trust-dns 0.11.0

TRust-DNS is a safe and secure DNS library. This is the Client library with DNSec support. DNSSec with NSEC validation for negative records, is complete. The client supports dynamic DNS with SIG0 authenticated requests, implementing easy to use high level funtions. TRust-DNS is based on the Tokio and Futures libraries, which means it should be easily integrated into other software that also use those libraries.
Documentation 
// Copyright 2015-2016 Benjamin Fry <benjaminfry@me.com>
//
// Licensed under the Apache License, Version 2.0, <LICENSE-APACHE or
// http://apache.org/licenses/LICENSE-2.0> or the MIT license <LICENSE-MIT or
// http://opensource.org/licenses/MIT>, at your option. This file may not be
// copied, modified, or distributed except according to those terms.

use std::clone::Clone;
use std::collections::HashSet;
use std::mem;
use std::rc::Rc;

use futures::*;

use client::ClientHandle;
use error::*;
use op::{Message, OpCode, Query};
use rr::{domain, DNSClass, RData, Record, RecordType};
#[cfg(any(feature = "openssl", feature = "ring"))]
use rr::dnssec::Verifier;
use rr::dnssec::{Algorithm, SupportedAlgorithms, TrustAnchor};
use rr::rdata::{DNSKEY, SIG};
use rr::rdata::opt::EdnsOption;

#[derive(Debug)]
struct Rrset {
    pub name: domain::Name,
    pub record_type: RecordType,
    pub record_class: DNSClass,
    pub records: Vec<Record>,
}

/// Performs DNSSec validation of all DNS responses from the wrapped ClientHandle
///
/// This wraps a ClientHandle, changing the implementation `send()` to validate all
///  message responses for Query operations. Update operation responses are not validated by
///  this process.
#[derive(Clone)]
#[must_use = "queries can only be sent through a ClientHandle"]
pub struct SecureClientHandle<H: ClientHandle + 'static> {
    client: H,
    trust_anchor: Rc<TrustAnchor>,
    request_depth: usize,
    minimum_key_len: usize,
    minimum_algorithm: Algorithm, // used to prevent down grade attacks...
}

impl<H> SecureClientHandle<H>
    where H: ClientHandle + 'static
{
    /// Create a new SecureClientHandle wrapping the speicified client.
    ///
    /// This uses the compiled in TrustAnchor default trusted keys.
    ///
    /// # Arguments
    /// * `client` - client to use for all connections to a remote server.
    pub fn new(client: H) -> SecureClientHandle<H> {
        Self::with_trust_anchor(client, TrustAnchor::default())
    }

    /// Create a new SecureClientHandle wrapping the speicified client.
    ///
    /// This allows a custom TrustAnchor to be define.
    ///
    /// # Arguments
    /// * `client` - client to use for all connections to a remote server.
    /// * `trust_anchor` - custom DNSKEYs that will be trusted, can be used to pin trusted keys.
    pub fn with_trust_anchor(client: H, trust_anchor: TrustAnchor) -> SecureClientHandle<H> {
        SecureClientHandle {
            client: client,
            trust_anchor: Rc::new(trust_anchor),
            request_depth: 0,
            minimum_key_len: 0,
            minimum_algorithm: Algorithm::RSASHA256,
        }
    }

    /// An internal function used to clone the client, but maintain some information back to the
    ///  original client, such as the request_depth such that infinite recurssion does
    ///  not occur.
    fn clone_with_context(&self) -> Self {
        SecureClientHandle {
            client: self.client.clone(),
            trust_anchor: self.trust_anchor.clone(),
            request_depth: self.request_depth + 1,
            minimum_key_len: self.minimum_key_len,
            minimum_algorithm: self.minimum_algorithm,
        }
    }
}

impl<H> ClientHandle for SecureClientHandle<H>
    where H: ClientHandle + 'static
{
    fn send(&mut self, mut message: Message) -> Box<Future<Item = Message, Error = ClientError>> {
        // backstop, this might need to be configurable at some point
        if self.request_depth > 20 {
            return Box::new(failed(ClientErrorKind::Message("exceeded max validation depth")
                                       .into()));
        }

        // dnssec only matters on queries.
        if let OpCode::Query = message.op_code() {
            // This will panic on no queries, that is a very odd type of request, isn't it?
            // TODO: there should only be one
            let query = message.queries().first().cloned().unwrap();
            let client: SecureClientHandle<H> = self.clone_with_context();

