summaryrefslogtreecommitdiffstats
path: root/modules/ta_sentinel
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 00:55:53 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 00:55:53 +0000
commit3d0386f27ca66379acf50199e1d1298386eeeeb8 (patch)
treef87bd4a126b3a843858eb447e8fd5893c3ee3882 /modules/ta_sentinel
parentInitial commit. (diff)
downloadknot-resolver-3d0386f27ca66379acf50199e1d1298386eeeeb8.tar.xz
knot-resolver-3d0386f27ca66379acf50199e1d1298386eeeeb8.zip
Adding upstream version 3.2.1.upstream/3.2.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'modules/ta_sentinel')
-rw-r--r--modules/ta_sentinel/README.rst17
-rw-r--r--modules/ta_sentinel/ta_sentinel.lua88
-rw-r--r--modules/ta_sentinel/ta_sentinel.mk2
3 files changed, 107 insertions, 0 deletions
diff --git a/modules/ta_sentinel/README.rst b/modules/ta_sentinel/README.rst
new file mode 100644
index 0000000..c3b17a4
--- /dev/null
+++ b/modules/ta_sentinel/README.rst
@@ -0,0 +1,17 @@
+.. _mod-ta_sentinel:
+
+Sentinel for Detecting Trusted Root Keys
+----------------------------------------
+
+The module implementing A Root Key Trust Anchor Sentinel for DNSSEC
+according to `draft-ietf-dnsop-kskroll-sentinel-12`_.
+
+This feature allows users of validating resolver to detect which root keys
+are configured in their chain of trust. The data from such
+signaling are necessary to monitor the progress of the DNSSEC root key rollover.
+
+This module is enabled by default and we urge users not to disable it.
+If it is absolutely necessary you may add ``modules.unload('ta_sentinel')``
+to your configuration to disable it.
+
+.. _`draft-ietf-dnsop-kskroll-sentinel-12`: https://tools.ietf.org/html/draft-ietf-dnsop-kskroll-sentinel-12
diff --git a/modules/ta_sentinel/ta_sentinel.lua b/modules/ta_sentinel/ta_sentinel.lua
new file mode 100644
index 0000000..4ee6348
--- /dev/null
+++ b/modules/ta_sentinel/ta_sentinel.lua
@@ -0,0 +1,88 @@
+local M = {}
+M.layer = {}
+local ffi = require('ffi')
+
+function M.layer.finish(state, req, pkt)
+ local kreq = kres.request_t(req)
+
+ if bit.band(state, kres.DONE) == 0 then
+ return state end -- not resolved yet, exit
+
+ local qry = kreq:resolved()
+ if qry.parent ~= nil then
+ return state end -- an internal query, exit
+
+ local kpkt = kres.pkt_t(pkt)
+ if not (kpkt:qtype() == kres.type.A or kpkt:qtype() == kres.type.AAAA) then
+ return state end
+
+ -- fast filter by the length of the first label
+ local label_len = qry:name():byte(1)
+ if label_len ~= 29 and label_len ~= 30 then
+ return state end
+ -- end of hot path
+ -- check the label name
+ local qname = kres.dname2str(qry:name()):lower()
+ local sentype, keytag
+ if label_len == 29 then
+ sentype = true
+ keytag = qname:match('^root%-key%-sentinel%-is%-ta%-(%x+)%.')
+ elseif label_len == 30 then
+ sentype = false
+ keytag = qname:match('^root%-key%-sentinel%-not%-ta%-(%x+)%.')
+ end
+ if not keytag then return state end
+
+ if kreq.rank ~= ffi.C.KR_RANK_SECURE or kreq.answer:cd() then
+ if verbose() then
+ log('[ta_sentinel] name+type OK but not AD+CD conditions')
+ end
+ return state
+ end
+
+ -- check keytag from the label
+ keytag = tonumber(keytag)
+ if not keytag or math.floor(keytag) ~= keytag then
+ return state end -- pattern did not match, exit
+ if keytag < 0 or keytag > 0xffff then
+ return state end -- invalid keytag?!, exit
+
+ if verbose() then
+ log('[ta_sentinel] key tag: ' .. keytag .. ', sentinel: ' .. tostring(sentype))
+ end
+
+ local found = false
+ local ds_set = ffi.C.kr_ta_get(kres.context().trust_anchors, '\0')
+ if ds_set ~= nil then
+ for i = 0, ds_set:rdcount() - 1 do
+ -- Find the key tag in rdata and compare
+ -- https://tools.ietf.org/html/rfc4034#section-5.1
+ local rdata = ds_set:rdata_pt(i)
+ local tag = rdata.data[0] * 256 + rdata.data[1]
+ if tag == keytag then
+ found = true
+ end
+ end
+ end
+ if verbose() then
+ log('[ta_sentinel] matching trusted TA found: ' .. tostring(found))
+ if not found then -- print matching TAs in *other* states than Valid
+ for i = 1, #(trust_anchors.keysets['\0'] or {}) do
+ local key = trust_anchors.keysets['\0'][i]
+ if key.key_tag == keytag and key.state ~= 'Valid' then
+ log('[ta_sentinel] matching UNtrusted TA found in state: '
+ .. key.state)
+ end
+ end
+ end
+ end
+
+ if sentype ~= found then -- expected key is not there, or unexpected key is there
+ kpkt:clear_payload()
+ kpkt:rcode(kres.rcode.SERVFAIL)
+ kpkt:ad(false)
+ end
+ return state -- do not break resolution process
+end
+
+return M
diff --git a/modules/ta_sentinel/ta_sentinel.mk b/modules/ta_sentinel/ta_sentinel.mk
new file mode 100644
index 0000000..2441ce0
--- /dev/null
+++ b/modules/ta_sentinel/ta_sentinel.mk
@@ -0,0 +1,2 @@
+ta_sentinel_SOURCES := ta_sentinel.lua
+$(call make_lua_module,ta_sentinel)