use of org.minidns.record.Data in project minidns by MiniDNS.
the class DNSMessageTest method testComNsec3Lookup.
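/**
 * Parses the {@code com-nsec3} fixture, a negative response from the .com zone, and checks every
 * NSEC3 record in its authority section field by field.
 *
 * @throws Exception if the fixture cannot be loaded or parsed.
 */
@Test
public void testComNsec3Lookup() throws Exception {
    DNSMessage m = getMessageFromResource("com-nsec3");
    // A negative answer carries no answer records; the proof of non-existence lives in the
    // authority section.
    assertEquals(0, m.answerSection.size());
    List<Record<? extends Data>> authority = m.authoritySection;
    assertEquals(8, authority.size());

    for (Record<? extends Data> record : authority) {
        if (record.type != TYPE.NSEC3) {
            continue;
        }
        assertEquals(TYPE.NSEC3, record.getPayload().getType());
        NSEC3 nsec3 = (NSEC3) record.payloadData;

        // Every NSEC3 in this fixture shares the same hash parameters: SHA-1, flags value 1
        // (the Opt-Out bit), no additional iterations and an empty salt.
        assertEquals(HashAlgorithm.SHA1, nsec3.hashAlgorithm);
        assertEquals(1, nsec3.flags);
        assertEquals(0, nsec3.iterations);
        assertEquals(0, nsec3.salt.length);

        String nextHashed = Base32.encodeToString(nsec3.nextHashed);
        switch (record.name.ace) {
            case "CK0POJMG874LJREF7EFN8430QVIT8BSM.com":
                assertCsEquals("CK0QFMDQRCSRU0651QLVA1JQB21IF7UR", nextHashed);
                assertArrayContentEquals(new TYPE[] { TYPE.NS, TYPE.SOA, TYPE.RRSIG, TYPE.DNSKEY, TYPE.NSEC3PARAM }, nsec3.types);
                break;
            case "V2I33UBTHNVNSP9NS85CURCLSTFPTE24.com":
                assertCsEquals("V2I4KPUS7NGDML5EEJU3MVHO26GKB6PA", nextHashed);
                assertArrayContentEquals(new TYPE[] { TYPE.NS, TYPE.DS, TYPE.RRSIG }, nsec3.types);
                break;
            case "3RL20VCNK6KV8OT9TDIJPI0JU1SS6ONS.com":
                assertCsEquals("3RL3UFVFRUE94PV5888AIC2TPS0JA9V2", nextHashed);
                assertArrayContentEquals(new TYPE[] { TYPE.NS, TYPE.DS, TYPE.RRSIG }, nsec3.types);
                break;
            default:
                // Without this branch an NSEC3 at an unknown owner name would pass silently,
                // so a changed or corrupted fixture would go unnoticed.
                throw new AssertionError("Unexpected NSEC3 owner name: " + record.name.ace);
        }
    }
}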
use of org.minidns.record.Data in project minidns by MiniDNS.
the class DNSMessageTest method testSoaLookup.
/**
 * Parses the {@code oracle-soa} fixture and checks that its single answer is a SOA record whose
 * fields decode to the expected values.
 *
 * @throws Exception if the fixture cannot be loaded or parsed.
 */
@Test
public void testSoaLookup() throws Exception {
    DNSMessage message = getMessageFromResource("oracle-soa");
    // The AA bit is expected to be clear for this fixture.
    assertFalse(message.authoritativeAnswer);

    List<Record<? extends Data>> answerSection = message.answerSection;
    assertEquals(1, answerSection.size());
    Data payload = answerSection.get(0).getPayload();
    assertTrue(payload instanceof SOA);
    assertEquals(TYPE.SOA, payload.getType());

    SOA soa = (SOA) payload;
    assertCsEquals("orcldns1.ultradns.com", soa.mname);
    assertCsEquals("hostmaster\\@oracle.com", soa.rname);
    // Timing fields follow in wire order: serial, refresh, retry, expire, minimum.
    assertEquals(2015032404L, soa.serial);
    assertEquals(10800, soa.refresh);
    assertEquals(3600, soa.retry);
    assertEquals(1209600, soa.expire);
    assertEquals(900L, soa.minimum);
}
use of org.minidns.record.Data in project minidns by MiniDNS.
the class DNSMessageTest method testALookup.
/**
 * Parses the {@code sun-a} fixture and checks that the answer is a CNAME followed by the A record
 * of the alias target.
 *
 * @throws Exception if the fixture cannot be loaded or parsed.
 */
@Test
public void testALookup() throws Exception {
    DNSMessage message = getMessageFromResource("sun-a");
    assertFalse(message.authoritativeAnswer);

    List<Record<? extends Data>> answerSection = message.answerSection;
    assertEquals(2, answerSection.size());

    // The alias comes first.
    Data cnamePayload = answerSection.get(0).getPayload();
    assertTrue(cnamePayload instanceof RRWithTarget);
    assertEquals(TYPE.CNAME, cnamePayload.getType());
    assertCsEquals("legacy-sun.oraclegha.com", ((RRWithTarget) cnamePayload).target);

    // The A record is owned by the CNAME's target name.
    Record<? extends Data> aRecord = answerSection.get(1);
    assertCsEquals("legacy-sun.oraclegha.com", aRecord.name);
    Data aPayload = aRecord.getPayload();
    assertTrue(aPayload instanceof A);
    assertEquals(TYPE.A, aPayload.getType());
    assertCsEquals("156.151.59.35", aPayload.toString());
}
use of org.minidns.record.Data in project minidns by MiniDNS.
the class DNSSECClient method verifySignedRecords.
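/**
 * Verifies the signature {@code rrsig} over {@code records} and reports why the RRset could not
 * be trusted, if it could not.
 * <p>
 * The signing DNSKEY is located in one of three ways: a signature over a DNSKEY RRset must be
 * made by a key from that very RRset; a signature over a DS RRset at the signer's own name is
 * not resolved further (that would loop forever), so it is reported as lacking a trust anchor;
 * every other signature triggers a DNSKEY lookup at the signer name.
 * <p>
 * A key tag does not uniquely identify a DNSKEY, so every key carrying the signature's tag is
 * tried until one validates (RFC 4035, section 5.3.1). Previously only a single key with the
 * matching tag was tried, which made an RRset signed by the other key of a colliding pair fail
 * verification.
 *
 * @param q the question this RRset answers; used for error reporting.
 * @param rrsig the signature to check.
 * @param records the RRset covered by {@code rrsig}.
 * @return the reasons the RRset could not be verified; empty when verification succeeded.
 * @throws IOException if the DNSKEY lookup fails.
 * @throws DNSSECValidationFailedException if no DNSKEY with the signature's key tag can be found.
 */
private Set<UnverifiedReason> verifySignedRecords(Question q, RRSIG rrsig, List<Record<? extends Data>> records) throws IOException {
    Set<UnverifiedReason> result = new HashSet<>();
    List<Record<? extends Data>> keyRecords;
    if (rrsig.typeCovered == TYPE.DNSKEY) {
        // Key must be present in the RRset being verified
        keyRecords = records;
    } else if (q.type == TYPE.DS && rrsig.signerName.equals(q.name)) {
        // We should not probe for the self signed DS negative response, as it will be an endless loop.
        result.add(new NoTrustAnchorReason(q.name.ace));
        return result;
    } else {
        DNSSECMessage dnskeyRes = queryDnssec(rrsig.signerName, TYPE.DNSKEY);
        if (dnskeyRes == null) {
            throw new DNSSECValidationFailedException(q, "There is no DNSKEY " + rrsig.signerName + ", but it is used");
        }
        // Anything wrong with the key response taints this RRset as well.
        result.addAll(dnskeyRes.getUnverifiedReasons());
        keyRecords = dnskeyRes.answerSection;
    }
    UnverifiedReason unverifiedReason = verifyWithMatchingKeys(q, rrsig, records, keyRecords);
    if (unverifiedReason != null) {
        result.add(unverifiedReason);
    }
    return result;
}

/**
 * Checks {@code rrsig} over {@code records} against every DNSKEY in {@code keyRecords} whose key
 * tag matches the signature, in order of appearance.
 * <p>
 * Each extra colliding key costs one more signature check. Collisions are rare in practice, but
 * a resolver that validates data from arbitrary zones may want to bound the number of attempts.
 *
 * @param q the question being answered; used for error reporting.
 * @param rrsig the signature to check.
 * @param records the RRset covered by {@code rrsig}.
 * @param keyRecords the records to search for candidate DNSKEYs; non-DNSKEY records are skipped.
 * @return {@code null} as soon as one candidate key validates the signature, otherwise the
 *         reason reported for the last candidate tried.
 * @throws DNSSECValidationFailedException if {@code keyRecords} holds no DNSKEY with the
 *         signature's key tag.
 */
private UnverifiedReason verifyWithMatchingKeys(Question q, RRSIG rrsig, List<Record<? extends Data>> records,
        List<Record<? extends Data>> keyRecords) throws IOException {
    boolean keyFound = false;
    UnverifiedReason lastReason = null;
    for (Record<? extends Data> record : keyRecords) {
        Record<DNSKEY> dnsKeyRecord = record.ifPossibleAs(DNSKEY.class);
        if (dnsKeyRecord == null || dnsKeyRecord.payloadData.getKeyTag() != rrsig.keyTag) {
            continue;
        }
        keyFound = true;
        lastReason = verifier.verify(records, rrsig, dnsKeyRecord.payloadData);
        if (lastReason == null) {
            // One validating key is sufficient.
            return null;
        }
    }
    if (!keyFound) {
        throw new DNSSECValidationFailedException(q, records.size() + " " + rrsig.typeCovered + " record(s) are signed using an unknown key.");
    }
    return lastReason;
}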
use of org.minidns.record.Data in project minidns by MiniDNS.
the class DNSSECClient method verifyAnswer.
/**
 * Verifies the answer section of {@code dnsMessage} and collects the reasons it cannot be
 * trusted.
 * <p>
 * The signatures over the answers are checked first. DNSKEY records are then handled on their
 * own: each is verified as if it were a secure entry point, and a single valid SEP is enough.
 * Whatever is still left in the to-be-verified copy afterwards is reported, as a hard failure
 * when only part of the answer is signed or as a {@link NoSignaturesReason} when nothing is.
 *
 * @param dnsMessage the response to verify; its first question is used for reporting.
 * @return the reasons the answer is not verified; empty when it is.
 * @throws IOException if a lookup needed during verification fails.
 * @throws DNSSECValidationFailedException if only some of the answer records are signed.
 */
private Set<UnverifiedReason> verifyAnswer(DNSMessage dnsMessage) throws IOException {
    Question question = dnsMessage.questions.get(0);
    List<Record<? extends Data>> answers = dnsMessage.answerSection;
    List<Record<? extends Data>> unverified = dnsMessage.copyAnswers();

    VerifySignaturesResult signatures = verifySignatures(question, answers, unverified);
    // The set produced by the signature check is extended in place and returned as-is.
    Set<UnverifiedReason> reasons = signatures.reasons;
    if (!reasons.isEmpty()) {
        return reasons;
    }

    // Keep SEPs separated, we only need one valid SEP.
    boolean anySepValid = false;
    Set<UnverifiedReason> sepReasons = new HashSet<>();
    Iterator<Record<? extends Data>> it = unverified.iterator();
    while (it.hasNext()) {
        Record<DNSKEY> keyRecord = it.next().ifPossibleAs(DNSKEY.class);
        if (keyRecord == null) {
            continue;
        }
        // Verify all DNSKEYs as if it was a SEP. If we find a single SEP we are safe.
        Set<UnverifiedReason> sepResult = verifySecureEntryPoint(question, keyRecord);
        if (sepResult.isEmpty()) {
            anySepValid = true;
        } else {
            sepReasons.addAll(sepResult);
        }
        if (!signatures.sepSignaturePresent) {
            LOGGER.finer("SEP key is not self-signed.");
        }
        // Every DNSKEY has been judged through the SEP path; drop it from the unverified copy.
        it.remove();
    }

    if (signatures.sepSignaturePresent && !anySepValid) {
        reasons.addAll(sepReasons);
    }
    if (signatures.sepSignatureRequired && !signatures.sepSignaturePresent) {
        reasons.add(new NoSecureEntryPointReason(question.name.ace));
    }

    if (unverified.isEmpty()) {
        return reasons;
    }
    if (unverified.size() != answers.size()) {
        throw new DNSSECValidationFailedException(question, "Only some records are signed!");
    }
    reasons.add(new NoSignaturesReason(question));
    return reasons;
}