            // TODO: cache response of the server about understood algorithms
            #[cfg(any(feature = "openssl", feature = "ring"))]
            {
                let edns = message.edns_mut();

                edns.set_dnssec_ok(true);

                // send along the algorithms which are supported by this client
                let mut algorithms = SupportedAlgorithms::new();
                #[cfg(feature = "openssl")]
                {
                    algorithms.set(Algorithm::RSASHA256);
                    algorithms.set(Algorithm::ECDSAP256SHA256);
                    algorithms.set(Algorithm::ECDSAP384SHA384);
                }
                #[cfg(feature = "ring")]
                algorithms.set(Algorithm::ED25519);

                let dau = EdnsOption::DAU(algorithms);
                let dhu = EdnsOption::DHU(algorithms);

                edns.set_option(dau);
                edns.set_option(dhu);
            }

            message.set_authentic_data(true);
            message.set_checking_disabled(false);
            let dns_class = message
                .queries()
                .first()
                .map_or(DNSClass::IN, |q| q.query_class());

            return Box::new(self.client
                                .send(message)
                                .and_then(move |message_response| {
                                              // group the record sets by name and type
                                              //  each rrset type needs to validated independently
                                              debug!("validating message_response: {}",
                                                     message_response.id());
                                              verify_rrsets(client, message_response, dns_class)
                                          })
                                .and_then(move |verified_message| {
                // at this point all of the message is verified.
                //  This is where NSEC (and possibly NSEC3) validation occurs
                // As of now, only NSEC is supported.
                if verified_message.answers().is_empty() {
                    let nsecs = verified_message
                        .name_servers()
                        .iter()
                        .filter(|rr| rr.rr_type() == RecordType::NSEC)
                        .collect::<Vec<_>>();

                    if !verify_nsec(&query, nsecs) {
                        // TODO change this to remove the NSECs, like we do for the others?
                        return Err(ClientErrorKind::Message("could not validate nxdomain \
                                                                 with NSEC")
                                           .into());
                    }
                }

                Ok(verified_message)
            }));
        }

        self.client.send(message)
    }
}

/// A future to verify all RRSets in a returned Message.
struct VerifyRrsetsFuture {
    message_result: Option<Message>,
    rrsets: SelectAll<Box<Future<Item = Rrset, Error = ClientError>>>,
    verified_rrsets: HashSet<(domain::Name, RecordType)>,
}

/// this pulls all records returned in a Message respons and returns a future which will
///  validate all of them.
fn verify_rrsets<H>(client: SecureClientHandle<H>,
                    message_result: Message,
                    dns_class: DNSClass)
                    -> Box<Future<Item = Message, Error = ClientError>>
    where H: ClientHandle
{
    let mut rrset_types: HashSet<(domain::Name, RecordType)> = HashSet::new();
    for rrset in message_result.answers()
                             .iter()
                             .chain(message_result.name_servers())
                             .filter(|rr| rr.rr_type() != RecordType::RRSIG &&
                             // if we are at a depth greater than 1, we are only interested in proving evaluation chains
                             //   this means that only DNSKEY and DS are intersting at that point.
                             //   this protects against looping over things like NS records and DNSKEYs in responses.
                             // TODO: is there a cleaner way to prevent cycles in the evaluations?
                                          (client.request_depth <= 1 ||
                                           rr.rr_type() == RecordType::DNSKEY ||
                                           rr.rr_type() == RecordType::DS))
                             .map(|rr| (rr.name().clone(), rr.rr_type())) {
    rrset_types.insert(rrset);
  }

    // there was no data returned in that message
    if rrset_types.is_empty() {
        let mut message_result = message_result;

        // there were no returned results, double check by dropping all the results
        message_result.take_answers();
        message_result.take_name_servers();
        message_result.take_additionals();

        return Box::new(failed(ClientErrorKind::Message("no results to verify").into()));
    }



