From 156bc6ca9136b34b2dbf3cec3d11eab8455d1ce3 Mon Sep 17 00:00:00 2001
From: Uli Heilmeier <uh@heilmeier.eu>
Date: Wed, 10 Feb 2021 22:02:42 +0100
Subject: [PATCH] DNS: Support for ZONEMD RR (RFC8976)

Adding support for RFC 8976 Message Digest for DNS Zones (ZONEMD RR)
---
 epan/dissectors/packet-dns.c | 63 +++++++++++++++++++++++++++++++++++-
 1 file changed, 62 insertions(+), 1 deletion(-)

diff --git a/epan/dissectors/packet-dns.c b/epan/dissectors/packet-dns.c
index 68a81e72af..99bbf845ba 100644
--- a/epan/dissectors/packet-dns.c
+++ b/epan/dissectors/packet-dns.c
@@ -246,6 +246,10 @@ static int hf_dns_csync_flags = -1;
 static int hf_dns_csync_flags_immediate = -1;
 static int hf_dns_csync_flags_soaminimum = -1;
 static int hf_dns_csync_type_bitmap = -1;
+static int hf_dns_zonemd_serial = -1;
+static int hf_dns_zonemd_scheme = -1;
+static int hf_dns_zonemd_hash_algo = -1;
+static int hf_dns_zonemd_digest = -1;
 static int hf_dns_svcb_priority = -1;
 static int hf_dns_svcb_target = -1;
 static int hf_dns_svcb_param_key = -1;
@@ -624,6 +628,7 @@ typedef struct _dns_conv_info_t {
 #define T_CDNSKEY       60              /* DNSKEY(s) the Child wants reflected in DS ( [RFC7344])*/
 #define T_OPENPGPKEY    61              /* OPENPGPKEY draft-ietf-dane-openpgpkey-00 */
 #define T_CSYNC         62              /* Child To Parent Synchronization (RFC7477) */
+#define T_ZONEMD        63              /* Message Digest for DNS Zones (RFC8976) */
 #define T_SVCB          64              /* draft-ietf-dnsop-svcb-https-01 */
 #define T_HTTPS         65              /* draft-ietf-dnsop-svcb-https-01 */
 #define T_SPF           99              /* SPF RR (RFC 4408) section 3 */
@@ -993,7 +998,8 @@ static const value_string dns_types_vals[] = {
   { T_CDS,        "CDS"        }, /* RFC 7344 */
   { T_CDNSKEY,    "CDNSKEY"    }, /* RFC 7344*/
   { T_OPENPGPKEY, "OPENPGPKEY" }, /* draft-ietf-dane-openpgpkey */
-  { T_CSYNC,      "CSYNC "     }, /* RFC 7477 */
+  { T_CSYNC,      "CSYNC"      }, /* RFC 7477 */
+  { T_ZONEMD,     "ZONEMD"     }, /* RFC 8976 */
   { T_SVCB,       "SVCB"       }, /* draft-ietf-dnsop-svcb-https-01 */
   { T_HTTPS,      "HTTPS"      }, /* draft-ietf-dnsop-svcb-https-01 */
   { T_SPF,        "SPF"        }, /* RFC 4408 */
@@ -1090,6 +1096,7 @@ static const value_string dns_types_description_vals[] = {
   { T_CDNSKEY,    "CDNSKEY (DNSKEY(s) the Child wants reflected in DS)" }, /* RFC 7344 */
   { T_OPENPGPKEY, "OPENPGPKEY (OpenPGP Key)" }, /* draft-ietf-dane-openpgpkey */
   { T_CSYNC,      "CSYNC (Child-to-Parent Synchronization)" }, /* RFC 7477 */
+  { T_ZONEMD,     "ZONEMD" }, /* RFC 8976 */
   { T_SVCB,       "SVCB (General Purpose Service Endpoints)" }, /*  draft-ietf-dnsop-svcb-https*/
   { T_HTTPS,      "HTTPS (HTTPS Specific Service Endpoints)" }, /*  draft-ietf-dnsop-svcb-https*/
   { T_SPF,        "SPF" }, /* RFC 4408 */
@@ -1267,6 +1274,28 @@ static int * const dns_csync_flags[] = {
     NULL
 };
 
