
Example 1 with DS

Use of org.minidns.record.DS in the project minidns by MiniDNS: the method verifySecureEntryPoint of the class DNSSECClient. It checks whether a secure entry point (SEP) DNSKEY is anchored, either by a configured trust anchor or by a DS (or DLV) record in the parent zone.

private Set<UnverifiedReason> verifySecureEntryPoint(Question q, final Record<DNSKEY> sepRecord) throws IOException {
    final DNSKEY dnskey = sepRecord.payloadData;
    Set<UnverifiedReason> unverifiedReasons = new HashSet<>();
    Set<UnverifiedReason> activeReasons = new HashSet<>();
    // A configured trust anchor for this name settles the question: the key must
    // equal the configured one, otherwise it conflicts with the anchor.
    if (knownSeps.containsKey(sepRecord.name)) {
        if (dnskey.keyEquals(knownSeps.get(sepRecord.name))) {
            return unverifiedReasons;
        } else {
            unverifiedReasons.add(new UnverifiedReason.ConflictsWithSep(sepRecord));
            return unverifiedReasons;
        }
    }
    // The root has no parent zone that could hold a DS record, so a root SEP can only
    // be trusted if the client is configured with one; we got here without one and
    // can abort stating the reason.
    if (sepRecord.name.isRootLabel()) {
        unverifiedReasons.add(new UnverifiedReason.NoRootSecureEntryPointReason());
        return unverifiedReasons;
    }
    // Otherwise the chain of trust continues at the parent zone: look for a DS record
    // whose key tag matches this DNSKEY. Key tags are not unique and only the first
    // tag match is kept; the actual digest comparison happens in verifier.verify() below.
    DelegatingDnssecRR delegation = null;
    DNSSECMessage dsResp = queryDnssec(sepRecord.name, TYPE.DS);
    if (dsResp == null) {
        LOGGER.fine("There is no DS record for " + sepRecord.name + ", server gives no result");
    } else {
        unverifiedReasons.addAll(dsResp.getUnverifiedReasons());
        for (Record<? extends Data> record : dsResp.answerSection) {
            Record<DS> dsRecord = record.ifPossibleAs(DS.class);
            if (dsRecord == null)
                continue;
            DS ds = dsRecord.payloadData;
            if (dnskey.getKeyTag() == ds.keyTag) {
                delegation = ds;
                activeReasons = dsResp.getUnverifiedReasons();
                break;
            }
        }
        if (delegation == null) {
            LOGGER.fine("There is no DS record for " + sepRecord.name + ", server gives empty result");
        }
    }
    // No DS found: fall back to DNSSEC Lookaside Validation if a DLV domain is
    // configured and that domain is not itself below the zone being verified.
    if (delegation == null && dlv != null && !dlv.isChildOf(sepRecord.name)) {
        DNSSECMessage dlvResp = queryDnssec(DNSName.from(sepRecord.name, dlv), TYPE.DLV);
        if (dlvResp != null) {
            unverifiedReasons.addAll(dlvResp.getUnverifiedReasons());
            for (Record<? extends Data> record : dlvResp.answerSection) {
                Record<DLV> dlvRecord = record.ifPossibleAs(DLV.class);
                if (dlvRecord == null)
                    continue;
                if (sepRecord.payloadData.getKeyTag() == dlvRecord.payloadData.keyTag) {
                    LOGGER.fine("Found DLV for " + sepRecord.name + ", awesome.");
                    delegation = dlvRecord.payloadData;
                    activeReasons = dlvResp.getUnverifiedReasons();
                    break;
                }
            }
        }
    }
    // Check the DNSKEY against the delegation record (DS or DLV). On success only the
    // reasons attached to the response that delivered the delegation remain; with no
    // delegation at all, and nothing else to report, the key simply has no trust anchor.
    if (delegation != null) {
        UnverifiedReason unverifiedReason = verifier.verify(sepRecord, delegation);
        if (unverifiedReason != null) {
            unverifiedReasons.add(unverifiedReason);
        } else {
            unverifiedReasons = activeReasons;
        }
    } else if (unverifiedReasons.isEmpty()) {
        unverifiedReasons.add(new NoTrustAnchorReason(sepRecord.name.ace));
    }
    return unverifiedReasons;
}
Also used: DelegatingDnssecRR (org.minidns.record.DelegatingDnssecRR), DNSKEY (org.minidns.record.DNSKEY), DS (org.minidns.record.DS), DLV (org.minidns.record.DLV), NoTrustAnchorReason (org.minidns.dnssec.UnverifiedReason.NoTrustAnchorReason), HashSet (java.util.HashSet)

Example 2 with DS

Use of org.minidns.record.DS in the project minidns by MiniDNS: the method testComDsAndRrsigLookup of the class DNSMessageTest. It parses a captured DS response for com. and checks the DS record, the RRSIG covering it, and the EDNS OPT pseudo-record.

