This is basically undoing damage caused by Eclipse's built-in formatting.
public class DNSSECValTool {
/**
- * Invoke with java -jar dnssecreconciler.jar server=127.0.0.1 \
- * query_file=queries.txt dnskey_query=net dnskey_query=edu
+ * Invoke with java -jar dnssecvaltool.jar server=127.0.0.1 \
+ * query_file=queries.txt dnskey_query=net dnskey_query=edu
*/
private CaptiveValidator validator;
- private SimpleResolver resolver;
+ private SimpleResolver resolver;
private BufferedReader queryStream;
- private PrintStream errorStream;
- private Set<Name> zoneNames;
+ private PrintStream errorStream;
+ private Set<Name> zoneNames;
// Options
- public String server;
- public String query;
- public String queryFile;
- public String dnskeyFile;
+ public String server;
+ public String query;
+ public String queryFile;
+ public String dnskeyFile;
public List<String> dnskeyNames;
- public String errorFile;
- public long count = 0;
- public boolean debug = false;
+ public String errorFile;
+ public long count = 0;
+ public boolean debug = false;
DNSSECValTool() {
validator = new CaptiveValidator();
/**
* Convert a query line of the form: <qname> <qtype> <flags> to a request
* message.
- *
+ *
* @param query_line
* @return A query message
* @throws TextParseException
* @throws NameTooLongException
*/
private Message queryFromString(String query_line)
- throws TextParseException, NameTooLongException {
+ throws TextParseException, NameTooLongException {
String[] tokens = query_line.split("[ \t]+");
- Name qname = null;
- int qtype = -1;
- int qclass = -1;
+ Name qname = null;
+ int qtype = -1;
+ int qclass = -1;
- if (tokens.length < 1)
+ if (tokens.length < 1) {
return null;
+ }
qname = Name.fromString(tokens[0]);
if (!qname.isAbsolute()) {
qname = Name.concatenate(qname, Name.root);
}
/**
- * Fetch the next query from either the command line or the query file
- *
+ * Fetch the next query from either the command line or the query
+ * file
+ *
* @return a query Message, or null if the query list is exhausted
* @throws IOException
*/
if (queryStream != null) {
String line = queryStream.readLine();
- if (line == null)
+ if (line == null) {
return null;
-
+ }
return queryFromString(line);
}
return null;
-
}
/**
* Figure out the correct zone from the query by comparing the qname to the
* list of trusted DNSKEY owner names.
- *
+ *
* @param query
* @return a zone name
* @throws IOException
}
private Message resolve(Message query) {
-
try {
return resolver.send(query);
} catch (SocketTimeoutException e) {
- System.err.println("Error: timed out querying " + server + " for "
- + queryToString(query));
+ System.err.println("Error: timed out querying " + server + " for " +
+ queryToString(query));
} catch (IOException e) {
- System.err.println("Error: error querying " + server + " for "
- + queryToString(query) + ":" + e.getMessage());
+ System.err.println("Error: error querying " + server + " for " +
+ queryToString(query) + ":" + e.getMessage());
}
return null;
}
private String queryToString(Message query) {
- if (query == null)
+ if (query == null) {
return null;
+ }
Record question = query.getQuestion();
- return question.getName() + "/" + Type.string(question.getType()) + "/"
- + DClass.string(question.getDClass());
+ return question.getName() + "/" + Type.string(question.getType()) + "/" +
+ DClass.string(question.getDClass());
}
public void execute() throws IOException {
validator.addTrustedKeysFromFile(dnskeyFile);
} else {
for (String name : dnskeyNames) {
- Message query = queryFromString(name + " DNSKEY");
+ Message query = queryFromString(name + " DNSKEY");
Message response = resolve(query);
validator.addTrustedKeysFromResponse(response);
}
}
// Iterate over all queries
- Message query = nextQuery();
- long total = 0;
- long validCount = 0;
- long errorCount = 0;
+ Message query = nextQuery();
+ long total = 0;
+ long validCount = 0;
+ long errorCount = 0;
while (query != null) {
}
if (++total % 1000 == 0) {
- System.out.println("Completed " + total + " queries: "
- + validCount + " valid, " + errorCount + " errors.");
+ System.out.println("Completed " + total + " queries: " +
+ validCount + " valid, " + errorCount + " errors.");
}
-
+
if (count > 0 && total >= count) {
- if (debug) System.out.println("DEBUG: reached maximum number of queries, exiting");
+ if (debug) {
+ System.out.println("DEBUG: reached maximum number of queries, exiting");
+ }
break;
}
-
+
query = nextQuery();
}
- System.out.println("Completed " + total
- + (total > 1 ? " queries" : " query") +
- ": " + validCount + " valid, " + errorCount + " errors.");
+ System.out.println("Completed " + total + (total > 1 ? " queries" : " query") +
+ ": " + validCount + " valid, " + errorCount + " errors.");
}
private static void usage() {
}
String[] split_arg = arg.split("=", 2);
- String opt = split_arg[0];
- String optarg = split_arg[1];
+ String opt = split_arg[0];
+ String optarg = split_arg[1];
if (opt.equals("server")) {
dr.server = optarg;
import java.util.*;
/**
- * This resolver module implements a "captive" DNSSEC validator. The captive
- * validator does not have direct access to the Internet and DNS system --
- * instead it attempts to validate DNS messages using only configured context.
- * This is useful for determining if responses coming from a given authoritative
- * server will validate independent of the normal chain of trust.
+ * This resolver module implements a "captive" DNSSEC validator. The
+ * captive validator does not have direct access to the Internet and
+ * DNS system -- instead it attempts to validate DNS messages using
+ * only configured context. This is useful for determining if
+ * responses coming from a given authoritative server will validate
+ * independent of the normal chain of trust.
*/
public class CaptiveValidator {
// A data structure holding all all of our trusted keys.
private DnsSecVerifier mVerifier;
private Logger log = Logger.getLogger(this.getClass());
- private List<String> mErrorList;
+ // The list of validation errors found.
+ private List<String> mErrorList;
public CaptiveValidator() {
- mVerifier = new DnsSecVerifier();
- mValUtils = new ValUtils(mVerifier);
- mTrustedKeys = new TrustAnchorStore();
- mErrorList = new ArrayList<String>();
+ mVerifier = new DnsSecVerifier();
+ mValUtils = new ValUtils(mVerifier);
+ mTrustedKeys = new TrustAnchorStore();
+ mErrorList = new ArrayList<String>();
}
// ---------------- Module Initialization -------------------
/**
- * Add a set of trusted keys from a file. The file should be in DNS master
- * zone file format. Only DNSKEY records will be added.
- *
+ * Add a set of trusted keys from a file. The file should be in
+ * DNS master zone file format. Only DNSKEY records will be added.
+ *
* @param filename
* The file contains the trusted keys.
* @throws IOException
@SuppressWarnings("unchecked")
public void addTrustedKeysFromFile(String filename) throws IOException {
// First read in the whole trust anchor file.
- Master master = new Master(filename, Name.root, 0);
+ Master master = new Master(filename, Name.root, 0);
ArrayList<Record> records = new ArrayList<Record>();
- Record r = null;
+ Record r = null;
while ((r = master.nextRecord()) != null) {
records.add(r);
}
- // Record.compareTo() should sort them into DNSSEC canonical order.
- // Don't care about canonical order per se, but do want them to be
- // formable into RRsets.
+ // Record.compareTo() should sort them into DNSSEC canonical
+ // order. Don't care about canonical order per se, but do
+ // want them to be formable into RRsets.
Collections.sort(records);
SRRset cur_rrset = new SRRset();
for (Record rec : records) {
- // Skip RR types that cannot be used as trusted keys. I.e.,
- // everything not a key :)
+ // Skip RR types that cannot be used as trusted
+ // keys. I.e., everything not a key :)
if (rec.getType() != Type.DNSKEY) {
continue;
}
continue;
}
- // If this record matches our current RRset, we can just add it.
- if (cur_rrset.getName().equals(rec.getName())
- && (cur_rrset.getType() == rec.getType())
- && (cur_rrset.getDClass() == rec.getDClass())) {
- cur_rrset.addRR(rec);
+ // If this record matches our current RRset, we can just
+ // add it.
+ if (cur_rrset.getName().equals(rec.getName()) &&
+ (cur_rrset.getType() == rec.getType()) && (cur_rrset.getDClass() == rec.getDClass())) {
+ cur_rrset.addRR(rec);
continue;
}
// ----------------- Validation Support ----------------------
/**
- * This routine normalizes a response. This includes removing "irrelevant"
- * records from the answer and additional sections and (re)synthesizing
- * CNAMEs from DNAMEs, if present.
- *
+ * This routine normalizes a response. This includes removing
+ * "irrelevant" records from the answer and additional sections
+ * and (re)synthesizing CNAMEs from DNAMEs, if present.
+ *
* @param response
*/
private SMessage normalize(SMessage m) {
}
Name qname = m.getQuestion().getName();
- int qtype = m.getQuestion().getType();
+ int qtype = m.getQuestion().getType();
Name sname = qname;
for (ListIterator<SRRset> i = rrset_list.listIterator(); i.hasNext();) {
SRRset rrset = i.next();
- int type = rrset.getType();
- Name n = rrset.getName();
+ int type = rrset.getType();
+ Name n = rrset.getName();
- // Handle DNAME synthesis; DNAME synthesis does not occur at the
- // DNAME name itself.
+ // Handle DNAME synthesis; DNAME synthesis does not occur
+ // at the DNAME name itself.
if ((type == Type.DNAME) && ValUtils.strictSubdomain(sname, n)) {
if (rrset.size() > 1) {
log.debug("Found DNAME rrset with size > 1: " + rrset);
Name cname_alias = sname.fromDNAME(dname);
// Note that synthesized CNAMEs should have a TTL of zero.
- CNAMERecord cname = new CNAMERecord(sname, dname
- .getDClass(), 0, cname_alias);
+ CNAMERecord cname = new CNAMERecord(sname, dname.getDClass(), 0, cname_alias);
SRRset cname_rrset = new SRRset();
cname_rrset.addRR(cname);
i.add(cname_rrset);
sname = cname_alias;
} catch (NameTooLongException e) {
- log.debug("not adding synthesized CNAME -- "
- + "generated name is too long", e);
+ log.debug("not adding synthesized CNAME -- " +
+ "generated name is too long", e);
}
continue;
for (Iterator<SRRset> i = rrset_list.iterator(); i.hasNext();) {
SRRset rrset = i.next();
- int type = rrset.getType();
+ int type = rrset.getType();
+
+ if (((type == Type.A) || (type == Type.AAAA)) &&
+ !additional_names.contains(rrset.getName())) {
- if (((type == Type.A) || (type == Type.AAAA))
- && !additional_names.contains(rrset.getName())) {
i.remove();
}
}
/**
* Extract additional names from the records in an rrset.
- *
+ *
* @param additional_names
* The set to add the additional names to, if any.
* @param rrset
}
for (Iterator<Record> i = rrset.rrs(); i.hasNext();) {
- Record r = i.next();
- Name add_name = r.getAdditionalName();
+ Record r = i.next();
+ Name add_name = r.getAdditionalName();
if (add_name != null) {
additional_names.add(add_name);
}
/**
- * Check to see if a given response needs to go through the validation
- * process. Typical reasons for this routine to return false are: CD bit was
- * on in the original request, the response was already validated, or the
- * response is a kind of message that is unvalidatable (i.e., SERVFAIL,
- * REFUSED, etc.)
- *
+ * Check to see if a given response needs to go through the
+ * validation process. Typical reasons for this routine to return
+ * false are: CD bit was on in the original request, the response
+ * was already validated, or the response is a kind of message
+ * that is unvalidatable (i.e., SERVFAIL, REFUSED, etc.)
+ *
* @param message
* The message to check.
* @param origRequest
* The original request received from the client.
- *
+ *
* @return true if the response could use validation (although this does not
* mean we can actually validate this response).
*/
return false;
}
- if (!mTrustedKeys.isBelowTrustAnchor(message.getQName(), message
- .getQClass())) {
+ if (!mTrustedKeys.isBelowTrustAnchor(message.getQName(), message.getQClass())) {
return false;
}
}
/**
- * Given a "positive" response -- a response that contains an answer to the
- * question, and no CNAME chain, validate this response. This generally
- * consists of verifying the answer RRset and the authority RRsets.
