feat: add logging
This commit is contained in:
@@ -20,9 +20,9 @@ package dnssec
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"log"
|
||||
"strings"
|
||||
|
||||
"github.com/afonsofrancof/sdns-proxy/common/logger"
|
||||
"github.com/miekg/dns"
|
||||
)
|
||||
|
||||
@@ -57,13 +57,13 @@ func (ac *AuthenticationChain) Populate(domainName string, queryFunc func(string
|
||||
zones = append(zones, zone)
|
||||
}
|
||||
|
||||
log.Printf("Building DNSSEC chain for zones: %v", zones)
|
||||
logger.Debug("Building DNSSEC chain for zones: %v", zones)
|
||||
|
||||
ac.DelegationChain = make([]SignedZone, 0, len(zones))
|
||||
|
||||
// Query each zone from root down
|
||||
for i, zoneName := range zones {
|
||||
log.Printf("Querying zone: %s", zoneName)
|
||||
logger.Debug("Querying zone: %s", zoneName)
|
||||
|
||||
delegation, err := ac.queryDelegation(zoneName, queryFunc)
|
||||
if err != nil {
|
||||
@@ -91,13 +91,13 @@ func (ac *AuthenticationChain) queryDelegation(domainName string, queryFunc func
|
||||
}
|
||||
signedZone.DNSKey = dnskeyRRset
|
||||
|
||||
log.Printf("Found %d DNSKEY records for %s", len(dnskeyRRset.RRs), domainName)
|
||||
logger.Debug("Found %d DNSKEY records for %s", len(dnskeyRRset.RRs), domainName)
|
||||
|
||||
// Populate public key lookup
|
||||
for _, rr := range signedZone.DNSKey.RRs {
|
||||
if dnskey, ok := rr.(*dns.DNSKEY); ok {
|
||||
signedZone.AddPubKey(dnskey)
|
||||
log.Printf("Added DNSKEY for %s: keytag=%d, flags=%d, algorithm=%d", domainName, dnskey.KeyTag(), dnskey.Flags, dnskey.Algorithm)
|
||||
logger.Debug("Added DNSKEY for %s: keytag=%d, flags=%d, algorithm=%d", domainName, dnskey.KeyTag(), dnskey.Flags, dnskey.Algorithm)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -106,17 +106,17 @@ func (ac *AuthenticationChain) queryDelegation(domainName string, queryFunc func
|
||||
dsRRset, _ := ac.queryRRset(domainName, dns.TypeDS, queryFunc)
|
||||
signedZone.DS = dsRRset
|
||||
if dsRRset != nil && len(dsRRset.RRs) > 0 {
|
||||
log.Printf("Found %d DS records for %s", len(dsRRset.RRs), domainName)
|
||||
logger.Debug("Found %d DS records for %s", len(dsRRset.RRs), domainName)
|
||||
for _, rr := range dsRRset.RRs {
|
||||
if ds, ok := rr.(*dns.DS); ok {
|
||||
log.Printf("DS record for %s: keytag=%d", domainName, ds.KeyTag)
|
||||
logger.Debug("DS record for %s: keytag=%d", domainName, ds.KeyTag)
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// Root zone has no DS records - trusted by default
|
||||
signedZone.DS = NewRRSet()
|
||||
log.Printf("Root zone - no DS records, trusted by default")
|
||||
logger.Debug("Root zone - no DS records, trusted by default")
|
||||
}
|
||||
|
||||
return signedZone, nil
|
||||
@@ -125,12 +125,12 @@ func (ac *AuthenticationChain) queryDelegation(domainName string, queryFunc func
|
||||
func (ac *AuthenticationChain) queryRRset(qname string, qtype uint16, queryFunc func(string, uint16) (*dns.Msg, error)) (*RRSet, error) {
|
||||
r, err := queryFunc(qname, qtype)
|
||||
if err != nil {
|
||||
log.Printf("cannot lookup %v", err)
|
||||
logger.Debug("cannot lookup %v", err)
|
||||
return NewRRSet(), nil // Return empty RRSet instead of nil
|
||||
}
|
||||
|
||||
if r.Rcode == dns.RcodeNameError {
|
||||
log.Printf("no such domain %s", qname)
|
||||
logger.Debug("no such domain %s", qname)
|
||||
return NewRRSet(), nil // Return empty RRSet instead of nil
|
||||
}
|
||||
|
||||
@@ -167,60 +167,60 @@ func (ac *AuthenticationChain) Verify(answerRRset *RRSet) error {
|
||||
// Verify the answer RRset against target zone's keys
|
||||
err := targetZone.VerifyRRSIG(answerRRset)
|
||||
if err != nil {
|
||||
log.Printf("Answer RRSIG verification failed: %v", err)
|
||||
logger.Debug("Answer RRSIG verification failed: %v", err)
|
||||
return ErrInvalidRRsig
|
||||
}
|
||||
|
||||
// Validate the chain from root down
|
||||
for _, zone := range ac.DelegationChain {
|
||||
log.Printf("Validating zone: %s", zone.Zone)
|
||||
logger.Debug("Validating zone: %s", zone.Zone)
|
||||
|
||||
// Verify DNSKEY RRset signature
|
||||
if !zone.HasDNSKeys() {
|
||||
log.Printf("No DNSKEYs for zone %s", zone.Zone)
|
||||
logger.Debug("No DNSKEYs for zone %s", zone.Zone)
|
||||
return ErrDnskeyNotAvailable
|
||||
}
|
||||
|
||||
err := zone.VerifyRRSIG(zone.DNSKey)
|
||||
if err != nil {
|
||||
log.Printf("DNSKEY validation failed for %s: %v", zone.Zone, err)
|
||||
logger.Debug("DNSKEY validation failed for %s: %v", zone.Zone, err)
|
||||
return ErrRrsigValidationError
|
||||
}
|
||||
|
||||
// Skip ALL validation for root - just trust it
|
||||
if zone.Zone == "." {
|
||||
log.Printf("Root zone - trusted by default, no validation performed")
|
||||
logger.Debug("Root zone - trusted by default, no validation performed")
|
||||
continue
|
||||
}
|
||||
|
||||
// For non-root zones, validate DS records against parent zone
|
||||
if zone.ParentZone == nil {
|
||||
log.Printf("Non-root zone %s has no parent", zone.Zone)
|
||||
logger.Debug("Non-root zone %s has no parent", zone.Zone)
|
||||
return fmt.Errorf("non-root zone %s has no parent", zone.Zone)
|
||||
}
|
||||
|
||||
if zone.DS == nil || zone.DS.IsEmpty() {
|
||||
log.Printf("No DS records for zone %s", zone.Zone)
|
||||
logger.Debug("No DS records for zone %s", zone.Zone)
|
||||
return ErrDsNotAvailable
|
||||
}
|
||||
|
||||
// Verify DS signature using parent's key
|
||||
err = zone.ParentZone.VerifyRRSIG(zone.DS)
|
||||
if err != nil {
|
||||
log.Printf("DS signature validation failed for %s: %v", zone.Zone, err)
|
||||
logger.Debug("DS signature validation failed for %s: %v", zone.Zone, err)
|
||||
return ErrRrsigValidationError
|
||||
}
|
||||
|
||||
// Verify DS matches this zone's DNSKEY
|
||||
err = zone.VerifyDS(zone.DS.RRs)
|
||||
if err != nil {
|
||||
log.Printf("DS-DNSKEY validation failed for %s: %v", zone.Zone, err)
|
||||
logger.Debug("DS-DNSKEY validation failed for %s: %v", zone.Zone, err)
|
||||
return ErrDsInvalid
|
||||
}
|
||||
|
||||
log.Printf("Zone %s validated successfully", zone.Zone)
|
||||
logger.Debug("Zone %s validated successfully", zone.Zone)
|
||||
}
|
||||
|
||||
log.Printf("DNSSEC validation successful for entire chain!")
|
||||
logger.Debug("DNSSEC validation successful for entire chain!")
