electrum/dnssec.py

#!/usr/bin/env python
#
# Electrum - lightweight Bitcoin client
# Copyright (C) 2015 Thomas Voegtlin
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation files
# (the "Software"), to deal in the Software without restriction,
# including without limitation the rights to use, copy, modify, merge,
# publish, distribute, sublicense, and/or sell copies of the Software,
# and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# Check DNSSEC trust chain.
# Todo: verify expiration dates
#
# Based on
#  http://backreference.org/2010/11/17/dnssec-verification-with-dig/
#  https://github.com/rthalley/dnspython/blob/master/tests/test_dnssec.py


import dns
import dns.name
import dns.asyncquery
import dns.dnssec
import dns.message
import dns.asyncresolver
import dns.rdatatype
import dns.rdtypes.ANY.NS
import dns.rdtypes.ANY.CNAME
import dns.rdtypes.ANY.DLV
import dns.rdtypes.ANY.DNSKEY
import dns.rdtypes.ANY.DS
import dns.rdtypes.ANY.NSEC
import dns.rdtypes.ANY.NSEC3
import dns.rdtypes.ANY.NSEC3PARAM
import dns.rdtypes.ANY.RRSIG
import dns.rdtypes.ANY.SOA
import dns.rdtypes.ANY.TXT
import dns.rdtypes.IN.A
import dns.rdtypes.IN.AAAA

from .logging import get_logger
from typing import Tuple


_logger = get_logger(__name__)


# hard-coded trust anchors (root KSKs)
trust_anchors = [
    # KSK-2017:
    dns.rrset.from_text('.', 1    , 'IN', 'DNSKEY', '257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU='),
    # KSK-2010:
    dns.rrset.from_text('.', 15202, 'IN', 'DNSKEY', '257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0='),
]


async def _check_query(ns, sub, _type, keys) -> dns.rrset.RRset:
    q = dns.message.make_query(sub, _type, want_dnssec=True)
    response = await dns.asyncquery.tcp(q, ns, timeout=5)
    assert response.rcode() == 0, 'No answer'
    answer = response.answer
    assert len(answer) != 0, ('No DNS record found', sub, _type)
    assert len(answer) != 1, ('No DNSSEC record found', sub, _type)
    if answer[0].rdtype == dns.rdatatype.RRSIG:
        rrsig, rrset = answer
    elif answer[1].rdtype == dns.rdatatype.RRSIG:
        rrset, rrsig = answer
    else:
        raise Exception('No signature set in record')
    if keys is None:
        keys = {dns.name.from_text(sub):rrset}
    dns.dnssec.validate(rrset, rrsig, keys)
    return rrset


async def _get_and_validate(ns, url, _type) -> dns.rrset.RRset:
    # get trusted root key
    root_rrset = None
    for dnskey_rr in trust_anchors:
        try:
            # Check if there is a valid signature for the root dnskey
            root_rrset = await _check_query(ns, '', dns.rdatatype.DNSKEY, {dns.name.root: dnskey_rr})
            break
        except dns.dnssec.ValidationFailure:
            # It's OK as long as one key validates
            continue
    if not root_rrset:
        raise dns.dnssec.ValidationFailure('None of the trust anchors found in DNS')
    keys = {dns.name.root: root_rrset}
    # top-down verification
    parts = url.split('.')
    for i in range(len(parts), 0, -1):
        sub = '.'.join(parts[i-1:])
        name = dns.name.from_text(sub)
        # If server is authoritative, don't fetch DNSKEY
        query = dns.message.make_query(sub, dns.rdatatype.NS)
        response = await dns.asyncquery.udp(query, ns, 3)
        assert response.rcode() == dns.rcode.NOERROR, "query error"
        rrset = response.authority[0] if len(response.authority) > 0 else response.answer[0]
        rr = rrset[0]
        if rr.rdtype == dns.rdatatype.SOA:
            continue
        # get DNSKEY (self-signed)
        rrset = await _check_query(ns, sub, dns.rdatatype.DNSKEY, None)
        # get DS (signed by parent)
        ds_rrset = await _check_query(ns, sub, dns.rdatatype.DS, keys)
        # verify that a signed DS validates DNSKEY
        for ds in ds_rrset:
            for dnskey in rrset:
                htype = 'SHA256' if ds.digest_type == 2 else 'SHA1'
                good_ds = dns.dnssec.make_ds(name, dnskey, htype)
                if ds == good_ds:
                    break
            else:
                continue
            break
        else:
            raise Exception("DS does not match DNSKEY")
        # set key for next iteration
        keys = {name: rrset}
    # get TXT record (signed by zone)
    rrset = await _check_query(ns, url, _type, keys)
    return rrset


