Merge branch 'dev'

This commit is contained in:
Miraty 2023-08-13 18:54:46 +02:00
commit 40d6994126
6 changed files with 21 additions and 56 deletions

View file

@ -28,6 +28,7 @@ function kdig(string $name, string $type, string $server = NULL): array {
'+json', '+json',
'+timeout=5', '+timeout=5',
'+retry=0', '+retry=0',
'+noidn',
'-q', '-q',
$name, $name,
'-t', '-t',

View file

@ -7,7 +7,7 @@ set_error_handler(function ($level, $message, $file = '', $line = 0) {
set_exception_handler(function ($e) { set_exception_handler(function ($e) {
error_log((string) $e); error_log((string) $e);
http_response_code(500); http_response_code(500);
echo '<h1>Error</h1><p>An error occured.<p>'; echo '<h1>Error</h1><p>An error occured.<p>' . LF;
}); });
register_shutdown_function(function () { // Also catch fatal errors register_shutdown_function(function () { // Also catch fatal errors
if (($error = error_get_last()) !== NULL) if (($error = error_get_last()) !== NULL)

View file

@ -13,9 +13,8 @@ const SUFFIX = 'test.servnest.test.';
const TOR_PROXY = 'socks5h://127.0.0.1:9050'; const TOR_PROXY = 'socks5h://127.0.0.1:9050';
exescape([CONF['dns']['kdig_path'], 'torproject.org', 'AAAA'], $output, $return_code); if (kdig(name: 'nlnet.nl', type: 'AAAA')['AD'] !== 1)
if (preg_match('/^;; Flags: qr rd ra ad;/Dm', implode("\n", $output)) !== 1) exit('DNS queries don\'t seem to be DNSSEC-validated.' . LF);
exit('Unable to do a DNSSEC-validated DNS query.' . LF);
define('COOKIE_FILE', sys_get_temp_dir() . '/cookie-' . bin2hex(random_bytes(16)) . '.txt'); define('COOKIE_FILE', sys_get_temp_dir() . '/cookie-' . bin2hex(random_bytes(16)) . '.txt');
@ -108,13 +107,8 @@ function testReg(): string {
'domain' => $domain, 'domain' => $domain,
'ns' => 'ns1.servnest.invalid.', 'ns' => 'ns1.servnest.invalid.',
]); ]);
exescape([ $results = kdig(name: $domain, type: 'NS', server: CONF['reg']['address']);
CONF['dns']['kdig_path'], if ($results['authorityRRs'][0]['rdataNS'] !== 'ns1.servnest.invalid.')
'@' . CONF['reg']['address'],
$domain,
'NS',
], $output);
if (preg_match('/[ \t]+ns1\.servnest\.invalid\.$/Dm', implode(LF, $output)) !== 1)
exit('Error: /reg/ns: NS record not set' . LF); exit('Error: /reg/ns: NS record not set' . LF);
curlTest('/reg/ns', [ curlTest('/reg/ns', [
@ -194,13 +188,10 @@ function testNs(string $domain): void {
'tag' => 'issue', 'tag' => 'issue',
'value' => 'letsencrypt.org', 'value' => 'letsencrypt.org',
]); ]);
exescape([ $results = kdig(name: $domain, type: 'CAA', server: CONF['reg']['address']);
CONF['dns']['kdig_path'], if ($results['answerRRs'][0]['TTL'] !== 7200)
'@' . CONF['reg']['address'], exit('Error: /ns/caa: wrong TTL' . LF);
$domain, if ($results['answerRRs'][0]['rdataCAA'] !== '0 issue "letsencrypt.org" ')
'CAA',
], $output);
if (preg_match('/^' . preg_quote($domain, '/') . '[ \t]+7200[ \t]+IN[ \t]+CAA[ \t]+0[ \t]+issue[ \t]+"letsencrypt\.org"$/Dm', implode(LF, $output)) !== 1)
exit('Error: /ns/caa: CAA record not set' . LF); exit('Error: /ns/caa: CAA record not set' . LF);
curlTest('/ns/edit', [ curlTest('/ns/edit', [
@ -208,13 +199,8 @@ function testNs(string $domain): void {
'records' => 'aaaa.' . $domain . ' 3600 AAAA ' . CONF['ht']['ipv6_address'] . "\r\n" 'records' => 'aaaa.' . $domain . ' 3600 AAAA ' . CONF['ht']['ipv6_address'] . "\r\n"
. '@ 86400 NS ' . CONF['ns']['servers'][0] . "\r\n", . '@ 86400 NS ' . CONF['ns']['servers'][0] . "\r\n",
]); ]);
exescape([ $results = kdig(name: 'aaaa.' . $domain, type: 'AAAA', server: CONF['reg']['address']);
CONF['dns']['kdig_path'], if ($results['answerRRs'][0]['rdataAAAA'] !== CONF['ht']['ipv6_address'])
'@' . CONF['reg']['address'],
'aaaa.' . $domain,
'AAAA',
], $output);
if (preg_match('/[ \t]+' . preg_quote(CONF['ht']['ipv6_address'], '/') . '$/Dm', implode(LF, $output)) !== 1)
exit('Error: /ns/edit: AAAA record not set' . LF); exit('Error: /ns/edit: AAAA record not set' . LF);
} }

