private DnsSecVerifier mVerifier;
private Logger log = Logger.getLogger(this.getClass());
+ private List<String> mErrorList;
+
public CaptiveValidator() {
- mVerifier = new DnsSecVerifier();
- mValUtils = new ValUtils(mVerifier);
- mTrustedKeys = new TrustAnchorStore();
+ mVerifier = new DnsSecVerifier();
+ mValUtils = new ValUtils(mVerifier);
+ mTrustedKeys = new TrustAnchorStore();
+ mErrorList = new ArrayList<String>();
}
// ---------------- Module Initialization -------------------
// Follow the CNAME chain.
if (type == Type.CNAME) {
if (rrset.size() > 1) {
- log.debug("Found CNAME rrset with size > 1: " + rrset);
+ mErrorList.add("Found CNAME rrset with size > 1: " + rrset);
m.setStatus(SecurityStatus.INVALID);
return m;
// If the (answer) rrset failed to validate, then this message is
// BAD.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed ANSWER rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed ANSWER rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
// If anything in the authority section fails to be secure, we have
- // a
- // bad message.
+ // a bad message.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
Name nsec_wc = ValUtils.nsecWildcard(qname, nsec);
if (!wc.equals(nsec_wc)) {
- // log.debug("Positive wildcard response wasn't generated "
- // + "by the correct wildcard");
+ mErrorList.add("Positive wildcard response wasn't generated by the correct wildcard");
m.setStatus(SecurityStatus.BOGUS);
return;
// records.
if ((wc != null) && !wcNSEC_ok && (nsec3s != null)) {
if (NSEC3ValUtils.proveWildcard(nsec3s, qname, key_rrset.getName(),
- wc)) {
+ wc, mErrorList)) {
wcNSEC_ok = true;
}
}
// have
// a bad message.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
// Now to check to see if we have a valid combination of things.
if (delegation == null) {
// somehow we have a referral without an NS rrset.
+ mErrorList.add("Apparent referral does not contain NS RRset");
m.setStatus(SecurityStatus.BOGUS);
return;
if (secure_delegation) {
if ((nsec != null) || ((nsec3s != null) && (nsec3s.size() > 0))) {
// we found both a DS rrset *and* NSEC/NSEC3 rrsets!
+ mErrorList.add("Referral contains both DS and NSEC/NSEC3 RRsets");
m.setStatus(SecurityStatus.BOGUS);
return;
if (status != SecurityStatus.SECURE) {
// The NSEC *must* prove that there was no DS record. The
// INSECURE state here is still bogus.
+ mErrorList.add("Referral does not contain a NSEC record proving no DS");
m.setStatus(SecurityStatus.BOGUS);
return;
}
if (nsec3s.size() > 0) {
- byte status = NSEC3ValUtils
- .proveNoDS(nsec3s, delegation, nsec3zone);
+ byte status = NSEC3ValUtils.proveNoDS(nsec3s, delegation, nsec3zone, mErrorList);
if (status != SecurityStatus.SECURE) {
// the NSEC3 RRs MUST prove no DS, so the INDETERMINATE state is
// actually bogus
+ mErrorList.add("Referral does not contain NSEC3 record(s) proving no DS");
m.setStatus(SecurityStatus.BOGUS);
return;
}
// failed to find proof either way.
+ mErrorList.add("Referral does not contain proof of no DS");
m.setStatus(SecurityStatus.BOGUS);
}
- private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {
- }
+ // FIXME: write CNAME validation code.
+ private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {}
/**
* Given an "ANY" response -- a response that contains an answer to a
// If the (answer) rrset failed to validate, then this message is
// BAD.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed ANSWER rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed ANSWER rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
// If anything in the authority section fails to be secure, we have
- // a
- // bad message.
+ // a bad message.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
* @param key_rrset
* The trusted DNSKEY rrset that signs this response.
*/
- private void validateNodataResponse(SMessage message, SRRset key_rrset) {
- Name qname = message.getQName();
- int qtype = message.getQType();
+ private void validateNodataResponse(SMessage message, SRRset key_rrset, List<String> errorList) {
+ Name qname = message.getQName();
+ int qtype = message.getQType();
SMessage m = message;
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
if (status != SecurityStatus.SECURE) {
- log.debug("NODATA response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("NODATA response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
if (!hasValidNSEC && (nsec3s != null) && (nsec3s.size() > 0)) {
// try to prove NODATA with our NSEC3 record(s)
hasValidNSEC = NSEC3ValUtils.proveNodata(nsec3s, qname, qtype,
- nsec3Signer);
+ nsec3Signer, errorList);
}
if (!hasValidNSEC) {
log.debug("NODATA response failed to prove NODATA "
+ "status with NSEC/NSEC3");
log.trace("Failed NODATA:\n" + m);
+ mErrorList.add("NODATA response failed to prove NODATA status with NSEC/NSEC3");
m.setStatus(SecurityStatus.BOGUS);
return;
SMessage m = message;
if (message.getCount(Section.ANSWER) > 0) {
- log
- .warn("NAME ERROR response contained records in the ANSWER SECTION");
+ log.warn(
+ "NameError response contained records in the ANSWER SECTION");
+ mErrorList.add("NameError response contained records in the ANSWER SECTION");
message.setStatus(SecurityStatus.INVALID);
return;
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
if (status != SecurityStatus.SECURE) {
- log.debug("NameError response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("NameError response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
return;
}
- hasValidNSEC = NSEC3ValUtils.proveNameError(nsec3s, qname,
- nsec3Signer);
+ hasValidNSEC = NSEC3ValUtils.proveNameError(nsec3s, qname,
+ nsec3Signer, mErrorList);
// Note that we assume that the NSEC3ValUtils proofs encompass the
// wildcard part of the proof.
// If the message fails to prove either condition, it is bogus.
if (!hasValidNSEC) {
- log.debug("NameError response has failed to prove: "
- + "qname does not exist");
+ mErrorList.add("NameError response has failed to prove qname does not exist");
m.setStatus(SecurityStatus.BOGUS);
return;
}
if (!hasValidWCNSEC) {
- log.debug("NameError response has failed to prove: "
- + "covering wildcard does not exist");
+ mErrorList.add("NameError response has failed to prove covering wildcard does not exist");
m.setStatus(SecurityStatus.BOGUS);
return;
}
public byte validateMessage(SMessage message, Name zone) {
+ mErrorList.clear();
if (!zone.isAbsolute()) {
try {
zone = Name.concatenate(zone, Name.root);
SRRset key_rrset = findKeys(message);
if (key_rrset == null) {
+ mErrorList.add("Failed to find matching DNSKEYs for the response");
return SecurityStatus.BOGUS;
}
break;
- case NODATA:
- log.trace("Validating a NODATA response");
- validateNodataResponse(message, key_rrset);
+ case NODATA:
+ log.trace("Validating a NODATA response");
+ validateNodataResponse(message, key_rrset, mErrorList);
break;
public List<String> listTrustedKeys() {
return mTrustedKeys.listTrustAnchors();
}
-}
+
+ public List<String> getErrorList() {
+ return mErrorList;
+ }
+ }
git://blacka.com / captive-validator.git / blobdiff