author | Linus Nordberg <linus@nordu.net> | 2016-04-13 10:57:23 +0200 |
committer | Linus Nordberg <linus@nordu.net> | 2016-04-13 10:57:23 +0200 |
commit | 49d8ed9587b1363f2feddc39f31442fd292798f2 (patch) | |
tree | b761d6a9aa998b5b93a1053c10134cd13a09f16f /src/v1.erl | |
parent | fc16553ab4f5f956de7e4633d7dc92ea20c118e3 (diff) |
DNSSEC validation improvements.
Use DS signature inception time as the DNSSEC validation time.
Validate input data a bit more.
Set TTL in DS to "Original TTL" of RRSIG (this time for real).
Diffstat (limited to 'src/v1.erl')
-rw-r--r-- | src/v1.erl | 26 |
1 files changed, 16 insertions, 10 deletions
@@ -157,17 +157,23 @@ add_rr_chain(Input) ->
 {'EXIT', _} ->
 err400("add-rr-chain: invalid base64-encoding:", B64);
 Data ->
- case dnssecport:validate(Data) of
- {ok, [DS | Chain]} ->
- lager:debug("succesful DNSSEC validation"),
- success(catlfish:add_chain(DS, Chain, normal));
- {error, ErrorCode} ->
- err400(io_lib:format(
- "add-rr-chain: invalid DS record: ~p",
- [ErrorCode]),
- Data)
- end
+ add_chain_helper(Data)
 end;
 _ ->
 err400("add-rr-chain: missing input: chain", Input)
 end.
+
+add_chain_helper(Data) ->
+ case dnssecport:validate(Data) of
+ {valid, [DS | Chain]} ->
+ lager:debug("succesful DNSSEC validation"),
+ success(catlfish:add_chain(DS, Chain, normal));
+ {invalid, Reason} ->
+ lager:debug("DNSSEC validation failed with ~p", [Reason]),
+ err400(io_lib:format("add-rr-chain: invalid DS record: ~p",
+ [Reason]), Data);
+ {error, Reason} ->
+ lager:debug("DNSSEC validation error: ~p", [Reason]),
+ err400(io_lib:format("add-rr-chain: unable to validate record: ~p",
+ [Reason]), Data)
+ end. |
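Review bot: The `{error, Reason}` clause of the new `add_chain_helper/1` treats a failure of the validator itself as a client error, formatting the internal `Reason` term into the 400 body with `~p` and, if `err400/2` echoes its second argument as the call shape suggests, returning the submitted data with it. A validator error says nothing about the input, so the client should get a generic message and the detail should go to the log at a level that is actually visible: `lager:warning("DNSSEC validation error: ~p", [Reason]),` followed by `err400("add-rr-chain: unable to validate record", Data);`, and a 5xx status would be more accurate if the module has a helper for one. The `{valid, [DS | Chain]}` head leaves `{valid, []}` unmatched so it would crash with `case_clause`; if `dnssecport:validate/1` can return an empty list, add a clause for it, otherwise a one-line comment that the empty case is deliberately a crash would help the next reader. `add_chain_helper/1` is new and carries no `-spec`; one naming the type of `Data` and the shared result type of `success/1` and `err400/2` would let Dialyzer check all three branches agree. `add_rr_chain/1` begins before the hunk.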