Use the SOA minimum value for the generated NSEC records' TTL
git-svn-id: https://svn.verisignlabs.com/jdnssec/tools/trunk@131 4cbd57fe-54e5-0310-bd9a-f30fe5ea5e6e
This commit is contained in:
parent
c7e5d9e09b
commit
b0fac2fd43
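--- a/SignUtils.java
+++ b/SignUtils.java
@@ -122,8 +122,8 @@ public class SignUtils
 *
 * @param presig
 * the RRSIG RR prototype.
-* @return the RDATA portion of the prototype RRSIG record. This forms the first
-* part of the data to be signed.
+* @return the RDATA portion of the prototype RRSIG record. This forms the
+* first part of the data to be signed.
 */
 private static byte[] generatePreSigRdata(RRSIGRecord presig)
 {
@@ -338,13 +338,17 @@ public class SignUtils
 public static byte[] convertDSASignature(DSAParams params, byte[] signature)
 throws SignatureException
 {
-if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT) { throw new SignatureException(
-"Invalid ASN.1 signature format: expected SEQ, INT"); }
+if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT)
+{
+throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT");
+}
 
 byte r_pad = (byte) (signature[3] - 20);
 
-if (signature[24 + r_pad] != ASN1_INT) { throw new SignatureException(
-"Invalid ASN.1 signature format: expected SEQ, INT, INT"); }
+if (signature[24 + r_pad] != ASN1_INT)
+{
+throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT, INT");
+}
 
 log.finer("(start) ASN.1 DSA Sig:\n" + base64.toString(signature));
 
@@ -499,7 +503,8 @@ public class SignUtils
 // Current record is part of the current RRset.
 if (rrset.getName().equals(r.getName())
 && rrset.getDClass() == r.getDClass()
-&& ((r.getType() == Type.RRSIG && rrset.getType() == ((RRSIGRecord) r).getTypeCovered()) || rrset.getType() == r.getType()))
+&& ((r.getType() == Type.RRSIG && rrset.getType() == ((RRSIGRecord) r).getTypeCovered()) ||
+rrset.getType() == r.getType()))
 {
 rrset.addRR(r);
 continue;
@@ -601,6 +606,24 @@ public class SignUtils
 
 Name last_cut = null;
 int backup;
+long nsec_ttl = 0;
 
+// First find the SOA record -- it should be near the beginning -- and get
+// the soa minimum
+for (Iterator i = records.iterator(); i.hasNext();)
+{
+Object o = i.next();
+if (o instanceof SOARecord)
+{
+SOARecord soa = (SOARecord) o;
+nsec_ttl = soa.getMinimum();
+break;
+}
+}
+if (nsec_ttl == 0)
+{
+throw new IllegalArgumentException("Zone did not contain a SOA record");
+}
+
 for (ListIterator i = records.listIterator(); i.hasNext();)
 {
@@ -634,7 +657,7 @@ public class SignUtils
 if (last_node != null)
 {
 NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass,
-last_node.ttl, current_node.name,
+nsec_ttl, current_node.name,
 last_node.getTypes());
 // Note: we have to add this through the iterator, otherwise
 // the next access via the iterator will generate a
@@ -661,7 +684,7 @@ public class SignUtils
 if (last_node != null)
 {
 NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass,
-last_node.ttl, current_node.name,
+nsec_ttl, current_node.name,
 last_node.getTypes());
 records.add(last_node.nsecIndex - 1, nsec);
 log.finer("Generated: " + nsec);
@@ -669,7 +692,7 @@ public class SignUtils
 
 // Generate last NSEC
 NSECRecord nsec = new NSECRecord(current_node.name, current_node.dclass,
-current_node.ttl, zonename,
+nsec_ttl, zonename,
 current_node.getTypes());
 records.add(nsec);
 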
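Review bot: The SOA lookup added in the `@@ -601,6 +606,24 @@` hunk uses `0` both as its "not found" sentinel and as a possible real value, so a zone whose SOA MINIMUM field is 0 (legal, if unusual) is rejected with the misleading message "Zone did not contain a SOA record" instead of being signed with 0-TTL NSEC records. Initialise with an out-of-range sentinel and test for that instead: `long nsec_ttl = -1;` and `if (nsec_ttl < 0)`. A short why-comment on the assignment would also help later readers, e.g. `// RFC 4034 s.4: the NSEC TTL follows the SOA MINIMUM field (negative-caching TTL)`. The enclosing method starts and ends outside this hunk; the same variable feeds the three NSECRecord constructions in the `-634`, `-661` and `-669` hunks, which need no further change.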