summaryrefslogtreecommitdiffstats
path: root/modules/experimental_dot_auth
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--modules/experimental_dot_auth/.packaging/centos/7/rundeps1
-rw-r--r--modules/experimental_dot_auth/.packaging/centos/8/rundeps1
-rw-r--r--modules/experimental_dot_auth/.packaging/debian/10/rundeps1
-rw-r--r--modules/experimental_dot_auth/.packaging/debian/9/rundeps1
-rw-r--r--modules/experimental_dot_auth/.packaging/fedora/31/rundeps1
-rw-r--r--modules/experimental_dot_auth/.packaging/fedora/32/rundeps1
-rw-r--r--modules/experimental_dot_auth/.packaging/leap/15.2/NOTSUPPORTED6
-rwxr-xr-xmodules/experimental_dot_auth/.packaging/leap/15.2/pre-test.sh1
-rw-r--r--modules/experimental_dot_auth/.packaging/leap/15.2/rundeps4
-rw-r--r--modules/experimental_dot_auth/.packaging/test.config4
-rw-r--r--modules/experimental_dot_auth/.packaging/ubuntu/16.04/NOTSUPPORTED0
-rw-r--r--modules/experimental_dot_auth/.packaging/ubuntu/18.04/rundeps1
-rw-r--r--modules/experimental_dot_auth/.packaging/ubuntu/20.04/rundeps1
-rw-r--r--modules/experimental_dot_auth/README.rst91
-rw-r--r--modules/experimental_dot_auth/experimental_dot_auth.lua122
-rw-r--r--modules/experimental_dot_auth/meson.build13
16 files changed, 249 insertions, 0 deletions
diff --git a/modules/experimental_dot_auth/.packaging/centos/7/rundeps b/modules/experimental_dot_auth/.packaging/centos/7/rundeps
new file mode 100644
index 0000000..36b83e1
--- /dev/null
+++ b/modules/experimental_dot_auth/.packaging/centos/7/rundeps
@@ -0,0 +1 @@
+lua-basexx
diff --git a/modules/experimental_dot_auth/.packaging/centos/8/rundeps b/modules/experimental_dot_auth/.packaging/centos/8/rundeps
new file mode 100644
index 0000000..984c7ce
--- /dev/null
+++ b/modules/experimental_dot_auth/.packaging/centos/8/rundeps
@@ -0,0 +1 @@
+lua5.1-basexx
diff --git a/modules/experimental_dot_auth/.packaging/debian/10/rundeps b/modules/experimental_dot_auth/.packaging/debian/10/rundeps
new file mode 100644
index 0000000..36b83e1
--- /dev/null
+++ b/modules/experimental_dot_auth/.packaging/debian/10/rundeps
@@ -0,0 +1 @@
+lua-basexx
diff --git a/modules/experimental_dot_auth/.packaging/debian/9/rundeps b/modules/experimental_dot_auth/.packaging/debian/9/rundeps
new file mode 100644
index 0000000..36b83e1
--- /dev/null
+++ b/modules/experimental_dot_auth/.packaging/debian/9/rundeps
@@ -0,0 +1 @@
+lua-basexx
diff --git a/modules/experimental_dot_auth/.packaging/fedora/31/rundeps b/modules/experimental_dot_auth/.packaging/fedora/31/rundeps
new file mode 100644
index 0000000..984c7ce
--- /dev/null
+++ b/modules/experimental_dot_auth/.packaging/fedora/31/rundeps
@@ -0,0 +1 @@
+lua5.1-basexx
diff --git a/modules/experimental_dot_auth/.packaging/fedora/32/rundeps b/modules/experimental_dot_auth/.packaging/fedora/32/rundeps
new file mode 100644
index 0000000..984c7ce
--- /dev/null
+++ b/modules/experimental_dot_auth/.packaging/fedora/32/rundeps
@@ -0,0 +1 @@
+lua5.1-basexx
diff --git a/modules/experimental_dot_auth/.packaging/leap/15.2/NOTSUPPORTED b/modules/experimental_dot_auth/.packaging/leap/15.2/NOTSUPPORTED
new file mode 100644
index 0000000..682eff0
--- /dev/null
+++ b/modules/experimental_dot_auth/.packaging/leap/15.2/NOTSUPPORTED
@@ -0,0 +1,6 @@
+
+ERROR:test_packaging:Installing https://luarocks.org/basexx-0.4.1-1.rockspec
+Error: Failed extracting v0.4.1.tar.gz
+
+Doesn't works on GitLab CI/CD, but works on localhost.