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -2,11 +2,11 @@ package dnssec
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"log"
|
||||
"net"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/afonsofrancof/sdns-proxy/common/logger"
|
||||
"github.com/miekg/dns"
|
||||
)
|
||||
|
||||
@@ -28,13 +28,13 @@ func NewAuthoritativeQuerier() *AuthoritativeQuerier {
|
||||
}
|
||||
|
||||
func (aq *AuthoritativeQuerier) QueryAuthoritative(qname string, qtype uint16) (*dns.Msg, error) {
|
||||
log.Printf("Querying authoritative servers for %s type %d", qname, qtype)
|
||||
logger.Debug("Querying authoritative servers for %s type %d", qname, qtype)
|
||||
|
||||
var zone string
|
||||
if qtype == dns.TypeDS {
|
||||
zone = aq.getParentZone(qname)
|
||||
if zone == "" {
|
||||
log.Printf("No parent zone for %s - returning NXDOMAIN for DS query", qname)
|
||||
logger.Debug("No parent zone for %s - returning NXDOMAIN for DS query", qname)
|
||||
msg := &dns.Msg{}
|
||||
msg.SetRcode(&dns.Msg{}, dns.RcodeNameError)
|
||||
return msg, nil
|
||||
@@ -43,7 +43,7 @@ func (aq *AuthoritativeQuerier) QueryAuthoritative(qname string, qtype uint16) (
|
||||
zone = aq.findZone(qname)
|
||||
}
|
||||
|
||||
log.Printf("Determined zone: %s for query %s type %d", zone, qname, qtype)
|
||||
logger.Debug("Determined zone: %s for query %s type %d", zone, qname, qtype)
|
||||
|
||||
// Get NS names (not IPs yet)
|
||||
nsNames, err := aq.findAuthoritativeNSNames(zone)
|
||||
@@ -59,15 +59,15 @@ func (aq *AuthoritativeQuerier) QueryAuthoritative(qname string, qtype uint16) (
|
||||
continue
|
||||
}
|
||||
|
||||
log.Printf("Trying server: %s (%s)", server, nsName)
|
||||
logger.Debug("Trying server: %s (%s)", server, nsName)
|
||||
msg, err := aq.queryServer(server, qname, qtype)
|
||||
if err != nil {
|
||||
log.Printf("Server %s failed: %v", server, err)
|
||||
logger.Debug("Server %s failed: %v", server, err)
|
||||
lastErr = err
|
||||
continue
|
||||
}
|
||||
|
||||
log.Printf("Server %s responded, authoritative: %v, rcode: %d, answers: %d", server, msg.Authoritative, msg.Rcode, len(msg.Answer))
|
||||
logger.Debug("Server %s responded, authoritative: %v, rcode: %d, answers: %d", server, msg.Authoritative, msg.Rcode, len(msg.Answer))
|
||||
if (msg.Rcode == dns.RcodeSuccess && len(msg.Answer) > 0) || msg.Rcode == dns.RcodeNameError {
|
||||
return msg, nil
|
||||
}
|
||||
@@ -82,11 +82,11 @@ func (aq *AuthoritativeQuerier) QueryAuthoritative(qname string, qtype uint16) (
|
||||
func (aq *AuthoritativeQuerier) findAuthoritativeNSNames(zone string) ([]string, error) {
|
||||
|
||||
if nsNames, exists := aq.nsCache[zone]; exists {
|
||||
log.Printf("Using cached NS names for %s: %v", zone, nsNames)
|
||||
logger.Debug("Using cached NS names for %s: %v", zone, nsNames)
|
||||
return nsNames, nil
|
||||
}
|
||||
|
||||
log.Printf("Looking for NS records for zone: %s", zone)
|
||||
logger.Debug("Looking for NS records for zone: %s", zone)
|
||||
|
||||
// Use a public resolver to find the NS records
|
||||
resolver := &dns.Client{Timeout: 5 * time.Second}
|
||||
@@ -125,35 +125,35 @@ func (aq *AuthoritativeQuerier) findAuthoritativeNSNames(zone string) ([]string,
|
||||
return nil, fmt.Errorf("no NS servers found for %s", zone)
|
||||
}
|
||||
|
||||
log.Printf("Found NS names for %s: %v", zone, nsNames)
|
||||
logger.Debug("Found NS names for %s: %v", zone, nsNames)
|
||||
aq.nsCache[zone] = nsNames
|
||||
log.Printf("Cached NS names for %s: %v", zone, nsNames)
|
||||
logger.Debug("Cached NS names for %s: %v", zone, nsNames)
|
||||
return nsNames, nil
|
||||
}
|
||||
|
||||
func (aq *AuthoritativeQuerier) getParentZone(qname string) string {
|
||||
log.Printf("Getting parent zone for: %s", qname)
|
||||
logger.Debug("Getting parent zone for: %s", qname)
|
||||
|
||||
// Clean the qname
|
||||
qname = strings.TrimSuffix(qname, ".")
