5735552722403328

Committed 16 May 2025 10:28AM UTC coverage: 59.722% (+0.002%) from 59.72%

Build # 5735552722403328

Build Type

Pull #9833

CirrusCI

Committed by

f321x

Commit Message

make lightning dns seed fetching async

Pull Request Pull Request #9833: dns: use async dnspython interface

Run Details

22 of 50 new or added lines in 7 files covered. (44.0%)

1107 existing lines in 11 files now uncovered.

21549 of 36082 relevant lines covered (59.72%)

2.39 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

31.03

/electrum/dnssec.py

#!/usr/bin/env python
#
# Electrum - lightweight Bitcoin client
# Copyright (C) 2015 Thomas Voegtlin
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation files
# (the "Software"), to deal in the Software without restriction,
# including without limitation the rights to use, copy, modify, merge,
# publish, distribute, sublicense, and/or sell copies of the Software,
# and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# Check DNSSEC trust chain.
# Todo: verify expiration dates
#
# Based on
#  http://backreference.org/2010/11/17/dnssec-verification-with-dig/
#  https://github.com/rthalley/dnspython/blob/master/tests/test_dnssec.py


import dns
import dns.name
import dns.asyncquery
import dns.dnssec
import dns.message
import dns.asyncresolver
import dns.rdatatype
import dns.rdtypes.ANY.NS
import dns.rdtypes.ANY.CNAME
import dns.rdtypes.ANY.DLV
import dns.rdtypes.ANY.DNSKEY
import dns.rdtypes.ANY.DS
import dns.rdtypes.ANY.NSEC
import dns.rdtypes.ANY.NSEC3
import dns.rdtypes.ANY.NSEC3PARAM
import dns.rdtypes.ANY.RRSIG
import dns.rdtypes.ANY.SOA
import dns.rdtypes.ANY.TXT
import dns.rdtypes.IN.A
import dns.rdtypes.IN.AAAA

from .logging import get_logger
from typing import Tuple


_logger = get_logger(__name__)


# hard-coded trust anchors (root KSKs)
trust_anchors = [
    # KSK-2017:
    dns.rrset.from_text('.', 1    , 'IN', 'DNSKEY', '257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU='),
    # KSK-2010:
    dns.rrset.from_text('.', 15202, 'IN', 'DNSKEY', '257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0='),
]


async def _check_query(ns, sub, _type, keys) -> dns.rrset.RRset:
    q = dns.message.make_query(sub, _type, want_dnssec=True)
    response = await dns.asyncquery.tcp(q, ns, timeout=5)
    assert response.rcode() == 0, 'No answer'
    answer = response.answer
    assert len(answer) != 0, ('No DNS record found', sub, _type)
    assert len(answer) != 1, ('No DNSSEC record found', sub, _type)
    if answer[0].rdtype == dns.rdatatype.RRSIG:
        rrsig, rrset = answer
    elif answer[1].rdtype == dns.rdatatype.RRSIG:
        rrset, rrsig = answer
    else:
        raise Exception('No signature set in record')
    if keys is None:
        keys = {dns.name.from_text(sub):rrset}
    dns.dnssec.validate(rrset, rrsig, keys)
    return rrset


