import java.util.*;
-
/**
* This resolver module implements a "captive" DNSSEC validator. The captive
* validator does not have direct access to the Internet and DNS system --
// The local verification utility.
private DnsSecVerifier mVerifier;
- private Logger log = Logger.getLogger(this.getClass());
+ private Logger log = Logger.getLogger(this.getClass());
+ private List<String> mErrorList;
+
public CaptiveValidator() {
- mVerifier = new DnsSecVerifier();
- mValUtils = new ValUtils(mVerifier);
- mTrustedKeys = new TrustAnchorStore();
+ mVerifier = new DnsSecVerifier();
+ mValUtils = new ValUtils(mVerifier);
+ mTrustedKeys = new TrustAnchorStore();
+ mErrorList = new ArrayList<String>();
}
// ---------------- Module Initialization -------------------
/**
* Add a set of trusted keys from a file. The file should be in DNS master
* zone file format. Only DNSKEY records will be added.
- *
+ *
* @param filename
* The file contains the trusted keys.
* @throws IOException
*/
@SuppressWarnings("unchecked")
- public void addTrustedKeysFromFile(String filename)
- throws IOException {
+ public void addTrustedKeysFromFile(String filename) throws IOException {
// First read in the whole trust anchor file.
- Master master = new Master(filename, Name.root, 0);
+ Master master = new Master(filename, Name.root, 0);
ArrayList<Record> records = new ArrayList<Record>();
- Record r = null;
+ Record r = null;
while ((r = master.nextRecord()) != null) {
records.add(r);
}
// If this record matches our current RRset, we can just add it.
- if (cur_rrset.getName().equals(rec.getName()) &&
- (cur_rrset.getType() == rec.getType()) &&
- (cur_rrset.getDClass() == rec.getDClass())) {
+ if (cur_rrset.getName().equals(rec.getName())
+ && (cur_rrset.getType() == rec.getType())
+ && (cur_rrset.getDClass() == rec.getDClass())) {
cur_rrset.addRR(rec);
continue;
}
public void addTrustedKeysFromResponse(Message m) {
- RRset [] rrsets = m.getSectionRRsets(Section.ANSWER);
+ RRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
for (int i = 0; i < rrsets.length; ++i) {
if (rrsets[i].getType() == Type.DNSKEY) {
* This routine normalizes a response. This includes removing "irrelevant"
* records from the answer and additional sections and (re)synthesizing
* CNAMEs from DNAMEs, if present.
- *
+ *
* @param response
*/
private SMessage normalize(SMessage m) {
return m;
}
- if ((m.getRcode() != Rcode.NOERROR) &&
- (m.getRcode() != Rcode.NXDOMAIN)) {
+ if ((m.getRcode() != Rcode.NOERROR) && (m.getRcode() != Rcode.NXDOMAIN)) {
return m;
}
- Name qname = m.getQuestion().getName();
- int qtype = m.getQuestion().getType();
+ Name qname = m.getQuestion().getName();
+ int qtype = m.getQuestion().getType();
- Name sname = qname;
+ Name sname = qname;
// For the ANSWER section, remove all "irrelevant" records and add
// synthesized CNAMEs from DNAMEs
// This will strip out-of-order CNAMEs as well.
- List<SRRset> rrset_list = m.getSectionList(Section.ANSWER);
- Set<Name> additional_names = new HashSet<Name>();
+ List<SRRset> rrset_list = m.getSectionList(Section.ANSWER);
+ Set<Name> additional_names = new HashSet<Name>();
for (ListIterator<SRRset> i = rrset_list.listIterator(); i.hasNext();) {
SRRset rrset = i.next();
- int type = rrset.getType();
- Name n = rrset.getName();
+ int type = rrset.getType();
+ Name n = rrset.getName();
// Handle DNAME synthesis; DNAME synthesis does not occur at the
// DNAME name itself.
Name cname_alias = sname.fromDNAME(dname);
// Note that synthesized CNAMEs should have a TTL of zero.
- CNAMERecord cname = new CNAMERecord(sname,
- dname.getDClass(), 0, cname_alias);
- SRRset cname_rrset = new SRRset();
+ CNAMERecord cname = new CNAMERecord(sname, dname
+ .getDClass(), 0, cname_alias);
+ SRRset cname_rrset = new SRRset();
cname_rrset.addRR(cname);
i.add(cname_rrset);
sname = cname_alias;
} catch (NameTooLongException e) {
- log.debug("not adding synthesized CNAME -- " +
- "generated name is too long", e);
+ log.debug("not adding synthesized CNAME -- "
+ + "generated name is too long", e);
}
continue;
// Follow the CNAME chain.
if (type == Type.CNAME) {
if (rrset.size() > 1) {
- log.debug("Found CNAME rrset with size > 1: " + rrset);
+ mErrorList.add("Found CNAME rrset with size > 1: " + rrset);
m.setStatus(SecurityStatus.INVALID);
return m;
for (Iterator<SRRset> i = rrset_list.iterator(); i.hasNext();) {
SRRset rrset = i.next();
- int type = rrset.getType();
+ int type = rrset.getType();
- if (((type == Type.A) || (type == Type.AAAA)) &&
- !additional_names.contains(rrset.getName())) {
+ if (((type == Type.A) || (type == Type.AAAA))
+ && !additional_names.contains(rrset.getName())) {
i.remove();
}
}
/**
* Extract additional names from the records in an rrset.
- *
+ *
* @param additional_names
* The set to add the additional names to, if any.
* @param rrset
}
for (Iterator<Record> i = rrset.rrs(); i.hasNext();) {
- Record r = i.next();
- Name add_name = r.getAdditionalName();
+ Record r = i.next();
+ Name add_name = r.getAdditionalName();
if (add_name != null) {
additional_names.add(add_name);
}
private SRRset findKeys(SMessage message) {
- Name qname = message.getQName();
- int qclass = message.getQClass();
+ Name qname = message.getQName();
+ int qclass = message.getQClass();
return mTrustedKeys.find(qname, qclass);
}
* on in the original request, the response was already validated, or the
* response is a kind of message that is unvalidatable (i.e., SERVFAIL,
* REFUSED, etc.)
