davidb/jdnssec-tools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

NSEC3PARAM support

Browse Source 
git-svn-id: https://svn.verisignlabs.com/jdnssec/tools/trunk@85 4cbd57fe-54e5-0310-bd9a-f30fe5ea5e6e
This commit is contained in:
David Blacka 2006-09-01 02:23:40 +00:00
parent b09196059e
commit 08b2c4bc32
3 changed files with 45 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ChangeLog
View File

@ -1,3 +1,11 @@
2006-08-31 David Blacka <davidb@fury.blacka.com>
* Modified jdnssec-signzone to set the ttls of NSEC3 records (so
far) to the SOA minimum value.
* Add NSEC3PARAM support for compatibility with the -07 NSEC3
draft.
2006-05-24 David Blacka <davidb@verisignlabs.com> 2006-05-24 David Blacka <davidb@verisignlabs.com>
* Add some error checking for the NSEC3 command line parameters * Add some error checking for the NSEC3 command line parameters

2
src/com/verisignlabs/dnssec/cl/SignZone.java
View File

@ -811,7 +811,7 @@ public class SignZone
List includedNames, byte[] salt, int iterations, int ds_digest_id) List includedNames, byte[] salt, int iterations, int ds_digest_id)
throws IOException, GeneralSecurityException throws IOException, GeneralSecurityException
{ {
// Remove any existing DNSSEC records (NSEC, NSEC3, RRSIG) // Remove any existing DNSSEC records (NSEC, NSEC3, NSEC3PARAM, RRSIG)
SignUtils.removeGeneratedRecords(zonename, records); SignUtils.removeGeneratedRecords(zonename, records);
// Sort the zone // Sort the zone

41
src/com/verisignlabs/dnssec/security/SignUtils.java
View File

@ -517,7 +517,7 @@ public class SignUtils
this.hasOptInSpan = false; this.hasOptInSpan = false;
addType(type); addType(type);
} }
public void addType(int type) public void addType(int type)
{ {
this.typemap.add(new Integer(type)); this.typemap.add(new Integer(type));
@ -653,6 +653,9 @@ public class SignUtils
// For detecting glue. // For detecting glue.
Name last_cut = null; Name last_cut = null;
long nsec3_ttl = 0;
long nsec3param_ttl = 0;
for (Iterator i = records.iterator(); i.hasNext();) for (Iterator i = records.iterator(); i.hasNext();)
{ {
Record r = (Record) i.next(); Record r = (Record) i.next();
@ -668,6 +671,13 @@ public class SignUtils
// note our last delegation point so we can recognize glue. // note our last delegation point so we can recognize glue.
if (r_sectype == RR_DELEGATION) last_cut = r_name; if (r_sectype == RR_DELEGATION) last_cut = r_name;
if (r_type == Type.SOA)
{
SOARecord soa = (SOARecord) r;
nsec3_ttl = soa.getMinimum();
nsec3param_ttl = soa.getTTL();
}
// For the first iteration, we create our current node. // For the first iteration, we create our current node.
if (current_node == null) if (current_node == null)
{ {
@ -710,7 +720,7 @@ public class SignUtils
false, false,
proto_nsec3s); proto_nsec3s);
List nsec3s = finishNSEC3s(proto_nsec3s); List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
// DEBUG // DEBUG
// for (Iterator i = nsec3s.iterator(); i.hasNext();) // for (Iterator i = nsec3s.iterator(); i.hasNext();)
// { // {
@ -719,6 +729,11 @@ public class SignUtils
// + base16.toString(nsec3.rdataToWireCanonical())); // + base16.toString(nsec3.rdataToWireCanonical()));
// } // }
records.addAll(nsec3s); records.addAll(nsec3s);
NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
nsec3param_ttl, NSEC3Record.SHA1_DIGEST_ID, iterations, salt);
records.add(nsec3param);
} }
public static void generateOptOutNSEC3Records(Name zonename, List records, public static void generateOptOutNSEC3Records(Name zonename, List records,
@ -731,6 +746,9 @@ public class SignUtils
// For detecting glue. // For detecting glue.
Name last_cut = null; Name last_cut = null;
long nsec3_ttl = 0;
long nsec3param_ttl = 0;
HashSet includeSet = null; HashSet includeSet = null;
if (includedNames != null) if (includedNames != null)
{ {
@ -752,6 +770,13 @@ public class SignUtils
// note our last delegation point so we can recognize glue. // note our last delegation point so we can recognize glue.
if (r_sectype == RR_DELEGATION) last_cut = r_name; if (r_sectype == RR_DELEGATION) last_cut = r_name;
if (r_type == Type.SOA)
{
SOARecord soa = (SOARecord) r;
nsec3_ttl = soa.getMinimum();
nsec3param_ttl = soa.getTTL();
}
// For the first iteration, we create our current node. // For the first iteration, we create our current node.
if (current_node == null) if (current_node == null)
{ {
@ -807,8 +832,12 @@ public class SignUtils
true, true,
proto_nsec3s); proto_nsec3s);
List nsec3s = finishNSEC3s(proto_nsec3s); List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
records.addAll(nsec3s); records.addAll(nsec3s);
NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
nsec3param_ttl, NSEC3Record.SHA1_DIGEST_ID, iterations, salt);
records.add(nsec3param);
} }
private static void generateNSEC3ForNode(NodeInfo node, Name zonename, private static void generateNSEC3ForNode(NodeInfo node, Name zonename,
@ -820,6 +849,7 @@ public class SignUtils
// Add our default types. // Add our default types.
node.addType(Type.RRSIG); node.addType(Type.RRSIG);
if (node.name.equals(zonename)) node.addType(Type.NSEC3PARAM);
// Check for ENTs -- note this will generate duplicate ENTs because it // Check for ENTs -- note this will generate duplicate ENTs because it
// doesn't use any context. // doesn't use any context.
@ -864,7 +894,7 @@ public class SignUtils
return r; return r;
} }
private static List finishNSEC3s(List nsec3s) private static List finishNSEC3s(List nsec3s, long ttl)
{ {
if (nsec3s == null) return null; if (nsec3s == null) return null;
Collections.sort(nsec3s, new ProtoNSEC3.Comparator()); Collections.sort(nsec3s, new ProtoNSEC3.Comparator());
@ -921,6 +951,7 @@ public class SignUtils
for (Iterator i = nsec3s.iterator(); i.hasNext();) for (Iterator i = nsec3s.iterator(); i.hasNext();)
{ {
ProtoNSEC3 p = (ProtoNSEC3) i.next(); ProtoNSEC3 p = (ProtoNSEC3) i.next();
p.setTTL(ttl);
res.add(p.getNSEC3Record()); res.add(p.getNSEC3Record());
} }
@ -1119,7 +1150,7 @@ public class SignUtils
Record r = (Record) i.next(); Record r = (Record) i.next();
if (r.getType() == Type.RRSIG || r.getType() == Type.NSEC if (r.getType() == Type.RRSIG || r.getType() == Type.NSEC
|| r.getType() == Type.NSEC3) || r.getType() == Type.NSEC3 || r.getType() == Type.NSEC3PARAM)
{ {
i.remove(); i.remove();
} }