// Check the DS with the domain DNSSEC keys and signatures. You need also to inform the // UDP max package size supported to pass into firewalls. Many firewalls don't allow // fragmented UDP packages or UDP packages bigger than 512 bytes. Returns true if DS set // is done checking and can be saved or false otherwise, that indicates that the domain // was postponed func (q *querier) checkDS(domain *model.Domain, index int, udpMaxSize uint16, postponedDomains []postponedDomain) bool { // Check if the domain has DNSSEC, this system will work with both kinds of domain. So // when the domain don't have any DS record we assume that it does not have DNSSEC // configured and check only the DNS configuration if len(domain.DSSet) == 0 { return true } nameserver := domain.Nameservers[index] domainDSPolicy := dspolicy.NewDomainDSPolicy(domain) // We are going to request the DNSSEC keys to validate with the DS information that we // have from the domain var dnsRequestMessage dns.Msg dnsRequestMessage.SetQuestion(domain.FQDN, dns.TypeDNSKEY) dnsRequestMessage.RecursionDesired = false dnsRequestMessage.SetEdns0(udpMaxSize, true) host, err := getHost(domain.FQDN, nameserver) if err == ErrHostTimeout { for index, _ := range domain.DSSet { domain.DSSet[index].ChangeStatus(model.DSStatusTimeout) } return true } else if err == ErrHostQPSExceeded { postponedDomains = append(postponedDomains, postponedDomain{ domain: domain, index: index, }) return false } dnsResponseMessage, err := q.sendDNSRequest(host, &dnsRequestMessage) querierCache.Query(nameserver.Host) if domainDSPolicy.CheckNetworkError(err) { domainDSPolicy.Run(dnsResponseMessage) } return true }
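// ExampleDS queries the first resolver from /etc/resolv.conf for the DNSKEY records of
// zone (defaulting to "miek.nl" when empty) and prints, for every key, the DS record
// derived with SHA1, SHA256 and SHA384 followed by the key's flags. Problems are
// reported on stdout and the function returns early.
func ExampleDS(zone string) {
	config, err := dns.ClientConfigFromFile("/etc/resolv.conf")
	if err != nil {
		// Without a resolver configuration, config.Servers[0] below would dereference nil.
		fmt.Printf("reading resolver configuration: %v\n", err)
		return
	}
	if len(config.Servers) == 0 {
		fmt.Println("no nameservers in resolver configuration")
		return
	}

	if zone == "" {
		zone = "miek.nl"
	}

	c := new(dns.Client)
	m := new(dns.Msg)
	m.SetQuestion(dns.Fqdn(zone), dns.TypeDNSKEY)
	// DNSKEY answers are large: advertise a 4096-byte EDNS0 buffer and set the DO bit
	// so the whole key set can arrive over UDP.
	m.SetEdns0(4096, true)

	r, _, err := c.Exchange(m, config.Servers[0]+":"+config.Port)
	if err != nil {
		fmt.Printf("querying %q: %v\n", zone, err)
		return
	}
	if r.Rcode != dns.RcodeSuccess {
		fmt.Printf("querying %q: %s\n", zone, dns.RcodeToString[r.Rcode])
		return
	}
	if r.Truncated {
		// A truncated answer carries only part of the key set; converting it would
		// silently omit keys, so stop rather than print an incomplete DS set.
		fmt.Printf("querying %q: truncated answer, DNSKEY set incomplete\n", zone)
		return
	}

	for _, rr := range r.Answer {
		key, ok := rr.(*dns.DNSKEY)
		if !ok {
			continue
		}
		// SHA1 is kept for parity with the original output; RFC 8624 disallows SHA-1
		// for newly published DS records, so prefer the SHA256/SHA384 lines.
		for _, alg := range []uint8{dns.SHA1, dns.SHA256, dns.SHA384} {
			fmt.Printf("%s; %d\n", key.ToDS(alg).String(), key.Flags)
		}
	}
}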