diff options
Diffstat (limited to 'vendor/github.com/miekg/dns/dnssec.go')
| -rw-r--r-- | vendor/github.com/miekg/dns/dnssec.go | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/vendor/github.com/miekg/dns/dnssec.go b/vendor/github.com/miekg/dns/dnssec.go index 900f6e0..8539aae 100644 --- a/vendor/github.com/miekg/dns/dnssec.go +++ b/vendor/github.com/miekg/dns/dnssec.go @@ -4,12 +4,13 @@ import ( "bytes" "crypto" "crypto/ecdsa" + "crypto/ed25519" "crypto/elliptic" "crypto/rand" "crypto/rsa" - _ "crypto/sha1" - _ "crypto/sha256" - _ "crypto/sha512" + _ "crypto/sha1" // need its init function + _ "crypto/sha256" // need its init function + _ "crypto/sha512" // need its init function "encoding/asn1" "encoding/binary" "encoding/hex" @@ -17,8 +18,6 @@ import ( "sort" "strings" "time" - - "golang.org/x/crypto/ed25519" ) // DNSSEC encryption algorithm codes. @@ -373,6 +372,8 @@ func sign(k crypto.Signer, hashed []byte, hash crypto.Hash, alg uint8) ([]byte, // Verify validates an RRSet with the signature and key. This is only the // cryptographic test, the signature validity period must be checked separately. // This function copies the rdata of some RRs (to lowercase domain names) for the validation to work. +// It also checks that the Zone Key bit (RFC 4034 2.1.1) is set on the DNSKEY +// and that the Protocol field is set to 3 (RFC 4034 2.1.2). func (rr *RRSIG) Verify(k *DNSKEY, rrset []RR) error { // First the easy checks if !IsRRset(rrset) { @@ -393,6 +394,12 @@ func (rr *RRSIG) Verify(k *DNSKEY, rrset []RR) error { if k.Protocol != 3 { return ErrKey } + // RFC 4034 2.1.1 If bit 7 has value 0, then the DNSKEY record holds some + // other type of DNS public key and MUST NOT be used to verify RRSIGs that + // cover RRsets. + if k.Flags&ZONE == 0 { + return ErrKey + } // IsRRset checked that we have at least one RR and that the RRs in // the set have consistent type, class, and name. Also check that type and @@ -500,7 +507,7 @@ func (rr *RRSIG) ValidityPeriod(t time.Time) bool { return ti <= utc && utc <= te } -// Return the signatures base64 encodedig sigdata as a byte slice. +// Return the signatures base64 encoding sigdata as a byte slice. func (rr *RRSIG) sigBuf() []byte { sigbuf, err := fromBase64([]byte(rr.Signature)) if err != nil { |