1 /***************************** -*- Java -*- ********************************\
3 * Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
5 * This software is provided solely in connection with the terms of the *
6 * license agreement. Any other use without the prior express written *
7 * permission of VeriSign is completely prohibited. The software and *
8 * documentation are "Commercial Items", as that term is defined in 48 *
9 * C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
10 * "Commercial Computer Software Documentation" as such terms are defined *
11 * in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
12 * 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
13 * section 227.7202, as applicable. Pursuant to the above and other *
14 * relevant sections of the Code of Federal Regulations, as applicable, *
15 * VeriSign's publications, commercial computer software, and commercial *
16 * computer software documentation are distributed and licensed to United *
17 * States Government end users with only those rights as granted to all *
18 * other end users, according to the terms and conditions contained in the *
19 * license agreement(s) that accompany the products and software *
22 \***************************************************************************/
24 package com.verisign.tat.dnssec;
26 import org.apache.log4j.Logger;
28 import org.xbill.DNS.*;
29 import org.xbill.DNS.utils.base64;
31 import java.io.IOException;
36 * This resolver module implements a "captive" DNSSEC validator. The captive
37 * validator does not have direct access to the Internet and DNS system --
38 * instead it attempts to validate DNS messages using only configured context.
39 * This is useful for determining if responses coming from a given authoritative
40 * server will validate independent of the normal chain of trust.
42 public class CaptiveValidator {
43 // A data structure holding all all of our trusted keys.
44 private TrustAnchorStore mTrustedKeys;
46 // The local validation utilities.
47 private ValUtils mValUtils;
49 // The local verification utility.
50 private DnsSecVerifier mVerifier;
51 private Logger log = Logger.getLogger(this.getClass());
53 private List<String> mErrorList;
55 public CaptiveValidator() {
56 mVerifier = new DnsSecVerifier();
57 mValUtils = new ValUtils(mVerifier);
58 mTrustedKeys = new TrustAnchorStore();
59 mErrorList = new ArrayList<String>();
62 // ---------------- Module Initialization -------------------
65 * Add a set of trusted keys from a file. The file should be in DNS master
66 * zone file format. Only DNSKEY records will be added.
69 * The file contains the trusted keys.
72 @SuppressWarnings("unchecked")
73 public void addTrustedKeysFromFile(String filename) throws IOException {
74 // First read in the whole trust anchor file.
75 Master master = new Master(filename, Name.root, 0);
76 ArrayList<Record> records = new ArrayList<Record>();
79 while ((r = master.nextRecord()) != null) {
83 // Record.compareTo() should sort them into DNSSEC canonical order.
84 // Don't care about canonical order per se, but do want them to be
85 // formable into RRsets.
86 Collections.sort(records);
88 SRRset cur_rrset = new SRRset();
90 for (Record rec : records) {
91 // Skip RR types that cannot be used as trusted keys. I.e.,
92 // everything not a key :)
93 if (rec.getType() != Type.DNSKEY) {
97 // If our cur_rrset is empty, we can just add it.
98 if (cur_rrset.size() == 0) {
104 // If this record matches our current RRset, we can just add it.
105 if (cur_rrset.getName().equals(rec.getName())
106 && (cur_rrset.getType() == rec.getType())
107 && (cur_rrset.getDClass() == rec.getDClass())) {
108 cur_rrset.addRR(rec);
113 // Otherwise, we add the rrset to our set of trust anchors.
114 mTrustedKeys.store(cur_rrset);
115 cur_rrset = new SRRset();
116 cur_rrset.addRR(rec);
119 // add the last rrset (if it was not empty)
120 if (cur_rrset.size() > 0) {
121 mTrustedKeys.store(cur_rrset);
125 public void addTrustedKeysFromResponse(Message m) {
126 RRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
128 for (int i = 0; i < rrsets.length; ++i) {
129 if (rrsets[i].getType() == Type.DNSKEY) {
130 SRRset srrset = new SRRset(rrsets[i]);
131 mTrustedKeys.store(srrset);
136 // ----------------- Validation Support ----------------------
139 * This routine normalizes a response. This includes removing "irrelevant"
140 * records from the answer and additional sections and (re)synthesizing
141 * CNAMEs from DNAMEs, if present.