    // collect all the rrsets to verify
    // TODO: is there a way to get rid of this clone() safely?
    let mut rrsets: Vec<Box<Future<Item = Rrset, Error = ClientError>>> =
        Vec::with_capacity(rrset_types.len());
    for (name, record_type) in rrset_types {
        // TODO: should we evaluate the different sections (answers and name_servers) separately?
        let rrset: Vec<Record> = message_result
            .answers()
            .iter()
            .chain(message_result.name_servers())
            .chain(message_result.additionals())
            .filter(|rr| rr.rr_type() == record_type && rr.name() == &name)
            .cloned()
            .collect();

        let rrsigs: Vec<Record> = message_result
            .answers()
            .iter()
            .chain(message_result.name_servers())
            .chain(message_result.additionals())
            .filter(|rr| rr.rr_type() == RecordType::RRSIG)
            .filter(|rr| if let &RData::SIG(ref rrsig) = rr.rdata() {
                        rrsig.type_covered() == record_type
                    } else {
                        false
                    })
            .cloned()
            .collect();

        // if there is already an active validation going on, assume the other validation will
        //  complete properly or error if it is invalid
        let rrset = Rrset {
            name: name,
            record_type: record_type,
            record_class: dns_class,
            records: rrset,
        };

        // TODO: support non-IN classes?
        debug!("verifying: {}, record_type: {:?}, rrsigs: {}",
               rrset.name,
               record_type,
               rrsigs.len());
        rrsets.push(verify_rrset(client.clone_with_context(), rrset, rrsigs));
    }

    // spawn a select_all over this vec, these are the individual RRSet validators
    let rrsets_to_verify = select_all(rrsets);

    // return the full Message validator
    Box::new(VerifyRrsetsFuture {
                 message_result: Some(message_result),
                 rrsets: rrsets_to_verify,
                 verified_rrsets: HashSet::new(),
             })
}

impl Future for VerifyRrsetsFuture {
    type Item = Message;
    type Error = ClientError;

    fn poll(&mut self) -> Poll<Self::Item, Self::Error> {
        if self.message_result.is_none() {
            return Err(ClientErrorKind::Message("message is none").into());
        }

        // loop through all the rrset evaluations, filter all the rrsets in the Message
        //  down to just the ones that were able to be validated
        loop {
            let remaining = match self.rrsets.poll() {
                // one way the loop will stop, nothing is ready...
                Ok(Async::NotReady) => return Ok(Async::NotReady),
                // all rrsets verified! woop!
                Ok(Async::Ready((rrset, _, remaining))) => {
                    debug!("an rrset was verified: {}, {:?}",
                           rrset.name,
                           rrset.record_type);
                    self.verified_rrsets
                        .insert((rrset.name, rrset.record_type));
                    remaining
                }
                // TODO, should we return the Message on errors? Allow the consumer to decide what to do
                //       on a validation failure?
                // any error, is an error for all
                Err((e, _, remaining)) => {
                    debug!("an rrset failed to verify: {}", e);
                    if remaining.is_empty() {
                        return Err(e);
                    }
                    remaining
                }
            };

            if !remaining.is_empty() {
                // continue the evaluation
                drop(mem::replace(&mut self.rrsets, select_all(remaining)));
            } else {
                // validated not none above...
                let mut message_result = mem::replace(&mut self.message_result, None).unwrap();

                // take all the rrsets from the Message, filter down each set to the validated rrsets
                // TODO: does the section in the message matter here?
                //       we could probably end up with record_types in any section.
                //       track the section in the rrset evaluation?
                let answers = message_result
                    .take_answers()
                    .into_iter()
                    .filter(|record| {
                                self.verified_rrsets
                                    .contains(&(record.name().clone(), record.rr_type()))
                            })
                    .collect::<Vec<Record>>();

                let name_servers = message_result
                    .take_name_servers()
                    .into_iter()
                    .filter(|record| {
                                self.verified_rrsets
                                    .contains(&(record.name().clone(), record.rr_type()))
                            })
                    .collect::<Vec<Record>>();

                let additionals = message_result
                    .take_additionals()
                    .into_iter()
                    .filter(|record| {
                                self.verified_rrsets
                                    .contains(&(record.name().clone(), record.rr_type()))
                            })
                    .collect::<Vec<Record>>();

                // add the filtered records back to the message
                message_result.insert_answers(answers);
                message_result.insert_name_servers(name_servers);
                message_result.insert_additionals(additionals);

                // breaks out of the loop... and returns the filtered Message.
                return Ok(Async::Ready(message_result));
            }
        }
    }
}

/// Generic entrypoint to verify any RRSET against the provided signatures.
///
/// Generally, the RRSET will be validated by `verify_default_rrset()`. There are additional
///  checks that happen after the RRSET is successfully validated. In the case of DNSKEYs this
///  triggers `verify_dnskey_rrset()`. If it's an NSEC record, then the NSEC record will be
///  validated to prove it's correctness. There is a special case for DNSKEY, where if the RRSET
///  is unsigned, `rrsigs` is empty, then an immediate `verify_dnskey_rrset()` is triggered. In
///  this case, it's possible the DNSKEY is a trust_anchor and is not self-signed.
fn verify_rrset<H>(client: SecureClientHandle<H>,
                   rrset: Rrset,
                   rrsigs: Vec<Record>)
                   -> Box<Future<Item = Rrset, Error = ClientError>>
    where H: ClientHandle
{
    // Special case for unsigned DNSKEYs, it's valid for a DNSKEY to be bare in the zone if
    //  it's a trust_anchor, though some DNS servers choose to self-sign in this case,
    //  for self-signed KEYS they will drop through to the standard validation logic.
    if let RecordType::DNSKEY = rrset.record_type {
        if rrsigs.is_empty() {
            debug!("unsigned key: {}, {:?}", rrset.name, rrset.record_type);
            // FIXME: validate that this DNSKEY is stronger than the one lower in the chain,
            //  also, set the min algorithm to this algorithm to prevent downgrade attacks.
            return verify_dnskey_rrset(client.clone_with_context(), rrset);
        }
    }

    // standard validation path
    Box::new(verify_default_rrset(client.clone_with_context(), rrset, rrsigs)
        .and_then(|rrset|
          // POST validation
          match rrset.record_type {
            RecordType::DNSKEY => verify_dnskey_rrset(client, rrset),
            // RecordType::DS => verify_ds_rrset(client, name, record_type, record_class, rrset, rrsigs),
            _ => Box::new(finished(rrset)),
          }
        )
        .map_err(|e| {
          debug!("rrset failed validation: {}", e);
          e
        })
      )
}

/// Verifies a dnskey rrset
///
/// This first checks to see if the key is in the set of trust_anchors. If so then it's returned
///  as a success. Otherwise, a query is sent to get the DS record, and the DNSKEY is validated
///  against the DS record.
fn verify_dnskey_rrset<H>(mut client: SecureClientHandle<H>,
                          rrset: Rrset)
                          -> Box<Future<Item = Rrset, Error = ClientError>>
    where H: ClientHandle
{
    debug!("dnskey validation {}, record_type: {:?}",
           rrset.name,
           rrset.record_type);

    // check the DNSKEYS against the trust_anchor, if it's approved allow it.
    {
        let anchored_keys = rrset
            .records
            .iter()
            .enumerate()
            .filter(|&(_, rr)| rr.rr_type() == RecordType::DNSKEY)
            .filter_map(|(i, rr)| if let &RData::DNSKEY(ref rdata) = rr.rdata() {
                            Some((i, rdata))
                        } else {
                            None
                        })
            .filter_map(|(i, rdata)| if client.trust_anchor.contains(rdata.public_key()) {
                            debug!("in trust_anchor");
                            Some(i)
                        } else {
                            None
                        })
            .collect::<Vec<usize>>();

        if !anchored_keys.is_empty() {
            let mut rrset = rrset;
            preserve(&mut rrset.records, anchored_keys);

            debug!("validated dnskey with trust_anchor: {}, {}",
                   rrset.name,
                   rrset.records.len());
            return Box::new(finished((rrset)));
        }
    }

    // need to get DS records for each DNSKEY
    let valid_dnskey = client
        .query(rrset.name.clone(), rrset.record_class, RecordType::DS)
        .and_then(move |ds_message| {
            let valid_keys = rrset
                .records
                .iter()
                .enumerate()
                .filter(|&(_, rr)| rr.rr_type() == RecordType::DNSKEY)
                .filter_map(|(i, rr)| if let &RData::DNSKEY(ref rdata) = rr.rdata() {
                                Some((i, rdata))
                            } else {
                                None
                            })
                .filter(|&(_, key_rdata)| {
                    ds_message.answers()
                              .iter()
                              .filter(|ds| ds.rr_type() == RecordType::DS)
                              .filter_map(|ds| if let &RData::DS(ref ds_rdata) = ds.rdata() {
                                Some(ds_rdata)
                              } else {
                                None
                              })
                              // must be convered by at least one DS record
                              .any(|ds_rdata| ds_rdata.covers(&rrset.name, key_rdata)
                                                      .unwrap_or(false))
                })
                .map(|(i, _)| i)
                .collect::<Vec<usize>>();

            if !valid_keys.is_empty() {
                let mut rrset = rrset;
                preserve(&mut rrset.records, valid_keys);

                debug!("validated dnskey: {}, {}", rrset.name, rrset.records.len());
                Ok(rrset)
            } else {
                Err(ClientErrorKind::Message("Could not validate all DNSKEYs").into())
            }
        });

    Box::new(valid_dnskey)
}

/// Preseves the specified indexes in vec, all others will be removed
///
/// # Arguments
///
/// * `vec` - vec to mutate
/// * `indexes` - ordered list of indexes to remove
fn preserve<T, I>(vec: &mut Vec<T>, indexes: I)
    where I: IntoIterator<Item = usize>,
          <I as IntoIterator>::IntoIter: DoubleEndedIterator
{
    // this removes all indexes theat were not part of the anchored keys
    let mut indexes_iter = indexes.into_iter().rev();
    let mut i = indexes_iter.next();
    for j in (0..vec.len()).rev() {
        // check the next indext to preserve
        if i.map_or(false, |i| i > j) {
            i = indexes_iter.next();
        }
        // if the key is not in the set of anchored_keys, remove it
        if i.map_or(true, |i| i != j) {
            vec.remove(j);
        }
    }
}

#[test]
fn test_preserve() {
    let mut vec = vec![1, 2, 3];
    let indexes = vec![];
    preserve(&mut vec, indexes);
    assert_eq!(vec, vec![]);

    let mut vec = vec![1, 2, 3];
    let indexes = vec![0];
    preserve(&mut vec, indexes);
    assert_eq!(vec, vec![1]);

    let mut vec = vec![1, 2, 3];
    let indexes = vec![1];
    preserve(&mut vec, indexes);
    assert_eq!(vec, vec![2]);

    let mut vec = vec![1, 2, 3];
    let indexes = vec![2];
    preserve(&mut vec, indexes);
    assert_eq!(vec, vec![3]);

    let mut vec = vec![1, 2, 3];
    let indexes = vec![0, 2];
    preserve(&mut vec, indexes);
    assert_eq!(vec, vec![1, 3]);

    let mut vec = vec![1, 2, 3];
    let indexes = vec![0, 1, 2];
    preserve(&mut vec, indexes);
    assert_eq!(vec, vec![1, 2, 3]);
}

/// Verifies that a given RRSET is validly signed by any of the specified RRSIGs.
///
/// Invalid RRSIGs will be ignored. RRSIGs will only be validated against DNSKEYs which can
///  be validated through a chain back to the `trust_anchor`. As long as one RRSIG is valid,
///  then the RRSET will be valid.
fn verify_default_rrset<H>(client: SecureClientHandle<H>,
                           rrset: Rrset,
                           rrsigs: Vec<Record>)
                           -> Box<Future<Item = Rrset, Error = ClientError>>
    where H: ClientHandle
{
    // the record set is going to be shared across a bunch of futures, Rc for that.
    let rrset = Rc::new(rrset);
    debug!("default validation {}, record_type: {:?}",
           rrset.name,
           rrset.record_type);

    // Special case for self-signed DNSKEYS, validate with itself...
    if rrsigs
           .iter()
           .filter(|rrsig| rrsig.rr_type() == RecordType::RRSIG)
           .any(|rrsig| if let &RData::SIG(ref sig) = rrsig.rdata() {
                    return RecordType::DNSKEY == rrset.record_type &&
                           sig.signer_name() == &rrset.name;
                } else {
                    panic!("expected a SIG here");
                }) {
        // in this case it was looks like a self-signed key, first validate the signature
        //  then return rrset. Like the standard case below, the DNSKEY is validated
        //  after this function. This function is only responsible for validating the signature
        //  the DNSKey validation should come after, see verify_rrset().
        return Box::new(done(
            rrsigs.into_iter()
            // this filter is technically unnecessary, can probably remove it...
            .filter(|rrsig| rrsig.rr_type() == RecordType::RRSIG)
            .map(|rrsig|
              if let RData::SIG(sig) = rrsig.unwrap_rdata() {
                // setting up the context explicitly.
                sig
              } else {
                panic!("expected a SIG here");
              }
            )
            .filter_map(|sig| {
              let rrset = rrset.clone();

              if rrset.records.iter()
                              .any(|r| {
                                if let &RData::DNSKEY(ref dnskey) = r.rdata() {
                                  verify_rrset_with_dnskey(dnskey, &sig, &rrset).is_ok()
                                } else {
                                  panic!("expected a DNSKEY here: {:?}", r.rdata());
                                }
                              }) {
                                Some(rrset)
                              } else {
                                None
                              }
                            })
                            .next()
                            .ok_or(ClientErrorKind::Message("self-signed dnskey is invalid").into())
      ).map(move |rrset| Rc::try_unwrap(rrset).expect("unable to unwrap Rc"))
    );
    }

    // we can validate with any of the rrsigs...
    //  i.e. the first that validates is good enough
    //  TODO: could there be a cert downgrade attack here with a MITM stripping stronger RRSIGs?
    //         we could check for the strongest RRSIG and only use that...
    //         though, since the entire package isn't signed any RRSIG could have been injected,
    //         right? meaning if there is an attack on any of the acceptable algorithms, we'd be
    //         succeptable until that algorithm is removed as an option.
    //        dns over TLS will mitigate this.
    //  TODO: strip RRSIGS to accepted algorithms and make algorithms configurable.
    let verifications = rrsigs.into_iter()
                            // this filter is technically unnecessary, can probably remove it...
                            .filter(|rrsig| rrsig.rr_type() == RecordType::RRSIG)
                            .map(|rrsig|
                              if let RData::SIG(sig) = rrsig.unwrap_rdata() {
                                // setting up the context explicitly.
                                sig
                              } else {
                                panic!("expected a SIG here");
                              }
                            )
                            .map(|sig| {
                              let rrset = rrset.clone();
                              let mut client = client.clone_with_context();

                              client.query(sig.signer_name().clone(), rrset.record_class, RecordType::DNSKEY)
                                    .and_then(move |message|
                                      // DNSKEYs are validated by the inner query
                                      message.answers()
                                             .iter()
                                             .filter(|r| r.rr_type() == RecordType::DNSKEY)
                                             .find(|r|
                                               if let &RData::DNSKEY(ref dnskey) = r.rdata() {
                                                 verify_rrset_with_dnskey(dnskey, &sig, &rrset).is_ok()
                                               } else {
                                                 panic!("expected a DNSKEY here: {:?}", r.rdata());
                                               }
                                             )
                                             .map(|_| rrset)
                                             .ok_or(ClientErrorKind::Message("validation failed").into())
                                    )
                            })
                            .collect::<Vec<_>>();

    // if there are no available verifications, then we are in a failed state.
    if verifications.is_empty() {
        return Box::new(failed(ClientErrorKind::Msg(format!("no RRSIGs available for \
                                                             validation: {}, {:?}",
                                                            rrset.name,
                                                            rrset.record_type))
                                       .into()));
    }

    // as long as any of the verifcations is good, then the RRSET is valid.
    let select =
        select_ok(verifications)
                          // getting here means at least one of the rrsigs succeeded...
                          .map(move |(rrset, rest)| {
                              drop(rest); // drop all others, should free up Rc
                              Rc::try_unwrap(rrset).expect("unable to unwrap Rc")
                          });

    Box::new(select)
}

/// Verifies the given SIG of the RRSET with the DNSKEY.
#[cfg(any(feature = "openssl", feature = "ring"))]
fn verify_rrset_with_dnskey(dnskey: &DNSKEY, sig: &SIG, rrset: &Rrset) -> ClientResult<()> {
    if dnskey.revoke() {
        debug!("revoked");
        return Err(ClientErrorKind::Message("revoked").into());
    } // TODO: does this need to be validated? RFC 5011
    if !dnskey.zone_key() {
        return Err(ClientErrorKind::Message("is not a zone key").into());
    }
    if dnskey.algorithm() != sig.algorithm() {
        return Err(ClientErrorKind::Message("mismatched algorithm").into());
    }

    dnskey.verify_rrsig(&rrset.name, rrset.record_class, sig, &rrset.records).map_err(Into::into)
}

