+ /**
+ * Given a List of nsec3 RRs, find and prove the closest encloser to qname.
+ *
+ * @param qname
+ * The qname in question.
+ * @param zonename
+ * The name of the zone that the NSEC3 RRs come from.
+ * @param nsec3s
+ * The list of NSEC3s found the this response (already verified).
+ * @param params
+ * The NSEC3 parameters found in the response.
+ * @param bac
+ * A pre-allocated comparator. May be null.
+ * @param proveDoesNotExist
+ * If true, then if the closest encloser turns out to be qname,
+ * then null is returned.
+ * @return null if the proof isn't completed. Otherwise, return a CEResponse
+ * object which contains the closest encloser name and the NSEC3
+ * that matches it.
+ */
+ private static CEResponse proveClosestEncloser(Name qname, Name zonename,
+ List<NSEC3Record> nsec3s,
+ NSEC3Parameters params,
+ ByteArrayComparator bac,
+ boolean proveDoesNotExist) {
+ CEResponse candidate = findClosestEncloser(qname, zonename, nsec3s,
+ params, bac);
+
+ if (candidate == null) {
+ // st_log.debug("proveClosestEncloser: could not find a "
+ // + "candidate for the closest encloser.");
+ return null;
+ }
+
+ if (candidate.closestEncloser.equals(qname)) {
+ if (proveDoesNotExist) {
+ // st_log.debug("proveClosestEncloser: proved that qname existed!");
+ return null;
+ }
+ // otherwise, we need to nothing else to prove that qname is its own
+ // closest encloser.
+ return candidate;
+ }
+
+ // If the closest encloser is actually a delegation, then the response
+ // should have been a referral. If it is a DNAME, then it should have
+ // been
+ // a DNAME response.
+ if (candidate.ce_nsec3.hasType(Type.NS)
+ && !candidate.ce_nsec3.hasType(Type.SOA)) {
+ // st_log.debug("proveClosestEncloser: closest encloser "
+ // + "was a delegation!");
+ return null;
+ }
+ if (candidate.ce_nsec3.hasType(Type.DNAME)) {
+ // st_log.debug("proveClosestEncloser: closest encloser was a DNAME!");
+ return null;
+ }
+
+ // Otherwise, we need to show that the next closer name is covered.
+ Name nextClosest = nextClosest(qname, candidate.closestEncloser);
+
+ byte[] nc_hash = hash(nextClosest, params);
+ candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, zonename, nsec3s,
+ params, bac);
+ if (candidate.nc_nsec3 == null) {
+ // st_log.debug("Could not find proof that the "
+ // + "closest encloser was the closest encloser");
+ return null;
+ }
+
+ return candidate;
+ }
+
+ private static int maxIterations(int baseAlg, int keysize) {
+ switch (baseAlg) {
+ case DnsSecVerifier.RSA:
+ if (keysize == 0) return 2500; // the max at 4096
+ if (keysize > 2048) return 2500;
+ if (keysize > 1024) return 500;
+ if (keysize > 0) return 150;
+ break;
+ case DnsSecVerifier.DSA:
+ if (keysize == 0) return 5000; // the max at 2048;
+ if (keysize > 1024) return 5000;
+ if (keysize > 0) return 1500;
+ break;
+ }
+ return -1;
+ }
+
+ @SuppressWarnings("unchecked")
+ private static boolean validIterations(NSEC3Parameters nsec3params,
+ RRset dnskey_rrset,
+ DnsSecVerifier verifier) {
+ // for now, we return the maximum iterations based simply on the key
+ // algorithms that may have been used to sign the NSEC3 RRsets.
+
+ int max_iterations = 0;
+ for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
+ DNSKEYRecord dnskey = (DNSKEYRecord) i.next();
+ int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm());
+ int iters = maxIterations(baseAlg, 0);
+ max_iterations = max_iterations < iters ? iters : max_iterations;
+ }
+
+ if (nsec3params.iterations > max_iterations) return false;
+
+ return true;
+ }
+
+ /**
+ * Determine if all of the NSEC3s in a response are legally ignoreable
+ * (i.e., their presence should lead to an INSECURE result). Currently, this
+ * is solely based on iterations.
+ *
+ * @param nsec3s
+ * The list of NSEC3s. If there is more than one set of NSEC3
+ * parameters present, this test will not be performed.
+ * @param dnskey_rrset
+ * The set of validating DNSKEYs.
+ * @param verifier
+ * The verifier used to verify the NSEC3 RRsets. This is solely
+ * used to map algorithm aliases.
+ * @return true if all of the NSEC3s can be legally ignored, false if not.
+ */
+ public static boolean allNSEC3sIgnoreable(List<NSEC3Record> nsec3s,
+ RRset dnskey_rrset,
+ DnsSecVerifier verifier) {
+ NSEC3Parameters params = nsec3Parameters(nsec3s);
+ if (params == null) return false;
+
+ return !validIterations(params, dnskey_rrset, verifier);
+ }
+
+ /**
+ * Determine if the set of NSEC3 records provided with a response prove NAME
+ * ERROR. This means that the NSEC3s prove a) the closest encloser exists,
+ * b) the direct child of the closest encloser towards qname doesn't exist,
+ * and c) *.closest encloser does not exist.
