remove incorrect dnssec validation
This commit is contained in:
parent
126454c0e6
commit
538846ee0b
|
@ -7,34 +7,6 @@ import bitcoin
|
||||||
from util import StoreDict, print_error
|
from util import StoreDict, print_error
|
||||||
from i18n import _
|
from i18n import _
|
||||||
|
|
||||||
# Import all of the rdtypes, as py2app and similar get confused with the dnspython
|
|
||||||
# autoloader and won't include all the rdatatypes
|
|
||||||
try:
|
|
||||||
import dns.name
|
|
||||||
import dns.query
|
|
||||||
import dns.dnssec
|
|
||||||
import dns.message
|
|
||||||
import dns.resolver
|
|
||||||
import dns.rdatatype
|
|
||||||
import dns.rdtypes.ANY.NS
|
|
||||||
import dns.rdtypes.ANY.CNAME
|
|
||||||
import dns.rdtypes.ANY.DLV
|
|
||||||
import dns.rdtypes.ANY.DNSKEY
|
|
||||||
import dns.rdtypes.ANY.DS
|
|
||||||
import dns.rdtypes.ANY.NSEC
|
|
||||||
import dns.rdtypes.ANY.NSEC3
|
|
||||||
import dns.rdtypes.ANY.NSEC3PARAM
|
|
||||||
import dns.rdtypes.ANY.RRSIG
|
|
||||||
import dns.rdtypes.ANY.SOA
|
|
||||||
import dns.rdtypes.ANY.TXT
|
|
||||||
import dns.rdtypes.IN.A
|
|
||||||
import dns.rdtypes.IN.AAAA
|
|
||||||
from dns.exception import DNSException
|
|
||||||
OA_READY = True
|
|
||||||
except ImportError:
|
|
||||||
OA_READY = False
|
|
||||||
|
|
||||||
|
|
||||||
class Contacts(StoreDict):
|
class Contacts(StoreDict):
|
||||||
|
|
||||||
def __init__(self, config):
|
def __init__(self, config):
|
||||||
|
@ -58,11 +30,7 @@ class Contacts(StoreDict):
|
||||||
out = self.resolve_openalias(k)
|
out = self.resolve_openalias(k)
|
||||||
if out:
|
if out:
|
||||||
address, name = out
|
address, name = out
|
||||||
try:
|
validated = False
|
||||||
validated = self.validate_dnssec(k)
|
|
||||||
except:
|
|
||||||
validated = False
|
|
||||||
traceback.print_exc(file=sys.stderr)
|
|
||||||
return {
|
return {
|
||||||
'address': address,
|
'address': address,
|
||||||
'name': name,
|
'name': name,
|
||||||
|
@ -122,51 +90,3 @@ class Contacts(StoreDict):
|
||||||
except AttributeError:
|
except AttributeError:
|
||||||
return None
|
return None
|
||||||
|
|
||||||
def validate_dnssec(self, url):
|
|
||||||
print_error('Checking DNSSEC trust chain for ' + url)
|
|
||||||
default = dns.resolver.get_default_resolver()
|
|
||||||
ns = default.nameservers[0]
|
|
||||||
parts = url.split('.')
|
|
||||||
|
|
||||||
for i in xrange(len(parts), 0, -1):
|
|
||||||
sub = '.'.join(parts[i - 1:])
|
|
||||||
query = dns.message.make_query(sub, dns.rdatatype.NS)
|
|
||||||
response = dns.query.udp(query, ns, 3)
|
|
||||||
if response.rcode() != dns.rcode.NOERROR:
|
|
||||||
print_error("query error")
|
|
||||||
return False
|
|
||||||
|
|
||||||
if len(response.authority) > 0:
|
|
||||||
rrset = response.authority[0]
|
|
||||||
else:
|
|
||||||
rrset = response.answer[0]
|
|
||||||
|
|
||||||
rr = rrset[0]
|
|
||||||
if rr.rdtype == dns.rdatatype.SOA:
|
|
||||||
#Same server is authoritative, don't check again
|
|
||||||
continue
|
|
||||||
|
|
||||||
query = dns.message.make_query(sub,
|
|
||||||
dns.rdatatype.DNSKEY,
|
|
||||||
want_dnssec=True)
|
|
||||||
response = dns.query.udp(query, ns, 3)
|
|
||||||
if response.rcode() != 0:
|
|
||||||
self.print_error("query error")
|
|
||||||
return False
|
|
||||||
# HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD)
|
|
||||||
|
|
||||||
# answer should contain two RRSET: DNSKEY and RRSIG(DNSKEY)
|
|
||||||
answer = response.answer
|
|
||||||
if len(answer) != 2:
|
|
||||||
print_error("answer error", answer)
|
|
||||||
return False
|
|
||||||
|
|
||||||
# the DNSKEY should be self signed, validate it
|
|
||||||
name = dns.name.from_text(sub)
|
|
||||||
try:
|
|
||||||
dns.dnssec.validate(answer[0], answer[1], {name: answer[0]})
|
|
||||||
except dns.dnssec.ValidationFailure:
|
|
||||||
print_error("validation error")
|
|
||||||
return False
|
|
||||||
|
|
||||||
return True
|
|
||||||
|
|
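Review bot: `validated = False` at the top of the second hunk is now an unconditional constant with no comment saying why, so a later reader cannot tell whether the flag is deliberately disabled or simply unfinished; add `# DNSSEC validation intentionally disabled: the removed check only verified the DNSKEY RRset against itself, never against a trust anchor, so it proved nothing.` above it. The removed `validate_dnssec` in the third hunk supports that reading, since it called `dns.dnssec.validate(answer[0], answer[1], {name: answer[0]})` with the zone's own keys as the trusted set. The first hunk also drops every `dns.*` import and `OA_READY` while `resolve_openalias` is still called in the second hunk, so if that method or another module reads those names, the import or flag must survive somewhere outside these hunks; its body is not visible here, so I cannot confirm. Likewise the removed `traceback.print_exc(file=sys.stderr)` may leave `traceback` and `sys` imports unused if they sit above the first hunk.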