+#define DNS_ZONEMD_SCHEME_SIMPLE  1
+
+static const range_string dns_zonemd_scheme[] = {
+  {                        0,                         0, "Reserved"     },
+  { DNS_ZONEMD_SCHEME_SIMPLE,  DNS_ZONEMD_SCHEME_SIMPLE, "SIMPLE"       },
+  {                        2,                       239, "Unassigned"   },
+  {                      240,                       254, "Private Use"  },
+  {                      255,                       255, "Reserved"     },
+  {                        0,                         0, NULL           } };
+
+#define DNS_ZONEMD_HASH_SHA384  1
+#define DNS_ZONEMD_HASH_SHA512  2
+
+static const range_string dns_zonemd_hash_algo[] = {
+  {                      0,                       0, "Reserved"     },
+  { DNS_ZONEMD_HASH_SHA384,  DNS_ZONEMD_HASH_SHA384, "SHA-384"      },
+  { DNS_ZONEMD_HASH_SHA512,  DNS_ZONEMD_HASH_SHA512, "SHA-512"      },
+  {                      3,                     239, "Unassigned"   },
+  {                    240,                     254, "Private Use"  },
+  {                    255,                     255, "Reserved"     },
+  {                      0,                       0, NULL           } };
+
 static const range_string dns_ext_err_info_code[] = {
   {     0,     0, "Other Error"        },
   {     1,     1, "Unsupported DNSKEY Algorithm" },
@@ -3450,6 +3479,18 @@ dissect_dns_answer(tvbuff_t *tvb, int offsetx, int dns_data_offset,
     }
     break;
 
+    case T_ZONEMD: /* Message Digest for DNS Zones (63) */
+    {
+      proto_tree_add_item(rr_tree, hf_dns_zonemd_serial, tvb, cur_offset, 4, ENC_BIG_ENDIAN);
+      cur_offset += 4;
+      proto_tree_add_item(rr_tree, hf_dns_zonemd_scheme, tvb, cur_offset, 1, ENC_NA);
+      cur_offset += 1;
+      proto_tree_add_item(rr_tree, hf_dns_zonemd_hash_algo, tvb, cur_offset, 1, ENC_NA);
+      cur_offset += 1;
+      proto_tree_add_item(rr_tree, hf_dns_zonemd_digest, tvb, cur_offset, data_len - 6 , ENC_NA);
+    }
+    break;
+
     case T_SVCB: /* Service binding and parameter specification (64) */
     case T_HTTPS: /* Service binding and parameter specification (65) */
     {
@@ -5138,6 +5179,26 @@ proto_register_dns(void)
         FT_BYTES, BASE_NONE, NULL, 0x0,
         NULL, HFILL }},
 
+    { &hf_dns_zonemd_serial,
+      { "Serial", "dns.zonemd.serial",
+        FT_UINT32, BASE_DEC, NULL, 0x0,
+        NULL, HFILL }},
+
+    { &hf_dns_zonemd_scheme,
+      { "Scheme", "dns.zonemd.scheme",
+        FT_UINT8, BASE_DEC | BASE_RANGE_STRING, RVALS(dns_zonemd_scheme), 0x0,
+        NULL, HFILL }},
+
+    { &hf_dns_zonemd_hash_algo,
+      { "Hash Algorithm", "dns.zonemd.hash_algo",
+        FT_UINT8, BASE_DEC | BASE_RANGE_STRING, RVALS(dns_zonemd_hash_algo), 0x0,
+        NULL, HFILL }},
+
+    { &hf_dns_zonemd_digest,
+      { "Digest", "dns.zonemd.digest",
+        FT_BYTES, BASE_NONE, NULL, 0x0,
+        NULL, HFILL }},
+
     { &hf_dns_svcb_priority,
       { "SvcPriority", "dns.svcb.svcpriority",
         FT_UINT16, BASE_DEC, NULL, 0x0,