- *
+ *
* @param message
* The message to check.
* @param origRequest
* The original request received from the client.
- *
+ *
* @return true if the response could use validation (although this does not
* mean we can actually validate this response).
*/
return false;
}
- if (!mTrustedKeys.isBelowTrustAnchor(message.getQName(),
- message.getQClass())) {
+ if (!mTrustedKeys.isBelowTrustAnchor(message.getQName(), message
+ .getQClass())) {
return false;
}
* Given a "positive" response -- a response that contains an answer to the
* question, and no CNAME chain, validate this response. This generally
* consists of verifying the answer RRset and the authority RRsets.
- *
+ *
* Note that by the time this method is called, the process of finding the
* trusted DNSKEY rrset that signs this response must already have been
* completed.
- *
+ *
* @param response
* The response to validate.
* @param request
* answer.
*/
private void validatePositiveResponse(SMessage message, SRRset key_rrset) {
- Name qname = message.getQName();
- int qtype = message.getQType();
+ Name qname = message.getQName();
+ int qtype = message.getQType();
- SMessage m = message;
+ SMessage m = message;
// validate the ANSWER section - this will be the answer itself
- SRRset [] rrsets = m.getSectionRRsets(Section.ANSWER);
+ SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
- Name wc = null;
- boolean wcNSEC_ok = false;
- boolean dname = false;
- List<NSEC3Record> nsec3s = null;
+ Name wc = null;
+ boolean wcNSEC_ok = false;
+ boolean dname = false;
+ List<NSEC3Record> nsec3s = null;
for (int i = 0; i < rrsets.length; i++) {
// Skip the CNAME following a (validated) DNAME.
// If the (answer) rrset failed to validate, then this message is
// BAD.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed ANSWER rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed ANSWER rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
// If anything in the authority section fails to be secure, we have
- // a
- // bad message.
+ // a bad message.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
if ((wc != null) && (rrsets[i].getType() == Type.NSEC)) {
NSECRecord nsec = (NSECRecord) rrsets[i].first();
- if (ValUtils.nsecProvesNameError(nsec, qname,
- key_rrset.getName())) {
+ if (ValUtils.nsecProvesNameError(nsec, qname, key_rrset
+ .getName())) {
Name nsec_wc = ValUtils.nsecWildcard(qname, nsec);
if (!wc.equals(nsec_wc)) {
- // log.debug("Positive wildcard response wasn't generated "
- // + "by the correct wildcard");
+ mErrorList.add("Positive wildcard response wasn't generated by the correct wildcard");
m.setStatus(SecurityStatus.BOGUS);
return;
// records.
if ((wc != null) && !wcNSEC_ok && (nsec3s != null)) {
if (NSEC3ValUtils.proveWildcard(nsec3s, qname, key_rrset.getName(),
- wc)) {
+ wc, mErrorList)) {
wcNSEC_ok = true;
}
}
}
// validate the AUTHORITY section.
- SRRset [] rrsets = m.getSectionRRsets(Section.AUTHORITY);
+ SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
- boolean secure_delegation = false;
- Name delegation = null;
- Name nsec3zone = null;
- NSECRecord nsec = null;
- List<NSEC3Record> nsec3s = null;
+ boolean secure_delegation = false;
+ Name delegation = null;
+ Name nsec3zone = null;
+ NSECRecord nsec = null;
+ List<NSEC3Record> nsec3s = null;
// validate the AUTHORITY section as well - this will generally be the
// NS rrset, plus proof of a secure delegation or not
// have
// a bad message.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
}
switch (type) {
- case Type.DS:
- secure_delegation = true;
+ case Type.DS:
+ secure_delegation = true;
- break;
+ break;
- case Type.NS:
- delegation = rrsets[i].getName();
+ case Type.NS:
+ delegation = rrsets[i].getName();
- break;
+ break;
- case Type.NSEC:
- nsec = (NSECRecord) rrsets[i].first();
+ case Type.NSEC:
+ nsec = (NSECRecord) rrsets[i].first();
- break;
+ break;
- case Type.NSEC3:
+ case Type.NSEC3:
- if (nsec3s == null) {
- nsec3s = new ArrayList<NSEC3Record>();
- }
+ if (nsec3s == null) {
+ nsec3s = new ArrayList<NSEC3Record>();
+ }
- NSEC3Record nsec3 = (NSEC3Record) rrsets[i].first();
- nsec3s.add(nsec3);
- nsec3zone = rrsets[i].getSignerName(); // this is a hack of
- // sorts.
+ NSEC3Record nsec3 = (NSEC3Record) rrsets[i].first();
+ nsec3s.add(nsec3);
+ nsec3zone = rrsets[i].getSignerName(); // this is a hack of
+ // sorts.
- break;
+ break;
- default:
- log.warn(
- "Encountered unexpected type in a REFERRAL response: " +
- Type.string(type));
+ default:
+ log.warn("Encountered unexpected type in a REFERRAL response: "
+ + Type.string(type));
- break;
+ break;
}
}
// Now to check to see if we have a valid combination of things.
if (delegation == null) {
// somehow we have a referral without an NS rrset.
+ mErrorList.add("Apparent referral does not contain NS RRset");
m.setStatus(SecurityStatus.BOGUS);
return;
if (secure_delegation) {
if ((nsec != null) || ((nsec3s != null) && (nsec3s.size() > 0))) {
// we found both a DS rrset *and* NSEC/NSEC3 rrsets!
+ mErrorList.add("Referral contains both DS and NSEC/NSEC3 RRsets");
m.setStatus(SecurityStatus.BOGUS);
return;
if (status != SecurityStatus.SECURE) {
// The NSEC *must* prove that there was no DS record. The
// INSECURE state here is still bogus.
