parent 64e3bc885a2cb8b46a1aaa4bf4f121ee7f5d44a6

author Karl Erik Õunapuu <karlerik@kreative.ee> 1591359032 +0300 committer Alex Sherman <yul.golem@gmail.com> 1617029320 +0500 CsyncJob: Don't respect IPv6 if nessecary
2025-07-25 03:58:27 +02:00 · 2020-06-05 15:10:32 +03:00 · 2020-06-05 15:10:32 +03:00 · 88e1bc3727
commit 88e1bc3727
parent e46fdd57af
33 changed files with 1475 additions and 119 deletions
--- a/app/models/dnskey.rb
+++ b/app/models/dnskey.rb
@ -28,7 +28,7 @@ class Dnskey < ApplicationRecord
  PROTOCOLS = %w(3)
  FLAGS = %w(0 256 257) # 256 = ZSK, 257 = KSK
  DS_DIGEST_TYPE = [1,2]
-
+  RESOLVERS = ENV['dnssec_resolver_ips'].to_s.strip.split(', ').freeze
  self.ignored_columns = %w[legacy_domain_id]

  def epp_code_map
@ -122,6 +122,26 @@ class Dnskey < ApplicationRecord
    errors.add(:public_key, :invalid)
  end

+  def self.new_from_csync(cdnskey:, domain:)
+    cdnskey ||= '' # avoid strip() issues for gibberish key
+
+    flags, proto, alg, pub = cdnskey.strip.split(' ')
+    Dnskey.new(domain: domain, flags: flags, protocol: proto, alg: alg, public_key: pub)
+  end
+
+  def ds_rr
+    # Break the DNSSEC trust chain as we are not able to fake RRSIG's
+    Dnsruby::Dnssec.clear_trust_anchors
+    Dnsruby::Dnssec.clear_trusted_keys
+
+    # Basically let's configure domain as root anchor. We can still verify
+    # RRSIG's / DNSKEY targeted by DS of this domain
+    generate_digest
+    generate_ds_key_tag
+    Dnsruby::RR.create("#{domain.name}. 3600 IN DS #{ds_key_tag} #{ds_alg} " \
+    "#{ds_digest_type} #{ds_digest}")
+  end
+
  class << self
    def int_to_hex(s)
      s = s.to_s(16)