Add middleware/dnssec (#133)

This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies.
2025-12-07 02:45:11 -05:00 · 2016-04-26 17:57:11 +01:00
parent 8e6c690484
commit 1aa1a92198
39 changed files with 1206 additions and 144 deletions
--- a/middleware/classify.go
+++ b/middleware/classify.go
@@ -0,0 +1,52 @@
+package middleware
+
+import "github.com/miekg/dns"
+
+type MsgType int
+
+const (
+	Success    MsgType = iota
+	NameError          // NXDOMAIN in header, SOA in auth.
+	NoData             // NOERROR in header, SOA in auth.
+	Delegation         // NOERROR in header, NS in auth, optionally fluff in additional (not checked).
+	OtherError         // Don't cache these.
+)
+
+// Classify classifies a message, it returns the MessageType.
+func Classify(m *dns.Msg) (MsgType, *dns.OPT) {
+	opt := m.IsEdns0()
+
+	if len(m.Answer) > 0 && m.Rcode == dns.RcodeSuccess {
+		return Success, opt
+	}
+
+	soa := false
+	ns := 0
+	for _, r := range m.Ns {
+		if r.Header().Rrtype == dns.TypeSOA {
+			soa = true
+			continue
+		}
+		if r.Header().Rrtype == dns.TypeNS {
+			ns++
+		}
+	}
+
+	// Check length of different sections, and drop stuff that is just to large? TODO(miek).
+	if soa && m.Rcode == dns.RcodeSuccess {
+		return NoData, opt
+	}
+	if soa && m.Rcode == dns.RcodeNameError {
+		return NameError, opt
+	}
+
+	if ns > 0 && ns == len(m.Ns) && m.Rcode == dns.RcodeSuccess {
+		return Delegation, opt
+	}
+
+	if m.Rcode == dns.RcodeSuccess {
+		return Success, opt
+	}
+
+	return OtherError, opt
+}