Sign BIND to test DNSSEC

Author: spevnev

.clang-tidy

@@ -7,6 +7,7 @@ Checks: >
   modernize-*,
   -modernize-use-trailing-return-type,
   -modernize-avoid-c-arrays,
+  -modernize-raw-string-literal,
   performance-*,
   -performance-enum-size,
   portability-*,

src/main.cc

@@ -1,5 +1,6 @@
 #include <cstdlib>
 #include <memory>
+#include <optional>
 #include <print>
 #include <string>
 #include "dns.hh"
@@ -85,9 +86,14 @@ int main(int argc, char **argv) {
             return EXIT_FAILURE;
         }
 
+        std::optional<NameserverConfig> nameserver = std::nullopt;
+        if (result.contains("server")) {
+            nameserver = NameserverConfig{.address = result["server"].as<std::string>()};
+        }
+
         Resolver resolver{{
             .timeout_ms = result["timeout"].as<uint64_t>() * 1000,
-            .nameserver = result["server"].as_optional<std::string>(),
+            .nameserver = nameserver,
             .use_root_nameservers = result["use-root"].as<bool>(),
             .use_resolve_config = result["use-config"].as<bool>(),
             .port = result["port"].as<uint16_t>(),

src/resolve.cc

@@ -26,7 +26,6 @@ struct Nameserver {
 };
 
 struct Zone {
-    // Do not use the zone whose nameserver is being resolved.
     bool is_being_resolved{false};
     std::string domain;
     bool enable_edns;
@@ -195,11 +194,11 @@ std::shared_ptr<Zone> Resolver::SafetyBelt::next() {
 std::queue<std::shared_ptr<Zone>> Resolver::init_safety_belt(const ResolverConfig &config) const {
     std::queue<std::shared_ptr<Zone>> zones;
 
-    if (dnssec != FeatureState::Require) {
-        // Only the root zone can be used with DNSSEC because it is the only trust anchor.
-        if (config.nameserver.has_value()) zones.push(new_zone_from_nameserver(config.nameserver.value()));
-        if (config.use_resolve_config) zones.push(load_resolve_config());
+    if (config.nameserver.has_value()) {
+        auto zone = new_zone_from_config(config.nameserver.value());
+        if (zone->enable_dnssec || dnssec != FeatureState::Require) zones.push(std::move(zone));
     }
+    if (config.use_resolve_config && dnssec != FeatureState::Require) zones.push(load_resolve_config());
     if (config.use_root_nameservers) zones.push(new_root_zone());
 
     if (zones.empty()) throw std::runtime_error("No nameserver is specified");
@@ -255,13 +254,18 @@ std::shared_ptr<Zone> Resolver::load_resolve_config() const {
     return zone;
 }
 
-std::shared_ptr<Zone> Resolver::new_zone_from_nameserver(const std::string &address_or_domain) const {
-    auto zone = new_zone(".", false);
+std::shared_ptr<Zone> Resolver::new_zone_from_config(const NameserverConfig &config) const {
+    auto zone_domain = config.zone_domain.has_value() ? fully_qualify_domain(config.zone_domain.value()) : ".";
+    bool enable_dnssec = config.zone_domain.has_value() && (!config.dss.empty() || !config.dnskeys.empty());
+    auto zone = new_zone(zone_domain, enable_dnssec);
+    zone->dss = config.dss;
+    zone->dnskeys = config.dnskeys;
+
     in_addr_t ip_address;
-    if (inet_pton(AF_INET, address_or_domain.c_str(), &ip_address) == 1) {
+    if (inet_pton(AF_INET, config.address.c_str(), &ip_address) == 1) {
         zone->add_nameserver(ip_address);
     } else {
-        zone->add_nameserver(address_or_domain);
+        zone->add_nameserver(fully_qualify_domain(config.address));
     }
     return zone;
 }
@@ -343,17 +347,17 @@ bool Resolver::authenticate_rrset(const std::vector<RR> &rrset, RRType rr_type,
                                   const Zone &zone) const {
     if (rrset.empty()) return true;
 
-    if (rr_type != RRType::DNSKEY) {
-        return dnssec::authenticate_rrset(rrset, rrsigs, zone.dnskeys, nsec3_rrset, nsec_rrset, zone.domain);
-    }
+    if (rr_type == RRType::DNSKEY && zone.dnskeys.empty()) {
+        if (!zone.dss.empty()) {
+            return dnssec::authenticate_delegation(rrset, zone.dss, rrsigs, nsec3_rrset, nsec_rrset, zone.domain);
+        }
 