145 private SMessage normalize(SMessage m) {
150 if ((m.getRcode() != Rcode.NOERROR) && (m.getRcode() != Rcode.NXDOMAIN)) {
154 Name qname = m.getQuestion().getName();
155 int qtype = m.getQuestion().getType();
159 // For the ANSWER section, remove all "irrelevant" records and add
160 // synthesized CNAMEs from DNAMEs
161 // This will strip out-of-order CNAMEs as well.
162 List<SRRset> rrset_list = m.getSectionList(Section.ANSWER);
163 Set<Name> additional_names = new HashSet<Name>();
165 for (ListIterator<SRRset> i = rrset_list.listIterator(); i.hasNext();) {
166 SRRset rrset = i.next();
167 int type = rrset.getType();
168 Name n = rrset.getName();
170 // Handle DNAME synthesis; DNAME synthesis does not occur at the
171 // DNAME name itself.
172 if ((type == Type.DNAME) && ValUtils.strictSubdomain(sname, n)) {
173 if (rrset.size() > 1) {
174 log.debug("Found DNAME rrset with size > 1: " + rrset);
175 m.setStatus(SecurityStatus.INVALID);
180 DNAMERecord dname = (DNAMERecord) rrset.first();
183 Name cname_alias = sname.fromDNAME(dname);
185 // Note that synthesized CNAMEs should have a TTL of zero.
186 CNAMERecord cname = new CNAMERecord(sname, dname
187 .getDClass(), 0, cname_alias);
188 SRRset cname_rrset = new SRRset();
189 cname_rrset.addRR(cname);
193 } catch (NameTooLongException e) {
194 log.debug("not adding synthesized CNAME -- "
195 + "generated name is too long", e);
201 // The only records in the ANSWER section not allowed to
202 if (!n.equals(sname)) {
203 log.debug("normalize: removing irrelevant rrset: " + rrset);
209 // Follow the CNAME chain.
210 if (type == Type.CNAME) {
211 if (rrset.size() > 1) {
212 mErrorList.add("Found CNAME rrset with size > 1: " + rrset);
213 m.setStatus(SecurityStatus.INVALID);
218 CNAMERecord cname = (CNAMERecord) rrset.first();
219 sname = cname.getAlias();
224 // Otherwise, make sure that the RRset matches the qtype.
225 if ((qtype != Type.ANY) && (qtype != type)) {
226 log.debug("normalize: removing irrelevant rrset: " + rrset);
230 // Otherwise, fetch the additional names from the relevant rrset.
231 rrsetAdditionalNames(additional_names, rrset);
234 // Get additional names from AUTHORITY
235 rrset_list = m.getSectionList(Section.AUTHORITY);
237 for (SRRset rrset : rrset_list) {
238 rrsetAdditionalNames(additional_names, rrset);
241 // For each record in the additional section, remove it if it is an
242 // address record and not in the collection of additional names found in
243 // ANSWER and AUTHORITY.
244 rrset_list = m.getSectionList(Section.ADDITIONAL);
246 for (Iterator<SRRset> i = rrset_list.iterator(); i.hasNext();) {
247 SRRset rrset = i.next();
248 int type = rrset.getType();
250 if (((type == Type.A) || (type == Type.AAAA))
251 && !additional_names.contains(rrset.getName())) {
260 * Extract additional names from the records in an rrset.
262 * @param additional_names
263 * The set to add the additional names to, if any.
265 * The rrset to extract from.
267 private void rrsetAdditionalNames(Set<Name> additional_names, SRRset rrset) {
272 for (Iterator<Record> i = rrset.rrs(); i.hasNext();) {
274 Name add_name = r.getAdditionalName();
276 if (add_name != null) {
277 additional_names.add(add_name);
282 private SRRset findKeys(SMessage message) {
283 Name qname = message.getQName();
284 int qclass = message.getQClass();
286 return mTrustedKeys.find(qname, qclass);
290 * Check to see if a given response needs to go through the validation
291 * process. Typical reasons for this routine to return false are: CD bit was
292 * on in the original request, the response was already validated, or the
293 * response is a kind of message that is unvalidatable (i.e., SERVFAIL,
297 * The message to check.