- *
- * Note that by the time this method is called, the process of finding the
- * trusted DNSKEY rrset that signs this response must already have been
- * completed.
- *
+ * Given a "positive" response -- a response that contains an
+ * answer to the question, and no CNAME chain, validate this
+ * response. This generally consists of verifying the answer RRset
+ * and the authority RRsets.
+ *
+ * Note that by the time this method is called, the process of
+ * finding the trusted DNSKEY rrset that signs this response must
+ * already have been completed.
+ *
* @param response
* The response to validate.
* @param request
*/
private void validatePositiveResponse(SMessage message, SRRset key_rrset) {
Name qname = message.getQName();
- int qtype = message.getQType();
+ int qtype = message.getQType();
SMessage m = message;
// validate the ANSWER section - this will be the answer itself
SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
- Name wc = null;
- boolean wcNSEC_ok = false;
- boolean dname = false;
- List<NSEC3Record> nsec3s = null;
+ Name wc = null;
+ boolean wcNSEC_ok = false;
+ boolean dname = false;
+ List<NSEC3Record> nsec3s = null;
for (int i = 0; i < rrsets.length; i++) {
// Skip the CNAME following a (validated) DNAME.
// qtype=DNAME).
if (dname && (rrsets[i].getType() == Type.CNAME)) {
dname = false;
-
continue;
}
// Verify the answer rrset.
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
- // If the (answer) rrset failed to validate, then this message is
- // BAD.
+ // If the (answer) rrset failed to validate, then this
+ // message is bogus.
if (status != SecurityStatus.SECURE) {
mErrorList.add("Positive response has failed ANSWER rrset: " +
- rrsets[i]);
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
}
}
- // validate the AUTHORITY section as well - this will generally be the
- // NS rrset (which could be missing, no problem)
+ // validate the AUTHORITY section as well - this will
+ // generally be the NS rrset (which could be missing, no
+ // problem)
rrsets = m.getSectionRRsets(Section.AUTHORITY);
for (int i = 0; i < rrsets.length; i++) {
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
- // If anything in the authority section fails to be secure, we have
- // a bad message.
+ // If anything in the authority section fails to be
+ // secure, we have a bad message.
if (status != SecurityStatus.SECURE) {
mErrorList.add("Positive response has failed AUTHORITY rrset: " +
- rrsets[i]);
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
}
- // If this is a positive wildcard response, and we have a (just
- // verified) NSEC record, try to use it to 1) prove that qname
- // doesn't exist and 2) that the correct wildcard was used.
+ // If this is a positive wildcard response, and we have a
+ // (just verified) NSEC record, try to use it to 1) prove
+ // that qname doesn't exist and 2) that the correct
+ // wildcard was used.
if ((wc != null) && (rrsets[i].getType() == Type.NSEC)) {
NSECRecord nsec = (NSECRecord) rrsets[i].first();
- if (ValUtils.nsecProvesNameError(nsec, qname, key_rrset
- .getName())) {
+ if (ValUtils.nsecProvesNameError(nsec, qname, key_rrset.getName())) {
Name nsec_wc = ValUtils.nsecWildcard(qname, nsec);
if (!wc.equals(nsec_wc)) {
}
}
- // If this was a positive wildcard response that we haven't already
- // proven, and we have NSEC3 records, try to prove it using the NSEC3
- // records.
+ // If this was a positive wildcard response that we haven't
+ // already proven, and we have NSEC3 records, try to prove it
+ // using the NSEC3 records.
if ((wc != null) && !wcNSEC_ok && (nsec3s != null)) {
if (NSEC3ValUtils.proveWildcard(nsec3s, qname, key_rrset.getName(),
- wc, mErrorList)) {
+ wc, mErrorList)) {
wcNSEC_ok = true;
}
}
- // If after all this, we still haven't proven the positive wildcard
- // response, fail.
+ // If after all this, we still haven't proven the positive
+ // wildcard response, fail.
if ((wc != null) && !wcNSEC_ok) {
- // log.debug("positive response was wildcard expansion and "
- // + "did not prove original data did not exist");
+ // log.debug("positive response was wildcard expansion and " +
+ // "did not prove original data did not exist");
m.setStatus(SecurityStatus.BOGUS);
return;
m.setStatus(SecurityStatus.SECURE);
}
+ /** Given a "referral" type response (RCODE=NOERROR, ANSWER=0,
+ * AUTH=NS records under the zone we thought we were talking to,
+ * etc.), validate it. This consists of validating the DS or
+ * NSEC/NSEC3 RRsets and noting that the response does indeed look
+ * like a referral.
+ *
+ *
+ */
private void validateReferral(SMessage message, SRRset key_rrset) {
SMessage m = message;
// validate the AUTHORITY section.
SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
- boolean secure_delegation = false;
- Name delegation = null;
- Name nsec3zone = null;
- NSECRecord nsec = null;
- List<NSEC3Record> nsec3s = null;
+ boolean secure_delegation = false;
+ Name delegation = null;
+ Name nsec3zone = null;
+ NSECRecord nsec = null;
+ List<NSEC3Record> nsec3s = null;
// validate the AUTHORITY section as well - this will generally be the
// NS rrset, plus proof of a secure delegation or not
for (int i = 0; i < rrsets.length; i++) {
int type = rrsets[i].getType();
- // The NS RRset won't be signed, but everything else should be.
+ // The NS RRset won't be signed, but everything else
+ // should be. FIXME: if we have an unexpected type here
+ // with a bad signature, we will fail when we otherwise
+ // might just have warned about the odd record. Consider
+ // checking the types first, then validating.
if (type != Type.NS) {
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
- // If anything in the authority section fails to be secure, we
- // have
- // a bad message.
+ // If anything in the authority section fails to be
+ // secure, we have a bad message.
if (status != SecurityStatus.SECURE) {
- mErrorList.add("Positive response has failed AUTHORITY rrset: " +
+ mErrorList.add("Referral response has failed AUTHORITY rrset: " +
rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
switch (type) {
case Type.DS:
secure_delegation = true;
-
break;
case Type.NS:
delegation = rrsets[i].getName();
-
break;
case Type.NSEC:
nsec = (NSECRecord) rrsets[i].first();
-
break;
case Type.NSEC3:
-
if (nsec3s == null) {
nsec3s = new ArrayList<NSEC3Record>();
}
NSEC3Record nsec3 = (NSEC3Record) rrsets[i].first();
nsec3s.add(nsec3);
- nsec3zone = rrsets[i].getSignerName(); // this is a hack of
- // sorts.
+ // this is a hack, really.
+ nsec3zone = rrsets[i].getSignerName();
break;
}
// At this point, all validatable RRsets have been validated.
- // Now to check to see if we have a valid combination of things.
+ // Now to check to see if we have a valid combination of
+ // things.
if (delegation == null) {
// somehow we have a referral without an NS rrset.
mErrorList.add("Apparent referral does not contain NS RRset");
byte status = ValUtils.nsecProvesNoDS(nsec, delegation);
if (status != SecurityStatus.SECURE) {
- // The NSEC *must* prove that there was no DS record. The
- // INSECURE state here is still bogus.
+ // The NSEC *must* prove that there was no DS
+ // record. The INSECURE state here is still bogus.
mErrorList.add("Referral does not contain a NSEC record proving no DS");
m.setStatus(SecurityStatus.BOGUS);
private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {}
/**
- * Given an "ANY" response -- a response that contains an answer to a
- * qtype==ANY question, with answers. This consists of simply verifying all
- * present answer/auth RRsets, with no checking that all types are present.
- *
- * NOTE: it may be possible to get parent-side delegation point records
- * here, which won't all be signed. Right now, this routine relies on the
- * upstream iterative resolver to not return these responses -- instead
- * treating them as referrals.
- *
+ * Given an "ANY" response -- a response that contains an answer
+ * to a qtype==ANY question, with answers. This consists of simply
+ * verifying all present answer/auth RRsets, with no checking that
+ * all types are present.
+ *
+ * NOTE: it may be possible to get parent-side delegation point
+ * records here, which won't all be signed. Right now, this
+ * routine relies on the upstream iterative resolver to not return
+ * these responses -- instead treating them as referrals.
+ *
* NOTE: RFC 4035 is silent on this issue, so this may change upon
* clarification.
- *
- * Note that by the time this method is called, the process of finding the
- * trusted DNSKEY rrset that signs this response must already have been
- * completed.
- *
+ *
+ * Note that by the time this method is called, the process of
+ * finding the trusted DNSKEY rrset that signs this response must
+ * already have been completed.
+ *
* @param message
* The response to validate.
* @param key_rrset
int qtype = message.getQType();
if (qtype != Type.ANY) {
- throw new IllegalArgumentException(
- "ANY validation called on non-ANY response.");
+ throw new IllegalArgumentException("ANY validation called on non-ANY response.");
}
SMessage m = message;
// BAD.
if (status != SecurityStatus.SECURE) {
mErrorList.add("Positive response has failed ANSWER rrset: " +
- rrsets[i]);
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
// a bad message.
if (status != SecurityStatus.SECURE) {
mErrorList.add("Positive response has failed AUTHORITY rrset: " +
- rrsets[i]);
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
}
/**
- * Validate a NOERROR/NODATA signed response -- a response that has a
- * NOERROR Rcode but no ANSWER section RRsets. This consists of verifying
- * the authority section rrsets and making certain that the authority
- * section NSEC/NSEC3s proves that the qname does exist and the qtype
- * doesn't.
- *
- * Note that by the time this method is called, the process of finding the
- * trusted DNSKEY rrset that signs this response must already have been
- * completed.
- *
+ * Validate a NOERROR/NODATA signed response -- a response that
+ * has a NOERROR Rcode but no ANSWER section RRsets. This consists
+ * of verifying the authority section rrsets and making certain
+ * that the authority section NSEC/NSEC3s proves that the qname
+ * does exist and the qtype doesn't.
+ *
+ * Note that by the time this method is called, the process of
+ * finding the trusted DNSKEY rrset that signs this response must
+ * already have been completed.
+ *
* @param response
* The response to validate.
* @param request
* @param key_rrset
* The trusted DNSKEY rrset that signs this response.
*/
- private void validateNodataResponse(SMessage message, SRRset key_rrset, List<String> errorList) {
- Name qname = message.getQName();
- int qtype = message.getQType();
+ private void validateNodataResponse(SMessage message,
+ SRRset key_rrset,
+ List<String> errorList) {
+ Name qname = message.getQName();
+ int qtype = message.getQType();
SMessage m = message;
- // Since we are here, there must be nothing in the ANSWER section to
- // validate. (Note: CNAME/DNAME responses will not directly get here --
- // instead they are broken down into individual CNAME/DNAME/final answer
- // responses.)
+ // Since we are here, there must be nothing in the ANSWER
+ // section to validate.
// validate the AUTHORITY section
SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
- boolean hasValidNSEC = false; // If true, then the NODATA has been
- // proven.
+ // If true, then the NODATA has been proven.
+ boolean hasValidNSEC = false;
- Name ce = null; // for wildcard NODATA responses. This is the proven
- // closest encloser.
+ // for wildcard NODATA responses. This is the proven closest
+ // encloser.
+ Name ce = null;
- NSECRecord wc = null; // for wildcard NODATA responses. This is the
- // wildcard NSEC.
+ // for wildcard NODATA responses. This is the wildcard NSEC.
+ NSECRecord wc = null;
- List<NSEC3Record> nsec3s = null; // A collection of NSEC3 RRs found in
- // the authority
- // section.
+ // A collection of NSEC3 RRs found in the authority section.
+ List<NSEC3Record> nsec3s = null;
- Name nsec3Signer = null; // The RRSIG signer field for the NSEC3 RRs.
+ // The RRSIG signer field for the NSEC3 RRs.
+ Name nsec3Signer = null;
for (int i = 0; i < rrsets.length; i++) {
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
if (status != SecurityStatus.SECURE) {
mErrorList.add("NODATA response has failed AUTHORITY rrset: " +
- rrsets[i]);
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
if (nsec.getName().isWild()) {
wc = nsec;
}
- } else if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i]
- .getSignerName())) {
+ } else if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i].getSignerName())) {
ce = ValUtils.closestEncloser(qname, nsec);
}
}
// check to see if we have a wildcard NODATA proof.
- // The wildcard NODATA is 1 NSEC proving that qname does not exists (and
- // also proving what the closest encloser is), and 1 NSEC showing the
- // matching wildcard, which must be *.closest_encloser.
+ // The wildcard NODATA is 1 NSEC proving that qname does not
+ // exists (and also proving what the closest encloser is), and
+ // 1 NSEC showing the matching wildcard, which must be
+ // *.closest_encloser.
if ((ce != null) || (wc != null)) {
try {
Name wc_name = new Name("*", ce);
if (!hasValidNSEC && (nsec3s != null) && (nsec3s.size() > 0)) {
// try to prove NODATA with our NSEC3 record(s)
hasValidNSEC = NSEC3ValUtils.proveNodata(nsec3s, qname, qtype,
- nsec3Signer, errorList);
+ nsec3Signer, errorList);
}
if (!hasValidNSEC) {
- log.debug("NODATA response failed to prove NODATA "
- + "status with NSEC/NSEC3");
+ log.debug("NODATA response failed to prove NODATA " +
+ "status with NSEC/NSEC3");
log.trace("Failed NODATA:\n" + m);
mErrorList.add("NODATA response failed to prove NODATA status with NSEC/NSEC3");
m.setStatus(SecurityStatus.BOGUS);
}
/**
- * Validate a NAMEERROR signed response -- a response that has a NXDOMAIN
- * Rcode. This consists of verifying the authority section rrsets and making
- * certain that the authority section NSEC proves that the qname doesn't
- * exist and the covering wildcard also doesn't exist..
- *
- * Note that by the time this method is called, the process of finding the
- * trusted DNSKEY rrset that signs this response must already have been
- * completed.
- *
+ * Validate a NAMEERROR signed response -- a response that has a
+ * NXDOMAIN Rcode. This consists of verifying the authority
+ * section rrsets and making certain that the authority section
+ * NSEC proves that the qname doesn't exist and the covering
+ * wildcard also doesn't exist..
+ *
+ * Note that by the time this method is called, the process of
+ * finding the trusted DNSKEY rrset that signs this response must
+ * already have been completed.
+ *
* @param response
* The response to validate.
* @param request
SMessage m = message;
if (message.getCount(Section.ANSWER) > 0) {
- log.warn(
- "NameError response contained records in the ANSWER SECTION");
+ log.warn("NameError response contained records in the ANSWER SECTION");
mErrorList.add("NameError response contained records in the ANSWER SECTION");
message.setStatus(SecurityStatus.INVALID);
// Validate the authority section -- all RRsets in the authority section
// must be signed and valid.
// In addition, the NSEC record(s) must prove the NXDOMAIN condition.
- boolean hasValidNSEC = false;
- boolean hasValidWCNSEC = false;
- SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
- List<NSEC3Record> nsec3s = null;
- Name nsec3Signer = null;
+ boolean hasValidNSEC = false;
+ boolean hasValidWCNSEC = false;
+ SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
+ List<NSEC3Record> nsec3s = null;
+ Name nsec3Signer = null;
for (int i = 0; i < rrsets.length; i++) {
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
if (status != SecurityStatus.SECURE) {
mErrorList.add("NameError response has failed AUTHORITY rrset: " +
- rrsets[i]);
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
if (rrsets[i].getType() == Type.NSEC) {
NSECRecord nsec = (NSECRecord) rrsets[i].first();
- if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i]
- .getSignerName())) {
+ if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i].getSignerName())) {
hasValidNSEC = true;
}
- if (ValUtils.nsecProvesNoWC(nsec, qname, rrsets[i]
- .getSignerName())) {
+ if (ValUtils.nsecProvesNoWC(nsec, qname, rrsets[i].getSignerName())) {
hasValidWCNSEC = true;
}
}
return;
}
- hasValidNSEC = NSEC3ValUtils.proveNameError(nsec3s, qname,
- nsec3Signer, mErrorList);
+ hasValidNSEC = NSEC3ValUtils.proveNameError(nsec3s, qname, nsec3Signer, mErrorList);
- // Note that we assume that the NSEC3ValUtils proofs encompass the
- // wildcard part of the proof.
+ // Note that we assume that the NSEC3ValUtils proofs
+ // encompass the wildcard part of the proof.
hasValidWCNSEC = hasValidNSEC;
}
}
}
- // FIXME: it is unclear if we should actually normalize our responses
- // Instead, maybe we should just fail if they are not normal?
+ // FIXME: it is unclear if we should actually normalize our
+ // responses Instead, maybe we should just fail if they are
+ // not normal?
message = normalize(message);
if (!needsValidation(message)) {
case POSITIVE:
log.trace("Validating a positive response");
validatePositiveResponse(message, key_rrset);
-
break;
case REFERRAL:
validateReferral(message, key_rrset);
-
break;
case NODATA:
log.trace("Validating a NODATA response");
validateNodataResponse(message, key_rrset, mErrorList);
-
break;
case NAMEERROR:
log.trace("Validating a NXDOMAIN response");
validateNameErrorResponse(message, key_rrset);
-
break;
case CNAME:
log.trace("Validating a CNAME response");
validateCNAMEResponse(message, key_rrset);
-
break;
case ANY:
log.trace("Validating a positive ANY response");
validateAnyResponse(message, key_rrset);
-
break;
default:
}
public byte validateMessage(Message message, String zone)
- throws TextParseException {
+ throws TextParseException {
SMessage sm = new SMessage(message);
- Name z = Name.fromString(zone);
+ Name z = Name.fromString(zone);
return validateMessage(sm, z);
}
public byte validateMessage(byte[] messagebytes, String zone)
- throws IOException {
+ throws IOException {
Message message = new Message(messagebytes);
return validateMessage(message, zone);
}
public byte validateMessage(String b64messagebytes, String zone)
- throws IOException {
+ throws IOException {
byte[] messagebytes = base64.fromString(b64messagebytes);
return validateMessage(messagebytes, zone);
}
import java.util.*;
/**
- * A class for performing basic DNSSEC verification. The DNSJAVA package
- * contains a similar class. This is a re-implementation that allows us to have
- * finer control over the validation process.
+ * A class for performing basic DNSSEC verification. The DNSJAVA
+ * package contains a similar class. This is a re-implementation that
+ * allows us to have finer control over the validation process.
*/
public class DnsSecVerifier {
public static final int UNKNOWN = 0;
- public static final int RSA = 1;
- public static final int DSA = 2;
+ public static final int RSA = 1;
+ public static final int DSA = 2;
private Logger log = Logger.getLogger(this.getClass());
/**
private HashMap<Integer, AlgEntry> mAlgorithmMap;
/**
- * This is a mapping of DNSSEC private (DNS name) identifiers to JCA
- * algorithm identifiers.
+ * This is a mapping of DNSSEC private (DNS name) identifiers to
+ * JCA algorithm identifiers.
*/
private HashMap<Name, AlgEntry> mPrivateAlgorithmMap;
// For now, we just accept new identifiers for existing algorithms.
// FIXME: handle private identifiers.
- List<Util.ConfigEntry> aliases = Util.parseConfigPrefix(config,
- "dns.algorithm.");
+ List<Util.ConfigEntry> aliases = Util.parseConfigPrefix(config, "dns.algorithm.");
for (Util.ConfigEntry entry : aliases) {
Integer alg_alias = Integer.valueOf(Util.parseInt(entry.key, -1));
- Integer alg_orig = Integer.valueOf(Util.parseInt(entry.value, -1));
+ Integer alg_orig = Integer.valueOf(Util.parseInt(entry.value, -1));
if (!mAlgorithmMap.containsKey(alg_orig)) {
- log.warn("Unable to alias " + alg_alias
- + " to unknown algorithm " + alg_orig);
-
+ log.warn("Unable to alias " + alg_alias + " to unknown algorithm " + alg_orig);
continue;
}
if (mAlgorithmMap.containsKey(alg_alias)) {
- log.warn("Algorithm alias " + alg_alias
- + " is already defined and cannot be redefined");
-
+ log.warn("Algorithm alias " + alg_alias + " is already defined and cannot be redefined");
continue;
}
log.warn("DNSSEC alg " + alg + " has a null entry!");
} else {
log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName
- + " (" + entry.dnssecAlg + ")");
+ + " (" + entry.dnssecAlg + ")");
}
}
}
/**
- * Find the matching DNSKEY(s) to an RRSIG within a DNSKEY rrset. Normally
- * this will only return one DNSKEY. It can return more than one, since
- * KeyID/Footprints are not guaranteed to be unique.
- *
+ * Find the matching DNSKEY(s) to an RRSIG within a DNSKEY
+ * rrset. Normally this will only return one DNSKEY. It can return
+ * more than one, since KeyID/Footprints are not guaranteed to be
+ * unique.
+ *
* @param dnskey_rrset
* The DNSKEY rrset to search.
* @param signature
private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature) {
if (!signature.getSigner().equals(dnskey_rrset.getName())) {
log.trace("findKey: could not find appropriate key because "
- + "incorrect keyset was supplied. Wanted: "
- + signature.getSigner() + ", got: "
- + dnskey_rrset.getName());
+ + "incorrect keyset was supplied. Wanted: "
+ + signature.getSigner() + ", got: "
+ + dnskey_rrset.getName());
return null;
}
int keyid = signature.getFootprint();
- int alg = signature.getAlgorithm();
+ int alg = signature.getAlgorithm();
- List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset
- .size());
+ List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset.size());
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
DNSKEYRecord r = (DNSKEYRecord) i.next();
}
if (res.size() == 0) {
- log.trace("findKey: could not find a key matching "
- + "the algorithm and footprint in supplied keyset. ");
+ log.trace("findKey: could not find a key matching " +
+ "the algorithm and footprint in supplied keyset.");
return null;
}
}
/**
- * Check to see if a signature looks valid (i.e., matches the rrset in
- * question, in the validity period, etc.)
- *
+ * Check to see if a signature looks valid (i.e., matches the
+ * rrset in question, in the validity period, etc.)
+ *
* @param rrset
* The rrset that the signature belongs to.
* @param sigrec
* The signature record to check.
- * @return A value of SecurityStatus.SECURE if it looks OK, SecurityStatus.BOGUS if it looks
- * bad.
+ * @return A value of SecurityStatus.SECURE if it looks OK,
+ * SecurityStatus.BOGUS if it looks bad.
*/
private byte checkSignature(RRset rrset, RRSIGRecord sigrec) {
if ((rrset == null) || (sigrec == null)) {
return SecurityStatus.BOGUS;
}
- Date now = new Date();
- Date start = sigrec.getTimeSigned();
+ Date now = new Date();
+ Date start = sigrec.getTimeSigned();
Date expire = sigrec.getExpire();
if (now.before(start)) {
}
if (now.after(expire)) {
- log.debug("Signature has expired (now = " + now
- + ", sig expires = " + expire);
+ log.debug("Signature has expired (now = " + now +
+ ", sig expires = " + expire);
return SecurityStatus.BOGUS;
}
}
public PublicKey parseDNSKEY(DNSKEYRecord key) {
- AlgEntry ae = (AlgEntry) mAlgorithmMap.get(Integer.valueOf(key
- .getAlgorithm()));
+ AlgEntry ae = (AlgEntry) mAlgorithmMap.get(Integer.valueOf(key.getAlgorithm()));
if (key.getAlgorithm() != ae.dnssecAlg) {
// Recast the DNSKEYRecord in question as one using the offical
// underlying
// KEYConverter class from DNSjava
key = new DNSKEYRecord(key.getName(), key.getDClass(),
- key.getTTL(), key.getFlags(), key.getProtocol(),
- ae.dnssecAlg, key.getKey());
+ key.getTTL(), key.getFlags(), key.getProtocol(),
+ ae.dnssecAlg, key.getKey());
}
return KEYConverter.parseRecord(key);
}
/**
- * Actually cryptographically verify a signature over the rrset. The RRSIG
- * record must match the rrset being verified (see checkSignature).
- *
+ * Actually cryptographically verify a signature over the
+ * rrset. The RRSIG record must match the rrset being verified
+ * (see checkSignature).
+ *
* @param rrset
* The rrset to verify.
* @param sigrec
* UNCHECKED if we just couldn't actually do the function.
