Changeset 842

Timestamp:

04/28/22 17:42:39 (2 years ago)

Author:

Kris Deugau

Message:

/trunk

Add CAA record validation, publication, and AXFR import

File:

• trunk/DNSDB.pm (modified) (3 diffs)

trunk/DNSDB.pm

@@ -1166 +1166 @@
   return ('OK','OK');
 } # done SRV record
+
+# CAA record
+sub _validate_257 {
+  my $self = shift;
+  my $dbh = $self->{dbh};
+
+  my %args = @_;
+
+  my $code = 'OK';
+  my $msg = '';    # Default to no message, because there are a lot of handwavy warning cases.
+
+  if ($args{revrec} eq 'n') {
+    # Coerce all hostnames to end in ".DOMAIN" for group/default records,
+    # or the intended parent domain for live records.
+    my $pname = ($args{defrec} eq 'y' ? 'DOMAIN' : $self->domainName($args{id}));
+    ${$args{host}} =~ s/\.*$/\.$pname/ if ${$args{host}} !~ /$pname$/i;
+
+    my ($caaflag, $caatag, $caadetail) = (${$args{val}} =~ /(\d+)\s+(\w+)\s+(.+)/);
+
+    return ('FAIL', "Poorly formed CAA record missing one or more of flag, tag, or detail")
+      if (!defined($caaflag) || !defined($caatag) || !defined($caadetail));
+
+    # flag is a bitfield, only bit 0 currently has meaning as "Issuer Critical"
+    # Not 100% clear if this flag is permitted on known tags, or if it's
+    # semantically null since the known tags are already defined.  We'll allow it.
+    return ('FAIL', "CAA flags other than 0 or 128 not currently supported in DNS") if $caaflag ne '0' && $caaflag ne '128';
+
+    # known tags:
+    #    issue
+    #    issuewild
+    #    iodef  (RFC5070)
+    #    auth (reserved, do not use)
+    #    path (reserved, do not use)
+    #    policy (reserved, do not use)
+    return ('FAIL', "CAA tags may only use a-z, A-Z, and 0-9") if $caatag !~ /^[a-zA-Z0-9]+$/;
+    return ('FAIL', "Can't use reserved CAA tag '$caatag'") if $caatag =~ /^(?:auth|path|policy)$/;
+    if ($caatag !~ /^(?:issue|issuewild|iodef)$/) {
+      $code = 'WARN';
+      $msg = ($msg ? $msg."  " : '')."Unknown CAA tag '$caatag' will be published as-is.";
+    }
+    if (length($caatag) > 15) {
+      $code = 'WARN';
+      $msg = ($msg ? $msg."  " : '').'Custom CAA tag > 15 characters may not behave as intended.';
+    }
+
+    if ($caatag eq 'issue' || $caatag eq 'issuewild') {
+      # Detail format is possibly as complex as:
+      # [;|cert-authority [; key=value[ key=value ...]]
+      # but arguably a strict reading says there can only be one key, and the
+      # rest of the string after first = is the value, even if it appears to
+      # contain extra key=value pairs.
+      # See https://datatracker.ietf.org/doc/html/rfc6844 for full ABNF definition.
+      # Either way all we need to validate is that it's within the specified characters.
+      if ($caadetail eq ';') {
+        # No certs permitted
+      } else {
+        my ($certauth,$remainder) = ($caadetail =~ /^\s*([a-zA-Z0-9.-]+)\s*((?:;|\s|$).*)?$/);
+        if (!$certauth) {
+          # We can't reasonably validate individual domains, just that it's well-formed
+          return ('FAIL', "CAA authority domain must be a valid domain name");
+        }
+        if ($remainder) {
+          return ('FAIL', "CAA authority domain and optional key=value entry or entries must be separated by a ';'")
+            if $remainder !~ /^\s*;/;
+          $remainder =~ s/\s*;\s*//;
+          # Just validate the characters in the remainder.  Any details are CA-specific and not sanely validateable.
+          return ('FAIL', "Invalid characters in optional key=value entry or entries")
+            if $remainder !~ /^[a-zA-Z0-9]+\s*=[\x21-\x7e\s]+$/;
+        }
+      }
+    } # issue/isseuewild
+
+    elsif ($caatag eq 'iodef') {
+      # Two valid forms:
+      # mailto:address@example.com
+      # http://iodef.example.com/
+      # RFC seems a little handwavy whether https:// is valid or not, but the chained
+      # RFC for the HTTP-based reporting protocol says that this should be assumed to
+      # be a dedicated port (4590) and service, requiring TLS.  Allowing https:// per
+      # the detail description in https://datatracker.ietf.org/doc/html/rfc6844#section-5.4.
+      return ('FAIL', "iodef tag data must reference a mailto: or http: URI") if $caadetail !~ /^(mailto|https?):/;
+      if ($1 eq 'mailto') {
+        # not going full RFC on validating form, just "reasonably sane"
+        return ('FAIL', "Poorly formed email for iodef tag") if $caadetail !~ /^mailto:[^\s]+\@[a-zA-z0-9._-]+$/
+      } else {
+        return ('FAIL', "Poorly formed URI for iodef tag") if $caadetail !~ m,^https?://[a-zA-z0-9._-]+/?$,
+      }
+    } # iodef
+
+  } else {
+    # CAA records don't make much sense in reverse zones
+    return ('FAIL', "CAA records not supported in reverse zones");
+  }
+
+  # Allow CAA records in default record sets for now, but it's a bit iffy
+  # whether this makes any sense.  Not nice to publish a default "issue ;"
+  # record, then go through a support mess trying to figure out why a
+  # customer can't register a cert somewhere.
+#  if ($args{defrec} eq 'n') {
+#  } else {
+#  }
+
+  return ($code, $msg);
+} # done CAA record
+
 
