Package org.jitsi.dnssec.validator

Class ValUtils

  • public class ValUtils
extends java.lang.Object
    This is a collection of routines encompassing the logic of validating different message types.
    Author:
    davidb

    • Field Summary

      Fields 
      Modifier and Type Field Description
      static java.lang.String DIGEST_PREFERENCE  

    • Constructor Summary

      Constructors 
      Constructor Description
      ValUtils()
      Creates a new instance of this class.

    • Method Summary

      All Methods Static Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      static ResponseClassification classifyResponse​(SMessage m)
      Given a response, classify ANSWER responses into a subtype.
      static org.xbill.DNS.Name closestEncloser​(org.xbill.DNS.Name domain, org.xbill.DNS.NSECRecord nsec)
      Determines the 'closest encloser' - the name that has the most common labels between domain and (Record.getName() or NSECRecord.getNext()).
      boolean hasSignedNsecs​(SMessage message)
      Checks if the authority section of a message contains at least one signed NSEC or NSEC3 record.
      void init​(java.util.Properties config)
      Initialize the module.
      static org.xbill.DNS.Name longestCommonName​(org.xbill.DNS.Name domain1, org.xbill.DNS.Name domain2)
      Finds the longest domain name in common with the given name.
      static boolean nsecProvesNameError​(org.xbill.DNS.NSECRecord nsec, org.xbill.DNS.Name qname, org.xbill.DNS.Name signerName)
      Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.
      static ValUtils.NsecProvesNodataResponse nsecProvesNodata​(org.xbill.DNS.NSECRecord nsec, org.xbill.DNS.Name qname, int qtype)
      Determine if a NSEC proves the NOERROR/NODATA conditions.
      org.jitsi.dnssec.validator.JustifiedSecStatus nsecProvesNodataDsReply​(org.xbill.DNS.Message request, SMessage response, SRRset keyRrset)
      Check DS absence.
      static SecurityStatus nsecProvesNoDS​(org.xbill.DNS.NSECRecord nsec, org.xbill.DNS.Name qname)
      Determines whether the given NSECRecord proves that there is no DSRecord for qname.
      static boolean nsecProvesNoWC​(org.xbill.DNS.NSECRecord nsec, org.xbill.DNS.Name qname, org.xbill.DNS.Name signerName)
      Determine if a NSEC record proves the non-existence of a wildcard that could have produced qname.
      static org.xbill.DNS.Name nsecWildcard​(org.xbill.DNS.Name domain, org.xbill.DNS.NSECRecord nsec)
      Gets the closest encloser of domain prepended with a wildcard label.
      static org.xbill.DNS.Name rrsetWildcard​(org.xbill.DNS.RRset rrset)
      Determine by looking at a signed RRset whether or not the RRset name was the result of a wildcard expansion.
      static boolean strictSubdomain​(org.xbill.DNS.Name domain1, org.xbill.DNS.Name domain2)
      Is the first Name strictly a subdomain of the second name (i.e., below but not equal to).
      KeyEntry verifyNewDNSKEYs​(SRRset dnskeyRrset, SRRset dsRrset, long badKeyTTL)
      Given a DS rrset and a DNSKEY rrset, match the DS to a DNSKEY and verify the DNSKEY rrset with that key.
      SecurityStatus verifySRRset​(SRRset rrset, SRRset keyRrset)
      Given an SRRset that is signed by a DNSKEY found in the key_rrset, verify it.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Field Detail

      • DIGEST_PREFERENCE

        public static final java.lang.String DIGEST_PREFERENCE
        See Also:
        Constant Field Values

    • Constructor Detail

      • ValUtils

        public ValUtils()
        Creates a new instance of this class.

    • Method Detail

      • init

        public void init​(java.util.Properties config)
        Initialize the module. The only recognized configuration value is DIGEST_PREFERENCE.
        Parameters:
        config - The configuration data for this module.

      • classifyResponse

        public static ResponseClassification classifyResponse​(SMessage m)
        Given a response, classify ANSWER responses into a subtype.
        Parameters:
        m - The response to classify.
        Returns:
        A subtype ranging from UNKNOWN to NAMEERROR.