async def query(url, rtype) -> Tuple[dns.rrset.RRset, bool]:
    # FIXME this method is not using the network proxy. (although the proxy might not support UDP?)
    # 8.8.8.8 is Google's public DNS server
    nameservers = ['8.8.8.8']
    ns = nameservers[0]
    try:
        out = await _get_and_validate(ns, url, rtype)
        validated = True
    except Exception as e:
        _logger.info(f"DNSSEC error: {repr(e)}")
        out = await dns.asyncresolver.resolve(url, rtype)
        validated = False
    return out, validated
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`#!/usr/bin/env python`
			`#`
			`# Electrum - lightweight Bitcoin client`
			`# Copyright (C) 2015 Thomas Voegtlin`
			`#`
Relicensing 2016-02-23 11:36:42 +01:00			`# Permission is hereby granted, free of charge, to any person`
			`# obtaining a copy of this software and associated documentation files`
			`# (the "Software"), to deal in the Software without restriction,`
			`# including without limitation the rights to use, copy, modify, merge,`
			`# publish, distribute, sublicense, and/or sell copies of the Software,`
			`# and to permit persons to whom the Software is furnished to do so,`
			`# subject to the following conditions:`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`#`
Relicensing 2016-02-23 11:36:42 +01:00			`# The above copyright notice and this permission notice shall be`
			`# included in all copies or substantial portions of the Software.`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`#`
Relicensing 2016-02-23 11:36:42 +01:00			`# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,`
			`# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF`
			`# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND`
			`# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS`
			`# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN`
			`# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN`
			`# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE`
			`# SOFTWARE.`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00
			`# Check DNSSEC trust chain.`
			`# Todo: verify expiration dates`
			`#`
			`# Based on`
			`# http://backreference.org/2010/11/17/dnssec-verification-with-dig/`
			`# https://github.com/rthalley/dnspython/blob/master/tests/test_dnssec.py`
do not use pycrypto for DNSSEC validation 2015-07-29 22:06:44 +02:00
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00
dnssec: trivial clean-up - rm unused imports - mark private API as private - don't catch BaseException 2021-04-08 19:49:43 +02:00			`import dns`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`import dns.name`
Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`import dns.asyncquery`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`import dns.dnssec`
			`import dns.message`
Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`import dns.asyncresolver`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`import dns.rdatatype`
			`import dns.rdtypes.ANY.NS`
			`import dns.rdtypes.ANY.CNAME`
			`import dns.rdtypes.ANY.DLV`
			`import dns.rdtypes.ANY.DNSKEY`
			`import dns.rdtypes.ANY.DS`
			`import dns.rdtypes.ANY.NSEC`
			`import dns.rdtypes.ANY.NSEC3`
			`import dns.rdtypes.ANY.NSEC3PARAM`
			`import dns.rdtypes.ANY.RRSIG`
			`import dns.rdtypes.ANY.SOA`
			`import dns.rdtypes.ANY.TXT`
			`import dns.rdtypes.IN.A`
			`import dns.rdtypes.IN.AAAA`

logging: basics 2019-04-26 18:52:26 +02:00			`from .logging import get_logger`
Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`from typing import Tuple`
logging: basics 2019-04-26 18:52:26 +02:00

			`_logger = get_logger(__name__)`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00

Add KSK-2017 to trust anchors and accept either of the two 2017-03-16 14:57:36 +01:00			`# hard-coded trust anchors (root KSKs)`
			`trust_anchors = [`
			`# KSK-2017:`
			`dns.rrset.from_text('.', 1 , 'IN', 'DNSKEY', '257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU='),`
			`# KSK-2010:`
			`dns.rrset.from_text('.', 15202, 'IN', 'DNSKEY', '257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0='),`
			`]`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00

Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`async def _check_query(ns, sub, _type, keys) -> dns.rrset.RRset:`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`q = dns.message.make_query(sub, _type, want_dnssec=True)`
Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`response = await dns.asyncquery.tcp(q, ns, timeout=5)`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`assert response.rcode() == 0, 'No answer'`
			`answer = response.answer`
dnssec: fix hash, and skip SOA 2015-07-09 09:02:39 +02:00			`assert len(answer) != 0, ('No DNS record found', sub, _type)`
			`assert len(answer) != 1, ('No DNSSEC record found', sub, _type)`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`if answer[0].rdtype == dns.rdatatype.RRSIG:`
			`rrsig, rrset = answer`
dnssec: fix hash, and skip SOA 2015-07-09 09:02:39 +02:00			`elif answer[1].rdtype == dns.rdatatype.RRSIG:`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`rrset, rrsig = answer`
dnssec: fix hash, and skip SOA 2015-07-09 09:02:39 +02:00			`else:`
do not raise BaseException 2018-04-07 17:10:30 +02:00			`raise Exception('No signature set in record')`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`if keys is None:`
			`keys = {dns.name.from_text(sub):rrset}`
			`dns.dnssec.validate(rrset, rrsig, keys)`
			`return rrset`


Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`async def _get_and_validate(ns, url, _type) -> dns.rrset.RRset:`
Add KSK-2017 to trust anchors and accept either of the two 2017-03-16 14:57:36 +01:00			`# get trusted root key`
			`root_rrset = None`
			`for dnskey_rr in trust_anchors:`
			`try:`
			`# Check if there is a valid signature for the root dnskey`
Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`root_rrset = await _check_query(ns, '', dns.rdatatype.DNSKEY, {dns.name.root: dnskey_rr})`
Add KSK-2017 to trust anchors and accept either of the two 2017-03-16 14:57:36 +01:00			`break`
			`except dns.dnssec.ValidationFailure:`
			`# It's OK as long as one key validates`
			`continue`
			`if not root_rrset:`
			`raise dns.dnssec.ValidationFailure('None of the trust anchors found in DNS')`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`keys = {dns.name.root: root_rrset}`
			`# top-down verification`
			`parts = url.split('.')`
			`for i in range(len(parts), 0, -1):`
			`sub = '.'.join(parts[i-1:])`
			`name = dns.name.from_text(sub)`
dnssec: fix hash, and skip SOA 2015-07-09 09:02:39 +02:00			`# If server is authoritative, don't fetch DNSKEY`
			`query = dns.message.make_query(sub, dns.rdatatype.NS)`
Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`response = await dns.asyncquery.udp(query, ns, 3)`
dnssec: fix hash, and skip SOA 2015-07-09 09:02:39 +02:00			`assert response.rcode() == dns.rcode.NOERROR, "query error"`
			`rrset = response.authority[0] if len(response.authority) > 0 else response.answer[0]`
			`rr = rrset[0]`
			`if rr.rdtype == dns.rdatatype.SOA:`
			`continue`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`# get DNSKEY (self-signed)`
Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`rrset = await _check_query(ns, sub, dns.rdatatype.DNSKEY, None)`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`# get DS (signed by parent)`
Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`ds_rrset = await _check_query(ns, sub, dns.rdatatype.DS, keys)`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`# verify that a signed DS validates DNSKEY`
			`for ds in ds_rrset:`
			`for dnskey in rrset:`
dnssec: fix hash, and skip SOA 2015-07-09 09:02:39 +02:00			`htype = 'SHA256' if ds.digest_type == 2 else 'SHA1'`
			`good_ds = dns.dnssec.make_ds(name, dnskey, htype)`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`if ds == good_ds:`
			`break`
			`else:`
			`continue`
			`break`
			`else:`
do not raise BaseException 2018-04-07 17:10:30 +02:00			`raise Exception("DS does not match DNSKEY")`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`# set key for next iteration`
			`keys = {name: rrset}`
			`# get TXT record (signed by zone)`
Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`rrset = await _check_query(ns, url, _type, keys)`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`return rrset`


Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`async def query(url, rtype) -> Tuple[dns.rrset.RRset, bool]:`
add FIXMEs to instances where we don't use the network proxy so that it at least does not get forgotten related https://github.com/spesmilo/electrum/issues/4754 2023-11-30 19:31:14 +00:00			`# FIXME this method is not using the network proxy. (although the proxy might not support UDP?)`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`# 8.8.8.8 is Google's public DNS server`
dnssec: don't call get_default_resolver 2015-07-31 20:02:55 +02:00			`nameservers = ['8.8.8.8']`
			`ns = nameservers[0]`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`try:`
Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`out = await _get_and_validate(ns, url, rtype)`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`validated = True`
dnssec: trivial clean-up - rm unused imports - mark private API as private - don't catch BaseException 2021-04-08 19:49:43 +02:00			`except Exception as e:`
change many str(e) to repr(e) as some exceptions were cryptic it's often valuable to see the type of the exception (especially as for some exceptions str(e) == '') 2019-07-17 20:12:52 +02:00			`_logger.info(f"DNSSEC error: {repr(e)}")`
Use async dnspython methods for openalias/dnssec 2025-05-15 14:31:00 +02:00			`out = await dns.asyncresolver.resolve(url, rtype)`
add DNSSEC chain validation 2015-07-08 19:20:54 +02:00			`validated = False`
			`return out, validated`