fix: route dnssec::name_to_wire through write_qname for escape handling
Closes #55. dnssec::name_to_wire was a parallel implementation of the old write_qname's splitting loop — it iterated qname.split('.') and pushed raw bytes. It predated and duplicated the buffer.rs logic, and it did not understand RFC 1035 §5.1 text escapes. After the read_qname fix in this PR, names that come out of read_qname can contain \., \\, or \DDD sequences; feeding those back into the old name_to_wire would split on the literal '.' inside a \. sequence and produce corrupt RRSIG signed-data blobs. The underlying bug predates this PR — the old read_qname was broken too, so both sides of the DNSSEC canonical form pipeline were silently wrong in the same way. Making read_qname correct exposed the divergence, so it's fixed here in the same PR that introduced the exposure. Reimplement name_to_wire on top of BytePacketBuffer::write_qname: reserve a scratch buffer, let write_qname handle the escape parsing and length-byte framing, copy the emitted bytes into a Vec, then walk the wire once more to lowercase label bodies (length bytes stay untouched). Canonical form per RFC 4034 §6.2 requires the lowercasing, and it has to happen post-escape-resolution — a decimal escape like \065 produces 0x41 ('A'), which must be lowercased to 'a' in the final wire bytes. Call sites in build_signed_data, record_to_canonical_wire, record_rdata_canonical, and nsec3_hash are unchanged — the public signature stays the same, infallible Vec<u8> return. Tests: - name_to_wire_escaped_dot_in_label_is_not_a_separator — verifies the fanf2 example round-trips correctly through canonical form - name_to_wire_decimal_escape_is_lowercased — verifies post-escape lowercasing (the subtle correctness requirement) - existing name_to_wire_root, name_to_wire_domain, ds_verification tests still pass unchanged Test count: 158 → 160. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -5,6 +5,7 @@ use log::{debug, trace};
|
||||
use ring::digest;
|
||||
use ring::signature;
|
||||
|
||||
use crate::buffer::BytePacketBuffer;
|
||||
use crate::cache::{DnsCache, DnssecStatus};
|
||||
use crate::packet::DnsPacket;
|
||||
use crate::question::QueryType;
|
||||
@@ -720,22 +721,33 @@ pub fn verify_ds(ds: &DnsRecord, dnskey: &DnsRecord, owner: &str) -> bool {
|
||||
|
||||
// -- Canonical wire format --
|
||||
|
||||
/// Encode a DNS name in canonical wire form per RFC 4034 §6.2:
|
||||
/// uncompressed, with all ASCII letters lowercased.
|
||||
///
|
||||
/// Delegates label parsing and RFC 1035 §5.1 escape handling to
|
||||
/// `BytePacketBuffer::write_qname`, then post-processes the emitted bytes
|
||||
/// to lowercase label bodies (length bytes stay untouched). This keeps
|
||||
/// the escape logic in exactly one place — see #55.
|
||||
pub fn name_to_wire(name: &str) -> Vec<u8> {
|
||||
let mut wire = Vec::with_capacity(name.len() + 2);
|
||||
if name == "." || name.is_empty() {
|
||||
wire.push(0);
|
||||
return wire;
|
||||
}
|
||||
for label in name.split('.') {
|
||||
if label.is_empty() {
|
||||
continue;
|
||||
let mut buf = BytePacketBuffer::new();
|
||||
buf.write_qname(name)
|
||||
.expect("DNSSEC canonical form: name must be a well-formed DNS name");
|
||||
let mut wire = buf.filled().to_vec();
|
||||
|
||||
let mut i = 0;
|
||||
while i < wire.len() {
|
||||
let label_len = wire[i] as usize;
|
||||
if label_len == 0 {
|
||||
break;
|
||||
}
|
||||
wire.push(label.len() as u8);
|
||||
for &b in label.as_bytes() {
|
||||
wire.push(b.to_ascii_lowercase());
|
||||
i += 1;
|
||||
let end = i + label_len;
|
||||
for b in &mut wire[i..end] {
|
||||
*b = b.to_ascii_lowercase();
|
||||
}
|
||||
i = end;
|
||||
}
|
||||
wire.push(0);
|
||||
|
||||
wire
|
||||
}
|
||||
|
||||
@@ -1475,6 +1487,23 @@ mod tests {
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn name_to_wire_escaped_dot_in_label_is_not_a_separator() {
|
||||
// `exa\.mple.com` is two labels: `exa.mple` (8 bytes including the 0x2E) and `com`.
|
||||
let wire = name_to_wire("exa\\.mple.com");
|
||||
assert_eq!(
|
||||
wire,
|
||||
vec![8, b'e', b'x', b'a', b'.', b'm', b'p', b'l', b'e', 3, b'c', b'o', b'm', 0]
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn name_to_wire_decimal_escape_is_lowercased() {
|
||||
// `\065` is the byte 0x41 ('A'), which canonical form must lowercase to 'a'.
|
||||
let wire = name_to_wire("\\065bc.com");
|
||||
assert_eq!(wire, vec![3, b'a', b'b', b'c', 3, b'c', b'o', b'm', 0]);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn parent_zone_cases() {
|
||||
assert_eq!(parent_zone("example.com"), "com");
|
||||
|
||||
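Review bot: In `name_to_wire`, the new `.expect("DNSSEC canonical form: name must be a well-formed DNS name")` on `write_qname` turns any name that fails to encode into a panic, whereas the removed split loop could not fail. The call sites named in the description (`build_signed_data`, `record_to_canonical_wire`, `record_rdata_canonical`, `nsec3_hash`) presumably receive owner and signer names taken from network responses, so a name that `write_qname` rejects would abort the resolver instead of failing validation. `write_qname`'s error conditions are not visible on this page, so confirm that every string `read_qname` can produce re-encodes cleanly (over-long label, trailing backslash, malformed `\DDD`). A safer shape is a fallible inner helper such as `fn try_name_to_wire(name: &str) -> Option<Vec<u8>>` using `buf.write_qname(name).ok()?;` (assuming it returns a `Result`), with the verification paths treating `None` as a failed validation. At minimum, add a `/// # Panics` section to the doc comment and a test that pins the behaviour for an unencodable name.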