299 * The original request received from the client.
301 * @return true if the response could use validation (although this does not
302 * mean we can actually validate this response).
304 private boolean needsValidation(SMessage message) {
305 int rcode = message.getRcode();
307 if ((rcode != Rcode.NOERROR) && (rcode != Rcode.NXDOMAIN)) {
308 log.debug("cannot validate non-answer.");
309 log.trace("non-answer: " + message);
314 if (!mTrustedKeys.isBelowTrustAnchor(message.getQName(), message
323 * Given a "positive" response -- a response that contains an answer to the
324 * question, and no CNAME chain, validate this response. This generally
325 * consists of verifying the answer RRset and the authority RRsets.
327 * Note that by the time this method is called, the process of finding the
328 * trusted DNSKEY rrset that signs this response must already have been
332 * The response to validate.
334 * The request that generated this response.
336 * The trusted DNSKEY rrset that matches the signer of the
339 private void validatePositiveResponse(SMessage message, SRRset key_rrset) {
340 Name qname = message.getQName();
341 int qtype = message.getQType();
343 SMessage m = message;
345 // validate the ANSWER section - this will be the answer itself
346 SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
349 boolean wcNSEC_ok = false;
350 boolean dname = false;
351 List<NSEC3Record> nsec3s = null;
353 for (int i = 0; i < rrsets.length; i++) {
354 // Skip the CNAME following a (validated) DNAME.
355 // Because of the normalization routines in NameserverClient, there
356 // will always be an unsigned CNAME following a DNAME (unless
358 if (dname && (rrsets[i].getType() == Type.CNAME)) {
364 // Verify the answer rrset.
365 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
367 // If the (answer) rrset failed to validate, then this message is
369 if (status != SecurityStatus.SECURE) {
370 mErrorList.add("Positive response has failed ANSWER rrset: " +
372 m.setStatus(SecurityStatus.BOGUS);
377 // Check to see if the rrset is the result of a wildcard expansion.
378 // If so, an additional check will need to be made in the authority
380 wc = ValUtils.rrsetWildcard(rrsets[i]);
381 // if the wildcard expansion equals the orig name, then we
382 // have the actual wildcard record and no actual wildcard
383 // expansion happened, so we shouldn't do the extra
385 if (wc.equals(rrsets[i].getName())) {
389 // Notice a DNAME that should be followed by an unsigned CNAME.
390 if ((qtype != Type.DNAME) && (rrsets[i].getType() == Type.DNAME)) {
395 // validate the AUTHORITY section as well - this will generally be the
396 // NS rrset (which could be missing, no problem)
397 rrsets = m.getSectionRRsets(Section.AUTHORITY);
399 for (int i = 0; i < rrsets.length; i++) {
400 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
402 // If anything in the authority section fails to be secure, we have
404 if (status != SecurityStatus.SECURE) {
405 mErrorList.add("Positive response has failed AUTHORITY rrset: " +
407 m.setStatus(SecurityStatus.BOGUS);
412 // If this is a positive wildcard response, and we have a (just
413 // verified) NSEC record, try to use it to 1) prove that qname
414 // doesn't exist and 2) that the correct wildcard was used.
415 if ((wc != null) && (rrsets[i].getType() == Type.NSEC)) {
416 NSECRecord nsec = (NSECRecord) rrsets[i].first();
418 if (ValUtils.nsecProvesNameError(nsec, qname, key_rrset
420 Name nsec_wc = ValUtils.nsecWildcard(qname, nsec);
422 if (!wc.equals(nsec_wc)) {
423 mErrorList.add("Positive wildcard response wasn't generated by the correct wildcard");
424 m.setStatus(SecurityStatus.BOGUS);
433 // Otherwise, if this is a positive wildcard response and we have
434 // NSEC3 records, collect them.
