davidb/captive-validator
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix issue when validating a response containing the original wildcard record

Browse Source 
e.g., a response to *.foo.bar.com itself.
Enable debug logging when debug=true.
This commit is contained in:
David Blacka 2015-07-28 15:38:27 -04:00
parent 37e9932d6e
commit a72a903d0b
2 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/com/verisign/cl/DNSSECValTool.java
View File

@ -343,6 +343,7 @@ public class DNSSECValTool {
dr.dnskeyNames.add(optarg); dr.dnskeyNames.add(optarg);
} else if (opt.equals("debug")) { } else if (opt.equals("debug")) {
dr.debug = Boolean.parseBoolean(optarg); dr.debug = Boolean.parseBoolean(optarg);
rootLogger.setLevel(Level.TRACE);
} else { } else {
System.err.println("Unrecognized option: " + opt); System.err.println("Unrecognized option: " + opt);
usage(); usage();

13
src/com/verisign/tat/dnssec/CaptiveValidator.java
View File

@ -378,6 +378,13 @@ public class CaptiveValidator {
// If so, an additional check will need to be made in the authority // If so, an additional check will need to be made in the authority
// section. // section.
wc = ValUtils.rrsetWildcard(rrsets[i]); wc = ValUtils.rrsetWildcard(rrsets[i]);
// if the wildcard expansion equals the orig name, then we
// have the actual wildcard record and no actual wildcard
// expansion happened, so we shouldn't do the extra
// validation.
if (wc.equals(rrsets[i].getName())) {
wc = null;
}
// Notice a DNAME that should be followed by an unsigned CNAME. // Notice a DNAME that should be followed by an unsigned CNAME.
if ((qtype != Type.DNAME) && (rrsets[i].getType() == Type.DNAME)) { if ((qtype != Type.DNAME) && (rrsets[i].getType() == Type.DNAME)) {
@ -447,8 +454,8 @@ public class CaptiveValidator {
// If after all this, we still haven't proven the positive wildcard // If after all this, we still haven't proven the positive wildcard
// response, fail. // response, fail.
if ((wc != null) && !wcNSEC_ok) { if ((wc != null) && !wcNSEC_ok) {
// log.debug("positive response was wildcard expansion and " mErrorList.add("Positive response was wildcard expansion " +
// + "did not prove original data did not exist"); "and did not prove original data did not exist.");
m.setStatus(SecurityStatus.BOGUS); m.setStatus(SecurityStatus.BOGUS);
return; return;
@ -945,7 +952,7 @@ public class CaptiveValidator {
} }
ValUtils.ResponseType subtype = ValUtils.classifyResponse(message, zone); ValUtils.ResponseType subtype = ValUtils.classifyResponse(message, zone);
log.debug("Response was classified as a " + subtype);
switch (subtype) { switch (subtype) {
case POSITIVE: case POSITIVE:
log.trace("Validating a positive response"); log.trace("Validating a positive response");