+ (rec :type :txt
+ :data
+ (split-txt-data
+ (with-output-to-string (out)
+ (format out "~{~(~A~)=~A; ~}" plist)
+ (write-string "p=" out)
+ (when file
+ (with-open-file
+ (in (merge-pathnames file *dkim-pathname-defaults*))
+ (loop
+ (when (string= (read-line in)
+ "-----BEGIN PUBLIC KEY-----")
+ (return)))
+ (loop
+ (let ((line (read-line in)))
+ (when (string= line "-----END PUBLIC KEY-----")
+ (return))
+ (write-string line out))))))))))
+
+(defzoneparse :dmarc (name data rec)
+ ":dmarc ({:TAG VALUE}*)"
+ (rec :type :txt
+ :data (split-txt-data (format nil "~{~(~A~)=~A~^; ~}" data))))
+
+(defenum sshfp-algorithm () (:rsa 1) (:dsa 2) (:ecdsa 3) (:ed25519 4))
+(defenum sshfp-type () (:sha-1 1) (:sha-256 2))
+
+(export '*sshfp-pathname-defaults*)
+(defvar *sshfp-pathname-defaults*
+ (make-pathname :directory '(:relative "keys") :type "sshfp")
+ "Default pathname components for SSHFP records.")
+(pushnew '*sshfp-pathname-defaults* *zone-config*)
+
+(defzoneparse :sshfp (name data rec)
+ ":sshfp { FILENAME | ((FPR :alg ALG :type HASH)*) }"
+ (typecase data
+ ((or string pathname)
+ (with-open-file (in (merge-pathnames data *sshfp-pathname-defaults*))
+ (loop (let ((line (read-line in nil)))
+ (unless line (return))
+ (let ((words (str-split-words line)))
+ (pop words)
+ (when (string= (car words) "IN") (pop words))
+ (unless (and (string= (car words) "SSHFP")
+ (= (length words) 4))
+ (error "Invalid SSHFP record."))
+ (pop words)
+ (destructuring-bind (alg type fprhex) words
+ (rec :data (list (parse-integer alg)
+ (parse-integer type)
+ (decode-hex fprhex)))))))))
+ (t
+ (dolist (item (listify data))
+ (destructuring-bind (fprhex &key (alg 'rsa) (type 'sha-1))
+ (listify item)
+ (rec :data (list (lookup-enum alg 'sshfp-algorithm :min 0 :max 255)
+ (lookup-enum type 'sshfp-type :min 0 :max 255)
+ (decode-hex fprhex))))))))
+
+(defmethod zone-record-rrdata ((type (eql :sshfp)) zr)
+ (destructuring-bind (alg type fpr) (zr-data zr)
+ (rec-u8 alg)
+ (rec-u8 type)
+ (rec-octet-vector fpr))
+ 44)
+
+(defenum tlsa-usage ()
+ (:ca-constraint 0)
+ (:service-certificate-constraint 1)
+ (:trust-anchor-assertion 2)
+ (:domain-issued-certificate 3))
+
+(defenum tlsa-selector ()
+ (:certificate 0)
+ (:public-key 1))
+
+(defenum tlsa-match ()
+ (:exact 0)
+ (:sha-256 1)
+ (:sha-512 2))
+
+(defparameter tlsa-pem-alist
+ `(("CERTIFICATE" . ,tlsa-selector/certificate)
+ ("PUBLIC-KEY" . ,tlsa-selector/public-key)))
+
+(defgeneric raw-tlsa-assoc-data (have want file context)
+ (:documentation
+ "Convert FILE, and strip off PEM encoding.
+
+ The FILE contains PEM-encoded data of type HAVE -- one of the
+ `tlsa-selector' codes. Return the name of a file containing binary
+ DER-encoded data of type WANT instead. The CONTEXT is a temporary-files
+ context.")
+
+ (:method (have want file context)
+ (declare (ignore context))
+ (error "Can't convert `~A' from selector type ~S to type ~S" file
+ (reverse-enum 'tlsa-selector have)
+ (reverse-enum 'tlsa-selector want)))
+
+ (:method ((have (eql tlsa-selector/certificate))
+ (want (eql tlsa-selector/certificate))
+ file context)
+ (let ((temp (temporary-file context "cert")))
+ (run-program (list "openssl" "x509" "-outform" "der")
+ :input file :output temp)
+ temp))
+
+ (:method ((have (eql tlsa-selector/public-key))
+ (want (eql tlsa-selector/public-key))
+ file context)
+ (let ((temp (temporary-file context "pubkey-der")))
+ (run-program (list "openssl" "pkey" "-pubin" "-outform" "der")
+ :input file :output temp)
+ temp))
+
+ (:method ((have (eql tlsa-selector/certificate))
+ (want (eql tlsa-selector/public-key))
+ file context)
+ (let ((temp (temporary-file context "pubkey")))
+ (run-program (list "openssl" "x509" "-noout" "-pubkey")
+ :input file :output temp)
+ (raw-tlsa-assoc-data want want temp context))))
+
+(defgeneric tlsa-match-data-valid-p (match data)
+ (:documentation
+ "Check whether the DATA (an octet vector) is valid for the MATCH type.")
+
+ (:method (match data)
+ (declare (ignore match data))
+ ;; We don't know: assume the user knows what they're doing.
+ t)
+
+ (:method ((match (eql tlsa-match/sha-256)) data) (= (length data) 32))
+ (:method ((match (eql tlsa-match/sha-512)) data) (= (length data) 64)))
+
+(defgeneric read-tlsa-match-data (match file context)
+ (:documentation
+ "Read FILE, and return an octet vector for the correct MATCH type.
+
+ CONTEXT is a temporary-files context.")
+ (:method ((match (eql tlsa-match/exact)) file context)
+ (declare (ignore context))
+ (slurp-file file 'octet))
+ (:method ((match (eql tlsa-match/sha-256)) file context)
+ (hash-file "sha256" file context))
+ (:method ((match (eql tlsa-match/sha-512)) file context)
+ (hash-file "sha512" file context)))
+
+(defgeneric tlsa-selector-pem-boundary (selector)
+ (:documentation
+ "Return the PEM boundary string for objects of the SELECTOR type")
+ (:method ((selector (eql tlsa-selector/certificate))) "CERTIFICATE")
+ (:method ((selector (eql tlsa-selector/public-key))) "PUBLIC KEY")
+ (:method (selector) (declare (ignore selector)) nil))
+
+(defun identify-tlsa-selector-file (file)
+ "Return the selector type for the data stored in a PEM-format FILE."
+ (with-open-file (in file)
+ (loop
+ (let* ((line (read-line in nil))
+ (len (length line)))
+ (unless line
+ (error "No PEM boundary in `~A'" file))
+ (when (and (>= len 11)
+ (string= line "-----BEGIN " :end1 11)
+ (string= line "-----" :start1 (- len 5)))
+ (mapenum (lambda (tag value)
+ (declare (ignore tag))
+ (when (string= line
+ (tlsa-selector-pem-boundary value)
+ :start1 11 :end1 (- len 5))
+ (return value)))
+ 'tlsa-selector))))))
+
+(export '*tlsa-pathname-defaults*)
+(defvar *tlsa-pathname-defaults*
+ (list (make-pathname :directory '(:relative "certs") :type "cert")
+ (make-pathname :directory '(:relative "keys") :type "pub"))
+ "Default pathname components for TLSA records.")
+(pushnew '*tlsa-pathname-defaults* *zone-config*)
+
+(defparameter *tlsa-data-cache* (make-hash-table :test #'equal)
+ "Cache for TLSA association data; keys are (DATA SELECTOR MATCH).")
+
+(defun convert-tlsa-selector-data (data selector match)
+ "Convert certificate association DATA as required by SELECTOR and MATCH.
+
+ If DATA is a hex string, we assume that it's already in the appropriate
+ form (but if MATCH specifies a hash then we check that it's the right
+ length). If DATA is a pathname, then it should name a PEM file: we
+ identify the kind of object stored in the file from the PEM header, and
+ convert as necessary.
+
+ The output is an octet vector containing the raw certificate association
+ data to include in rrdata."
+
+ (etypecase data
+ (string
+ (let ((bin (decode-hex data)))
+ (unless (tlsa-match-data-valid-p match bin)
+ (error "Invalid data for match type ~S"
+ (reverse-enum 'tlsa-match match)))
+ bin))
+ (pathname
+ (let ((key (list data selector match)))
+ (or (gethash key *tlsa-data-cache*)
+ (with-temporary-files (context :base (make-pathname :type "tmp"))
+ (let* ((file (or (find-if #'probe-file
+ (mapcar (lambda (template)
+ (merge-pathnames data
+ template))
+ *tlsa-pathname-defaults*))
+ (error "Couldn't find TLSA file `~A'" data)))
+ (kind (identify-tlsa-selector-file file))
+ (raw (raw-tlsa-assoc-data kind selector file context))
+ (binary (read-tlsa-match-data match raw context)))
+ (setf (gethash key *tlsa-data-cache*) binary))))))))
+
+(defzoneparse :tlsa (name data rec)
+ ":tlsa (((SERVICE|PORT &key :protocol)*) (USAGE SELECTOR MATCH DATA)*)"
+
+ (destructuring-bind (services &rest certinfos) data
+
+ ;; First pass: build the raw-format TLSA record data.
+ (let ((records nil))
+ (dolist (certinfo certinfos)
+ (destructuring-bind (usage-tag selector-tag match-tag data) certinfo
+ (let* ((usage (lookup-enum 'tlsa-usage usage-tag :min 0 :max 255))
+ (selector (lookup-enum 'tlsa-selector selector-tag
+ :min 0 :max 255))
+ (match (lookup-enum 'tlsa-match match-tag :min 0 :max 255))
+ (raw (convert-tlsa-selector-data data selector match)))
+ (push (list usage selector match raw) records))))
+ (setf records (nreverse records))
+
+ ;; Second pass: attach records for the requested services.
+ (dolist (service (listify services))
+ (destructuring-bind (svc &key (protocol :tcp)) (listify service)
+ (let* ((port (etypecase svc
+ (integer svc)
+ (keyword (let ((serv (serv-by-name svc protocol)))
+ (unless serv
+ (error "Unknown service `~A'" svc))
+ (serv-port serv)))))
+ (prefixed (domain-name-concat
+ (make-domain-name
+ :labels (list (format nil "_~(~A~)" protocol)
+ (format nil "_~A" port)))
+ name)))
+ (dolist (record records)
+ (rec :name prefixed :data record))))))))
+
+(defmethod zone-record-rrdata ((type (eql :tlsa)) zr)
+ (destructuring-bind (usage selector match data) (zr-data zr)
+ (rec-u8 usage)
+ (rec-u8 selector)
+ (rec-u8 match)
+ (rec-octet-vector data))
+ 52)
+
+(defenum dnssec-algorithm ()
+ (:rsamd5 1)
+ (:dh 2)
+ (:dsa 3)
+ (:rsasha1 5)
+ (:dsa-nsec3-sha1 6)
+ (:rsasha1-nsec3-sha1 7)
+ (:rsasha256 8)
+ (:rsasha512 10)
+ (:ecc-gost 12)
+ (:ecdsap256sha256 13)
+ (:ecdsap384sha384 14))
+
+(defenum dnssec-digest ()
+ (:sha1 1)
+ (:sha256 2))
+
+(defzoneparse :ds (name data rec)
+ ":ds ((TAG ALGORITHM DIGEST-TYPE DIGEST)*)"
+ (dolist (ds data)
+ (destructuring-bind (tag alg hashtype hash) ds
+ (rec :data (list tag
+ (lookup-enum 'dnssec-algorithm alg :min 0 :max 255)
+ (lookup-enum 'dnssec-digest hashtype :min 0 :max 255)
+ (decode-hex hash))))))
+
+(defmethod zone-record-rrdata ((type (eql :ds)) zr)
+ (destructuring-bind (tag alg hashtype hash) zr
+ (rec-u16 tag)
+ (rec-u8 alg)
+ (rec-u8 hashtype)
+ (rec-octet-vector hash)))
~mdw / zone / blobdiff