 # Now the custom types
@@ -5943 +6048 @@
         $warnmsg .= "Suspect record '".$rr->string."' may not be imported correctly: SRV records may not be bare IP addresses\n"
           if $val =~ /^(?:(?:\d+\.){3}\d+|[a-fA-F0-9:]+)$/;
-      } elsif ($type eq 'KEY') {
+      }
+
+      elsif ($type eq 'CAA') {
+        # Store CAA records without the syntactic quotes
+        $val = join(" ", $rr->flags, $rr->tag, $rr->value);
+      }
+
+      elsif ($type eq 'KEY') {
         # we don't actually know what to do with these...
         $val = $rr->flags.":".$rr->protocol.":".$rr->algorithm.":".$rr->key.":".$rr->keytag.":".$rr->privatekeyname;
@@ -6835 +6947 @@
   } # SRV
 
+  elsif ($typemap{$type} eq 'CAA') {
+    # CAA records really don't make much sense in reverse zones
+    #($host,$val) = __revswap($host,$val) if $revrec eq 'y';
+    return if $revrec eq 'y';
+
+    # data is a bitfield byte, length byte+string, then "everything else"
+
+    my $prefix = ":$host:257:";
+
+    my ($caaflags, $caatag, $caadetail) = ($val =~ /(\d+)\s+(\w+)\s+(.+)/);
+    $prefix .= sprintf "\\%0.3o", $caaflags;
+    $prefix .= sprintf "\\%0.3o%s", length($caatag), $caatag;
+    $caadetail =~ s/:/\\072/g;
+    $caadetail =~ s/;/\\073/g;  # Not strictly necessary but may be helpful validating records by eye
+    $caadetail =~ s/^\s*"\s*//; # AXFR imports may produce strings with embedded quotes;  these
+    $caadetail =~ s/\s*"\s*$//; # are purely a syntactic crutch for BIND-style zone files
+    print $datafile "$prefix$caadetail:$ttl:$stamp:$loc\n" or die $!;
+  } # CAA
+
   elsif ($typemap{$type} eq 'RP') {
     ($host,$val) = __revswap($host,$val) if $revrec eq 'y';