diff options
Diffstat (limited to 'vendor/github.com/miekg/dns/nsecx.go')
-rw-r--r-- | vendor/github.com/miekg/dns/nsecx.go | 74 |
1 files changed, 31 insertions, 43 deletions
diff --git a/vendor/github.com/miekg/dns/nsecx.go b/vendor/github.com/miekg/dns/nsecx.go index 51ce7f8b1..9b908c447 100644 --- a/vendor/github.com/miekg/dns/nsecx.go +++ b/vendor/github.com/miekg/dns/nsecx.go @@ -48,62 +48,50 @@ func HashName(label string, ha uint8, iter uint16, salt string) string { return toBase32(nsec3) } -// Denialer is an interface that should be implemented by types that are used to denial -// answers in DNSSEC. -type Denialer interface { - // Cover will check if the (unhashed) name is being covered by this NSEC or NSEC3. - Cover(name string) bool - // Match will check if the ownername matches the (unhashed) name for this NSEC3 or NSEC3. - Match(name string) bool -} - -// Cover implements the Denialer interface. -func (rr *NSEC) Cover(name string) bool { - return true -} - -// Match implements the Denialer interface. -func (rr *NSEC) Match(name string) bool { - return true -} - -// Cover implements the Denialer interface. +// Cover returns true if a name is covered by the NSEC3 record func (rr *NSEC3) Cover(name string) bool { - // FIXME(miek): check if the zones match - // FIXME(miek): check if we're not dealing with parent nsec3 - hname := HashName(name, rr.Hash, rr.Iterations, rr.Salt) - labels := Split(rr.Hdr.Name) - if len(labels) < 2 { + nameHash := HashName(name, rr.Hash, rr.Iterations, rr.Salt) + owner := strings.ToUpper(rr.Hdr.Name) + labelIndices := Split(owner) + if len(labelIndices) < 2 { return false } - hash := strings.ToUpper(rr.Hdr.Name[labels[0] : labels[1]-1]) // -1 to remove the dot - if hash == rr.NextDomain { - return false // empty interval - } - if hash > rr.NextDomain { // last name, points to apex - // hname > hash - // hname > rr.NextDomain - // TODO(miek) + ownerHash := owner[:labelIndices[1]-1] + ownerZone := owner[labelIndices[1]:] + if !IsSubDomain(ownerZone, strings.ToUpper(name)) { // name is outside owner zone + return false } - if hname <= hash { + + nextHash := rr.NextDomain + if ownerHash == nextHash { // empty interval return false } - if hname >= rr.NextDomain { + if ownerHash > nextHash { // end of zone + if nameHash > ownerHash { // covered since there is nothing after ownerHash + return true + } + return nameHash < nextHash // if nameHash is before beginning of zone it is covered + } + if nameHash < ownerHash { // nameHash is before ownerHash, not covered return false } - return true + return nameHash < nextHash // if nameHash is before nextHash is it covered (between ownerHash and nextHash) } -// Match implements the Denialer interface. +// Match returns true if a name matches the NSEC3 record func (rr *NSEC3) Match(name string) bool { - // FIXME(miek): Check if we are in the same zone - hname := HashName(name, rr.Hash, rr.Iterations, rr.Salt) - labels := Split(rr.Hdr.Name) - if len(labels) < 2 { + nameHash := HashName(name, rr.Hash, rr.Iterations, rr.Salt) + owner := strings.ToUpper(rr.Hdr.Name) + labelIndices := Split(owner) + if len(labelIndices) < 2 { + return false + } + ownerHash := owner[:labelIndices[1]-1] + ownerZone := owner[labelIndices[1]:] + if !IsSubDomain(ownerZone, strings.ToUpper(name)) { // name is outside owner zone return false } - hash := strings.ToUpper(rr.Hdr.Name[labels[0] : labels[1]-1]) // -1 to remove the . - if hash == hname { + if ownerHash == nameHash { return true } return false |