......@@ -55,8 +55,27 @@
"trust-anchors": [
{
"domain": ".",
"key-file": "/var/tmp/root.keys",
"auto-update": true
"auto-update": true,
"trust-anchor": [
{
"id": 0,
"ds": {
"algorithm": "RSASHA256",
"digest": "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5",
"digest-type": "SHA-256",
"key-tag": 19036
}
},
{
"id": 1,
"ds": {
"algorithm": "RSASHA256",
"digest": "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
"digest-type": "SHA-256",
"key-tag": 20326
}
}
]
}
],
"negative-trust-anchors": [
......@@ -85,8 +85,36 @@
"trust-anchors": [
{
"domain": ".",
"key-file": "/var/tmp/root.keys",
"auto-update": true
"auto-update": true,
"trust-anchor": [
{
"id": 0,
"ds": {
"algorithm": "RSASHA256",
"digest": "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5",
"digest-type": "SHA-256",
"key-tag": 19036
}
},
{
"id": 1,
"ds": {
"algorithm": "RSASHA256",
"digest": "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
"digest-type": "SHA-256",
"key-tag": 20326
}
},
{
"id": 2,
"dnskey": {
"algorithm": "RSASHA256",
"flags": "ZONE SEP",
"protocol": 3,
"public-key": "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
}
}
]
}
],
"negative-trust-anchors": [
......@@ -28,7 +28,7 @@ if json_data:
model_data = model.from_raw(json_data)
# validate data against DataModel
#model_data.validate()
# model_data.validate()
# save model_data to json
with open(data_json_path, 'w') as json_file:
......@@ -4,6 +4,7 @@ Module for generating Unbound and Knot Resolver configuration files from valid l
from re import compile, sub
from socket import gethostbyname
from .parser import TrustAnchorRR as ta_parser
ip_address = compile('^((\d{1,3}\.){3}\d{1,3})|(([\dA-Fa-f]{1,4})|(:)|(:[\dA-Fa-f]{1,4})){2,7}[\dA-Fa-f]$')
......@@ -218,13 +219,25 @@ class Generator:
pass
# file
if 'key-file' in ta:
pass
# read-only
if 'auto-update' in ta:
self.kresd_conf += str("trust_anchors.add_file('{0}',{1})\n".format(ta['key-file'],
not ta['auto-update']))
#if 'auto-update' in ta:
# self.kresd_conf += str("trust_anchors.add_file('{0}',{1})\n".format(ta['key-file'],
# not ta['auto-update']))
#else:
# self.kresd_conf += str("trust_anchors.add_file('{0}')\n".format(ta['key-file']))
if 'trust-anchor' in ta:
for anchor in ta['trust-anchor']:
if 'ds' in anchor:
ta_string = ta_parser.create_ds_string(ta['domain'], anchor['ds'])
elif 'dnskey' in anchor:
ta_string = ta_parser.create_dnskey_string(ta['domain'], anchor['dnskey'])
else:
self.kresd_conf += str("trust_anchors.add_file('{0}')\n".format(ta['key-file']))
break
self.kresd_conf += str("trust_anchors.add('{0}')\n".format(ta_string))
# negative-trust-anchors
if 'negative-trust-anchors' in dnssec_conf:
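Review bot: The `else:` branch at the bottom of the new `for anchor in ta['trust-anchor']` loop does `break`, so a single entry that has neither `ds` nor `dnskey` silently drops every anchor listed after it, and that branch reads `ta['key-file']` without the `'key-file' in ta` guard used a few lines above. The same `break` is in the Unbound hunk (`@@ -471,10 +484,20 @@`). Prefer `continue` (or raising on the malformed entry) and wrap the fallback in `if 'key-file' in ta:`. `ta_string` is also interpolated into a single-quoted Lua literal without escaping, and with `model_data.validate()` still commented out in the other hunk it seems worth checking that the digest is hex and the public key base64 before formatting, so a stray quote in the config data cannot break the generated file. The enclosing method starts and continues outside the hunk.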
......@@ -471,10 +484,20 @@ class Generator:
pass
# file
if 'key-file' in ta:
self.server_unbound_conf += str("\tauto-trust-anchor-file: \"{}\"\n".format(ta['key-file']))
self.server_unbound_conf += str("\tauto-trust-anchor-file: \"{0}\"\n".format(ta['key-file']))
# read-only
if 'read-only' in ta:
pass
if 'trust-anchor' in ta:
for anchor in ta['trust-anchor']:
if 'ds' in anchor:
ta_string = ta_parser.create_ds_string(ta['domain'], anchor['ds'])
elif 'dnskey' in anchor:
ta_string = ta_parser.create_dnskey_string(ta['domain'], anchor['dnskey'])
else:
break
self.server_unbound_conf += str("\ttrust-anchor: \"{0}\"\n".format(ta_string))
# negative-trust-anchors
if 'negative-trust-anchors' in dnssec_conf:
class TrustAnchorRR:
alg_enum = {
1: "RSAMD5",
2: "DH",
3: "DSA",
5: "RSASHA1",
6: "DSA-NSEC3-SHA1",
7: "RSASHA1-NSEC3-SHA1",
8: "RSASHA256",
10: "RSASHA512",
12: "ECC-GOST",
13: "ECDSAP256SHA256",
14: "ECDSAP384SHA384"
}
alg_enum_inv = {v: k for k, v in alg_enum.items()}
digest_type_enum = {
1: "SHA-1",
2: "SHA-256",
3: "GOST-R-34.11-94",
4: "SHA-384"
}
digest_type_enum_inv = {v: k for k, v in digest_type_enum.items()}
@staticmethod
def parse_ds(ds_ta: str)-> dict:
ds_ta.strip()
owner = ds_ta.split()[0]
i = 1
if ds_ta.split()[i] == "IN":
i = i + 1
if ds_ta.split()[i] == "DS":
i = i + 1
ta_id = 0
key_tag = ds_ta.split()[i]
algorithm = TrustAnchorRR.alg_enum.get(ds_ta.split()[i+1])
digest_type = TrustAnchorRR.digest_type_enum.get(int(ds_ta.split()[i+2]))
digest = ds_ta.split()[i+3]
ds_dict = {
"owner": owner,
"ds": {
"id": ta_id,
"algorithm": algorithm,
"digest": digest,
"digest-type": digest_type,
"key-tag": int(key_tag)
}
}
return ds_dict
@staticmethod
def parse_dnskey(dnskey_ta: str)-> dict:
dnskey_ta.strip()
owner = dnskey_ta.split()[0]
i = 1
if dnskey_ta.split()[i] != "IN" and dnskey_ta.split()[i] != "DNSKEY":
i = i+1
if dnskey_ta.split()[i] == "IN":
i = i + 1
if dnskey_ta.split()[i] == "DNSKEY":
i = i + 1
ta_id = 0
#flags = dnskey_ta.split()[i]
flags = "ZONE SEP"
protocol = dnskey_ta.split()[i+1]
algorithm = dnskey_ta.split()[i+2]
public_key = dnskey_ta.split()[i+3]
public_key = public_key.lstrip('(')
public_key = public_key.rstrip(')')
dnskey_dict = {
"owner": owner,
"dnskey": {
"id": ta_id,
"algorithm": algorithm,
"flags": flags,
"protocol": protocol,
"public-key": public_key
}
}
return dnskey_dict
@staticmethod
def create_ds_string(domain: str, ds_ta: dict)-> str:
algorithm = TrustAnchorRR.alg_enum_inv.get(str(ds_ta['algorithm']))
digest_type = TrustAnchorRR.digest_type_enum_inv.get(str(ds_ta['digest-type']))
ds_str = "{0} IN DS {1} {2} {3} {4}".format(domain,
ds_ta['key-tag'],
algorithm,
digest_type,
ds_ta['digest'])
return ds_str
@staticmethod
def create_dnskey_string(domain: str, dnskey_ta: dict)-> str:
algorithm = TrustAnchorRR.alg_enum_inv.get(str(dnskey_ta['algorithm']))
flags = None
# 257 is KSK, 256 is ZSK
if 'flags' in dnskey_ta:
# TODO: dont know mapping between SEP, ZONE, REVOKE <-> 257, 256
if 'SEP' in str(dnskey_ta['flags']):
flags = 256
else:
flags = 257
if flags is not None:
dnskey_str = "{0} IN DNSKEY {1} {2} {3} {4}".format(domain,
flags,
dnskey_ta['protocol'], algorithm,
dnskey_ta['public-key'])
else:
dnskey_str = "{0} IN DNSKEY {1} {2} {3}".format(domain,
dnskey_ta['protocol'], algorithm,
dnskey_ta['public-key'])
return dnskey_str
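Review bot: `create_dnskey_string` maps a `SEP` flag to `256` and everything else to `257`, which is the reverse of the comment two lines above it (257 is the KSK, i.e. ZONE+SEP; 256 is ZONE only), so the example anchor with `"flags": "ZONE SEP"` would be emitted with flags that no longer match the published key; change it to `flags = 257 if 'SEP' in str(dnskey_ta['flags']) else 256`. `parse_ds` looks up `TrustAnchorRR.alg_enum` with the raw string token while that dict is keyed by int, so `algorithm` is always `None` there; use `TrustAnchorRR.alg_enum.get(int(ds_ta.split()[i+1]))` as the digest-type line already does. `parse_dnskey` hardcodes `flags = "ZONE SEP"` instead of reading the token on the commented-out line, and the bare `ds_ta.strip()` / `dnskey_ta.strip()` calls discard their result. A class docstring stating the expected input (presentation-format DS and DNSKEY records) and the dict shape each parser returns would help callers.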
......@@ -10,7 +10,7 @@
},
{
"name": "cznic-resolver-common",
"revision": "2018-12-10",
"revision": "2018-12-13",
"feature": [
"set-group"
],