remove incorrect dnssec validation
This commit is contained in:
parent
126454c0e6
commit
538846ee0b
|
@ -7,34 +7,6 @@ import bitcoin
|
|||
from util import StoreDict, print_error
|
||||
from i18n import _
|
||||
|
||||
# Import all of the rdtypes, as py2app and similar get confused with the dnspython
|
||||
# autoloader and won't include all the rdatatypes
|
||||
try:
|
||||
import dns.name
|
||||
import dns.query
|
||||
import dns.dnssec
|
||||
import dns.message
|
||||
import dns.resolver
|
||||
import dns.rdatatype
|
||||
import dns.rdtypes.ANY.NS
|
||||
import dns.rdtypes.ANY.CNAME
|
||||
import dns.rdtypes.ANY.DLV
|
||||
import dns.rdtypes.ANY.DNSKEY
|
||||
import dns.rdtypes.ANY.DS
|
||||
import dns.rdtypes.ANY.NSEC
|
||||
import dns.rdtypes.ANY.NSEC3
|
||||
import dns.rdtypes.ANY.NSEC3PARAM
|
||||
import dns.rdtypes.ANY.RRSIG
|
||||
import dns.rdtypes.ANY.SOA
|
||||
import dns.rdtypes.ANY.TXT
|
||||
import dns.rdtypes.IN.A
|
||||
import dns.rdtypes.IN.AAAA
|
||||
from dns.exception import DNSException
|
||||
OA_READY = True
|
||||
except ImportError:
|
||||
OA_READY = False
|
||||
|
||||
|
||||
class Contacts(StoreDict):
|
||||
|
||||
def __init__(self, config):
|
||||
|
@ -58,11 +30,7 @@ class Contacts(StoreDict):
|
|||
out = self.resolve_openalias(k)
|
||||
if out:
|
||||
address, name = out
|
||||
try:
|
||||
validated = self.validate_dnssec(k)
|
||||
except:
|
||||
validated = False
|
||||
traceback.print_exc(file=sys.stderr)
|
||||
validated = False
|
||||
return {
|
||||
'address': address,
|
||||
'name': name,
|
||||
|
@ -122,51 +90,3 @@ class Contacts(StoreDict):
|
|||
except AttributeError:
|
||||
return None
|
||||
|
||||
def validate_dnssec(self, url):
|
||||
print_error('Checking DNSSEC trust chain for ' + url)
|
||||
default = dns.resolver.get_default_resolver()
|
||||
ns = default.nameservers[0]
|
||||
parts = url.split('.')
|
||||
|
||||
for i in xrange(len(parts), 0, -1):
|
||||
sub = '.'.join(parts[i - 1:])
|
||||
query = dns.message.make_query(sub, dns.rdatatype.NS)
|
||||
response = dns.query.udp(query, ns, 3)
|
||||
if response.rcode() != dns.rcode.NOERROR:
|
||||
print_error("query error")
|
||||
return False
|
||||
|
||||
if len(response.authority) > 0:
|
||||
rrset = response.authority[0]
|
||||
else:
|
||||
rrset = response.answer[0]
|
||||
|
||||
rr = rrset[0]
|
||||
if rr.rdtype == dns.rdatatype.SOA:
|
||||
#Same server is authoritative, don't check again
|
||||
continue
|
||||
|
||||
query = dns.message.make_query(sub,
|
||||
dns.rdatatype.DNSKEY,
|
||||
want_dnssec=True)
|
||||
response = dns.query.udp(query, ns, 3)
|
||||
if response.rcode() != 0:
|
||||
self.print_error("query error")
|
||||
return False
|
||||
# HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD)
|
||||
|
||||
# answer should contain two RRSET: DNSKEY and RRSIG(DNSKEY)
|
||||
answer = response.answer
|
||||
if len(answer) != 2:
|
||||
print_error("answer error", answer)
|
||||
return False
|
||||
|
||||
# the DNSKEY should be self signed, validate it
|
||||
name = dns.name.from_text(sub)
|
||||
try:
|
||||
dns.dnssec.validate(answer[0], answer[1], {name: answer[0]})
|
||||
except dns.dnssec.ValidationFailure:
|
||||
print_error("validation error")
|
||||
return False
|
||||
|
||||
return True
|
||||
|
|
Loading…
Reference in New Issue