Dnssec

[LeonardWalter]

This is to start the process of integrating a DNSSEC validator to routedns.
This implementation is inspired by uw-ictd/DNSSEC-Validator and peterzen/goresolver, but adds concurrency and is adapted to work with the other routedns modules.

Currently, only validated DNS responses are forwarded. DNS responses that are not singed or have an invalid signature are dropped.

Example config file:

[resolvers.my-doh]
protocol = "doh"
address = "https://d.adguard-dns.com/dns-query{?dns}"

[groups.dnssec]
type = "dnssec"
resolvers = ["my-doh"]

[listeners.local-udp]
address = "127.0.0.1:9009"
protocol = "udp"
resolver = "dnssec"

[folbricht]

What happens when a domain isn't signed? Will this fail? I'm wondering if there should be a flag or so to switch into a more permissive mode where DNSSEC responses are validated, but responses for unsigned domains are passed through.

[folbricht]

Technically you don't need this as SetQuestion() below does it already (see https://github.com/miekg/dns/blob/v1.1.63/defaults.go#L35).

[folbricht]

getRRSet() can return nil, nil which would trigger a panic here

[folbricht]

Suggested change

	result := &RRSet{RrSet: make([]dns.RR, 0)}
	result := &RRSet{}

No need to initialize an empty list, you can read from and append to a nil list.

[folbricht]

Suggested change

	return r, err
	return r, nil

err has already been checked and must be nil here.

[folbricht]

Do we really need this? Seems more like we don't trust our own code to handle all nil pointers correctly.

[folbricht]

Rather than logging from within, might be better to extend the error and pass it back to the caller to handle. Something like

return fmt.Errorf("DS query failed for %q: %w", domainName, err)

[folbricht]

Suggested change

	if err := g.Wait(); err != nil {
	return err
	}
	return nil
	return g.Wait()

[folbricht]

Again, there should be a better way to deal with panics, i.e. avoid them at all.

[folbricht]

Is there anything else you're planning to add to this PR?

Overall my main concern is around calling it DNSSEC when it really is just a partial implementation. There are several more safeguards in the spec that aren't really handled by this implementation. It gets complex fast, which is also why I haven't tried it myself yet. Including, but probably not limited to:

• Root key management (didn't notice anything around that)
• Verifying NXDOMAIN responses, there is a dnssec-way of proving the domain doesn't exist vs a fake response
• Pretty sure there is also a way to prove that a domain isn't signed by checking the parent, rather than assuming it's not when the keys are missing in the response.

Perhaps we should call out that this is just a partial/experimental implementation? There are quite a few weaknesses in it and users shouldn't fully rely on it.

[LeonardWalter]

I am currently on vacation, so I won't be able to work on this until the end of the month. I should have some time then to dive deeper into DNSSEC and extend this PR.

You can decide if you want to merge it already, but I agree with your point that some additional information should be included.

[LeonardWalter]

I added support for loading in trust-anchor root-keys from a XML file. (Currently it only supports loading in the root zone "." )

And in the latest commit I added support for NSEC and NSEC3 Proof of Non-Existence. I am not confident about my code here, but it seemed to work for all domains I tested so far.

I couldn't find anything on how to prove unsigned domains are to be unsigned.