*/
public byte verifySignature(RRset rrset, RRSIGRecord sigrec,
- DNSKEYRecord key) {
+ DNSKEYRecord key) {
try {
PublicKey pk = parseDNSKEY(key);
if (pk == null) {
- log
- .warn("Could not convert DNSKEY record to a JCA public key: "
- + key);
-
+ log.warn("Could not convert DNSKEY record to a JCA public key: " + key);
return SecurityStatus.UNCHECKED;
}
/**
* Verify an RRset against a particular signature.
- *
- * @return DNSSEC.Secure if the signature verfied, DNSSEC.Failed if it did
- * not verify (for any reason), and DNSSEC.Insecure if verification
- * could not be completed (usually because the public key was not
- * available).
+ *
+ * @return DNSSEC.Secure if the signature verfied, DNSSEC.Failed
+ * if it did not verify (for any reason), and
+ * DNSSEC.Insecure if verification could not be completed
+ * (usually because the public key was not available).
*/
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, RRset key_rrset) {
byte result = checkSignature(rrset, sigrec);
if (keys == null) {
log.trace("could not find appropriate key");
-
return SecurityStatus.BOGUS;
}
}
/**
- * Verifies an RRset. This routine does not modify the RRset. This RRset is
- * presumed to be verifiable, and the correct DNSKEY rrset is presumed to
- * have been found.
- *
+ * Verifies an RRset. This routine does not modify the RRset. This
+ * RRset is presumed to be verifiable, and the correct DNSKEY
+ * rrset is presumed to have been found.
+ *
* @return SecurityStatus.SECURE if the rrest verified positively,
* SecurityStatus.BOGUS otherwise.
*/
}
/**
- * Verify an RRset against a single DNSKEY. Use this when you must be
- * certain that an RRset signed and verifies with a particular DNSKEY (as
- * opposed to a particular DNSKEY rrset).
- *
+ * Verify an RRset against a single DNSKEY. Use this when you must
+ * be certain that an RRset signed and verifies with a particular
+ * DNSKEY (as opposed to a particular DNSKEY rrset).
+ *
* @param rrset
* The rrset to verify.
* @param dnskey
Signature s = null;
try {
- AlgEntry entry = (AlgEntry) mAlgorithmMap
- .get(Integer.valueOf(algorithm));
+ AlgEntry entry = (AlgEntry) mAlgorithmMap.get(Integer.valueOf(algorithm));
if (entry == null) {
log.info("DNSSEC algorithm " + algorithm + " not recognized.");
-
return null;
}
}
private static class AlgEntry {
- public String jcaName;
+ public String jcaName;
public boolean isDSA;
- public int dnssecAlg;
+ public int dnssecAlg;
public AlgEntry(String name, int dnssecAlg, boolean isDSA) {
jcaName = name;
this.isDSA = isDSA;
}
}
-
- // TODO: enable private algorithm support in dnsjava.
- // Right now, this cannot be used because the DNSKEYRecord object doesn't
- // give us
- // the private key name.
- // private Signature getSignature(Name private_alg)
- // {
- // Signature s = null;
- //
- // try
- // {
- // String alg_id = (String) mAlgorithmMap.get(private_alg);
- // if (alg_id == null)
- // {
- // log.debug("DNSSEC private algorithm '" + private_alg
- // + "' not recognized.");
- // return null;
- // }
- //
- // s = Signature.getInstance(alg_id);
- // }
- // catch (NoSuchAlgorithmException e)
- // {
- // log.error("error getting Signature object", e);
- // }
- //
- // return s;
- // }
}
import java.util.*;
public class NSEC3ValUtils {
- // FIXME: should probably refactor to handle different NSEC3 parameters more
- // efficiently.
+ // FIXME: should probably refactor to handle different NSEC3
+ // parameters more efficiently.
// Given a list of NSEC3 RRs, they should be grouped according to
- // parameters. The idea is to hash and compare for each group independently,
- // instead of having to skip NSEC3 RRs with the wrong parameters.
- private static Name asterisk_label = Name.fromConstantString("*");
- private static Logger st_log = Logger.getLogger(NSEC3ValUtils.class);
- private static final base32 b32 = new base32(base32.Alphabet.BASE32HEX,
- false, false);
+ // parameters. The idea is to hash and compare for each group
+ // independently, instead of having to skip NSEC3 RRs with the
+ // wrong parameters.
+ private static Name asterisk_label = Name.fromConstantString("*");
+ private static Logger st_log = Logger.getLogger(NSEC3ValUtils.class);
+ private static final base32 b32 = new base32(base32.Alphabet.BASE32HEX,
+ false, false);
public static boolean supportsHashAlgorithm(int alg) {
if (alg == NSEC3Record.SHA1_DIGEST_ID) {
}
/**
- * Given a list of NSEC3Records that are part of a message, determine the
- * NSEC3 parameters (hash algorithm, iterations, and salt) present. If there
- * is more than one distinct grouping, return null;
- *
+ * Given a list of NSEC3Records that are part of a message,
+ * determine the NSEC3 parameters (hash algorithm, iterations, and
+ * salt) present. If there is more than one distinct grouping,
+ * return null;
+ *
* @param nsec3s
* A list of NSEC3Record object.
- * @return A set containing a number of objects (NSEC3Parameter objects)
- * that correspond to each distinct set of parameters, or null if
- * the nsec3s list was empty.
+ * @return A set containing a number of objects (NSEC3Parameter
+ * objects) that correspond to each distinct set of
+ * parameters, or null if the nsec3s list was empty.
*/
public static NSEC3Parameters nsec3Parameters(List<NSEC3Record> nsec3s) {
if ((nsec3s == null) || (nsec3s.size() == 0)) {
return null;
}
- NSEC3Parameters params = new NSEC3Parameters((NSEC3Record) nsec3s
- .get(0));
- ByteArrayComparator bac = new ByteArrayComparator();
+ NSEC3Parameters params = new NSEC3Parameters((NSEC3Record) nsec3s.get(0));
+ ByteArrayComparator bac = new ByteArrayComparator();
for (NSEC3Record nsec3 : nsec3s) {
if (!params.match(nsec3, bac)) {
/**
* Given a hash and an a zone name, construct an NSEC3 ownername.
- *
+ *
* @param hash
* The hash of an original name.
* @param zonename
/**
* Given a set of NSEC3 parameters, hash a name.
- *
+ *
* @param name
* The name to hash.
* @param params
return params.hash(name);
} catch (NoSuchAlgorithmException e) {
st_log.warn("Did not recognize hash algorithm: " + params.alg);
-
return null;
}
}
/**
* Given the name of a closest encloser, return the name *.closest_encloser.
- *
+ *
* @param closestEncloser
* The name to start with.
* @return The wildcard name.
}
/**
- * Given a qname and its proven closest encloser, calculate the "next
- * closest" name. Basically, this is the name that is one label longer than
- * the closest encloser that is still a subdomain of qname.
- *
+ * Given a qname and its proven closest encloser, calculate the
+ * "next closest" name. Basically, this is the name that is one
+ * label longer than the closest encloser that is still a
+ * subdomain of qname.
+ *
* @param qname
* The qname.
* @param closestEncloser
/**
* Find the NSEC3Record that matches a hash of a name.
- *
+ *
* @param hash
* The pre-calculated hash of a name.
* @param zonename
* @param bac
* An already allocated ByteArrayComparator, for reuse. This may
* be null.
- *
+ *
* @return The matching NSEC3Record, if one is present.
*/
- private static NSEC3Record findMatchingNSEC3(byte[] hash, Name zonename,
- List<NSEC3Record> nsec3s, NSEC3Parameters params,
- ByteArrayComparator bac) {
+ private static NSEC3Record findMatchingNSEC3(byte[] hash,
+ Name zonename,
+ List<NSEC3Record> nsec3s,
+ NSEC3Parameters params,
+ ByteArrayComparator bac) {
Name n = hashName(hash, zonename);
for (NSEC3Record nsec3 : nsec3s) {
}
/**
- * Given a hash and a candidate NSEC3Record, determine if that NSEC3Record
- * covers the hash. Covers specifically means that the hash is in between
- * the owner and next hashes and does not equal either.
- *
+ * Given a hash and a candidate NSEC3Record, determine if that
+ * NSEC3Record covers the hash. Covers specifically means that the
+ * hash is in between the owner and next hashes and does not equal
+ * either.
+ *
* @param nsec3
* The candidate NSEC3Record.
* @param hash
* An already allocated comparator. This may be null.
* @return True if the NSEC3Record covers the hash.
*/
- private static boolean nsec3Covers(NSEC3Record nsec3, byte [] hash,
- ByteArrayComparator bac) {
+ private static boolean nsec3Covers(NSEC3Record nsec3,
+ byte[] hash,
+ ByteArrayComparator bac) {
Name ownerName = nsec3.getName();
- byte [] owner = b32.fromString(ownerName.getLabelString(0));
- byte [] next = nsec3.getNext();
+ byte[] owner = b32.fromString(ownerName.getLabelString(0));
+ byte[] next = nsec3.getNext();
// This is the "normal case: owner < next and owner < hash < next
if ((bac.compare(owner, hash) < 0) && (bac.compare(hash, next) < 0)) {
}
// this is the end of zone case: next < owner && hash > owner || hash <
// next
- if ((bac.compare(next, owner) <= 0)
- && ((bac.compare(hash, next) < 0) || (bac.compare(owner, hash) < 0))) {
+ if ((bac.compare(next, owner) <= 0) &&
+ ((bac.compare(hash, next) < 0) || (bac.compare(owner, hash) < 0))) {
return true;
}
}
/**
- * Given a pre-hashed name, find a covering NSEC3 from among a list of
- * NSEC3s.
- *
+ * Given a pre-hashed name, find a covering NSEC3 from among a
+ * list of NSEC3s.
+ *
* @param hash
* The hash to consider.
* @param zonename
* @param params
* The NSEC3 parameters used to generate the hash -- NSEC3s that
* do not use those parameters will be skipped.
- *
+ *
* @return A covering NSEC3 if one is present, null otherwise.
*/
- private static NSEC3Record findCoveringNSEC3(byte[] hash, Name zonename,
- List<NSEC3Record> nsec3s, NSEC3Parameters params,
- ByteArrayComparator bac) {
+ private static NSEC3Record findCoveringNSEC3(byte[] hash,
+ Name zonename,
+ List<NSEC3Record> nsec3s,
+ NSEC3Parameters params,
+ ByteArrayComparator bac) {
ByteArrayComparator comparator = new ByteArrayComparator();
for (NSEC3Record nsec3 : nsec3s) {
}
/**
- * Given a name and a list of NSEC3s, find the candidate closest encloser.
- * This will be the first ancestor of 'name' (including itself) to have a
- * matching NSEC3 RR.
- *
+ * Given a name and a list of NSEC3s, find the candidate closest
+ * encloser. This will be the first ancestor of 'name' (including
+ * itself) to have a matching NSEC3 RR.
+ *
* @param name
* The name the start with.
* @param zonename
* The NSEC3 parameters.
* @param bac
* A pre-allocated comparator. May be null.
- *
+ *
* @return A CEResponse containing the closest encloser name and the NSEC3
* RR that matched it, or null if there wasn't one.
*/
- private static CEResponse findClosestEncloser(Name name, Name zonename,
- List<NSEC3Record> nsec3s, NSEC3Parameters params,
- ByteArrayComparator bac) {
+ private static CEResponse findClosestEncloser(Name name,
+ Name zonename,
+ List<NSEC3Record> nsec3s,
+ NSEC3Parameters params,
+ ByteArrayComparator bac) {
Name n = name;
NSEC3Record nsec3;
// FIXME: modify so that the NSEC3 matching the zone apex need not be
// present.
while (n.labels() >= zonename.labels()) {
- nsec3 = findMatchingNSEC3(hash(n, params), zonename,
- nsec3s, params, bac);
+ nsec3 = findMatchingNSEC3(hash(n, params), zonename, nsec3s, params, bac);
if (nsec3 != null) {
return new CEResponse(n, nsec3);
}
/**
- * Given a List of nsec3 RRs, find and prove the closest encloser to qname.
- *
+ * Given a List of nsec3 RRs, find and prove the closest encloser
+ * to qname.
+ *
* @param qname
* The qname in question.
* @param zonename
* The name of the zone that the NSEC3 RRs come from.