+ *
+ * @param nsec3s
+ * The list of NSEC3s.
+ * @param qname
+ * The query name to check against.
+ * @param zonename
+ * This is the name of the zone that the NSEC3s belong to. This
+ * may be discovered in any number of ways. A good one is to use
+ * the signerName from the NSEC3 record's RRSIG.
+ * @return SecurityStatus.SECURE of the Name Error is proven by the NSEC3
+ * RRs, BOGUS if not, INSECURE if all of the NSEC3s could be validly
+ * ignored.
+ */
+ public static boolean proveNameError(List<NSEC3Record> nsec3s, Name qname,
+ Name zonename) {
+ if (nsec3s == null || nsec3s.size() == 0) return false;
+
+ NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
+ if (nsec3params == null) {
+ // st_log.debug("Could not find a single set of " +
+ // "NSEC3 parameters (multiple parameters present).");
+ return false;
+ }
+
+ ByteArrayComparator bac = new ByteArrayComparator();
+
+ // First locate and prove the closest encloser to qname. We will use the
+ // variant that fails if the closest encloser turns out to be qname.
+ CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
+ nsec3params, bac, true);
+
+ if (ce == null) {
+ // st_log.debug("proveNameError: failed to prove a closest encloser.");
+ return false;
+ }
+
+ // At this point, we know that qname does not exist. Now we need to
+ // prove
+ // that the wildcard does not exist.
+ Name wc = ceWildcard(ce.closestEncloser);
+ byte[] wc_hash = hash(wc, nsec3params);
+ NSEC3Record nsec3 = findCoveringNSEC3(wc_hash, zonename, nsec3s,
+ nsec3params, bac);
+ if (nsec3 == null) {
+ // st_log.debug("proveNameError: could not prove that the "
+ // + "applicable wildcard did not exist.");
+ return false;
+ }
+
+ return true;
+ }
+
+
+ /**
+ * Determine if the NSEC3s provided in a response prove the NOERROR/NODATA
+ * status. There are a number of different variants to this:
+ *
+ * 1) Normal NODATA -- qname is matched to an NSEC3 record, type is not
+ * present.
+ *
+ * 2) ENT NODATA -- because there must be NSEC3 record for
+ * empty-non-terminals, this is the same as #1.
+ *
+ * 3) NSEC3 ownername NODATA -- qname matched an existing, lone NSEC3
+ * ownername, but qtype was not NSEC3. NOTE: as of nsec-05, this case no
+ * longer exists.
+ *
+ * 4) Wildcard NODATA -- A wildcard matched the name, but not the type.
+ *
+ * 5) Opt-In DS NODATA -- the qname is covered by an opt-in span and qtype
+ * == DS. (or maybe some future record with the same parent-side-only
+ * property)
+ *
+ * @param nsec3s
+ * The NSEC3Records to consider.
+ * @param qname
+ * The qname in question.
+ * @param qtype
+ * The qtype in question.
+ * @param zonename
+ * The name of the zone that the NSEC3s came from.
+ * @return true if the NSEC3s prove the proposition.
+ */
+ public static boolean proveNodata(List<NSEC3Record> nsec3s, Name qname,
+ int qtype, Name zonename) {
+ if (nsec3s == null || nsec3s.size() == 0) return false;
+
+ NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
+ if (nsec3params == null) {
+ // st_log.debug("could not find a single set of "
+ // + "NSEC3 parameters (multiple parameters present)");
+ return false;
+ }
+ ByteArrayComparator bac = new ByteArrayComparator();
+
+ NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params),
+ zonename, nsec3s, nsec3params,
+ bac);
+ // Cases 1 & 2.
+ if (nsec3 != null) {
+ if (nsec3.hasType(qtype)) {
+ // st_log.debug("proveNodata: Matching NSEC3 proved that type existed!");
+ return false;
+ }
+ if (nsec3.hasType(Type.CNAME)) {
+ // st_log.debug("proveNodata: Matching NSEC3 proved "
+ // + "that a CNAME existed!");
+ return false;
+ }
+ return true;
+ }
+
+ // For cases 3 - 5, we need the proven closest encloser, and it can't
+ // match qname. Although, at this point, we know that it won't since we
+ // just checked that.
+ CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
+ nsec3params, bac, true);
+
+ // At this point, not finding a match or a proven closest encloser is a
+ // problem.
+ if (ce == null) {
+ // st_log.debug("proveNodata: did not match qname, "
+ // + "nor found a proven closest encloser.");
+ return false;
+ }
+
+ // Case 3: REMOVED
+
+ // Case 4:
+ Name wc = ceWildcard(ce.closestEncloser);
+ nsec3 = findMatchingNSEC3(hash(wc, nsec3params), zonename, nsec3s,
+ nsec3params, bac);
+
+ if (nsec3 != null) {
+ if (nsec3.hasType(qtype)) {
+ // st_log.debug("proveNodata: matching wildcard had qtype!");
+ return false;
+ }
+ return true;
+ }
+
+ // Case 5.