-    if (!zone.dss.empty()) {
-        return dnssec::authenticate_delegation(rrset, zone.dss, rrsigs, nsec3_rrset, nsec_rrset, zone.domain);
+        // There is no secure delegation, so just verify that the RRSIG was signed with one of these DNSKEYs.
+        auto dnskeys = rrset_to_data<DNSKEY>(rrset);
+        return dnssec::authenticate_rrset(rrset, rrsigs, dnskeys, nsec3_rrset, nsec_rrset, zone.domain);
     }
 
-    // There is no secure delegation, so just verify that the RRSIG was signed with one of these DNSKEYs.
-    auto dnskeys = rrset_to_data<DNSKEY>(rrset);
-    return dnssec::authenticate_rrset(rrset, rrsigs, dnskeys, nsec3_rrset, nsec_rrset, zone.domain);
+    return dnssec::authenticate_rrset(rrset, rrsigs, zone.dnskeys, nsec3_rrset, nsec_rrset, zone.domain);
 }
 
 std::vector<RR> Resolver::get_unauthenticated_rrset(std::vector<RR> &rrset, RRType rr_type) {
@@ -472,8 +476,11 @@ std::optional<std::vector<RR>> Resolver::resolve_rec(const std::string &domain,
         next_zone = nullptr;
 
         // Get zone's DNSKEYs.
-        if (zone->enable_dnssec && zone->dnskeys.empty() && rr_type != RRType::DNSKEY) {
+        if (zone->enable_dnssec && zone->dnskeys.empty() && !zone->is_being_resolved) {
+            zone->is_being_resolved = true;
             auto dnskey_rrset = resolve_rec(zone->domain, RRType::DNSKEY, depth + 1, zone);
+            zone->is_being_resolved = false;
+
             if (dnskey_rrset.has_value() && !dnskey_rrset->empty()) {
                 zone->dnskeys = rrset_to_data<DNSKEY>(std::move(dnskey_rrset.value()));
             } else {
@@ -633,7 +640,7 @@ std::optional<std::vector<RR>> Resolver::resolve_rec(const std::string &domain,
                         }
                         referral_zone = new_zone(ns_rr.domain);
                     } else if (ns_rr.domain != referral_zone->domain) {
-                        throw std::runtime_error(std::format("Authority contains multiple referrals: {} and {}",
+                        throw std::runtime_error(std::format("Authority contains multiple referrals: \"{}\" and \"{}\"",
                                                              ns_rr.domain, referral_zone->domain));
                     }
 
@@ -693,9 +700,8 @@ std::optional<std::vector<RR>> Resolver::resolve_rec(const std::string &domain,
                     // Retry the same nameserver with the new server cookie once.
                     i--;
                     nameserver->sent_bad_cookie = true;
-                } else {
-                    // Try a different nameserver.
                 }
+                // Try a different nameserver.
             } catch (const std::exception &e) {
                 // Nameserver error, try asking the different nameserver if there are any left.
                 if (verbose) std::println(stderr, "Failed to resolve the domain: {}.", e.what());

src/resolve.hh

@@ -32,9 +32,16 @@ struct Zone;
 
 enum class FeatureState { Disable, Enable, Require };
 
+struct NameserverConfig {
+    std::string address;
+    std::optional<std::string> zone_domain{std::nullopt};
+    std::vector<DS> dss{};
+    std::vector<DNSKEY> dnskeys{};
+};
+
 struct ResolverConfig {
     uint64_t timeout_ms{5000};
-    std::optional<std::string> nameserver{std::nullopt};
+    std::optional<NameserverConfig> nameserver{std::nullopt};
     bool use_root_nameservers{true};
     bool use_resolve_config{true};
     uint16_t port{DNS_PORT};
@@ -79,7 +86,7 @@ private:
     std::shared_ptr<Zone> new_zone(const std::string &domain, bool enable_dnssec = true) const;
     std::shared_ptr<Zone> new_root_zone() const;
     std::shared_ptr<Zone> load_resolve_config() const;
-    std::shared_ptr<Zone> new_zone_from_nameserver(const std::string &address_or_domain) const;
+    std::shared_ptr<Zone> new_zone_from_config(const NameserverConfig &config) const;
     std::shared_ptr<Zone> find_zone(const std::string &domain) const;
     void zone_disable_dnssec(Zone &zone) const;
 

tests/bind/test.zone.base renamed to tests/bind/base.db

@@ -1,5 +1,5 @@
-$TTL 0
-@ SOA @ @ 0 1d 1h 1w 0
+$TTL 1d
+@ SOA mname rname 100 200 300 400 500
 
