
Example 1 with DNSSECMessage

use of org.minidns.dnssec.DNSSECMessage in project minidns by MiniDNS.

From class IterativeDNSSECTest, method shouldRequireLessQueries.

@IntegrationTest
public static void shouldRequireLessQueries() throws IOException {
    // Resolve the same DNSSEC-signed name with a client using the normal cache
    // and with one using the extended cache. Both answers must be authenticated,
    // otherwise the query-count comparison below is meaningless.
    DNSSECClient withNormalCache = getClient(CacheConfig.normal);
    DNSSECMessage normalAnswer = withNormalCache.queryDnssec(DNSSEC_DOMAIN, RR_TYPE);
    assertTrue(normalAnswer.authenticData);
    NetworkDataSourceWithAccounting normalAccounting = NetworkDataSourceWithAccounting.from(withNormalCache);

    DNSSECClient withExtendedCache = getClient(CacheConfig.extended);
    DNSSECMessage extendedAnswer = withExtendedCache.queryDnssec(DNSSEC_DOMAIN, RR_TYPE);
    assertTrue(extendedAnswer.authenticData);
    NetworkDataSourceWithAccounting extendedAccounting = NetworkDataSourceWithAccounting.from(withExtendedCache);

    // The extended cache is expected (presumably by serving more of the
    // validation chain locally) to need strictly fewer successful network queries.
    assertTrue(extendedAccounting.getStats().successfulQueries < normalAccounting.getStats().successfulQueries);
}

Example 2 with DNSSECMessage

use of org.minidns.dnssec.DNSSECMessage in project minidns by MiniDNS.

From class DNSSECStats, method iterativeDnsssecTest.

public static void iterativeDnsssecTest() throws SecurityException, IllegalArgumentException, IOException {
    // Trace-level logging makes every upstream query of the iterative resolution visible.
    MiniDnsJul.enableMiniDnsTrace();

    ExtendedLRUCache cache = new ExtendedLRUCache();
    DNSSECClient client = new DNSSECClient(cache);
    client.setMode(Mode.iterativeOnly);

    // Resolve the A record of a fixed DNSSEC-signed test name and print the validated answer.
    DNSSECMessage answer = client.queryDnssec("verteiltesysteme.net", TYPE.A);
    // CHECKSTYLE:OFF
    System.out.println(answer);
    // CHECKSTYLE:ON
}

Example 3 with DNSSECMessage

use of org.minidns.dnssec.DNSSECMessage in project minidns by MiniDNS.

From class DNSSECStats, method iterativeDnssecLookup.

private static void iterativeDnssecLookup(CacheConfig cacheConfig) throws IOException {
    // Run one iterative DNSSEC lookup of DOMAIN/RR_TYPE with the given cache
    // configuration and print the client statistics, the answer and every
    // reason (if any) the answer could not be verified.
    DNSSECClient client = MiniDNSStats.getClient(cacheConfig);
    client.setMode(Mode.iterativeOnly);
    DNSSECMessage answer = client.queryDnssec(DOMAIN, RR_TYPE);

    StringBuilder report = MiniDNSStats.getStats(client);
    report.append('\n').append(answer).append('\n');
    for (UnverifiedReason reason : answer.getUnverifiedReasons()) {
        report.append(reason);
    }
    report.append("\n\n");
    // CHECKSTYLE:OFF
    System.out.println(report);
    // CHECKSTYLE:ON
}

Example 4 with DNSSECMessage

use of org.minidns.dnssec.DNSSECMessage in project minidns by MiniDNS.

From class DaneVerifier, method verifyCertificateChain.

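/**
 * Verifies a certificate chain to be valid when used with the given connection details using DANE.
 * <p>
 * The TLSA record set of {@code _<port>._tcp.<hostName>} is queried through the client. Only an
 * answer carrying the {@code authenticData} flag is trusted: an unauthenticated answer is logged
 * (including the unverified reasons when the answer is a {@link DNSSECMessage}) and the method
 * returns {@code false}, leaving validation to PKIX. Otherwise the end entity certificate
 * {@code chain[0]} is matched against every TLSA record in the answer section whose owner name is
 * exactly the queried name; records for other names are ignored.
 *
 * @param chain A certificate chain that should be verified using DANE. Must contain at least the
 *              end entity certificate at index 0.
 * @param hostName The DNS name of the host this certificate chain belongs to.
 * @param port The port number that was used to reach the server providing the certificate chain in question.
 * @return Whether the DANE verification is the only requirement according to the TLSA record.
 * If this method returns {@code false}, additional PKIX validation is required.
 * @throws CertificateException if the certificate chain provided differs from the one enforced using DANE,
 *         or if {@code chain} is {@code null} or empty.
 * @throws RuntimeException wrapping the {@link IOException} if the TLSA lookup itself fails.
 */
public boolean verifyCertificateChain(X509Certificate[] chain, String hostName, int port) throws CertificateException {
    if (chain == null || chain.length == 0) {
        // chain[0] is dereferenced below; fail explicitly instead of with an array exception.
        throw new CertificateException("No certificate to verify with DANE for " + hostName + ":" + port);
    }
    DNSName req = DNSName.from("_" + port + "._tcp." + hostName);
    DNSMessage res;
    try {
        res = client.query(req, Record.TYPE.TLSA);
    } catch (IOException e) {
        // A failed lookup is neither a match nor a mismatch; propagate it unchanged.
        throw new RuntimeException(e);
    }
    if (!res.authenticData) {
        // Without DNSSEC validation a TLSA record cannot be trusted, so DANE is not applied.
        StringBuilder msg = new StringBuilder("Got TLSA response from DNS server, but was not signed properly.");
        if (res instanceof DNSSECMessage) {
            msg.append(" Reasons:");
            for (UnverifiedReason reason : ((DNSSECMessage) res).getUnverifiedReasons()) {
                msg.append(' ').append(reason);
            }
        }
        LOGGER.info(msg.toString());
        return false;
    }
    List<DaneCertificateException.CertificateMismatch> certificateMismatchExceptions = new LinkedList<>();
    boolean verified = false;
    for (Record<? extends Data> record : res.answerSection) {
        // Only TLSA records owned by the queried name are considered.
        if (record.type != Record.TYPE.TLSA || !record.name.equals(req)) {
            continue;
        }
        TLSA tlsa = (TLSA) record.payloadData;
        try {
            verified = checkCertificateMatches(chain[0], tlsa, hostName);
        } catch (DaneCertificateException.CertificateMismatch certificateMismatchException) {
            // Record the mismatch and only throw an exception if no
            // TLSA RR is able to verify the cert. This allows for TLSA
            // certificate rollover.
            certificateMismatchExceptions.add(certificateMismatchException);
        }
        if (verified) {
            break;
        }
    }
    if (!verified && !certificateMismatchExceptions.isEmpty()) {
        throw new DaneCertificateException.MultipleCertificateMismatchExceptions(certificateMismatchExceptions);
    }
    return verified;
}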
