mod-authsignal: implementation, docs, tests

Thanks to Joeri de Ruiter <joeri.deruiter@surf.nl> and Daniel Salzman for coding support.
2026-05-28 04:02:31 -04:00 · 2024-01-18 00:28:18 +01:00 · 2024-01-18 00:28:18 +01:00 · 93b1ca2bbe
commit 93b1ca2bbe
parent 172f47de03
10 changed files with 231 additions and 0 deletions
--- a/Knot.files
+++ b/Knot.files
@ -266,6 +266,7 @@ src/knot/journal/knot_lmdb.c
 src/knot/journal/knot_lmdb.h
 src/knot/journal/serialization.c
 src/knot/journal/serialization.h
+src/knot/modules/authsignal/authsignal.c
 src/knot/modules/cookies/cookies.c
 src/knot/modules/dnsproxy/dnsproxy.c
 src/knot/modules/dnstap/dnstap.c
--- a/configure.ac
+++ b/configure.ac
@ -334,6 +334,7 @@ static_modules_declars=""
 static_modules_init=""
 doc_modules=""

+KNOT_MODULE([authsignal],  "yes")
 KNOT_MODULE([cookies],     "yes")
 KNOT_MODULE([dnsproxy],    "yes", "non-shareable")
 KNOT_MODULE([dnstap],      "no")
--- a/src/knot/Makefile.inc
+++ b/src/knot/Makefile.inc
@ -240,6 +240,7 @@ KNOTD_MOD_LDFLAGS  = $(AM_LDFLAGS) -module -shared -avoid-version
 pkglibdir = $(module_instdir)
 pkglib_LTLIBRARIES =

+include $(srcdir)/knot/modules/authsignal/Makefile.inc
 include $(srcdir)/knot/modules/cookies/Makefile.inc
 include $(srcdir)/knot/modules/dnsproxy/Makefile.inc
 include $(srcdir)/knot/modules/dnstap/Makefile.inc
--- a/src/knot/modules/authsignal/Makefile.inc
+++ b/src/knot/modules/authsignal/Makefile.inc
@ -0,0 +1,12 @@
+knot_modules_authsignal_la_SOURCES = knot/modules/authsignal/authsignal.c
+EXTRA_DIST +=                        knot/modules/authsignal/authsignal.rst
+
+if STATIC_MODULE_authsignal
+libknotd_la_SOURCES += $(knot_modules_authsignal_la_SOURCES)
+endif
+
+if SHARED_MODULE_authsignal
+knot_modules_authsignal_la_LDFLAGS = $(KNOTD_MOD_LDFLAGS)
+knot_modules_authsignal_la_CPPFLAGS = $(KNOTD_MOD_CPPFLAGS)
+pkglib_LTLIBRARIES += knot/modules/authsignal.la
+endif
--- a/src/knot/modules/authsignal/authsignal.c
+++ b/src/knot/modules/authsignal/authsignal.c
@ -0,0 +1,88 @@
+/*  Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include "knot/include/module.h"
+
+static knotd_in_state_t signal_query(knotd_in_state_t state, knot_pkt_t *pkt,
+                                     knotd_qdata_t *qdata, knotd_mod_t *mod)
+{
+	assert(pkt && qdata && mod);
+
+	// Applicable when search in zone fails.
+	if (!(state == KNOTD_IN_STATE_MISS || state == KNOTD_IN_STATE_NODATA)) {
+		return state;
+	}
+
+	const unsigned name_len = knot_dname_size(qdata->name);
+
+	// Check for prefix mismatch.
+	const char *prefix = "\x07_dsboot";
+	const size_t prefix_len = 8;
+	if (name_len < prefix_len || memcmp(qdata->name, prefix, prefix_len) != 0) {
+		// promote NXDOMAIN to NODATA to accommodate synthesis below (= may be ENT)
+		qdata->rcode = KNOT_RCODE_NOERROR;
+		return KNOTD_IN_STATE_NODATA;
+	}
+
+	// Check for qtype match
+	const uint16_t qtype = knot_pkt_qtype(qdata->query);
+	if (!(qtype == KNOT_RRTYPE_CDS || qtype == KNOT_RRTYPE_CDNSKEY)) {
+		// promote NXDOMAIN to NODATA to accommodate CDS/CDNSKEY synthesis
+		qdata->rcode = KNOT_RCODE_NOERROR;
+		return KNOTD_IN_STATE_NODATA;
+	}
+
+	// Copy target zone name
+	knot_dname_storage_t target;
+	unsigned target_len = name_len - knot_dname_size(knotd_qdata_zone_name(qdata)) - prefix_len;
+	memcpy(target, qdata->name + prefix_len, target_len);
+	target[target_len] = '\0';
+
+	// Fetch CDS/CDNSKEY rrset
+	knot_rrset_t rrset;
+	int ret = knotd_qdata_zone_rrset(qdata, target, NULL, qtype, &rrset);
+	if (ret == KNOT_ENOZONE) { // unknown zone
+		return state;
+	} else if (ret != KNOT_EOK) { // something weird (zone empty, apex missing, ...)
+		qdata->rcode = KNOT_RCODE_SERVFAIL;
+		return KNOTD_IN_STATE_ERROR;
+	} else if (knot_rrset_empty(&rrset)) { // zone apex doesn't have requested type
+		// promote NXDOMAIN to NODATA to accommodate synthesis of other qtype
+		qdata->rcode = KNOT_RCODE_NOERROR;
+		return KNOTD_IN_STATE_NODATA;
+	}
+
+	// Replace owner
+	rrset.owner = (knot_dname_t *)qdata->name;
+
+	// Insert synthetic response into packet.
+	if (knot_pkt_put(pkt, 0, &rrset, KNOT_PF_FREE) != KNOT_EOK) {
+		return KNOTD_IN_STATE_ERROR;
+	}
+
+	// Authoritative response.
+	knot_wire_set_aa(pkt->wire);
+
+	return KNOTD_IN_STATE_HIT;
+}
+
+int auth_signal_load(knotd_mod_t *mod)
+{
+	return knotd_mod_in_hook(mod, KNOTD_STAGE_ANSWER, signal_query);
+}
+
+KNOTD_MOD_API(authsignal, KNOTD_MOD_FLAG_SCOPE_ZONE | KNOTD_MOD_FLAG_OPT_CONF,
+              auth_signal_load, NULL, NULL, NULL);
--- a/src/knot/modules/authsignal/authsignal.rst
+++ b/src/knot/modules/authsignal/authsignal.rst
@ -0,0 +1,41 @@
+.. _mod-authsignal:
+
+``authsignal`` – Automatic Authenticated DNSSEC Bootstrapping records
+=====================================================================
+
+This module is able to synthesize records for automatic DNSSEC bootstrapping
+(draft-ietf-dnsop-dnssec-bootstrapping).
+
+Records are synthesized only if the query can't be satisfied from the zone.
+
+Synthesized records also need to be signed. Typically, this would be done
+using the :ref:`onlinesign<mod-onlinesign>` module.
+
+Example
+-------
+
+Automatic forward records
+.........................
+
+::
+   mod-onlinesign:
+     - id: authsignal
+       nsec-bitmap: [CDS, CDNSKEY]
+
+   zone:
+     - domain: example.net
+       dnssec-signing: on
+     - domain: _signal.ns1.example.com
+       module: [mod-authsignal, mod-onlinesign/authsignal]
+
+Result:
+
+.. code-block:: console
+
+   $ kdig CDS _dsboot.example.net._signal.ns1.example.com.
+   ...
+   ;; QUESTION SECTION:
+   ;; _dsboot.example.net._signal.ns1.example.com. 	IN	CDS
+
+   ;; ANSWER SECTION:
+   _dsboot.example.net._signal.ns1.example.com. 0	IN	CDS	45504 13 2 2F2D518FD9DBB2B1403F51398A9931F2832B89F0F85C146B130D383FC23584FA
--- a/tests-extra/tests/modules/authsignal/data/_signal.dns1.zone
+++ b/tests-extra/tests/modules/authsignal/data/_signal.dns1.zone
@ -0,0 +1,5 @@
+$ORIGIN _signal.dns1.
+$TTL 7200
+
+@	SOA	dns1 hostmaster 2010111213 10800 3600 1209600 7200
+	NS	dns1
--- a/tests-extra/tests/modules/authsignal/data/example.net.zone
+++ b/tests-extra/tests/modules/authsignal/data/example.net.zone
@ -0,0 +1,9 @@
+$ORIGIN example.net.
+$TTL 7200
+
+@	SOA	dns1 hostmaster 2010111213 10800 3600 1209600 7200
+	NS	dns1
+	NS	dns2
+
+@	CDS	45985 13 2 84C852BE675B452191673019B3B5D81C211F22BC3B9DC3C0848A6379CB0261A4
+@	CDNSKEY	257 3 13 1d5lDu1o1HEn2lx+YAi2xsjOVE44wjBca/NMlKORpL7C4QERGUztd9SLo0r55+j5P7uHFoeGEnLM+ppwWwdH5A==
--- a/tests-extra/tests/modules/authsignal/test.py
+++ b/tests-extra/tests/modules/authsignal/test.py
@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+
+''' Check 'authsignal' query module synthetic responses. '''
+
+from dnstest.test import Test
+from dnstest.module import ModAuthSignal, ModOnlineSign
+import random
+
+t = Test()
+
+ModAuthSignal.check()
+
+onlinesign = random.choice([True, False])
+try:
+    ModOnlineSign.check()
+except:
+    onlinesign = False
+
+# Initialize server configuration
+knot = t.server("knot")
+zone = t.zone("_signal.dns1.", storage=".") + \
+       t.zone("example.net.", storage=".")
+t.link(zone, knot)
+
+# Configure 'authsignal' module
+knot.add_module(zone[0], ModAuthSignal())
+if onlinesign:
+    knot.add_module(zone[0], ModOnlineSign())
+
+def check_rrsig(resp, expect):
+    resp.check_count(expect if onlinesign else 0, rtype="RRSIG", section="answer")
+
+def check_nsec(resp, expect):
+    resp.check_count(expect if onlinesign else 0, rtype="NSEC", section="authority")
+    resp.check_count(expect + 1 if onlinesign else 0, rtype="RRSIG", section="authority") # +1 for SOA
+
+t.start()
+
+# example.net CDS/CDNSKEY mapping
+records = [("CDS", "45985 13 2 84C852BE675B452191673019B3B5D81C211F22BC3B9DC3C0848A6379CB0261A4"),
+           ("CDNSKEY", "257 3 13 1d5lDu1o1HEn2lx+YAi2xsjOVE44wjBca/NMlKORpL7C4QERGUztd9SLo0r55+j5P7uHFoeGEnLM+ppwWwdH5A==")]
+
+# Check CDS/CDNSKEY synthesis
+for (rdtype, result) in records:
+    resp = knot.dig("_dsboot.example.net._signal.dns1.", rdtype, dnssec=True)
+    resp.check(result, rcode="NOERROR", flags="QR AA", ttl=7200)
+    check_rrsig(resp, 1)
+
+# Check
+resp = knot.dig("_dsboot.example.net._signal.dns1.", "AAAA", dnssec=True)
+resp.check(rcode="NOERROR", flags="QR AA")
+check_nsec(resp, 1)
+
+# Check NODATA on potential empty non-terminals
+for (rdtype, _) in records:
+    resp = knot.dig("example.net._signal.dns1.", rdtype, dnssec=True)
+    resp.check(rcode="NOERROR", flags="QR AA")
+    check_nsec(resp, 1)
+
+# Check NXDOMAIN on unknown domains
+for (rdtype, _) in records:
+    resp = knot.dig("_dsboot.example.com._signal.dns1.", rdtype, dnssec=True)
+    exp_rcode = "NXDOMAIN" if not onlinesign else "NOERROR"  # Onlinesign promotes NXDOMAIN to NODATA
+    resp.check(rcode=exp_rcode, flags="QR AA")
+    check_nsec(resp, 1)
+
+t.end()
--- a/tests-extra/tools/dnstest/module.py
+++ b/tests-extra/tools/dnstest/module.py
@ -425,3 +425,9 @@ class ModProbe(KnotModule):
        conf.end()

        return conf
+
+class ModAuthSignal(KnotModule):
+    '''AuthSignal module'''
+
+    mod_name = "authsignal"
+    empty = True