[BED-92] Add PTR support (#17)

Valid check host implementation should support PTR, even though it is
not recommended to use.

Author: csucu

parser.go

@@ -249,7 +249,7 @@ func (p *parser) check() (Result, string, unused, error) {
 		case tExists:
 			matches, result, ttl, err = p.parseExists(token)
 		case tPTR:
-			_, _, _ = p.parsePtr(token)
+			matches, result, err = p.parsePtr(token)
 		default:
 			p.fireDirective(token, "")
 		}
@@ -600,9 +600,56 @@ func (p *parser) parseExists(t *token) (bool, Result, time.Duration, error) {
 	}
 }
 
+// https://www.rfc-editor.org/rfc/rfc7208#section-5.5
 func (p *parser) parsePtr(t *token) (bool, Result, error) {
-	p.fireDirective(t, domainSpec(t.value, p.domain))
-	return false, internalError, nil
+	fqdn := domainSpec(t.value, p.domain)
+	fqdn, err := parseMacro(p, fqdn, false)
+	if err == nil {
+		fqdn, err = truncateFQDN(fqdn)
+	}
+	if err == nil && !isDomainName(fqdn) {
+		err = newInvalidDomainError(fqdn)
+	}
+	fqdn = NormalizeFQDN(fqdn)
+	p.fireDirective(t, fqdn)
+	if err != nil {
+		return true, Permerror, SyntaxError{t, err}
+	}
+
+	ptrs, _, err := p.resolver.LookupPTR(p.ip.String())
+	switch err {
+	case nil:
+		// continue
+	case ErrDNSLimitExceeded:
+		return false, Permerror, err
+	case ErrDNSPermerror:
+		return false, None, err
+	default:
+		return false, Temperror, err
+	}
+
+	result, _ := matchingResult(t.qualifier)
+
+	for _, ptrDomain := range ptrs {
+		found, _, err := p.resolver.MatchIP(ptrDomain, func(ip net.IP, host string) (bool, error) {
+			if ip.Equal(p.ip) {
+				// Check if the PTR domain matches the target name or is a subdomain of the target name
+				if strings.HasSuffix(ptrDomain, fqdn) || fqdn == ptrDomain {
+					return true, nil // Match found
+				}
+			}
+			return false, nil
+		})
+		if err != nil {
+			continue
+		}
+
+		if found {
+			return true, result, nil
+		}
+	}
+
+	return false, Fail, nil
 }
 
 func (p *parser) handleRedirect(t *token) (Result, error) {

printer/printer.go

@@ -93,6 +93,13 @@ func (p *Printer) LookupTXTStrict(name string) ([]string, time.Duration, error)
 	return p.r.LookupTXTStrict(name)
 }
 
+func (p *Printer) LookupPTR(name string) ([]string, time.Duration, error) {
+	fmt.Fprintf(p.w, "%s  lookup(PTR) %s\n", strings.Repeat("  ", p.c), name)
+	atomic.AddInt64(&p.lc, 1)
+	p.lc++
+	return p.r.LookupPTR(name)
+}
+
 func (p *Printer) Exists(name string) (bool, time.Duration, error) {
 	fmt.Fprintf(p.w, "%s  lookup(A)\n", strings.Repeat("  ", p.c))
 	atomic.AddInt64(&p.lc, 1)

printer/printer_test.go

@@ -139,9 +139,10 @@ func ExamplePrinter() {
 	//   SPF: v=spf1 ptr ~all
 	//   v=spf1
 	//   ptr (ptr.test.redsift.io.)
+	//     lookup(PTR) 0.0.0.0
 	//   ~all
 	// = softfail, "4m59s", , <nil>
-	// ## of lookups: 13
+	// ## of lookups: 15
 }
 
 // b, _ := spf.CacheDump(c.GetALL(false)).MarshalJSON()

resolver_limited.go

@@ -99,3 +99,12 @@ func (r *LimitedResolver) MatchMX(name string, matcher IPMatcherFunc) (bool, tim
 		return matcher(ip, name)
 	})
 }
+
+// LookupPTR returns the DNS PTR records for the given domain name
+// and the minimum TTL
+func (r *LimitedResolver) LookupPTR(name string) ([]string, time.Duration, error) {
+	if !r.canLookup() {
+		return nil, 0, ErrDNSLimitExceeded
+	}
+	return r.resolver.LookupPTR(name)
+}

resolver_miekg.go

@@ -1,13 +1,14 @@
 package spf
 
 import (
-	"github.com/redsift/spf/v2/z"
 	"net"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/miekg/dns"
+	"github.com/redsift/spf/v2/z"
 )
 
