diff options
Diffstat (limited to 'modules/experimental_dot_auth')
16 files changed, 249 insertions, 0 deletions
diff --git a/modules/experimental_dot_auth/.packaging/centos/7/rundeps b/modules/experimental_dot_auth/.packaging/centos/7/rundeps new file mode 100644 index 0000000..36b83e1 --- /dev/null +++ b/modules/experimental_dot_auth/.packaging/centos/7/rundeps @@ -0,0 +1 @@ +lua-basexx diff --git a/modules/experimental_dot_auth/.packaging/centos/8/rundeps b/modules/experimental_dot_auth/.packaging/centos/8/rundeps new file mode 100644 index 0000000..984c7ce --- /dev/null +++ b/modules/experimental_dot_auth/.packaging/centos/8/rundeps @@ -0,0 +1 @@ +lua5.1-basexx diff --git a/modules/experimental_dot_auth/.packaging/debian/10/rundeps b/modules/experimental_dot_auth/.packaging/debian/10/rundeps new file mode 100644 index 0000000..36b83e1 --- /dev/null +++ b/modules/experimental_dot_auth/.packaging/debian/10/rundeps @@ -0,0 +1 @@ +lua-basexx diff --git a/modules/experimental_dot_auth/.packaging/debian/9/rundeps b/modules/experimental_dot_auth/.packaging/debian/9/rundeps new file mode 100644 index 0000000..36b83e1 --- /dev/null +++ b/modules/experimental_dot_auth/.packaging/debian/9/rundeps @@ -0,0 +1 @@ +lua-basexx diff --git a/modules/experimental_dot_auth/.packaging/fedora/31/rundeps b/modules/experimental_dot_auth/.packaging/fedora/31/rundeps new file mode 100644 index 0000000..984c7ce --- /dev/null +++ b/modules/experimental_dot_auth/.packaging/fedora/31/rundeps @@ -0,0 +1 @@ +lua5.1-basexx diff --git a/modules/experimental_dot_auth/.packaging/fedora/32/rundeps b/modules/experimental_dot_auth/.packaging/fedora/32/rundeps new file mode 100644 index 0000000..984c7ce --- /dev/null +++ b/modules/experimental_dot_auth/.packaging/fedora/32/rundeps @@ -0,0 +1 @@ +lua5.1-basexx diff --git a/modules/experimental_dot_auth/.packaging/leap/15.2/NOTSUPPORTED b/modules/experimental_dot_auth/.packaging/leap/15.2/NOTSUPPORTED new file mode 100644 index 0000000..682eff0 --- /dev/null +++ b/modules/experimental_dot_auth/.packaging/leap/15.2/NOTSUPPORTED @@ -0,0 +1,6 @@ + +ERROR:test_packaging:Installing https://luarocks.org/basexx-0.4.1-1.rockspec +Error: Failed extracting v0.4.1.tar.gz + +Doesn't works on GitLab CI/CD, but works on localhost. +gzip and tar packages are installed, all packages has same version as packages on localhost's docker container. diff --git a/modules/experimental_dot_auth/.packaging/leap/15.2/pre-test.sh b/modules/experimental_dot_auth/.packaging/leap/15.2/pre-test.sh new file mode 100755 index 0000000..df5d784 --- /dev/null +++ b/modules/experimental_dot_auth/.packaging/leap/15.2/pre-test.sh @@ -0,0 +1 @@ +luarocks --lua-version 5.1 install basexx --from=https://mah0x211.github.io/rocks/ diff --git a/modules/experimental_dot_auth/.packaging/leap/15.2/rundeps b/modules/experimental_dot_auth/.packaging/leap/15.2/rundeps new file mode 100644 index 0000000..9e636d8 --- /dev/null +++ b/modules/experimental_dot_auth/.packaging/leap/15.2/rundeps @@ -0,0 +1,4 @@ +lua51-luarocks +git +tar +gzip diff --git a/modules/experimental_dot_auth/.packaging/test.config b/modules/experimental_dot_auth/.packaging/test.config new file mode 100644 index 0000000..39e9aed --- /dev/null +++ b/modules/experimental_dot_auth/.packaging/test.config @@ -0,0 +1,4 @@ +-- SPDX-License-Identifier: GPL-3.0-or-later +modules.load('experimental_dot_auth') +assert(experimental_dot_auth) +quit() diff --git a/modules/experimental_dot_auth/.packaging/ubuntu/16.04/NOTSUPPORTED b/modules/experimental_dot_auth/.packaging/ubuntu/16.04/NOTSUPPORTED new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/modules/experimental_dot_auth/.packaging/ubuntu/16.04/NOTSUPPORTED diff --git a/modules/experimental_dot_auth/.packaging/ubuntu/18.04/rundeps b/modules/experimental_dot_auth/.packaging/ubuntu/18.04/rundeps new file mode 100644 index 0000000..36b83e1 --- /dev/null +++ b/modules/experimental_dot_auth/.packaging/ubuntu/18.04/rundeps @@ -0,0 +1 @@ +lua-basexx diff --git a/modules/experimental_dot_auth/.packaging/ubuntu/20.04/rundeps b/modules/experimental_dot_auth/.packaging/ubuntu/20.04/rundeps new file mode 100644 index 0000000..36b83e1 --- /dev/null +++ b/modules/experimental_dot_auth/.packaging/ubuntu/20.04/rundeps @@ -0,0 +1 @@ +lua-basexx diff --git a/modules/experimental_dot_auth/README.rst b/modules/experimental_dot_auth/README.rst new file mode 100644 index 0000000..a93f516 --- /dev/null +++ b/modules/experimental_dot_auth/README.rst @@ -0,0 +1,91 @@ +.. SPDX-License-Identifier: GPL-3.0-or-later + +.. _mod-experimental_dot_auth: + +Experimental DNS-over-TLS Auto-discovery +======================================== + +This experimental module provides automatic discovery of authoritative servers' supporting DNS-over-TLS. +The module uses magic NS names to detect SPKI_ fingerprint which is very similar to `dnscurve`_ mechanism. + +.. warning:: This protocol and module is experimental and can be changed or removed at any time. Use at own risk, security properties were not analyzed! + +How it works +------------ + +The module will look for NS target names formatted as: +``dot-{base32(sha256(SPKI))}....`` + +For instance, Knot Resolver will detect NS names formatted like this + +.. code-block:: none + + example.com NS dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.example.com + +and automatically discover that example.com NS supports DoT with the base64-encoded SPKI digest of ``m+12GgMFIiheEhKvUcOynjbn3WYQUp5tVGDh7Snwj/Q=`` +and will associate it with the IPs of ``dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.example.com``. + +In that example, the base32 encoded (no padding) version of the sha256 PIN is ``tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a``, which when +converted to base64 translates to ``m+12GgMFIiheEhKvUcOynjbn3WYQUp5tVGDh7Snwj/Q=``. + +Generating NS target names +-------------------------- + +To generate the NS target name, use the following command to generate the base32 encoded string of the SPKI fingerprint: + +.. code-block:: bash + + openssl x509 -in /path/to/cert.pem -pubkey -noout | \ + openssl pkey -pubin -outform der | \ + openssl dgst -sha256 -binary | \ + base32 | tr -d '=' | tr '[:upper:]' '[:lower:]' + tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a + +Then add a target to your NS with: ``dot-${b32}.a.example.com`` + +Finally, map ``dot-${b32}.a.example.com`` to the right set of IPs. + +.. code-block:: bash + + ... + ... + ;; QUESTION SECTION: + ;example.com. IN NS + + ;; AUTHORITY SECTION: + example.com. 3600 IN NS dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.a.example.com. + example.com. 3600 IN NS dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.b.example.com. + + ;; ADDITIONAL SECTION: + dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.a.example.com. 3600 IN A 192.0.2.1 + dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.b.example.com. 3600 IN AAAA 2001:DB8::1 + ... + ... + +Example configuration +--------------------- + +To enable the module, add this snippet to your config: + +.. code-block:: lua + + -- Start an experiment, use with caution + modules.load('experimental_dot_auth') + +This module requires standard ``basexx`` Lua library which is typically provided by ``lua-basexx`` package. + +Caveats +------- + +The module relies on seeing the reply of the NS query and as such will not work +if Knot Resolver uses data from its cache. You may need to delete the cache before starting ``kresd`` to work around this. + +The module also assumes that the NS query answer will return both the NS targets in the Authority section as well as the glue records in the Additional section. + +Dependencies +------------ + +* `lua-basexx <https://github.com/aiq/basexx>`_ available in LuaRocks + +.. _dnscurve: https://dnscurve.org/ +.. _SPKI: https://en.wikipedia.org/wiki/Simple_public-key_infrastructure diff --git a/modules/experimental_dot_auth/experimental_dot_auth.lua b/modules/experimental_dot_auth/experimental_dot_auth.lua new file mode 100644 index 0000000..08c5080 --- /dev/null +++ b/modules/experimental_dot_auth/experimental_dot_auth.lua @@ -0,0 +1,122 @@ +-- SPDX-License-Identifier: GPL-3.0-or-later +-- Module interface + +local ffi = require('ffi') +local basexx = require('basexx') +local C = ffi.C + +-- Export module interface +local M = {} +M.layer = {} +local base32 = {} +local str = {} +local AF_INET = 2 +local AF_INET6 = 10 +local INET_ADDRSTRLEN = 16 +local INET6_ADDRSTRLEN = 46 + +ffi.cdef[[ +/* + * Data structures + */ +typedef int socklen_t; + struct sockaddr_storage{ + unsigned short int ss_family; + unsigned long int __ss_align; + char __ss_padding[128 - (2 *sizeof(unsigned long int))]; + }; + struct in_addr{ + unsigned char s_addr[4]; + }; + struct in6_addr{ + unsigned char s6_addr[16]; + }; + struct sockaddr_in{ + short sin_family; + unsigned short sin_port; + struct in_addr sin_addr; + char sin_zero[8]; + } __attribute__ ((__packed__)); + struct sockaddr_in6{ + unsigned short sin6_family; + unsigned short sin6_port; + unsigned int sin6_flowinfo; + struct in6_addr sin6_addr; + unsigned int sin6_scope_id; + }; + typedef unsigned short sa_family_t; + struct sockaddr_un { + sa_family_t sun_family; + char sun_path[108]; + }; + const char *inet_ntop( + int af, + const void *cp, + char *buf, + socklen_t len); +]] + +function base32.pad(b32) + local m = #b32 % 8 + if m ~= 0 then + b32 = b32 .. string.rep("=", 8 - m) + end + return b32 +end + +function str.starts(String,Start) + return string.sub(String,1,string.len(Start))==Start +end + +-- Handle DoT signalling NS domains. +function M.layer.consume(state, _, pkt) + -- Only successful answers + if state == kres.FAIL then return state end + -- log_debug(ffi.C.LOG_GRP_DOTAUTH, "%s", pkt:tostring()) + local authority = pkt:section(kres.section.AUTHORITY) + local additional = pkt:section(kres.section.ADDITIONAL) + for _, rr in ipairs(authority) do + --log_debug(ffi.C.LOG_GRP_DOTAUTH, "%d %s", rr.type, kres.dname2str(rr.rdata)) + if rr.type == kres.type.NS then + local name = kres.dname2str(rr.rdata):upper() + -- log_debug(ffi.C.LOG_GRP_DOTAUTH, "NS %d", name:len()) + if name:len() > 56 and str.starts(name, "DOT-") then + local k = basexx.to_base64( + basexx.from_base32( + base32.pad(string.sub(name, 5, string.find(name, '[.]') - 1)) + ) + ) + for _, rr_add in ipairs(additional) do + if rr_add.type == kres.type.A or rr_add.type == kres.type.AAAA then + local name_add = kres.dname2str(rr_add.owner):upper() + if name == name_add then + local addrbuf + if rr_add.type == kres.type.A then + local ns_addr = ffi.new("struct sockaddr_in") + ns_addr.sin_family = AF_INET + + ns_addr.sin_addr.s_addr = rr_add.rdata + addrbuf = ffi.new("char[?]", INET_ADDRSTRLEN) + C.inet_ntop(AF_INET, ns_addr.sin_addr, addrbuf, INET_ADDRSTRLEN) + else + local ns_addr = ffi.new("struct sockaddr_in6") + ns_addr.sin6_family = AF_INET6 + + ns_addr.sin6_addr.s6_addr = rr_add.rdata + addrbuf = ffi.new("char[?]", INET6_ADDRSTRLEN) + C.inet_ntop(AF_INET6, ns_addr.sin6_addr, addrbuf, INET6_ADDRSTRLEN) + end + net.tls_client(ffi.string(addrbuf).."@853", {k}) + log_info(ffi.C.LOG_GRP_DOTAUTH, "Adding %s IP %s %s", name_add, ffi.string(addrbuf).."@853", k) + end + end + end + end + end + end + + return state + +end + +return M diff --git a/modules/experimental_dot_auth/meson.build b/modules/experimental_dot_auth/meson.build new file mode 100644 index 0000000..e2e1edf --- /dev/null +++ b/modules/experimental_dot_auth/meson.build @@ -0,0 +1,13 @@ +# LUA module: experimental_dot_auth +# SPDX-License-Identifier: GPL-3.0-or-later + +lua_mod_src += [ + files('experimental_dot_auth.lua'), +] + +# install static files +install_subdir( + 'static', + strip_directory: true, + install_dir: modules_dir / 'http', +) |