org.jitsi.dnssec.validator

Class ValUtils

java.lang.Object

org.jitsi.dnssec.validator.ValUtils

public class ValUtils
extends Object

This is a collection of routines encompassing the logic of validating different message types.

Author:

davidb

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	ValUtils.NsecProvesNodataResponse Container for responses of nsecProvesNodata(SRRset, NSECRecord, Name, int).

Field Summary

Fields

Modifier and Type	Field and Description
static String	ALGORITHM_ENABLED
static String	DIGEST_ENABLED
static String	DIGEST_HARDEN_DOWNGRADE
static String	DIGEST_PREFERENCE

Constructor Summary

Constructors

Constructor and Description
ValUtils() Creates a new instance of this class.

Method Summary

Modifier and Type	Method and Description
static ResponseClassification	classifyResponse(org.xbill.DNS.Message request, SMessage m) Given a response, classify ANSWER responses into a subtype.
static org.xbill.DNS.Name	closestEncloser(org.xbill.DNS.Name domain, org.xbill.DNS.Name owner, org.xbill.DNS.Name next) Determines the 'closest encloser' - the name that has the most common labels between domain and (Record.getName() or NSECRecord.getNext()).
boolean	hasSignedNsecs(SMessage message) Checks if the authority section of a message contains at least one signed NSEC or NSEC3 record.
void	init(Properties config) Initialize the module.
static org.xbill.DNS.Name	longestCommonName(org.xbill.DNS.Name domain1, org.xbill.DNS.Name domain2) Finds the longest domain name in common with the given name.
static boolean	nsecProvesNameError(SRRset set, org.xbill.DNS.NSECRecord nsec, org.xbill.DNS.Name qname) Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.
static ValUtils.NsecProvesNodataResponse	nsecProvesNodata(SRRset set, org.xbill.DNS.NSECRecord nsec, org.xbill.DNS.Name qname, int qtype) Determine if a NSEC proves the NOERROR/NODATA conditions.
org.jitsi.dnssec.validator.JustifiedSecStatus	nsecProvesNodataDsReply(org.xbill.DNS.Message request, SMessage response, SRRset keyRrset, Instant date) Check DS absence.
static SecurityStatus	nsecProvesNoDS(org.xbill.DNS.NSECRecord nsec, org.xbill.DNS.Name qname) Determines whether the given NSECRecord proves that there is no DSRecord for qname.
static boolean	nsecProvesNoWC(SRRset set, org.xbill.DNS.NSECRecord nsec, org.xbill.DNS.Name qname) Determine if a NSEC record proves the non-existence of a wildcard that could have produced qname.
static org.xbill.DNS.Name	nsecWildcard(org.xbill.DNS.Name domain, SRRset set, org.xbill.DNS.NSECRecord nsec) Gets the closest encloser of domain prepended with a wildcard label.
static org.xbill.DNS.Name	rrsetWildcard(org.xbill.DNS.RRset rrset) Determine by looking at a signed RRset whether or not the RRset name was the result of a wildcard expansion.
static void	setCanonicalNsecOwner(SRRset set, org.xbill.DNS.RRSIGRecord sig) Set the owner name of NSEC RRsets to the canonical name, i.e.
static boolean	strictSubdomain(org.xbill.DNS.Name domain1, org.xbill.DNS.Name domain2) Is the first Name strictly a subdomain of the second name (i.e., below but not equal to).
KeyEntry	verifyNewDNSKEYs(SRRset dnskeyRrset, SRRset dsRrset, long badKeyTTL, Instant date) Given a DS rrset and a DNSKEY rrset, match the DS to a DNSKEY and verify the DNSKEY rrset with that key.
SecurityStatus	verifySRRset(SRRset rrset, SRRset keyRrset, Instant date) Given an SRRset that is signed by a DNSKEY found in the key_rrset, verify it.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DIGEST_PREFERENCE

public static final String DIGEST_PREFERENCE

See Also:

Constant Field Values

DIGEST_ENABLED

public static final String DIGEST_ENABLED

See Also:

Constant Field Values

DIGEST_HARDEN_DOWNGRADE

public static final String DIGEST_HARDEN_DOWNGRADE

See Also:

Constant Field Values

ALGORITHM_ENABLED

public static final String ALGORITHM_ENABLED

See Also:

Constant Field Values

Constructor Detail

ValUtils

public ValUtils()

Creates a new instance of this class.

