[PR #1145] [MERGED] Fully support *ring* for all DNSSEC operations. #2008

Closed
opened 2026-03-16 04:24:35 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/1145
Author: @bluejekyll
Created: 6/22/2020
Status: Merged
Merged: 6/23/2020
Merged by: @bluejekyll

Base: main ← Head: fully-support-ring


📝 Commits (5)

  • 79a847d add more debug information to DNSSEC validation
  • c97bd7a update ring validation to allow 1024bit keys for all Algorithm types
  • aec009c disable dnssec tests in std builds
  • 08fc404 ensure TrustAnchor is constructed properly in DnsSecSyncClient
  • c298a8e add key length to DNSKEY display

📊 Changes

12 files changed (+169 additions, -69 deletions)


📝 crates/async-std-resolver/src/tests.rs (+2 -2)
📝 crates/client/src/client/client.rs (+9 -2)
📝 crates/client/src/tcp/tcp_client_connection.rs (+4 -4)
📝 crates/proto/src/rr/dnssec/public_key.rs (+3 -3)
📝 crates/proto/src/rr/dnssec/rdata/dnskey.rs (+16 -0)
📝 crates/proto/src/rr/dnssec/rdata/ds.rs (+8 -0)
📝 crates/proto/src/rr/dnssec/rdata/mod.rs (+10 -10)
📝 crates/proto/src/rr/dnssec/trust_anchor.rs (+11 -0)
📝 crates/proto/src/rr/record_data.rs (+20 -20)
📝 crates/proto/src/xfer/dnssec_dns_handle.rs (+73 -21)
📝 crates/resolver/src/async_resolver.rs (+9 -5)
📝 tests/integration-tests/tests/client_tests.rs (+4 -2)

📄 Description

Testing with RUST_LOG=trust_dns_proto::xfer::dnssec_dns_handle=debug cargo test --features="dnssec-ring" -- --show-output --ignored --exact async_resolver::tests::test_sec_lookup

Currently the feature dnssec-ring is not passing, but dnssec-openssl does. This is not a "simple" issue of a bad algorithm, as most of the records to validate. It's only the example.com. DS record that fails validation:

[2020-06-22T00:19:57Z DEBUG trust_dns_proto::xfer::dnssec_dns_handle] failed validation of (example.com., DNSSEC(DS)) with (com., DNSKEY(alg:RSASHA256 tag:39844 zk:true scp:false))

Whereas dnssec-openssl validates properly:

[2020-06-22T00:18:48Z DEBUG trust_dns_proto::xfer::dnssec_dns_handle] validated (example.com., DNSSEC(DS)) with (com., DNSKEY(alg:RSASHA256 tag:39844 zk:true scp:false))

Thanks to @Darkspirit who resolved this discrepancy between openssl and ring.

I had made a bad assumption that sha256 wasn't being used with 1024 bit keys, but it in fact is. This has been corrected.
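As an added example (not code from the PR or the hickory-dns project), a small Python DNSKEY RDATA parser that reports the fields shown in the PR's debug output (algorithm, key tag, zone-key and SEP flags) together with the RSA modulus length that commit c298a8e adds to the DNSKEY display, and a minimum-key-size policy check that reproduces the discrepancy described above: the same 1024-bit RSASHA256 key is rejected under a 2048-bit floor and accepted under a 1024-bit floor. The sample key, the `bits:` display field and the `rsa_key_accepted` policy function are constructed assumptions, not the project's code.

```python
import struct

# RSA DNSSEC algorithm numbers (RFC 4034 / RFC 5702); RDATA layout is flags, protocol, algorithm, key.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit big-endian word sum over the whole RDATA, carry folded once."""
    ac = 0
    for i in range(0, len(rdata), 2):
        ac += rdata[i] << 8 | (rdata[i + 1] if i + 1 < len(rdata) else 0)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rdata: bytes) -> dict:
    """Parse an RSA DNSKEY RDATA; the public key field follows RFC 3110 (exponent length, exponent, modulus)."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if algorithm not in RSA_ALGORITHMS:
        raise ValueError(f"not an RSA algorithm: {algorithm}")
    pubkey = rdata[4:]
    if pubkey[0] != 0:                      # one-byte exponent length
        exp_len, off = pubkey[0], 1
    else:                                   # zero byte, then two-byte exponent length
        exp_len, off = struct.unpack("!H", pubkey[1:3])[0], 3
    exponent = int.from_bytes(pubkey[off:off + exp_len], "big")
    modulus = int.from_bytes(pubkey[off + exp_len:], "big")
    return {
        "zone_key": bool(flags & 0x0100), "sep": bool(flags & 0x0001),
        "algorithm": RSA_ALGORITHMS[algorithm], "tag": key_tag(rdata),
        "exponent": exponent, "modulus_bits": modulus.bit_length(),
    }


def display(key: dict) -> str:
    """Debug string in the style of the PR's log lines; the 'bits:' field is an assumed addition."""
    return (f"DNSKEY(alg:{key['algorithm']} tag:{key['tag']} zk:{str(key['zone_key']).lower()} "
            f"scp:{str(key['sep']).lower()} bits:{key['modulus_bits']})")


def rsa_key_accepted(key: dict, min_modulus_bits: int) -> bool:
    """Assumed policy check: a verifier that only allows moduli of at least min_modulus_bits."""
    return key["modulus_bits"] >= min_modulus_bits


# Constructed sample (not a real key): ZSK flags 256, protocol 3, RSASHA256 (8),
# exponent 65537 (3 bytes), and a 1024-bit modulus with only its top bit set.
SAMPLE_DNSKEY = bytes([0x01, 0x00, 3, 8, 3, 0x01, 0x00, 0x01, 0x80]) + bytes(127)
```

Running `display(parse_dnskey(SAMPLE_DNSKEY))` yields the tag and flag fields the PR's log lines print, and `rsa_key_accepted` shows why a 2048-bit floor for SHA-256 keys fails while a 1024-bit floor validates.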


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
