BIND 9.8.0 Patch for `dig' to support TLSA RRtype [DANE]

Jan-Piet Mens jpmens.dns at gmail.com
Wed Apr 13 20:56:45 UTC 2011


Hello,

the attached patches are probably a bit naive, but they appear to work
here, at least with `dig'. They (hopefully) add support for the TLSA
RRtype (65468) as foreseen in the DANE draft [1] and used in [2].

What I basically did was to "copy" the definitions for the DLV record
and adjust accordingly as far as I understand the code (there are most
likely incorrect bits left over from DLV copy in tlsa_65468.c).

The result looks like this:

$ dig _443._tcp.www.xelerance.com tlsa
;; ANSWER SECTION:
_443._tcp.www.xelerance.com. 3282 IN    TLSA    1 1 30102FA54AE5CD5852D0CFAF1FE5F467C547D766A13410079BB2B013 19B702B9

Hope it helps. :)

Kind regards,

        -JP


[1]: https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/
[2]: http://www.ietf.org/mail-archive/web/dane/current/msg02402.html
-------------- next part --------------
*** bind-9.8.0/lib/dns/code.h.original	Wed Apr 13 22:02:23 2011
--- bind-9.8.0/lib/dns/code.h	Wed Apr 13 22:40:57 2011
***************
*** 87,92 ****
--- 87,93 ----
  #include "rdata/generic/tkey_249.c"
  #include "rdata/any_255/tsig_250.c"
  #include "rdata/generic/dlv_32769.c"
+ #include "rdata/generic/tlsa_65468.c"
  #include "rdata/generic/keydata_65533.c"
  
  
***************
*** 200,205 ****
--- 201,207 ----
  		} \
  		break; \
  	case 32769: result = fromtext_dlv(rdclass, type, lexer, origin, options, target, callbacks); break; \
+ 	case 65468: result = fromtext_tlsa(rdclass, type, lexer, origin, options, target, callbacks); break; \
  	case 65533: result = fromtext_keydata(rdclass, type, lexer, origin, options, target, callbacks); break; \
  	default: result = DNS_R_UNKNOWN; break; \
  	}
***************
*** 313,318 ****
--- 315,321 ----
  		} \
  		break; \
  	case 32769: result = totext_dlv(rdata, tctx, target); break; \
+ 	case 65468: result = totext_tlsa(rdata, tctx, target); break; \
  	case 65533: result = totext_keydata(rdata, tctx, target); break; \
  	default: use_default = ISC_TRUE; break; \
  	}
***************
*** 426,431 ****
--- 429,435 ----
  		} \
  		break; \
  	case 32769: result = fromwire_dlv(rdclass, type, source, dctx, options, target); break; \
+ 	case 65468: result = fromwire_tlsa(rdclass, type, source, dctx, options, target); break; \
  	case 65533: result = fromwire_keydata(rdclass, type, source, dctx, options, target); break; \
  	default: use_default = ISC_TRUE; break; \
  	}
***************
*** 539,544 ****
--- 543,549 ----
  		} \
  		break; \
  	case 32769: result = towire_dlv(rdata, cctx, target); break; \
+ 	case 65468: result = towire_tlsa(rdata, cctx, target); break; \
  	case 65533: result = towire_keydata(rdata, cctx, target); break; \
  	default: use_default = ISC_TRUE; break; \
  	}
***************
*** 652,657 ****
--- 657,663 ----
  		} \
  		break; \
  	case 32769: result = compare_dlv(rdata1, rdata2); break; \
+ 	case 65468: result = compare_tlsa(rdata1, rdata2); break; \
  	case 65533: result = compare_keydata(rdata1, rdata2); break; \
  	default: use_default = ISC_TRUE; break; \
  	}
***************
*** 765,770 ****
--- 771,777 ----
  		} \
  		break; \
  	case 32769: result = casecompare_dlv(rdata1, rdata2); break; \
+ 	case 65468: result = casecompare_tlsa(rdata1, rdata2); break; \
  	case 65533: result = casecompare_keydata(rdata1, rdata2); break; \
  	default: use_default = ISC_TRUE; break; \
  	}
***************
*** 878,883 ****
--- 885,891 ----
  		} \
  		break; \
  	case 32769: result = fromstruct_dlv(rdclass, type, source, target); break; \
+ 	case 65468: result = fromstruct_tlsa(rdclass, type, source, target); break; \
  	case 65533: result = fromstruct_keydata(rdclass, type, source, target); break; \
  	default: use_default = ISC_TRUE; break; \
  	}
***************
*** 991,996 ****
--- 999,1005 ----
  		} \
  		break; \
  	case 32769: result = tostruct_dlv(rdata, target, mctx); break; \
+ 	case 65468: result = tostruct_tlsa(rdata, target, mctx); break; \
  	case 65533: result = tostruct_keydata(rdata, target, mctx); break; \
  	default: use_default = ISC_TRUE; break; \
  	}
***************
*** 1104,1109 ****
--- 1113,1119 ----
  		} \
  		break; \
  	case 32769: freestruct_dlv(source); break; \
+ 	case 65468: freestruct_tlsa(source); break; \
  	case 65533: freestruct_keydata(source); break; \
  	default: break; \
  	}
***************
*** 1217,1222 ****
--- 1227,1233 ----
  		} \
  		break; \
  	case 32769: result = additionaldata_dlv(rdata, add, arg); break; \
+ 	case 65468: result = additionaldata_tlsa(rdata, add, arg); break; \
  	case 65533: result = additionaldata_keydata(rdata, add, arg); break; \
  	default: use_default = ISC_TRUE; break; \
  	}
***************
*** 1443,1448 ****
--- 1454,1460 ----
  		} \
  		break; \
  	case 32769: result = checkowner_dlv(name, rdclass, type, wildcard); break; \
+ 	case 65468: result = checkowner_tlsa(name, rdclass, type, wildcard); break; \
  	case 65533: result = checkowner_keydata(name, rdclass, type, wildcard); break; \
  	default: result = ISC_TRUE; break; \
  	}
***************
*** 1556,1561 ****
--- 1568,1574 ----
  		} \
  		break; \
  	case 32769: result = checknames_dlv(rdata, owner, bad); break; \
+ 	case 65468: result = checknames_tlsa(rdata, owner, bad); break; \
  	case 65533: result = checknames_keydata(rdata, owner, bad); break; \
  	default: result = ISC_TRUE; break; \
  	}
***************
*** 1747,1752 ****
--- 1760,1768 ----
  			RDATATYPE_COMPARE("maila", 254, _typename, _length, _typep); \
  			RDATATYPE_COMPARE("keydata", 65533, _typename, _length, _typep); \
  			break; \
+ 		case 120: \
+ 			RDATATYPE_COMPARE("tlsa", 65468, _typename, _length, _typep); \
+ 			break; \
  		case 68: \
  			RDATATYPE_COMPARE("any", 255, _typename, _length, _typep); \
  			break; \
***************
*** 1818,1823 ****
--- 1834,1840 ----
  	case 254: return (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_QUESTIONONLY); \
  	case 255: return (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_QUESTIONONLY); \
  	case 32769: return (RRTYPE_DLV_ATTRIBUTES); \
+ 	case 65468: return (RRTYPE_TLSA_ATTRIBUTES); \
  	case 65533: return (RRTYPE_KEYDATA_ATTRIBUTES); \
  	}
  #define RDATATYPE_TOTEXT_SW \
***************
*** 1887,1892 ****
--- 1904,1910 ----
  	case 254: return (str_totext("MAILA", target)); \
  	case 255: return (str_totext("ANY", target)); \
  	case 32769: return (str_totext("DLV", target)); \
+ 	case 65468: return (str_totext("TLSA", target)); \
  	case 65533: return (str_totext("KEYDATA", target)); \
  	}
  #endif /* DNS_CODE_H */
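Review bot: lib/dns/code.h is not hand-maintained source but the output of the lib/dns/gen tool (gen.c), which rebuilds every switch in it from the `<type>_<number>.c` files found under rdata/, so all sixteen hand-edited hunks in this file, from the `#include` at line 87 through this RDATATYPE_TOTEXT case, will be thrown away the next time code.h is regenerated; dropping tlsa_65468.c/.h into rdata/generic/ is what makes the type known to the build, and the generated file should not be part of the patch. The hand edit also misses at least one dispatch: tlsa_65468.c defines digest_tlsa(), but no hunk adds `case 65468: result = digest_tlsa(rdata, digest, arg); break;` to the digest switch, so dns_rdata_digest() for type 65468 presumably falls through to the default path. The `case 120:` bucket chosen for "tlsa" in the RDATATYPE_COMPARE switch is consistent with the bucket shown for "any" (68), so that part at least matches what the generator would emit.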
-------------- next part --------------
*** /dev/null	Wed Apr 13 22:40:41 2011
--- bind-9.8.0/lib/dns/rdata/generic/tlsa_65468.h	Wed Apr 13 22:23:53 2011
***************
*** 0 ****
--- 1,34 ----
+ /*
+  * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+  *
+  * Permission to use, copy, modify, and/or distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+  * copyright notice and this permission notice appear in all copies.
+  *
+  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+  * PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
+ /* $Id: tlsa_65468.h,v 1.5 2007-06-19 23:47:17 tbox Exp $ */
+ 
+ /* draft-ietf-dnsext-delegation-signer-05.txt */
+ #ifndef GENERIC_TLSA_65468_H
+ #define GENERIC_TLSA_65468_H 1
+ 
+ /* https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/?include_text=1 */
+ 
+ typedef struct dns_rdata_tlsa {
+ 	dns_rdatacommon_t	common;
+ 	isc_mem_t		*mctx;
+ 	isc_uint8_t		cert_type;
+ 	isc_uint8_t		hash_type;
+ 	isc_uint16_t		length;
+ 	unsigned char		*digest;
+ } dns_rdata_tlsa_t;
+ 
+ #endif
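Review bot: The comment `/* draft-ietf-dnsext-delegation-signer-05.txt */` above the include guard and the `/* $Id: tlsa_65468.h,v 1.5 2007-06-19 ... */` line were carried over from the DS/DLV header and describe a different record type and a CVS history this new file does not have; replace the former with `/* TLSA: draft-ietf-dane-protocol; hash-type registry not yet final */` and drop the $Id line. The struct fields also want a one-line comment each, in particular that `hash_type` takes the DANE draft's values rather than the DS digest-type registry (the companion .c file currently compares it against DNS_DSDIGEST_* constants), and that `digest` is allocated from `mctx` and released by freestruct_tlsa, so that callers know who owns it.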
-------------- next part --------------
*** /dev/null	Wed Apr 13 22:40:41 2011
--- bind-9.8.0/lib/dns/rdata/generic/tlsa_65468.c	Wed Apr 13 22:23:39 2011
***************
*** 0 ****
--- 1,322 ----
+ /*
+  * Copyright (C) 2004, 2006, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+  *
+  * Permission to use, copy, modify, and/or distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+  * copyright notice and this permission notice appear in all copies.
+  *
+  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+  * PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
+ /* $Id: tlsa_65468.c,v 1.10 2010-12-23 23:47:08 tbox Exp $ */
+ 
+ /* draft-ietf-dnsext-delegation-signer-05.txt */
+ 
+ #ifndef RDATA_GENERIC_TLSA_65468_C
+ #define RDATA_GENERIC_TLSA_65468_C
+ 
+ #define RRTYPE_TLSA_ATTRIBUTES 0
+ 
+ #include <isc/sha1.h>
+ #include <isc/sha2.h>
+ 
+ #include <dns/ds.h>
+ #include <rdata/generic/tlsa_65468.h>
+ 
+ 
+ static inline isc_result_t
+ fromtext_tlsa(ARGS_FROMTEXT) {
+ 	isc_token_t token;
+ 	unsigned char c;
+ 	int length;
+ 
+ 	REQUIRE(type == 65468);
+ 
+ 	UNUSED(type);
+ 	UNUSED(rdclass);
+ 	UNUSED(origin);
+ 	UNUSED(options);
+ 	UNUSED(callbacks);
+ 
+ 	/*
+ 	 * Certificate type.
+ 	 */
+ 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ 				      ISC_FALSE));
+ 	if (token.value.as_ulong > 0xffU)
+ 		RETTOK(ISC_R_RANGE);
+ 	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+ 
+ 	/*
+ 	 * Hash type.
+ 	 */
+ 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ 				      ISC_FALSE));
+ 	if (token.value.as_ulong > 0xffU)
+ 		RETTOK(ISC_R_RANGE);
+ 	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+ 	c = (unsigned char) token.value.as_ulong;
+ 
+ 	/*
+ 	 * Digest.
+ 	 */
+ 	switch (c) {
+ 	case DNS_DSDIGEST_SHA1:
+ 		length = ISC_SHA1_DIGESTLENGTH;
+ 		break;
+ 	case DNS_DSDIGEST_SHA256:
+ 		length = ISC_SHA256_DIGESTLENGTH;
+ 		break;
+ 	case DNS_DSDIGEST_GOST:
+ 		length = ISC_GOST_DIGESTLENGTH;
+ 		break;
+ 	default:
+ 		length = -1;
+ 		break;
+ 	}
+ 	return (isc_hex_tobuffer(lexer, target, -1));
+ }
+ 
+ static inline isc_result_t
+ totext_tlsa(ARGS_TOTEXT) {
+ 	isc_region_t sr;
+ 	char buf[sizeof("64000 ")];
+ 	unsigned int n;
+ 
+ 	REQUIRE(rdata->type == 65468);
+ 	REQUIRE(rdata->length != 0);
+ 
+ 	UNUSED(tctx);
+ 
+ 	dns_rdata_toregion(rdata, &sr);
+ 
+ 	/*
+ 	 * Cert type
+ 	 */
+ 	n = uint8_fromregion(&sr);
+ 	isc_region_consume(&sr, 1);
+ 	sprintf(buf, "%u ", n);
+ 	RETERR(str_totext(buf, target));
+ 
+ 	/*
+ 	 * Hash type type.
+ 	 */
+ 	n = uint8_fromregion(&sr);
+ 	isc_region_consume(&sr, 1);
+ 	sprintf(buf, "%u", n);
+ 	RETERR(str_totext(buf, target));
+ 
+ 	/*
+ 	 * Digest.
+ 	 */
+ 	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ 		RETERR(str_totext(" (", target));
+ 	RETERR(str_totext(tctx->linebreak, target));
+ 	RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak, target));
+ 	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ 		RETERR(str_totext(" )", target));
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+ static inline isc_result_t
+ fromwire_tlsa(ARGS_FROMWIRE) {
+ 	isc_region_t sr;
+ 
+ 	REQUIRE(type == 65468);
+ 
+ 	UNUSED(type);
+ 	UNUSED(rdclass);
+ 	UNUSED(dctx);
+ 	UNUSED(options);
+ 
+ 	isc_buffer_activeregion(source, &sr);
+ 
+ 	/*
+ 	 * Check digest lengths if we know them.
+ 	 */
+ 	if (sr.length < 4 ||
+ 	    (sr.base[3] == DNS_DSDIGEST_SHA1 &&
+ 	     sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
+ 	    (sr.base[3] == DNS_DSDIGEST_SHA256 &&
+ 	     sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
+ 	    (sr.base[3] == DNS_DSDIGEST_GOST &&
+ 	     sr.length < 4 + ISC_GOST_DIGESTLENGTH))
+ 		return (ISC_R_UNEXPECTEDEND);
+ 
+ 	/*
+ 	 * Only copy digest lengths if we know them.
+ 	 * If there is extra data dns_rdata_fromwire() will
+ 	 * detect that.
+ 	 */
+ 	if (sr.base[3] == DNS_DSDIGEST_SHA1)
+ 		sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
+ 	else if (sr.base[3] == DNS_DSDIGEST_SHA256)
+ 		sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
+ 	else if (sr.base[3] == DNS_DSDIGEST_GOST)
+ 		sr.length = 4 + ISC_GOST_DIGESTLENGTH;
+ 
+ 	isc_buffer_forward(source, sr.length);
+ 	return (mem_tobuffer(target, sr.base, sr.length));
+ }
+ 
+ static inline isc_result_t
+ towire_tlsa(ARGS_TOWIRE) {
+ 	isc_region_t sr;
+ 
+ 	REQUIRE(rdata->type == 65468);
+ 	REQUIRE(rdata->length != 0);
+ 
+ 	UNUSED(cctx);
+ 
+ 	dns_rdata_toregion(rdata, &sr);
+ 	return (mem_tobuffer(target, sr.base, sr.length));
+ }
+ 
+ static inline int
+ compare_tlsa(ARGS_COMPARE) {
+ 	isc_region_t r1;
+ 	isc_region_t r2;
+ 
+ 	REQUIRE(rdata1->type == rdata2->type);
+ 	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ 	REQUIRE(rdata1->type == 65468);
+ 	REQUIRE(rdata1->length != 0);
+ 	REQUIRE(rdata2->length != 0);
+ 
+ 	dns_rdata_toregion(rdata1, &r1);
+ 	dns_rdata_toregion(rdata2, &r2);
+ 	return (isc_region_compare(&r1, &r2));
+ }
+ 
+ static inline isc_result_t
+ fromstruct_tlsa(ARGS_FROMSTRUCT) {
+ 	dns_rdata_tlsa_t *tlsa = source;
+ 
+ 	REQUIRE(type == 65468);
+ 	REQUIRE(source != NULL);
+ 	REQUIRE(tlsa->common.rdtype == type);
+ 	REQUIRE(tlsa->common.rdclass == rdclass);
+ 	switch (tlsa->hash_type) {
+ 	case DNS_DSDIGEST_SHA1:
+ 		REQUIRE(tlsa->length == ISC_SHA1_DIGESTLENGTH);
+ 		break;
+ 	case DNS_DSDIGEST_SHA256:
+ 		REQUIRE(tlsa->length == ISC_SHA256_DIGESTLENGTH);
+ 		break;
+ 	case DNS_DSDIGEST_GOST:
+ 		REQUIRE(tlsa->length == ISC_GOST_DIGESTLENGTH);
+ 		break;
+ 	}
+ 
+ 	UNUSED(type);
+ 	UNUSED(rdclass);
+ 
+ 	RETERR(uint8_tobuffer(tlsa->cert_type, target));
+ 	RETERR(uint8_tobuffer(tlsa->hash_type, target));
+ 
+ 	return (mem_tobuffer(target, tlsa->digest, tlsa->length));
+ }
+ 
+ static inline isc_result_t
+ tostruct_tlsa(ARGS_TOSTRUCT) {
+ 	dns_rdata_tlsa_t *tlsa = target;
+ 	isc_region_t region;
+ 
+ 	REQUIRE(rdata->type == 65468);
+ 	REQUIRE(target != NULL);
+ 	REQUIRE(rdata->length != 0);
+ 
+ 	tlsa->common.rdclass = rdata->rdclass;
+ 	tlsa->common.rdtype = rdata->type;
+ 	ISC_LINK_INIT(&tlsa->common, link);
+ 
+ 	dns_rdata_toregion(rdata, &region);
+ 
+ 	tlsa->cert_type = uint8_fromregion(&region);
+ 	isc_region_consume(&region, 1);
+ 	tlsa->hash_type = uint8_fromregion(&region);
+ 	isc_region_consume(&region, 1);
+ 	tlsa->length = region.length;
+ 
+ 	tlsa->digest = mem_maybedup(mctx, region.base, region.length);
+ 	if (tlsa->digest == NULL)
+ 		return (ISC_R_NOMEMORY);
+ 
+ 	tlsa->mctx = mctx;
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+ static inline void
+ freestruct_tlsa(ARGS_FREESTRUCT) {
+ 	dns_rdata_tlsa_t *tlsa = source;
+ 
+ 	REQUIRE(tlsa != NULL);
+ 	REQUIRE(tlsa->common.rdtype == 65468);
+ 
+ 	if (tlsa->mctx == NULL)
+ 		return;
+ 
+ 	if (tlsa->digest != NULL)
+ 		isc_mem_free(tlsa->mctx, tlsa->digest);
+ 	tlsa->mctx = NULL;
+ }
+ 
+ static inline isc_result_t
+ additionaldata_tlsa(ARGS_ADDLDATA) {
+ 	REQUIRE(rdata->type == 65468);
+ 
+ 	UNUSED(rdata);
+ 	UNUSED(add);
+ 	UNUSED(arg);
+ 
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+ static inline isc_result_t
+ digest_tlsa(ARGS_DIGEST) {
+ 	isc_region_t r;
+ 
+ 	REQUIRE(rdata->type == 65468);
+ 
+ 	dns_rdata_toregion(rdata, &r);
+ 
+ 	return ((digest)(arg, &r));
+ }
+ 
+ static inline isc_boolean_t
+ checkowner_tlsa(ARGS_CHECKOWNER) {
+ 
+ 	REQUIRE(type == 65468);
+ 
+ 	UNUSED(name);
+ 	UNUSED(type);
+ 	UNUSED(rdclass);
+ 	UNUSED(wildcard);
+ 
+ 	return (ISC_TRUE);
+ }
+ 
+ static inline isc_boolean_t
+ checknames_tlsa(ARGS_CHECKNAMES) {
+ 
+ 	REQUIRE(rdata->type == 65468);
+ 
+ 	UNUSED(rdata);
+ 	UNUSED(owner);
+ 	UNUSED(bad);
+ 
+ 	return (ISC_TRUE);
+ }
+ 
+ static inline int
+ casecompare_tlsa(ARGS_COMPARE) {
+ 	return (compare_tlsa(rdata1, rdata2));
+ }
+ 
+ #endif	/* RDATA_GENERIC_TLSA_65468_C */
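Review bot: fromwire_tlsa tests `sr.base[3]` and requires `4 + digest` octets, offsets copied from DS/DLV (key tag, algorithm, digest type = 4 fixed octets), but the TLSA wire form written by fromstruct_tlsa and read by tostruct_tlsa has only two fixed octets (cert type, hash type), so the byte examined is the second octet of the digest, and any record whose digest happens to carry 0x01, 0x02 or 0x03 there is truncated to 24/36/36 octets and then rejected by dns_rdata_fromwire() for trailing data. Fixing the offset alone would not help: the example in the mail shows hash type 1 carrying 64 hex digits (32 octets), so the DS mapping 1→ISC_SHA1_DIGESTLENGTH does not apply to TLSA, and the same table is wrong in fromtext_tlsa (where `length` is computed and then discarded in favour of `-1`) and in fromstruct_tlsa. The fromstruct_tlsa case is the one with teeth: a record that parsed from the wire and was round-tripped through tostruct_tlsa would fail `REQUIRE(tlsa->length == ISC_SHA1_DIGESTLENGTH)` and abort the process, so those REQUIREs should be dropped, or turned into an error return, until the draft's hash-type lengths are pinned down. I would make fromwire_tlsa accept anything of at least the two fixed octets, as below, delete the unused `length` switch from fromtext_tlsa, and then the `#include <dns/ds.h>` and the leftover `/* draft-ietf-dnsext-delegation-signer-05.txt */` comment can go as well; the `UNUSED(tctx)` in totext_tlsa is also misleading since tctx is used four lines later.
```c
static inline isc_result_t
fromwire_tlsa(ARGS_FROMWIRE) {
	/* … unchanged: declaration of sr, REQUIRE and UNUSED preamble … */

	isc_buffer_activeregion(source, &sr);

	/*
	 * Wire form is cert type (1 octet), hash type (1 octet), then the
	 * association data.  The data length cannot be derived from the DS
	 * digest registry (hash type 1 carries 32 octets in the example
	 * record, not ISC_SHA1_DIGESTLENGTH), so only the fixed octets are
	 * checked here and whatever follows is taken as the data.
	 */
	if (sr.length < 2)
		return (ISC_R_UNEXPECTEDEND);

	isc_buffer_forward(source, sr.length);
	return (mem_tobuffer(target, sr.base, sr.length));
}
```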