* @param nsec3s
- * The list of NSEC3s found the this response (already verified).
+ * The list of NSEC3s found the this response (already
+ * verified).
* @param params
* The NSEC3 parameters found in the response.
* @param bac
* A pre-allocated comparator. May be null.
* @param proveDoesNotExist
- * If true, then if the closest encloser turns out to be qname,
- * then null is returned.
- * @return null if the proof isn't completed. Otherwise, return a CEResponse
- * object which contains the closest encloser name and the NSEC3
- * that matches it.
+ * If true, then if the closest encloser turns out to
+ * be qname, then null is returned.
+ * @return null if the proof isn't completed. Otherwise, return a
+ * CEResponse object which contains the closest encloser
+ * name and the NSEC3 that matches it.
*/
- private static CEResponse proveClosestEncloser(Name qname, Name zonename,
- List<NSEC3Record> nsec3s, NSEC3Parameters params,
- ByteArrayComparator bac, boolean proveDoesNotExist, List<String> errorList) {
- CEResponse candidate = findClosestEncloser(qname, zonename, nsec3s,
- params, bac);
+ private static CEResponse proveClosestEncloser(Name qname,
+ Name zonename,
+ List<NSEC3Record> nsec3s,
+ NSEC3Parameters params,
+ ByteArrayComparator bac,
+ boolean proveDoesNotExist,
+ List<String> errorList) {
+ CEResponse candidate = findClosestEncloser(qname, zonename, nsec3s, params, bac);
if (candidate == null) {
errorList.add("Could not find a candidate for the closest encloser");
st_log.debug("proveClosestEncloser: could not find a " +
- "candidate for the closest encloser.");
+ "candidate for the closest encloser.");
return null;
}
return null;
}
- // otherwise, we need to nothing else to prove that qname is its own
- // closest encloser.
+ // otherwise, we need to nothing else to prove that qname
+ // is its own closest encloser.
return candidate;
}
- // If the closest encloser is actually a delegation, then the response
- // should have been a referral. If it is a DNAME, then it should have
- // been
- // a DNAME response.
- if (candidate.ce_nsec3.hasType(Type.NS) &&
- !candidate.ce_nsec3.hasType(Type.SOA)) {
+ // If the closest encloser is actually a delegation, then the
+ // response should have been a referral. If it is a DNAME,
+ // then it should have been a DNAME response.
+ if (candidate.ce_nsec3.hasType(Type.NS) && !candidate.ce_nsec3.hasType(Type.SOA)) {
errorList.add("Proven closest encloser was a delegation");
st_log.debug("proveClosestEncloser: closest encloser " +
"was a delegation!");
Name nextClosest = nextClosest(qname, candidate.closestEncloser);
byte[] nc_hash = hash(nextClosest, params);
- candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, zonename, nsec3s,
- params, bac);
+ candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, zonename, nsec3s, params, bac);
if (candidate.nc_nsec3 == null) {
errorList.add("Could not find proof that the closest encloser was the closest encloser");
@SuppressWarnings("rawtypes")
private static boolean validIterations(NSEC3Parameters nsec3params,
- RRset dnskey_rrset, DnsSecVerifier verifier) {
- // for now, we return the maximum iterations based simply on the key
- // algorithms that may have been used to sign the NSEC3 RRsets.
+ RRset dnskey_rrset,
+ DnsSecVerifier verifier) {
+ // for now, we return the maximum iterations based simply on
+ // the key algorithms that may have been used to sign the
+ // NSEC3 RRsets.
int max_iterations = 0;
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
- DNSKEYRecord dnskey = (DNSKEYRecord) i.next();
- int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm());
- int iters = maxIterations(baseAlg, 0);
+ DNSKEYRecord dnskey = (DNSKEYRecord) i.next();
+ int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm());
+ int iters = maxIterations(baseAlg, 0);
max_iterations = (max_iterations < iters) ? iters : max_iterations;
}
}
/**
- * Determine if all of the NSEC3s in a response are legally ignoreable
- * (i.e., their presence should lead to an INSECURE result). Currently, this
- * is solely based on iterations.
- *
+ * Determine if all of the NSEC3s in a response are legally
+ * ignoreable (i.e., their presence should lead to an INSECURE
+ * result). Currently, this is solely based on iterations.
+ *
* @param nsec3s
- * The list of NSEC3s. If there is more than one set of NSEC3
- * parameters present, this test will not be performed.
+ * The list of NSEC3s. If there is more than one set of
+ * NSEC3 parameters present, this test will not be
+ * performed.
* @param dnskey_rrset
* The set of validating DNSKEYs.
* @param verifier
- * The verifier used to verify the NSEC3 RRsets. This is solely
- * used to map algorithm aliases.
- * @return true if all of the NSEC3s can be legally ignored, false if not.
+ * The verifier used to verify the NSEC3 RRsets. This
+ * is solely used to map algorithm aliases.
+ * @return true if all of the NSEC3s can be legally ignored, false
+ * if not.
*/
public static boolean allNSEC3sIgnoreable(List<NSEC3Record> nsec3s,
- RRset dnskey_rrset, DnsSecVerifier verifier) {
+ RRset dnskey_rrset,
+ DnsSecVerifier verifier) {
NSEC3Parameters params = nsec3Parameters(nsec3s);
if (params == null) {
}
/**
- * Determine if the set of NSEC3 records provided with a response prove NAME
- * ERROR. This means that the NSEC3s prove a) the closest encloser exists,
- * b) the direct child of the closest encloser towards qname doesn't exist,
- * and c) *.closest encloser does not exist.
- *
+ * Determine if the set of NSEC3 records provided with a response
+ * prove NAME ERROR. This means that the NSEC3s prove a) the
+ * closest encloser exists, b) the direct child of the closest
+ * encloser towards qname doesn't exist, and c) *.closest encloser
+ * does not exist.
+ *
* @param nsec3s
* The list of NSEC3s.
* @param qname
* The query name to check against.
* @param zonename
- * This is the name of the zone that the NSEC3s belong to. This
- * may be discovered in any number of ways. A good one is to use
- * the signerName from the NSEC3 record's RRSIG.
- * @return SecurityStatus.SECURE of the Name Error is proven by the NSEC3
- * RRs, BOGUS if not, INSECURE if all of the NSEC3s could be validly
- * ignored.
+ * This is the name of the zone that the NSEC3s belong
+ * to. This may be discovered in any number of ways. A
+ * good one is to use the signerName from the NSEC3
+ * record's RRSIG.
+ * @return SecurityStatus.SECURE of the Name Error is proven by
+ * the NSEC3 RRs, BOGUS if not, INSECURE if all of the
+ * NSEC3s could be validly ignored.
*/
- public static boolean proveNameError(List<NSEC3Record> nsec3s, Name qname,
- Name zonename, List<String> errorList) {
+ public static boolean proveNameError(List<NSEC3Record> nsec3s,
+ Name qname,
+ Name zonename,
+ List<String> errorList) {
if ((nsec3s == null) || (nsec3s.size() == 0)) {
return false;
}
if (nsec3params == null) {
errorList.add("Could not find a single set of NSEC3 parameters (multiple parameters present");
st_log.debug("Could not find a single set of " +
- "NSEC3 parameters (multiple parameters present).");
+ "NSEC3 parameters (multiple parameters present).");
return false;
}
// First locate and prove the closest encloser to qname. We will use the
// variant that fails if the closest encloser turns out to be qname.
CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
- nsec3params, bac, true, errorList);
+ nsec3params, bac, true, errorList);
if (ce == null) {
errorList.add("Failed to find the closest encloser as part of the NSEC3 proof");
// At this point, we know that qname does not exist. Now we need to
// prove
// that the wildcard does not exist.
- Name wc = ceWildcard(ce.closestEncloser);
- byte[] wc_hash = hash(wc, nsec3params);
+ Name wc = ceWildcard(ce.closestEncloser);
+ byte[] wc_hash = hash(wc, nsec3params);
NSEC3Record nsec3 = findCoveringNSEC3(wc_hash, zonename, nsec3s,
- nsec3params, bac);
+ nsec3params, bac);
if (nsec3 == null) {
errorList.add("Failed to prove that the applicable wildcard did not exist");
st_log.debug("proveNameError: could not prove that the " +
- "applicable wildcard did not exist.");
+ "applicable wildcard did not exist.");
return false;
}
}
/**
- * Determine if the NSEC3s provided in a response prove the NOERROR/NODATA
- * status. There are a number of different variants to this:
- *
+ * Determine if the NSEC3s provided in a response prove the
+ * NOERROR/NODATA status. There are a number of different variants
+ * to this:
+ *
* 1) Normal NODATA -- qname is matched to an NSEC3 record, type is not
* present.
- *
+ *
* 2) ENT NODATA -- because there must be NSEC3 record for
* empty-non-terminals, this is the same as #1.
- *
+ *
* 3) NSEC3 ownername NODATA -- qname matched an existing, lone NSEC3
* ownername, but qtype was not NSEC3. NOTE: as of nsec-05, this case no
* longer exists.
- *
+ *
* 4) Wildcard NODATA -- A wildcard matched the name, but not the type.
- *
+ *
* 5) Opt-In DS NODATA -- the qname is covered by an opt-in span and qtype
* == DS. (or maybe some future record with the same parent-side-only
* property)
- *
+ *
* @param nsec3s
* The NSEC3Records to consider.
* @param qname
* The name of the zone that the NSEC3s came from.
* @return true if the NSEC3s prove the proposition.
*/
- public static boolean proveNodata(List<NSEC3Record> nsec3s, Name qname,
- int qtype, Name zonename, List<String> errorList) {
+ public static boolean proveNodata(List<NSEC3Record> nsec3s,
+ Name qname,
+ int qtype,
+ Name zonename,
+ List<String> errorList) {
if ((nsec3s == null) || (nsec3s.size() == 0)) {
return false;
}
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) {
- st_log.debug("could not find a single set of "
- + "NSEC3 parameters (multiple parameters present)");
+ st_log.debug("could not find a single set of " +
+ "NSEC3 parameters (multiple parameters present)");
return false;
}
ByteArrayComparator bac = new ByteArrayComparator();
NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params),
- zonename, nsec3s, nsec3params, bac);
+ zonename, nsec3s, nsec3params, bac);
// Cases 1 & 2.
if (nsec3 != null) {
if (nsec3.hasType(qtype)) {
- st_log
- .debug("proveNodata: Matching NSEC3 proved that type existed!");
+ st_log.debug("proveNodata: Matching NSEC3 proved that type existed!");
return false;
}
if (nsec3.hasType(Type.CNAME)) {
- st_log.debug("proveNodata: Matching NSEC3 proved "
- + "that a CNAME existed!");
+ st_log.debug("proveNodata: Matching NSEC3 proved " +
+ "that a CNAME existed!");
return false;
}
// match qname. Although, at this point, we know that it won't since we
// just checked that.
CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
- nsec3params, bac, true, errorList);
+ nsec3params, bac, true, errorList);
// At this point, not finding a match or a proven closest encloser is a
// problem.
if (ce == null) {
- st_log.debug("proveNodata: did not match qname, "
- + "nor found a proven closest encloser.");
+ st_log.debug("proveNodata: did not match qname, " +
+ "nor found a proven closest encloser.");
return false;
}
// Case 4:
Name wc = ceWildcard(ce.closestEncloser);
nsec3 = findMatchingNSEC3(hash(wc, nsec3params), zonename, nsec3s,
- nsec3params, bac);
+ nsec3params, bac);
if (nsec3 != null) {
if (nsec3.hasType(qtype)) {
// Case 5.
if (qtype != Type.DS) {
- st_log
- .debug("proveNodata: could not find matching NSEC3, "
- + "nor matching wildcard, and qtype is not DS -- no more options.");
+ st_log.debug("proveNodata: could not find matching NSEC3, " +
+ "nor matching wildcard, and qtype is not DS -- no more options.");
return false;
}
// We need to make sure that the covering NSEC3 is opt-in.
if (!isOptOut(ce.nc_nsec3)) {
- st_log.debug("proveNodata: covering NSEC3 was not "
- + "opt-in in an opt-in DS NOERROR/NODATA case.");
+ st_log.debug("proveNodata: covering NSEC3 was not " +
+ "opt-in in an opt-in DS NOERROR/NODATA case.");
return false;
}
}
/**
- * Prove that a positive wildcard match was appropriate (no direct match
- * RRset).
