Merge PR #299 from 'tynes/sig0-config'

CHANGELOG.md

@@ -38,6 +38,10 @@ boolean parameter "own" (default: `false`) that filters out names the wallet doe
 - DNSSEC proofs from the root name server were fixed, particularly around non-existent
 domains. The empty zone proofs were replaced with minimally covering NSEC records.
 
+- `FullNode` and `SPVNode` parse new option `--no-sig0` which disables SIG0 signing
+in the root nameserver and recursive resolver. The current SIG0 algorithm uses Blake2b
+and is identified as `PRIVATEDNS` which is incompatible with most legacy DNS software.
+
 ### Other changes
 
 - The logging module `blgr` has been updated. Log files will now be rolled over

lib/dns/server.js

@@ -105,6 +105,7 @@ class RootServer extends DNSServer {
     this.ra = false;
     this.edns = true;
     this.dnssec = true;
+    this.noSig0 = false;
     this.icann = new RootResolver(RES_OPT);
 
     this.logger = Logger.global;
@@ -175,6 +176,11 @@ class RootServer extends DNSServer {
       this.lookup = options.lookup;
     }
 
+    if (options.noSig0 != null) {
+      assert(typeof options.noSig0 === 'boolean');
+      this.noSig0 = options.noSig0;
+    }
+
     if (options.publicHost != null) {
       assert(typeof options.publicHost === 'string');
       this.publicHost = IP.normalize(options.publicHost);
@@ -209,11 +215,17 @@ class RootServer extends DNSServer {
   }
 
   signSize() {
-    return 94;
+    if (!this.sig0)
+      return 94;
+
+    return 0;
   }
 
   sign(msg, host, port) {
-    return hsig.sign(msg, this.key);
+    if (!this.noSig0)
+      return hsig.sign(msg, this.key);
+
+    return msg;
   }
 
   async lookupName(name) {
@@ -599,6 +611,7 @@ class RecursiveServer extends DNSServer {
     this.ra = true;
     this.edns = true;
     this.dnssec = true;
+    this.noSig0 = false;
     this.noAny = true;
 
     this.logger = Logger.global;
@@ -667,6 +680,11 @@ class RecursiveServer extends DNSServer {
       this.stubPort = options.stubPort;
     }
 
+    if (options.noSig0 != null) {
+      assert(typeof options.noSig0 === 'boolean');
+      this.noSig0 = options.noSig0;
+    }
+
     if (options.noUnbound != null) {
       assert(typeof options.noUnbound === 'boolean');
       if (options.noUnbound) {
@@ -713,11 +731,17 @@ class RecursiveServer extends DNSServer {
   }
 
   signSize() {
-    return 94;
+    if (!this.noSig0)
+      return 94;
+
+    return 0;
   }
 
   sign(msg, host, port) {
-    return hsig.sign(msg, this.key);
+    if (!this.noSig0)
+      return hsig.sign(msg, this.key);
+
+    return msg;
   }
 
   async open(...args) {

lib/node/fullnode.js

@@ -165,7 +165,8 @@ class FullNode extends Node {
         host: this.config.str('ns-host'),
         port: this.config.uint('ns-port', this.network.nsPort),
         lookup: key => this.chain.db.tree.get(key),
-        publicHost: this.config.str('public-host')
+        publicHost: this.config.str('public-host'),
+        noSig0: this.config.bool('no-sig0')
       });
 
       if (!this.config.bool('no-rs')) {
@@ -176,7 +177,8 @@ class FullNode extends Node {
           port: this.config.uint('rs-port', this.network.rsPort),
           stubHost: this.ns.host,
           stubPort: this.ns.port,
-          noUnbound: this.config.bool('rs-no-unbound')
+          noUnbound: this.config.bool('rs-no-unbound'),
+          noSig0: this.config.bool('no-sig0')
         });
       }
     }

lib/node/spvnode.js

@@ -100,7 +100,8 @@ class SPVNode extends Node {
         host: this.config.str('ns-host'),
         port: this.config.uint('ns-port', this.network.nsPort),
         lookup: key => this.pool.resolve(key),
-        publicHost: this.config.str('public-host')
+        publicHost: this.config.str('public-host'),
+        noSig0: this.config.bool('no-sig0')
       });
 
       if (!this.config.bool('no-rs')) {
@@ -111,7 +112,8 @@ class SPVNode extends Node {
           port: this.config.uint('rs-port', this.network.rsPort),
           stubHost: this.ns.host,
           stubPort: this.ns.port,
-          noUnbound: this.config.bool('rs-no-unbound')
+          noUnbound: this.config.bool('rs-no-unbound'),
+          noSig0: this.config.bool('no-sig0')
         });
       }
     }

test/ns-test.js

@@ -3,7 +3,7 @@
 const assert = require('bsert');
 const IP = require('binet');
 const base32 = require('bcrypto/lib/encoding/base32');
-const {wire, util, encoding} = require('bns');
+const {wire, util, encoding, StubResolver} = require('bns');
 const {RootServer} = require('../lib/dns/server');
 const {Resource} = require('../lib/dns/resource');
 const NameState = require('../lib/covenants/namestate');
@@ -611,6 +611,51 @@ describe('RootServer DNSSEC', function () {
   });
 });
 
+describe('RootServer SIG0', function() {
+  let ns;
+
+  afterEach(async () => {
+    await ns.close();
+  });
+
+  it('should answer with SIG0', async () => {
+    ns = new RootServer({
+      port: 25349
+    });
+
+    const stub = new StubResolver();
+    stub.setServers(['127.0.0.1:25349']);
+
+    // Use a synth name for this so no Urkel Tree or ICANN DNS is required
+    const name = '_fs0000g._synth.';
+
+    await ns.open();
+    const res = await stub.lookup(name);
+
+    assert(res.sig0);
+    const json = res.getJSON();
+    assert.strictEqual(json.sig0.algName, 'PRIVATEDNS');
+  });
+
+  it('should not answer with SIG0', async () => {
+    ns = new RootServer({
+      port: 25349,
+      noSig0: true
+    });
+
+    const stub = new StubResolver();
+    stub.setServers(['127.0.0.1:25349']);
+
+    // Use a synth name for this so no Urkel Tree or ICANN DNS is required
+    const name = '_fs0000g._synth.';
+
+    await ns.open();
+    const res = await stub.lookup(name);
+
+    assert(!res.sig0);
+  });
+});
+
 /*
  * Helpers
  */