1 /***************************** -*- Java -*- ********************************\
3 * Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
5 * This software is provided solely in connection with the terms of the *
6 * license agreement. Any other use without the prior express written *
7 * permission of VeriSign is completely prohibited. The software and *
8 * documentation are "Commercial Items", as that term is defined in 48 *
9 * C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
10 * "Commercial Computer Software Documentation" as such terms are defined *
11 * in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
12 * 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
13 * section 227.7202, as applicable. Pursuant to the above and other *
14 * relevant sections of the Code of Federal Regulations, as applicable, *
15 * VeriSign's publications, commercial computer software, and commercial *
16 * computer software documentation are distributed and licensed to United *
17 * States Government end users with only those rights as granted to all *
18 * other end users, according to the terms and conditions contained in the *
19 * license agreement(s) that accompany the products and software *
22 \***************************************************************************/
24 package com.verisign.tat.dnssec;
26 import org.apache.log4j.Logger;
28 import org.xbill.DNS.*;
30 import java.io.IOException;
35 * This resolver module implements a "captive" DNSSEC validator. The captive
36 * validator does not have direct access to the Internet and DNS system --
37 * instead it attempts to validate DNS messages using only configured context.
38 * This is useful for determining if responses coming from a given authoritative
39 * server will validate independent of the normal chain of trust.
41 public class CaptiveValidator {
42 // A data structure holding all all of our trusted keys.
43 private TrustAnchorStore mTrustedKeys;
45 // The local validation utilities.
46 private ValUtils mValUtils;
48 // The local verification utility.
49 private DnsSecVerifier mVerifier;
50 private Logger log = Logger.getLogger(this.getClass());
52 private List<String> mErrorList;
54 public CaptiveValidator() {
55 mVerifier = new DnsSecVerifier();
56 mValUtils = new ValUtils(mVerifier);
57 mTrustedKeys = new TrustAnchorStore();
58 mErrorList = new ArrayList<String>();
61 // ---------------- Module Initialization -------------------
64 * Add a set of trusted keys from a file. The file should be in DNS master
65 * zone file format. Only DNSKEY records will be added.
68 * The file contains the trusted keys.
71 @SuppressWarnings("unchecked")
72 public void addTrustedKeysFromFile(String filename) throws IOException {
73 // First read in the whole trust anchor file.
74 Master master = new Master(filename, Name.root, 0);
75 ArrayList<Record> records = new ArrayList<Record>();
78 while ((r = master.nextRecord()) != null) {
82 // Record.compareTo() should sort them into DNSSEC canonical order.
83 // Don't care about canonical order per se, but do want them to be
84 // formable into RRsets.
85 Collections.sort(records);
87 SRRset cur_rrset = new SRRset();
89 for (Record rec : records) {
90 // Skip RR types that cannot be used as trusted keys. I.e.,
91 // everything not a key :)
92 if (rec.getType() != Type.DNSKEY) {
96 // If our cur_rrset is empty, we can just add it.
97 if (cur_rrset.size() == 0) {
103 // If this record matches our current RRset, we can just add it.
104 if (cur_rrset.getName().equals(rec.getName())
105 && (cur_rrset.getType() == rec.getType())
106 && (cur_rrset.getDClass() == rec.getDClass())) {
107 cur_rrset.addRR(rec);
112 // Otherwise, we add the rrset to our set of trust anchors.
113 mTrustedKeys.store(cur_rrset);
114 cur_rrset = new SRRset();
115 cur_rrset.addRR(rec);
118 // add the last rrset (if it was not empty)
119 if (cur_rrset.size() > 0) {
120 mTrustedKeys.store(cur_rrset);
124 public void addTrustedKeysFromResponse(Message m) {
125 RRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
127 for (int i = 0; i < rrsets.length; ++i) {
128 if (rrsets[i].getType() == Type.DNSKEY) {
129 SRRset srrset = new SRRset(rrsets[i]);
130 mTrustedKeys.store(srrset);
135 // ----------------- Validation Support ----------------------
138 * This routine normalizes a response. This includes removing "irrelevant"
139 * records from the answer and additional sections and (re)synthesizing
140 * CNAMEs from DNAMEs, if present.