- *
+ * Prove that a positive wildcard match was appropriate (no direct
+ * match RRset).
+ *
* @param nsec3s
* The NSEC3 records to work with.
* @param qname
* The purported wildcard that matched.
* @return true if the NSEC3 records prove this case.
*/
- public static boolean proveWildcard(List<NSEC3Record> nsec3s, Name qname,
- Name zonename, Name wildcard, List<String> errorList) {
+ public static boolean proveWildcard(List<NSEC3Record> nsec3s,
+ Name qname,
+ Name zonename,
+ Name wildcard,
+ List<String> errorList) {
if ((nsec3s == null) || (nsec3s.size() == 0)) {
return false;
}
if (nsec3params == null) {
errorList.add("Could not find a single set of NSEC3 parameters (multiple parameters present)");
- st_log.debug(
- "couldn't find a single set of NSEC3 parameters (multiple parameters present).");
+ st_log.debug("Couldn't find a single set of NSEC3 parameters (multiple parameters present).");
return false;
}
// Otherwise, we need to show that the next closer name is covered.
Name nextClosest = nextClosest(qname, candidate.closestEncloser);
candidate.nc_nsec3 = findCoveringNSEC3(hash(nextClosest, nsec3params),
- zonename, nsec3s, nsec3params, bac);
+ zonename, nsec3s, nsec3params, bac);
if (candidate.nc_nsec3 == null) {
errorList.add("Did not find a NSEC3 that covered the next closer name to '" +
qname + "' from '" + candidate.closestEncloser + "' (derived from the wildcard: " +
wildcard + ")");
st_log.debug("proveWildcard: did not find a covering NSEC3 " +
- "that covered the next closer name to " + qname + " from " +
- candidate.closestEncloser + " (derived from wildcard " +
- wildcard + ")");
+ "that covered the next closer name to " + qname + " from " +
+ candidate.closestEncloser + " (derived from wildcard " +
+ wildcard + ")");
return false;
}
/**
* Prove that a DS response either had no DS, or wasn't a delegation point.
- *
- * Fundamentally there are two cases here: normal NODATA and Opt-In NODATA.
- *
+ *
+ * Fundamentally there are two cases here: normal NODATA and
+ * Opt-In NODATA.
+ *
* @param nsec3s
* The NSEC3 RRs to examine.
* @param qname
* The name of the DS in question.
* @param zonename
* The name of the zone that the NSEC3 RRs come from.
- *
- * @return SecurityStatus.SECURE if it was proven that there is no DS in a
- * secure (i.e., not opt-in) way, SecurityStatus.INSECURE if there
- * was no DS in an insecure (i.e., opt-in) way,
- * SecurityStatus.INDETERMINATE if it was clear that this wasn't a
- * delegation point, and SecurityStatus.BOGUS if the proofs don't
- * work out.
+ *
+ * @return SecurityStatus.SECURE if it was proven that there is no
+ * DS in a secure (i.e., not opt-in) way,
+ * SecurityStatus.INSECURE if there was no DS in an
+ * insecure (i.e., opt-in) way,
+ * SecurityStatus.INDETERMINATE if it was clear that this
+ * wasn't a delegation point, and SecurityStatus.BOGUS if
+ * the proofs don't work out.
*/
- public static byte proveNoDS(List<NSEC3Record> nsec3s, Name qname,
- Name zonename, List<String> errorList) {
+ public static byte proveNoDS(List<NSEC3Record> nsec3s,
+ Name qname,
+ Name zonename,
+ List<String> errorList) {
if ((nsec3s == null) || (nsec3s.size() == 0)) {
return SecurityStatus.BOGUS;
}
if (nsec3params == null) {
errorList.add("Could not find a single set of NSEC3 parameters (multiple parameters present)");
st_log.debug("couldn't find a single set of " +
- "NSEC3 parameters (multiple parameters present).");
+ "NSEC3 parameters (multiple parameters present).");
return SecurityStatus.BOGUS;
}
// Look for a matching NSEC3 to qname -- this is the normal NODATA case.
NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params),
- zonename, nsec3s, nsec3params, bac);
+ zonename, nsec3s, nsec3params, bac);
if (nsec3 != null) {
// If the matching NSEC3 has the SOA bit set, it is from the wrong
// zone (the child instead of the parent). If it has the DS bit set,
// then we were lied to.
if (nsec3.hasType(Type.SOA) || nsec3.hasType(Type.DS)) {
- errorList.add("Matching NSEC3 is incorrectly from the child instead of the parent (SOA or DS bit set)");
+ errorList.add("Matching NSEC3 is incorrectly from the child " +
+ "instead of the parent (SOA or DS bit set)");
return SecurityStatus.BOGUS;
}
// Otherwise, we are probably in the opt-in case.
CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
- nsec3params, bac, true, errorList);
+ nsec3params, bac, true, errorList);
if (ce == null) {
errorList.add("Failed to prove the closest encloser as part of a 'No DS' proof");
* algorithm, iterations, and salt.
*/
private static class NSEC3Parameters {
- public int alg;
- public byte[] salt;
- public int iterations;
+ public int alg;
+ public byte[] salt;
+ public int iterations;
private NSEC3PARAMRecord nsec3paramrec;
public NSEC3Parameters(NSEC3Record r) {
- alg = r.getHashAlgorithm();
- salt = r.getSalt();
+ alg = r.getHashAlgorithm();
+ salt = r.getSalt();
iterations = r.getIterations();
nsec3paramrec = new NSEC3PARAMRecord(Name.root, DClass.IN, 0, alg,
- 0, iterations, salt);
+ 0, iterations, salt);
}
public boolean match(NSEC3Record r, ByteArrayComparator bac) {
* encloser proof.
*/
private static class CEResponse {
- public Name closestEncloser;
+ public Name closestEncloser;
public NSEC3Record ce_nsec3;
public NSEC3Record nc_nsec3;
public CEResponse(Name ce, NSEC3Record nsec3) {
this.closestEncloser = ce;
- this.ce_nsec3 = nsec3;
+ this.ce_nsec3 = nsec3;
}
}
}
* This class represents a DNS message with resolver/validator state.
*/
public class SMessage {
- private static SRRset[] empty_srrset_array = new SRRset[0];
- private Header mHeader;
- private Record mQuestion;
- private OPTRecord mOPTRecord;
+ private static SRRset[] empty_srrset_array = new SRRset[0];
+ private Header mHeader;
+ private Record mQuestion;
+ private OPTRecord mOPTRecord;
private List<SRRset>[] mSection;
private SecurityStatus mSecurityStatus;
@SuppressWarnings("unchecked")
public SMessage(Header h) {
- mSection = (List<SRRset>[]) new List[3];
- mHeader = h;
+ mSection = (List<SRRset>[]) new List[3];
+ mHeader = h;
mSecurityStatus = new SecurityStatus();
}
public SMessage(Message m) {
this(m.getHeader());
- mQuestion = m.getQuestion();
+ mQuestion = m.getQuestion();
mOPTRecord = m.getOPT();
for (int i = Section.ANSWER; i <= Section.ADDITIONAL; i++) {
/**
* Find a specific (S)RRset in a given section.
- *
+ *
* @param name
* the name of the RRset.
* @param type
* the class of the RRset.
* @param section
* the section to look in (ANSWER -> ADDITIONAL)
- *
+ *
* @return The SRRset if found, null otherwise.
*/
public SRRset findRRset(Name name, int type, int dclass, int section) {
SRRset[] rrsets = getSectionRRsets(section);
for (int i = 0; i < rrsets.length; i++) {
- if (rrsets[i].getName().equals(name)
- && (rrsets[i].getType() == type)
- && (rrsets[i].getDClass() == dclass)) {
+ if (rrsets[i].getName().equals(name) &&
+ (rrsets[i].getType() == type) &&
+ (rrsets[i].getDClass() == dclass)) {
+
return rrsets[i];
}
}
/**
* Find an "answer" RRset. This will look for RRsets in the ANSWER section
- * that match the <qname,qtype,qclass>, taking into consideration CNAMEs.
- *
+ * that match the qname/qtype/qclass, taking into consideration CNAMEs.
+ *
* @param qname
* The starting search name.
* @param qtype
* The search type.
* @param qclass
* The search class.
- *
+ *
* @return a SRRset matching the query. This SRRset may have a different
* name from qname, due to following a CNAME chain.
*/
SRRset[] srrsets = getSectionRRsets(Section.ANSWER);
for (int i = 0; i < srrsets.length; i++) {
- if (srrsets[i].getName().equals(qname)
- && (srrsets[i].getType() == Type.CNAME)) {
+ if (srrsets[i].getName().equals(qname) && (srrsets[i].getType() == Type.CNAME)) {
CNAMERecord cname = (CNAMERecord) srrsets[i].first();
qname = cname.getTarget();
continue;
}
- if (srrsets[i].getName().equals(qname)
- && (srrsets[i].getType() == qtype)
- && (srrsets[i].getDClass() == qclass)) {
+ if (srrsets[i].getName().equals(qname) &&
+ (srrsets[i].getType() == qtype) &&
+ (srrsets[i].getDClass() == qclass)) {
+
return srrsets[i];
}
}
*/
public class SRRset extends RRset {
private static final long serialVersionUID = 1L;
- private SecurityStatus mSecurityStatus;
+ private SecurityStatus mSecurityStatus;
/** Create a new, blank SRRset. */
public SRRset() {
/**
* Codes for DNSSEC security statuses.
- *
+ *
* @author davidb
*/
public class SecurityStatus implements Serializable {
private static final long serialVersionUID = 1L;
-
- public static final byte INVALID = -1;
+ public static final byte INVALID = -1;
/**
* UNCHECKED means that object has yet to be validated.
*/
public class SignUtils {
// private static final int DSA_SIGNATURE_LENGTH = 20;
- private static final int ASN1_INT = 0x02;
- private static final int ASN1_SEQ = 0x30;
- public static final int RR_NORMAL = 0;
- public static final int RR_DELEGATION = 1;
- public static final int RR_GLUE = 2;
- public static final int RR_INVALID = 3;
+ private static final int ASN1_INT = 0x02;
+ private static final int ASN1_SEQ = 0x30;
+ public static final int RR_NORMAL = 0;
+ public static final int RR_DELEGATION = 1;
+ public static final int RR_GLUE = 2;
+ public static final int RR_INVALID = 3;
+
private static Logger log = Logger.getLogger(SignUtils.class);
/**
* Generate from some basic information a prototype SIG RR containing
* everything but the actual signature itself.
- *
+ *
* @param rrset
* the RRset being signed.
* @param signer
* the TTL of the resulting SIG record.
* @return a prototype signature based on the RRset and key information.
*/
- public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer,
- int alg, int keyid, Date start, Date expire, long sig_ttl) {
+ public static RRSIGRecord generatePreRRSIG(RRset rrset,
+ Name signer,
+ int alg,
+ int keyid,
+ Date start,
+ Date expire,
+ long sig_ttl) {
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl,
- rrset.getType(), alg, rrset.getTTL(), expire, start, keyid,
- signer, null);
+ rrset.getType(), alg, rrset.getTTL(), expire, start, keyid,
+ signer, null);
}
/**
- * Generate from some basic information a prototype SIG RR containing
- * everything but the actual signature itself.
- *
+ * Generate from some basic information a prototype SIG RR
+ * containing everything but the actual signature itself.
+ *
* @param rrset
* the RRset being signed.
* @param key
- * the public KEY RR counterpart to the key being used to sign
- * the RRset
+ * the public KEY RR counterpart to the key being used
+ * to sign the RRset
* @param start
* the SIG inception time.
* @param expire
* the TTL of the resulting SIG record.
* @return a prototype signature based on the RRset and key information.
*/
- public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key,
- Date start, Date expire, long sig_ttl) {
- return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(), key
- .getFootprint(), start, expire, sig_ttl);
+ public static RRSIGRecord generatePreRRSIG(RRset rrset,
+ DNSKEYRecord key,
+ Date start,
+ Date expire,
+ long sig_ttl) {
+ return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(),
+ key.getFootprint(), start, expire, sig_ttl);
}
/**
- * Generate from some basic information a prototype SIG RR containing
- * everything but the actual signature itself.
