dnsruby 1.60.1 → 1.61.4

data/lib/dnsruby/recursor.rb

@@ -153,7 +153,7 @@ module Dnsruby
       end
     end
     attr_accessor :nameservers, :callback, :recurse, :ipv6_ok
-    attr_reader :hints
+    attr_reader :hints, :dnssec
     #  The resolver to use for the queries
     attr_accessor :resolver
 
@@ -164,6 +164,11 @@ module Dnsruby
     @@zones_cache = nil
     @@nameservers = nil
 
+    def dnssec=(dnssec_on)
+      @dnssec = dnssec_on
+      @resolver.dnssec = dnssec_on
+    end
+
     def initialize(res = nil)
       if (res)
         @resolver = res
@@ -174,6 +179,7 @@ module Dnsruby
           @resolver = Resolver.new
         end
       end
+      @resolver.dnssec = @dnssec
       @ipv6_ok = false
     end
     # Initialize the hint servers.  Recursive queries need a starting name
@@ -196,6 +202,7 @@ module Dnsruby
       @resolver = resolver
       if (resolver.single_resolvers.length == 0)
         resolver = Resolver.new()
+        resolver.dnssec = @dnssec
       end
       if (hints && hints.length > 0)
         resolver.nameservers=hints
@@ -372,6 +379,7 @@ module Dnsruby
     end
 
     def Recursor.clear_caches(resolver = Resolver.new)
+      resolver.dnssec = @dnssec
       Recursor.set_hints(Hash.new, resolver)
       @@zones_cache = Hash.new # key zone_name, values Hash of servers and AddressCaches
       @@zones_cache["."] = @@hints
@@ -613,6 +621,7 @@ module Dnsruby
         }
       end
       resolver = Resolver.new({:nameserver=>nameservers})
+      resolver.dnssec = @dnssec
       servers = []
       resolver.single_resolvers.each {|s|
         servers.push(s.server)

data/lib/dnsruby/resolver.rb

@@ -487,6 +487,7 @@ module Dnsruby
         @config.nameserver.each do |ns|
           res = PacketSender.new({
               server:             ns,
+              port:               @port,
               dnssec:             @dnssec,
               use_tcp:            @use_tcp,
               no_tcp:             @no_tcp,
@@ -890,6 +891,14 @@ module Dnsruby
         return
       end
 
+      begin
+        msg.encode
+      rescue EncodeError => err
+        Dnsruby.log.error { "Can't encode " + msg.to_s + " : #{err}" }
+        client_queue.push([client_query_id, err])
+        return
+      end
+
       tick_needed = false
       #  add to our data structures
       #       @mutex.synchronize{
@@ -1123,6 +1132,9 @@ module Dnsruby
         increment_resolver_priority(resolver) unless response.cached
         stop_querying(client_query_id)
         #  @TODO@ Does the client want notified at this point?
+      elsif error.kind_of?(EncodeError)
+        Dnsruby.log.debug{'Encode error - sending to client'}
+        send_result_and_stop_querying(client_queue, client_query_id, select_queue, response, error)
       else
         #    - if it was any other error, then remove that server from the list for that query
         #    If a Too Many Open Files error, then don't remove, but let retry work.

data/lib/dnsruby/resource/CAA.rb

@@ -54,15 +54,17 @@ module Dnsruby
       end
 
       def encode_rdata(msg, canonical=false) #:nodoc: all
-        msg.put_pack('n', flag)
+        msg.put_pack('C', flag)
         msg.put_string(@property_tag)
-        msg.put_string(@property_value)
+        # We don't put a length byte on the final string.
+        msg.put_bytes(@property_value)
       end
 
       def self.decode_rdata(msg) #:nodoc: all
-        flag, = msg.get_unpack('n')
+        flag, = msg.get_unpack('C')
         property_tag = msg.get_string
-        property_value = msg.get_string
+        # The final string has no length byte - its length is implicit as the remainder of the packet length
+        property_value = msg.get_bytes
         return self.new("#{flag} #{property_tag} \"#{property_value}\"")
       end
     end