435 if ((wc != null) && (rrsets[i].getType() == Type.NSEC3)) {
436 if (nsec3s == null) {
437 nsec3s = new ArrayList<NSEC3Record>();
440 nsec3s.add((NSEC3Record) rrsets[i].first());
444 // If this was a positive wildcard response that we haven't already
445 // proven, and we have NSEC3 records, try to prove it using the NSEC3
447 if ((wc != null) && !wcNSEC_ok && (nsec3s != null)) {
448 if (NSEC3ValUtils.proveWildcard(nsec3s, qname, key_rrset.getName(),
454 // If after all this, we still haven't proven the positive wildcard
456 if ((wc != null) && !wcNSEC_ok) {
457 mErrorList.add("Positive response was wildcard expansion " +
458 "and did not prove original data did not exist.");
459 m.setStatus(SecurityStatus.BOGUS);
464 log.trace("Successfully validated positive response");
465 m.setStatus(SecurityStatus.SECURE);
468 private void validateReferral(SMessage message, SRRset key_rrset) {
469 SMessage m = message;
471 if (m.getCount(Section.ANSWER) > 0) {
472 m.setStatus(SecurityStatus.INVALID);
477 // validate the AUTHORITY section.
478 SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
480 boolean secure_delegation = false;
481 Name delegation = null;
482 Name nsec3zone = null;
483 NSECRecord nsec = null;
484 List<NSEC3Record> nsec3s = null;
486 // validate the AUTHORITY section as well - this will generally be the
487 // NS rrset, plus proof of a secure delegation or not
488 rrsets = m.getSectionRRsets(Section.AUTHORITY);
490 for (int i = 0; i < rrsets.length; i++) {
491 int type = rrsets[i].getType();
493 // The NS RRset won't be signed, but everything else should be.
494 if (type != Type.NS) {
495 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
497 // If anything in the authority section fails to be secure, we
500 if (status != SecurityStatus.SECURE) {
501 mErrorList.add("Positive response has failed AUTHORITY rrset: " +
503 m.setStatus(SecurityStatus.BOGUS);
511 secure_delegation = true;
516 delegation = rrsets[i].getName();
521 nsec = (NSECRecord) rrsets[i].first();
527 if (nsec3s == null) {
528 nsec3s = new ArrayList<NSEC3Record>();
531 NSEC3Record nsec3 = (NSEC3Record) rrsets[i].first();
533 nsec3zone = rrsets[i].getSignerName(); // this is a hack of
539 log.warn("Encountered unexpected type in a REFERRAL response: "
540 + Type.string(type));
546 // At this point, all validatable RRsets have been validated.
547 // Now to check to see if we have a valid combination of things.
548 if (delegation == null) {
549 // somehow we have a referral without an NS rrset.
550 mErrorList.add("Apparent referral does not contain NS RRset");
551 m.setStatus(SecurityStatus.BOGUS);
556 if (secure_delegation) {
557 if ((nsec != null) || ((nsec3s != null) && (nsec3s.size() > 0))) {
558 // we found both a DS rrset *and* NSEC/NSEC3 rrsets!
559 mErrorList.add("Referral contains both DS and NSEC/NSEC3 RRsets");
560 m.setStatus(SecurityStatus.BOGUS);
565 // otherwise, we are done.
566 m.setStatus(SecurityStatus.SECURE);
571 // Note: not going to care if both NSEC and NSEC3 rrsets were present.
573 byte status = ValUtils.nsecProvesNoDS(nsec, delegation);
575 if (status != SecurityStatus.SECURE) {
576 // The NSEC *must* prove that there was no DS record. The
577 // INSECURE state here is still bogus.
