Dnssec #429
Dnssec #429
Conversation
dnssec-backend.go
Outdated
| MsgHdr: dns.MsgHdr{ | ||
| RecursionDesired: true, | ||
| }, |
There was a problem hiding this comment.
Technically you don't need this as SetQuestion() below does it already (see https://github.com/miekg/dns/blob/v1.1.63/defaults.go#L35).
| return err | ||
| } | ||
|
|
||
| for _, rr := range signedZone.Dnskey.RrSet { |
There was a problem hiding this comment.
getRRSet() can return nil, nil which would trigger a panic here
dnssec-backend.go
Outdated
| } | ||
|
|
||
| func extractRRset(r *dns.Msg) (*RRSet, error) { | ||
| result := &RRSet{RrSet: make([]dns.RR, 0)} |
There was a problem hiding this comment.
| result := &RRSet{RrSet: make([]dns.RR, 0)} | |
| result := &RRSet{} |
No need to initialize an empty list, you can read from and append to a nil list.
dnssec-backend.go
Outdated
| return nil, ErrNoResult | ||
| } | ||
| if r == nil || r.Rcode == dns.RcodeSuccess { | ||
| return r, err |
There was a problem hiding this comment.
| return r, err | |
| return r, nil |
err has already been checked and must be nil here.
dnssec-backend.go
Outdated
| defer func() { | ||
| if r := recover(); r != nil { | ||
| Log.Warn("panic occurred", | ||
| slog.String("domainName", domainName), | ||
| slog.Any("panic", r), | ||
| ) | ||
| } | ||
| }() |
There was a problem hiding this comment.
Do we really need this? Seems more like we don't trust our own code to handle all nil pointers correctly.
dnssec-backend.go
Outdated
| Log.Error("DS query failed", | ||
| slog.String("domainName", domainName), | ||
| "error", err, | ||
| ) | ||
|
|
||
| return err |
There was a problem hiding this comment.
Rather than logging from within, might be better to extend the error and pass it back to the caller to handle. Something like
return fmt.Errorf("DS query failed for %q: %w", domainName, err)
dnssec-backend.go
Outdated
| if err := g.Wait(); err != nil { | ||
| return err | ||
| } | ||
| return nil |
There was a problem hiding this comment.
| if err := g.Wait(); err != nil { | |
| return err | |
| } | |
| return nil | |
| return g.Wait() |
dnssec-backend.go
Outdated
| defer func() { | ||
| if err := recover(); err != nil { | ||
| Log.Error("AuthChain panic occurred", "error", err) | ||
| } | ||
| }() |
There was a problem hiding this comment.
Again, there should be a better way to deal with panics, i.e. avoid them at all.
This is to start the process of integrating a DNSSEC validator to routedns.
This implementation is inspired by uw-ictd/DNSSEC-Validator and peterzen/goresolver, but adds concurrency and is adapted to work with the other routedns modules.
Currently, only validated DNS responses are forwarded. DNS responses that are not singed or have an invalid signature are dropped.
Example config file: