From 4f6e4ce082922771c2cf6d45e4fda1ba97644be7 Mon Sep 17 00:00:00 2001
From: Neerav Kumar
Date: Thu, 19 Nov 2020 11:46:53 -0600
Subject: [PATCH] Resolve #12 : Add support for dnssec validation
---
 setup.go | 9 +++++++++
 unbound.go | 21 ++++++++++++++++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/setup.go b/setup.go
index 1c82e70..933a833 100644
--- a/setup.go
+++ b/setup.go
@@ -93,6 +93,15 @@ func unboundParse(c *caddy.Controller) (*Unbound, error) {
 if err = u.config(args[0]); err != nil {
 return nil, err
 }
+ case "anchor":
+ args = c.RemainingArgs()
+ if len(args) != 1 {
+ return nil, c.ArgErr()
+ }
+ if err = u.setAnchor(args[0]); err != nil {
+ return nil, err
+ }
+ u.strict = true
 default:
 return nil, c.ArgErr()
 }
diff --git a/unbound.go b/unbound.go
index 2107f2a..d85265b 100644
--- a/unbound.go
+++ b/unbound.go
@@ -23,6 +23,7 @@ type Unbound struct {
 from []string
 except []string
+ strict bool
 Next plugin.Handler
 }
@@ -86,6 +87,22 @@ func (u *Unbound) config(f string) error {
 return nil
 }
+// anchor reads the file f and sets it as anchor
+func (u *Unbound) setAnchor(f string) error {
+ var err error
+
+ err = u.u.AddTaFile(f)
+ if err != nil {
+ return fmt.Errorf("failed to read trust anchor file (%s) UDP context: %s", f, err)
+ }
+
+ err = u.t.AddTaFile(f)
+ if err != nil {
+ return fmt.Errorf("failed to read trust anchor file (%s) TCP context: %s", f, err)
+ }
+ return nil
+}
+
 // ServeDNS implements the plugin.Handler interface.
 func (u *Unbound) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) {
 state := request.Request{W: w, Req: r}
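Review bot: The `anchor` argument in `args[0]` is handed to `u.setAnchor` unchanged, so a relative path is resolved against the process working directory rather than the Corefile's location; if this plugin's other file-taking directives resolve paths against the server root, this one should do the same so a trust anchor is not accidentally loaded from the wrong place. The directive is also undocumented: the diff touches no README, and an entry describing `anchor FILE` (loads a DNSSEC trust-anchor file and switches the plugin to strict mode, in which answers that do not validate as secure are returned as SERVFAIL) belongs with the feature. A repeated `anchor` line calls `setAnchor` again with a second file, which is presumably accepted by `AddTaFile` but is worth a sentence in that documentation. unboundParse starts and ends outside the hunk.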
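Review bot: The new `strict` field carries no comment, and what it controls is only discoverable by reading setup.go and ServeDNS together; add `// strict makes ServeDNS fail closed (SERVFAIL) when an answer is not DNSSEC-secure. Set by the anchor directive.` above it so the fail-closed behaviour is visible at the type. The Unbound struct's header and remaining fields are outside the hunk.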
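Review bot: The doc comment on the new function names it `anchor` while the function is `setAnchor`; Go doc comments start with the identifier, so it should read `// setAnchor loads the DNSSEC trust-anchor file f into both the UDP and TCP unbound contexts.` The two `fmt.Errorf` calls format the cause with `%s`, which flattens the error chain; use `%w` so callers can inspect the underlying failure, e.g. `return fmt.Errorf("adding trust anchor file %q to UDP context: %w", f, err)` and the TCP counterpart, dropping the redundant "failed to" prefix. If the second `AddTaFile` fails the UDP context keeps the anchor while the TCP one does not; that partial state is harmless only because the caller aborts configuration, so a sentence in the doc comment saying the error is not recoverable would keep a future caller from retrying on the half-configured value.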
@@ -121,7 +138,9 @@ func (u *Unbound) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg
 if err != nil {
 return dns.RcodeServerFailure, err
 }
-
+ if u.strict && !res.Secure {
+ return dns.RcodeServerFailure, "dnssec validation failed"
+ }
 // If the client *didn't* set the opt record, and specifically not the DO bit,
 // strip this from the reply (unbound default to setting DO).
 if !state.Do() {
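Review bot: `return dns.RcodeServerFailure, "dnssec validation failed"` returns an untyped string where ServeDNS's second result is `error`, so this does not compile; it needs an error value, e.g. `return dns.RcodeServerFailure, fmt.Errorf("dnssec validation failed for %q", state.Name())` (fmt is already used in this file). Separately, `!res.Secure` is true both for a bogus answer and for a correct answer from an unsigned zone, so with `anchor` configured every domain without DNSSEC becomes SERVFAIL; if the intent is to fail closed only on validation failures, gate on the result's bogus indication instead (the unbound result type exposes a Bogus flag alongside Secure, and its reason string is worth logging at debug level when the query is refused). Since this is the security decision the commit introduces, a one-line comment stating which of the two policies is intended would stop a later change from silently relaxing it. `res` and `err` are assigned above the hunk and ServeDNS continues past it.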