final class ValUtils
extends java.lang.Object
Modifier and Type | Class and Description |
---|---|
static class |
ValUtils.NsecProvesNodataResponse
Container for responses of
nsecProvesNodata(SRRset, NSECRecord, Name, int). |
Modifier and Type | Field and Description |
---|---|
static java.lang.String |
ALGORITHM_ENABLED |
private java.util.Properties |
config |
static java.lang.String |
DIGEST_ENABLED |
static java.lang.String |
DIGEST_HARDEN_DOWNGRADE |
static java.lang.String |
DIGEST_PREFERENCE |
private boolean |
digestHardenDowngrade |
private int[] |
digestPreference |
private boolean |
hasEd25519 |
private boolean |
hasEd448 |
private boolean |
hasGost |
private DnsSecVerifier |
verifier
A local copy of the verifier object.
|
private static Name |
WILDCARD |
Constructor and Description |
---|
ValUtils()
Creates a new instance of this class.
|
Modifier and Type | Method and Description |
---|---|
(package private) boolean |
atLeastOneDigestSupported(RRset dsRRset)
Determines if at least one of the DS records in the RRset has a supported digest algorithm.
|
(package private) boolean |
atLeastOneSupportedAlgorithm(RRset dsRRset)
Determines if at least one of the DS records in the RRset has a supported algorithm.
|
static ResponseClassification |
classifyResponse(Message request,
SMessage m)
Given a response, classify ANSWER responses into a subtype.
|
static Name |
closestEncloser(Name domain,
Name owner,
Name next)
Determines the 'closest encloser' - the name that has the most common labels between
domain and (Record.getName() or NSECRecord.getNext() ). |
(package private) int |
favoriteDSDigestID(SRRset dsset)
Gets the digest ID for the favorite (best) algorithm that is supported in a given DS set.
|
private KeyEntry |
getKeyEntry(SRRset dnskeyRrset,
java.time.Instant date,
DSRecord ds,
DNSKEYRecord dnskey) |
boolean |
hasSignedNsecs(SMessage message)
Checks if the authority section of a message contains at least one signed NSEC or NSEC3 record.
|
void |
init(java.util.Properties config)
Initialize the module.
|
(package private) boolean |
isAlgorithmSupported(int alg)
Determines if the algorithm is supported.
|
(package private) boolean |
isDigestSupported(int digestID)
Determines if the digest algorithm is supported.
|
static Name |
longestCommonName(Name domain1,
Name domain2)
Finds the longest domain name in common with the given name.
|
static boolean |
nsecProvesNameError(SRRset set,
NSECRecord nsec,
Name qname)
Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.
|
static ValUtils.NsecProvesNodataResponse |
nsecProvesNodata(SRRset set,
NSECRecord nsec,
Name qname,
int qtype)
Determine if a NSEC proves the NOERROR/NODATA conditions.
|
JustifiedSecStatus |
nsecProvesNodataDsReply(Message request,
SMessage response,
SRRset keyRrset,
java.time.Instant date)
Check DS absence.
|
static SecurityStatus |
nsecProvesNoDS(NSECRecord nsec,
Name qname)
|
static boolean |
nsecProvesNoWC(SRRset set,
NSECRecord nsec,
Name qname)
Determine if a NSEC record proves the non-existence of a wildcard that could have produced
qname.
|
static Name |
nsecWildcard(Name domain,
SRRset set,
NSECRecord nsec)
Gets the closest encloser of
domain prepended with a wildcard label. |
private boolean |
propertyOrTrueWithPrecondition(java.lang.String configKey,
boolean precondition) |
static Name |
rrsetWildcard(RRset rrset)
Determine by looking at a signed RRset whether or not the RRset name was the result of a
wildcard expansion.
|
static void |
setCanonicalNsecOwner(SRRset set,
RRSIGRecord sig)
Set the owner name of NSEC RRsets to the canonical name, i.e.
|
static boolean |
strictSubdomain(Name domain1,
Name domain2)
Is the first Name strictly a subdomain of the second name (i.e., below but not equal to).
|
KeyEntry |
verifyNewDNSKEYs(SRRset dnskeyRrset,
SRRset dsRrset,
long badKeyTTL,
java.time.Instant date)
Given a DS rrset and a DNSKEY rrset, match the DS to a DNSKEY and verify the DNSKEY rrset with
that key.
|
JustifiedSecStatus |
verifySRRset(SRRset rrset,
SRRset keyRrset,
java.time.Instant date)
Given an SRRset that is signed by a DNSKEY found in the keyRrset, verify it.