View file

@ -22,7 +22,7 @@ define('PAGES', [
'title' => _('Create account'), 'title' => _('Create account'),
'description' => _('Create a new account, and log in with it'), 'description' => _('Create a new account, and log in with it'),
'require-login' => false, 'require-login' => false,
'tokens_instance_cost' => 7200, 'tokens_instance_cost' => 1800,
], ],
'unregister' => [ 'unregister' => [
'title' => _('Delete account'), 'title' => _('Delete account'),

View file

@ -5,28 +5,14 @@ $_POST['domain'] = formatAbsoluteDomain($_POST['domain']);
if (query('select', 'zones', ['zone' => $_POST['domain']], 'zone') !== []) if (query('select', 'zones', ['zone' => $_POST['domain']], 'zone') !== [])
output(403, _('This zone already exists on the service.')); output(403, _('This zone already exists on the service.'));
exescape([ $parent_authoritatives = array_column(kdig(name: ltrim(strstr($_POST['domain'], '.'), '.'), type: 'NS', server: (CONF['ns']['local_only_check'] ? CONF['reg']['address'] : NULL))['answerRRs'], 'rdataNS');
CONF['dns']['kdig_path'], if ($parent_authoritatives === [])
ltrim(strstr($_POST['domain'], '.'), '.'),
'NS',
'+short',
...(CONF['ns']['local_only_check'] ? ['@' . CONF['reg']['address']] : []),
], $parentAuthoritatives, $code);
if ($code !== 0)
output(500, 'Unable to query parent name servers.');
if ($parentAuthoritatives === [])
output(403, _('Parent zone\'s name servers not found.')); output(403, _('Parent zone\'s name servers not found.'));
foreach ($parentAuthoritatives as $parentAuthoritative) foreach ($parent_authoritatives as $parent_authoritative)
checkAbsoluteDomainFormat($parentAuthoritative); checkAbsoluteDomainFormat($parent_authoritative);
exescape([ $ns_records = array_column(kdig(name: $_POST['domain'], type: 'NS', server: (CONF['ns']['local_only_check'] ? CONF['reg']['address'] : $parentAuthoritatives[0]))['authorityRRs'], 'rdataNS');
CONF['dns']['kdig_path'], if (preg_match('/^(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})\._domain-verification\.' . preg_quote(SERVER_NAME, '/') . '\.$/Dm', implode(LF, $ns_records), $matches) !== 1)
$_POST['domain'],
'NS',
'@' . (CONF['ns']['local_only_check'] ? CONF['reg']['address'] : $parentAuthoritatives[0]),
'+noidn'
], $results);
if (preg_match('/^' . preg_quote($_POST['domain'], '/') . '[\t ]+[0-9]{1,8}[\t ]+IN[\t ]+NS[\t ]+(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})\._domain-verification\.' . preg_quote(SERVER_NAME, '/') . '\.$/Dm', implode(LF, $results), $matches) !== 1)
output(403, _('NS authentication record not found.')); output(403, _('NS authentication record not found.'));
checkAuthToken($matches['salt'], $matches['hash']); checkAuthToken($matches['salt'], $matches['hash']);

View file

@ -11,16 +11,8 @@ $domain = formatAbsoluteDomain($_POST['subdomain'] . '.' . $_POST['suffix']);
if (query('select', 'registry', ['username' => $_SESSION['id'], 'domain' => $domain], 'domain') !== []) if (query('select', 'registry', ['username' => $_SESSION['id'], 'domain' => $domain], 'domain') !== [])
output(403, _('The current account already owns this domain.')); output(403, _('The current account already owns this domain.'));
exescape([ $ns_records = array_column(kdig(name: $domain, type: 'NS', server: CONF['reg']['address'])['authorityRRs'], 'rdataNS');
CONF['dns']['kdig_path'], if (preg_match('/^(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})\._transfer-verification\.' . preg_quote(SERVER_NAME, '/') . '\.$/Dm', implode(LF, $ns_records), $matches) !== 1)
$domain,
'NS',
'@' . CONF['reg']['address'],
'+noidn',
], $results, $code);
if ($code !== 0)
output(500, 'Unable to query registry\'s name servers.');
if (preg_match('/^' . preg_quote($domain, '/') . '[\t ]+[0-9]{1,8}[\t ]+IN[\t ]+NS[\t ]+(?<salt>[0-9a-f]{8})-(?<hash>[0-9a-f]{32})\._transfer-verification\.' . preg_quote(SERVER_NAME, '/') . '\.$/Dm', implode(LF, $results), $matches) !== 1)
output(403, _('NS authentication record not found.')); output(403, _('NS authentication record not found.'));
checkAuthToken($matches['salt'], $matches['hash']); checkAuthToken($matches['salt'], $matches['hash']);