NSEC3PARAM support

git-svn-id: https://svn.verisignlabs.com/jdnssec/tools/trunk@85 4cbd57fe-54e5-0310-bd9a-f30fe5ea5e6e
2006-09-01 02:23:40 +00:00 · 2006-09-01 02:23:40 +00:00 · 08b2c4bc32
parent b09196059e
commit 08b2c4bc32
3 changed files with 45 additions and 6 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+2006-08-31  David Blacka  <davidb@fury.blacka.com>
+
+	* Modified jdnssec-signzone to set the ttls of NSEC3 records (so
+	far) to the SOA minimum value.
+
+	* Add NSEC3PARAM support for compatibility with the -07 NSEC3
+	draft.
+
 2006-05-24  David Blacka  <davidb@verisignlabs.com>

 	* Add some error checking for the NSEC3 command line parameters
--- a/src/com/verisignlabs/dnssec/cl/SignZone.java
+++ b/src/com/verisignlabs/dnssec/cl/SignZone.java
@ -811,7 +811,7 @@ public class SignZone
      List includedNames, byte[] salt, int iterations, int ds_digest_id)
      throws IOException, GeneralSecurityException
  {
-    // Remove any existing DNSSEC records (NSEC, NSEC3, RRSIG)
+    // Remove any existing DNSSEC records (NSEC, NSEC3, NSEC3PARAM, RRSIG)
    SignUtils.removeGeneratedRecords(zonename, records);

    // Sort the zone
--- a/src/com/verisignlabs/dnssec/security/SignUtils.java
+++ b/src/com/verisignlabs/dnssec/security/SignUtils.java
@ -517,7 +517,7 @@ public class SignUtils
      this.hasOptInSpan = false;
      addType(type);
    }
-
+    
    public void addType(int type)
    {
      this.typemap.add(new Integer(type));
@ -653,6 +653,9 @@ public class SignUtils
    // For detecting glue.
    Name last_cut = null;

+    long nsec3_ttl = 0;
+    long nsec3param_ttl = 0;
+
    for (Iterator i = records.iterator(); i.hasNext();)
    {
      Record r = (Record) i.next();
@ -668,6 +671,13 @@ public class SignUtils
      // note our last delegation point so we can recognize glue.
      if (r_sectype == RR_DELEGATION) last_cut = r_name;

+      if (r_type == Type.SOA)
+      {
+        SOARecord soa = (SOARecord) r;
+        nsec3_ttl = soa.getMinimum();
+        nsec3param_ttl = soa.getTTL();
+      }
+
      // For the first iteration, we create our current node.
      if (current_node == null)
      {
@ -710,7 +720,7 @@ public class SignUtils
        false,
        proto_nsec3s);

-    List nsec3s = finishNSEC3s(proto_nsec3s);
+    List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
    // DEBUG
    // for (Iterator i = nsec3s.iterator(); i.hasNext();)
    // {
@ -719,6 +729,11 @@ public class SignUtils
    // + base16.toString(nsec3.rdataToWireCanonical()));
    // }
    records.addAll(nsec3s);
+
+    NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
+        nsec3param_ttl, NSEC3Record.SHA1_DIGEST_ID, iterations, salt);
+    records.add(nsec3param);
+
  }

  public static void generateOptOutNSEC3Records(Name zonename, List records,
@ -731,6 +746,9 @@ public class SignUtils
    // For detecting glue.
    Name last_cut = null;

+    long nsec3_ttl = 0;
+    long nsec3param_ttl = 0;
+
    HashSet includeSet = null;
    if (includedNames != null)
    {
@ -752,6 +770,13 @@ public class SignUtils
      // note our last delegation point so we can recognize glue.
      if (r_sectype == RR_DELEGATION) last_cut = r_name;

+      if (r_type == Type.SOA)
+      {
+        SOARecord soa = (SOARecord) r;
+        nsec3_ttl = soa.getMinimum();
+        nsec3param_ttl = soa.getTTL();
+      }
+
      // For the first iteration, we create our current node.
      if (current_node == null)
      {
@ -807,8 +832,12 @@ public class SignUtils
        true,
        proto_nsec3s);

-    List nsec3s = finishNSEC3s(proto_nsec3s);
+    List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
    records.addAll(nsec3s);
+
+    NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
+        nsec3param_ttl, NSEC3Record.SHA1_DIGEST_ID, iterations, salt);
+    records.add(nsec3param);
  }

  private static void generateNSEC3ForNode(NodeInfo node, Name zonename,
@ -820,6 +849,7 @@ public class SignUtils

    // Add our default types.
    node.addType(Type.RRSIG);
+    if (node.name.equals(zonename)) node.addType(Type.NSEC3PARAM);

    // Check for ENTs -- note this will generate duplicate ENTs because it
    // doesn't use any context.
@ -864,7 +894,7 @@ public class SignUtils
    return r;
  }

-  private static List finishNSEC3s(List nsec3s)
+  private static List finishNSEC3s(List nsec3s, long ttl)
  {
    if (nsec3s == null) return null;
    Collections.sort(nsec3s, new ProtoNSEC3.Comparator());
@ -921,6 +951,7 @@ public class SignUtils
    for (Iterator i = nsec3s.iterator(); i.hasNext();)
    {
      ProtoNSEC3 p = (ProtoNSEC3) i.next();
+      p.setTTL(ttl);
      res.add(p.getNSEC3Record());
    }

@ -1119,7 +1150,7 @@ public class SignUtils
      Record r = (Record) i.next();

      if (r.getType() == Type.RRSIG || r.getType() == Type.NSEC
-          || r.getType() == Type.NSEC3)
+          || r.getType() == Type.NSEC3 || r.getType() == Type.NSEC3PARAM)
      {
        i.remove();
      }