+ mErrorList.add("Referral does not contain a NSEC record proving no DS");
m.setStatus(SecurityStatus.BOGUS);
return;
}
if (nsec3s.size() > 0) {
- byte status = NSEC3ValUtils
- .proveNoDS(nsec3s, delegation, nsec3zone);
+ byte status = NSEC3ValUtils.proveNoDS(nsec3s, delegation, nsec3zone, mErrorList);
if (status != SecurityStatus.SECURE) {
// the NSEC3 RRs MUST prove no DS, so the INDETERMINATE state is
// actually bogus
+ mErrorList.add("Referral does not contain NSEC3 record(s) proving no DS");
m.setStatus(SecurityStatus.BOGUS);
return;
}
// failed to find proof either way.
+ mErrorList.add("Referral does not contain proof of no DS");
m.setStatus(SecurityStatus.BOGUS);
}
- private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {
- }
+ // FIXME: write CNAME validation code.
+ private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {}
/**
* Given an "ANY" response -- a response that contains an answer to a
* qtype==ANY question, with answers. This consists of simply verifying all
* present answer/auth RRsets, with no checking that all types are present.
- *
+ *
* NOTE: it may be possible to get parent-side delegation point records
* here, which won't all be signed. Right now, this routine relies on the
* upstream iterative resolver to not return these responses -- instead
* treating them as referrals.
- *
+ *
* NOTE: RFC 4035 is silent on this issue, so this may change upon
* clarification.
- *
+ *
* Note that by the time this method is called, the process of finding the
* trusted DNSKEY rrset that signs this response must already have been
* completed.
- *
+ *
* @param message
* The response to validate.
* @param key_rrset
if (qtype != Type.ANY) {
throw new IllegalArgumentException(
- "ANY validation called on non-ANY response.");
+ "ANY validation called on non-ANY response.");
}
SMessage m = message;
// validate the ANSWER section.
- SRRset [] rrsets = m.getSectionRRsets(Section.ANSWER);
+ SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
for (int i = 0; i < rrsets.length; i++) {
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
// If the (answer) rrset failed to validate, then this message is
// BAD.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed ANSWER rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed ANSWER rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
// If anything in the authority section fails to be secure, we have
- // a
- // bad message.
+ // a bad message.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
* the authority section rrsets and making certain that the authority
* section NSEC/NSEC3s proves that the qname does exist and the qtype
* doesn't.
- *
+ *
* Note that by the time this method is called, the process of finding the
* trusted DNSKEY rrset that signs this response must already have been
* completed.
- *
+ *
* @param response
* The response to validate.
* @param request
* @param key_rrset
* The trusted DNSKEY rrset that signs this response.
*/
- private void validateNodataResponse(SMessage message, SRRset key_rrset) {
- Name qname = message.getQName();
- int qtype = message.getQType();
+ private void validateNodataResponse(SMessage message, SRRset key_rrset, List<String> errorList) {
+ Name qname = message.getQName();
+ int qtype = message.getQType();
- SMessage m = message;
+ SMessage m = message;
// Since we are here, there must be nothing in the ANSWER section to
// validate. (Note: CNAME/DNAME responses will not directly get here --
// responses.)
// validate the AUTHORITY section
- SRRset [] rrsets = m.getSectionRRsets(Section.AUTHORITY);
+ SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
- boolean hasValidNSEC = false; // If true, then the NODATA has been
- // proven.
+ boolean hasValidNSEC = false; // If true, then the NODATA has been
+ // proven.
- Name ce = null; // for wildcard NODATA responses. This is the proven
- // closest encloser.
+ Name ce = null; // for wildcard NODATA responses. This is the proven
+ // closest encloser.
- NSECRecord wc = null; // for wildcard NODATA responses. This is the
- // wildcard NSEC.
+ NSECRecord wc = null; // for wildcard NODATA responses. This is the
+ // wildcard NSEC.
- List<NSEC3Record> nsec3s = null; // A collection of NSEC3 RRs found in
- // the authority
- // section.
+ List<NSEC3Record> nsec3s = null; // A collection of NSEC3 RRs found in
+ // the authority
+ // section.
- Name nsec3Signer = null; // The RRSIG signer field for the NSEC3 RRs.
+ Name nsec3Signer = null; // The RRSIG signer field for the NSEC3 RRs.
for (int i = 0; i < rrsets.length; i++) {
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
if (status != SecurityStatus.SECURE) {
- log.debug("NODATA response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("NODATA response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
if (nsec.getName().isWild()) {
wc = nsec;
}
- } else if (ValUtils.nsecProvesNameError(nsec, qname,
- rrsets[i].getSignerName())) {
+ } else if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i]
+ .getSignerName())) {
ce = ValUtils.closestEncloser(qname, nsec);
}
}
if (!hasValidNSEC && (nsec3s != null) && (nsec3s.size() > 0)) {
// try to prove NODATA with our NSEC3 record(s)
hasValidNSEC = NSEC3ValUtils.proveNodata(nsec3s, qname, qtype,
- nsec3Signer);
+ nsec3Signer, errorList);
}
if (!hasValidNSEC) {
- log.debug("NODATA response failed to prove NODATA " +
- "status with NSEC/NSEC3");
+ log.debug("NODATA response failed to prove NODATA "
+ + "status with NSEC/NSEC3");
log.trace("Failed NODATA:\n" + m);
+ mErrorList.add("NODATA response failed to prove NODATA status with NSEC/NSEC3");
m.setStatus(SecurityStatus.BOGUS);
return;
* Rcode. This consists of verifying the authority section rrsets and making
* certain that the authority section NSEC proves that the qname doesn't
* exist and the covering wildcard also doesn't exist..
- *
+ *
* Note that by the time this method is called, the process of finding the
* trusted DNSKEY rrset that signs this response must already have been
* completed.
- *
+ *
* @param response
* The response to validate.
* @param request
* The trusted DNSKEY rrset that signs this response.