 ; Nameservers
 @      NS     ns1

tests/bind/keys/Ksigned.com.+013+22197.key

@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 22197, for signed.com.
+; Created: 20250810141814 (Sun Aug 10 10:18:14 2025)
+; Publish: 20250810141814 (Sun Aug 10 10:18:14 2025)
+; Activate: 20250810141814 (Sun Aug 10 10:18:14 2025)
+signed.com. IN DNSKEY 257 3 13 co1i7ik/vkvjVF57saB+qrWubkFKliRH7TCypWOlFn/z9btaFk4toSyn csa4Lay0p6xe2OckNWXs7KMMtZQWjw==

tests/bind/keys/Ksigned.com.+013+22197.private

@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: 9kPRAu6eIPpyrcz2JLdqtHjuY29BK2VYv0ZSzHPV0jA=
+Created: 20250810141814
+Publish: 20250810141814
+Activate: 20250810141814

tests/bind/named.conf

@@ -1,12 +1,36 @@
 options {
   listen-on { 127.0.0.1; };
   port 1053;
+
   directory "./build/named";
+  key-directory "keys";
   pid-file "named.pid";
+
+  max-cache-size 20%;
+  session-keyfile none;
+  recursion no;
 };
 
-zone "test.com" {
+# Disable rndc
+controls {};
+
+zone "unsigned.com" {
   type primary;
-  file "test.zone";
+  file "unsigned.com.db";
   notify no;
 };
+
+zone "signed.com" {
+  type primary;
+  file "signed.com.db";
+  notify no;
+  dnssec-policy "nsec-policy";
+  inline-signing yes;
+};
+
+dnssec-policy "nsec-policy" {
+  keys {
+    ksk lifetime unlimited algorithm ECDSAP256SHA256;
+    zsk lifetime 60d algorithm ECDSAP256SHA256;
+  };
+};

tests/cases/bind/a.cc

@@ -2,18 +2,25 @@
 #include "config.hh"
 #include "resolve.hh"
 
-int main() {
-    /// a A 1.2.3.4
-    Resolver resolver{TEST_RESOLVER_CONFIG};
-    auto opt_rrset = resolver.resolve("a." TEST_DOMAIN, RRType::A);
-    ASSERT(opt_rrset.has_value());
+/// a A 1.2.3.4
+
+namespace {
+void check_response(const std::optional<std::vector<RR>> &response) {
+    ASSERT(response.has_value());
 
-    auto &rrset = opt_rrset.value();
+    const auto &rrset = response.value();
     ASSERT(rrset.size() == 1);
 
-    auto &rr = rrset[0];
+    const auto &rr = rrset[0];
     ASSERT(rr.type == RRType::A);
     ASSERT(std::get<A>(rr.data).address == get_ip4("1.2.3.4"));
+}
+}  // namespace
 
+int main() {
+    Resolver unsigned_resolver{UNSIGNED_RESOLVER_CONFIG};
+    Resolver signed_resolver{SIGNED_RESOLVER_CONFIG};
+    check_response(unsigned_resolver.resolve("a." UNSIGNED_DOMAIN, RRType::A));
+    check_response(signed_resolver.resolve("a." SIGNED_DOMAIN, RRType::A));
     return EXIT_SUCCESS;
 }

tests/cases/bind/aaaa.cc

@@ -2,18 +2,25 @@
 #include "config.hh"
 #include "resolve.hh"
 
-int main() {
-    /// aaaa AAAA 1:2:3:4::
-    Resolver resolver{TEST_RESOLVER_CONFIG};
-    auto opt_rrset = resolver.resolve("aaaa." TEST_DOMAIN, RRType::AAAA);
-    ASSERT(opt_rrset.has_value());
+/// aaaa AAAA 1:2:3:4::
+
+namespace {
+void check_response(const std::optional<std::vector<RR>> &response) {
+    ASSERT(response.has_value());
 
-    auto &rrset = opt_rrset.value();
+    const auto &rrset = response.value();
     ASSERT(rrset.size() == 1);
 
-    auto &rr = rrset[0];
+    const auto &rr = rrset[0];
     ASSERT(rr.type == RRType::AAAA);
     ASSERT(ip6_equals(std::get<AAAA>(rr.data).address, "1:2:3:4::"));
+}
+}  // namespace
 
+int main() {
+    Resolver unsigned_resolver{UNSIGNED_RESOLVER_CONFIG};
+    Resolver signed_resolver{SIGNED_RESOLVER_CONFIG};
+    check_response(unsigned_resolver.resolve("aaaa." UNSIGNED_DOMAIN, RRType::AAAA));
+    check_response(signed_resolver.resolve("aaaa." SIGNED_DOMAIN, RRType::AAAA));
     return EXIT_SUCCESS;
 }