578 mErrorList.add("Referral does not contain a NSEC record proving no DS");
579 m.setStatus(SecurityStatus.BOGUS);
584 m.setStatus(SecurityStatus.SECURE);
589 if (nsec3s != null && nsec3s.size() > 0) {
590 byte status = NSEC3ValUtils.proveNoDS(nsec3s, delegation, nsec3zone, mErrorList);
592 if (status != SecurityStatus.SECURE) {
593 // the NSEC3 RRs MUST prove no DS, so the INDETERMINATE state is
595 mErrorList.add("Referral does not contain NSEC3 record(s) proving no DS");
596 m.setStatus(SecurityStatus.BOGUS);
601 m.setStatus(SecurityStatus.SECURE);
606 // failed to find proof either way.
607 mErrorList.add("Referral does not contain proof of no DS");
608 m.setStatus(SecurityStatus.BOGUS);
611 // FIXME: write CNAME validation code.
612 private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {}
615 * Given an "ANY" response -- a response that contains an answer to a
616 * qtype==ANY question, with answers. This consists of simply verifying all
617 * present answer/auth RRsets, with no checking that all types are present.
619 * NOTE: it may be possible to get parent-side delegation point records
620 * here, which won't all be signed. Right now, this routine relies on the
621 * upstream iterative resolver to not return these responses -- instead
622 * treating them as referrals.
624 * NOTE: RFC 4035 is silent on this issue, so this may change upon
627 * Note that by the time this method is called, the process of finding the
628 * trusted DNSKEY rrset that signs this response must already have been
632 * The response to validate.
634 * The trusted DNSKEY rrset that matches the signer of the
637 private void validateAnyResponse(SMessage message, SRRset key_rrset) {
638 int qtype = message.getQType();
640 if (qtype != Type.ANY) {
641 throw new IllegalArgumentException(
642 "ANY validation called on non-ANY response.");
645 SMessage m = message;
647 // validate the ANSWER section.
648 SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
650 for (int i = 0; i < rrsets.length; i++) {
651 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
653 // If the (answer) rrset failed to validate, then this message is
655 if (status != SecurityStatus.SECURE) {
656 mErrorList.add("Positive response has failed ANSWER rrset: " +
658 m.setStatus(SecurityStatus.BOGUS);
664 // validate the AUTHORITY section as well - this will be the NS rrset
665 // (which could be missing, no problem)
666 rrsets = m.getSectionRRsets(Section.AUTHORITY);
668 for (int i = 0; i < rrsets.length; i++) {
669 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
671 // If anything in the authority section fails to be secure, we have
673 if (status != SecurityStatus.SECURE) {
674 mErrorList.add("Positive response has failed AUTHORITY rrset: " +
676 m.setStatus(SecurityStatus.BOGUS);
682 log.trace("Successfully validated positive ANY response");
683 m.setStatus(SecurityStatus.SECURE);
687 * Validate a NOERROR/NODATA signed response -- a response that has a
688 * NOERROR Rcode but no ANSWER section RRsets. This consists of verifying
689 * the authority section rrsets and making certain that the authority
690 * section NSEC/NSEC3s proves that the qname does exist and the qtype
693 * Note that by the time this method is called, the process of finding the
694 * trusted DNSKEY rrset that signs this response must already have been
698 * The response to validate.
700 * The request that generated this response.
702 * The trusted DNSKEY rrset that signs this response.
704 private void validateNodataResponse(SMessage message, SRRset key_rrset, List<String> errorList) {
705 Name qname = message.getQName();
706 int qtype = message.getQType();
708 SMessage m = message;
710 // Since we are here, there must be nothing in the ANSWER section to
711 // validate. (Note: CNAME/DNAME responses will not directly get here --
712 // instead they are broken down into individual CNAME/DNAME/final answer
715 // validate the AUTHORITY section
716 SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
718 boolean hasValidNSEC = false; // If true, then the NODATA has been
721 Name ce = null; // for wildcard NODATA responses. This is the proven
724 NSECRecord wc = null; // for wildcard NODATA responses. This is the
727 List<NSEC3Record> nsec3s = null; // A collection of NSEC3 RRs found in
731 Name nsec3Signer = null; // The RRSIG signer field for the NSEC3 RRs.
733 for (int i = 0; i < rrsets.length; i++) {
734 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
736 if (status != SecurityStatus.SECURE) {
737 mErrorList.add("NODATA response has failed AUTHORITY rrset: " +
739 m.setStatus(SecurityStatus.BOGUS);
744 // If we encounter an NSEC record, try to use it to prove NODATA.
