feat: cache DS in referrals

zmap · Nov 1, 2024 · bf18c4c · bf18c4c
1 parent 4682155
commit bf18c4c
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 2 deletions.
diff --git a/src/zdns/cache.go b/src/zdns/cache.go
@@ -309,6 +309,32 @@ func (s *Cache) SafeAddCachedAuthority(res *SingleQueryResult, ns *NameServer, d
 		nsString = ns.String()
 	}
 
+	// Referrals may contain DS records in the authority section. These need to be cached under the child name.
+	var dsRRs []interface{}
+	var otherRRs []interface{}
+	for _, rr := range res.Authorities {
+		if dsRR, ok := rr.(DSAnswer); ok {
+			dsRRs = append(dsRRs, dsRR)
+		} else {
+			otherRRs = append(otherRRs, rr)
+		}
+	}
+
+	if len(dsRRs) > 0 {
+		dsRes := &SingleQueryResult{
+			Answers:            dsRRs,
+			Protocol:           res.Protocol,
+			Resolver:           res.Resolver,
+			Flags:              res.Flags,
+			TLSServerHandshake: res.TLSServerHandshake,
+		}
+		dsRes.Flags.Authoritative = true
+		delegateName := removeTrailingDotIfNotRoot(dsRRs[0].(DSAnswer).BaseAns().Name)
+		dsCachedRes := s.buildCachedResult(dsRes, depth, layer)
+		s.addCachedAnswer(Question{Name: delegateName, Type: dns.TypeDS, Class: dns.ClassINET}, nsString, false, dsCachedRes, depth)
+	}
+
+	res.Authorities = otherRRs
 	cachedRes := s.buildCachedResult(res, depth, layer)
 	if len(cachedRes.Answers) == 0 && len(cachedRes.Authorities) == 0 && len(cachedRes.Additionals) == 0 {
 		s.VerboseLog(depth+1, "SafeAddCachedAnswer: no cacheable records found, aborting")

diff --git a/src/zdns/dnssec.go b/src/zdns/dnssec.go
@@ -129,7 +129,7 @@ func (r *Resolver) getDNSKEYs(ctx context.Context, signerDomain string, nameServ
 	zsks := make(map[uint16]*dns.DNSKEY)
 
 	retries := r.retries
-	nameWithoutTrailingDot := strings.TrimSuffix(dns.CanonicalName(signerDomain), rootZone)
+	nameWithoutTrailingDot := removeTrailingDotIfNotRoot(signerDomain)
 	if signerDomain == rootZone {
 		nameWithoutTrailingDot = rootZone
 	}
@@ -199,7 +199,7 @@ func (r *Resolver) getDNSKEYs(ctx context.Context, signerDomain string, nameServ
 // - error: If validation fails for any DS record, returns an error with details.
 func (r *Resolver) validateDSRecords(ctx context.Context, signerDomain string, dnskeyMap map[uint16]*dns.DNSKEY, nameServer *NameServer, isIterative bool, trace Trace, depth int) (bool, Trace, error) {
 	retries := r.retries
-	nameWithoutTrailingDot := strings.TrimSuffix(dns.CanonicalName(signerDomain), rootZone)
+	nameWithoutTrailingDot := removeTrailingDotIfNotRoot(signerDomain)
 
 	dsQuestion := QuestionWithMetadata{
 		Q: Question{

diff --git a/src/zdns/util.go b/src/zdns/util.go
@@ -40,6 +40,13 @@ func dotName(name string) string {
 	return strings.Join([]string{name, "."}, "")
 }
 
+func removeTrailingDotIfNotRoot(name string) string {
+	if name == "." {
+		return name
+	}
+	return strings.TrimSuffix(name, ".")
+}
+
 func TranslateMiekgErrorCode(err int) Status {
 	return Status(dns.RcodeToString[err])
 }