summaryrefslogtreecommitdiffstats
path: root/modules/ta_sentinel
diff options
context:
space:
mode:
Diffstat (limited to 'modules/ta_sentinel')
-rw-r--r--modules/ta_sentinel/.packaging/test.config4
-rw-r--r--modules/ta_sentinel/README.rst18
-rw-r--r--modules/ta_sentinel/ta_sentinel.lua86
3 files changed, 108 insertions, 0 deletions
diff --git a/modules/ta_sentinel/.packaging/test.config b/modules/ta_sentinel/.packaging/test.config
new file mode 100644
index 0000000..4bb6ac9
--- /dev/null
+++ b/modules/ta_sentinel/.packaging/test.config
@@ -0,0 +1,4 @@
+-- SPDX-License-Identifier: GPL-3.0-or-later
+modules.load('ta_sentinel')
+assert(ta_sentinel)
+quit()
diff --git a/modules/ta_sentinel/README.rst b/modules/ta_sentinel/README.rst
new file mode 100644
index 0000000..aa9d733
--- /dev/null
+++ b/modules/ta_sentinel/README.rst
@@ -0,0 +1,18 @@
+.. SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _mod-ta_sentinel:
+
+Sentinel for Detecting Trusted Root Keys
+========================================
+
+The module ``ta_sentinel`` implements A Root Key Trust Anchor Sentinel for DNSSEC
+according to standard :rfc:`8509`.
+
+This feature allows users of DNSSEC validating resolver to detect which root keys
+are configured in resolver's chain of trust. The data from such
+signaling are necessary to monitor the progress of the DNSSEC root key rollover
+and to detect potential breakage before it affect users. One example of research enabled by this module `is available here <https://www.potaroo.net/ispcol/2018-11/kskpm.html>`_.
+
+This module is enabled by default and we urge users not to disable it.
+If it is absolutely necessary you may add ``modules.unload('ta_sentinel')``
+to your configuration to disable it.
diff --git a/modules/ta_sentinel/ta_sentinel.lua b/modules/ta_sentinel/ta_sentinel.lua
new file mode 100644
index 0000000..a0fb67e
--- /dev/null
+++ b/modules/ta_sentinel/ta_sentinel.lua
@@ -0,0 +1,86 @@
+-- SPDX-License-Identifier: GPL-3.0-or-later
+local M = {}
+M.layer = {}
+local ffi = require('ffi')
+
+function M.layer.finish(state, req, pkt)
+ if pkt == nil then return end
+ -- fast filter by the length of the first QNAME label
+ if pkt.wire[5] == 0 then return state end -- QDCOUNT % 256 == 0, in case we produced that
+ local label_len = pkt.wire[12]
+ if label_len ~= 29 and label_len ~= 30 then
+ return state end
+ -- end of hot path
+
+ local qtype = pkt:qtype()
+ if not (qtype == kres.type.A or qtype == kres.type.AAAA) then
+ return state end
+ if bit.band(state, kres.FAIL) ~= 0 then
+ return state end
+
+ -- check the label name
+ local qry = req:resolved()
+ local qname = kres.dname2str(qry:name()):lower()
+ local sentype, keytag
+ if label_len == 29 then
+ sentype = true
+ keytag = qname:match('^root%-key%-sentinel%-is%-ta%-(%x+)%.')
+ elseif label_len == 30 then
+ sentype = false
+ keytag = qname:match('^root%-key%-sentinel%-not%-ta%-(%x+)%.')
+ end
+ if not keytag then return state end
+
+ if req.rank ~= ffi.C.KR_RANK_SECURE or req.answer:cd() then
+ if verbose() then
+ log('[ta_sentinel] name+type OK but not AD+CD conditions')
+ end
+ return state
+ end
+
+ -- check keytag from the label
+ keytag = tonumber(keytag)
+ if not keytag or math.floor(keytag) ~= keytag then
+ return state end -- pattern did not match, exit
+ if keytag < 0 or keytag > 0xffff then
+ return state end -- invalid keytag?!, exit
+
+ if verbose() then
+ log('[ta_sentinel] key tag: ' .. keytag .. ', sentinel: ' .. tostring(sentype))
+ end
+
+ local found = false
+ local ds_set = ffi.C.kr_ta_get(kres.context().trust_anchors, '\0')
+ if ds_set ~= nil then
+ for i = 0, ds_set:rdcount() - 1 do
+ -- Find the key tag in rdata and compare
+ -- https://tools.ietf.org/html/rfc4034#section-5.1
+ local rdata = ds_set:rdata_pt(i)
+ local tag = rdata.data[0] * 256 + rdata.data[1]
+ if tag == keytag then
+ found = true
+ end
+ end
+ end
+ if verbose() then
+ log('[ta_sentinel] matching trusted TA found: ' .. tostring(found))
+ if not found then -- print matching TAs in *other* states than Valid
+ for i = 1, #(trust_anchors.keysets['\0'] or {}) do
+ local key = trust_anchors.keysets['\0'][i]
+ if key.key_tag == keytag and key.state ~= 'Valid' then
+ log('[ta_sentinel] matching UNtrusted TA found in state: '
+ .. key.state)
+ end
+ end
+ end
+ end
+
+ if sentype ~= found then -- expected key is not there, or unexpected key is there
+ pkt:clear_payload()
+ pkt:rcode(kres.rcode.SERVFAIL)
+ pkt:ad(false)
+ end
+ return state -- do not break resolution process
+end
+
+return M