|
public static final java.lang.String DIGEST_PREFERENCE
public static final java.lang.String DIGEST_ENABLED
public static final java.lang.String DIGEST_HARDEN_DOWNGRADE
public static final java.lang.String ALGORITHM_ENABLED
private static final Name WILDCARD
private final DnsSecVerifier verifier
private int[] digestPreference
private java.util.Properties config
private boolean digestHardenDowngrade
private boolean hasGost
private boolean hasEd25519
private boolean hasEd448
public static void setCanonicalNsecOwner(SRRset set, RRSIGRecord sig)
set
- The RRset to canonicalize.sig
- The signature that validated this RRset.public void init(java.util.Properties config)
config
- The configuration data for this module.public static ResponseClassification classifyResponse(Message request, SMessage m)
request
- The original query message.m
- The response to classify.public KeyEntry verifyNewDNSKEYs(SRRset dnskeyRrset, SRRset dsRrset, long badKeyTTL, java.time.Instant date)
dnskeyRrset
- The DNSKEY rrset to match against. The security status of this rrset will be
updated on a successful verification.dsRrset
- The DS rrset to match with. This rrset must already be trusted.badKeyTTL
- The TTL [s] for keys determined to be bad.date
- The date against which to verify the rrset.private KeyEntry getKeyEntry(SRRset dnskeyRrset, java.time.Instant date, DSRecord ds, DNSKEYRecord dnskey)
int favoriteDSDigestID(SRRset dsset)
The order of preference can be configured with the property "dnsjava.dnssec.digest_preference". If the property is not set, the highest supported number is returned.
dsset
- The DS set to check for the favorite algorithm.public JustifiedSecStatus verifySRRset(SRRset rrset, SRRset keyRrset, java.time.Instant date)
rrset
- The SRRset to verify.keyRrset
- The set of keys to verify against.date
- The date against which to verify the rrset.public static Name rrsetWildcard(RRset rrset)
rrset
- The rrset to check.public static Name longestCommonName(Name domain1, Name domain2)
domain1
- The first domain to process.domain2
- The second domain to process.public static boolean strictSubdomain(Name domain1, Name domain2)
domain1
- The first domain to process.domain2
- The second domain to process.public static Name closestEncloser(Name domain, Name owner, Name next)
domain
and (Record.getName()
or NSECRecord.getNext()
).public static Name nsecWildcard(Name domain, SRRset set, NSECRecord nsec) throws NameTooLongException
domain
prepended with a wildcard label.domain
- The name for which the wildcard closest encloser is demanded.set
- The RRset containing nsec
to check.nsec
- The covering NSEC that defines the encloser.domain
as defined by nsec
.NameTooLongException
- If adding the wildcard label to the closest encloser results in an
invalid name.public static boolean nsecProvesNameError(SRRset set, NSECRecord nsec, Name qname)
set
- The RRset that contains the NSEC.nsec
- The NSEC to check.qname
- The qname to check against.public static boolean nsecProvesNoWC(SRRset set, NSECRecord nsec, Name qname)
set
- The RRset of the NSEC record.nsec
- The nsec record to check.qname
- The qname to check against.public static ValUtils.NsecProvesNodataResponse nsecProvesNodata(SRRset set, NSECRecord nsec, Name qname, int qtype)
set
- The RRset of the NSEC record.nsec
- The NSEC to check.qname
- The query name to check against.qtype
- The query type to check against.public JustifiedSecStatus nsecProvesNodataDsReply(Message request, SMessage response, SRRset keyRrset, java.time.Instant date)
request
- The request that generated this response.response
- The response to validate.keyRrset
- The keys that validate the NSECs.date
- The date against which to verify the response.public boolean hasSignedNsecs(SMessage message)
message
- The message to inspect.public static SecurityStatus nsecProvesNoDS(NSECRecord nsec, Name qname)
nsec
- The NSEC that should prove the non-existence.qname
- The name for which the proof is made.SecurityStatus.BOGUS
when the NSEC is from the child domain or indicates that
there indeed is a DS record, SecurityStatus.INSECURE
when there is not even a proof
for an NS record, SecurityStatus.SECURE
when there is no DS record.boolean atLeastOneSupportedAlgorithm(RRset dsRRset)
dsRRset
- The RR set to search in.boolean isAlgorithmSupported(int alg)
alg
- The algorithm to check.boolean atLeastOneDigestSupported(RRset dsRRset)
dsRRset
- The RR set to search in.boolean isDigestSupported(int digestID)
digestID
- The digest algorithm ID to check.private boolean propertyOrTrueWithPrecondition(java.lang.String configKey, boolean precondition)