Diffstat (limited to 'pkg/dns')
-rw-r--r--pkg/dns/dns.go40
1 files changed, 40 insertions, 0 deletions
diff --git a/pkg/dns/dns.go b/pkg/dns/dns.go
new file mode 100644
index 0000000..7979119
--- /dev/null
+++ b/pkg/dns/dns.go
@@ -0,0 +1,40 @@
+package dns
+
+import (
+ "context"
+ "fmt"
+ "net"
+
+ "encoding/hex"
+
+ "git.sigsum.org/sigsum-log-go/pkg/types"
+)
+
+// Verifier can verify that a domain name is aware of a public key
+type Verifier interface {
+ Verify(ctx context.Context, name string, key *[types.VerificationKeySize]byte) error
+}
+
+// DefaultResolver implements the Verifier interface with Go's default resolver
+type DefaultResolver struct {
+ resolver net.Resolver
+}
+
+func NewDefaultResolver() Verifier {
+ return &DefaultResolver{}
+}
+
+func (dr *DefaultResolver) Verify(ctx context.Context, name string, key *[types.VerificationKeySize]byte) error {
+ rsp, err := dr.resolver.LookupTXT(ctx, name)
+ if err != nil {
+ return fmt.Errorf("domain name look-up failed: %v", err)
+ }
+
+ want := hex.EncodeToString(types.Hash(key[:])[:])
+ for _, got := range rsp {
+ if got == want {
+ return nil
+ }
+ }
+ return fmt.Errorf("%q is not aware of key hash %q", name, want)
+}
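Review bot: Verify wraps the resolver error with `%v`, which discards the underlying `*net.DNSError` and any `context.Canceled`/`context.DeadlineExceeded`, so callers cannot tell a timeout or cancellation from a genuinely missing record; use `return fmt.Errorf("domain name look-up: %w", err)`. The method also dereferences `key` in `types.Hash(key[:])` with no nil check, so a nil key panics instead of returning an error — a guard such as `if key == nil { return fmt.Errorf("nil verification key") }` before the lookup makes that failure explicit. It is worth documenting on Verify that the match is an exact, case-sensitive comparison of each returned TXT record against the lower-case hex hash, and that `net.Resolver` performs no DNSSEC validation, so a match shows only that the zone currently publishes the hash, not that the answer was authenticated. NewDefaultResolver lacks a doc comment and returns the Verifier interface rather than the concrete `*DefaultResolver`, which is the usual Go convention (accept interfaces, return concrete types).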