144 private SMessage normalize(SMessage m) {
149 if ((m.getRcode() != Rcode.NOERROR) && (m.getRcode() != Rcode.NXDOMAIN)) {
153 Name qname = m.getQuestion().getName();
154 int qtype = m.getQuestion().getType();
158 // For the ANSWER section, remove all "irrelevant" records and add
159 // synthesized CNAMEs from DNAMEs
160 // This will strip out-of-order CNAMEs as well.
161 List<SRRset> rrset_list = m.getSectionList(Section.ANSWER);
162 Set<Name> additional_names = new HashSet<Name>();
164 for (ListIterator<SRRset> i = rrset_list.listIterator(); i.hasNext();) {
165 SRRset rrset = i.next();
166 int type = rrset.getType();
167 Name n = rrset.getName();
169 // Handle DNAME synthesis; DNAME synthesis does not occur at the
170 // DNAME name itself.
171 if ((type == Type.DNAME) && ValUtils.strictSubdomain(sname, n)) {
172 if (rrset.size() > 1) {
173 log.debug("Found DNAME rrset with size > 1: " + rrset);
174 m.setStatus(SecurityStatus.INVALID);
179 DNAMERecord dname = (DNAMERecord) rrset.first();
182 Name cname_alias = sname.fromDNAME(dname);
184 // Note that synthesized CNAMEs should have a TTL of zero.
185 CNAMERecord cname = new CNAMERecord(sname, dname
186 .getDClass(), 0, cname_alias);
187 SRRset cname_rrset = new SRRset();
188 cname_rrset.addRR(cname);
192 } catch (NameTooLongException e) {
193 log.debug("not adding synthesized CNAME -- "
194 + "generated name is too long", e);
200 // The only records in the ANSWER section not allowed to
201 if (!n.equals(sname)) {
202 log.debug("normalize: removing irrelevant rrset: " + rrset);
208 // Follow the CNAME chain.
209 if (type == Type.CNAME) {
210 if (rrset.size() > 1) {
211 mErrorList.add("Found CNAME rrset with size > 1: " + rrset);
212 m.setStatus(SecurityStatus.INVALID);
217 CNAMERecord cname = (CNAMERecord) rrset.first();
218 sname = cname.getAlias();
223 // Otherwise, make sure that the RRset matches the qtype.
224 if ((qtype != Type.ANY) && (qtype != type)) {
225 log.debug("normalize: removing irrelevant rrset: " + rrset);
229 // Otherwise, fetch the additional names from the relevant rrset.
230 rrsetAdditionalNames(additional_names, rrset);
233 // Get additional names from AUTHORITY
234 rrset_list = m.getSectionList(Section.AUTHORITY);
236 for (SRRset rrset : rrset_list) {
237 rrsetAdditionalNames(additional_names, rrset);
240 // For each record in the additional section, remove it if it is an
241 // address record and not in the collection of additional names found in
242 // ANSWER and AUTHORITY.
243 rrset_list = m.getSectionList(Section.ADDITIONAL);
245 for (Iterator<SRRset> i = rrset_list.iterator(); i.hasNext();) {
246 SRRset rrset = i.next();
247 int type = rrset.getType();
249 if (((type == Type.A) || (type == Type.AAAA))
250 && !additional_names.contains(rrset.getName())) {
259 * Extract additional names from the records in an rrset.
261 * @param additional_names
262 * The set to add the additional names to, if any.
264 * The rrset to extract from.