Method Detail

setCanonicalNsecOwner

public static void setCanonicalNsecOwner(SRRset set,
                                         org.xbill.DNS.RRSIGRecord sig)

Set the owner name of NSEC RRsets to the canonical name, i.e. the name that is not expanded from a wildcard label.

Parameters:

set - The RRset to canonicalize.

sig - The signature that validated this RRset.

init

public void init(Properties config)

Initialize the module. The recognized configuration values are:

• DIGEST_PREFERENCE
• DIGEST_HARDEN_DOWNGRADE
• DIGEST_ENABLED
• ALGORITHM_ENABLED

Parameters:

config - The configuration data for this module.

classifyResponse

public static ResponseClassification classifyResponse(org.xbill.DNS.Message request,
                                                      SMessage m)

Given a response, classify ANSWER responses into a subtype.

Parameters:

request - The original query message.

m - The response to classify.

Returns:

A subtype ranging from UNKNOWN to NAMEERROR.

verifyNewDNSKEYs

public KeyEntry verifyNewDNSKEYs(SRRset dnskeyRrset,
                                 SRRset dsRrset,
                                 long badKeyTTL,
                                 Instant date)

Given a DS rrset and a DNSKEY rrset, match the DS to a DNSKEY and verify the DNSKEY rrset with that key.

Parameters:

dnskeyRrset - The DNSKEY rrset to match against. The security status of this rrset will be updated on a successful verification.

dsRrset - The DS rrset to match with. This rrset must already be trusted.

badKeyTTL - The TTL [s] for keys determined to be bad.

date - The date against which to verify the rrset.

Returns:

a KeyEntry. This will either contain the now trusted dnskey RRset, a "null" key entry indicating that this DS rrset/DNSKEY pair indicate an secure end to the island of trust (i.e., unknown algorithms), or a "bad" KeyEntry if the dnskey RRset fails to verify. Note that the "null" response should generally only occur in a private algorithm scenario: normally this sort of thing is checked before fetching the matching DNSKEY rrset.

verifySRRset

public SecurityStatus verifySRRset(SRRset rrset,
                                   SRRset keyRrset,
                                   Instant date)

Given an SRRset that is signed by a DNSKEY found in the key_rrset, verify it. This will return the status (either BOGUS or SECURE) and set that status in rrset.

Parameters:

rrset - The SRRset to verify.

keyRrset - The set of keys to verify against.

date - The date against which to verify the rrset.

Returns:

The status (BOGUS or SECURE).

rrsetWildcard

public static org.xbill.DNS.Name rrsetWildcard(org.xbill.DNS.RRset rrset)

Determine by looking at a signed RRset whether or not the RRset name was the result of a wildcard expansion. If so, return the name of the generating wildcard.

Parameters:

rrset - The rrset to chedck.

Returns:

the wildcard name, if the rrset was synthesized from a wildcard. null if not.

longestCommonName

public static org.xbill.DNS.Name longestCommonName(org.xbill.DNS.Name domain1,
                                                   org.xbill.DNS.Name domain2)

Finds the longest domain name in common with the given name.

Parameters:

domain1 - The first domain to process.

domain2 - The second domain to process.

Returns:

The longest label in common of domain1 and domain2. The least common name is the root.

strictSubdomain

public static boolean strictSubdomain(org.xbill.DNS.Name domain1,
                                      org.xbill.DNS.Name domain2)

Is the first Name strictly a subdomain of the second name (i.e., below but not equal to).

Parameters:

domain1 - The first domain to process.

domain2 - The second domain to process.

Returns:

True when domain1 is a strict subdomain of domain2.

closestEncloser

public static org.xbill.DNS.Name closestEncloser(org.xbill.DNS.Name domain,
                                                 org.xbill.DNS.Name owner,
                                                 org.xbill.DNS.Name next)

Determines the 'closest encloser' - the name that has the most common labels between domain and (Record.getName() or NSECRecord.getNext()).