data/lib/dnsruby/resource/CDNSKEY.rb

@@ -0,0 +1,17 @@
+module Dnsruby
+  class RR
+    # RFC4034, section 2
+    # DNSSEC uses public key cryptography to sign and authenticate DNS
+    # resource record sets (RRsets).  The public keys are stored in DNSKEY
+    # resource records and are used in the DNSSEC authentication process
+    # described in [RFC4035]: A zone signs its authoritative RRsets by
+    # using a private key and stores the corresponding public key in a
+    # DNSKEY RR.  A resolver can then use the public key to validate
+    # signatures covering the RRsets in the zone, and thus to authenticate
+    # them.
+    class CDNSKEY < DNSKEY
+      ClassValue = nil #:nodoc: all
+      TypeValue = Types::CDNSKEY #:nodoc: all
+    end
+  end
+end

data/lib/dnsruby/resource/CDS.rb

@@ -0,0 +1,35 @@
+# --
+# Copyright 2018 Caerketton Tech Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ++
+module Dnsruby
+  class RR
+    # RFC4034, section 4
+    # The DS Resource Record refers to a DNSKEY RR and is used in the DNS
+    # DNSKEY authentication process.  A DS RR refers to a DNSKEY RR by
+    # storing the key tag, algorithm number, and a digest of the DNSKEY RR.
+    # Note that while the digest should be sufficient to identify the
+    # public key, storing the key tag and key algorithm helps make the
+    # identification process more efficient.  By authenticating the DS
+    # record, a resolver can authenticate the DNSKEY RR to which the DS
+    # record points.  The key authentication process is described in
+    # [RFC4035].
+
+    class CDS < DS
+
+      ClassValue = nil #:nodoc: all
+      TypeValue = Types::CDS #:nodoc: all
+    end
+  end
+end

data/lib/dnsruby/resource/DNSKEY.rb

@@ -313,6 +313,8 @@ module Dnsruby
           elsif [Algorithms.DSA,
               Algorithms.DSA_NSEC3_SHA1].include?(@algorithm)
             @public_key = dsa_key
+          elsif [Algorithms.ECDSAP256SHA256, Algorithms.ECDSAP384SHA384].include?(@algorithm)
+            @public_key = ec_key(Algorithms.ECDSAP256SHA256 == @algorithm ? 'prime256v1' : 'secp384r1')
           end
         end
         #  @TODO@ Support other key encodings!
@@ -340,8 +342,12 @@ module Dnsruby
         @key_length = (@key.length - pos) * 8
 
         pkey = OpenSSL::PKey::RSA.new
-        pkey.e = exponent
-        pkey.n = modulus
+        begin
+          pkey.set_key(modulus, exponent, nil) # use set_key, present in later versions of openssl gem
+        rescue NoMethodError
+          pkey.e = exponent # set_key not available in earlier versions, use this approach instead
+          pkey.n = modulus
+        end
         return pkey
       end
 
@@ -361,10 +367,31 @@ module Dnsruby
         @key_length = (pgy_len * 8)
 
         pkey = OpenSSL::PKey::DSA.new
-        pkey.p = p
-        pkey.q = q
-        pkey.g = g
-        pkey.pub_key = y
+        begin
+          pkey.set_pgq(p,g,q)
+          pkey.set_key(y, nil) # use set_pgq and set_key, present in later versions of openssl gem
+        rescue NoMethodError
+          pkey.p = p # set_key not available in earlier versions, use this approach instead
+          pkey.q = q
+          pkey.g = g
+          pkey.pub_key = y
+        end
+
+        pkey
+      end
+
+      # RFC6605, section 4
+      # ECDSA public keys consist of a single value, called "Q" in FIPS
+      # 186-3.  In DNSSEC keys, Q is a simple bit string that represents the
+      # uncompressed form of a curve point, "x | y".
+      def ec_key(curve = 'prime256v1')
+        group = OpenSSL::PKey::EC::Group.new(curve)
+        pkey = OpenSSL::PKey::EC.new(group)
+
+        # DNSSEC pub does not have first octet that determines whether it's uncompressed
+        # or compressed form, but it's required by OpenSSL to parse EC point correctly
+        point_from_pub = "\x04" + @key.to_s # octet string, \x04 prefix determines uncompressed
+        pkey.public_key = OpenSSL::PKey::EC::Point.new(group, point_from_pub)
 
