dnsruby 1.52 → 1.53

data/DNSSEC

@@ -1,19 +1,19 @@
-DNSSEC support in Dnsruby
-=========================
-
-DNSSEC defines a set of security extensions to DNS which provide a way for a resolver to verify cryptographically the DNS RRSets returned by an upstream resolver. The main standard is defined in RFCs 4033, 4034 and 4035.
-
+DNSSEC support in Dnsruby
+=========================
+
+DNSSEC defines a set of security extensions to DNS which provide a way for a resolver to verify cryptographically the DNS RRSets returned by an upstream resolver. The main standard is defined in RFCs 4033, 4034 and 4035.
+
 Dnsruby provides a recursive, validating security-aware stub resolver which maintains a cache of trusted keys and verifies RRSIG-signed messages with those keys (adding new trusted keys from signed DNSKEY RRSets and DS records). If dnsruby does not currently have the required key, it will attempt to walk the tree from the nearest known trusted key.
 
 The dnssec security status of a message is stored in Message#security_level (defined by Message::SecurityLevel).
 
 It is possible to tell Dnsruby to use a Recursor or a defined (or system default) Resolver to perform the validation. The default is to use a Recursor, as many systems are behind dodgy servers which mangle the DNS records. Using a Recursor means that only authoritative nameservers are queried for the DNSSEC records.
 
-In the absence of a signed root, Dnsruby has no trust anchor to validate messages against. It is possible to manually configure dnsruby with individual trust ancors. It is also possible to import a trust anchor repository (such as the one maintained by IANA), and configure the ISC DLV registry. Dnsruby contains basic methods to do this, although they are not currently secured. Clients are recommended to develop their own means of obtaining the initial trust anchors.
-
+In the absence of a signed root, Dnsruby has no trust anchor to validate messages against. It is possible to manually configure dnsruby with individual trust ancors. It is also possible to import a trust anchor repository (such as the one maintained by IANA), and configure the ISC DLV registry. Dnsruby contains basic methods to do this, although they are not currently secured. Clients are recommended to develop their own means of obtaining the initial trust anchors.
+
 It is possible to turn off dnssec validation on a per-message basis. Simply set Message#do_validation to false.
-
+
 DNSSEC is on by default - if desired, you can turn it off with the dnssec flag in Dnsruby::(Single)Resolver if desired. EDNS0 support is also enabled by default - if desired, you can turn this off by setting the Dnsruby::(Single)Resolver#udp_packet_size property to be 512. There should generally be no need to do this.
 
-Dnsruby maintains a cache of responses, and a cache of trusted keys. Once the initial keys have been downloaded, and a set of trusted keys built up, very little overhead is required to enjoy the benefits of DNSSEC. There is, however, some initial cost (to build up the caches).
-
+Dnsruby maintains a cache of responses, and a cache of trusted keys. Once the initial keys have been downloaded, and a set of trusted keys built up, very little overhead is required to enjoy the benefits of DNSSEC. There is, however, some initial cost (to build up the caches).
+