745 // This needs to handle the ENT NODATA case.
746 if (rrsets[i].getType() == Type.NSEC) {
747 NSECRecord nsec = (NSECRecord) rrsets[i].first();
749 if (ValUtils.nsecProvesNodata(nsec, qname, qtype)) {
752 if (nsec.getName().isWild()) {
755 } else if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i]
757 ce = ValUtils.closestEncloser(qname, nsec);
761 // Collect any NSEC3 records present.
762 if (rrsets[i].getType() == Type.NSEC3) {
763 if (nsec3s == null) {
764 nsec3s = new ArrayList<NSEC3Record>();
767 nsec3s.add((NSEC3Record) rrsets[i].first());
768 nsec3Signer = rrsets[i].getSignerName();
772 // check to see if we have a wildcard NODATA proof.
774 // The wildcard NODATA is 1 NSEC proving that qname does not exists (and
775 // also proving what the closest encloser is), and 1 NSEC showing the
776 // matching wildcard, which must be *.closest_encloser.
777 if ((ce != null) || (wc != null)) {
779 Name wc_name = new Name("*", ce);
781 if (!wc_name.equals(wc.getName())) {
782 hasValidNSEC = false;
784 } catch (TextParseException e) {
789 NSEC3ValUtils.stripUnknownAlgNSEC3s(nsec3s);
791 if (!hasValidNSEC && (nsec3s != null) && (nsec3s.size() > 0)) {
792 // try to prove NODATA with our NSEC3 record(s)
793 hasValidNSEC = NSEC3ValUtils.proveNodata(nsec3s, qname, qtype,
794 nsec3Signer, errorList);
798 log.debug("NODATA response failed to prove NODATA "
799 + "status with NSEC/NSEC3");
800 log.trace("Failed NODATA:\n" + m);
801 mErrorList.add("NODATA response failed to prove NODATA status with NSEC/NSEC3");
802 m.setStatus(SecurityStatus.BOGUS);
807 log.trace("successfully validated NODATA response.");
808 m.setStatus(SecurityStatus.SECURE);
812 * Validate a NAMEERROR signed response -- a response that has a NXDOMAIN
813 * Rcode. This consists of verifying the authority section rrsets and making
814 * certain that the authority section NSEC proves that the qname doesn't
815 * exist and the covering wildcard also doesn't exist..
817 * Note that by the time this method is called, the process of finding the
818 * trusted DNSKEY rrset that signs this response must already have been
822 * The response to validate.
824 * The request that generated this response.
826 * The trusted DNSKEY rrset that signs this response.
828 private void validateNameErrorResponse(SMessage message, SRRset key_rrset) {
829 Name qname = message.getQName();
831 SMessage m = message;
833 if (message.getCount(Section.ANSWER) > 0) {
835 "NameError response contained records in the ANSWER SECTION");
836 mErrorList.add("NameError response contained records in the ANSWER SECTION");
837 message.setStatus(SecurityStatus.INVALID);
842 // Validate the authority section -- all RRsets in the authority section
843 // must be signed and valid.
844 // In addition, the NSEC record(s) must prove the NXDOMAIN condition.