Parameters:

domain - The name for which the closest encloser is queried.

owner - The beginning of the covering Name to check.

next - The end of the covering Name to check.

Returns:

The closest encloser name of domain as defined by owner and next.

nsecWildcard

public static org.xbill.DNS.Name nsecWildcard(org.xbill.DNS.Name domain,
                                              SRRset set,
                                              org.xbill.DNS.NSECRecord nsec)
                                       throws org.xbill.DNS.NameTooLongException

Gets the closest encloser of domain prepended with a wildcard label.

Parameters:

domain - The name for which the wildcard closest encloser is demanded.

set - The RRset containing nsec to check.

nsec - The covering NSEC that defines the encloser.

Returns:

The wildcard closest encloser name of domain as defined by nsec .

Throws:

org.xbill.DNS.NameTooLongException - If adding the wildcard label to the closest encloser results in an invalid name.

nsecProvesNameError

public static boolean nsecProvesNameError(SRRset set,
                                          org.xbill.DNS.NSECRecord nsec,
                                          org.xbill.DNS.Name qname)

Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.

Parameters:

set - The RRset that contains the NSEC.

nsec - The NSEC to check.

qname - The qname to check against.

Returns:

true if the NSEC proves the condition.

nsecProvesNoWC

public static boolean nsecProvesNoWC(SRRset set,
                                     org.xbill.DNS.NSECRecord nsec,
                                     org.xbill.DNS.Name qname)

Determine if a NSEC record proves the non-existence of a wildcard that could have produced qname.

Parameters:

set - The RRset of the NSEC record.

nsec - The nsec record to check.

qname - The qname to check against.

Returns:

true if the NSEC proves the condition.

nsecProvesNodata

public static ValUtils.NsecProvesNodataResponse nsecProvesNodata(SRRset set,
                                                                 org.xbill.DNS.NSECRecord nsec,
                                                                 org.xbill.DNS.Name qname,
                                                                 int qtype)

Determine if a NSEC proves the NOERROR/NODATA conditions. This will also handle the empty non-terminal (ENT) case and partially handle the wildcard case. If the ownername of 'nsec' is a wildcard, the validator must still be provided proof that qname did not directly exist and that the wildcard is, in fact, *.closest_encloser.

Parameters:

set - The RRset of the NSEC record.

nsec - The NSEC to check

qname - The query name to check against.

qtype - The query type to check against.

Returns:

true if the NSEC proves the condition.

nsecProvesNodataDsReply

public org.jitsi.dnssec.validator.JustifiedSecStatus nsecProvesNodataDsReply(org.xbill.DNS.Message request,
                                                                             SMessage response,
                                                                             SRRset keyRrset,
                                                                             Instant date)

Check DS absence. There is a NODATA reply to a DS that needs checking. NSECs can prove this is not a delegation point, or successfully prove that there is no DS. Or this fails.

Parameters:

request - The request that generated this response.

response - The response to validate.

keyRrset - The key that validate the NSECs.

date - The date against which to verify the response.

Returns:

The NODATA proof along with the reason of the result.

hasSignedNsecs

public boolean hasSignedNsecs(SMessage message)

Checks if the authority section of a message contains at least one signed NSEC or NSEC3 record.

Parameters:

message - The message to inspect.

Returns:

True if at least one record is found, false otherwise.

nsecProvesNoDS

public static SecurityStatus nsecProvesNoDS(org.xbill.DNS.NSECRecord nsec,
                                            org.xbill.DNS.Name qname)

Determines whether the given NSECRecord proves that there is no DSRecord for qname.

Parameters:

nsec - The NSEC that should prove the non-existence.

qname - The name for which the prove is made.

Returns:

SecurityStatus.BOGUS when the NSEC is from the child domain or indicates that there indeed is a DS record, SecurityStatus.INSECURE when there is not even a prove for a NS record, SecurityStatus.SECURE when there is no DS record.