diff options
Diffstat (limited to 'modules/ta_sentinel')
-rw-r--r-- | modules/ta_sentinel/.packaging/test.config | 4 | ||||
-rw-r--r-- | modules/ta_sentinel/README.rst | 18 | ||||
-rw-r--r-- | modules/ta_sentinel/ta_sentinel.lua | 80 |
3 files changed, 102 insertions, 0 deletions
diff --git a/modules/ta_sentinel/.packaging/test.config b/modules/ta_sentinel/.packaging/test.config new file mode 100644 index 0000000..4bb6ac9 --- /dev/null +++ b/modules/ta_sentinel/.packaging/test.config @@ -0,0 +1,4 @@ +-- SPDX-License-Identifier: GPL-3.0-or-later +modules.load('ta_sentinel') +assert(ta_sentinel) +quit() diff --git a/modules/ta_sentinel/README.rst b/modules/ta_sentinel/README.rst new file mode 100644 index 0000000..aa9d733 --- /dev/null +++ b/modules/ta_sentinel/README.rst @@ -0,0 +1,18 @@ +.. SPDX-License-Identifier: GPL-3.0-or-later + +.. _mod-ta_sentinel: + +Sentinel for Detecting Trusted Root Keys +======================================== + +The module ``ta_sentinel`` implements A Root Key Trust Anchor Sentinel for DNSSEC +according to standard :rfc:`8509`. + +This feature allows users of DNSSEC validating resolver to detect which root keys +are configured in resolver's chain of trust. The data from such +signaling are necessary to monitor the progress of the DNSSEC root key rollover +and to detect potential breakage before it affect users. One example of research enabled by this module `is available here <https://www.potaroo.net/ispcol/2018-11/kskpm.html>`_. + +This module is enabled by default and we urge users not to disable it. +If it is absolutely necessary you may add ``modules.unload('ta_sentinel')`` +to your configuration to disable it. diff --git a/modules/ta_sentinel/ta_sentinel.lua b/modules/ta_sentinel/ta_sentinel.lua new file mode 100644 index 0000000..5a2654b --- /dev/null +++ b/modules/ta_sentinel/ta_sentinel.lua @@ -0,0 +1,80 @@ +-- SPDX-License-Identifier: GPL-3.0-or-later +local M = {} +M.layer = {} +local ffi = require('ffi') + +function M.layer.finish(state, req, pkt) + if pkt == nil then return end + -- fast filter by the length of the first QNAME label + if pkt.wire[5] == 0 then return state end -- QDCOUNT % 256 == 0, in case we produced that + local label_len = pkt.wire[12] + if label_len ~= 29 and label_len ~= 30 then + return state end + -- end of hot path + + local qtype = pkt:qtype() + if not (qtype == kres.type.A or qtype == kres.type.AAAA) then + return state end + if bit.band(state, kres.FAIL) ~= 0 then + return state end + + -- check the label name + local qry = req:resolved() + local qname = kres.dname2str(qry:name()):lower() + local sentype, keytag + if label_len == 29 then + sentype = true + keytag = qname:match('^root%-key%-sentinel%-is%-ta%-(%x+)%.') + elseif label_len == 30 then + sentype = false + keytag = qname:match('^root%-key%-sentinel%-not%-ta%-(%x+)%.') + end + if not keytag then return state end + + if req.rank ~= ffi.C.KR_RANK_SECURE or req.answer:cd() then + log_info(ffi.C.LOG_GRP_TASENTINEL, 'name+type OK but not AD+CD conditions') + return state + end + + -- check keytag from the label + keytag = tonumber(keytag) + if not keytag or math.floor(keytag) ~= keytag then + return state end -- pattern did not match, exit + if keytag < 0 or keytag > 0xffff then + return state end -- invalid keytag?!, exit + + log_info(ffi.C.LOG_GRP_TASENTINEL, 'key tag: ' .. keytag .. ', sentinel: ' .. tostring(sentype)) + + local found = false + local ds_set = ffi.C.kr_ta_get(kres.context().trust_anchors, '\0') + if ds_set ~= nil then + for i = 0, ds_set:rdcount() - 1 do + -- Find the key tag in rdata and compare + -- https://tools.ietf.org/html/rfc4034#section-5.1 + local rdata = ds_set:rdata_pt(i) + local tag = rdata.data[0] * 256 + rdata.data[1] + if tag == keytag then + found = true + end + end + end + log_info(ffi.C.LOG_GRP_TASENTINEL, 'matching trusted TA found: ' .. tostring(found)) + if not found then -- print matching TAs in *other* states than Valid + for i = 1, #(trust_anchors.keysets['\0'] or {}) do + local key = trust_anchors.keysets['\0'][i] + if key.key_tag == keytag and key.state ~= 'Valid' then + log_info(ffi.C.LOG_GRP_TASENTINEL, 'matching UNtrusted TA found in state: ' + .. key.state) + end + end + end + + if sentype ~= found then -- expected key is not there, or unexpected key is there + pkt:clear_payload() + pkt:rcode(kres.rcode.SERVFAIL) + pkt:ad(false) + end + return state -- do not break resolution process +end + +return M |