|
||||
|
||||
// Root zone has no parent
|
||||
if qname == "" || qname == "." {
|
||||
log.Printf("Root zone has no parent")
|
||||
logger.Debug("Root zone has no parent")
|
||||
return ""
|
||||
}
|
||||
|
||||
labels := dns.SplitDomainName(qname)
|
||||
log.Printf("Labels for %s: %v", qname, labels)
|
||||
logger.Debug("Labels for %s: %v", qname, labels)
|
||||
|
||||
if len(labels) <= 1 {
|
||||
log.Printf("Parent of TLD %s is root", qname)
|
||||
logger.Debug("Parent of TLD %s is root", qname)
|
||||
return "." // Parent of TLD is root
|
||||
}
|
||||
|
||||
parentLabels := labels[1:]
|
||||
parent := dns.Fqdn(strings.Join(parentLabels, "."))
|
||||
log.Printf("Parent zone of %s is %s", qname, parent)
|
||||
logger.Debug("Parent zone of %s is %s", qname, parent)
|
||||
return parent
|
||||
}
|
||||
|
||||
@@ -167,27 +167,26 @@ func (aq *AuthoritativeQuerier) findZone(qname string) string {
|
||||
return qname
|
||||
}
|
||||
|
||||
|
||||
func (aq *AuthoritativeQuerier) resolveNSToIP(nsName string) string {
|
||||
if ip, exists := aq.ipCache[nsName]; exists {
|
||||
log.Printf("Using cached IP for %s: %s", nsName, ip)
|
||||
logger.Debug("Using cached IP for %s: %s", nsName, ip)
|
||||
return ip
|
||||
}
|
||||
|
||||
nsName = strings.TrimSuffix(nsName, ".")
|
||||
log.Printf("Resolving NS %s to IP", nsName)
|
||||
logger.Debug("Resolving NS %s to IP", nsName)
|
||||
|
||||
ips, err := net.LookupIP(nsName)
|
||||
if err != nil {
|
||||
log.Printf("Failed to resolve %s: %v", nsName, err)
|
||||
logger.Debug("Failed to resolve %s: %v", nsName, err)
|
||||
return ""
|
||||
}
|
||||
|
||||
for _, ip := range ips {
|
||||
if ip.To4() != nil { // Prefer IPv4
|
||||
result := ip.String() + ":53"
|
||||
log.Printf("Resolved %s to %s", nsName, result)
|
||||
|
||||
logger.Debug("Resolved %s to %s", nsName, result)
|
||||
|
||||
// Cache the result before returning
|
||||
aq.ipCache[nsName] = result
|
||||
return result
|
||||
@@ -202,12 +201,12 @@ func (aq *AuthoritativeQuerier) queryServer(server, qname string, qtype uint16)
|
||||
m.SetQuestion(dns.Fqdn(qname), qtype)
|
||||
m.SetEdns0(4096, true) // Enable DNSSEC
|
||||
|
||||
log.Printf("Querying %s for %s type %d", server, qname, qtype)
|
||||
logger.Debug("Querying %s for %s type %d", server, qname, qtype)
|
||||
msg, _, err := aq.client.Exchange(m, server)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
log.Printf("Response from %s: rcode=%d, answers=%d", server, msg.Rcode, len(msg.Answer))
|
||||
logger.Debug("Response from %s: rcode=%d, answers=%d", server, msg.Rcode, len(msg.Answer))
|
||||
return msg, err
|
||||
}
|
||||
|
||||
@@ -19,9 +19,9 @@ package dnssec
|
||||
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
import (
|
||||
"log"
|
||||
"time"
|
||||
|
||||
"github.com/afonsofrancof/sdns-proxy/common/logger"
|
||||