*/
private void validateNameErrorResponse(SMessage message, SRRset key_rrset) {
- Name qname = message.getQName();
+ Name qname = message.getQName();
- SMessage m = message;
+ SMessage m = message;
if (message.getCount(Section.ANSWER) > 0) {
- log
- .warn("NAME ERROR response contained records in the ANSWER SECTION");
+ log.warn(
+ "NameError response contained records in the ANSWER SECTION");
+ mErrorList.add("NameError response contained records in the ANSWER SECTION");
message.setStatus(SecurityStatus.INVALID);
return;
// Validate the authority section -- all RRsets in the authority section
// must be signed and valid.
// In addition, the NSEC record(s) must prove the NXDOMAIN condition.
- boolean hasValidNSEC = false;
- boolean hasValidWCNSEC = false;
- SRRset [] rrsets = m.getSectionRRsets(Section.AUTHORITY);
- List<NSEC3Record> nsec3s = null;
- Name nsec3Signer = null;
+ boolean hasValidNSEC = false;
+ boolean hasValidWCNSEC = false;
+ SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
+ List<NSEC3Record> nsec3s = null;
+ Name nsec3Signer = null;
for (int i = 0; i < rrsets.length; i++) {
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
if (status != SecurityStatus.SECURE) {
- log.debug("NameError response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("NameError response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
if (rrsets[i].getType() == Type.NSEC) {
NSECRecord nsec = (NSECRecord) rrsets[i].first();
- if (ValUtils.nsecProvesNameError(nsec, qname,
- rrsets[i].getSignerName())) {
+ if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i]
+ .getSignerName())) {
hasValidNSEC = true;
}
- if (ValUtils.nsecProvesNoWC(nsec, qname,
- rrsets[i].getSignerName())) {
+ if (ValUtils.nsecProvesNoWC(nsec, qname, rrsets[i]
+ .getSignerName())) {
hasValidWCNSEC = true;
}
}
return;
}
- hasValidNSEC = NSEC3ValUtils.proveNameError(nsec3s, qname,
- nsec3Signer);
+ hasValidNSEC = NSEC3ValUtils.proveNameError(nsec3s, qname,
+ nsec3Signer, mErrorList);
// Note that we assume that the NSEC3ValUtils proofs encompass the
// wildcard part of the proof.
- hasValidWCNSEC = hasValidNSEC;
+ hasValidWCNSEC = hasValidNSEC;
}
// If the message fails to prove either condition, it is bogus.
if (!hasValidNSEC) {
- log.debug("NameError response has failed to prove: "
- + "qname does not exist");
+ mErrorList.add("NameError response has failed to prove qname does not exist");
m.setStatus(SecurityStatus.BOGUS);
return;
}
if (!hasValidWCNSEC) {
- log.debug("NameError response has failed to prove: "
- + "covering wildcard does not exist");
+ mErrorList.add("NameError response has failed to prove covering wildcard does not exist");
m.setStatus(SecurityStatus.BOGUS);
return;
}
public byte validateMessage(SMessage message, Name zone) {
+ mErrorList.clear();
if (!zone.isAbsolute()) {
try {
zone = Name.concatenate(zone, Name.root);
SRRset key_rrset = findKeys(message);
if (key_rrset == null) {
+ mErrorList.add("Failed to find matching DNSKEYs for the response");
return SecurityStatus.BOGUS;
}
- ValUtils.ResponseType subtype = ValUtils.classifyResponse(message, zone);
+ ValUtils.ResponseType subtype = ValUtils
+ .classifyResponse(message, zone);
switch (subtype) {
- case POSITIVE:
- log.trace("Validating a positive response");
- validatePositiveResponse(message, key_rrset);
+ case POSITIVE:
+ log.trace("Validating a positive response");
+ validatePositiveResponse(message, key_rrset);
- break;
+ break;
- case REFERRAL:
- validateReferral(message, key_rrset);
+ case REFERRAL:
+ validateReferral(message, key_rrset);
- break;
+ break;
- case NODATA:
- log.trace("Validating a NODATA response");
- validateNodataResponse(message, key_rrset);
+ case NODATA:
+ log.trace("Validating a NODATA response");
+ validateNodataResponse(message, key_rrset, mErrorList);
- break;
+ break;
- case NAMEERROR:
- log.trace("Validating a NXDOMAIN response");
- validateNameErrorResponse(message, key_rrset);
+ case NAMEERROR:
+ log.trace("Validating a NXDOMAIN response");
+ validateNameErrorResponse(message, key_rrset);
- break;
+ break;
- case CNAME:
- log.trace("Validating a CNAME response");
- validateCNAMEResponse(message, key_rrset);
+ case CNAME:
+ log.trace("Validating a CNAME response");
+ validateCNAMEResponse(message, key_rrset);
- break;
+ break;
- case ANY:
- log.trace("Validating a positive ANY response");
- validateAnyResponse(message, key_rrset);
+ case ANY:
+ log.trace("Validating a positive ANY response");
+ validateAnyResponse(message, key_rrset);
- break;
+ break;
- default:
- log.error("unhandled response subtype: " + subtype);
+ default:
+ log.error("unhandled response subtype: " + subtype);
}
return message.getSecurityStatus().getStatus();
}
public byte validateMessage(Message message, String zone)
- throws TextParseException {
+ throws TextParseException {
SMessage sm = new SMessage(message);
- Name z = Name.fromString(zone);
+ Name z = Name.fromString(zone);
return validateMessage(sm, z);
}
public List<String> listTrustedKeys() {
return mTrustedKeys.listTrustAnchors();
}
- }
+
+ public List<String> getErrorList() {
+ return mErrorList;
+ }
+ }
import java.util.*;
-
public class NSEC3ValUtils {
// FIXME: should probably refactor to handle different NSEC3 parameters more
// efficiently.
// Given a list of NSEC3 RRs, they should be grouped according to
// parameters. The idea is to hash and compare for each group independently,
// instead of having to skip NSEC3 RRs with the wrong parameters.