266 private void rrsetAdditionalNames(Set<Name> additional_names, SRRset rrset) {
271 for (Iterator<Record> i = rrset.rrs(); i.hasNext();) {
273 Name add_name = r.getAdditionalName();
275 if (add_name != null) {
276 additional_names.add(add_name);
281 private SRRset findKeys(SMessage message) {
282 Name qname = message.getQName();
283 int qclass = message.getQClass();
285 return mTrustedKeys.find(qname, qclass);
289 * Check to see if a given response needs to go through the validation
290 * process. Typical reasons for this routine to return false are: CD bit was
291 * on in the original request, the response was already validated, or the
292 * response is a kind of message that is unvalidatable (i.e., SERVFAIL,
296 * The message to check.
298 * The original request received from the client.
300 * @return true if the response could use validation (although this does not
301 * mean we can actually validate this response).
303 private boolean needsValidation(SMessage message) {
304 int rcode = message.getRcode();
306 if ((rcode != Rcode.NOERROR) && (rcode != Rcode.NXDOMAIN)) {
307 log.debug("cannot validate non-answer.");
308 log.trace("non-answer: " + message);
313 if (!mTrustedKeys.isBelowTrustAnchor(message.getQName(), message
322 * Given a "positive" response -- a response that contains an answer to the
323 * question, and no CNAME chain, validate this response. This generally
324 * consists of verifying the answer RRset and the authority RRsets.
326 * Note that by the time this method is called, the process of finding the
327 * trusted DNSKEY rrset that signs this response must already have been
331 * The response to validate.
333 * The request that generated this response.
335 * The trusted DNSKEY rrset that matches the signer of the
338 private void validatePositiveResponse(SMessage message, SRRset key_rrset) {
339 Name qname = message.getQName();
340 int qtype = message.getQType();
342 SMessage m = message;
344 // validate the ANSWER section - this will be the answer itself
345 SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
348 boolean wcNSEC_ok = false;
349 boolean dname = false;
350 List<NSEC3Record> nsec3s = null;
352 for (int i = 0; i < rrsets.length; i++) {
353 // Skip the CNAME following a (validated) DNAME.
354 // Because of the normalization routines in NameserverClient, there
355 // will always be an unsigned CNAME following a DNAME (unless
357 if (dname && (rrsets[i].getType() == Type.CNAME)) {
363 // Verify the answer rrset.
364 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
366 // If the (answer) rrset failed to validate, then this message is
368 if (status != SecurityStatus.SECURE) {
369 mErrorList.add("Positive response has failed ANSWER rrset: " +
371 m.setStatus(SecurityStatus.BOGUS);
376 // Check to see if the rrset is the result of a wildcard expansion.
377 // If so, an additional check will need to be made in the authority
379 wc = ValUtils.rrsetWildcard(rrsets[i]);
381 // Notice a DNAME that should be followed by an unsigned CNAME.
382 if ((qtype != Type.DNAME) && (rrsets[i].getType() == Type.DNAME)) {
387 // validate the AUTHORITY section as well - this will generally be the
388 // NS rrset (which could be missing, no problem)
389 rrsets = m.getSectionRRsets(Section.AUTHORITY);
391 for (int i = 0; i < rrsets.length; i++) {
392 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
394 // If anything in the authority section fails to be secure, we have
396 if (status != SecurityStatus.SECURE) {
397 mErrorList.add("Positive response has failed AUTHORITY rrset: " +
399 m.setStatus(SecurityStatus.BOGUS);
404 // If this is a positive wildcard response, and we have a (just
405 // verified) NSEC record, try to use it to 1) prove that qname
406 // doesn't exist and 2) that the correct wildcard was used.
407 if ((wc != null) && (rrsets[i].getType() == Type.NSEC)) {
408 NSECRecord nsec = (NSECRecord) rrsets[i].first();
410 if (ValUtils.nsecProvesNameError(nsec, qname, key_rrset
412 Name nsec_wc = ValUtils.nsecWildcard(qname, nsec);
414 if (!wc.equals(nsec_wc)) {
415 mErrorList.add("Positive wildcard response wasn't generated by the correct wildcard");
416 m.setStatus(SecurityStatus.BOGUS);
425 // Otherwise, if this is a positive wildcard response and we have
426 // NSEC3 records, collect them.