 type MiekgDNSResolverOption func(r *miekgDNSResolver)
@@ -391,3 +392,66 @@ func (r *miekgDNSResolver) MatchMX(name string, matcher IPMatcherFunc) (bool, ti
 
 	return false, 0, nil
 }
+
+// LookupPTR returns the DNS PTR records for the given IP and
+// the minimum TTL
+func (r *miekgDNSResolver) LookupPTR(name string) ([]string, time.Duration, error) {
+	req := new(dns.Msg)
+	req.SetQuestion(NewPTRAddress(name), dns.TypePTR)
+
+	res, err := r.exchange(req)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	var ttl uint32 = 1<<32 - 1
+
+	ptrs := make([]string, 0, len(res.Answer))
+	for _, a := range res.Answer {
+		if r, ok := a.(*dns.PTR); ok {
+			ptrs = append(ptrs, r.Ptr)
+			if d := a.Header().Ttl; d < ttl {
+				ttl = d
+			}
+		}
+	}
+
+	if len(ptrs) == 0 {
+		ttl = 0
+	}
+
+	return ptrs, time.Duration(ttl) * time.Second, nil
+}
+
+func NewPTRAddress(address string) string {
+	ip := net.ParseIP(address)
+	if ip.To4() != nil {
+		return ip4ToLookup(ip)
+	} else {
+		return ip6ToLookup(ip)
+	}
+}
+
+func ip4ToLookup(ip net.IP) string {
+	return strconv.Itoa(int(ip[15])) +
+		"." + strconv.Itoa(int(ip[14])) +
+		"." + strconv.Itoa(int(ip[13])) +
+		"." + strconv.Itoa(int(ip[12])) +
+		"." + "in-addr.arpa."
+}
+
+func ip6ToLookup(ip net.IP) string {
+	// Must be IPv6
+	buf := make([]byte, 0, len(ip)*4+9)
+	// Add it, in reverse, to the buffer
+	for i := len(ip) - 1; i >= 0; i-- {
+		v := ip[i]
+		buf = append(buf, hexDigit[v&0xF])
+		buf = append(buf, '.')
+		buf = append(buf, hexDigit[v>>4])
+		buf = append(buf, '.')
+	}
+	// Append "ip6.arpa." and return (buf already has the final .)
+	buf = append(buf, "ip6.arpa."...)
+	return string(buf)
+}

resolver_retry.go

@@ -94,6 +94,20 @@ func (r *retryResolver) LookupTXT(name string) ([]string, time.Duration, error)
 	}
 }
 
+// LookupPTR returns the DNS PTR records for the given address.
+func (r *retryResolver) LookupPTR(name string) ([]string, time.Duration, error) {
+	expired := r.expiredFunc()
+	for attempt := 0; ; attempt++ {
+		for _, next := range r.rr {
+			v, ttl, err := next.LookupPTR(name)
+			if err != ErrDNSTemperror || expired() {
+				return v, ttl, err
+			}
+		}
+		time.Sleep(r.backoff(attempt))
+	}
+}
+
 // Exists is used for a DNS A RR lookup (even when the
 // connection type is IPv6).  If any A record is returned, this
 // mechanism matches and returns the ttl.

resolver_retry_test.go

@@ -43,6 +43,10 @@ func (r *brokenResolver) MatchMX(name string, matcher IPMatcherFunc) (bool, time
 	return false, 0, r.error()
 }
 
+func (r *brokenResolver) LookupPTR(name string) ([]string, time.Duration, error) {
+	return nil, 0, r.error()
+}
+
 func TestRetryResolver_Exists(t *testing.T) {
 	lastErr := errors.New("last error")
 

resolver_std.go

@@ -143,3 +143,14 @@ func (r *DNSResolver) MatchMX(name string, matcher IPMatcherFunc) (bool, time.Du
 
 	return false, 0, nil
 }
+
+// LookupPTR returns the DNS PTR records for the given name and the TTL.
+func (r *DNSResolver) LookupPTR(name string) ([]string, time.Duration, error) {
+	ptrs, err := net.LookupAddr(name)
+	err = errDNS(err)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return ptrs, 0, nil
+}

spf.go

@@ -80,6 +80,9 @@ type Resolver interface {
 	// Then IPMatcherFunc used to compare checked IP to the returned address(es).
 	// If any address matches, the mechanism matches and returns the TTL.
 	MatchMX(string, IPMatcherFunc) (bool, time.Duration, error)
+	// LookupPTR returns the DNS PTR records for the given address and
+	// the minimum TTL.
+	LookupPTR(string) ([]string, time.Duration, error)
 }
 
 // Option sets an optional parameter for the evaluating e-mail with regard to SPF