- private static Name asterisk_label = Name.fromConstantString("*");
- private static Logger st_log = Logger.getLogger(NSEC3ValUtils.class);
- private static final base32 b32 = new base32(base32.Alphabet.BASE32HEX,
- false, false);
+ private static Name asterisk_label = Name.fromConstantString("*");
+ private static Logger st_log = Logger.getLogger(NSEC3ValUtils.class);
+ private static final base32 b32 = new base32(base32.Alphabet.BASE32HEX,
+ false, false);
public static boolean supportsHashAlgorithm(int alg) {
if (alg == NSEC3Record.SHA1_DIGEST_ID) {
* Given a list of NSEC3Records that are part of a message, determine the
* NSEC3 parameters (hash algorithm, iterations, and salt) present. If there
* is more than one distinct grouping, return null;
- *
+ *
* @param nsec3s
* A list of NSEC3Record object.
* @return A set containing a number of objects (NSEC3Parameter objects)
return null;
}
- NSEC3Parameters params = new NSEC3Parameters((NSEC3Record) nsec3s.get(
- 0));
- ByteArrayComparator bac = new ByteArrayComparator();
+ NSEC3Parameters params = new NSEC3Parameters((NSEC3Record) nsec3s
+ .get(0));
+ ByteArrayComparator bac = new ByteArrayComparator();
for (NSEC3Record nsec3 : nsec3s) {
if (!params.match(nsec3, bac)) {
/**
* Given a hash and an a zone name, construct an NSEC3 ownername.
- *
+ *
* @param hash
* The hash of an original name.
* @param zonename
* The zone to use in constructing the NSEC3 name.
* @return The NSEC3 name.
*/
- private static Name hashName(byte [] hash, Name zonename) {
+ private static Name hashName(byte[] hash, Name zonename) {
try {
return new Name(b32.toString(hash).toLowerCase(), zonename);
} catch (TextParseException e) {
/**
* Given a set of NSEC3 parameters, hash a name.
- *
+ *
* @param name
* The name to hash.
* @param params
* The parameters to hash with.
* @return The hash.
*/
- private static byte [] hash(Name name, NSEC3Parameters params) {
+ private static byte[] hash(Name name, NSEC3Parameters params) {
try {
return params.hash(name);
} catch (NoSuchAlgorithmException e) {
try {
return nsec3.hashName(name);
} catch (NoSuchAlgorithmException e) {
- st_log.warn("Did not recognize hash algorithm: " + nsec3.getHashAlgorithm());
+ st_log.warn("Did not recognize hash algorithm: "
+ + nsec3.getHashAlgorithm());
return null;
}
/**
* Given the name of a closest encloser, return the name *.closest_encloser.
- *
+ *
* @param closestEncloser
* The name to start with.
* @return The wildcard name.
* Given a qname and its proven closest encloser, calculate the "next
* closest" name. Basically, this is the name that is one label longer than
* the closest encloser that is still a subdomain of qname.
- *
+ *
* @param qname
* The qname.
* @param closestEncloser
/**
* Find the NSEC3Record that matches a hash of a name.
- *
+ *
* @param hash
* The pre-calculated hash of a name.
* @param zonename
* @param bac
* An already allocated ByteArrayComparator, for reuse. This may
* be null.
- *
+ *
* @return The matching NSEC3Record, if one is present.
*/
- private static NSEC3Record findMatchingNSEC3(byte [] hash, Name zonename,
- List<NSEC3Record> nsec3s, NSEC3Parameters params,
- ByteArrayComparator bac) {
+ private static NSEC3Record findMatchingNSEC3(byte[] hash, Name zonename,
+ List<NSEC3Record> nsec3s, NSEC3Parameters params,
+ ByteArrayComparator bac) {
Name n = hashName(hash, zonename);
for (NSEC3Record nsec3 : nsec3s) {
* Given a hash and a candidate NSEC3Record, determine if that NSEC3Record
* covers the hash. Covers specifically means that the hash is in between
* the owner and next hashes and does not equal either.
- *
+ *
* @param nsec3
* The candidate NSEC3Record.
* @param hash
* An already allocated comparator. This may be null.
* @return True if the NSEC3Record covers the hash.
*/
- private static boolean nsec3Covers(NSEC3Record nsec3, byte[] hash,
- ByteArrayComparator bac) {
- byte[] owner = hash(nsec3.getName(), nsec3);
- byte[] next = nsec3.getNext();
+ private static boolean nsec3Covers(NSEC3Record nsec3, byte [] hash,
+ ByteArrayComparator bac) {
+ Name ownerName = nsec3.getName();
+ byte [] owner = b32.fromString(ownerName.getLabelString(0));
+ byte [] next = nsec3.getNext();
// This is the "normal case: owner < next and owner < hash < next
if ((bac.compare(owner, hash) < 0) && (bac.compare(hash, next) < 0)) {
return true;
}
-
// this is the end of zone case: next < owner && hash > owner || hash <
// next
- if ((bac.compare(next, owner) <= 0) &&
- ((bac.compare(hash, next) < 0) ||
- (bac.compare(owner, hash) < 0))) {
+ if ((bac.compare(next, owner) <= 0)
+ && ((bac.compare(hash, next) < 0) || (bac.compare(owner, hash) < 0))) {
return true;
}
/**
* Given a pre-hashed name, find a covering NSEC3 from among a list of
* NSEC3s.
- *
+ *
* @param hash
* The hash to consider.
* @param zonename
* @param params
* The NSEC3 parameters used to generate the hash -- NSEC3s that
* do not use those parameters will be skipped.
- *
+ *
* @return A covering NSEC3 if one is present, null otherwise.
*/
- private static NSEC3Record findCoveringNSEC3(byte [] hash, Name zonename,
- List<NSEC3Record> nsec3s, NSEC3Parameters params,
- ByteArrayComparator bac) {
+ private static NSEC3Record findCoveringNSEC3(byte[] hash, Name zonename,
+ List<NSEC3Record> nsec3s, NSEC3Parameters params,
+ ByteArrayComparator bac) {
ByteArrayComparator comparator = new ByteArrayComparator();
for (NSEC3Record nsec3 : nsec3s) {
* Given a name and a list of NSEC3s, find the candidate closest encloser.