427 if ((wc != null) && (rrsets[i].getType() == Type.NSEC3)) {
428 if (nsec3s == null) {
429 nsec3s = new ArrayList<NSEC3Record>();
432 nsec3s.add((NSEC3Record) rrsets[i].first());
436 // If this was a positive wildcard response that we haven't already
437 // proven, and we have NSEC3 records, try to prove it using the NSEC3
439 if ((wc != null) && !wcNSEC_ok && (nsec3s != null)) {
440 if (NSEC3ValUtils.proveWildcard(nsec3s, qname, key_rrset.getName(),
446 // If after all this, we still haven't proven the positive wildcard
448 if ((wc != null) && !wcNSEC_ok) {
449 // log.debug("positive response was wildcard expansion and "
450 // + "did not prove original data did not exist");
451 m.setStatus(SecurityStatus.BOGUS);
456 log.trace("Successfully validated positive response");
457 m.setStatus(SecurityStatus.SECURE);
460 private void validateReferral(SMessage message, SRRset key_rrset) {
461 SMessage m = message;
463 if (m.getCount(Section.ANSWER) > 0) {
464 m.setStatus(SecurityStatus.INVALID);
469 // validate the AUTHORITY section.
470 SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
472 boolean secure_delegation = false;
473 Name delegation = null;
474 Name nsec3zone = null;
475 NSECRecord nsec = null;
476 List<NSEC3Record> nsec3s = null;
478 // validate the AUTHORITY section as well - this will generally be the
479 // NS rrset, plus proof of a secure delegation or not
480 rrsets = m.getSectionRRsets(Section.AUTHORITY);
482 for (int i = 0; i < rrsets.length; i++) {
483 int type = rrsets[i].getType();
485 // The NS RRset won't be signed, but everything else should be.
486 if (type != Type.NS) {
487 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
489 // If anything in the authority section fails to be secure, we
492 if (status != SecurityStatus.SECURE) {
493 mErrorList.add("Positive response has failed AUTHORITY rrset: " +
495 m.setStatus(SecurityStatus.BOGUS);
503 secure_delegation = true;
508 delegation = rrsets[i].getName();
513 nsec = (NSECRecord) rrsets[i].first();
519 if (nsec3s == null) {
520 nsec3s = new ArrayList<NSEC3Record>();
523 NSEC3Record nsec3 = (NSEC3Record) rrsets[i].first();
525 nsec3zone = rrsets[i].getSignerName(); // this is a hack of
531 log.warn("Encountered unexpected type in a REFERRAL response: "
532 + Type.string(type));
538 // At this point, all validatable RRsets have been validated.
539 // Now to check to see if we have a valid combination of things.
540 if (delegation == null) {
541 // somehow we have a referral without an NS rrset.
542 mErrorList.add("Apparent referral does not contain NS RRset");
543 m.setStatus(SecurityStatus.BOGUS);
548 if (secure_delegation) {
549 if ((nsec != null) || ((nsec3s != null) && (nsec3s.size() > 0))) {
550 // we found both a DS rrset *and* NSEC/NSEC3 rrsets!
551 mErrorList.add("Referral contains both DS and NSEC/NSEC3 RRsets");
552 m.setStatus(SecurityStatus.BOGUS);
557 // otherwise, we are done.
558 m.setStatus(SecurityStatus.SECURE);
563 // Note: not going to care if both NSEC and NSEC3 rrsets were present.
565 byte status = ValUtils.nsecProvesNoDS(nsec, delegation);
567 if (status != SecurityStatus.SECURE) {
568 // The NSEC *must* prove that there was no DS record. The
569 // INSECURE state here is still bogus.