"github.com/miekg/dns"
|
||||
)
|
||||
|
||||
@@ -65,7 +65,7 @@ func (r *RRSet) ValidateSignature(key *dns.DNSKEY) error {
|
||||
|
||||
err := r.RRSig.Verify(key, r.RRs)
|
||||
if err != nil {
|
||||
log.Printf("RRSIG verification failed: %v", err)
|
||||
logger.Debug("RRSIG verification failed: %v", err)
|
||||
return ErrRrsigValidationError
|
||||
}
|
||||
|
||||
|
||||
@@ -19,9 +19,9 @@ package dnssec
|
||||
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
import (
|
||||
"log"
|
||||
"strings"
|
||||
|
||||
"github.com/afonsofrancof/sdns-proxy/common/logger"
|
||||
"github.com/miekg/dns"
|
||||
)
|
||||
|
||||
@@ -61,7 +61,7 @@ func (z *SignedZone) VerifyRRSIG(signedRRset *RRSet) error {
|
||||
|
||||
key := z.LookupPubKey(signedRRset.RRSig.KeyTag)
|
||||
if key == nil {
|
||||
log.Printf("DNSKEY keytag %d not found in zone %s", signedRRset.RRSig.KeyTag, z.Zone)
|
||||
logger.Debug("DNSKEY keytag %d not found in zone %s", signedRRset.RRSig.KeyTag, z.Zone)
|
||||
return ErrDnskeyNotAvailable
|
||||
}
|
||||
|
||||
@@ -69,36 +69,36 @@ func (z *SignedZone) VerifyRRSIG(signedRRset *RRSet) error {
|
||||
}
|
||||
|
||||
func (z *SignedZone) VerifyDS(dsRRset []dns.RR) error {
|
||||
log.Printf("Verifying DS for zone %s with %d DS records", z.Zone, len(dsRRset))
|
||||
logger.Debug("Verifying DS for zone %s with %d DS records", z.Zone, len(dsRRset))
|
||||
for _, rr := range dsRRset {
|
||||
ds, ok := rr.(*dns.DS)
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
|
||||
log.Printf("Checking DS keytag %d, digestType %d", ds.KeyTag, ds.DigestType)
|
||||
logger.Debug("Checking DS keytag %d, digestType %d", ds.KeyTag, ds.DigestType)
|
||||
|
||||
if ds.DigestType != dns.SHA256 {
|
||||
log.Printf("Unknown digest type (%d) on DS RR", ds.DigestType)
|
||||
logger.Debug("Unknown digest type (%d) on DS RR", ds.DigestType)
|
||||
continue
|
||||
}
|
||||
|
||||
parentDsDigest := strings.ToUpper(ds.Digest)
|
||||
key := z.LookupPubKey(ds.KeyTag)
|
||||
if key == nil {
|
||||
log.Printf("DNSKEY keytag %d not found in zone %s", ds.KeyTag, z.Zone)
|
||||
logger.Debug("DNSKEY keytag %d not found in zone %s", ds.KeyTag, z.Zone)
|
||||
return ErrDnskeyNotAvailable
|
||||
}
|
||||
|
||||
dsDigest := strings.ToUpper(key.ToDS(ds.DigestType).Digest)
|
||||
log.Printf("Parent DS digest: %s, Computed digest: %s", parentDsDigest, dsDigest)
|
||||
logger.Debug("Parent DS digest: %s, Computed digest: %s", parentDsDigest, dsDigest)
|
||||
if parentDsDigest == dsDigest {
|
||||
log.Printf("DS validation successful for keytag %d", ds.KeyTag)
|
||||
logger.Debug("DS validation successful for keytag %d", ds.KeyTag)
|
||||
return nil
|
||||
}
|
||||
|
||||
log.Printf("DS does not match DNSKEY for keytag %d", ds.KeyTag)
|
||||
logger.Debug("DS does not match DNSKEY for keytag %d", ds.KeyTag)
|
||||
}
|
||||