* This will be the first ancestor of 'name' (including itself) to have a
* matching NSEC3 RR.
- *
+ *
* @param name
* The name the start with.
* @param zonename
* The NSEC3 parameters.
* @param bac
* A pre-allocated comparator. May be null.
- *
+ *
* @return A CEResponse containing the closest encloser name and the NSEC3
* RR that matched it, or null if there wasn't one.
*/
private static CEResponse findClosestEncloser(Name name, Name zonename,
- List<NSEC3Record> nsec3s, NSEC3Parameters params,
- ByteArrayComparator bac) {
- Name n = name;
+ List<NSEC3Record> nsec3s, NSEC3Parameters params,
+ ByteArrayComparator bac) {
+ Name n = name;
NSEC3Record nsec3;
// FIXME: modify so that the NSEC3 matching the zone apex need not be
// present.
while (n.labels() >= zonename.labels()) {
- nsec3 = findMatchingNSEC3(hash(n, params), zonename, nsec3s,
- params, bac);
+ nsec3 = findMatchingNSEC3(hash(n, params), zonename,
+ nsec3s, params, bac);
if (nsec3 != null) {
return new CEResponse(n, nsec3);
/**
* Given a List of nsec3 RRs, find and prove the closest encloser to qname.
- *
+ *
* @param qname
* The qname in question.
* @param zonename
* that matches it.
*/
private static CEResponse proveClosestEncloser(Name qname, Name zonename,
- List<NSEC3Record> nsec3s, NSEC3Parameters params,
- ByteArrayComparator bac, boolean proveDoesNotExist) {
+ List<NSEC3Record> nsec3s, NSEC3Parameters params,
+ ByteArrayComparator bac, boolean proveDoesNotExist, List<String> errorList) {
CEResponse candidate = findClosestEncloser(qname, zonename, nsec3s,
params, bac);
if (candidate == null) {
- st_log.debug("proveClosestEncloser: could not find a "
- + "candidate for the closest encloser.");
+ errorList.add("Could not find a candidate for the closest encloser");
+ st_log.debug("proveClosestEncloser: could not find a " +
+ "candidate for the closest encloser.");
return null;
}
if (candidate.closestEncloser.equals(qname)) {
if (proveDoesNotExist) {
- st_log
- .debug("proveClosestEncloser: proved that qname existed!");
+ errorList.add("Proven closest encloser proved that the qname existed and should not have");
+ st_log.debug("proveClosestEncloser: proved that qname existed!");
return null;
}
// should have been a referral. If it is a DNAME, then it should have
// been
// a DNAME response.
- if (candidate.ce_nsec3.hasType(Type.NS)
- && !candidate.ce_nsec3.hasType(Type.SOA)) {
- st_log.debug("proveClosestEncloser: closest encloser "
- + "was a delegation!");
+ if (candidate.ce_nsec3.hasType(Type.NS) &&
+ !candidate.ce_nsec3.hasType(Type.SOA)) {
+ errorList.add("Proven closest encloser was a delegation");
+ st_log.debug("proveClosestEncloser: closest encloser " +
+ "was a delegation!");
return null;
}
if (candidate.ce_nsec3.hasType(Type.DNAME)) {
+ errorList.add("Proven closest encloser was a DNAME");
st_log.debug("proveClosestEncloser: closest encloser was a DNAME!");
return null;
}
// Otherwise, we need to show that the next closer name is covered.
- Name nextClosest = nextClosest(qname, candidate.closestEncloser);
+ Name nextClosest = nextClosest(qname, candidate.closestEncloser);
- byte [] nc_hash = hash(nextClosest, params);
- candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, zonename, nsec3s,
+ byte[] nc_hash = hash(nextClosest, params);
+ candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, zonename, nsec3s,
params, bac);
if (candidate.nc_nsec3 == null) {
- st_log.debug("Could not find proof that the "
- + "closest encloser was the closest encloser");
+ errorList.add("Could not find proof that the closest encloser was the closest encloser");
+ errorList.add("hash " + hashName(nc_hash, zonename) + " is not covered by any NSEC3 RRs");
+ st_log.debug("Could not find proof that the " +
+ "closest encloser was the closest encloser");
return null;
}
private static int maxIterations(int baseAlg, int keysize) {
switch (baseAlg) {
- case DnsSecVerifier.RSA:
+ case DnsSecVerifier.RSA:
- if (keysize == 0) {
- return 2500; // the max at 4096
- }
+ if (keysize == 0) {
+ return 2500; // the max at 4096
+ }
- if (keysize > 2048) {
- return 2500;
- }
+ if (keysize > 2048) {
+ return 2500;
+ }
- if (keysize > 1024) {
- return 500;
- }
+ if (keysize > 1024) {
+ return 500;
+ }
- if (keysize > 0) {
- return 150;
- }
+ if (keysize > 0) {
+ return 150;
+ }
- break;
+ break;
- case DnsSecVerifier.DSA:
+ case DnsSecVerifier.DSA:
- if (keysize == 0) {
- return 5000; // the max at 2048;
- }
+ if (keysize == 0) {
+ return 5000; // the max at 2048;
+ }
- if (keysize > 1024) {
- return 5000;
- }
+ if (keysize > 1024) {
+ return 5000;
+ }
- if (keysize > 0) {
- return 1500;
- }
+ if (keysize > 0) {
+ return 1500;
+ }
- break;
+ break;
}
return -1;
@SuppressWarnings("unchecked")
private static boolean validIterations(NSEC3Parameters nsec3params,
- RRset dnskey_rrset, DnsSecVerifier verifier) {
+ RRset dnskey_rrset, DnsSecVerifier verifier) {
// for now, we return the maximum iterations based simply on the key
// algorithms that may have been used to sign the NSEC3 RRsets.
int max_iterations = 0;
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
- DNSKEYRecord dnskey = (DNSKEYRecord) i.next();
- int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm());
- int iters = maxIterations(baseAlg, 0);
- max_iterations = (max_iterations < iters) ? iters
- : max_iterations;
+ DNSKEYRecord dnskey = (DNSKEYRecord) i.next();
+ int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm());
+ int iters = maxIterations(baseAlg, 0);
+ max_iterations = (max_iterations < iters) ? iters : max_iterations;
}
if (nsec3params.iterations > max_iterations) {
* Determine if all of the NSEC3s in a response are legally ignoreable
* (i.e., their presence should lead to an INSECURE result). Currently, this
* is solely based on iterations.