570 mErrorList.add("Referral does not contain a NSEC record proving no DS");
571 m.setStatus(SecurityStatus.BOGUS);
576 m.setStatus(SecurityStatus.SECURE);
581 if (nsec3s.size() > 0) {
582 byte status = NSEC3ValUtils.proveNoDS(nsec3s, delegation, nsec3zone, mErrorList);
584 if (status != SecurityStatus.SECURE) {
585 // the NSEC3 RRs MUST prove no DS, so the INDETERMINATE state is
587 mErrorList.add("Referral does not contain NSEC3 record(s) proving no DS");
588 m.setStatus(SecurityStatus.BOGUS);
593 m.setStatus(SecurityStatus.SECURE);
598 // failed to find proof either way.
599 mErrorList.add("Referral does not contain proof of no DS");
600 m.setStatus(SecurityStatus.BOGUS);
603 // FIXME: write CNAME validation code.
604 private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {}
607 * Given an "ANY" response -- a response that contains an answer to a
608 * qtype==ANY question, with answers. This consists of simply verifying all
609 * present answer/auth RRsets, with no checking that all types are present.
611 * NOTE: it may be possible to get parent-side delegation point records
612 * here, which won't all be signed. Right now, this routine relies on the
613 * upstream iterative resolver to not return these responses -- instead
614 * treating them as referrals.
616 * NOTE: RFC 4035 is silent on this issue, so this may change upon
619 * Note that by the time this method is called, the process of finding the
620 * trusted DNSKEY rrset that signs this response must already have been
624 * The response to validate.
626 * The trusted DNSKEY rrset that matches the signer of the
629 private void validateAnyResponse(SMessage message, SRRset key_rrset) {
630 int qtype = message.getQType();
632 if (qtype != Type.ANY) {
633 throw new IllegalArgumentException(
634 "ANY validation called on non-ANY response.");
637 SMessage m = message;
639 // validate the ANSWER section.
640 SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
642 for (int i = 0; i < rrsets.length; i++) {
643 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
645 // If the (answer) rrset failed to validate, then this message is
647 if (status != SecurityStatus.SECURE) {
648 mErrorList.add("Positive response has failed ANSWER rrset: " +
650 m.setStatus(SecurityStatus.BOGUS);
656 // validate the AUTHORITY section as well - this will be the NS rrset
657 // (which could be missing, no problem)
658 rrsets = m.getSectionRRsets(Section.AUTHORITY);
660 for (int i = 0; i < rrsets.length; i++) {
661 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
663 // If anything in the authority section fails to be secure, we have
665 if (status != SecurityStatus.SECURE) {
666 mErrorList.add("Positive response has failed AUTHORITY rrset: " +
668 m.setStatus(SecurityStatus.BOGUS);
674 log.trace("Successfully validated positive ANY response");
675 m.setStatus(SecurityStatus.SECURE);
679 * Validate a NOERROR/NODATA signed response -- a response that has a
680 * NOERROR Rcode but no ANSWER section RRsets. This consists of verifying
681 * the authority section rrsets and making certain that the authority
682 * section NSEC/NSEC3s proves that the qname does exist and the qtype
685 * Note that by the time this method is called, the process of finding the
686 * trusted DNSKEY rrset that signs this response must already have been
690 * The response to validate.
692 * The request that generated this response.
694 * The trusted DNSKEY rrset that signs this response.
696 private void validateNodataResponse(SMessage message, SRRset key_rrset, List<String> errorList) {
697 Name qname = message.getQName();
698 int qtype = message.getQType();
700 SMessage m = message;
702 // Since we are here, there must be nothing in the ANSWER section to
703 // validate. (Note: CNAME/DNAME responses will not directly get here --
704 // instead they are broken down into individual CNAME/DNAME/final answer
707 // validate the AUTHORITY section
708 SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
710 boolean hasValidNSEC = false; // If true, then the NODATA has been
713 Name ce = null; // for wildcard NODATA responses. This is the proven
716 NSECRecord wc = null; // for wildcard NODATA responses. This is the
719 List<NSEC3Record> nsec3s = null; // A collection of NSEC3 RRs found in
723 Name nsec3Signer = null; // The RRSIG signer field for the NSEC3 RRs.
725 for (int i = 0; i < rrsets.length; i++) {
726 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
728 if (status != SecurityStatus.SECURE) {
729 mErrorList.add("NODATA response has failed AUTHORITY rrset: " +
731 m.setStatus(SecurityStatus.BOGUS);
736 // If we encounter an NSEC record, try to use it to prove NODATA.