- *
+ * Generate from some basic information a prototype SIG RR
+ * containing everything but the actual signature itself.
+ *
* @param rec
* the DNS record being signed (forming an entire RRset).
* @param key
* the TTL of the result SIG record.
* @return a prototype signature based on the Record and key information.
*/
- public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key,
- Date start, Date expire, long sig_ttl) {
- return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl, rec
- .getType(), key.getAlgorithm(), rec.getTTL(), expire, start,
- key.getFootprint(), key.getName(), null);
+ public static RRSIGRecord generatePreRRSIG(Record rec,
+ DNSKEYRecord key,
+ Date start,
+ Date expire,
+ long sig_ttl) {
+ return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl,
+ rec.getType(), key.getAlgorithm(), rec.getTTL(),
+ expire, start, key.getFootprint(), key.getName(), null);
}
/**
* Generate the binary image of the prototype SIG RR.
- *
+ *
* @param presig
* the SIG RR prototype.
* @return the RDATA portion of the prototype SIG record. This forms the
DNSOutput image = new DNSOutput();
// precalculate some things
- int start_time = (int) (presig.getTimeSigned().getTime() / 1000);
- int expire_time = (int) (presig.getExpire().getTime() / 1000);
- Name signer = presig.getSigner();
+ int start_time = (int) (presig.getTimeSigned().getTime() / 1000);
+ int expire_time = (int) (presig.getExpire().getTime() / 1000);
+ Name signer = presig.getSigner();
// first write out the partial SIG record (this is the SIG RDATA
// minus the actual signature.
/**
* Calculate the canonical wire line format of the RRset.
- *
+ *
* @param rrset
* the RRset to convert.
* @param ttl
* part of data to be signed.
*/
@SuppressWarnings("rawtypes")
- public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl,
- int labels) {
+ public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl, int labels) {
DNSOutput image = new DNSOutput();
if (ttl == 0) {
if (n.labels() != labels) {
n = n.wild(n.labels() - labels);
wildcardName = true;
- log.trace("Detected wildcard expansion: " + rrset.getName()
- + " changed to " + n);
+ log.trace("Detected wildcard expansion: " + rrset.getName() +
+ " changed to " + n);
}
// now convert the wire format records in the RRset into a
// or ownername.
// In the TTL case, this avoids changing the ttl in the
// response.
- r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r
- .rdataToWireCanonical());
+ r = Record.newRecord(n, r.getType(), r.getDClass(), ttl,
+ r.rdataToWireCanonical());
}
byte[] wire_fmt = r.toWireCanonical();
// put the records into the correct ordering.
// Calculate the offset where the RDATA begins (we have to skip
// past the length byte)
- int offset = rrset.getName().toWireCanonical().length + 10;
- ByteArrayComparator bac = new ByteArrayComparator(offset, false);
+ int offset = rrset.getName().toWireCanonical().length + 10;
+ ByteArrayComparator bac = new ByteArrayComparator(offset, false);
Collections.sort(canonical_rrs, bac);
}
/**
- * Given an RRset and the prototype signature, generate the canonical data
- * that is to be signed.
- *
+ * Given an RRset and the prototype signature, generate the
+ * canonical data that is to be signed.
+ *
* @param rrset
* the RRset to be signed.
* @param presig
*/
public static byte[] generateSigData(RRset rrset, RRSIGRecord presig)
throws IOException {
- byte[] rrset_data = generateCanonicalRRsetData(rrset, presig
- .getOrigTTL(), presig.getLabels());
+ byte[] rrset_data = generateCanonicalRRsetData(rrset, presig.getOrigTTL(), presig.getLabels());
return generateSigData(rrset_data, presig);
}
/**
- * Given an RRset and the prototype signature, generate the canonical data
- * that is to be signed.
- *
+ * Given an RRset and the prototype signature, generate the
+ * canonical data that is to be signed.
+ *
* @param rrset_data
* the RRset converted into canonical wire line format (as per
* the canonicalization rules in RFC 2535).
* @return a block of data ready to be signed.
*/
public static byte[] generateSigData(byte[] rrset_data, RRSIGRecord presig)
- throws IOException {
+ throws IOException {
byte[] sig_rdata = generatePreSigRdata(presig);
- ByteArrayOutputStream image = new ByteArrayOutputStream(
- sig_rdata.length + rrset_data.length);
+ ByteArrayOutputStream image = new ByteArrayOutputStream(sig_rdata.length + rrset_data.length);
image.write(sig_rdata);
image.write(rrset_data);
}
/**
- * Given the actual signature and the prototype signature, combine them and
- * return the fully formed RRSIGRecord.
- *
+ * Given the actual signature and the prototype signature, combine
+ * them and return the fully formed RRSIGRecord.
+ *
* @param signature
* the cryptographic signature, in DNSSEC format.
* @param presig
* @return the fully formed RRSIG RR.
*/
public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig) {
- return new RRSIGRecord(presig.getName(), presig.getDClass(), presig
- .getTTL(), presig.getTypeCovered(), presig.getAlgorithm(),
- presig.getOrigTTL(), presig.getExpire(),
- presig.getTimeSigned(), presig.getFootprint(), presig
- .getSigner(), signature);
+ return new RRSIGRecord(presig.getName(), presig.getDClass(),
+ presig.getTTL(), presig.getTypeCovered(), presig.getAlgorithm(),
+ presig.getOrigTTL(), presig.getExpire(), presig.getTimeSigned(),
+ presig.getFootprint(), presig.getSigner(), signature);
}
/**
- * Converts from a RFC 2536 formatted DSA signature to a JCE (ASN.1)
- * formatted signature.
- *
+ * Converts from a RFC 2536 formatted DSA signature to a JCE
+ * (ASN.1) formatted signature.
+ *
* <p>
* ASN.1 format = ASN1_SEQ . seq_length . ASN1_INT . Rlength . R . ANS1_INT
* . Slength . S
* </p>
- *
- * The integers R and S may have a leading null byte to force the integer
- * positive.
- *
+ *
+ * The integers R and S may have a leading null byte to force the
+ * integer positive.
+ *
* @param signature
* the RFC 2536 formatted DSA signature.
* @return The ASN.1 formatted DSA signature.
* signature.
*/
public static byte[] convertDSASignature(byte[] signature)
- throws SignatureException {
+ throws SignatureException {
if (signature.length != 41) {
- throw new SignatureException(
- "RFC 2536 signature not expected length.");
+ throw new SignatureException("RFC 2536 signature not expected length.");
}
byte r_pad = 0;
}
/**
- * Converts from a JCE (ASN.1) formatted DSA signature to a RFC 2536
- * compliant signature.
- *
+ * Converts from a JCE (ASN.1) formatted DSA signature to a RFC
+ * 2536 compliant signature.
+ *
* <p>
* rfc2536 format = T . R . S
* </p>
- *
+ *
* where T is a number between 0 and 8, which is based on the DSA key
* length, and R & S are formatted to be exactly 20 bytes each (no leading
* null bytes).
- *
+ *
* @param params
* the DSA parameters associated with the DSA key used to
* generate the signature.
* if something is wrong with the ASN.1 format.
*/
public static byte[] convertDSASignature(DSAParams params, byte[] signature)
- throws SignatureException {
+ throws SignatureException {
if ((signature[0] != ASN1_SEQ) || (signature[2] != ASN1_INT)) {
- throw new SignatureException(
- "Invalid ASN.1 signature format: expected SEQ, INT");
+ throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT");
}
byte r_pad = (byte) (signature[3] - 20);
if (signature[24 + r_pad] != ASN1_INT) {
- throw new SignatureException(
- "Invalid ASN.1 signature format: expected SEQ, INT, INT");
+ throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT, INT");
}
log.trace("(start) ASN.1 DSA Sig:\n" + base64.toString(signature));
// S is shorter than 20 bytes, so right justify the number
// (s_pad is negative here).
Arrays.fill(sig, 21, 21 - s_pad, (byte) 0);
- System
- .arraycopy(signature, 26 + r_pad, sig, 21 - s_pad,
- 20 + s_pad);
+ System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 + s_pad);
}
if ((r_pad < 0) || (s_pad < 0)) {
- log
- .trace("(finish ***) RFC 2536 DSA Sig:\n"
- + base64.toString(sig));
+ log.trace("(finish ***) RFC 2536 DSA Sig:\n" + base64.toString(sig));
} else {
log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig));
}
}
/**
- * This class implements a basic comparator for byte arrays. It is primarily
- * useful for comparing RDATA portions of DNS records in doing DNSSEC
- * canonical ordering.
+ * This class implements a basic comparator for byte arrays. It is
+ * primarily useful for comparing RDATA portions of DNS records in
+ * doing DNSSEC canonical ordering.
*/
public static class ByteArrayComparator implements Comparator<byte[]>, Serializable {
private static final long serialVersionUID = 1L;
- private int mOffset = 0;
- private boolean mDebug = false;
+ private int mOffset = 0;
+ private boolean mDebug = false;
- public ByteArrayComparator() {
- }
+ public ByteArrayComparator() { }
public ByteArrayComparator(int offset, boolean debug) {
mOffset = offset;
- mDebug = debug;
+ mDebug = debug;
}
public int compare(byte[] b1, byte[] b2) throws ClassCastException {
for (int i = mOffset; (i < b1.length) && (i < b2.length); i++) {
if (b1[i] != b2[i]) {
if (mDebug) {
- System.out
- .println("offset " + i + " differs (this is "
- + (i - mOffset)
- + " bytes in from our offset.)");
+ System.out.println("offset " + i + " differs (this is " + (i - mOffset) +
+ " bytes in from our offset.)");
}
return (b1[i] & 0xFF) - (b2[i] & 0xFF);
for (Map.Entry<String, SRRset> entry : mMap.entrySet()) {
for (Iterator<Record> i = entry.getValue().rrs(); i.hasNext();) {
DNSKEYRecord r = (DNSKEYRecord) i.next();
- String key_desc = r.getName().toString() + "/"
- + DNSSEC.Algorithm.string(r.getAlgorithm()) + "/"
- + r.getFootprint();
+ String key_desc = r.getName().toString() + "/" +
+ DNSSEC.Algorithm.string(r.getAlgorithm()) + "/" +
+ r.getFootprint();
res.add(key_desc);
}
}
public class Util {
/**
* Convert a DNS name into a string suitable for use as a cache key.
- *
+ *
* @param name
* The name to convert.
* @return A string representing the name. This isn't ever meant to be
}
public static List<ConfigEntry> parseConfigPrefix(Properties config,
- String prefix) {
+ String prefix) {
if (!prefix.endsWith(".")) {
prefix = prefix + ".";
}
*/
public class ValUtils {
private static Logger st_log = Logger.getLogger(ValUtils.class);
- private Logger log = Logger.getLogger(this.getClass());
+ private Logger log = Logger.getLogger(this.getClass());
/** A local copy of the verifier object. */
private DnsSecVerifier mVerifier;
/**
* Given a response, classify ANSWER responses into a subtype.
- *
+ *
* @param m
* The response to classify.
- *
+ *
* @return A subtype ranging from UNKNOWN to NAMEERROR.
*/
public static ResponseType classifyResponse(SMessage m, Name zone) {
// Normal Name Error's are easy to detect -- but don't mistake a CNAME
// chain ending in NXDOMAIN.
- if ((m.getRcode() == Rcode.NXDOMAIN)
- && (m.getCount(Section.ANSWER) == 0)) {
+ if ((m.getRcode() == Rcode.NXDOMAIN) && (m.getCount(Section.ANSWER) == 0)) {
return ResponseType.NAMEERROR;
}
// 1) nothing in the ANSWER section
// 2) an NS RRset in the AUTHORITY section that is a strict subdomain of
// 'zone' (the presumed queried zone).
- if ((zone != null) && (m.getCount(Section.ANSWER) == 0)
- && (m.getCount(Section.AUTHORITY) > 0)) {
+ if ((zone != null) && (m.getCount(Section.ANSWER) == 0) &&
+ (m.getCount(Section.AUTHORITY) > 0)) {
+
rrsets = m.getSectionRRsets(Section.AUTHORITY);
for (int i = 0; i < rrsets.length; ++i) {
}
/**
- * Given a response, determine the name of the "signer". This is primarily
- * to determine if the response is, in fact, signed at all, and, if so, what
- * is the name of the most pertinent keyset.