async def _get_and_validate(ns, url, _type) -> dns.rrset.RRset:
    # get trusted root key
    root_rrset = None
    for dnskey_rr in trust_anchors:
        try:
            # Check if there is a valid signature for the root dnskey
            root_rrset = await _check_query(ns, '', dns.rdatatype.DNSKEY, {dns.name.root: dnskey_rr})
            break
        except dns.dnssec.ValidationFailure:
            # It's OK as long as one key validates
            continue
    if not root_rrset:
        raise dns.dnssec.ValidationFailure('None of the trust anchors found in DNS')
    keys = {dns.name.root: root_rrset}
    # top-down verification
    parts = url.split('.')
    for i in range(len(parts), 0, -1):
        sub = '.'.join(parts[i-1:])
        name = dns.name.from_text(sub)
        # If server is authoritative, don't fetch DNSKEY
        query = dns.message.make_query(sub, dns.rdatatype.NS)
        response = await dns.asyncquery.udp(query, ns, 3)
        assert response.rcode() == dns.rcode.NOERROR, "query error"
        rrset = response.authority[0] if len(response.authority) > 0 else response.answer[0]
        rr = rrset[0]
        if rr.rdtype == dns.rdatatype.SOA:
            continue
        # get DNSKEY (self-signed)
        rrset = await _check_query(ns, sub, dns.rdatatype.DNSKEY, None)
        # get DS (signed by parent)
        ds_rrset = await _check_query(ns, sub, dns.rdatatype.DS, keys)
        # verify that a signed DS validates DNSKEY
        for ds in ds_rrset:
            for dnskey in rrset:
                htype = 'SHA256' if ds.digest_type == 2 else 'SHA1'
                good_ds = dns.dnssec.make_ds(name, dnskey, htype)
                if ds == good_ds:
                    break
            else:
                continue
            break
        else:
            raise Exception("DS does not match DNSKEY")
        # set key for next iteration
        keys = {name: rrset}
    # get TXT record (signed by zone)
    rrset = await _check_query(ns, url, _type, keys)
    return rrset


async def query(url, rtype) -> Tuple[dns.rrset.RRset, bool]:
    # FIXME this method is not using the network proxy. (although the proxy might not support UDP?)
    # 8.8.8.8 is Google's public DNS server
    nameservers = ['8.8.8.8']
    ns = nameservers[0]
    try:
        out = await _get_and_validate(ns, url, rtype)
        validated = True
    except Exception as e:
        _logger.info(f"DNSSEC error: {repr(e)}")
        out = await dns.asyncresolver.resolve(url, rtype)
        validated = False
    return out, validated

