Mercurial > prosody-hg
comparison net/resolvers/basic.lua @ 12601:72f7bb3f30d3
net.resolvers.basic: Add opt-out argument for DNSSEC security status
This makes explicit which lookups can accept an unsigned response.
Insecure (unsigned, as before DNSSEC) A and AAAA records can be used as
security would come from TLS, but an insecure TLSA record is worthless.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 02 Aug 2022 16:08:43 +0200 |
| parents | e155f4509954 |
| children | 2d134201dc55 |
comparison
equal
deleted
inserted
replaced
| 12600:3d3a0c4e2662 | 12601:72f7bb3f30d3 |
|---|---|
| 8 local methods = {}; | 8 local methods = {}; |
| 9 local resolver_mt = { __index = methods }; | 9 local resolver_mt = { __index = methods }; |
| 10 | 10 |
| 11 -- FIXME RFC 6724 | 11 -- FIXME RFC 6724 |
| 12 | 12 |
| 13 local function do_dns_lookup(self, dns_resolver, record_type, name) | 13 local function do_dns_lookup(self, dns_resolver, record_type, name, allow_insecure) |
| 14 return promise.new(function (resolve, reject) | 14 return promise.new(function (resolve, reject) |
| 15 local ipv = (record_type == "A" and "4") or (record_type == "AAAA" and "6") or nil; | 15 local ipv = (record_type == "A" and "4") or (record_type == "AAAA" and "6") or nil; |
| 16 if ipv and self.extra["use_ipv"..ipv] == false then | 16 if ipv and self.extra["use_ipv"..ipv] == false then |
| 17 return reject(("IPv%s disabled - %s lookup skipped"):format(ipv, record_type)); | 17 return reject(("IPv%s disabled - %s lookup skipped"):format(ipv, record_type)); |
| 18 elseif record_type == "TLSA" and self.extra.use_dane ~= true then | 18 elseif record_type == "TLSA" and self.extra.use_dane ~= true then |
| 21 dns_resolver:lookup(function (answer, err) | 21 dns_resolver:lookup(function (answer, err) |
| 22 if not answer then | 22 if not answer then |
| 23 return reject(err); | 23 return reject(err); |
| 24 elseif answer.bogus then | 24 elseif answer.bogus then |
| 25 return reject(("Validation error in %s lookup"):format(record_type)); | 25 return reject(("Validation error in %s lookup"):format(record_type)); |
| 26 elseif not (answer.secure or allow_insecure) then | |
| 27 return reject(("Insecure response in %s lookup"):format(record_type)); | |
| 26 elseif answer.status and #answer == 0 then | 28 elseif answer.status and #answer == 0 then |
| 27 return reject(("%s in %s lookup"):format(answer.status, record_type)); | 29 return reject(("%s in %s lookup"):format(answer.status, record_type)); |
| 28 end | 30 end |
| 29 | 31 |
| 30 local targets = { secure = answer.secure }; | 32 local targets = { secure = answer.secure }; |
| 76 | 78 |
| 77 -- Resolve DNS to target list | 79 -- Resolve DNS to target list |
| 78 local dns_resolver = adns.resolver(); | 80 local dns_resolver = adns.resolver(); |
| 79 | 81 |
| 80 local dns_lookups = { | 82 local dns_lookups = { |
| 81 ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname); | 83 ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname, true); |
| 82 ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname); | 84 ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname, true); |
| 83 tlsa = do_dns_lookup(self, dns_resolver, "TLSA", ("_%d._%s.%s"):format(self.port, self.conn_type, self.hostname)); | 85 tlsa = do_dns_lookup(self, dns_resolver, "TLSA", ("_%d._%s.%s"):format(self.port, self.conn_type, self.hostname)); |
| 84 }; | 86 }; |
| 85 | 87 |
| 86 promise.all_settled(dns_lookups):next(function (dns_results) | 88 promise.all_settled(dns_lookups):next(function (dns_results) |
| 87 -- Combine targets, assign to self.targets, self:next(cb) | 89 -- Combine targets, assign to self.targets, self:next(cb) |