         pkey
       end

data/lib/dnsruby/resource/IN.rb

@@ -19,7 +19,11 @@ module Dnsruby
       Types::NS => NS,
       Types::CNAME => CNAME,
       Types::DNAME => DNAME,
+      Types::URI => URI,
+      Types::DS => DS,
+      Types::CDS => CDS,
       Types::DNSKEY => DNSKEY,
+      Types::CDNSKEY => CDNSKEY,
       Types::SOA => SOA,
       Types::PTR => PTR,
       Types::HINFO => HINFO,
@@ -45,7 +49,6 @@ module Dnsruby
       Types::ANY => ANY,
       Types::RRSIG => RRSIG,
       Types::NSEC => NSEC,
-      Types::DS => DS,
       Types::NSEC3 => NSEC3,
       Types::NSEC3PARAM => NSEC3PARAM,
       Types::DLV => DLV,

data/lib/dnsruby/resource/NAPTR.rb

@@ -52,7 +52,7 @@ module Dnsruby
       end
 
       def from_string(input) #:nodoc: all
-        if (input.length > 0)
+        if (input.strip.length > 0)
           values = input.split(" ")
           @order = values [0].to_i
           @preference = values [1].to_i
@@ -76,12 +76,14 @@ module Dnsruby
       end
 
       def encode_rdata(msg, canonical=false) #:nodoc: all
-        msg.put_pack('n', @order)
-        msg.put_pack('n', @preference)
-        msg.put_string(@flags)
-        msg.put_string(@service)
-        msg.put_string(@regexp)
-        msg.put_name(@replacement, true)
+        if (@order != nil)
+          msg.put_pack('n', @order)
+          msg.put_pack('n', @preference)
+          msg.put_string(@flags)
+          msg.put_string(@service)
+          msg.put_string(@regexp)
+          msg.put_name(@replacement, true)
+        end
       end
 
       def self.decode_rdata(msg) #:nodoc: all

data/lib/dnsruby/resource/URI.rb

@@ -0,0 +1,57 @@
+module Dnsruby
+  class RR
+      class URI < RR
+        ClassValue = nil #:nodoc: all
+        TypeValue= Types::URI #:nodoc: all
+
+        #  The NAPTR RR order field
+        attr_accessor :priority
+
+        #  The NAPTR RR order field
+        attr_accessor :weight
+
+        #  The NAPTR RR order field
+        attr_accessor :target
+
+        def from_hash(hash) #:nodoc: all
+          @priority = hash[:priority]
+          @weight = hash[:weight]
+          @target = hash[:target]
+        end
+
+        def from_data(data) #:nodoc: all
+          @priority,  @weight, @target = data
+        end
+
+        def from_string(input) #:nodoc: all
+          if (input.strip.length > 0)
+            values = input.split(" ")
+            @priority = values [0].to_i
+            @weight = values [1].to_i
+            @target = values [2].gsub!("\"", "")
+          end
+        end
+
+        def rdata_to_string #:nodoc: all
+            "#{@priority} #{@weight} \"#{@target}\""
+        end
+
+        def encode_rdata(msg, canonical=false) #:nodoc: all
+          if (@priority != nil)
+            msg.put_pack('n', @priority)
+            msg.put_pack('n', @weight)
+            msg.put_bytes(@target)
+          end
+        end
+
+        def self.decode_rdata(msg) #:nodoc: all
+          priority, = msg.get_unpack('n')
+          weight, = msg.get_unpack('n')
+          target = msg.get_bytes
+          return self.new([priority, weight, target])
+        end
+
+
+      end
+  end
+end

