Example 1 with NoTrustAnchorReason
use of org.minidns.dnssec.UnverifiedReason.NoTrustAnchorReason in project minidns by MiniDNS.
the class DNSSECClient method verifySecureEntryPoint.
private Set<UnverifiedReason> verifySecureEntryPoint(Question q, final Record<DNSKEY> sepRecord) throws IOException {
final DNSKEY dnskey = sepRecord.payloadData;
Set<UnverifiedReason> unverifiedReasons = new HashSet<>();
Set<UnverifiedReason> activeReasons = new HashSet<>();
if (knownSeps.containsKey(sepRecord.name)) {
if (dnskey.keyEquals(knownSeps.get(sepRecord.name))) {
return unverifiedReasons;
} else {
unverifiedReasons.add(new UnverifiedReason.ConflictsWithSep(sepRecord));
return unverifiedReasons;
}
}
// configured with one and we can abort stating the reason.
if (sepRecord.name.isRootLabel()) {
unverifiedReasons.add(new UnverifiedReason.NoRootSecureEntryPointReason());
return unverifiedReasons;
}
DelegatingDnssecRR delegation = null;
DNSSECMessage dsResp = queryDnssec(sepRecord.name, TYPE.DS);
if (dsResp == null) {
LOGGER.fine("There is no DS record for " + sepRecord.name + ", server gives no result");
} else {
unverifiedReasons.addAll(dsResp.getUnverifiedReasons());
for (Record<? extends Data> record : dsResp.answerSection) {
Record<DS> dsRecord = record.ifPossibleAs(DS.class);
if (dsRecord == null)
continue;
DS ds = dsRecord.payloadData;
if (dnskey.getKeyTag() == ds.keyTag) {
delegation = ds;
activeReasons = dsResp.getUnverifiedReasons();
break;
}
}
if (delegation == null) {
LOGGER.fine("There is no DS record for " + sepRecord.name + ", server gives empty result");
}
}
if (delegation == null && dlv != null && !dlv.isChildOf(sepRecord.name)) {
DNSSECMessage dlvResp = queryDnssec(DNSName.from(sepRecord.name, dlv), TYPE.DLV);
if (dlvResp != null) {
unverifiedReasons.addAll(dlvResp.getUnverifiedReasons());
for (Record<? extends Data> record : dlvResp.answerSection) {
Record<DLV> dlvRecord = record.ifPossibleAs(DLV.class);
if (dlvRecord == null)
continue;
if (sepRecord.payloadData.getKeyTag() == dlvRecord.payloadData.keyTag) {
LOGGER.fine("Found DLV for " + sepRecord.name + ", awesome.");
delegation = dlvRecord.payloadData;
activeReasons = dlvResp.getUnverifiedReasons();
break;
}
}
}
}
if (delegation != null) {
UnverifiedReason unverifiedReason = verifier.verify(sepRecord, delegation);
if (unverifiedReason != null) {
unverifiedReasons.add(unverifiedReason);
} else {
unverifiedReasons = activeReasons;
}
} else if (unverifiedReasons.isEmpty()) {
unverifiedReasons.add(new NoTrustAnchorReason(sepRecord.name.ace));
}
return unverifiedReasons;
}
Also used :
DelegatingDnssecRR(org.minidns.record.DelegatingDnssecRR)
DNSKEY(org.minidns.record.DNSKEY)
DS(org.minidns.record.DS)
DLV(org.minidns.record.DLV)
NoTrustAnchorReason(org.minidns.dnssec.UnverifiedReason.NoTrustAnchorReason)
HashSet(java.util.HashSet)
Example 2 with NoTrustAnchorReason
use of org.minidns.dnssec.UnverifiedReason.NoTrustAnchorReason in project minidns by MiniDNS.
the class DNSSECClient method verifySignedRecords.
private Set<UnverifiedReason> verifySignedRecords(Question q, RRSIG rrsig, List<Record<? extends Data>> records) throws IOException {
Set<UnverifiedReason> result = new HashSet<>();
DNSKEY dnskey = null;
if (rrsig.typeCovered == TYPE.DNSKEY) {
// Key must be present
for (Record<? extends Data> record : records) {
Record<DNSKEY> dnsKeyRecord = record.ifPossibleAs(DNSKEY.class);
if (dnsKeyRecord == null)
continue;
if (dnsKeyRecord.payloadData.getKeyTag() == rrsig.keyTag) {
dnskey = dnsKeyRecord.payloadData;
break;
}
}
} else if (q.type == TYPE.DS && rrsig.signerName.equals(q.name)) {
// We should not probe for the self signed DS negative response, as it will be an endless loop.
result.add(new NoTrustAnchorReason(q.name.ace));
return result;
} else {
DNSSECMessage dnskeyRes = queryDnssec(rrsig.signerName, TYPE.DNSKEY);
if (dnskeyRes == null) {
throw new DNSSECValidationFailedException(q, "There is no DNSKEY " + rrsig.signerName + ", but it is used");
}
result.addAll(dnskeyRes.getUnverifiedReasons());
for (Record<? extends Data> record : dnskeyRes.answerSection) {
Record<DNSKEY> dnsKeyRecord = record.ifPossibleAs(DNSKEY.class);
if (dnsKeyRecord == null)
continue;
if (dnsKeyRecord.payloadData.getKeyTag() == rrsig.keyTag) {
dnskey = dnsKeyRecord.payloadData;
}
}
}
if (dnskey == null) {
throw new DNSSECValidationFailedException(q, records.size() + " " + rrsig.typeCovered + " record(s) are signed using an unknown key.");
}
UnverifiedReason unverifiedReason = verifier.verify(records, rrsig, dnskey);
if (unverifiedReason != null) {
result.add(unverifiedReason);
}
return result;
}
Also used :
Record(org.minidns.record.Record)
Data(org.minidns.record.Data)
NoTrustAnchorReason(org.minidns.dnssec.UnverifiedReason.NoTrustAnchorReason)
DNSKEY(org.minidns.record.DNSKEY)
HashSet(java.util.HashSet)
Aggregations
HashSet (java.util.HashSet)2
NoTrustAnchorReason (org.minidns.dnssec.UnverifiedReason.NoTrustAnchorReason)2
DNSKEY (org.minidns.record.DNSKEY)2
DLV (org.minidns.record.DLV)1
DS (org.minidns.record.DS)1
Data (org.minidns.record.Data)1
DelegatingDnssecRR (org.minidns.record.DelegatingDnssecRR)1
Record (org.minidns.record.Record)1
