| Modifier and Type | Field and Description |
|---|---|
| `private java.time.Clock` | `clock`: The clock used to validate messages. |
| `private static long` | `DEFAULT_TA_BAD_KEY_TTL`: The TTL to use when a trust anchor priming query failed to validate. |
| `private Resolver` | `headResolver`: The resolver that performs the actual DNS lookups. |
| `private boolean` | `isAddReasonToAdditional`: If `true`, an additional record with the validation reason is added to the `Section.ADDITIONAL` section. |
| `private KeyCache` | `keyCache`: A cache of validated, but expirable, DNSKEY rrsets. |
| `private NSEC3ValUtils` | `n3valUtils`: The local NSEC3 validation utilities. |
| `private TrustAnchorStore` | `trustAnchors`: A data structure holding all trust anchors. |
| `static int` | `VALIDATION_REASON_QCLASS`: The QCLASS used for injecting the reason why the validator came to the returned result. |
| `private ValUtils` | `valUtils`: The local validation utilities. |
| Constructor and Description |
|---|
| `ValidatingResolver(Resolver headResolver)`: Creates a new instance of this class. |
| `ValidatingResolver(Resolver headResolver, java.time.Clock clock)`: Creates a new instance of this class. |
| Modifier and Type | Method and Description |
|---|---|
| `private void` | `addValidationReasonTxtRecord(Message m, java.lang.String reason)` |
| `private void` | `applyEdeToOpt(SMessage validated, Message m)` |
| `private KeyEntry` | `dsReponseToKeForNodata(SMessage response, Message request, SRRset keyRrset)`: Given a DS response, the DS request, and the current key rrset, validate the DS response for the NODATA case, returning a KeyEntry. |
| `private KeyEntry` | `dsResponseToKE(SMessage response, Message request, SRRset keyRrset)`: Given a DS response, the DS request, and the current key rrset, validate the DS response, returning a KeyEntry. |
| `private static SMessage` | `errorMessage(Message request, int rcode)`: Creates a response message with the given return code. |
| `private <T> java.util.concurrent.CompletionStage<T>` | `failedFuture(java.lang.Throwable e)` |
| `java.time.Duration` | `getTimeout()`: Gets the amount of time to wait for a response before giving up. |
| `TrustAnchorStore` | `getTrustAnchors()`: Gets the store with the loaded trust anchors. |
| `void` | `init(java.util.Properties config)`: Initialize the module. |
| `void` | `loadTrustAnchors(java.io.InputStream data)`: Load the trust anchor file into the trust anchor store. |
| `private java.util.concurrent.CompletionStage<KeyEntry>` | `prepareFindKey(SRRset rrset)` |
| `private java.util.concurrent.CompletionStage<java.lang.Void>` | `processDNSKEYResponse(Message request, SMessage response, FindKeyState state)` |
| `private java.util.concurrent.CompletionStage<java.lang.Void>` | `processDSResponse(Message request, SMessage response, FindKeyState state)`: Handles the responses to locally generated DS queries. |
| `private java.util.concurrent.CompletionStage<java.lang.Void>` | `processFindKey(FindKeyState state)`: Process the FINDKEY state. |
| `private SMessage` | `processFinishedState(Message request, SMessage response)`: Apply any final massaging to a response before returning it up the pipeline. |
| `private java.util.concurrent.CompletionStage<SMessage>` | `processValidate(Message request, SMessage response)` |
| `private void` | `removeSpuriousAuthority(SMessage response)`: For messages that are not referrals, if the chased reply contains an unsigned NS record in the authority section, it could have been inserted by a (BIND) forwarder that thinks the zone is insecure and has an NS record without signatures in its cache. |
| `java.util.concurrent.CompletionStage<Message>` | `sendAsync(Message query)`: Asynchronously sends a message and validates the response with DNSSEC before returning it. |
| `private java.util.concurrent.CompletionStage<SMessage>` | `sendRequest(Message request)` |
| `void` | `setEDNS(int version, int payloadSize, int flags, java.util.List<EDNSOption> options)`: The call is forwarded to the head resolver, but the EDNS level is always forced to 0 and the flags always include DO. |
| `void` | `setIgnoreTruncation(boolean flag)`: This is a no-op; truncation is never ignored. |
| `void` | `setPort(int port)`: Forwards the value to the head resolver passed at construction time. |
| `void` | `setTCP(boolean flag)`: Forwards the value to the head resolver passed at construction time. |
| `void` | `setTimeout(java.time.Duration duration)`: Sets the amount of time to wait for a response before giving up. |
| `void` | `setTSIGKey(TSIG key)`: Forwards the key to the head resolver passed at construction time. |
| `private java.util.concurrent.CompletionStage<java.lang.Boolean>` | `validateAnswerAndGetWildcards(SMessage response, int qtype, java.util.Map<Name,Name> wcs)` |
| `private java.util.concurrent.CompletionStage<java.lang.Boolean>` | `validateAnswerAndGetWildcardsRecursive(SMessage response, int qtype, java.util.Map<Name,Name> wcs, java.util.concurrent.atomic.AtomicInteger setIndex)` |
| `private java.util.concurrent.CompletionStage<java.lang.Void>` | `validateNameErrorResponse(Message request, SMessage response)`: Validate a NAMEERROR signed response, i.e. a response that has an NXDOMAIN Rcode. |
| `private java.util.concurrent.CompletionStage<java.lang.Void>` | `validateNameErrorResponseRecursive(SMessage response, java.util.concurrent.atomic.AtomicInteger setIndex)` |
| `private java.util.concurrent.CompletionStage<java.lang.Void>` | `validateNodataResponse(Message request, SMessage response)`: Validate a NOERROR/NODATA signed response, i.e. a response that has a NOERROR Rcode but no ANSWER section RRsets. |
| `private java.util.concurrent.CompletionStage<java.lang.Void>` | `validateNodataResponseRecursive(SMessage response, java.util.concurrent.atomic.AtomicInteger setIndex)` |
| `private java.util.concurrent.CompletionStage<java.lang.Void>` | `validatePositiveResponse(Message request, SMessage response)`: Given a "positive" response, i.e. a response that contains an answer to the question and no CNAME chain, validate this response. |
| `private java.util.concurrent.CompletionStage<java.lang.Boolean>` | `validatePositiveResponseRecursive(SMessage response, java.util.Map<Name,Name> wcs, java.util.List<SRRset> nsec3s, java.util.List<SRRset> nsecs, int[] sections, java.util.concurrent.atomic.AtomicInteger sectionIndex, java.util.concurrent.atomic.AtomicInteger setIndex)` |

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface Resolver: send, sendAsync, sendAsync, setEDNS, setEDNS, setTimeout, setTimeout
public static final int VALIDATION_REASON_QCLASS

private static final long DEFAULT_TA_BAD_KEY_TTL

private final KeyCache keyCache

private final TrustAnchorStore trustAnchors

private final ValUtils valUtils

private final NSEC3ValUtils n3valUtils

private final Resolver headResolver

private final java.time.Clock clock

private boolean isAddReasonToAdditional
If true, an additional record with the validation reason is added to the Section.ADDITIONAL section. The record is available at ./TXT/65280.

public ValidatingResolver(Resolver headResolver)
Parameters:
- headResolver - The resolver to which queries for DS, DNSKEY and referring CNAME records are sent.

public ValidatingResolver(Resolver headResolver, java.time.Clock clock)
Parameters:
- headResolver - The resolver to which queries for DS, DNSKEY and referring CNAME records are sent.
- clock - The Clock used to validate messages.

public void init(java.util.Properties config) throws java.io.IOException
Parameters:
- config - The configuration data for this module.
Throws:
- java.io.IOException - When the file specified in the config does not exist or cannot be read.
See also: KeyCache.init(Properties), ValUtils.init(Properties), NSEC3ValUtils.init(Properties)

public void loadTrustAnchors(java.io.InputStream data) throws java.io.IOException
Parameters:
- data - The trust anchor data.
Throws:
- java.io.IOException - When the trust anchor data could not be read.

public TrustAnchorStore getTrustAnchors()

private void removeSpuriousAuthority(SMessage response)
Parameters:
- response - The chased reply. We have a key for its contents, so we should have signatures for these rrsets; a missing signature means the reply will be bogus.

private java.util.concurrent.CompletionStage<java.lang.Void> validatePositiveResponse(Message request, SMessage response)
Given an "ANY" response -- a response that contains an answer to a qtype==ANY question, with answers. This consists of simply verifying all present answer/auth RRsets, with no checking that all types are present.
NOTE: it may be possible to get parent-side delegation point records here, which won't all be signed. Right now, this routine relies on the upstream iterative resolver to not return these responses -- instead treating them as referrals.
NOTE: RFC 4035 is silent on this issue, so this may change upon clarification.
Parameters:
- request - The request that generated this response.
- response - The response to validate.

private java.util.concurrent.CompletionStage<java.lang.Boolean> validatePositiveResponseRecursive(SMessage response, java.util.Map<Name,Name> wcs, java.util.List<SRRset> nsec3s, java.util.List<SRRset> nsecs, int[] sections, java.util.concurrent.atomic.AtomicInteger sectionIndex, java.util.concurrent.atomic.AtomicInteger setIndex)

private java.util.concurrent.CompletionStage<java.lang.Boolean> validateAnswerAndGetWildcards(SMessage response, int qtype, java.util.Map<Name,Name> wcs)

private java.util.concurrent.CompletionStage<java.lang.Boolean> validateAnswerAndGetWildcardsRecursive(SMessage response, int qtype, java.util.Map<Name,Name> wcs, java.util.concurrent.atomic.AtomicInteger setIndex)

private java.util.concurrent.CompletionStage<java.lang.Void> validateNodataResponse(Message request, SMessage response)
Note that by the time this method is called, the process of finding the trusted DNSKEY rrset that signs this response must already have been completed.
Parameters:
- request - The request that generated this response.
- response - The response to validate.

private java.util.concurrent.CompletionStage<java.lang.Void> validateNodataResponseRecursive(SMessage response, java.util.concurrent.atomic.AtomicInteger setIndex)

private <T> java.util.concurrent.CompletionStage<T> failedFuture(java.lang.Throwable e)

private java.util.concurrent.CompletionStage<java.lang.Void> validateNameErrorResponse(Message request, SMessage response)
Note that by the time this method is called, the process of finding the trusted DNSKEY rrset that signs this response must already have been completed.
Parameters:
- request - The request whose name is to be proved not to exist.
- response - The response to validate.

private java.util.concurrent.CompletionStage<java.lang.Void> validateNameErrorResponseRecursive(SMessage response, java.util.concurrent.atomic.AtomicInteger setIndex)

private java.util.concurrent.CompletionStage<java.lang.Void> processFindKey(FindKeyState state)
Parameters:
- state - The state associated with the current key finding phase.

private KeyEntry dsResponseToKE(SMessage response, Message request, SRRset keyRrset)
Parameters:
- response - The DS response.
- request - The DS request.
- keyRrset - The current DNSKEY rrset from the forEvent state.

private KeyEntry dsReponseToKeForNodata(SMessage response, Message request, SRRset keyRrset)
Parameters:
- response - The DS response.
- request - The DS request.
- keyRrset - The current DNSKEY rrset from the forEvent state.

private java.util.concurrent.CompletionStage<java.lang.Void> processDSResponse(Message request, SMessage response, FindKeyState state)
Parameters:
- request - The request for which the response is processed.
- response - The response to process.
- state - The state associated with the current key finding phase.

private java.util.concurrent.CompletionStage<java.lang.Void> processDNSKEYResponse(Message request, SMessage response, FindKeyState state)

private java.util.concurrent.CompletionStage<SMessage> processValidate(Message request, SMessage response)

private SMessage processFinishedState(Message request, SMessage response)

public void setPort(int port)
Specified by: setPort in interface Resolver
Parameters:
- port - The IP destination port for the queries sent.
See also: Resolver.setPort(int)

public void setTCP(boolean flag)
Specified by: setTCP in interface Resolver
Parameters:
- flag - true to enable TCP, false to disable it.
See also: Resolver.setTCP(boolean)

public void setIgnoreTruncation(boolean flag)
Specified by: setIgnoreTruncation in interface Resolver
Parameters:
- flag - unused

public void setEDNS(int version, int payloadSize, int flags, java.util.List<EDNSOption> options)
Specified by: setEDNS in interface Resolver
Parameters:
- version - The EDNS level to use. 0 indicates EDNS0.
- payloadSize - The maximum DNS packet size that this host is capable of receiving over UDP. If 0 is specified, the default (1280) is used.
- flags - EDNS extended flags to be set in the OPT record; ExtendedFlags.DO is always appended.
- options - EDNS options to be set in the OPT record, specified as a List of OPTRecord.Option elements.
See also: Resolver.setEDNS(int, int, int, List)

public void setTSIGKey(TSIG key)
Specified by: setTSIGKey in interface Resolver
Parameters:
- key - The key.
See also: Resolver.setTSIGKey(TSIG)

public java.time.Duration getTimeout()
Description copied from interface: Resolver
Specified by: getTimeout in interface Resolver
See also: Resolver.setTimeout(Duration)

public void setTimeout(java.time.Duration duration)
Description copied from interface: Resolver
Specified by: setTimeout in interface Resolver
Parameters:
- duration - The amount of time to wait.

public java.util.concurrent.CompletionStage<Message> sendAsync(Message query)

private void addValidationReasonTxtRecord(Message m, java.lang.String reason)
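The public surface documented above (the constructor taking a head resolver, `loadTrustAnchors`, `send` via the `Resolver` interface, and the validation-reason TXT record injected into the ADDITIONAL section under `VALIDATION_REASON_QCLASS`) is enough to build a small checker that tells a caller whether an answer was authenticated and, when it was not, what the validator reported. The following is an added example, not code from dnsjava: the class name `DnssecCheck`, the default upstream address, the trust anchor file path and the `Outcome` holder are all assumptions of this example; the trust anchor file is expected to hold the root trust anchor in DS presentation format, which is not reproduced here.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.time.Duration;

import org.xbill.DNS.DClass;
import org.xbill.DNS.Flags;
import org.xbill.DNS.Message;
import org.xbill.DNS.Name;
import org.xbill.DNS.Rcode;
import org.xbill.DNS.Record;
import org.xbill.DNS.Section;
import org.xbill.DNS.SimpleResolver;
import org.xbill.DNS.TXTRecord;
import org.xbill.DNS.Type;
import org.xbill.DNS.dnssec.ValidatingResolver;

/**
 * Added example (not part of dnsjava): resolve a name through ValidatingResolver
 * and report whether the answer was authenticated and, if not, why.
 */
public class DnssecCheck {

    /** What a caller can act on after one validated lookup (assumed holder type). */
    public static final class Outcome {
        public final int rcode;
        public final boolean authenticated; // AD flag as set by the validator
        public final String reason;         // validator's explanation, or null if absent
        public final int answerCount;

        Outcome(int rcode, boolean authenticated, String reason, int answerCount) {
            this.rcode = rcode;
            this.authenticated = authenticated;
            this.reason = reason;
            this.answerCount = answerCount;
        }

        @Override
        public String toString() {
            return "rcode=" + Rcode.string(rcode) + " AD=" + authenticated
                    + " answers=" + answerCount + (reason != null ? " reason=\"" + reason + "\"" : "");
        }
    }

    /**
     * Puts a ValidatingResolver in front of a plain upstream resolver (address is an
     * assumption of the caller) and primes it from the given trust anchor stream.
     */
    public static ValidatingResolver build(String upstream, InputStream trustAnchors) throws IOException {
        SimpleResolver head = new SimpleResolver(upstream);
        head.setTimeout(Duration.ofSeconds(5));
        ValidatingResolver validating = new ValidatingResolver(head);
        validating.loadTrustAnchors(trustAnchors);
        return validating;
    }

    /**
     * Extracts the reason TXT record the validator adds to the ADDITIONAL section
     * (QCLASS VALIDATION_REASON_QCLASS, i.e. 65280) when reason injection is enabled.
     */
    static String validationReason(Message response) {
        for (Record r : response.getSection(Section.ADDITIONAL)) {
            if (r.getType() == Type.TXT
                    && r.getDClass() == ValidatingResolver.VALIDATION_REASON_QCLASS) {
                return String.join(" ", ((TXTRecord) r).getStrings());
            }
        }
        return null;
    }

    /** Sends one query through the validator and summarises the result. */
    public static Outcome lookup(ValidatingResolver resolver, String name, int type) throws IOException {
        Record question = Record.newRecord(Name.fromString(name, Name.root), type, DClass.IN);
        Message response = resolver.send(Message.newQuery(question));
        boolean ad = response.getHeader().getFlag(Flags.AD);
        int answers = response.getSection(Section.ANSWER).size();
        return new Outcome(response.getRcode(), ad, validationReason(response), answers);
    }

    public static void main(String[] args) throws IOException {
        String upstream = args.length > 0 ? args[0] : "127.0.0.1";      // assumed default
        String anchorFile = args.length > 1 ? args[1] : "root-anchors.ds"; // placeholder path
        String name = args.length > 2 ? args[2] : "example.com.";
        try (InputStream in = new FileInputStream(anchorFile)) {
            Outcome o = lookup(build(upstream, in), name, Type.A);
            System.out.println(o);
            // Standard validator semantics: only a NOERROR answer with AD=1 is authenticated.
            // A SERVFAIL from the validator means the chain was judged bogus (the reason
            // record, when present, says why); NOERROR with AD=0 means the name is in an
            // insecure (unsigned) part of the tree.
        }
    }
}
```

Run it as `java DnssecCheck <upstream-ip> <trust-anchor-file> <name>`. The reason record is only present when the validator was configured to add it (see the `isAddReasonToAdditional` field), so `reason` being `null` on its own carries no information; the AD flag and rcode are the authoritative signal.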