- *
+ * Given a response, determine the name of the "signer". This is
+ * primarily to determine if the response is, in fact, signed at
+ * all, and, if so, what is the name of the most pertinent keyset.
+ *
* @param m
* The response to analyze.
* @return a signer name, if the response is signed (even partially), or
/**
* Given a DNSKEY record, generate the DS record from it.
- *
+ *
* @param keyrec
* the DNSKEY record in question.
* @param ds_alg
/**
* Check to see if a type is a special DNSSEC type.
- *
+ *
* @param type
* The type.
- *
+ *
* @return true if the type is one of the special DNSSEC types.
*/
public static boolean isDNSSECType(int type) {
}
/**
- * Set the security status of a particular RRset. This will only upgrade the
- * security status.
- *
+ * Set the security status of a particular RRset. This will only
+ * upgrade the security status.
+ *
* @param rrset
* The SRRset to update.
* @param security
}
/**
- * Set the security status of a message and all of its RRsets. This will
- * only upgrade the status of the message (i.e., set to more secure, not
- * less) and all of the RRsets.
- *
- * @param m
- * @param security
- * KeyEntry ke;
- *
- * SMessage m = response.getSMessage(); SRRset ans_rrset =
- * m.findAnswerRRset(qname, qtype, qclass);
- *
- * ke = verifySRRset(ans_rrset, key_rrset); if
- * (ans_rrset.getSecurityStatus() != SecurityStatus.SECURE) {
- * return; } key_rrset = ke.getRRset();
+ * Set the security status of a message and all of its
+ * RRsets. This will only upgrade the status of the message (i.e.,
+ * set to more secure, not less) and all of the RRsets.
*/
public static void setMessageSecurity(SMessage m, byte security) {
if (m == null) {
}
/**
- * Given an SRRset that is signed by a DNSKEY found in the key_rrset, verify
- * it. This will return the status (either BOGUS or SECURE) and set that
- * status in rrset.
- *
+ * Given an SRRset that is signed by a DNSKEY found in the
+ * key_rrset, verify it. This will return the status (either BOGUS
+ * or SECURE) and set that status in rrset.
+ *
* @param rrset
* The SRRset to verify.
* @param key_rrset
* @return The status (BOGUS or SECURE).
*/
public byte verifySRRset(SRRset rrset, SRRset key_rrset) {
- String rrset_name = rrset.getName() + "/"
- + Type.string(rrset.getType()) + "/"
- + DClass.string(rrset.getDClass());
+ String rrset_name = rrset.getName() + "/" + Type.string(rrset.getType()) + "/" +
+ DClass.string(rrset.getDClass());
if (rrset.getSecurityStatus() == SecurityStatus.SECURE) {
- log.trace("verifySRRset: rrset <" + rrset_name
- + "> previously found to be SECURE");
+ log.trace("verifySRRset: rrset <" + rrset_name +
+ "> previously found to be SECURE");
return SecurityStatus.SECURE;
}
byte status = mVerifier.verify(rrset, key_rrset);
if (status != SecurityStatus.SECURE) {
- log.debug("verifySRRset: rrset <" + rrset_name
- + "> found to be BAD");
+ log.debug("verifySRRset: rrset <" + rrset_name + "> found to be BAD");
status = SecurityStatus.BOGUS;
} else {
- log.trace("verifySRRset: rrset <" + rrset_name
- + "> found to be SECURE");
+ log.trace("verifySRRset: rrset <" + rrset_name + "> found to be SECURE");
}
rrset.setSecurityStatus(status);
/**
* Determine if a given type map has a given type.
- *
+ *
* @param types
* The type map from the NSEC record.
* @param type
/**
* Finds the longest common name between two domain names.
- *
+ *
* @param domain1
* @param domain2
* @return
/**
* Determine by looking at a signed RRset whether or not the rrset name was
* the result of a wildcard expansion.
- *
+ *
* @param rrset
* The rrset to examine.
* @return true if the rrset is a wildcard expansion. This will return false
* Determine by looking at a signed RRset whether or not the RRset name was
* the result of a wildcard expansion. If so, return the name of the
* generating wildcard.
- *
+ *
* @param rrset
* The rrset to check.
* @return the wildcard name, if the rrset was synthesized from a wildcard.
}
/**
- * Determine if the given NSEC proves a NameError (NXDOMAIN) for a given
- * qname.
- *
+ * Determine if the given NSEC proves a NameError (NXDOMAIN) for a
+ * given qname.
+ *
* @param nsec
* The NSEC to check.
* @param qname
public static boolean nsecProvesNameError(NSECRecord nsec, Name qname,
Name signerName) {
Name owner = nsec.getName();
- Name next = nsec.getNext();
+ Name next = nsec.getNext();
// If NSEC owner == qname, then this NSEC proves that qname exists.
if (qname.equals(owner)) {
// If NSEC is a parent of qname, we need to check the type map
// If the parent name has a DNAME or is a delegation point, then this
// NSEC is being misused.
- boolean hasBadType = typeMapHasType(nsec.getTypes(), Type.DNAME)
- || (typeMapHasType(nsec.getTypes(), Type.NS) && !typeMapHasType(
- nsec.getTypes(), Type.SOA));
+ boolean hasBadType = typeMapHasType(nsec.getTypes(), Type.DNAME) ||
+ (typeMapHasType(nsec.getTypes(), Type.NS) && !typeMapHasType(nsec.getTypes(), Type.SOA));
if (qname.subdomain(owner) && hasBadType) {
return false;
}
- if (((qname.compareTo(owner) > 0) && (qname.compareTo(next) < 0))
- || signerName.equals(next)) {
+ if (((qname.compareTo(owner) > 0) && (qname.compareTo(next) < 0)) || signerName.equals(next)) {
return true;
}
}
/**
- * Determine if a NSEC record proves the non-existence of a wildcard that
- * could have produced qname.
- *
+ * Determine if a NSEC record proves the non-existence of a
+ * wildcard that could have produced qname.
+ *
* @param nsec
* The nsec to check.
* @param qname
* The signer name for the NSEC rrset, used as the zone name.
* @return true if the NSEC proves the condition.
*/
- public static boolean nsecProvesNoWC(NSECRecord nsec, Name qname,
- Name signerName) {
+ public static boolean nsecProvesNoWC(NSECRecord nsec, Name qname, Name signerName) {
Name owner = nsec.getName();
- Name next = nsec.getNext();
+ Name next = nsec.getNext();
- int qname_labels = qname.labels();
+ int qname_labels = qname.labels();
int signer_labels = signerName.labels();
for (int i = qname_labels - signer_labels; i > 0; i--) {
Name wc_name = qname.wild(i);
- if ((wc_name.compareTo(owner) > 0)
- && ((wc_name.compareTo(next) < 0) || signerName
- .equals(next))) {
+ if ((wc_name.compareTo(owner) > 0) &&
+ ((wc_name.compareTo(next) < 0) || signerName.equals(next))) {
return true;
}
}
}
/**
- * Determine if a NSEC proves the NOERROR/NODATA conditions. This will also
- * handle the empty non-terminal (ENT) case and partially handle the
- * wildcard case. If the ownername of 'nsec' is a wildcard, the validator
- * must still be provided proof that qname did not directly exist and that
- * the wildcard is, in fact, *.closest_encloser.
- *
+ * Determine if a NSEC proves the NOERROR/NODATA conditions. This
+ * will also handle the empty non-terminal (ENT) case and
+ * partially handle the wildcard case. If the ownername of 'nsec'
+ * is a wildcard, the validator must still be provided proof that
+ * qname did not directly exist and that the wildcard is, in fact,
+ * *.closest_encloser.
+ *
* @param nsec
* The NSEC to check
* @param qname
* The query type to check against.
* @return true if the NSEC proves the condition.
*/
- public static boolean nsecProvesNodata(NSECRecord nsec, Name qname,
- int qtype) {
+ public static boolean nsecProvesNodata(NSECRecord nsec, Name qname, int qtype) {
if (!nsec.getName().equals(qname)) {
// wildcard checking.
- // If this is a wildcard NSEC, make sure that a) it was possible to
- // have
- // generated qname from the wildcard and b) the type map does not
- // contain qtype. Note that this does NOT prove that this wildcard
- // was
- // the applicable wildcard.
+ // If this is a wildcard NSEC, make sure that a) it was
+ // possible to have generated qname from the wildcard and
+ // b) the type map does not contain qtype. Note that this
+ // does NOT prove that this wildcard was the applicable
+ // wildcard.
if (nsec.getName().isWild()) {
// the is the purported closest encloser.
Name ce = new Name(nsec.getName(), 1);
- // The qname must be a strict subdomain of the closest encloser,
- // and
- // the qtype must be absent from the type map.
- if (!strictSubdomain(qname, ce)
- || typeMapHasType(nsec.getTypes(), qtype)) {
+ // The qname must be a strict subdomain of the closest
+ // encloser, and the qtype must be absent from the
+ // type map.
+ if (!strictSubdomain(qname, ce) || typeMapHasType(nsec.getTypes(), qtype)) {
return false;
}
// empty-non-terminal checking.
- // If the nsec is proving that qname is an ENT, the nsec owner will
- // be
- // less than qname, and the next name will be a child domain of the
- // qname.
+ // If the nsec is proving that qname is an ENT, the nsec
+ // owner will be less than qname, and the next name will
+ // be a child domain of the qname.
if (strictSubdomain(nsec.getNext(), qname)
&& (qname.compareTo(nsec.getName()) > 0)) {
return true;
}
- // Otherwise, this NSEC does not prove ENT, so it does not prove
- // NODATA.
+ // Otherwise, this NSEC does not prove ENT, so it does not
+ // prove NODATA.
return false;
}
return false;
}
- // if the name is a CNAME node, then we should have gotten the CNAME
+ // if the name is a CNAME node, then we should have gotten the
+ // CNAME
if (typeMapHasType(nsec.getTypes(), Type.CNAME)) {
return false;
}
- // If an NS set exists at this name, and NOT a SOA (so this is a zone
- // cut,
- // not a zone apex), then we should have gotten a referral (or we just
- // got
- // the wrong NSEC).
- if (typeMapHasType(nsec.getTypes(), Type.NS)
- && !typeMapHasType(nsec.getTypes(), Type.SOA)) {
+ // If an NS set exists at this name, and NOT a SOA (so this is
+ // a zone cut, not a zone apex), then we should have gotten a
+ // referral (or we just got the wrong NSEC).
+ if (typeMapHasType(nsec.getTypes(), Type.NS) &&
+ !typeMapHasType(nsec.getTypes(), Type.SOA)) {
+
return false;
}
int[] types = nsec.getTypes();
if (typeMapHasType(types, Type.SOA) || typeMapHasType(types, Type.DS)) {
- // SOA present means that this is the NSEC from the child, not the
- // parent (so it is the wrong one)
- // DS present means that there should have been a positive response
- // to
- // the DS query, so there is something wrong.
+ // SOA present means that this is the NSEC from the child,
+ // not the parent (so it is the wrong one) DS present
+ // means that there should have been a positive response
+ // to the DS query, so there is something wrong.
return SecurityStatus.BOGUS;
}
if (!typeMapHasType(types, Type.NS)) {
- // If there is no NS at this point at all, then this doesn't prove
- // anything one way or the other.
+ // If there is no NS at this point at all, then this
+ // doesn't prove anything one way or the other.
return SecurityStatus.INSECURE;
}
return SecurityStatus.SECURE;
}
- // These are response subtypes. They are necessary for determining the
- // validation strategy. They have no bearing on the iterative resolution
- // algorithm, so they are confined here.
+ // These are response subtypes. They are necessary for determining
+ // the validation strategy. They have no bearing on the iterative
+ // resolution algorithm, so they are confined here.
public enum ResponseType {
- UNTYPED, UNKNOWN, POSITIVE, CNAME, NODATA, NAMEERROR, ANY, REFERRAL,
- // a referral response
- THROWAWAY;
- // a throwaway response (i.e., an error)
+ UNTYPED, UNKNOWN, POSITIVE, CNAME, NODATA, NAMEERROR, ANY, REFERRAL, // a referral response
+ THROWAWAY; // a throwaway response (i.e., an error)
}
}
git://blacka.com / captive-validator.git / commitdiff