- *
+ *
* @param nsec3s
* The list of NSEC3s. If there is more than one set of NSEC3
* parameters present, this test will not be performed.
* @return true if all of the NSEC3s can be legally ignored, false if not.
*/
public static boolean allNSEC3sIgnoreable(List<NSEC3Record> nsec3s,
- RRset dnskey_rrset, DnsSecVerifier verifier) {
+ RRset dnskey_rrset, DnsSecVerifier verifier) {
NSEC3Parameters params = nsec3Parameters(nsec3s);
if (params == null) {
* ERROR. This means that the NSEC3s prove a) the closest encloser exists,
* b) the direct child of the closest encloser towards qname doesn't exist,
* and c) *.closest encloser does not exist.
- *
+ *
* @param nsec3s
* The list of NSEC3s.
* @param qname
* ignored.
*/
public static boolean proveNameError(List<NSEC3Record> nsec3s, Name qname,
- Name zonename) {
+ Name zonename, List<String> errorList) {
if ((nsec3s == null) || (nsec3s.size() == 0)) {
return false;
}
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) {
- st_log.debug("Could not find a single set of "
- + "NSEC3 parameters (multiple parameters present).");
+ errorList.add("Could not find a single set of NSEC3 parameters (multiple parameters present");
+ st_log.debug("Could not find a single set of " +
+ "NSEC3 parameters (multiple parameters present).");
return false;
}
// First locate and prove the closest encloser to qname. We will use the
// variant that fails if the closest encloser turns out to be qname.
CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
- nsec3params, bac, true);
+ nsec3params, bac, true, errorList);
if (ce == null) {
+ errorList.add("Failed to find the closest encloser as part of the NSEC3 proof");
st_log.debug("proveNameError: failed to prove a closest encloser.");
return false;
// At this point, we know that qname does not exist. Now we need to
// prove
// that the wildcard does not exist.
- Name wc = ceWildcard(ce.closestEncloser);
- byte [] wc_hash = hash(wc, nsec3params);
- NSEC3Record nsec3 = findCoveringNSEC3(wc_hash, zonename, nsec3s,
+ Name wc = ceWildcard(ce.closestEncloser);
+ byte[] wc_hash = hash(wc, nsec3params);
+ NSEC3Record nsec3 = findCoveringNSEC3(wc_hash, zonename, nsec3s,
nsec3params, bac);
if (nsec3 == null) {
- st_log.debug("proveNameError: could not prove that the "
- + "applicable wildcard did not exist.");
+ errorList.add("Failed to prove that the applicable wildcard did not exist");
+ st_log.debug("proveNameError: could not prove that the " +
+ "applicable wildcard did not exist.");
return false;
}
/**
* Determine if the NSEC3s provided in a response prove the NOERROR/NODATA
* status. There are a number of different variants to this:
- *
+ *
* 1) Normal NODATA -- qname is matched to an NSEC3 record, type is not
* present.
- *
+ *
* 2) ENT NODATA -- because there must be NSEC3 record for
* empty-non-terminals, this is the same as #1.
- *
+ *
* 3) NSEC3 ownername NODATA -- qname matched an existing, lone NSEC3
* ownername, but qtype was not NSEC3. NOTE: as of nsec-05, this case no
* longer exists.
- *
+ *
* 4) Wildcard NODATA -- A wildcard matched the name, but not the type.
- *
+ *
* 5) Opt-In DS NODATA -- the qname is covered by an opt-in span and qtype
* == DS. (or maybe some future record with the same parent-side-only
* property)
- *
+ *
* @param nsec3s
* The NSEC3Records to consider.
* @param qname
* @return true if the NSEC3s prove the proposition.
*/
public static boolean proveNodata(List<NSEC3Record> nsec3s, Name qname,
- int qtype, Name zonename) {
+ int qtype, Name zonename, List<String> errorList) {
if ((nsec3s == null) || (nsec3s.size() == 0)) {
return false;
}
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) {
- st_log.debug("could not find a single set of " +
- "NSEC3 parameters (multiple parameters present)");
+ st_log.debug("could not find a single set of "
+ + "NSEC3 parameters (multiple parameters present)");
return false;
}
- ByteArrayComparator bac = new ByteArrayComparator();
+ ByteArrayComparator bac = new ByteArrayComparator();
- NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params),
+ NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params),
zonename, nsec3s, nsec3params, bac);
// Cases 1 & 2.
if (nsec3 != null) {
if (nsec3.hasType(qtype)) {
- st_log.debug(
- "proveNodata: Matching NSEC3 proved that type existed!");
+ st_log
+ .debug("proveNodata: Matching NSEC3 proved that type existed!");
return false;
}
if (nsec3.hasType(Type.CNAME)) {
- st_log.debug("proveNodata: Matching NSEC3 proved " +
- "that a CNAME existed!");
+ st_log.debug("proveNodata: Matching NSEC3 proved "
+ + "that a CNAME existed!");
return false;
}
// match qname. Although, at this point, we know that it won't since we
// just checked that.
CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
- nsec3params, bac, true);
+ nsec3params, bac, true, errorList);
// At this point, not finding a match or a proven closest encloser is a
// problem.
if (ce == null) {
- st_log.debug("proveNodata: did not match qname, " +
- "nor found a proven closest encloser.");
+ st_log.debug("proveNodata: did not match qname, "
+ + "nor found a proven closest encloser.");
return false;
}
// Case 5.
if (qtype != Type.DS) {
- st_log.debug("proveNodata: could not find matching NSEC3, " +
- "nor matching wildcard, and qtype is not DS -- no more options.");
+ st_log
+ .debug("proveNodata: could not find matching NSEC3, "
+ + "nor matching wildcard, and qtype is not DS -- no more options.");
return false;
}
// We need to make sure that the covering NSEC3 is opt-in.
if (!isOptOut(ce.nc_nsec3)) {
- st_log.debug("proveNodata: covering NSEC3 was not " +
- "opt-in in an opt-in DS NOERROR/NODATA case.");
+ st_log.debug("proveNodata: covering NSEC3 was not "
+ + "opt-in in an opt-in DS NOERROR/NODATA case.");
return false;
}
/**
* Prove that a positive wildcard match was appropriate (no direct match
* RRset).
- *
+ *
* @param nsec3s
* The NSEC3 records to work with.
* @param qname
* @return true if the NSEC3 records prove this case.
*/
public static boolean proveWildcard(List<NSEC3Record> nsec3s, Name qname,
- Name zonename, Name wildcard) {
+ Name zonename, Name wildcard, List<String> errorList) {
if ((nsec3s == null) || (nsec3s.size() == 0)) {
return false;
}
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) {
- st_log
- .debug("couldn't find a single set of NSEC3 parameters (multiple parameters present).");
+ errorList.add("Could not find a single set of NSEC3 parameters (multiple parameters present)");
+ st_log.debug(
+ "couldn't find a single set of NSEC3 parameters (multiple parameters present).");
return false;
}
zonename, nsec3s, nsec3params, bac);
if (candidate.nc_nsec3 == null) {
- st_log.debug("proveWildcard: did not find a covering NSEC3 "
- + "that covered the next closer name to " + qname
- + " from " + candidate.closestEncloser
- + " (derived from wildcard " + wildcard + ")");
+ errorList.add("Did not find a NSEC3 that covered the next closer name to '" +
+ qname + "' from '" + candidate.closestEncloser + "' (derived from the wildcard: " +
+ wildcard + ")");
+ st_log.debug("proveWildcard: did not find a covering NSEC3 " +
+ "that covered the next closer name to " + qname + " from " +
+ candidate.closestEncloser + " (derived from wildcard " +
+ wildcard + ")");
return false;
}
/**
* Prove that a DS response either had no DS, or wasn't a delegation point.
- *
+ *
* Fundamentally there are two cases here: normal NODATA and Opt-In NODATA.
- *
+ *
* @param nsec3s
* The NSEC3 RRs to examine.
* @param qname
* The name of the DS in question.
* @param zonename
* The name of the zone that the NSEC3 RRs come from.
- *
+ *
* @return SecurityStatus.SECURE if it was proven that there is no DS in a
* secure (i.e., not opt-in) way, SecurityStatus.INSECURE if there
* was no DS in an insecure (i.e., opt-in) way,
* work out.
*/
public static byte proveNoDS(List<NSEC3Record> nsec3s, Name qname,
- Name zonename) {
+ Name zonename, List<String> errorList) {
if ((nsec3s == null) || (nsec3s.size() == 0)) {
return SecurityStatus.BOGUS;
}
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) {
- st_log.debug("couldn't find a single set of "
- + "NSEC3 parameters (multiple parameters present).");
+ errorList.add("Could not find a single set of NSEC3 parameters (multiple parameters present)");
+ st_log.debug("couldn't find a single set of " +
+ "NSEC3 parameters (multiple parameters present).");
return SecurityStatus.BOGUS;
}
// zone (the child instead of the parent). If it has the DS bit set,
// then we were lied to.
if (nsec3.hasType(Type.SOA) || nsec3.hasType(Type.DS)) {
+ errorList.add("Matching NSEC3 is incorrectly from the child instead of the parent (SOA or DS bit set)");
return SecurityStatus.BOGUS;
}
// Otherwise, we are probably in the opt-in case.
CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
- nsec3params, bac, true);
+ nsec3params, bac, true, errorList);
if (ce == null) {
+ errorList.add("Failed to prove the closest encloser as part of a 'No DS' proof");
return SecurityStatus.BOGUS;
}
return SecurityStatus.SECURE;
}
+ errorList.add("Failed to find a covering NSEC3 for 'No DS' proof");
return SecurityStatus.BOGUS;
}
* algorithm, iterations, and salt.
*/
private static class NSEC3Parameters {
- public int alg;
- public byte [] salt;
- public int iterations;
+ public int alg;
+ public byte[] salt;
+ public int iterations;
private NSEC3PARAMRecord nsec3paramrec;
public NSEC3Parameters(NSEC3Record r) {
- alg = r.getHashAlgorithm();
- salt = r.getSalt();
- iterations = r.getIterations();
+ alg = r.getHashAlgorithm();
+ salt = r.getSalt();
+ iterations = r.getIterations();
- nsec3paramrec = new NSEC3PARAMRecord(Name.root, DClass.IN, 0,
- alg, 0, iterations, salt);
+ nsec3paramrec = new NSEC3PARAMRecord(Name.root, DClass.IN, 0, alg,
+ 0, iterations, salt);
}
public boolean match(NSEC3Record r, ByteArrayComparator bac) {
* encloser proof.
*/
private static class CEResponse {
- public Name closestEncloser;
+ public Name closestEncloser;
public NSEC3Record ce_nsec3;
public NSEC3Record nc_nsec3;
public CEResponse(Name ce, NSEC3Record nsec3) {
- this.closestEncloser = ce;
- this.ce_nsec3 = nsec3;
+ this.closestEncloser = ce;
+ this.ce_nsec3 = nsec3;
}
}
}