+gzip and tar packages are installed, all packages has same version as packages on localhost's docker container.
diff --git a/modules/experimental_dot_auth/.packaging/leap/15.2/pre-test.sh b/modules/experimental_dot_auth/.packaging/leap/15.2/pre-test.sh
new file mode 100755
index 0000000..df5d784
--- /dev/null
+++ b/modules/experimental_dot_auth/.packaging/leap/15.2/pre-test.sh
@@ -0,0 +1 @@
+luarocks --lua-version 5.1 install basexx --from=https://mah0x211.github.io/rocks/
diff --git a/modules/experimental_dot_auth/.packaging/leap/15.2/rundeps b/modules/experimental_dot_auth/.packaging/leap/15.2/rundeps
new file mode 100644
index 0000000..9e636d8
--- /dev/null
+++ b/modules/experimental_dot_auth/.packaging/leap/15.2/rundeps
@@ -0,0 +1,4 @@
+lua51-luarocks
+git
+tar
+gzip
diff --git a/modules/experimental_dot_auth/.packaging/test.config b/modules/experimental_dot_auth/.packaging/test.config
new file mode 100644
index 0000000..39e9aed
--- /dev/null
+++ b/modules/experimental_dot_auth/.packaging/test.config
@@ -0,0 +1,4 @@
+-- SPDX-License-Identifier: GPL-3.0-or-later
+modules.load('experimental_dot_auth')
+assert(experimental_dot_auth)
+quit()
diff --git a/modules/experimental_dot_auth/.packaging/ubuntu/16.04/NOTSUPPORTED b/modules/experimental_dot_auth/.packaging/ubuntu/16.04/NOTSUPPORTED
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/modules/experimental_dot_auth/.packaging/ubuntu/16.04/NOTSUPPORTED
diff --git a/modules/experimental_dot_auth/.packaging/ubuntu/18.04/rundeps b/modules/experimental_dot_auth/.packaging/ubuntu/18.04/rundeps
new file mode 100644
index 0000000..36b83e1
--- /dev/null
+++ b/modules/experimental_dot_auth/.packaging/ubuntu/18.04/rundeps
@@ -0,0 +1 @@
+lua-basexx
diff --git a/modules/experimental_dot_auth/.packaging/ubuntu/20.04/rundeps b/modules/experimental_dot_auth/.packaging/ubuntu/20.04/rundeps
new file mode 100644
index 0000000..36b83e1
--- /dev/null
+++ b/modules/experimental_dot_auth/.packaging/ubuntu/20.04/rundeps
@@ -0,0 +1 @@
+lua-basexx
diff --git a/modules/experimental_dot_auth/README.rst b/modules/experimental_dot_auth/README.rst
new file mode 100644
index 0000000..a93f516
--- /dev/null
+++ b/modules/experimental_dot_auth/README.rst
@@ -0,0 +1,91 @@
+.. SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _mod-experimental_dot_auth:
+
+Experimental DNS-over-TLS Auto-discovery
+========================================
+
+This experimental module provides automatic discovery of authoritative servers' supporting DNS-over-TLS.
+The module uses magic NS names to detect SPKI_ fingerprint which is very similar to `dnscurve`_ mechanism.
+
+.. warning:: This protocol and module is experimental and can be changed or removed at any time. Use at own risk, security properties were not analyzed!