data/README

@@ -1,59 +1,59 @@
-Dnsruby
-=======
-
-Dnsruby is a pure Ruby DNS client library which implements a
-stub resolver. It aims to comply with all DNS RFCs, including
-DNSSEC NSEC3 support.
-
-Dnsruby presents a new API for DNS. It is based on Ruby's core
-resolv.rb Resolv API, but has been much extended to provide a
-complete DNS implementation.
-
-Dnsruby runs a single I/O thread to handle all concurrent
-queries. It is therefore suitable for high volume DNS applications.
-
-The following is a (non-exhaustive) list of features :
-
-o Implemented RRs :  A, AAAA, AFSDB, ANY, CERT, CNAME, DNAME,
-     HINFO, ISDN, LOC, MB, MG, MINFO, MR, MX, NAPTR, NS, NSAP,
-     OPT, PTR, PX, RP, RT, SOA, SPF, SRV, TKEY, TSIG, TXT, WKS,
-     X25, DNSKEY, RRSIG, NSEC, NSEC3, NSEC3PARAM, DS, DLV
-
-o Generic RR types supported (RFC3597)
-
-o (Signed) Zone transfer (AXFR and IXFR) supported
-
-o (Signed) Dyamic updates supported
-
-o DNSSEC validation supported
-
-Dependencies
-============
-
-Dnsruby can run with no dependencies. However, if you wish to
-use TSIG or DNSSEC then the OpenSSL library must be available.
-This is a part of the Ruby standard library, but appears not to
-be present on all Ruby platforms. If it is not available, then 
-the test code will not run the tests which require it. Code which
-attempts to use the library (if it is not present) will raise an
-exception.
-
-Demo code
-=========
-
-The demo folder contains some example programs using Dnsruby.
-These examples include a basic dig tool (rubydig) and a tool to
-concurrently resolve many names, amongst others.
-
-Online tests
-============
-
-Nominet operate a test server which the Dnsruby test code queries.
-If this server is not available then some of the online tests will 
-not be run.
-
-
-Contact
-=======
-
-Use dnsruby rubyforge forums, or contact : alexd@nominet.org.uk
+Dnsruby
+=======
+
+Dnsruby is a pure Ruby DNS client library which implements a
+stub resolver. It aims to comply with all DNS RFCs, including
+DNSSEC NSEC3 support.
+
+Dnsruby presents a new API for DNS. It is based on Ruby's core
+resolv.rb Resolv API, but has been much extended to provide a
+complete DNS implementation.
+
+Dnsruby runs a single I/O thread to handle all concurrent
+queries. It is therefore suitable for high volume DNS applications.
+
+The following is a (non-exhaustive) list of features :
+
+o Implemented RRs :  A, AAAA, AFSDB, ANY, CERT, CNAME, DNAME,
+     HINFO, ISDN, LOC, MB, MG, MINFO, MR, MX, NAPTR, NS, NSAP,
+     OPT, PTR, PX, RP, RT, SOA, SPF, SRV, TKEY, TSIG, TXT, WKS,
+     X25, DNSKEY, RRSIG, NSEC, NSEC3, NSEC3PARAM, DS, DLV
+
+o Generic RR types supported (RFC3597)
+
+o (Signed) Zone transfer (AXFR and IXFR) supported
+
+o (Signed) Dyamic updates supported
+
+o DNSSEC validation supported
+
+Dependencies
+============
+
+Dnsruby can run with no dependencies. However, if you wish to
+use TSIG or DNSSEC then the OpenSSL library must be available.
+This is a part of the Ruby standard library, but appears not to
+be present on all Ruby platforms. If it is not available, then 
+the test code will not run the tests which require it. Code which
+attempts to use the library (if it is not present) will raise an
+exception.
+
+Demo code
+=========
+
+The demo folder contains some example programs using Dnsruby.
+These examples include a basic dig tool (rubydig) and a tool to
+concurrently resolve many names, amongst others.
+
+Online tests
+============
+
+Nominet operate a test server which the Dnsruby test code queries.
+If this server is not available then some of the online tests will 
+not be run.
+
+
+Contact
+=======
+
+Use dnsruby rubyforge forums, or contact : alexd@nominet.org.uk

data/lib/Dnsruby/Recursor.rb

@@ -162,6 +162,7 @@ module Dnsruby
     @@hints = nil
     @@authority_cache = Hash.new
     @@zones_cache = nil
+    @@nameservers = nil
         