737 // This needs to handle the ENT NODATA case.
738 if (rrsets[i].getType() == Type.NSEC) {
739 NSECRecord nsec = (NSECRecord) rrsets[i].first();
741 if (ValUtils.nsecProvesNodata(nsec, qname, qtype)) {
744 if (nsec.getName().isWild()) {
747 } else if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i]
749 ce = ValUtils.closestEncloser(qname, nsec);
753 // Collect any NSEC3 records present.
754 if (rrsets[i].getType() == Type.NSEC3) {
755 if (nsec3s == null) {
756 nsec3s = new ArrayList<NSEC3Record>();
759 nsec3s.add((NSEC3Record) rrsets[i].first());
760 nsec3Signer = rrsets[i].getSignerName();
764 // check to see if we have a wildcard NODATA proof.
766 // The wildcard NODATA is 1 NSEC proving that qname does not exists (and
767 // also proving what the closest encloser is), and 1 NSEC showing the
768 // matching wildcard, which must be *.closest_encloser.
769 if ((ce != null) || (wc != null)) {
771 Name wc_name = new Name("*", ce);
773 if (!wc_name.equals(wc.getName())) {
774 hasValidNSEC = false;
776 } catch (TextParseException e) {
781 NSEC3ValUtils.stripUnknownAlgNSEC3s(nsec3s);
783 if (!hasValidNSEC && (nsec3s != null) && (nsec3s.size() > 0)) {
784 // try to prove NODATA with our NSEC3 record(s)
785 hasValidNSEC = NSEC3ValUtils.proveNodata(nsec3s, qname, qtype,
786 nsec3Signer, errorList);
790 log.debug("NODATA response failed to prove NODATA "
791 + "status with NSEC/NSEC3");
792 log.trace("Failed NODATA:\n" + m);
793 mErrorList.add("NODATA response failed to prove NODATA status with NSEC/NSEC3");
794 m.setStatus(SecurityStatus.BOGUS);
799 log.trace("successfully validated NODATA response.");
800 m.setStatus(SecurityStatus.SECURE);
804 * Validate a NAMEERROR signed response -- a response that has a NXDOMAIN
805 * Rcode. This consists of verifying the authority section rrsets and making
806 * certain that the authority section NSEC proves that the qname doesn't
807 * exist and the covering wildcard also doesn't exist..
809 * Note that by the time this method is called, the process of finding the
810 * trusted DNSKEY rrset that signs this response must already have been
814 * The response to validate.
816 * The request that generated this response.
818 * The trusted DNSKEY rrset that signs this response.
820 private void validateNameErrorResponse(SMessage message, SRRset key_rrset) {
821 Name qname = message.getQName();
823 SMessage m = message;
825 if (message.getCount(Section.ANSWER) > 0) {
827 "NameError response contained records in the ANSWER SECTION");
828 mErrorList.add("NameError response contained records in the ANSWER SECTION");
829 message.setStatus(SecurityStatus.INVALID);
834 // Validate the authority section -- all RRsets in the authority section
835 // must be signed and valid.
836 // In addition, the NSEC record(s) must prove the NXDOMAIN condition.
