{resolver,validator}: provide more EDE codes.
Sep 06, 2024
Vladimír Čunát authored
If the tag and algorithm of DS and DNSKEY do not correspond, or in case the DNSKEY is revoked, set EDE code "DNSKEY Missing". If both match, but the algorithm is not supported, set EDE code "Unsupported DNSKEY Algorithm". In case RRSIGs for DNSKEY exist, but can't be validated due to a key error, set EDE code "RRSIGs Missing".
dnssec:
* Provide a way to retrieve whether a DNSKEY has the Zone Key bit set, and add bindings for Lua modules (kr_dnssec_key_zonekey_flag), like kr_dnssec_key_sep_flag.
* In kr_ds_algo_support() provide a way to retrieve what is wrong with the keys.
* Check if an RRSIG RR has the signature expired already before inception time.

validator:
* Set EDE "Unsupported NSEC3 Iterations Value" when downgrading.
* Set EDE "Signature Expired before Valid" when checking RRSIGs.
* Set EDE "No Zone Key Bit Set" when a DNSKEY with the Zone Key Bit set to 0 is discarded.
* Instead of the generic "Other Error" with extra text "unsupported digest/key", set appropriate EDEs "Unsupported DNSKEY Algorithm" and "Unsupported DS Digest Type".

resolver:
* Set EDE "No Reachable Authority" when it is decided that all authoritative servers are unreachable or misbehaving.

Some parts adjusted by vcunat, in particular construction of EDE messages.
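The two commit messages above describe a decision procedure: which Extended DNS Error (RFC 8914) code a validator should attach when a DS/DNSKEY pair cannot be used, and when an RRSIG's validity window is broken. The following is an added Python example, not Knot Resolver's own C code, that implements those rules as stated. The key tag computation follows RFC 4034 Appendix B, the flag bits follow RFC 4034/RFC 5011, and the timestamp comparison follows RFC 4034 §3.1.5 serial arithmetic; the EDE numbers are the IANA registry values. The sets of supported algorithms and digest types, the NSEC3 iteration limit, the sample keys and the precedence between codes in `ede_for_key_set` are assumptions made for this example.

```python
"""Added example (not Knot Resolver code): map DS/DNSKEY and RRSIG problems to
RFC 8914 Extended DNS Error codes following the rules in the commit messages.
Supported-algorithm sets, the NSEC3 limit and the sample keys are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# EDE codes from the IANA "Extended DNS Error Codes" registry (RFC 8914 and later).
EDE_UNSUPPORTED_DNSKEY_ALG = 1
EDE_UNSUPPORTED_DS_DIGEST = 2
EDE_SIGNATURE_EXPIRED = 7
EDE_SIGNATURE_NOT_YET_VALID = 8
EDE_DNSKEY_MISSING = 9
EDE_RRSIGS_MISSING = 10
EDE_NO_ZONE_KEY_BIT = 11
EDE_SIGNATURE_EXPIRED_BEFORE_VALID = 25
EDE_UNSUPPORTED_NSEC3_ITERATIONS = 27

# DNSKEY flag bits: Zone Key (RFC 4034 2.1.1), REVOKE (RFC 5011 2.1), SEP (RFC 4034 2.1.1).
DNSKEY_FLAG_ZONE = 0x0100
DNSKEY_FLAG_REVOKE = 0x0080
DNSKEY_FLAG_SEP = 0x0001

# Assumed resolver capabilities; a real resolver derives these from its crypto backend.
SUPPORTED_DNSKEY_ALGS = {8, 13, 14, 15, 16}
SUPPORTED_DS_DIGESTS = {2, 4}
NSEC3_ITERATIONS_LIMIT = 150  # assumed downgrade threshold (RFC 9276 style)


def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not the algorithm-1 special case)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    pubkey: bytes
    protocol: int = 3

    def key_tag(self) -> int:
        # A revoked key's tag includes the REVOKE bit (RFC 5011), so it no longer matches its DS.
        return dnskey_key_tag(self.flags, self.protocol, self.algorithm, self.pubkey)


def ede_for_ds_dnskey(ds: DS, key: DNSKEY) -> Optional[int]:
    """EDE code for why this DNSKEY cannot be used with this DS, or None if the pair is usable."""
    if not key.flags & DNSKEY_FLAG_ZONE:
        return EDE_NO_ZONE_KEY_BIT           # key discarded: Zone Key bit is 0
    if key.flags & DNSKEY_FLAG_REVOKE:
        return EDE_DNSKEY_MISSING            # revoked keys count as absent
    if ds.algorithm != key.algorithm or ds.key_tag != key.key_tag():
        return EDE_DNSKEY_MISSING            # tag/algorithm do not correspond
    if key.algorithm not in SUPPORTED_DNSKEY_ALGS:
        return EDE_UNSUPPORTED_DNSKEY_ALG    # pair matches, but we cannot verify with it
    if ds.digest_type not in SUPPORTED_DS_DIGESTS:
        return EDE_UNSUPPORTED_DS_DIGEST
    return None


def ede_for_key_set(ds_set: Iterable[DS], keys: Iterable[DNSKEY]) -> Tuple[Optional[DNSKEY], Optional[int]]:
    """First usable (DS, DNSKEY) match, else the most specific problem seen.
    Assumed precedence: any capability/flag code beats plain 'DNSKEY Missing'."""
    worst = EDE_DNSKEY_MISSING
    keys = list(keys)
    for ds in ds_set:
        for key in keys:
            ede = ede_for_ds_dnskey(ds, key)
            if ede is None:
                return key, None
            if ede != EDE_DNSKEY_MISSING:
                worst = ede
    return None, worst


def ede_for_dnskey_rrsigs(rrsig_key_tags: Iterable[int], usable_key_tags: Iterable[int]) -> Optional[int]:
    """RRSIGs over the DNSKEY RRset that no surviving key can validate: 'RRSIGs Missing'."""
    if not set(rrsig_key_tags) & set(usable_key_tags):
        return EDE_RRSIGS_MISSING
    return None


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number 'a < b' for 32-bit RRSIG timestamps (RFC 4034 3.1.5)."""
    return 0 < ((b - a) & 0xFFFFFFFF) < 0x80000000


def ede_for_rrsig_times(inception: int, expiration: int, now: int) -> Optional[int]:
    """Validity-window check; a signature that expires before it is valid is flagged first."""
    if serial_lt(expiration, inception):
        return EDE_SIGNATURE_EXPIRED_BEFORE_VALID
    if serial_lt(now, inception):
        return EDE_SIGNATURE_NOT_YET_VALID
    if serial_lt(expiration, now):
        return EDE_SIGNATURE_EXPIRED
    return None


def ede_for_nsec3_iterations(iterations: int) -> Optional[int]:
    """Set when the validator downgrades because the NSEC3 iteration count is too high."""
    return EDE_UNSUPPORTED_NSEC3_ITERATIONS if iterations > NSEC3_ITERATIONS_LIMIT else None
```

The ordering inside `ede_for_ds_dnskey` mirrors the commit text: structural problems (Zone Key bit, revocation, tag/algorithm mismatch) are reported before capability problems, so "Unsupported DNSKEY Algorithm" is only emitted once the DS really does point at that key. Note that `now == expiration` is still valid, as RFC 4034 requires an inclusive window.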
Vladimír Čunát authored
It's trivial really, and I'd like to use it now.