
fix(dnstap source): support DNSSEC RRSIG record data (#18878)
* fix(dnstap source): support DNSSEC RRSIG record data

* update codeowners
neuronull authored Oct 20, 2023
1 parent 0b27019 commit ed97f0d
Showing 2 changed files with 51 additions and 1 deletion.
1 change: 1 addition & 0 deletions .github/CODEOWNERS
@@ -1,4 +1,5 @@
docs/ @vectordotdev/ux-team
lib/dnsmsg-parser/ @vectordotdev/integrations-team
lib/file-source/ @vectordotdev/integrations-team
lib/k8s-e2e-tests/ @vectordotdev/integrations-team
lib/k8s-test-framework/ @vectordotdev/integrations-team
51 changes: 50 additions & 1 deletion lib/dnsmsg-parser/src/dns_message_parser.rs
Expand Up @@ -744,6 +744,26 @@ fn format_rdata(rdata: &RData) -> DnsParserResult<(Option<String>, Option<Vec<u8
);
Ok((Some(sig_rdata), None))
}
// RSIG is a derivation of SIG but choosing to keep this duplicate code in lieu of the alternative
// which is to allocate to the heap with Box in order to deref.
DNSSECRData::RRSIG(sig) => {
let sig_rdata = format!(
"{} {} {} {} {} {} {} {} {}",
match format_record_type(sig.type_covered()) {
Some(record_type) => record_type,
None => String::from("Unknown record type"),
},
u8::from(sig.algorithm()),
sig.num_labels(),
sig.original_ttl(),
sig.sig_expiration(), // currently in epoch convert to human readable ?
sig.sig_inception(), // currently in epoch convert to human readable ?
sig.key_tag(),
sig.signer_name(),
BASE64.encode(sig.sig())
);
Ok((Some(sig_rdata), None))
}
DNSSECRData::Unknown { code: _, rdata } => Ok((None, Some(rdata.anything().to_vec()))),
_ => Err(DnsMessageParserError::SimpleError {
cause: format!("Unsupported rdata {:?}", rdata),
Expand Down Expand Up @@ -1117,7 +1137,7 @@ mod tests {
dnssec::{
rdata::{
dnskey::DNSKEY, ds::DS, nsec::NSEC, nsec3::NSEC3, nsec3param::NSEC3PARAM, sig::SIG,
DNSSECRData,
DNSSECRData, RRSIG,
},
Algorithm as DNSSEC_Algorithm, DigestType, Nsec3HashAlgorithm,
},
Expand Down Expand Up @@ -1555,6 +1575,35 @@ mod tests {
}
}

// rsig is a derivation of the SIG record data, but the upstream crate does not handle that with an trait
// so there isn't really a great way to reduce code duplication here.
#[test]
fn test_format_rdata_for_rsig_type() {
let rdata = RData::DNSSEC(DNSSECRData::RRSIG(RRSIG::new(
RecordType::NULL,
DNSSEC_Algorithm::RSASHA256,
0,
0,
2,
1,
5,
Name::from_str("www.example.com").unwrap(),
vec![
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22,
23, 24, 25, 26, 27, 28, 29, 29, 31,
],
)));
let rdata_text = format_rdata(&rdata);
assert!(rdata_text.is_ok());
if let Ok((parsed, raw_rdata)) = rdata_text {
assert!(raw_rdata.is_none());
assert_eq!(
"NULL 8 0 0 2 1 5 www.example.com AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHR8=",
parsed.unwrap()
);
}
}

#[test]
fn test_format_rdata_for_ds_type() {
let rdata = RData::DNSSEC(DNSSECRData::DS(DS::new(
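Review bot: The two `// currently in epoch convert to human readable ?` comments on `sig.sig_expiration()` and `sig.sig_inception()` in the new `DNSSECRData::RRSIG` arm leave an open question in the code instead of a decision; either state the chosen behaviour, e.g. `// sig_expiration/sig_inception are emitted as raw epoch seconds, as the upstream accessors return them`, or turn it into a TODO naming the intended format. The rationale comment above the arm reads awkwardly and spells the type `RSIG`; `// RRSIG carries the same fields as SIG, but the upstream crate exposes no shared trait, so the formatting is duplicated rather than boxed behind a trait object.` states the trade-off more directly, and the same `rsig` spelling recurs in the test comment and in `test_format_rdata_for_rsig_type` in the third hunk. In that test the signature fixture runs `28, 29, 29, 31`, which looks like a typo for `28, 29, 30, 31`; the expected base64 ending `GxwdHR8=` was evidently computed from the duplicated byte, so if the fixture is corrected the expectation must change to end in `GxwdHh8=`. The enclosing `format_rdata` match starts and ends outside the hunk.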