837 boolean hasValidNSEC = false;
838 boolean hasValidWCNSEC = false;
839 SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
840 List<NSEC3Record> nsec3s = null;
841 Name nsec3Signer = null;
843 for (int i = 0; i < rrsets.length; i++) {
844 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
846 if (status != SecurityStatus.SECURE) {
847 mErrorList.add("NameError response has failed AUTHORITY rrset: " +
849 m.setStatus(SecurityStatus.BOGUS);
854 if (rrsets[i].getType() == Type.NSEC) {
855 NSECRecord nsec = (NSECRecord) rrsets[i].first();
857 if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i]
862 if (ValUtils.nsecProvesNoWC(nsec, qname, rrsets[i]
864 hasValidWCNSEC = true;
868 if (rrsets[i].getType() == Type.NSEC3) {
869 if (nsec3s == null) {
870 nsec3s = new ArrayList<NSEC3Record>();
873 nsec3s.add((NSEC3Record) rrsets[i].first());
874 nsec3Signer = rrsets[i].getSignerName();
878 NSEC3ValUtils.stripUnknownAlgNSEC3s(nsec3s);
880 if ((nsec3s != null) && (nsec3s.size() > 0)) {
881 log.debug("Validating nxdomain: using NSEC3 records");
883 // Attempt to prove name error with nsec3 records.
884 if (NSEC3ValUtils.allNSEC3sIgnoreable(nsec3s, key_rrset, mVerifier)) {
885 // log.debug("all NSEC3s were validated but ignored.");
886 m.setStatus(SecurityStatus.INSECURE);
891 hasValidNSEC = NSEC3ValUtils.proveNameError(nsec3s, qname,
892 nsec3Signer, mErrorList);
894 // Note that we assume that the NSEC3ValUtils proofs encompass the
895 // wildcard part of the proof.
896 hasValidWCNSEC = hasValidNSEC;
899 // If the message fails to prove either condition, it is bogus.
901 mErrorList.add("NameError response has failed to prove qname does not exist");
902 m.setStatus(SecurityStatus.BOGUS);
907 if (!hasValidWCNSEC) {
908 mErrorList.add("NameError response has failed to prove covering wildcard does not exist");
909 m.setStatus(SecurityStatus.BOGUS);
914 // Otherwise, we consider the message secure.
915 log.trace("successfully validated NAME ERROR response.");
916 m.setStatus(SecurityStatus.SECURE);
919 public byte validateMessage(SMessage message, Name zone) {
921 if (!zone.isAbsolute()) {
923 zone = Name.concatenate(zone, Name.root);
924 } catch (NameTooLongException e) {
927 return SecurityStatus.UNCHECKED;
931 // FIXME: it is unclear if we should actually normalize our responses
932 // Instead, maybe we should just fail if they are not normal?
933 message = normalize(message);
935 if (!needsValidation(message)) {
936 return SecurityStatus.UNCHECKED;
939 SRRset key_rrset = findKeys(message);
941 if (key_rrset == null) {
942 mErrorList.add("Failed to find matching DNSKEYs for the response");
943 return SecurityStatus.BOGUS;
946 ValUtils.ResponseType subtype = ValUtils
947 .classifyResponse(message, zone);
951 log.trace("Validating a positive response");
952 validatePositiveResponse(message, key_rrset);
957 validateReferral(message, key_rrset);
962 log.trace("Validating a NODATA response");
963 validateNodataResponse(message, key_rrset, mErrorList);
968 log.trace("Validating a NXDOMAIN response");
969 validateNameErrorResponse(message, key_rrset);
974 log.trace("Validating a CNAME response");
975 validateCNAMEResponse(message, key_rrset);
980 log.trace("Validating a positive ANY response");
981 validateAnyResponse(message, key_rrset);
986 log.error("unhandled response subtype: " + subtype);
989 return message.getSecurityStatus().getStatus();
992 public byte validateMessage(Message message, String zone)
993 throws TextParseException {
994 SMessage sm = new SMessage(message);
995 Name z = Name.fromString(zone);
997 return validateMessage(sm, z);
1000 public List<String> listTrustedKeys() {
1001 return mTrustedKeys.listTrustAnchors();
1004 public List<String> getErrorList() {