     def initialize(res = nil)
       if (res)
@@ -234,28 +235,41 @@ module Dnsruby
               hints[server] = AddressCache.new
             end
           end
-          # @TODO@ Some resolvers (e.g. 8.8.8.8) do not send an additional section -
-          # need to make explicit queries for these :(
-          packet.additional.each do |rr|
-            TheLog.debug(";; ADDITIONAL: "+rr.inspect+"\n")
-            server = rr.name.to_s.downcase
-            server.sub!(/\.$/,"")
-            if (server)
-              if ( rr.type == Types::A)
-                #print ";; ADDITIONAL HELP: $server -> [".$rr->rdatastr."]\n" if $self->{'debug'};
-                if (hints[server]!=nil)
-                  TheLog.debug(";; STORING IP: #{server} IN A "+rr.address.to_s+"\n")
-                  hints[server].push([rr.address.to_s, rr.ttl])
-                end
-              end
-              if ( rr.type == Types::AAAA)
-                #print ";; ADDITIONAL HELP: $server -> [".$rr->rdatastr."]\n" if $self->{'debug'};
-                if (hints[server])
-                  TheLog.debug(";; STORING IP6: #{server} IN AAAA "+rr.address.to_s+"\n")
-                  hints[server].push([rr.address.to_s, rr.ttl])
+          if ((packet.additional.length == 0) ||
+                 ((packet.additional.length == 1) && (packet.additional()[0].type == Types.OPT)))
+            # Some resolvers (e.g. 8.8.8.8) do not send an additional section -
+            # need to make explicit queries for these :(
+            # Probably best to limit the number of outstanding queries - extremely bursty behaviour otherwise
+            # What happens if we select only name
+            q = Queue.new
+            hints.keys.each {|server|
+              # Query for the server address and add it to hints.
+              ['A', 'AAAA'].each {|type|
+                msg = Message.new
+                msg.do_caching = @do_caching
+                msg.header.rd = false
+                msg.do_validation = false
+                msg.add_question(server, type, 'IN')
+                if (@dnssec)
+                  msg.header.cd = true # We do our own validation by default
                 end
+                resolver.send_async(msg, q)
+              }
+            }
+            (hints.length * 2).times {
+              id, result, error = q.pop
+              if (result)
+                result.answer.each {|rr|
+                  TheLog.debug(";; NS address: " + rr.inspect+"\n")
+                  add_to_hints(hints, rr)
+                }
               end
-                  
+            }
+          else
+            packet.additional.each do |rr|
+              TheLog.debug(";; ADDITIONAL: "+rr.inspect+"\n")
+              add_to_hints(hints, rr)
+
             end
           end
         end
@@ -307,6 +321,28 @@ module Dnsruby
       @@nameservers = @@hints.values
       return @@nameservers
     end
+
+    def Recursor.add_to_hints(hints, rr)
+      server = rr.name.to_s.downcase
+      server.sub!(/\.$/,"")
+      if (server)
+        if ( rr.type == Types::A)
+          #print ";; ADDITIONAL HELP: $server -> [".$rr->rdatastr."]\n" if $self->{'debug'};
+          if (hints[server]!=nil)
+            TheLog.debug(";; STORING IP: #{server} IN A "+rr.address.to_s+"\n")
+            hints[server].push([rr.address.to_s, rr.ttl])
+          end
+        end
+        if ( rr.type == Types::AAAA)
+          #print ";; ADDITIONAL HELP: $server -> [".$rr->rdatastr."]\n" if $self->{'debug'};
+          if (hints[server])
+            TheLog.debug(";; STORING IP6: #{server} IN AAAA "+rr.address.to_s+"\n")
+            hints[server].push([rr.address.to_s, rr.ttl])
+          end
+        end
+
+      end
+    end
         
         
     #This method takes a code reference, which is then invoked each time a
@@ -315,9 +351,9 @@ module Dnsruby
     #
     # res.recursion_callback(Proc.new { |packet|
     #     print packet.additional.inspect
-    #		
-    #     print";; Received %d bytes from %s\n\n", 
-    #         packetanswersize, 
+    #
+    #     print";; Received %d bytes from %s\n\n",
+    #         packetanswersize,
     #         packet.answerfrom);
     # })
     #
@@ -325,7 +361,7 @@ module Dnsruby
       #          if (sub && UNIVERSAL::isa(sub, 'CODE'))
       @callback = sub
       #          end
-    end  
+    end
         
     def recursion_callback
       return @callback
@@ -405,7 +441,7 @@ module Dnsruby
             return name
           end
         }
-        return false if name=="." 
+        return false if name=="."
         # strip the name up to the first dot
         first_dot = name.index(".")
         if (first_dot == (name.length-1))

data/lib/Dnsruby/Resolver.rb

@@ -59,8 +59,8 @@ module Dnsruby
   #Support for EventMachine has been deprecated.
   class Resolver
     DefaultQueryTimeout = 0 
-    DefaultPacketTimeout = 10
-    DefaultRetryTimes = 4
+    DefaultPacketTimeout = 5
+    DefaultRetryTimes = 1
     DefaultRetryDelay = 5
     DefaultPort = 53
     DefaultDnssec = true

data/lib/Dnsruby/code_mapper.rb

@@ -99,7 +99,7 @@ module Dnsruby
     def initialize(arg) #:nodoc: all
       array = @@arrays[self.class]
       if (arg.kind_of?String)
-        arg.gsub!("_", "-")
+        arg = arg.gsub("_", "-")
         code = array.stringsdown[arg.downcase]
         if (code != nil)
           @code = code

data/lib/Dnsruby/ipv4.rb

@@ -16,7 +16,7 @@
 module Dnsruby
   class IPv4
     # Regular expression IPv4 addresses must match
-    Regex = /\A(\d+)\.(\d+)\.(\d+)\.(\d+)\z/
+    Regex = /\A(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\z/
     