+
+How it works
+------------
+
+The module will look for NS target names formatted as:
+``dot-{base32(sha256(SPKI))}....``
+
+For instance, Knot Resolver will detect NS names formatted like this
+
+.. code-block:: none
+
+ example.com NS dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.example.com
+
+and automatically discover that example.com NS supports DoT with the base64-encoded SPKI digest of ``m+12GgMFIiheEhKvUcOynjbn3WYQUp5tVGDh7Snwj/Q=``
+and will associate it with the IPs of ``dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.example.com``.
+
+In that example, the base32 encoded (no padding) version of the sha256 PIN is ``tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a``, which when
+converted to base64 translates to ``m+12GgMFIiheEhKvUcOynjbn3WYQUp5tVGDh7Snwj/Q=``.
+
+Generating NS target names
+--------------------------
+
+To generate the NS target name, use the following command to generate the base32 encoded string of the SPKI fingerprint:
+
+.. code-block:: bash
+
+ openssl x509 -in /path/to/cert.pem -pubkey -noout | \
+ openssl pkey -pubin -outform der | \
+ openssl dgst -sha256 -binary | \
+ base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'
+ tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a
+
+Then add a target to your NS with: ``dot-${b32}.a.example.com``
+
+Finally, map ``dot-${b32}.a.example.com`` to the right set of IPs.
+
+.. code-block:: bash
+
+ ...
+ ...
+ ;; QUESTION SECTION:
+ ;example.com. IN NS
+
+ ;; AUTHORITY SECTION:
+ example.com. 3600 IN NS dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.a.example.com.
+ example.com. 3600 IN NS dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.b.example.com.
+
+ ;; ADDITIONAL SECTION:
+ dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.a.example.com. 3600 IN A 192.0.2.1
+ dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.b.example.com. 3600 IN AAAA 2001:DB8::1
+ ...
+ ...
+
+Example configuration
+---------------------
+
+To enable the module, add this snippet to your config:
+
+.. code-block:: lua
+
+ -- Start an experiment, use with caution
+ modules.load('experimental_dot_auth')
+
+This module requires standard ``basexx`` Lua library which is typically provided by ``lua-basexx`` package.
+
+Caveats
+-------
+
+The module relies on seeing the reply of the NS query and as such will not work
+if Knot Resolver uses data from its cache. You may need to delete the cache before starting ``kresd`` to work around this.
+
+The module also assumes that the NS query answer will return both the NS targets in the Authority section as well as the glue records in the Additional section.
+
+Dependencies
+------------
+
+* `lua-basexx <https://github.com/aiq/basexx>`_ available in LuaRocks
+
+.. _dnscurve: https://dnscurve.org/
+.. _SPKI: https://en.wikipedia.org/wiki/Simple_public-key_infrastructure
diff --git a/modules/experimental_dot_auth/experimental_dot_auth.lua b/modules/experimental_dot_auth/experimental_dot_auth.lua
new file mode 100644
index 0000000..08c5080
--- /dev/null
+++ b/modules/experimental_dot_auth/experimental_dot_auth.lua
@@ -0,0 +1,122 @@
+-- SPDX-License-Identifier: GPL-3.0-or-later
+-- Module interface
+
+local ffi = require('ffi')
+local basexx = require('basexx')
+local C = ffi.C
+
+-- Export module interface
+local M = {}
+M.layer = {}
+local base32 = {}
+local str = {}
+local AF_INET = 2
+local AF_INET6 = 10
+local INET_ADDRSTRLEN = 16
+local INET6_ADDRSTRLEN = 46
+
+ffi.cdef[[
+/*
+ * Data structures
+ */
+typedef int socklen_t;
+ struct sockaddr_storage{
+ unsigned short int ss_family;
+ unsigned long int __ss_align;
+ char __ss_padding[128 - (2 *sizeof(unsigned long int))];
+ };
+ struct in_addr{
+ unsigned char s_addr[4];
+ };
+ struct in6_addr{
+ unsigned char s6_addr[16];
+ };
+ struct sockaddr_in{
+ short sin_family;
+ unsigned short sin_port;
+ struct in_addr sin_addr;
+ char sin_zero[8];
+ } __attribute__ ((__packed__));
+ struct sockaddr_in6{
+ unsigned short sin6_family;
+ unsigned short sin6_port;
+ unsigned int sin6_flowinfo;
+ struct in6_addr sin6_addr;
+ unsigned int sin6_scope_id;
+ };
+ typedef unsigned short sa_family_t;
+ struct sockaddr_un {
+ sa_family_t sun_family;
+ char sun_path[108];
+ };
+ const char *inet_ntop(
+ int af,
+ const void *cp,
+ char *buf,
+ socklen_t len);
+]]
+
+function base32.pad(b32)
+ local m = #b32 % 8
+ if m ~= 0 then
+ b32 = b32 .. string.rep("=", 8 - m)
+ end
+ return b32
+end
+
+function str.starts(String,Start)
+ return string.sub(String,1,string.len(Start))==Start
+end
+
+-- Handle DoT signalling NS domains.
