Deckard: support negative trust anchors

parent 387e8845
......@@ -416,6 +416,7 @@ Format is list of "key: value" pairs, one pair per line. There is no explicit st
config option default meaning
========================== ======= =====================================================================
do-not-query-localhost on on = queries cannot be sent to 127.0.0.1/8 or ::1/128 addresses
domain-insecure (none) domain name specifying DNS sub-tree with explicitly disabled DNSSEC validation
force-ipv6 off use a IPv6 address as ``stub-addr``
harden-glue on additional checks on glue addresses
query-minimization on RFC 7816 query algorithm enabled; default inherited from QMIN environment variable
......
......@@ -190,6 +190,7 @@ DNS specifics:
- ``HARDEN_GLUE`` [bool]_ - enables or disables additional checks on glue addresses
- ``QMIN`` [bool]_ - enables or disables query minimization respectively
- ``TRUST_ANCHORS`` - list of trust anchors in form of a DS records, see `scenario guide <doc/scenario_guide.rst>`_
- ``NEGATIVE_TRUST_ANCHORS`` - list of domain names with explicitly disabled DNSSEC validation
.. [bool] boolean expressed as string ``true``/``false``
......
......@@ -935,6 +935,7 @@ def parse_config(scn_cfg, qmin, installdir):
sockfamily = 0 # auto-select value for socket.getaddrinfo
trust_anchor_list = []
trust_anchor_files = {}
negative_ta_list = []
stub_addr = None
override_timestamp = None
......@@ -946,6 +947,8 @@ def parse_config(scn_cfg, qmin, installdir):
# Enable selectively for some tests
if k == 'do-not-query-localhost':
do_not_query_localhost = str2bool(v)
if k == 'domain-insecure':
negative_ta_list.append(v)
if k == 'harden-glue':
harden_glue = str2bool(v)
if k == 'query-minimization':
......@@ -1003,6 +1006,7 @@ def parse_config(scn_cfg, qmin, installdir):
ctx = {
"DO_NOT_QUERY_LOCALHOST": str(do_not_query_localhost).lower(),
"NEGATIVE_TRUST_ANCHORS": negative_ta_list,
"FEATURES": features,
"HARDEN_GLUE": str(harden_glue).lower(),
"INSTALL_DIR": installdir,
......
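Review bot: The value appended at `negative_ta_list.append(v)` in the second hunk is used verbatim: it is handed to the templates through `"NEGATIVE_TRUST_ANCHORS": negative_ta_list` and, judging by the template hunks further down the page, interpolated inside double quotes into a Lua table and an unbound `domain-insecure:` line with no escaping. A scenario value containing a double quote, a backslash or a newline would therefore produce a malformed or silently different resolver config instead of an error at parse time. Validating at the parse site is cheaper than debugging generated configs: `negative_ta_list.append(dns.name.from_text(v).to_text())` if this module already imports dnspython's `dns.name` (the import block is outside the hunks), otherwise reject any value with characters outside `[A-Za-z0-9._-]`. parse_config continues both before and after these hunks.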
......@@ -28,6 +28,12 @@ option('NO_THROTTLE', true)
{% for TAF in TRUST_ANCHOR_FILES %}
trust_anchors.add_file('{{TAF}}')
{% endfor %}
trust_anchors.set_insecure({
{% for DI in NEGATIVE_TRUST_ANCHORS %}
"{{DI}}",
{% endfor %}
})
{% if FEATURES.min_ttl is defined %}
cache.min_ttl({{FEATURES.min_ttl}})
......
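Review bot: The new `trust_anchors.set_insecure({ ... })` block is rendered for every scenario, including all existing ones where `NEGATIVE_TRUST_ANCHORS` is empty, so every generated kresd config now carries a `trust_anchors.set_insecure({})` call; presumably that is a no-op on a freshly started instance, but it changes the output for every existing test without adding anything. Guarding the block with `{% if NEGATIVE_TRUST_ANCHORS %}` before `trust_anchors.set_insecure({` and `{% endif %}` after `})` keeps the old scenarios' configs byte-identical and makes the feature visible only where a scenario uses it. The surrounding configuration section continues outside the hunk.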
......@@ -483,6 +483,10 @@ server:
# Ignore chain of trust. Domain is treated as insecure.
# domain-insecure: "example.com"
{% for DI in NEGATIVE_TRUST_ANCHORS %}
domain-insecure: "{{DI}}"
{% endfor %}
# Override the date for validation with a specific fixed date.
# Do not set this unless you are debugging signature inception
......