plugin/dnssec: check validityperiod of RRSIGs (#1385)

* plugin/dnssec: check validityperiod of RRSIGs Somehow we missed implementing this. If a sig a retrieved from the cache, but not valid anymore, regenerate it instead of server invalid signatures. Fixes #1378 * drop from cache after 3/4 validity * six days means 6 days

plugin/dnssec: check validityperiod of RRSIGs (#1385)
* plugin/dnssec: check validityperiod of RRSIGs Somehow we missed implementing this. If a sig a retrieved from the cache, but not valid anymore, regenerate it instead of server invalid signatures. Fixes #1378 * drop from cache after 3/4 validity * six days means 6 days
318bab77 · Miek Gieben · GitHub · dd9fc896 · 318bab77 · 318bab77
Commit 318bab77 authored Jan 18, 2018 by Miek Gieben Committed by GitHub Jan 18, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 58 additions and 0 deletions

plugin/dnssec/cache_test.go plugin/dnssec/cache_test.go +48 -0

plugin/dnssec/dnssec.go plugin/dnssec/dnssec.go +10 -0

No files found.
--- a/plugin/dnssec/cache_test.go
+++ b/plugin/dnssec/cache_test.go
@@ -32,3 +32,51 @@ func TestCacheSet(t *testing.T) {
 		t.Errorf("signature was not added to the cache")
 	}
 }
+func TestCacheNotValidExpired(t *testing.T) {
+	fPriv, rmPriv, _ := test.TempFile(".", privKey)
+	fPub, rmPub, _ := test.TempFile(".", pubKey)
+	defer rmPriv()
+	defer rmPub()
+	dnskey, err := ParseKeyFile(fPub, fPriv)
+	if err != nil {
+		t.Fatalf("failed to parse key: %v\n", err)
+	}
+	c := cache.New(defaultCap)
+	m := testMsg()
+	state := request.Request{Req: m, Zone: "miek.nl."}
+	k := hash(m.Answer) // calculate *before* we add the sig
+	d := New([]string{"miek.nl."}, []*DNSKEY{dnskey}, nil, c)
+	d.Sign(state, time.Now().UTC().AddDate(0, 0, -9))
+	_, ok := d.get(k)
+	if ok {
+		t.Errorf("signature was added to the cache even though not valid")
+	}
+}
+func TestCacheNotValidYet(t *testing.T) {
+	fPriv, rmPriv, _ := test.TempFile(".", privKey)
+	fPub, rmPub, _ := test.TempFile(".", pubKey)
+	defer rmPriv()
+	defer rmPub()
+	dnskey, err := ParseKeyFile(fPub, fPriv)
+	if err != nil {
+		t.Fatalf("failed to parse key: %v\n", err)
+	}
+	c := cache.New(defaultCap)
+	m := testMsg()
+	state := request.Request{Req: m, Zone: "miek.nl."}
+	k := hash(m.Answer) // calculate *before* we add the sig
+	d := New([]string{"miek.nl."}, []*DNSKEY{dnskey}, nil, c)
+	d.Sign(state, time.Now().UTC().AddDate(0, 0, +9))
+	_, ok := d.get(k)
+	if ok {
+		t.Errorf("signature was added to the cache even though not valid yet")
+	}
+}
--- a/plugin/dnssec/dnssec.go
+++ b/plugin/dnssec/dnssec.go
@@ -131,6 +131,15 @@ func (d Dnssec) set(key uint32, sigs []dns.RR) {
 func (d Dnssec) get(key uint32) ([]dns.RR, bool) {
 	if s, ok := d.cache.Get(key); ok {
+		// we sign for 8 days, check if a signature in the cache reached 3/4 of that
+		is75 := time.Now().UTC().Add(sixDays)
+		for _, rr := range s.([]dns.RR) {
+			if !rr.(*dns.RRSIG).ValidityPeriod(is75) {
+				cacheMisses.Inc()
+				return nil, false
+			}
+		}
 		cacheHits.Inc()
 		return s.([]dns.RR), true
 	}
@@ -146,5 +155,6 @@ func incepExpir(now time.Time) (uint32, uint32) {
 const (
 	eightDays  = 8 * 24 * time.Hour
+	sixDays    = 6 * 24 * time.Hour
 	defaultCap = 10000 // default capacity of the cache.
 )