data/lib/dnsruby/resource/generic.rb

@@ -152,9 +152,12 @@ require 'dnsruby/resource/OPT'
 require 'dnsruby/resource/TSIG'
 require 'dnsruby/resource/TKEY'
 require 'dnsruby/resource/DNSKEY'
+require 'dnsruby/resource/CDNSKEY'
 require 'dnsruby/resource/RRSIG'
 require 'dnsruby/resource/NSEC'
 require 'dnsruby/resource/DS'
+require 'dnsruby/resource/CDS'
+require 'dnsruby/resource/URI'
 require 'dnsruby/resource/NSEC3'
 require 'dnsruby/resource/NSEC3PARAM'
 require 'dnsruby/resource/DLV'

data/lib/dnsruby/select_thread.rb

@@ -24,7 +24,6 @@ require 'set'
 require 'singleton'
 require 'dnsruby/validator_thread.rb'
 module Dnsruby
-  Thread::abort_on_exception = true
   class SelectThread #:nodoc: all
     class SelectWakeup < RuntimeError; end
     include Singleton
@@ -195,7 +194,7 @@ module Dnsruby
         rescue SelectWakeup
           #  If SelectWakeup, then just restart this loop - the select call will be made with the new data
           next
-        rescue IOError => e
+        rescue IOError, EncodeError => e
           #           print "IO Error  =: #{e}\n"
           exceptions = clean_up_closed_sockets
           exceptions.each { |exception| send_exception_to_client(*exception) }

data/lib/dnsruby/single_verifier.rb

@@ -65,6 +65,7 @@ module Dnsruby
           @@recursor = Recursor.new
         end
       end
+      @@recursor.dnssec = true
       return @@recursor
     end
 
@@ -72,12 +73,15 @@ module Dnsruby
       #       if (Dnssec.do_validation_with_recursor?)
       #         return Recursor.new
       #       else
+      resolver = nil
       if (Dnssec.default_resolver)
-        return Dnssec.default_resolver
+        resolver = Dnssec.default_resolver
       else
-        return Resolver.new
+        resolver = Resolver.new
       end
       #       end
+      resolver.dnssec = true
+      return resolver
     end
     def add_dlv_key(key)
       #  Is this a ZSK or a KSK?
@@ -796,6 +800,19 @@ module Dnsruby
 
         asn1 = OpenSSL::ASN1::Sequence.new([r_asn1, s_asn1]).to_der
         verified = keyrec.public_key.verify(OpenSSL::Digest::DSS1.new, asn1, sig_data)
+      elsif [Algorithms.ECDSAP256SHA256, Algorithms.ECDSAP384SHA384].include?(sigrec.algorithm)
+        byte_size = (keyrec.public_key.group.degree + 7) / 8
+        sig_bytes = sigrec.signature[0..(byte_size - 1)]
+        sig_char = sigrec.signature[byte_size..-1] || ''
+        asn1 = OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+
+        digest_obj = if sigrec.algorithm == Algorithms.ECDSAP384SHA384
+                       OpenSSL::Digest::SHA384.new
+                     else
+                       OpenSSL::Digest::SHA256.new
+                     end
+
+        verified = keyrec.public_key.dsa_verify_asn1(digest_obj.digest(sig_data), asn1)
       else
         raise RuntimeError.new("Algorithm #{sigrec.algorithm.code} unsupported by Dnsruby")
       end
@@ -848,6 +865,7 @@ module Dnsruby
           end
         end
       end
+      res.dnssec = true
       #       query = Message.new(name, Types.DNSKEY)
       #       query.do_validation = false
       ret = nil
@@ -1011,6 +1029,7 @@ module Dnsruby
                 end
               end
             end
+            parent_res.dnssec = true
           end
           #  Use that Resolver to query for DS record and NS for children
           ds_rrset = current_anchor
@@ -1068,6 +1087,7 @@ module Dnsruby
                 child_res = Resolver.new
               end
             end
+            child_res.dnssec = true
           end
         end
         #  Query for DNSKEY record, and verify against DS in parent.
@@ -1143,11 +1163,14 @@ module Dnsruby
       if (Dnssec.do_validation_with_recursor?)
         return get_recursor
       else
+        resolver = nil
         if (Dnssec.default_resolver)
-          return Dnssec.default_resolver
+          resolver = Dnssec.default_resolver
         else
-          return Resolver.new
+          resolver = Resolver.new
         end
+        resolver.dnssec = true
+        return resolver
       end
     end
 

data/lib/dnsruby/update.rb

@@ -1,12 +1,12 @@
 # --
 # Copyright 2007 Nominet UK
-# 
+#
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-# 
+#
 #     http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -20,81 +20,81 @@ module Dnsruby
 