1	#!/usr/bin/env python
2	#
3	# Electrum - lightweight Bitcoin client
4	# Copyright (C) 2015 Thomas Voegtlin
5	#
6	# Permission is hereby granted, free of charge, to any person
7	# obtaining a copy of this software and associated documentation files
8	# (the "Software"), to deal in the Software without restriction,
9	# including without limitation the rights to use, copy, modify, merge,
10	# publish, distribute, sublicense, and/or sell copies of the Software,
11	# and to permit persons to whom the Software is furnished to do so,
12	# subject to the following conditions:
13	#
14	# The above copyright notice and this permission notice shall be
15	# included in all copies or substantial portions of the Software.
16	#
17	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18	# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19	# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20	# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
21	# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
22	# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
23	# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24	# SOFTWARE.
25
26	# Check DNSSEC trust chain.
27	# Todo: verify expiration dates
28	#
29	# Based on
30	# http://backreference.org/2010/11/17/dnssec-verification-with-dig/
31	# https://github.com/rthalley/dnspython/blob/master/tests/test_dnssec.py
32
33
34	import dns	4✔
35	import dns.name	4✔
36	import dns.asyncquery	4✔
37	import dns.dnssec	4✔
38	import dns.message	4✔
39	import dns.asyncresolver	4✔
40	import dns.rdatatype	4✔
41	import dns.rdtypes.ANY.NS	4✔
42	import dns.rdtypes.ANY.CNAME	4✔
43	import dns.rdtypes.ANY.DLV	4✔
44	import dns.rdtypes.ANY.DNSKEY	4✔
45	import dns.rdtypes.ANY.DS	4✔
46	import dns.rdtypes.ANY.NSEC	4✔
47	import dns.rdtypes.ANY.NSEC3	4✔
48	import dns.rdtypes.ANY.NSEC3PARAM	4✔
49	import dns.rdtypes.ANY.RRSIG	4✔
50	import dns.rdtypes.ANY.SOA	4✔
51	import dns.rdtypes.ANY.TXT	4✔
52	import dns.rdtypes.IN.A	4✔
53	import dns.rdtypes.IN.AAAA	4✔
54
55	from .logging import get_logger	4✔
56	from typing import Tuple	4✔
57
58
59	_logger = get_logger(__name__)	4✔
60
61
62	# hard-coded trust anchors (root KSKs)
63	trust_anchors = [	4✔
64	# KSK-2017:
65	dns.rrset.from_text('.', 1 , 'IN', 'DNSKEY', '257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU='),
66	# KSK-2010:
67	dns.rrset.from_text('.', 15202, 'IN', 'DNSKEY', '257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0='),
68	]
69
70
71	async def _check_query(ns, sub, _type, keys) -> dns.rrset.RRset:	4✔
72	q = dns.message.make_query(sub, _type, want_dnssec=True)	×
NEW 73	response = await dns.asyncquery.tcp(q, ns, timeout=5)	×
74	assert response.rcode() == 0, 'No answer'	×
75	answer = response.answer	×
76	assert len(answer) != 0, ('No DNS record found', sub, _type)	×
77	assert len(answer) != 1, ('No DNSSEC record found', sub, _type)	×
78	if answer[0].rdtype == dns.rdatatype.RRSIG:	×
79	rrsig, rrset = answer	×
80	elif answer[1].rdtype == dns.rdatatype.RRSIG:	×
81	rrset, rrsig = answer	×
82	else:
83	raise Exception('No signature set in record')	×
84	if keys is None:	×
85	keys = {dns.name.from_text(sub):rrset}	×
86	dns.dnssec.validate(rrset, rrsig, keys)	×
87	return rrset	×
88
89
90	async def _get_and_validate(ns, url, _type) -> dns.rrset.RRset:	4✔
91	# get trusted root key
92	root_rrset = None	×
93	for dnskey_rr in trust_anchors:	×
94	try:	×
95	# Check if there is a valid signature for the root dnskey
NEW 96	root_rrset = await _check_query(ns, '', dns.rdatatype.DNSKEY, {dns.name.root: dnskey_rr})	×
97	break	×
98	except dns.dnssec.ValidationFailure:	×
99	# It's OK as long as one key validates
100	continue	×
101	if not root_rrset:	×
102	raise dns.dnssec.ValidationFailure('None of the trust anchors found in DNS')	×
103	keys = {dns.name.root: root_rrset}	×
104	# top-down verification
105	parts = url.split('.')	×
106	for i in range(len(parts), 0, -1):	×
107	sub = '.'.join(parts[i-1:])	×
108	name = dns.name.from_text(sub)	×
109	# If server is authoritative, don't fetch DNSKEY
110	query = dns.message.make_query(sub, dns.rdatatype.NS)	×
NEW 111	response = await dns.asyncquery.udp(query, ns, 3)	×
112	assert response.rcode() == dns.rcode.NOERROR, "query error"	×
113	rrset = response.authority[0] if len(response.authority) > 0 else response.answer[0]	×
114	rr = rrset[0]	×
115	if rr.rdtype == dns.rdatatype.SOA:	×
116	continue	×
117	# get DNSKEY (self-signed)
NEW 118	rrset = await _check_query(ns, sub, dns.rdatatype.DNSKEY, None)	×
119	# get DS (signed by parent)
NEW 120	ds_rrset = await _check_query(ns, sub, dns.rdatatype.DS, keys)	×
121	# verify that a signed DS validates DNSKEY
122	for ds in ds_rrset:	×
123	for dnskey in rrset:	×
124	htype = 'SHA256' if ds.digest_type == 2 else 'SHA1'	×
125	good_ds = dns.dnssec.make_ds(name, dnskey, htype)	×
126	if ds == good_ds:	×
127	break	×
128	else:
129	continue	×
130	break	×
131	else:
132	raise Exception("DS does not match DNSKEY")	×
133	# set key for next iteration
134	keys = {name: rrset}	×
135	# get TXT record (signed by zone)
NEW 136	rrset = await _check_query(ns, url, _type, keys)	×
137	return rrset	×
138
139
140	async def query(url, rtype) -> Tuple[dns.rrset.RRset, bool]:	4✔
141	# FIXME this method is not using the network proxy. (although the proxy might not support UDP?)
142	# 8.8.8.8 is Google's public DNS server
143	nameservers = ['8.8.8.8']	×
144	ns = nameservers[0]	×
145	try:	×
NEW 146	out = await _get_and_validate(ns, url, rtype)	×
147	validated = True	×
148	except Exception as e:	×
149	_logger.info(f"DNSSEC error: {repr(e)}")	×
NEW 150	out = await dns.asyncresolver.resolve(url, rtype)	×
151	validated = False	×
152	return out, validated	×

spesmilo / electrum / 5735552722403328

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous