcard proof works for any name, even multiple names
let dnskeys = bitcoin_ninja_dnskey().0;
- let (txt, txt_rrsig) = bitcoin_ninja_wildcard_record();
+ let (txt, txt_rrsig, _, _) = bitcoin_ninja_wildcard_record("name");
+ let txt_resp = [txt];
+ verify_rrsig(&txt_rrsig, &dnskeys, txt_resp.iter().collect()).unwrap();
+
+ let (txt, txt_rrsig, _, _) = bitcoin_ninja_wildcard_record("anoter_name");
+ let txt_resp = [txt];
+ verify_rrsig(&txt_rrsig, &dnskeys, txt_resp.iter().collect()).unwrap();
+
+ let (txt, txt_rrsig, _, _) = bitcoin_ninja_wildcard_record("multiple.names");
let txt_resp = [txt];
verify_rrsig(&txt_rrsig, &dnskeys, txt_resp.iter().collect()).unwrap();
}
for rr in root_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
for rr in ninja_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
for rr in bitcoin_ninja_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
- let (cname, cname_rrsig, txt, txt_rrsig) = bitcoin_ninja_cname_wildcard_record();
+ let (cname, cname_rrsig, txt, txt_rrsig, nsec3s) = bitcoin_ninja_cname_wildcard_record();
for rr in [RR::CName(cname), RR::RRSig(cname_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
+ for (rra, rrb) in nsec3s { write_rr(&rra, 1, &mut rr_stream); write_rr(&rrb, 1, &mut rr_stream); }
let mut rrs = parse_rr_stream(&rr_stream).unwrap();
rrs.shuffle(&mut rand::rngs::OsRng);
verified_rrs.verified_rrs.sort();
assert_eq!(verified_rrs.verified_rrs.len(), 2);
if let RR::Txt(txt) = &verified_rrs.verified_rrs[0] {
- assert_eq!(txt.name.as_str(), "cname.wildcard_test.dnssec_proof_tests.bitcoin.ninja.");
+ assert_eq!(txt.name.as_str(), "asdf.wildcard_test.dnssec_proof_tests.bitcoin.ninja.");
assert_eq!(txt.data, b"wildcard_test");
} else { panic!(); }
if let RR::CName(cname) = &verified_rrs.verified_rrs[1] {
- assert_eq!(cname.name.as_str(), "test.cname_wildcard_test.dnssec_proof_tests.bitcoin.ninja.");
+ assert_eq!(cname.name.as_str(), "asdf.cname_wildcard_test.dnssec_proof_tests.bitcoin.ninja.");
assert_eq!(cname.canonical_name.as_str(), "cname.wildcard_test.dnssec_proof_tests.bitcoin.ninja.");
} else { panic!(); }
let filtered_rrs =
- verified_rrs.resolve_name(&"test.cname_wildcard_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap());
+ verified_rrs.resolve_name(&"asdf.wildcard_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap());
assert_eq!(filtered_rrs.len(), 1);
if let RR::Txt(txt) = &filtered_rrs[0] {
- assert_eq!(txt.name.as_str(), "cname.wildcard_test.dnssec_proof_tests.bitcoin.ninja.");
+ assert_eq!(txt.name.as_str(), "asdf.wildcard_test.dnssec_proof_tests.bitcoin.ninja.");
assert_eq!(txt.data, b"wildcard_test");
} else { panic!(); }
}
+ #[test]
+ fn check_simple_nsec_zone_proof() {
+ let mut rr_stream = Vec::new();
+ for rr in root_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ for rr in ninja_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ for rr in bitcoin_ninja_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ for rr in bitcoin_ninja_nsec_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ let (txt, txt_rrsig) = bitcoin_ninja_nsec_record();
+ for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
+
+ let mut rrs = parse_rr_stream(&rr_stream).unwrap();
+ rrs.shuffle(&mut rand::rngs::OsRng);
+ let verified_rrs = verify_rr_stream(&rrs).unwrap();
+ let filtered_rrs =
+ verified_rrs.resolve_name(&"a.nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap());
+ assert_eq!(filtered_rrs.len(), 1);
+ if let RR::Txt(txt) = &filtered_rrs[0] {
+ assert_eq!(txt.name.as_str(), "a.nsec_tests.dnssec_proof_tests.bitcoin.ninja.");
+ assert_eq!(txt.data, b"txt_a");
+ } else { panic!(); }
+ }
+
+ #[test]
+ fn check_nsec_wildcard_proof() {
+ let check_proof = |pfx: &str, post_override: bool| -> Result<(), ()> {
+ let mut rr_stream = Vec::new();
+ for rr in root_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ for rr in ninja_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ for rr in bitcoin_ninja_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ for rr in bitcoin_ninja_nsec_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ let (txt, txt_rrsig, nsec, nsec_rrsig) = if post_override {
+ bitcoin_ninja_nsec_post_override_wildcard_record(pfx)
+ } else {
+ bitcoin_ninja_nsec_wildcard_record(pfx)
+ };
+ for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
+ for rr in [RR::NSec(nsec), RR::RRSig(nsec_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
+
+ let mut rrs = parse_rr_stream(&rr_stream).unwrap();
+ rrs.shuffle(&mut rand::rngs::OsRng);
+ // If the post_override flag is wrong (or the pfx is override), this will fail. No
+ // other calls in this lambda should fail.
+ let verified_rrs = verify_rr_stream(&rrs).map_err(|_| ())?;
+ let name: Name =
+ (pfx.to_owned() + ".wildcard_test.nsec_tests.dnssec_proof_tests.bitcoin.ninja.").try_into().unwrap();
+ let filtered_rrs = verified_rrs.resolve_name(&name);
+ assert_eq!(filtered_rrs.len(), 1);
+ if let RR::Txt(txt) = &filtered_rrs[0] {
+ assert_eq!(txt.name, name);
+ assert_eq!(txt.data, b"wildcard_test");
+ } else { panic!(); }
+ Ok(())
+ };
+ // Records up to override will only work with the pre-override NSEC, and afterwards with
+ // the post-override NSEC. The literal override will always fail.
+ check_proof("a", false).unwrap();
+ check_proof("a", true).unwrap_err();
+ check_proof("a.b", false).unwrap();
+ check_proof("a.b", true).unwrap_err();
+ check_proof("o", false).unwrap();
+ check_proof("o", true).unwrap_err();
+ check_proof("a.o", false).unwrap();
+ check_proof("a.o", true).unwrap_err();
+ check_proof("override", false).unwrap_err();
+ check_proof("override", true).unwrap_err();
+ // Subdomains of override are also overridden by the override TXT entry and cannot use the
+ // wildcard record.
+ check_proof("b.override", false).unwrap_err();
+ check_proof("b.override", true).unwrap_err();
+ check_proof("z", false).unwrap_err();
+ check_proof("z", true).unwrap_err();
+ check_proof("a.z", false).unwrap_err();
+ check_proof("a.z", true).unwrap_err();
+ }
+
#[test]
fn check_txt_sort_order() {
let mut rr_stream = Vec::new();
projects / dnssec-prover / blobdiff