845 boolean hasValidNSEC = false;
846 boolean hasValidWCNSEC = false;
847 SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
848 List<NSEC3Record> nsec3s = null;
849 Name nsec3Signer = null;
851 for (int i = 0; i < rrsets.length; i++) {
852 int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
854 if (status != SecurityStatus.SECURE) {
855 mErrorList.add("NameError response has failed AUTHORITY rrset: " +
857 m.setStatus(SecurityStatus.BOGUS);
862 if (rrsets[i].getType() == Type.NSEC) {
863 NSECRecord nsec = (NSECRecord) rrsets[i].first();
865 if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i]
870 if (ValUtils.nsecProvesNoWC(nsec, qname, rrsets[i]
872 hasValidWCNSEC = true;
876 if (rrsets[i].getType() == Type.NSEC3) {
877 if (nsec3s == null) {
878 nsec3s = new ArrayList<NSEC3Record>();
881 nsec3s.add((NSEC3Record) rrsets[i].first());
882 nsec3Signer = rrsets[i].getSignerName();
886 NSEC3ValUtils.stripUnknownAlgNSEC3s(nsec3s);
888 if ((nsec3s != null) && (nsec3s.size() > 0)) {
889 log.debug("Validating nxdomain: using NSEC3 records");
891 // Attempt to prove name error with nsec3 records.
892 if (NSEC3ValUtils.allNSEC3sIgnoreable(nsec3s, key_rrset, mVerifier)) {
893 // log.debug("all NSEC3s were validated but ignored.");
894 m.setStatus(SecurityStatus.INSECURE);
899 hasValidNSEC = NSEC3ValUtils.proveNameError(nsec3s, qname,
900 nsec3Signer, mErrorList);
902 // Note that we assume that the NSEC3ValUtils proofs encompass the
903 // wildcard part of the proof.
904 hasValidWCNSEC = hasValidNSEC;
907 // If the message fails to prove either condition, it is bogus.
909 mErrorList.add("NameError response has failed to prove qname does not exist");
910 m.setStatus(SecurityStatus.BOGUS);
915 if (!hasValidWCNSEC) {
916 mErrorList.add("NameError response has failed to prove covering wildcard does not exist");
917 m.setStatus(SecurityStatus.BOGUS);
922 // Otherwise, we consider the message secure.
923 log.trace("successfully validated NAME ERROR response.");
924 m.setStatus(SecurityStatus.SECURE);
927 public byte validateMessage(SMessage message, Name zone) {
929 if (!zone.isAbsolute()) {
931 zone = Name.concatenate(zone, Name.root);
932 } catch (NameTooLongException e) {
935 return SecurityStatus.UNCHECKED;
939 // FIXME: it is unclear if we should actually normalize our responses
940 // Instead, maybe we should just fail if they are not normal?
941 message = normalize(message);
943 if (!needsValidation(message)) {
944 return SecurityStatus.UNCHECKED;
947 SRRset key_rrset = findKeys(message);
949 if (key_rrset == null) {
950 mErrorList.add("Failed to find matching DNSKEYs for the response");
951 return SecurityStatus.BOGUS;
954 ValUtils.ResponseType subtype = ValUtils.classifyResponse(message, zone);
955 log.debug("Response was classified as a " + subtype);
958 log.trace("Validating a positive response");
959 validatePositiveResponse(message, key_rrset);
964 validateReferral(message, key_rrset);
969 log.trace("Validating a NODATA response");
970 validateNodataResponse(message, key_rrset, mErrorList);
975 log.trace("Validating a NXDOMAIN response");
976 validateNameErrorResponse(message, key_rrset);
981 log.trace("Validating a CNAME response");
982 validateCNAMEResponse(message, key_rrset);
987 log.trace("Validating a positive ANY response");
988 validateAnyResponse(message, key_rrset);
993 log.error("unhandled response subtype: " + subtype);
996 return message.getSecurityStatus().getStatus();
999 public byte validateMessage(Message message, String zone)
1000 throws TextParseException {
1001 SMessage sm = new SMessage(message);
1002 Name z = Name.fromString(zone);
1004 return validateMessage(sm, z);
1007 public byte validateMessage(byte[] messagebytes, String zone)
1008 throws IOException {
1009 Message message = new Message(messagebytes);
1010 return validateMessage(message, zone);
1013 public byte validateMessage(String b64messagebytes, String zone)
1014 throws IOException {
1015 byte[] messagebytes = base64.fromString(b64messagebytes);
1016 return validateMessage(messagebytes, zone);
1019 public List<String> listTrustedKeys() {
1020 return mTrustedKeys.listTrustAnchors();
1023 public List<String> getErrorList() {