
Example 1 with NSEC3Record

Use of org.xbill.DNS.NSEC3Record in the project dim by 1and1.

The method processNSEC3Chain of the class ZoneVerifier.

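/**
 * Walks the NSEC3 chain held in {@code mNSEC3Map} and counts the problems found.
 *
 * <p>Per record: it must have been marked while a signed node was processed
 * (otherwise it is reported as extra), the map key must equal the record's
 * owner name, and the previous record's next-hash must equal this record's
 * hashed owner. Every record except the last must also have next > owner.
 * After the loop the last record must wrap around (owner >= next) and its
 * next-hash must equal the first record's hashed owner.
 *
 * <p>Assumes the map iterates in ascending hashed-name order (presumably a
 * SortedMap, confirm against the field declaration); the chain checks are
 * meaningless otherwise.
 *
 * @return the number of chain errors found; an empty chain is reported as one
 *         error instead of dereferencing a null last record
 */
private int processNSEC3Chain() {
    // With no NSEC3 records at all the post-loop checks would dereference a
    // null lastNSEC3/firstNSEC3; report the condition instead of throwing.
    if (mNSEC3Map.isEmpty()) {
        log.warning("The NSEC3 chain is empty.");
        return 1;
    }
    int errors = 0;
    NSEC3Record firstNSEC3 = null;
    NSEC3Record lastNSEC3 = null;
    for (Map.Entry<Name, MarkRRset> entry : mNSEC3Map.entrySet()) {
        // Any record that is followed by another must have next > owner; the
        // final record is checked with the opposite sense after the loop.
        if (lastNSEC3 != null
                && compareNSEC3Hashes(lastNSEC3.getName(), lastNSEC3.getNext()) >= 0) {
            log.warning("NSEC3 for " + lastNSEC3.getName() + " has next name >= owner but is not the last NSEC3 in the chain.");
            errors++;
        }
        Name n = entry.getKey();
        MarkRRset rrset = entry.getValue();
        // Unmarked means no signed node claimed this NSEC3 during verification.
        if (!rrset.getMark()) {
            log.warning("NSEC3 RR for " + n + " appears to be extra.");
            errors++;
        }
        NSEC3Record nsec3 = (NSEC3Record) rrset.first();
        // A key/owner mismatch means the map itself was built incorrectly.
        if (!n.equals(nsec3.getName())) {
            log.severe("The NSEC3 in the map for name " + n + " has name " + nsec3.getName());
            errors++;
        }
        if (lastNSEC3 == null) {
            // Remember the chain head so the wrap-around link can be checked.
            firstNSEC3 = nsec3;
        } else if (compareNSEC3Hashes(nsec3.getName(), lastNSEC3.getNext()) != 0) {
            // The prior record's next-hash must be this record's hashed owner.
            String nextstr = mBase32.toString(lastNSEC3.getNext());
            log.warning("NSEC3 for " + lastNSEC3.getName() + " does not point to the next NSEC3 in the chain: " + nsec3.getName() + ", instead points to: " + nextstr);
            errors++;
        }
        lastNSEC3 = nsec3;
    }
    // The last record wraps around, so its owner must be >= its next-hash ...
    if (compareNSEC3Hashes(lastNSEC3.getName(), lastNSEC3.getNext()) < 0) {
        String nextstr = mBase32.toString(lastNSEC3.getNext());
        log.warning("The last NSEC3 RR in the chain did not have an owner >= next: owner = " + lastNSEC3.getName() + " next = " + nextstr);
        errors++;
    }
    // ... and that next-hash must close the loop back to the first record.
    if (compareNSEC3Hashes(firstNSEC3.getName(), lastNSEC3.getNext()) != 0) {
        log.warning("The last NSEC3 RR in the chain did not link to the first NSEC3");
        errors++;
    }
    return errors;
}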

Example 2 with NSEC3Record

Use of org.xbill.DNS.NSEC3Record in the project dim by 1and1.

The method determineNSEC3Owners of the class ZoneFormat.

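/**
 * Annotates each NSEC3 record in {@code zone} with the owner name whose hash
 * it covers, by rebuilding the hash-to-owner mapping from the zone itself.
 *
 * <p>The list is sorted in place so records with the same owner are adjacent.
 * The SOA supplies the zone apex and the NSEC3PARAM supplies the hash
 * parameters; if either is missing the method returns after the sort. Every
 * distinct non-NSEC3 owner name, plus each possible empty-non-terminal
 * ancestor strictly between it and the apex, is hashed and keyed by its
 * BASE32HEX text. Each NSEC3 record is then replaced by a copy constructed
 * with the owner name found for its first label. A hash with no match yields
 * a null owner name, which is handed to the NSEC3Record constructor as-is
 * (NOTE(review): confirm the constructor tolerates null there).
 *
 * @param zone the zone's records; sorted in place, NSEC3 entries replaced
 * @throws NoSuchAlgorithmException if the NSEC3PARAM hash algorithm is unavailable
 */
private static void determineNSEC3Owners(List<Record> zone) throws NoSuchAlgorithmException {
    // Put the zone into a consistent (name and RR type) order.
    Collections.sort(zone, new RecordComparator());
    // First pass: find the apex (SOA) and the NSEC3PARAM. A linear search,
    // but both should be near the head of the sorted list.
    NSEC3PARAMRecord nsec3param = null;
    Name zonename = null;
    for (Record r : zone) {
        if (r.getType() == Type.SOA) {
            zonename = r.getName();
            continue;
        }
        if (r.getType() == Type.NSEC3PARAM) {
            nsec3param = (NSEC3PARAMRecord) r;
            break;
        }
    }
    // Without an apex the ancestor computation below is undefined.
    if (zonename == null)
        return;
    // Without NSEC3 parameters there is nothing to hash.
    if (nsec3param == null)
        return;
    base32 b32 = new base32(base32.Alphabet.BASE32HEX, false, true);
    // Hash text (lower-cased) -> owner name text (lower-cased). Case folding
    // uses Locale.ROOT so the mapping does not depend on the JVM's default
    // locale (e.g. Turkish 'I' handling) for DNS names and BASE32HEX labels.
    HashMap<String, String> map = new HashMap<String, String>();
    // Second pass: map every owner name (and its potential ENT ancestors)
    // to its hash. Sorting above makes same-name records adjacent, so
    // comparing against the previous name is enough to skip duplicates.
    Name last_name = null;
    for (Record r : zone) {
        if (r.getName().equals(last_name))
            continue;
        if (r.getType() == Type.NSEC3)
            continue;
        Name n = r.getName();
        String hashname = b32.toString(nsec3param.hashName(n));
        map.put(hashname, n.toString().toLowerCase(java.util.Locale.ROOT));
        last_name = n;
        // Ancestors with more labels than the apex and fewer than n may be
        // empty non-terminals that have their own NSEC3; hash them too.
        for (int i = zonename.labels() + 1; i < n.labels(); ++i) {
            Name parent = new Name(n, n.labels() - i);
            String parent_hashname = b32.toString(nsec3param.hashName(parent));
            if (!map.containsKey(parent_hashname)) {
                map.put(parent_hashname, parent.toString().toLowerCase(java.util.Locale.ROOT));
            }
        }
    }
    // Final pass: replace each NSEC3 with a copy that carries its owner name.
    for (ListIterator<Record> i = zone.listIterator(); i.hasNext(); ) {
        Record r = i.next();
        if (r.getType() != Type.NSEC3)
            continue;
        NSEC3Record nsec3 = (NSEC3Record) r;
        // The NSEC3 owner's first label is the BASE32HEX hash.
        String hashname = nsec3.getName().getLabelString(0).toLowerCase(java.util.Locale.ROOT);
        String ownername = map.get(hashname);
        NSEC3Record new_nsec3 = new NSEC3Record(nsec3.getName(), nsec3.getDClass(), nsec3.getTTL(), nsec3.getHashAlgorithm(), nsec3.getFlags(), nsec3.getIterations(), nsec3.getSalt(), nsec3.getNext(), nsec3.getTypes(), ownername);
        i.set(new_nsec3);
    }
}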

Example 3 with NSEC3Record

Use of org.xbill.DNS.NSEC3Record in the project dim by 1and1.

The method processNSEC3 of the class ZoneVerifier.

/**
 * Verifies the NSEC3 record that covers {@code n} and marks it as accounted for.
 *
 * <p>The owner of the expected NSEC3 is the BASE32HEX hash of {@code n} as a
 * label under the zone apex. A missing record counts as one error. Otherwise
 * the record is marked, its type bitmap is compared with {@code typeset}, the
 * RRset is verified via {@code processRRset}, and, when
 * {@code shouldCheckENTs} says so, the immediate parent of {@code n} is
 * processed the same way if it has no node of its own (an empty non-terminal).
 *
 * @param n       the owner name whose NSEC3 should exist
 * @param typeset the RR types present at {@code n}; the recursive ENT call
 *                passes null (presumably "no types", confirm in checkTypeMap)
 * @param ntype   the kind of node {@code n} is
 * @return the number of errors found for {@code n} and any ENT ancestors
 * @throws NoSuchAlgorithmException if the NSEC3 hash algorithm is unavailable
 * @throws TextParseException if the hashed label cannot form a valid name
 */
private int processNSEC3(Name n, Set<Integer> typeset, NodeType ntype) throws NoSuchAlgorithmException, TextParseException {
    // Expected NSEC3 owner: hash(n) in BASE32HEX, relative to the zone apex.
    String hashLabel = mBase32.toString(mNSEC3params.hashName(n));
    Name hashname = new Name(hashLabel, mZoneName);
    MarkRRset rrset = mNSEC3Map.get(hashname);
    if (rrset == null) {
        log.warning("Missing NSEC3 for " + hashname + " corresponding to " + n);
        return 1;
    }
    // Mark so the chain walk later knows this NSEC3 belongs to a real node.
    rrset.setMark(true);
    NSEC3Record nsec3 = (NSEC3Record) rrset.first();
    int errors = 0;
    boolean typemapMatches = checkTypeMap(typeset, nsec3.getTypes());
    if (!typemapMatches) {
        log.warning("Typemap for NSEC3 RR " + hashname + " for " + n + " did not match what was expected. Expected '" + typesetToString(typeset) + "', got '" + typesToString(nsec3.getTypes()) + "'");
        errors++;
    }
    errors += processRRset(rrset);
    // Walk one label up: a parent absent from the node map is an empty
    // non-terminal that must still have its own NSEC3. Recursion stops when
    // shouldCheckENTs declines or the parent exists as a node.
    if (shouldCheckENTs(n, typeset, ntype)) {
        Name parent = new Name(n, 1);
        if (mNodeMap.get(parent) == null) {
            errors += processNSEC3(parent, null, NodeType.NORMAL);
        }
    }
    return errors;
}