log.Printf("No matching DS found")
|
||||
logger.Debug("No matching DS found")
|
||||
return ErrDsInvalid
|
||||
}
|
||||
|
||||
@@ -17,10 +17,10 @@ package dnssec
|
||||
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
// ./common/dnssec/validator.go
|
||||
|
||||
import (
|
||||
"log"
|
||||
|
||||
"github.com/afonsofrancof/sdns-proxy/common/logger"
|
||||
"github.com/miekg/dns"
|
||||
)
|
||||
|
||||
@@ -35,7 +35,10 @@ func NewValidator(queryFunc func(string, uint16) (*dns.Msg, error)) *Validator {
|
||||
}
|
||||
|
||||
func (v *Validator) ValidateResponse(msg *dns.Msg, qname string, qtype uint16) error {
|
||||
logger.Debug("Starting DNSSEC validation for %s %s", qname, dns.TypeToString[qtype])
|
||||
|
||||
if msg == nil || len(msg.Answer) == 0 {
|
||||
logger.Debug("No result for %s %s", qname, dns.TypeToString[qtype])
|
||||
return ErrNoResult
|
||||
}
|
||||
|
||||
@@ -46,41 +49,48 @@ func (v *Validator) ValidateResponse(msg *dns.Msg, qname string, qtype uint16) e
|
||||
case *dns.RRSIG:
|
||||
if t.TypeCovered == qtype {
|
||||
rrset.RRSig = t
|
||||
logger.Debug("Found RRSIG for %s %s (keytag: %d)", qname, dns.TypeToString[qtype], t.KeyTag)
|
||||
}
|
||||
default:
|
||||
if rr.Header().Rrtype == qtype {
|
||||
rrset.RRs = append(rrset.RRs, rr)
|
||||
logger.Debug("Found RR for %s %s: %s", qname, dns.TypeToString[qtype], rr.String())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if rrset.IsEmpty() {
|
||||
logger.Debug("Empty RRSet for %s %s", qname, dns.TypeToString[qtype])
|
||||
return ErrNoResult
|
||||
}
|
||||
|
||||
if !rrset.IsSigned() {
|
||||
logger.Debug("RRSet for %s %s is not signed", qname, dns.TypeToString[qtype])
|
||||
return ErrResourceNotSigned
|
||||
}
|
||||
|
||||
// Check header integrity
|
||||
if err := rrset.CheckHeaderIntegrity(qname); err != nil {
|
||||
logger.Debug("Header integrity check failed for %s %s: %v", qname, dns.TypeToString[qtype], err)
|
||||
return err
|
||||
}
|
||||
|
||||
// Build and verify authentication chain
|
||||
signerName := rrset.SignerName()
|
||||
logger.Debug("Building authentication chain for signer: %s", signerName)
|
||||
authChain := NewAuthenticationChain()
|
||||
|
||||
if err := authChain.Populate(signerName, v.queryFunc); err != nil {
|
||||
log.Printf("Cannot populate authentication chain: %s", err)
|
||||
logger.Debug("Cannot populate authentication chain for %s: %v", signerName, err)
|
||||
return err
|
||||
}
|
||||
|
||||
if err := authChain.Verify(rrset); err != nil {
|
||||
log.Printf("DNSSEC validation failed: %s", err)
|
||||
logger.Debug("DNSSEC validation failed for %s %s: %v", qname, dns.TypeToString[qtype], err)
|
||||
return err
|
||||
}
|
||||
|
||||
logger.Debug("DNSSEC validation successful for %s %s", qname, dns.TypeToString[qtype])
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user