     def self.create(arg)
       case arg

data/lib/Dnsruby/message.rb

@@ -1124,9 +1124,11 @@ module Dnsruby
     def initialize(*args)
       @qtype = Types::A
       @qclass = Classes::IN
+      type_given = false
       if (args.length > 0)
         if (args.length > 1)
           @qtype = Types.new(args[1])
+          type_given = true
           if (args.length > 2)
             @qclass = Classes.new(args[2])
           end
@@ -1135,22 +1137,40 @@ module Dnsruby
         raise ArgumentError.new("Must pass at least a name!")
       end
       # If the name looks like an IP address then do an appropriate
-      # PTR query.
+      # PTR query, unless the user specified the qtype
       @qname=args[0]
-      case @qname.to_s
-      when IPv4::Regex
-        @qname = IPv4.create(@qname).to_name
-        @qtype = Types.PTR
-      when IPv6::Regex
-        @qname = IPv6.create(@qname).to_name
-        @qtype = Types.PTR
-      when Name
-      when IPv6
-        @qtype = Types.PTR
-      when IPv4
-        @qtype = Types.PTR
+      if (!type_given)
+        case @qname.to_s
+        when IPv4::Regex
+          @qname = IPv4.create(@qname).to_name
+          @qtype = Types.PTR
+        when IPv6::Regex
+          @qname = IPv6.create(@qname).to_name
+          @qtype = Types.PTR
+        when Name
+        when IPv6
+          @qtype = Types.PTR
+        when IPv4
+          @qtype = Types.PTR
+        else
+          @qname = Name.create(@qname)
+        end
       else
-        @qname = Name.create(@qname)
+        case @qtype
+        when Types.PTR
+          case @qname.to_s
+          when IPv4::Regex
+            @qname = IPv4.create(@qname).to_name
+          when IPv6::Regex
+            @qname = IPv6.create(@qname).to_name
+          when IPv6
+          when IPv4
+          else
+            @qname = Name.create(@qname)
+          end
+        else
+          @qname = Name.create(@qname)
+        end
       end
     end
     

data/lib/Dnsruby/resource/SOA.rb

@@ -49,11 +49,11 @@ module Dnsruby
       def from_hash(hash)
         @mname = Name.create(hash[:mname])
         @rname = Name.create(hash[:rname])
-        @serial = hash[:serial]
-        @refresh = hash[:refresh]
-        @retry = hash[:retry]
-        @expire = hash[:expire]
-        @minimum = hash[:minimum]
+        @serial = hash[:serial].to_i
+        @refresh = hash[:refresh].to_i
+        @retry = hash[:retry].to_i
+        @expire = hash[:expire].to_i
+        @minimum = hash[:minimum].to_i
       end
       
       def from_string(input)

data/lib/Dnsruby/resource/SSHFP.rb

@@ -65,7 +65,11 @@ module Dnsruby
           rescue ArgumentError
             @fptype = FpTypes.new(names[1])
           end
-          @fp = [names[2]].pack("H*")
+          remaining = ""
+          for i in 2..(names.length + 1)
+            remaining += names[i].to_s
+          end
+          @fp = [remaining].pack("H*")
         end
       end
 

data/lib/Dnsruby/resource/TXT.rb

@@ -63,6 +63,8 @@ module Dnsruby
         unquoted = false
         seen_strings = false
         pos = 0
+        input.sub!(/^\s*\(\s*/, "")
+        input.sub!(/\s*\)\s*$/, "")
         input.each_char {|c|
           if (((c == "'") || (c == '"')) && (!in_escaped) && (!unquoted))
             if (!in_string)

data/lib/Dnsruby/resource/resource.rb

@@ -390,7 +390,7 @@ module Dnsruby
       # strip out comments
       # Test for non escaped ";" by means of the look-behind assertion
       # (the backslash is escaped)
-      rrstring.gsub!(/(\?<!\\);.*/o, "");
+      rrstring = rrstring.gsub(/(\?<!\\);.*/o, "");
       
       if ((rrstring =~/#{@@RR_REGEX}/xo) == nil)
         raise Exception, "#{rrstring} did not match RR pat.\nPlease report this to the author!\n"

data/lib/Dnsruby/single_verifier.rb

@@ -60,24 +60,24 @@ module Dnsruby
       if (!defined?@@recursor)
         if (defined?@@hints)
           Recursor.set_hints(@@hints, Resolver.new)
-        @@recursor = Recursor.new()
+          @@recursor = Recursor.new()
         else
-        @@recursor = Recursor.new
+          @@recursor = Recursor.new
         end
       end
       return @@recursor
     end
 
