
DNSSEC RRSIG Verify Function Fails to Enforce RFC4035 Constraints #1617

Open
developStorm opened this issue Nov 17, 2024 · 0 comments · May be fixed by #1618

Comments

@developStorm

Description

The Verify function does not fully comply with RFC 4035 Section 5.3.1, leading to improper validation of RRSIG records. Specifically, the following constraints are not enforced:

  1. Owner Name Mismatch: the RRSIG owner name (rr.Hdr.Name) must match the RRset owner name. Currently, this validation is missing.
  2. Signer Name Validation: the RRSIG SignerName must correspond to the zone containing the RRset. The current implementation only checks against the DNSKEY name, which is insufficient.
  3. Labels Field Validation: the number of labels in the RRset owner name must be greater than or equal to the Labels field in the RRSIG. This validation is absent.

Steps to Reproduce

Modify TestSignVerify in dnssec_test.go in one of the following ways, then run the test:

  1. Change soa.Hdr.Name to "example.com.".
  2. Change sig.Hdr.Name to "example.com.".
  3. Change soa.Hdr.Name to "nl.".

Expected Behavior

The test should fail due to:

  1. Owner name mismatch.
  2. Invalid SignerName.
  3. Labels field mismatch.

Actual Behavior

The test passes incorrectly, indicating the constraints are not being enforced.


References

  • RFC 4035 Section 5.3.1: https://www.rfc-editor.org/rfc/rfc4035#section-5.3.1
@developStorm developStorm linked a pull request Nov 17, 2024 that will close this issue
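As an added example (not code from the miekg/dns project or from the issue author), the following self-contained Go program applies the three RFC 4035 Section 5.3.1 structural constraints listed in the issue to a minimal RRSIG model. The Rrsig type, CheckRRSIG, countLabels, inZoneOrEqual and the sentinel errors are assumptions constructed for this example and do not mirror the library's dns.RRSIG type or its Verify signature. A stand-alone checker has no knowledge of zone cuts, so the signer-name check accepts any signer that is the RRset owner or one of its ancestors (in addition to the signer-equals-DNSKEY-owner check the issue says already exists); that is a necessary but not sufficient approximation of "the zone containing the RRset". Escaped dots inside labels are not handled.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Rrsig holds only the RRSIG fields the RFC 4035 5.3.1 structural checks need.
// Constructed for this example; it is not miekg/dns's dns.RRSIG.
type Rrsig struct {
	OwnerName  string // the RRSIG's own owner name (rr.Hdr.Name in the library)
	SignerName string // the Signer's Name field
	Labels     uint8  // the Labels field
}

// Sentinel errors so callers can tell the failure modes apart with errors.Is.
var (
	ErrOwnerMismatch = errors.New("RRSIG owner name does not match RRset owner name")
	ErrSignerKey     = errors.New("RRSIG signer name does not match DNSKEY owner name")
	ErrSignerNotZone = errors.New("RRSIG signer name is neither the RRset owner nor an ancestor of it")
	ErrLabelsTooMany = errors.New("RRSIG Labels field exceeds the label count of the RRset owner name")
)

// canonical lower-cases a name and guarantees exactly one trailing dot, so
// "Miek.NL" and "miek.nl." compare equal. Escaped dots inside labels are not handled.
func canonical(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, ".")) + "."
}

// countLabels counts the labels of a name, excluding the root label and a
// leading "*" label, which is how RFC 4034 section 3.1.3 defines the Labels field.
func countLabels(name string) int {
	n := strings.TrimSuffix(canonical(name), ".")
	if n == "" {
		return 0 // the root name "." has zero labels
	}
	labels := strings.Split(n, ".")
	if labels[0] == "*" {
		labels = labels[1:]
	}
	return len(labels)
}

// inZoneOrEqual reports whether child equals parent or lies below it in the tree.
func inZoneOrEqual(child, parent string) bool {
	c, p := canonical(child), canonical(parent)
	if p == "." || c == p {
		return true
	}
	return strings.HasSuffix(c, "."+p)
}

// CheckRRSIG applies the RFC 4035 5.3.1 structural constraints to sig, given the
// owner name of the RRset it claims to cover and the owner name of the DNSKEY
// used for verification. It does not perform the cryptographic signature check.
func CheckRRSIG(sig Rrsig, rrsetOwner, dnskeyOwner string) error {
	// 1. The RRSIG owner name must equal the RRset owner name.
	if canonical(sig.OwnerName) != canonical(rrsetOwner) {
		return fmt.Errorf("%w: %q vs %q", ErrOwnerMismatch, sig.OwnerName, rrsetOwner)
	}
	// 2a. The signer name must equal the DNSKEY owner name (the existing check).
	if canonical(sig.SignerName) != canonical(dnskeyOwner) {
		return fmt.Errorf("%w: %q vs %q", ErrSignerKey, sig.SignerName, dnskeyOwner)
	}
	// 2b. The signer must name the zone containing the RRset. Without zone-cut
	//     knowledge this example requires the signer to be the owner or an
	//     ancestor of it (assumption; necessary but not sufficient).
	if !inZoneOrEqual(rrsetOwner, sig.SignerName) {
		return fmt.Errorf("%w: signer %q, owner %q", ErrSignerNotZone, sig.SignerName, rrsetOwner)
	}
	// 3. The owner's label count must be >= Labels. A strictly larger count
	//    means the RRset was synthesized from a wildcard, which is permitted.
	if n := countLabels(rrsetOwner); n < int(sig.Labels) {
		return fmt.Errorf("%w: owner has %d labels, Labels field is %d", ErrLabelsTooMany, n, sig.Labels)
	}
	return nil
}

func main() {
	// Constructed sample values, mirroring the shape of the issue's repro steps.
	sig := Rrsig{OwnerName: "miek.nl.", SignerName: "miek.nl.", Labels: 2}
	fmt.Println("valid:         ", CheckRRSIG(sig, "miek.nl.", "miek.nl."))
	fmt.Println("owner mismatch:", CheckRRSIG(sig, "example.com.", "miek.nl."))
	fmt.Println("signer/zone:   ", CheckRRSIG(Rrsig{OwnerName: "nl.", SignerName: "miek.nl.", Labels: 2}, "nl.", "miek.nl."))
	fmt.Println("labels:        ", CheckRRSIG(Rrsig{OwnerName: "nl.", SignerName: ".", Labels: 2}, "nl.", "."))
}
```

Each check returns a distinct sentinel error so a caller can log which RFC 4035 constraint failed; the wildcard case (owner has more labels than the Labels field) is deliberately accepted, since that is the legitimate wildcard-expansion signal rather than a violation.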