/// Will always return an error. To enable record verification compile with the openssl feature.
#[cfg(not(any(feature = "openssl", feature = "ring")))]
fn verify_rrset_with_dnskey(_: &DNSKEY, _: &SIG, _: &Rrset) -> ClientResult<()> {
    Err(ClientErrorKind::Message("openssl or ring feature(s) not enabled").into())
}


/// Verifies NSEC records
///
/// ```text
/// RFC 4035             DNSSEC Protocol Modifications            March 2005
///
/// 5.4.  Authenticated Denial of Existence
///
///  A resolver can use authenticated NSEC RRs to prove that an RRset is
///  not present in a signed zone.  Security-aware name servers should
///  automatically include any necessary NSEC RRs for signed zones in
///  their responses to security-aware resolvers.
///
///  Denial of existence is determined by the following rules:
///
///  o  If the requested RR name matches the owner name of an
///     authenticated NSEC RR, then the NSEC RR's type bit map field lists
///     all RR types present at that owner name, and a resolver can prove
///     that the requested RR type does not exist by checking for the RR
///     type in the bit map.  If the number of labels in an authenticated
///     NSEC RR's owner name equals the Labels field of the covering RRSIG
///     RR, then the existence of the NSEC RR proves that wildcard
///     expansion could not have been used to match the request.
///
///  o  If the requested RR name would appear after an authenticated NSEC
///     RR's owner name and before the name listed in that NSEC RR's Next
///     Domain Name field according to the canonical DNS name order
///     defined in [RFC4034], then no RRsets with the requested name exist
///     in the zone.  However, it is possible that a wildcard could be
///     used to match the requested RR owner name and type, so proving
///     that the requested RRset does not exist also requires proving that
///     no possible wildcard RRset exists that could have been used to
///     generate a positive response.
///
///  In addition, security-aware resolvers MUST authenticate the NSEC
///  RRsets that comprise the non-existence proof as described in Section
///  5.3.
///
///  To prove the non-existence of an RRset, the resolver must be able to
///  verify both that the queried RRset does not exist and that no
///  relevant wildcard RRset exists.  Proving this may require more than
///  one NSEC RRset from the zone.  If the complete set of necessary NSEC
///  RRsets is not present in a response (perhaps due to message
///  truncation), then a security-aware resolver MUST resend the query in
///  order to attempt to obtain the full collection of NSEC RRs necessary
///  to verify the non-existence of the requested RRset.  As with all DNS
///  operations, however, the resolver MUST bound the work it puts into
///  answering any particular query.
///
///  Since a validated NSEC RR proves the existence of both itself and its
///  corresponding RRSIG RR, a validator MUST ignore the settings of the
///  NSEC and RRSIG bits in an NSEC RR.
/// ```
fn verify_nsec(query: &Query, nsecs: Vec<&Record>) -> bool {
    // first look for a record with the same name
    //  if they are, then the query_type should not exist in the NSEC record.
    //  if we got an NSEC record of the same name, but it is listed in the NSEC types,
    //    WTF? is that bad server, bad record
    if nsecs
           .iter()
           .any(|r| {
        query.name() == r.name() &&
        {
            if let &RData::NSEC(ref rdata) = r.rdata() {
                !rdata.type_bit_maps().contains(&query.query_type())
            } else {
                panic!("expected NSEC was {:?}", r.rr_type()) // valid panic, never should happen
            }
        }
    }) {
        return true;
    }

    // based on the WTF? above, we will ignore any NSEC records of the same name
    if nsecs
           .iter()
           .filter(|r| query.name() != r.name())
           .any(|r| {
        query.name() > r.name() &&
        {
            if let &RData::NSEC(ref rdata) = r.rdata() {
                query.name() < rdata.next_domain_name()
            } else {
                panic!("expected NSEC was {:?}", r.rr_type()) // valid panic, never should happen
            }
        }
    }) {
        return true;
    }

    // TODO: need to validate ANY or *.domain record existance, which doesn't make sense since
    //  that would have been returned in the request
    // if we got here, then there are no matching NSEC records, no validation
    false
}