+ if (qtype != Type.DS) {
+ // st_log.debug("proveNodata: could not find matching NSEC3, "
+ // +
+ // "nor matching wildcard, and qtype is not DS -- no more options.");
+ return false;
+ }
+
+ // We need to make sure that the covering NSEC3 is opt-in.
+ if (!ce.nc_nsec3.getOptInFlag()) {
+ // st_log.debug("proveNodata: covering NSEC3 was not "
+ // + "opt-in in an opt-in DS NOERROR/NODATA case.");
+ return false;
+ }
+
+ return true;
+ }
+
+ /**
+ * Prove that a positive wildcard match was appropriate (no direct match
+ * RRset).
+ *
+ * @param nsec3s
+ * The NSEC3 records to work with.
+ * @param qname
+ * The qname that was matched to the wildcard
+ * @param zonename
+ * The name of the zone that the NSEC3s come from.
+ * @param wildcard
+ * The purported wildcard that matched.
+ * @return true if the NSEC3 records prove this case.
+ */
+ public static boolean proveWildcard(List<NSEC3Record> nsec3s, Name qname,
+ Name zonename, Name wildcard) {
+ if (nsec3s == null || nsec3s.size() == 0) return false;
+ if (qname == null || wildcard == null) return false;
+
+ NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
+ if (nsec3params == null) {
+ // st_log.debug("couldn't find a single set of NSEC3 parameters (multiple parameters present).");
+ return false;
+ }
+
+ ByteArrayComparator bac = new ByteArrayComparator();
+
+ // We know what the (purported) closest encloser is by just looking at
+ // the
+ // supposed generating wildcard.
+ CEResponse candidate = new CEResponse(new Name(wildcard, 1), null);
+
+ // Now we still need to prove that the original data did not exist.
+ // Otherwise, we need to show that the next closer name is covered.
+ Name nextClosest = nextClosest(qname, candidate.closestEncloser);
+ candidate.nc_nsec3 = findCoveringNSEC3(hash(nextClosest, nsec3params),
+ zonename, nsec3s, nsec3params,
+ bac);
+
+ if (candidate.nc_nsec3 == null) {
+ // st_log.debug("proveWildcard: did not find a covering NSEC3 "
+ // + "that covered the next closer name to " + qname + " from "
+ // + candidate.closestEncloser + " (derived from wildcard " +
+ // wildcard
+ // + ")");
+ return false;
+ }
+
+ return true;
+ }
+
+ /**
+ * Prove that a DS response either had no DS, or wasn't a delegation point.
+ *
+ * Fundamentally there are two cases here: normal NODATA and Opt-In NODATA.
+ *
+ * @param nsec3s
+ * The NSEC3 RRs to examine.
+ * @param qname
+ * The name of the DS in question.
+ * @param zonename
+ * The name of the zone that the NSEC3 RRs come from.
+ *
+ * @return SecurityStatus.SECURE if it was proven that there is no DS in a
+ * secure (i.e., not opt-in) way, SecurityStatus.INSECURE if there
+ * was no DS in an insecure (i.e., opt-in) way,
+ * SecurityStatus.INDETERMINATE if it was clear that this wasn't a
+ * delegation point, and SecurityStatus.BOGUS if the proofs don't
+ * work out.
+ */
+ public static int proveNoDS(List<NSEC3Record> nsec3s, Name qname,
+ Name zonename) {
+ if (nsec3s == null || nsec3s.size() == 0) return SecurityStatus.BOGUS;
+
+ NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
+ if (nsec3params == null) {
+ // st_log.debug("couldn't find a single set of " +
+ // "NSEC3 parameters (multiple parameters present).");
+ return SecurityStatus.BOGUS;
+ }
+ ByteArrayComparator bac = new ByteArrayComparator();
+
+ // Look for a matching NSEC3 to qname -- this is the normal NODATA case.
+ NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params),
+ zonename, nsec3s, nsec3params,
+ bac);
+
+ if (nsec3 != null) {
+ // If the matching NSEC3 has the SOA bit set, it is from the wrong
+ // zone
+ // (the child instead of the parent). If it has the DS bit set, then
+ // we
+ // were lied to.
+ if (nsec3.hasType(Type.SOA) || nsec3.hasType(Type.DS)) {
+ return SecurityStatus.BOGUS;
+ }
+ // If the NSEC3 RR doesn't have the NS bit set, then this wasn't a
+ // delegation point.
+ if (!nsec3.hasType(Type.NS)) return SecurityStatus.INDETERMINATE;
+
+ // Otherwise, this proves no DS.
+ return SecurityStatus.SECURE;
+ }
+
+ // Otherwise, we are probably in the opt-in case.
+ CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
+ nsec3params, bac, true);
+ if (ce == null) {
+ return SecurityStatus.BOGUS;
+ }
+
+ // If we had the closest encloser proof, then we need to check that the
+ // covering NSEC3 was opt-in -- the proveClosestEncloser step already
+ // checked to see if the closest encloser was a delegation or DNAME.
+ if (ce.nc_nsec3.getOptInFlag()) {
+ return SecurityStatus.SECURE;
+ }