BIND 9.8.0 Patch for `dig' to support TLSA RRtype [DANE]
Jan-Piet Mens
jpmens.dns at gmail.com
Wed Apr 13 20:56:45 UTC 2011
Hello,
the attached patches are probably a bit naive, but they appear to work
here, at least with `dig'. They (hopefully) add support for the TLSA
RRtype (65468) as foreseen in the DANE draft [1] and used in [2].
What I basically did was to "copy" the definitions for the DLV record
and adjust accordingly as far as I understand the code (there are most
likely incorrect bits left over from DLV copy in tlsa_65468.c).
The result looks like this:
$ dig _443._tcp.www.xelerance.com tlsa
;; ANSWER SECTION:
_443._tcp.www.xelerance.com. 3282 IN TLSA 1 1 30102FA54AE5CD5852D0CFAF1FE5F467C547D766A13410079BB2B013 19B702B9
Hope it helps. :)
Kind regards,
-JP
[1]: https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/
[2]: http://www.ietf.org/mail-archive/web/dane/current/msg02402.html
-------------- next part --------------
*** bind-9.8.0/lib/dns/code.h.original Wed Apr 13 22:02:23 2011
--- bind-9.8.0/lib/dns/code.h Wed Apr 13 22:40:57 2011
***************
*** 87,92 ****
--- 87,93 ----
#include "rdata/generic/tkey_249.c"
#include "rdata/any_255/tsig_250.c"
#include "rdata/generic/dlv_32769.c"
+ #include "rdata/generic/tlsa_65468.c"
#include "rdata/generic/keydata_65533.c"
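Review bot: code.h is, as far as I recall, generated at build time by lib/dns/gen from the files under rdata/, keyed on the `name_number.c` filename, so these hand-inserted `case 65468:` lines are discarded the next time code.h is rebuilt and should not be needed once tlsa_65468.c is in place; worth confirming against lib/dns/Makefile.in before submitting. If the patch must carry code.h anyway, note that 65468 is a private-use code point and the number is repeated in every switch here and in every `REQUIRE(type == 65468)` in the new file, so a later IANA assignment touches all of them. A one-line comment next to the include, `/* 65468: private-use code point per the DANE draft; replace when IANA assigns TLSA */`, would make that visible to whoever does the renumbering.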
***************
*** 200,205 ****
--- 201,207 ----
} \
break; \
case 32769: result = fromtext_dlv(rdclass, type, lexer, origin, options, target, callbacks); break; \
+ case 65468: result = fromtext_tlsa(rdclass, type, lexer, origin, options, target, callbacks); break; \
case 65533: result = fromtext_keydata(rdclass, type, lexer, origin, options, target, callbacks); break; \
default: result = DNS_R_UNKNOWN; break; \
}
***************
*** 313,318 ****
--- 315,321 ----
} \
break; \
case 32769: result = totext_dlv(rdata, tctx, target); break; \
+ case 65468: result = totext_tlsa(rdata, tctx, target); break; \
case 65533: result = totext_keydata(rdata, tctx, target); break; \
default: use_default = ISC_TRUE; break; \
}
***************
*** 426,431 ****
--- 429,435 ----
} \
break; \
case 32769: result = fromwire_dlv(rdclass, type, source, dctx, options, target); break; \
+ case 65468: result = fromwire_tlsa(rdclass, type, source, dctx, options, target); break; \
case 65533: result = fromwire_keydata(rdclass, type, source, dctx, options, target); break; \
default: use_default = ISC_TRUE; break; \
}
***************
*** 539,544 ****
--- 543,549 ----
} \
break; \
case 32769: result = towire_dlv(rdata, cctx, target); break; \
+ case 65468: result = towire_tlsa(rdata, cctx, target); break; \
case 65533: result = towire_keydata(rdata, cctx, target); break; \
default: use_default = ISC_TRUE; break; \
}
***************
*** 652,657 ****
--- 657,663 ----
} \
break; \
case 32769: result = compare_dlv(rdata1, rdata2); break; \
+ case 65468: result = compare_tlsa(rdata1, rdata2); break; \
case 65533: result = compare_keydata(rdata1, rdata2); break; \
default: use_default = ISC_TRUE; break; \
}
***************
*** 765,770 ****
--- 771,777 ----
} \
break; \
case 32769: result = casecompare_dlv(rdata1, rdata2); break; \
+ case 65468: result = casecompare_tlsa(rdata1, rdata2); break; \
case 65533: result = casecompare_keydata(rdata1, rdata2); break; \
default: use_default = ISC_TRUE; break; \
}
***************
*** 878,883 ****
--- 885,891 ----
} \
break; \
case 32769: result = fromstruct_dlv(rdclass, type, source, target); break; \
+ case 65468: result = fromstruct_tlsa(rdclass, type, source, target); break; \
case 65533: result = fromstruct_keydata(rdclass, type, source, target); break; \
default: use_default = ISC_TRUE; break; \
}
***************
*** 991,996 ****
--- 999,1005 ----
} \
break; \
case 32769: result = tostruct_dlv(rdata, target, mctx); break; \
+ case 65468: result = tostruct_tlsa(rdata, target, mctx); break; \
case 65533: result = tostruct_keydata(rdata, target, mctx); break; \
default: use_default = ISC_TRUE; break; \
}
***************
*** 1104,1109 ****
--- 1113,1119 ----
} \
break; \
case 32769: freestruct_dlv(source); break; \
+ case 65468: freestruct_tlsa(source); break; \
case 65533: freestruct_keydata(source); break; \
default: break; \
}
***************
*** 1217,1222 ****
--- 1227,1233 ----
} \
break; \
case 32769: result = additionaldata_dlv(rdata, add, arg); break; \
+ case 65468: result = additionaldata_tlsa(rdata, add, arg); break; \
case 65533: result = additionaldata_keydata(rdata, add, arg); break; \
default: use_default = ISC_TRUE; break; \
}
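Review bot: There is no hunk adding a `case 65468:` to the digest switch that sits between this hunk and the checkowner one, even though tlsa_65468.c defines digest_tlsa. If that switch's default path digests the raw rdata region the way digest_tlsa does, this is only an inconsistency (digest_tlsa becomes an unreferenced function); otherwise DNSSEC signing and validation of TLSA RRsets would go through the wrong path, so please check which and either add `case 65468: result = digest_tlsa(rdata, digest, arg); break;` or drop digest_tlsa.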
***************
*** 1443,1448 ****
--- 1454,1460 ----
} \
break; \
case 32769: result = checkowner_dlv(name, rdclass, type, wildcard); break; \
+ case 65468: result = checkowner_tlsa(name, rdclass, type, wildcard); break; \
case 65533: result = checkowner_keydata(name, rdclass, type, wildcard); break; \
default: result = ISC_TRUE; break; \
}
***************
*** 1556,1561 ****
--- 1568,1574 ----
} \
break; \
case 32769: result = checknames_dlv(rdata, owner, bad); break; \
+ case 65468: result = checknames_tlsa(rdata, owner, bad); break; \
case 65533: result = checknames_keydata(rdata, owner, bad); break; \
default: result = ISC_TRUE; break; \
}
***************
*** 1747,1752 ****
--- 1760,1768 ----
RDATATYPE_COMPARE("maila", 254, _typename, _length, _typep); \
RDATATYPE_COMPARE("keydata", 65533, _typename, _length, _typep); \
break; \
+ case 120: \
+ RDATATYPE_COMPARE("tlsa", 65468, _typename, _length, _typep); \
+ break; \
case 68: \
RDATATYPE_COMPARE("any", 255, _typename, _length, _typep); \
break; \
***************
*** 1818,1823 ****
--- 1834,1840 ----
case 254: return (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_QUESTIONONLY); \
case 255: return (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_QUESTIONONLY); \
case 32769: return (RRTYPE_DLV_ATTRIBUTES); \
+ case 65468: return (RRTYPE_TLSA_ATTRIBUTES); \
case 65533: return (RRTYPE_KEYDATA_ATTRIBUTES); \
}
#define RDATATYPE_TOTEXT_SW \
***************
*** 1887,1892 ****
--- 1904,1910 ----
case 254: return (str_totext("MAILA", target)); \
case 255: return (str_totext("ANY", target)); \
case 32769: return (str_totext("DLV", target)); \
+ case 65468: return (str_totext("TLSA", target)); \
case 65533: return (str_totext("KEYDATA", target)); \
}
#endif /* DNS_CODE_H */
-------------- next part --------------
*** /dev/null Wed Apr 13 22:40:41 2011
--- bind-9.8.0/lib/dns/rdata/generic/tlsa_65468.h Wed Apr 13 22:23:53 2011
***************
*** 0 ****
--- 1,34 ----
+ /*
+ * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+ /* $Id: tlsa_65468.h,v 1.5 2007-06-19 23:47:17 tbox Exp $ */
+
+ /* draft-ietf-dnsext-delegation-signer-05.txt */
+ #ifndef GENERIC_TLSA_65468_H
+ #define GENERIC_TLSA_65468_H 1
+
+ /* https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/?include_text=1 */
+
+ typedef struct dns_rdata_tlsa {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint8_t cert_type;
+ isc_uint8_t hash_type;
+ isc_uint16_t length;
+ unsigned char *digest;
+ } dns_rdata_tlsa_t;
+
+ #endif
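Review bot: The header still carries the DLV copy's leftovers, the `$Id: tlsa_65468.h,v 1.5 2007-...` line and the `/* draft-ietf-dnsext-delegation-signer-05.txt */` comment above the guard, which will mislead the next reader into thinking the DS draft governs this layout; drop both and keep only the DANE draft URL that is already there. The struct fields deserve a line each, e.g. `isc_uint8_t cert_type; /* TLSA certificate type (first rdata byte) */` and `isc_uint8_t hash_type; /* TLSA hash type (second rdata byte); not a DS digest type */`, since the accompanying .c file currently treats hash_type as if it were a DS digest type. A note that `digest` is owned by the struct and freed via `mctx` in freestruct_tlsa would also help.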
-------------- next part --------------
*** /dev/null Wed Apr 13 22:40:41 2011
--- bind-9.8.0/lib/dns/rdata/generic/tlsa_65468.c Wed Apr 13 22:23:39 2011
***************
*** 0 ****
--- 1,322 ----
+ /*
+ * Copyright (C) 2004, 2006, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+ /* $Id: tlsa_65468.c,v 1.10 2010-12-23 23:47:08 tbox Exp $ */
+
+ /* draft-ietf-dnsext-delegation-signer-05.txt */
+
+ #ifndef RDATA_GENERIC_TLSA_65468_C
+ #define RDATA_GENERIC_TLSA_65468_C
+
+ #define RRTYPE_TLSA_ATTRIBUTES 0
+
+ #include <isc/sha1.h>
+ #include <isc/sha2.h>
+
+ #include <dns/ds.h>
+ #include <rdata/generic/tlsa_65468.h>
+
+
+ static inline isc_result_t
+ fromtext_tlsa(ARGS_FROMTEXT) {
+ isc_token_t token;
+ unsigned char c;
+ int length;
+
+ REQUIRE(type == 65468);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ /*
+ * Certificate type.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Hash type.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint8_tobuffer(token.value.as_ulong, target));
+ c = (unsigned char) token.value.as_ulong;
+
+ /*
+ * Digest.
+ */
+ switch (c) {
+ case DNS_DSDIGEST_SHA1:
+ length = ISC_SHA1_DIGESTLENGTH;
+ break;
+ case DNS_DSDIGEST_SHA256:
+ length = ISC_SHA256_DIGESTLENGTH;
+ break;
+ case DNS_DSDIGEST_GOST:
+ length = ISC_GOST_DIGESTLENGTH;
+ break;
+ default:
+ length = -1;
+ break;
+ }
+ return (isc_hex_tobuffer(lexer, target, -1));
+ }
+
+ static inline isc_result_t
+ totext_tlsa(ARGS_TOTEXT) {
+ isc_region_t sr;
+ char buf[sizeof("64000 ")];
+ unsigned int n;
+
+ REQUIRE(rdata->type == 65468);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(tctx);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Cert type
+ */
+ n = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+ sprintf(buf, "%u ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Hash type type.
+ */
+ n = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+ sprintf(buf, "%u", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Digest.
+ */
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" )", target));
+ return (ISC_R_SUCCESS);
+ }
+
+ static inline isc_result_t
+ fromwire_tlsa(ARGS_FROMWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(type == 65468);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+
+ /*
+ * Check digest lengths if we know them.
+ */
+ if (sr.length < 4 ||
+ (sr.base[3] == DNS_DSDIGEST_SHA1 &&
+ sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
+ (sr.base[3] == DNS_DSDIGEST_SHA256 &&
+ sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
+ (sr.base[3] == DNS_DSDIGEST_GOST &&
+ sr.length < 4 + ISC_GOST_DIGESTLENGTH))
+ return (ISC_R_UNEXPECTEDEND);
+
+ /*
+ * Only copy digest lengths if we know them.
+ * If there is extra data dns_rdata_fromwire() will
+ * detect that.
+ */
+ if (sr.base[3] == DNS_DSDIGEST_SHA1)
+ sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
+ else if (sr.base[3] == DNS_DSDIGEST_SHA256)
+ sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
+ else if (sr.base[3] == DNS_DSDIGEST_GOST)
+ sr.length = 4 + ISC_GOST_DIGESTLENGTH;
+
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+ }
+
+ static inline isc_result_t
+ towire_tlsa(ARGS_TOWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 65468);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(cctx);
+
+ dns_rdata_toregion(rdata, &sr);
+ return (mem_tobuffer(target, sr.base, sr.length));
+ }
+
+ static inline int
+ compare_tlsa(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 65468);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+ }
+
+ static inline isc_result_t
+ fromstruct_tlsa(ARGS_FROMSTRUCT) {
+ dns_rdata_tlsa_t *tlsa = source;
+
+ REQUIRE(type == 65468);
+ REQUIRE(source != NULL);
+ REQUIRE(tlsa->common.rdtype == type);
+ REQUIRE(tlsa->common.rdclass == rdclass);
+ switch (tlsa->hash_type) {
+ case DNS_DSDIGEST_SHA1:
+ REQUIRE(tlsa->length == ISC_SHA1_DIGESTLENGTH);
+ break;
+ case DNS_DSDIGEST_SHA256:
+ REQUIRE(tlsa->length == ISC_SHA256_DIGESTLENGTH);
+ break;
+ case DNS_DSDIGEST_GOST:
+ REQUIRE(tlsa->length == ISC_GOST_DIGESTLENGTH);
+ break;
+ }
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint8_tobuffer(tlsa->cert_type, target));
+ RETERR(uint8_tobuffer(tlsa->hash_type, target));
+
+ return (mem_tobuffer(target, tlsa->digest, tlsa->length));
+ }
+
+ static inline isc_result_t
+ tostruct_tlsa(ARGS_TOSTRUCT) {
+ dns_rdata_tlsa_t *tlsa = target;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 65468);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ tlsa->common.rdclass = rdata->rdclass;
+ tlsa->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&tlsa->common, link);
+
+ dns_rdata_toregion(rdata, ®ion);
+
+ tlsa->cert_type = uint8_fromregion(®ion);
+ isc_region_consume(®ion, 1);
+ tlsa->hash_type = uint8_fromregion(®ion);
+ isc_region_consume(®ion, 1);
+ tlsa->length = region.length;
+
+ tlsa->digest = mem_maybedup(mctx, region.base, region.length);
+ if (tlsa->digest == NULL)
+ return (ISC_R_NOMEMORY);
+
+ tlsa->mctx = mctx;
+ return (ISC_R_SUCCESS);
+ }
+
+ static inline void
+ freestruct_tlsa(ARGS_FREESTRUCT) {
+ dns_rdata_tlsa_t *tlsa = source;
+
+ REQUIRE(tlsa != NULL);
+ REQUIRE(tlsa->common.rdtype == 65468);
+
+ if (tlsa->mctx == NULL)
+ return;
+
+ if (tlsa->digest != NULL)
+ isc_mem_free(tlsa->mctx, tlsa->digest);
+ tlsa->mctx = NULL;
+ }
+
+ static inline isc_result_t
+ additionaldata_tlsa(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 65468);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+ }
+
+ static inline isc_result_t
+ digest_tlsa(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 65468);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+ }
+
+ static inline isc_boolean_t
+ checkowner_tlsa(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 65468);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+ }
+
+ static inline isc_boolean_t
+ checknames_tlsa(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 65468);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+ }
+
+ static inline int
+ casecompare_tlsa(ARGS_COMPARE) {
+ return (compare_tlsa(rdata1, rdata2));
+ }
+
+ #endif /* RDATA_GENERIC_TLSA_65468_C */
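Review bot: fromwire_tlsa still has the DLV wire layout baked in: it reads the hash type from `sr.base[3]` and demands `4 + digest` bytes, while tostruct_tlsa and totext_tlsa in the same file consume a 2-byte header (cert_type, hash_type) followed by the digest, so the byte being tested is actually the second byte of the digest, and whenever that byte happens to equal one of the DNS_DSDIGEST_* values a valid record is truncated to the DS length and then rejected as short or as trailing data (on the order of a few records in 256 for random digests). The DNS_DSDIGEST_* table does not describe TLSA hash types at all: the mail's own example is hash type 1 with a 32-byte digest, which that table reads as 20-byte SHA-1, so the `REQUIRE(tlsa->length == ISC_SHA1_DIGESTLENGTH)` in fromstruct_tlsa would abort the process for such a struct (REQUIRE is fatal), and the same switch in fromtext_tlsa is dead code because `-1` is passed to isc_hex_tobuffer regardless. I would remove the DS-derived length logic from all three functions and check only the fixed header on the wire, as below, leaving per-hash-type length checks until the draft's table is implemented with its own constants. The `delegation-signer-05` comment and the DLV `$Id` line at the top are leftovers as well.
```c
static inline isc_result_t
fromwire_tlsa(ARGS_FROMWIRE) {
	/* … unchanged: declarations, REQUIRE and UNUSED lines … */
	isc_buffer_activeregion(source, &sr);

	/*
	 * Rdata is cert_type (1 byte), hash_type (1 byte), then the
	 * digest.  The DS digest-type table does not apply to TLSA and
	 * fromtext_tlsa accepts any digest length, so only the fixed
	 * header is checked here; dns_rdata_fromwire copies the rest.
	 */
	if (sr.length < 2)
		return (ISC_R_UNEXPECTEDEND);

	isc_buffer_forward(source, sr.length);
	return (mem_tobuffer(target, sr.base, sr.length));
}
```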