   # The first example below shows a complete program; subsequent examples
   # show only the creation of the update packet.
-  # 
+  #
   # == Add a new host
-  # 
+  #
   #  require 'Dnsruby'
-  # 
+  #
   #  # Create the update packet.
   #  update = Dnsruby::Update.new('example.com')
-  # 
+  #
   #  # Prerequisite is that no A records exist for the name.
   #  update.absent('foo.example.com.', 'A')
-  # 
+  #
   #  # Add two A records for the name.
   #  update.add('foo.example.com.', 'A', 86400, '192.168.1.2')
   #  update.add('foo.example.com.', 'A', 86400, '172.16.3.4')
-  # 
+  #
   #  # Send the update to the zone's primary master.
   #  res = Dnsruby::Resolver.new({:nameserver => 'primary-master.example.com'})
-  # 
+  #
   #  begin
   #      reply = res.send_message(update)
   #      print "Update succeeded\n"
   #   rescue Exception => e
   #      print 'Update failed: #{e}\n'
   #   end
-  # 
+  #
   # == Add an MX record for a name that already exists
-  # 
+  #
   #     update = Dnsruby::Update.new('example.com')
   #     update.present('example.com')
-  #     update.add('example.com', Dnsruby::Types.MX, 10, 'mailhost.example.com')
-  # 
+  #     update.add('example.com', Dnsruby::Types.MX, 86400, 10, 'mailhost.example.com')
+  #
   # == Add a TXT record for a name that doesn't exist
-  # 
+  #
   #     update = Dnsruby::Update.new('example.com')
   #     update.absent('info.example.com')
   #     update.add('info.example.com', Types.TXT, 86400, "yabba dabba doo"')
-  # 
+  #
   # == Delete all A records for a name
-  # 
+  #
   #     update = Dnsruby::Update.new('example.com')
   #     update.present('foo.example.com', 'A')
   #     update.delete('foo.example.com', 'A')
-  # 
+  #
   # == Delete all RRs for a name
-  # 
+  #
   #     update = Dnsruby::Update.new('example.com')
   #     update.present('byebye.example.com')
   #     update.delete('byebye.example.com')
-  # 
+  #
   # == Perform a signed update
-  # 
+  #
   #     key_name = 'tsig-key'
   #     key      = 'awwLOtRfpGE+rRKF2+DEiw=='
-  # 
+  #
   #     update = Dnsruby::Update.new('example.com')
-  #     update.add('foo.example.com', 'A', 86400, 10.1.2.3'))
-  #     update.add('bar.example.com', 'A', 86400, 10.4.5.6'))
+  #     update.add('foo.example.com', 'A', 86400, '10.1.2.3'))
+  #     update.add('bar.example.com', 'A', 86400, '10.4.5.6'))
   #     res.tsig=(key_name,key)
-  # 
+  #
   class Update < Message
     # Returns a Dnsruby::Update object suitable for performing a DNS
     # dynamic update.  Specifically, it creates a message with the header
     # opcode set to UPDATE and the zone record type to SOA (per RFC 2136,
     # Section 2.3).
-    # 
+    #
     # Programs must use the push method to add RRs to the prerequisite,
     # update, and additional sections before performing the update.
-    # 
+    #
     # Arguments are the zone name and the class.  If the zone is omitted,
     # the default domain will be taken from the resolver configuration.
     # If the class is omitted, it defaults to IN.
     #     packet = Dnsruby::Update.new
     #     packet = Dnsruby::Update.new('example.com')
     #     packet = Dnsruby::Update.new('example.com', 'HS')
-    # 
+    #
     def initialize(zone=nil, klass=nil)
 