@Test
public void testComDsAndRrsigLookup() throws Exception {
    DNSMessage m = getMessageFromResource("com-ds-rrsig");
    assertFalse(m.authoritativeAnswer);
    assertTrue(m.recursionDesired);
    assertTrue(m.recursionAvailable);
    // Two answer records: the DS for com. and the RRSIG that covers it.
    List<Record<? extends Data>> answers = m.answerSection;
    assertEquals(2, answers.size());
    assertEquals(TYPE.DS, answers.get(0).type);
    assertEquals(TYPE.DS, answers.get(0).payloadData.getType());
    DS ds = (DS) answers.get(0).payloadData;
    assertEquals(30909, ds.keyTag);
    assertEquals(SignatureAlgorithm.RSASHA256, ds.algorithm);
    assertEquals(DigestAlgorithm.SHA256, ds.digestType);
    assertCsEquals("E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766", ds.getDigestHex());
    // The RRSIG is signed by the root zone key (signer name "."), covering type DS.
    assertEquals(TYPE.RRSIG, answers.get(1).type);
    assertEquals(TYPE.RRSIG, answers.get(1).payloadData.getType());
    RRSIG rrsig = (RRSIG) answers.get(1).payloadData;
    assertEquals(TYPE.DS, rrsig.typeCovered);
    assertEquals(SignatureAlgorithm.RSASHA256, rrsig.algorithm);
    assertEquals(1, rrsig.labels);
    assertEquals(86400, rrsig.originalTtl);
    // Signature validity window, compared in UTC to keep the test timezone-independent.
    SimpleDateFormat dateFormat = new SimpleDateFormat("yyyyMMddHHmmss");
    dateFormat.setTimeZone(TimeZone.getTimeZone("UTC"));
    assertCsEquals("20150629170000", dateFormat.format(rrsig.signatureExpiration));
    assertCsEquals("20150619160000", dateFormat.format(rrsig.signatureInception));
    assertEquals(48613, rrsig.keyTag);
    assertCsEquals(".", rrsig.signerName);
    assertEquals(128, rrsig.signature.length);
    // The additional section carries the EDNS OPT pseudo-record with the DO bit set.
    List<Record<? extends Data>> arr = m.additionalSection;
    assertEquals(1, arr.size());
    assertEquals(TYPE.OPT, arr.get(0).getPayload().getType());
    Record<? extends Data> opt = arr.get(0);
    EDNS edns = EDNS.fromRecord(opt);
    assertEquals(512, edns.udpPayloadSize);
    assertEquals(0, edns.version);
    assertTrue(edns.dnssecOk);
}
Also used: EDNS (org.minidns.edns.EDNS), Record (org.minidns.record.Record), Data (org.minidns.record.Data), RRSIG (org.minidns.record.RRSIG), SimpleDateFormat (java.text.SimpleDateFormat), DNSMessage (org.minidns.dnsmessage.DNSMessage), DS (org.minidns.record.DS), Test (org.junit.Test)

Aggregations (class, number of examples using it)

DS (org.minidns.record.DS): 2
SimpleDateFormat (java.text.SimpleDateFormat): 1
HashSet (java.util.HashSet): 1
Test (org.junit.Test): 1
DNSMessage (org.minidns.dnsmessage.DNSMessage): 1
NoTrustAnchorReason (org.minidns.dnssec.UnverifiedReason.NoTrustAnchorReason): 1
EDNS (org.minidns.edns.EDNS): 1
DLV (org.minidns.record.DLV): 1
DNSKEY (org.minidns.record.DNSKEY): 1
Data (org.minidns.record.Data): 1
DelegatingDnssecRR (org.minidns.record.DelegatingDnssecRR): 1
RRSIG (org.minidns.record.RRSIG): 1
Record (org.minidns.record.Record): 1