diff --git a/ChangeLog b/ChangeLog
index 9090248..b39aec2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2006-08-31 David Blacka
+
+  * Modified jdnssec-signzone to set the ttls of NSEC3 records (so
+  far) to the SOA minimum value.
+
+  * Add NSEC3PARAM support for compatibility with the -07 NSEC3
+  draft.
+
 2006-05-24 David Blacka
 
   * Add some error checking for the NSEC3 command line parameters
diff --git a/src/com/verisignlabs/dnssec/cl/SignZone.java b/src/com/verisignlabs/dnssec/cl/SignZone.java
index a9ec6f6..01ccdc5 100644
--- a/src/com/verisignlabs/dnssec/cl/SignZone.java
+++ b/src/com/verisignlabs/dnssec/cl/SignZone.java
@@ -811,7 +811,7 @@ public class SignZone
       List includedNames, byte[] salt, int iterations, int ds_digest_id)
       throws IOException, GeneralSecurityException
   {
-    // Remove any existing DNSSEC records (NSEC, NSEC3, RRSIG)
+    // Remove any existing DNSSEC records (NSEC, NSEC3, NSEC3PARAM, RRSIG)
     SignUtils.removeGeneratedRecords(zonename, records);
 
     // Sort the zone
diff --git a/src/com/verisignlabs/dnssec/security/SignUtils.java b/src/com/verisignlabs/dnssec/security/SignUtils.java
index 726a6bc..efc822e 100644
--- a/src/com/verisignlabs/dnssec/security/SignUtils.java
+++ b/src/com/verisignlabs/dnssec/security/SignUtils.java
@@ -517,7 +517,7 @@ public class SignUtils
       this.hasOptInSpan = false;
       addType(type);
     }
-    
+
     public void addType(int type)
     {
       this.typemap.add(new Integer(type));
@@ -653,6 +653,9 @@ public class SignUtils
     // For detecting glue.
     Name last_cut = null;
 
+    long nsec3_ttl = 0;
+    long nsec3param_ttl = 0;
+
     for (Iterator i = records.iterator(); i.hasNext();)
     {
       Record r = (Record) i.next();
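Review bot: `nsec3_ttl` and `nsec3param_ttl` start at 0 and are only overwritten when the scan below meets an SOA record, so a zone with no SOA silently gets NSEC3 and NSEC3PARAM records with TTL 0 instead of an error. I would record whether the SOA was seen (`boolean saw_soa = false;` beside these declarations, `saw_soa = true;` inside the SOA branch) and fail after the loop with `if (!saw_soa) throw new IllegalStateException("no SOA record in zone " + zonename + "; cannot derive NSEC3 TTLs");`. The same defaults are introduced in generateOptOutNSEC3Records in the -731 hunk, so the check belongs there too. A comment on the declarations, `// TTLs for the generated NSEC3/NSEC3PARAM RRs, taken from the zone SOA during the scan`, would explain the zero. The enclosing method (apparently the non-opt-out counterpart of generateOptOutNSEC3Records; its signature is outside this hunk) starts before the hunk.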
@@ -668,6 +671,13 @@ public class SignUtils
       // note our last delegation point so we can recognize glue.
       if (r_sectype == RR_DELEGATION) last_cut = r_name;
 
+      if (r_type == Type.SOA)
+      {
+        SOARecord soa = (SOARecord) r;
+        nsec3_ttl = soa.getMinimum();
+        nsec3param_ttl = soa.getTTL();
+      }
+
       // For the first iteration, we create our current node.
       if (current_node == null)
       {
@@ -710,7 +720,7 @@ public class SignUtils
         false, proto_nsec3s);
 
 
-    List nsec3s = finishNSEC3s(proto_nsec3s);
+    List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
     // DEBUG
     // for (Iterator i = nsec3s.iterator(); i.hasNext();)
     // {
@@ -719,6 +729,11 @@ public class SignUtils
     // + base16.toString(nsec3.rdataToWireCanonical()));
     // }
     records.addAll(nsec3s);
+
+    NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
+        nsec3param_ttl, NSEC3Record.SHA1_DIGEST_ID, iterations, salt);
+    records.add(nsec3param);
+
   }
 
   public static void generateOptOutNSEC3Records(Name zonename, List records,
@@ -731,6 +746,9 @@ public class SignUtils
     // For detecting glue.
     Name last_cut = null;
 
+    long nsec3_ttl = 0;
+    long nsec3param_ttl = 0;
+
     HashSet includeSet = null;
     if (includedNames != null)
     {
@@ -752,6 +770,13 @@ public class SignUtils
       // note our last delegation point so we can recognize glue.
       if (r_sectype == RR_DELEGATION) last_cut = r_name;
 
+      if (r_type == Type.SOA)
+      {
+        SOARecord soa = (SOARecord) r;
+        nsec3_ttl = soa.getMinimum();
+        nsec3param_ttl = soa.getTTL();
+      }
+
       // For the first iteration, we create our current node.
       if (current_node == null)
       {
@@ -807,8 +832,12 @@ public class SignUtils
         true, proto_nsec3s);
 
 
-    List nsec3s = finishNSEC3s(proto_nsec3s);
+    List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
     records.addAll(nsec3s);
+
+    NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
+        nsec3param_ttl, NSEC3Record.SHA1_DIGEST_ID, iterations, salt);
+    records.add(nsec3param);
   }
 
   private static void generateNSEC3ForNode(NodeInfo node, Name zonename,
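Review bot: The new SOA branch keys only on `r_type == Type.SOA`, so any SOA record in the input, not just the apex one, overwrites both TTLs and the last one scanned wins; the zone data is presumably validated before it gets here, but restricting the branch to the apex, `if (r_type == Type.SOA && r_name.equals(zonename))`, makes the intent explicit (r_name appears to be the owner of `r`, given its use on the line above, and zonename is used later in this method). The identical block is added to generateOptOutNSEC3Records in the -752 hunk; a small private helper that pulls the two TTLs out of the SOA would keep the two copies from drifting apart. The loop and its enclosing method start before this hunk.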
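Review bot: The NSEC3PARAM construction is repeated verbatim in the -807 hunk, and in both places the hash algorithm is hard-coded to `NSEC3Record.SHA1_DIGEST_ID` while `iterations` and `salt` are parameters; the NSEC3 chain built above presumably uses the same constant, so a comment should pin that coupling, e.g. `// Hash algorithm, iterations and salt must match those used for the NSEC3 chain above.` A private helper along the lines of `addNSEC3PARAM(zonename, nsec3param_ttl, iterations, salt, records)` called from both methods would remove the duplication. The blank line added just before the closing brace of this method is stray whitespace.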
@@ -820,6 +849,7 @@ public class SignUtils
 
     // Add our default types.
     node.addType(Type.RRSIG);
+    if (node.name.equals(zonename)) node.addType(Type.NSEC3PARAM);
 
     // Check for ENTs -- note this will generate duplicate ENTs because it
     // doesn't use any context.
@@ -864,7 +894,7 @@ public class SignUtils
     return r;
   }
 
-  private static List finishNSEC3s(List nsec3s)
+  private static List finishNSEC3s(List nsec3s, long ttl)
   {
     if (nsec3s == null) return null;
     Collections.sort(nsec3s, new ProtoNSEC3.Comparator());
@@ -921,6 +951,7 @@ public class SignUtils
     for (Iterator i = nsec3s.iterator(); i.hasNext();)
     {
       ProtoNSEC3 p = (ProtoNSEC3) i.next();
+      p.setTTL(ttl);
       res.add(p.getNSEC3Record());
     }
 
@@ -1119,7 +1150,7 @@ public class SignUtils
 
       Record r = (Record) i.next();
       if (r.getType() == Type.RRSIG || r.getType() == Type.NSEC
-          || r.getType() == Type.NSEC3)
+          || r.getType() == Type.NSEC3 || r.getType() == Type.NSEC3PARAM)
       {
         i.remove();
       }
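Review bot: The added line folds the condition and the statement onto one unbraced line, `if (node.name.equals(zonename)) node.addType(Type.NSEC3PARAM);`, while the surrounding code brackets every block on its own lines; a braced block with a why-comment keeps the style consistent and records the reason the apex is special: `// Only the apex carries the NSEC3PARAM RR (added by the callers), so only its type bitmap lists it.` The body of generateNSEC3ForNode continues outside the hunk.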
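Review bot: The new `ttl` parameter of finishNSEC3s is undocumented, and nothing on the method says that every NSEC3 receives the same value (it is applied per record by `p.setTTL(ttl)` in the -921 hunk). A Javadoc would help: a summary such as "Sorts the proto NSEC3 records and converts them into NSEC3 RRs", then `@param ttl the TTL assigned to every generated NSEC3 RR; the callers pass the SOA minimum` and `@return the NSEC3 records, or null when nsec3s is null`. The body of finishNSEC3s runs past the end of the hunk.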