private async Task <DnsSecValidationResult> VerifyAsync <TRecord>(RrSigRecord rrSigRecord, List <TRecord> coveredRecords, RecordClass recordClass, TState state, CancellationToken token)
            where TRecord : DnsRecordBase
        {
            if (rrSigRecord.TypeCovered == RecordType.DnsKey)
            {
                List <DsRecord> dsRecords;

                if (rrSigRecord.SignersName.Equals(DomainName.Root))
                {
                    dsRecords = _resolverHintStore.RootKeys;
                }
                else
                {
                    var dsRecordResults = await _resolver.ResolveSecureAsync <DsRecord>(rrSigRecord.SignersName, RecordType.Ds, recordClass, state, token);

                    if ((dsRecordResults.ValidationResult == DnsSecValidationResult.Bogus) || (dsRecordResults.ValidationResult == DnsSecValidationResult.Indeterminate))
                    {
                        throw new DnsSecValidationException("DS records could not be retrieved");
                    }

                    if (dsRecordResults.ValidationResult == DnsSecValidationResult.Unsigned)
                    {
                        return(DnsSecValidationResult.Unsigned);
                    }

                    dsRecords = dsRecordResults.Records;
                }

                return(dsRecords.Any(dsRecord => rrSigRecord.Verify(coveredRecords, coveredRecords.Cast <DnsKeyRecord>().Where(dsRecord.IsCovering).ToList())) ? DnsSecValidationResult.Signed : DnsSecValidationResult.Bogus);
            }
            else
            {
                var dnsKeyRecordResults = await _resolver.ResolveSecureAsync <DnsKeyRecord>(rrSigRecord.SignersName, RecordType.DnsKey, recordClass, state, token);

                if ((dnsKeyRecordResults.ValidationResult == DnsSecValidationResult.Bogus) || (dnsKeyRecordResults.ValidationResult == DnsSecValidationResult.Indeterminate))
                {
                    throw new DnsSecValidationException("DNSKEY records could not be retrieved");
                }

                if (dnsKeyRecordResults.ValidationResult == DnsSecValidationResult.Unsigned)
                {
                    return(DnsSecValidationResult.Unsigned);
                }

                return(rrSigRecord.Verify(coveredRecords, dnsKeyRecordResults.Records) ? DnsSecValidationResult.Signed : DnsSecValidationResult.Bogus);
            }
        }
Example #2
0
        public static RrSigRecord SignRecord(List <DnsRecordBase> records, DnsKeyRecord key, DateTime inception, DateTime expiration)
        {
            RrSigRecord record = new RrSigRecord(records, key, inception, expiration);

            record.TypeCovered         = records[0].RecordType;
            record.Algorithm           = key.Algorithm;
            record.Labels              = (byte)(records[0].Name.Labels[0] == DomainName.Asterisk.Labels[0] ? records[0].Name.LabelCount - 1 : records[0].Name.LabelCount);
            record.OriginalTimeToLive  = records[0].TimeToLive;
            record.SignatureExpiration = expiration;
            record.SignatureInception  = inception;
            record.KeyTag              = key.CalculateKeyTag();
            record.SignersName         = key.Name;
            record.Signature           = new byte[] { };

            // byte[] signBuffer;
            // int signBufferLength;
            record.EncodeSigningBuffer(records, out byte[] signBuffer, out int signBufferLength);
            record.Signature = key.Sign(signBuffer, signBufferLength);

            return(record);
        }