     def get_dlv_resolver # :nodoc:
-#      if (Dnssec.do_validation_with_recursor?)
-#        return Recursor.new
-#      else
-        if (Dnssec.default_resolver)
-          return Dnssec.default_resolver
-        else
-          return Resolver.new
-        end
-#      end
+      #      if (Dnssec.do_validation_with_recursor?)
+      #        return Recursor.new
+      #      else
+      if (Dnssec.default_resolver)
+        return Dnssec.default_resolver
+      else
+        return Resolver.new
+      end
+      #      end
     end
     def add_dlv_key(key)
       # Is this a ZSK or a KSK?
@@ -121,7 +121,7 @@ module Dnsruby
     # Add the
     def add_trust_anchor_with_expiration(k, expiration)
       if (k.type == Types.DNSKEY)
-#        k.flags = k.flags | RR::IN::DNSKEY::SEP_KEY
+        #        k.flags = k.flags | RR::IN::DNSKEY::SEP_KEY
         @trust_anchors.add_key_with_expiration(k, expiration)
         #        print "Adding trust anchor for #{k.name}\n"
         TheLog.info("Adding trust anchor for #{k.name}")
@@ -706,7 +706,7 @@ module Dnsruby
         check_rr_data(rrset, sigrec)
       end
       raise ArgumentError.new("Expecting DNSKEY, DLV, DS, RRSet, Array or nil for keys : got #{keys.class} instead") if
-          (keys && (![Array, RR::IN::DNSKEY, RR::IN::DLV, RR::IN::DS].include?keys.class) && (keys.class != RRSet))
+      (keys && (![Array, RR::IN::DNSKEY, RR::IN::DLV, RR::IN::DS].include?keys.class) && (keys.class != RRSet))
 
       keyrec = nil
       sigrec = nil
@@ -941,7 +941,7 @@ module Dnsruby
       #      print "Follow chain from #{anchor.name} to #{name}\n"
       TheLog.debug("Follow chain from #{anchor.name} to #{name}")
 
-#      res = nil
+      #      res = nil
       res = Dnssec.default_resolver
       #      while ((next_step != name) || (next_key.type != Types.DNSKEY))
       while (true)
@@ -951,7 +951,7 @@ module Dnsruby
           dont_move_on = true
         end
         next_key, res = get_anchor_for(next_step, parent, next_key, res)
-        if (next_step == name)
+        if (next_step.canonical.to_s == name.canonical.to_s)
           #      print "Returning #{next_key.type} for #{next_step}, #{(next_key.type != Types.DNSKEY)}\n"
           return next_key
         end
@@ -983,11 +983,12 @@ module Dnsruby
       child_res = nil
       if (Dnssec.do_validation_with_recursor?)
         parent_res = get_recursor
+        child_res = get_recursor
       end
       begin
         if (child!=parent)
           if (!parent_res)
-#                      print "No res passed - try to get nameservers for #{parent}\n"
+            #                      print "No res passed - try to get nameservers for #{parent}\n"
             parent_res = get_nameservers_for(parent)
             if (!parent_res)
               if (Dnssec.do_validation_with_recursor?)
@@ -1021,12 +1022,14 @@ module Dnsruby
             if (ds_rrset.rrs.length == 0)
               # @TODO@ Check NSEC(3) records - still need to verify there are REALLY no ds records!
               #              print "NO DS RECORDS RETURNED FOR #{parent}\n"
-#              child_res = parent_res
+              #              child_res = parent_res
             else
               begin
-                if (verify(ds_rrset, current_anchor))
+                if (verify(ds_rrset, current_anchor) || verify(ds_rrset))
                   # Try to make the resolver from the authority/additional NS RRSets in DS response
-                  child_res = get_nameservers_from_message(child, ds_ret)
+                  if (!Dnssec.do_validation_with_recursor?)
+                    child_res = get_nameservers_from_message(child, ds_ret)
+                  end
                 end
               rescue VerifyError => e
                 #                print "FAILED TO VERIFY DS RRSET FOR #{child}\n"
@@ -1099,13 +1102,6 @@ module Dnsruby
               verified = false
             end
           end
-          #          if (!verify(key_rrset, ds_rrset))
-          #            if (!verify(key_rrset))
-          #              #        if (!verify(key_ret))
-          #              verified = false
-          #            end
-          #          end
-
         end
         
         # Try to make the resolver from the authority/additional NS RRSets in DNSKEY response
@@ -1115,14 +1111,14 @@ module Dnsruby
         end
         if (!verified)
           TheLog.info("Failed to verify DNSKEY for #{child}")
-          return false, new_res
+          return false, nil # new_res
         end
         #        Cache.add(key_ret)
         return key_rrset, new_res
       rescue VerifyError => e
         #        print "Verification error : #{e}\n"
         TheLog.info("Verification error : #{e}\n")
-        return false, new_res
+        return false, nil # new_res
       end
     end