       #  sort out the zone section (RFC2136, section 2.3)
@@ -115,25 +115,25 @@ module Dnsruby
     end
 
     # Ways to create the prerequisite records (exists, notexists, inuse, etc. - RFC2136, section 2.4)
-    # 
+    #
     #       (1)  RRset exists (value independent).  At least one RR with a
     #            specified NAME and TYPE (in the zone and class specified by
     #            the Zone Section) must exist.
-    # 
+    #
     #            update.present(name, type)
-    # 
+    #
     #       (2)  RRset exists (value dependent).  A set of RRs with a
     #            specified NAME and TYPE exists and has the same members
     #            with the same RDATAs as the RRset specified here in this
     #            Section.
-    # 
+    #
     #            update.present(name, type, rdata)
-    # 
+    #
     #       (4)  Name is in use.  At least one RR with a specified NAME (in
     #            the zone and class specified by the Zone Section) must exist.
     #            Note that this prerequisite is NOT satisfied by empty
     #            nonterminals.
-    # 
+    #
     #            update.present(name)
     def present(*args)
       ttl = 0
@@ -159,18 +159,18 @@ module Dnsruby
 
     # Ways to create the prerequisite records (exists, notexists, inuse, etc. - RFC2136, section 2.4)
     # Can be called with one arg :
-    # 
+    #
     #    update.absent(name)
     #       (5)  Name is not in use.  No RR of any type is owned by a
     #            specified NAME.  Note that this prerequisite IS satisfied by
     #            empty nonterminals.
-    # 
+    #
     # Or with two :
-    # 
+    #
     #    update.absent(name, type)
     #       (3)  RRset does not exist.  No RRs with a specified NAME and TYPE
     #           (in the zone and class denoted by the Zone Section) can exist.
-    # 
+    #
     def absent(*args)
       ttl = 0
       rdata = ""
@@ -191,16 +191,16 @@ module Dnsruby
 
     # Ways to create the update records (add, delete, RFC2136, section 2.5)
     #   " 2.5.1 - Add To An RRset
-    # 
+    #
     #    RRs are added to the Update Section whose NAME, TYPE, TTL, RDLENGTH
     #    and RDATA are those being added, and CLASS is the same as the zone
     #    class.  Any duplicate RRs will be silently ignored by the primary
     #    master."
-    # 
+    #
     #    update.add(rr)
     #    update.add([rr1, rr2])
     #    update.add(name, type, ttl, rdata)
-    # 
+    #
     def add(*args)
       zoneclass=zone()[0].zclass
       case args[0]
@@ -244,17 +244,17 @@ module Dnsruby
     end
 
     # Ways to create the update records (add, delete, RFC2136, section 2.5)
-    # 
+    #
     # 2.5.2 - Delete An RRset
     #    update.delete(name, type)
-    # 
-    # 
+    #
+    #
     # 2.5.3 - Delete All RRsets From A Name
     #    update.delete(name)
-    # 
+    #
     # 2.5.4 - Delete An RR From An RRset
     #   update.delete(name, type, rdata)
-    # 
+    #
     def delete(*args)
       ttl = 0
       klass = Classes.ANY
@@ -268,11 +268,28 @@ module Dnsruby
         resource = RR.create("#{args[0]} #{ttl} #{klass} #{args[1]} #{rdata}")
         add_update(resource)
       when 3 # name, type, rdata
-        resource = RR.create("#{args[0]} #{ttl} IN #{args[1]} #{args[2]}")
+        name = args[0]
+        type = args[1]
+        rdata = args[2]
+        if (Types.new(type) == Types.TXT)
+          instring = "#{name} #{ttl} IN #{type} ";
+          if (String === rdata)
+            instring += " '#{rdata}'"
+          elsif (Array === rdata)
+            rdata.length.times {|rcounter|
+            instring += " '#{rdata[rcounter]}' "
+            }
+          else
+            instring += rdata
+          end
+          resource = RR.create(instring)
+        else
+          resource = RR.create("#{name} #{ttl} IN #{type} #{rdata}")
+        end
         resource.klass = Classes.NONE
         add_update(resource)
       end
       return resource
     end
   end
-end
+end