+function M.layer.consume(state, _, pkt)
+ -- Only successful answers
+ if state == kres.FAIL then return state end
+ -- log_debug(ffi.C.LOG_GRP_DOTAUTH, "%s", pkt:tostring())
+ local authority = pkt:section(kres.section.AUTHORITY)
+ local additional = pkt:section(kres.section.ADDITIONAL)
+ for _, rr in ipairs(authority) do
+ --log_debug(ffi.C.LOG_GRP_DOTAUTH, "%d %s", rr.type, kres.dname2str(rr.rdata))
+ if rr.type == kres.type.NS then
+ local name = kres.dname2str(rr.rdata):upper()
+ -- log_debug(ffi.C.LOG_GRP_DOTAUTH, "NS %d", name:len())
+ if name:len() > 56 and str.starts(name, "DOT-") then
+ local k = basexx.to_base64(
+ basexx.from_base32(
+ base32.pad(string.sub(name, 5, string.find(name, '[.]') - 1))
+ )
+ )
+ for _, rr_add in ipairs(additional) do
+ if rr_add.type == kres.type.A or rr_add.type == kres.type.AAAA then
+ local name_add = kres.dname2str(rr_add.owner):upper()
+ if name == name_add then
+ local addrbuf
+ if rr_add.type == kres.type.A then
+ local ns_addr = ffi.new("struct sockaddr_in")
+ ns_addr.sin_family = AF_INET
+
+ ns_addr.sin_addr.s_addr = rr_add.rdata
+ addrbuf = ffi.new("char[?]", INET_ADDRSTRLEN)
+ C.inet_ntop(AF_INET, ns_addr.sin_addr, addrbuf, INET_ADDRSTRLEN)
+ else
+ local ns_addr = ffi.new("struct sockaddr_in6")
+ ns_addr.sin6_family = AF_INET6
+
+ ns_addr.sin6_addr.s6_addr = rr_add.rdata
+ addrbuf = ffi.new("char[?]", INET6_ADDRSTRLEN)
+ C.inet_ntop(AF_INET6, ns_addr.sin6_addr, addrbuf, INET6_ADDRSTRLEN)
+ end
+ net.tls_client(ffi.string(addrbuf).."@853", {k})
+ log_info(ffi.C.LOG_GRP_DOTAUTH, "Adding %s IP %s %s", name_add, ffi.string(addrbuf).."@853", k)
+ end
+ end
+ end
+ end
+ end
+ end
+
+ return state
+
+end
+
+return M
diff --git a/modules/experimental_dot_auth/meson.build b/modules/experimental_dot_auth/meson.build
new file mode 100644
index 0000000..e2e1edf
--- /dev/null
+++ b/modules/experimental_dot_auth/meson.build
@@ -0,0 +1,13 @@
+# LUA module: experimental_dot_auth
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+lua_mod_src += [
+ files('experimental_dot_auth.lua'),
+]
+
+# install static files
+install_subdir(
+ 'static',
+ strip_directory: true,
+ install_dir: modules_dir / 'http',
+)