Use of org.minidns.record.DNSKEY in project minidns by MiniDNS.
From class DNSSECClientTest, method testValidDLV.
@SuppressWarnings("unchecked")
@Test
public void testValidDLV() throws IOException {
    // Exercises DNSSEC Lookaside Validation (RFC 4431 / RFC 5074): the root zone below
    // publishes a DS for "dlv" but none for "com", so "example.com" can only be chained to
    // the root trust anchor through the DLV record at "com.dlv". With lookaside enabled the
    // answer must be AD; with it disabled the same answer must not be.
    // NOTE(review): DLV has been moved to Historic status (RFC 8749) and the public ISC
    // lookaside zone is gone; this test documents legacy behaviour, not a recommended setup.
    final int kskFlags = DNSKEY.FLAG_ZONE | DNSKEY.FLAG_SECURE_ENTRY_POINT;

    // Key pair for the lookaside zone; the 1024-bit ZSK is a test-only size choice.
    PrivateKey dlvPrivateKSK = generatePrivateKey(algorithm, 2048);
    DNSKEY dlvKSK = dnskey(kskFlags, algorithm, publicKey(algorithm, dlvPrivateKSK));
    PrivateKey dlvPrivateZSK = generatePrivateKey(algorithm, 1024);
    DNSKEY dlvZSK = dnskey(DNSKEY.FLAG_ZONE, algorithm, publicKey(algorithm, dlvPrivateZSK));

    applyZones(client,
            // Root zone: DS only for "dlv", delegations for "dlv" and "com", glue for ns.com.
            signedRootZone(
                    sign(rootKSK, "", rootPrivateKSK, algorithm, record("", rootKSK), record("", rootZSK)),
                    sign(rootZSK, "", rootPrivateZSK, algorithm, record("dlv", ds("dlv", digestType, dlvKSK))),
                    sign(rootZSK, "", rootPrivateZSK, algorithm, record("dlv", ns("ns.com"))),
                    sign(rootZSK, "", rootPrivateZSK, algorithm, record("com", ns("ns.com"))),
                    sign(rootZSK, "", rootPrivateZSK, algorithm, record("ns.com", a("1.1.1.1")))),
            // "com" is signed with its own keys but has no DS in the root, i.e. an island of security.
            signedZone("com", "ns.com", "1.1.1.1",
                    sign(comKSK, "com", comPrivateKSK, algorithm, record("com", comKSK), record("com", comZSK)),
                    sign(comZSK, "com", comPrivateZSK, algorithm, record("example.com", a("1.1.1.2")))),
            // Lookaside zone: "com.dlv" carries a DLV record (a DS-shaped digest) for comKSK.
            signedZone("dlv", "ns.com", "1.1.1.1",
                    sign(dlvKSK, "dlv", dlvPrivateKSK, algorithm, record("dlv", dlvKSK), record("dlv", dlvZSK)),
                    sign(dlvZSK, "dlv", dlvPrivateZSK, algorithm, record("com.dlv", dlv("com", digestType, comKSK)))));

    // With lookaside validation pointed at "dlv" the answer validates (AD bit set).
    DNSName lookasideZone = DNSName.from("dlv");
    client.configureLookasideValidation(lookasideZone);
    DNSMessage withDlv = client.query("example.com", Record.TYPE.A);
    assertNotNull(withDlv);
    assertTrue(withDlv.authenticData);
    checkCorrectExampleMessage(withDlv);

    // Without lookaside there is no path from the root to "com", so the same answer is
    // still returned but must not be marked authentic.
    client.disableLookasideValidation();
    DNSMessage withoutDlv = client.query("example.com", Record.TYPE.A);
    assertNotNull(withoutDlv);
    assertFalse(withoutDlv.authenticData);
    checkCorrectExampleMessage(withoutDlv);
}
Use of org.minidns.record.DNSKEY in project minidns by MiniDNS.
From class DNSMessageTest, method testRootDnskeyLookup.
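@Test
public void testRootDnskeyLookup() throws Exception {
    // Parses a recorded recursive answer for ". DNSKEY" (fixture "root-dnskey") and pins the
    // header flags, the three DNSKEY records and the OPT pseudo-record.
    // NOTE(review): key tag 19036 is the pre-2018 root KSK (KSK-2010). This fixture is a
    // historic snapshot used for parser testing only; do not copy these tags or keys into
    // anything that configures trust anchors.
    DNSMessage m = getMessageFromResource("root-dnskey");
    // Answered by a recursive resolver: not authoritative, RD echoed back, RA set.
    assertFalse(m.authoritativeAnswer);
    assertTrue(m.recursionDesired);
    assertTrue(m.recursionAvailable);

    List<Record<? extends Data>> answers = m.answerSection;
    assertEquals(3, answers.size());
    for (int i = 0; i < answers.size(); i++) {
        Record<? extends Data> answer = answers.get(i);
        assertCsEquals(".", answer.name);
        assertEquals(19593, answer.getTtl());
        assertEquals(TYPE.DNSKEY, answer.type);
        assertEquals(TYPE.DNSKEY, answer.getPayload().getType());
        DNSKEY dnskey = (DNSKEY) answer.getPayload();
        // Protocol is fixed at 3 for DNSSEC keys (RFC 4034 section 2.1.2).
        assertEquals(3, dnskey.protocol);
        assertEquals(SignatureAlgorithm.RSASHA256, dnskey.algorithm);
        assertTrue((dnskey.flags & DNSKEY.FLAG_ZONE) > 0);
        // Key tags are 16-bit values (RFC 4034 Appendix B). The original assertion here
        // compared getKeyTag() with itself and could never fail; the exact tag of each key
        // is pinned per index below, so only the range is checked generically.
        int keyTag = dnskey.getKeyTag();
        assertTrue(keyTag >= 0 && keyTag <= 0xFFFF);
        switch (i) {
            case 0:
                // KSK: SEP flag set; 260 bytes of key material is consistent with a 2048-bit
                // RSA modulus plus the RFC 3110 exponent-length/exponent prefix.
                assertTrue((dnskey.flags & DNSKEY.FLAG_SECURE_ENTRY_POINT) > 0);
                assertEquals(260, dnskey.getKeyLength());
                assertEquals(19036, dnskey.getKeyTag());
                break;
            case 1:
                // ZSK: only the ZONE flag; 132 bytes is consistent with a 1024-bit RSA modulus.
                assertEquals(DNSKEY.FLAG_ZONE, dnskey.flags);
                assertEquals(132, dnskey.getKeyLength());
                assertEquals(48613, dnskey.getKeyTag());
                break;
            case 2:
                // Second ZSK (pre-published or outgoing key in the snapshot).
                assertEquals(DNSKEY.FLAG_ZONE, dnskey.flags);
                assertEquals(132, dnskey.getKeyLength());
                assertEquals(1518, dnskey.getKeyTag());
                break;
            default:
                // Unreachable while answers.size() == 3 holds; fail loudly rather than
                // silently skipping checks if the fixture ever grows.
                throw new AssertionError("unexpected answer index " + i);
        }
    }

    // Exactly one additional record: the OPT pseudo-record carrying EDNS(0).
    List<Record<? extends Data>> arr = m.additionalSection;
    assertEquals(1, arr.size());
    Record<? extends Data> opt = arr.get(0);
    EDNS edns = EDNS.fromRecord(opt);
    // The querying side advertised only the classic 512-byte UDP payload size.
    assertEquals(512, edns.udpPayloadSize);
    assertEquals(0, edns.version);
}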
Use of org.minidns.record.DNSKEY in project minidns by MiniDNS.
From class DNSSECClient, method verifySignatures.
/**
 * Checks the RRSIG records in {@code toBeVerified} against the RRsets in {@code reference}.
 *
 * Every RRSIG whose validity window contains the current wall-clock time is passed to
 * {@link #verifySignedRecords} together with the reference records that share its owner
 * name and covered type. Records covered by an in-zone signature are removed from
 * {@code toBeVerified}; the RRSIG record itself is always removed. Records whose only
 * signatures come from a foreign signer stay in {@code toBeVerified}, i.e. remain
 * unverified for the caller.
 *
 * @param q            the question whose answer is being validated
 * @param reference    the records the signatures are verified against
 * @param toBeVerified records still lacking a verified signature; mutated in place
 * @return the collected {@link UnverifiedReason}s plus the SEP bookkeeping flags
 * @throws IOException propagated from {@link #verifySignedRecords}
 */
private VerifySignaturesResult verifySignatures(Question q, Collection<Record<? extends Data>> reference, List<Record<? extends Data>> toBeVerified) throws IOException {
    // Validity windows are checked against the local wall clock; a skewed clock turns
    // otherwise good answers into a NoActiveSignaturesReason rather than a hard failure.
    final Date now = new Date();
    final List<RRSIG> outdatedRrSigs = new LinkedList<>();
    VerifySignaturesResult result = new VerifySignaturesResult();
    final List<Record<RRSIG>> rrsigs = new ArrayList<>(toBeVerified.size());
    // Pass 1: collect the RRSIGs whose [inception, expiration] window contains now;
    // non-RRSIG records are skipped.
    for (Record<? extends Data> recordToBeVerified : toBeVerified) {
        Record<RRSIG> record = recordToBeVerified.ifPossibleAs(RRSIG.class);
        if (record == null)
            continue;
        RRSIG rrsig = record.payloadData;
        if (rrsig.signatureExpiration.compareTo(now) < 0 || rrsig.signatureInception.compareTo(now) > 0) {
            // This RRSIG is out of date, but there might be one that is not.
            outdatedRrSigs.add(rrsig);
            continue;
        }
        rrsigs.add(record);
    }
    if (rrsigs.isEmpty()) {
        // Distinguish "signed, but every signature is outside its validity window" from
        // "not signed at all"; in both cases toBeVerified is left untouched.
        if (!outdatedRrSigs.isEmpty()) {
            result.reasons.add(new NoActiveSignaturesReason(q, outdatedRrSigs));
        } else {
            result.reasons.add(new NoSignaturesReason(q));
        }
        return result;
    }
    // Pass 2: verify each active RRSIG against the RRset it claims to cover.
    for (Record<RRSIG> sigRecord : rrsigs) {
        RRSIG rrsig = sigRecord.payloadData;
        // The covered RRset: reference records with the RRSIG's owner name and covered type.
        List<Record<? extends Data>> records = new ArrayList<>(reference.size());
        for (Record<? extends Data> record : reference) {
            if (record.type == rrsig.typeCovered && record.name.equals(sigRecord.name)) {
                records.add(record);
            }
        }
        Set<UnverifiedReason> reasons = verifySignedRecords(q, rrsig, records);
        result.reasons.addAll(reasons);
        if (q.name.equals(rrsig.signerName) && rrsig.typeCovered == TYPE.DNSKEY) {
            // The queried zone's own DNSKEY RRset, signed by one of its keys.
            for (Iterator<Record<? extends Data>> iterator = records.iterator(); iterator.hasNext(); ) {
                // records only holds entries whose type equals typeCovered (DNSKEY), so the
                // conversion is expected to succeed; a null here would be a bug elsewhere.
                Record<DNSKEY> dnsKeyRecord = iterator.next().ifPossibleAs(DNSKEY.class);
                // dnsKeyRecord should never be null here.
                DNSKEY dnskey = dnsKeyRecord.payloadData;
                // DNSKEYs are verified separately, so don't mark them verified now. Emptying
                // records also makes the removeAll() below a no-op for this RRset.
                iterator.remove();
                // NOTE(review): this matches on the 16-bit key tag only and does not consult
                // the matched key's SEP flag; key tags can collide (RFC 4034 Appendix B), so
                // the DS digest comparison must happen elsewhere (presumably in
                // verifySignedRecords -- confirm).
                if (dnskey.getKeyTag() == rrsig.keyTag) {
                    result.sepSignaturePresent = true;
                }
            }
            // DNSKEY's should be signed by a SEP
            result.sepSignatureRequired = true;
        }
        // RFC 4035 section 5.3.1: the signer name must be the zone containing the RRset,
        // i.e. the owner name itself or an ancestor of it (compared in ACE form here, as the
        // helper's name suggests).
        // NOTE(review): this check runs after verifySignedRecords, whose reasons were already
        // recorded above. If that method resolves rrsig.signerName (not visible here), an
        // attacker-supplied RRSIG with a foreign signer name drives those lookups; consider
        // rejecting cross-signed RRSIGs before verifying them.
        if (!isParentOrSelf(sigRecord.name.ace, rrsig.signerName.ace)) {
            // Cross-signed records stay in toBeVerified and therefore remain unverified.
            LOGGER.finer("Records at " + sigRecord.name + " are cross-signed with a key from " + rrsig.signerName);
        } else {
            toBeVerified.removeAll(records);
        }
        // RRSIG records are never themselves signed (RFC 4035 section 2.2).
        toBeVerified.remove(sigRecord);
    }
    return result;
}