Update resolver interface

* Pass ctx to resolver functions * Allow specifying network ip, ip4 or ip6 similar to Go's built-in resolver * Return security status of ip lookups (needed for issue #13) * Use a common implemenation for lookup ip/tlsa in recursive and stub resolvers * Use more suitable names * Add more tests
buffrr · May 8, 2021 · 5386654 · 5386654
1 parent 32f69c8
commit 5386654
Show file tree

Hide file tree

Showing 15 changed files with 1,202 additions and 948 deletions.
diff --git a/cmd/letsdane/main.go b/cmd/letsdane/main.go
@@ -184,8 +184,8 @@ func exportCA() {
 	}
 }
 
-func setupUnbound() (u *rs.Unbound, err error) {
-	u, err = rs.NewUnbound()
+func setupUnbound() (u *rs.Recursive, err error) {
+	u, err = rs.NewRecursive()
 	if err == rs.ErrUnboundNotAvail {
 		return nil, errors.New("letsdane has not been compiled with unbound. " +
 			"if you have a local dnssec capable resolver, run with -skip-dnssec")
@@ -265,15 +265,15 @@ func main() {
 	}
 
 	var resolver rs.Resolver
-	var sig0, tls bool
+	var sig0, secure bool
 
 	hostport, key, err := splitHostPortKey(*raddr)
 	switch err {
 	case errNoKey:
 		sig0 = false
 		u, err := url.Parse(*raddr)
 		if err == nil {
-			tls = u.Scheme == "https" || u.Scheme == "tls"
+			secure = u.Scheme == "https" || u.Scheme == "tls"
 		}
 	case nil:
 		sig0 = true
@@ -284,12 +284,12 @@ func main() {
 	}
 
 	if *ad {
-		if !sig0 && !tls && !isLoopback(*raddr) {
+		if !sig0 && !secure && !isLoopback(*raddr) {
 			log.Printf("You must have a local dnssec capable resolver to use letsdane securely")
 			log.Printf("'%s' is not a loopback address (insecure)!", *raddr)
 		}
 
-		ad, err := rs.NewAD(*raddr)
+		ad, err := rs.NewStub(*raddr)
 		if err != nil {
 			log.Fatal(err)
 		}

diff --git a/dialer.go b/dialer.go
@@ -59,7 +59,7 @@ func (d *dialer) dialTLSContext(ctx context.Context, network string, dst *addrLi
 
 // dialContext attempts to connect to the given named address.
 func (d *dialer) dialContext(ctx context.Context, network, addr string) (net.Conn, error) {
-	addrs, err := d.resolveAddr(addr)
+	addrs, err := d.resolveAddr(ctx, addr)
 	if err != nil {
 		return nil, err
 	}
@@ -83,13 +83,13 @@ func (d *dialer) dialAddrList(ctx context.Context, network string, dst *addrList
 
 // resolveAddr resolves the named address by performing a dns lookup returning a list
 // of ipv4 and ipv6 addresses
-func (d *dialer) resolveAddr(addr string) (addrs *addrList, err error) {
+func (d *dialer) resolveAddr(ctx context.Context, addr string) (addrs *addrList, err error) {
 	addrs = &addrList{}
 	addrs.Host, addrs.Port, err = net.SplitHostPort(addr)
 	if err != nil {
 		return
 	}
-	addrs.IPs, err = d.resolver.LookupIP(addrs.Host)
+	addrs.IPs, _, err = d.resolver.LookupIP(ctx, "ip", addrs.Host)
 	if err != nil {
 		return
 	}
@@ -103,7 +103,7 @@ func (d *dialer) resolveAddr(addr string) (addrs *addrList, err error) {
 
 // resolveDANE resolves the given host by performing a dns lookup returning
 // an address list of ipv4 and ipv6 addresses and TLSA resource records.
-func (d *dialer) resolveDANE(network, host string, constraints bool) (addrs *addrList, tlsa []*dns.TLSA, err error) {
+func (d *dialer) resolveDANE(ctx context.Context, network, host string, constraints bool) (addrs *addrList, tlsa []*dns.TLSA, err error) {
 	addrs = &addrList{}
 	tlsa = []*dns.TLSA{}
 	addrs.Host, addrs.Port, err = net.SplitHostPort(host)
@@ -119,12 +119,16 @@ func (d *dialer) resolveDANE(network, host string, constraints bool) (addrs *add
 	var tlsaErr, ipErr error
 
 	go func() {
-		addrs.IPs, ipErr = d.resolver.LookupIP(addrs.Host)
+		addrs.IPs, _, ipErr = d.resolver.LookupIP(ctx, "ip", addrs.Host)
 		done <- struct{}{}
 	}()
 
 	if !constraints || !inConstraints(addrs.Host) {
-		tlsa, tlsaErr = d.resolver.LookupTLSA(addrs.Port, network, addrs.Host)
+		var secure bool
+		tlsa, secure, tlsaErr = d.resolver.LookupTLSA(ctx, addrs.Port, network, addrs.Host)
+		if !secure {
+			tlsa = []*dns.TLSA{}
+		}
 	}
 	<-done