      • verifyNewDNSKEYs

        public KeyEntry verifyNewDNSKEYs​(SRRset dnskeyRrset,
                                 SRRset dsRrset,
                                 long badKeyTTL)
        Given a DS rrset and a DNSKEY rrset, match the DS to a DNSKEY and verify the DNSKEY rrset with that key.
        Parameters:
        dnskeyRrset - The DNSKEY rrset to match against. The security status of this rrset will be updated on a successful verification.
        dsRrset - The DS rrset to match with. This rrset must already be trusted.
        badKeyTTL - The TTL [s] for keys determined to be bad.
        Returns:
        a KeyEntry. This will either contain the now trusted dnskey RRset, a "null" key entry indicating that this DS rrset/DNSKEY pair indicate an secure end to the island of trust (i.e., unknown algorithms), or a "bad" KeyEntry if the dnskey RRset fails to verify. Note that the "null" response should generally only occur in a private algorithm scenario: normally this sort of thing is checked before fetching the matching DNSKEY rrset.

      • verifySRRset

        public SecurityStatus verifySRRset​(SRRset rrset,
                                   SRRset keyRrset)
        Given an SRRset that is signed by a DNSKEY found in the key_rrset, verify it. This will return the status (either BOGUS or SECURE) and set that status in rrset.
        Parameters:
        rrset - The SRRset to verify.
        keyRrset - The set of keys to verify against.
        Returns:
        The status (BOGUS or SECURE).

      • rrsetWildcard

        public static org.xbill.DNS.Name rrsetWildcard​(org.xbill.DNS.RRset rrset)
        Determine by looking at a signed RRset whether or not the RRset name was the result of a wildcard expansion. If so, return the name of the generating wildcard.
        Parameters:
        rrset - The rrset to chedck.
        Returns:
        the wildcard name, if the rrset was synthesized from a wildcard. null if not.

      • longestCommonName

        public static org.xbill.DNS.Name longestCommonName​(org.xbill.DNS.Name domain1,
                                                   org.xbill.DNS.Name domain2)
        Finds the longest domain name in common with the given name.
        Parameters:
        domain1 - The first domain to process.
        domain2 - The second domain to process.
        Returns:
        The longest label in common of domain1 and domain2. The least common name is the root.

      • strictSubdomain

        public static boolean strictSubdomain​(org.xbill.DNS.Name domain1,
                                      org.xbill.DNS.Name domain2)
        Is the first Name strictly a subdomain of the second name (i.e., below but not equal to).
        Parameters:
        domain1 - The first domain to process.
        domain2 - The second domain to process.
        Returns:
        True when domain1 is a strict subdomain of domain2.

      • closestEncloser

        public static org.xbill.DNS.Name closestEncloser​(org.xbill.DNS.Name domain,
                                                 org.xbill.DNS.NSECRecord nsec)
        Determines the 'closest encloser' - the name that has the most common labels between domain and (Record.getName() or NSECRecord.getNext()).
        Parameters:
        domain - The name for which the closest encloser is queried.
        nsec - The covering NSECRecord to check.
        Returns:
        The closest encloser name of domain as defined by nsec.

      • nsecWildcard

        public static org.xbill.DNS.Name nsecWildcard​(org.xbill.DNS.Name domain,
                                              org.xbill.DNS.NSECRecord nsec)
                                       throws org.xbill.DNS.NameTooLongException
        Gets the closest encloser of domain prepended with a wildcard label.
        Parameters:
        domain - The name for which the wildcard closest encloser is demanded.
        nsec - The covering NSEC that defines the encloser.
        Returns:
        The wildcard closest encloser name of domain as defined by nsec.
        Throws:
        org.xbill.DNS.NameTooLongException - If adding the wildcard label to the closest encloser results in an invalid name.

      • nsecProvesNameError

        public static boolean nsecProvesNameError​(org.xbill.DNS.NSECRecord nsec,
                                          org.xbill.DNS.Name qname,
                                          org.xbill.DNS.Name signerName)
        Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.
        Parameters:
        nsec - The NSEC to check.
        qname - The qname to check against.
        signerName - The signer of the NSEC RRset.
        Returns:
        true if the NSEC proves the condition.

      • nsecProvesNoWC

        public static boolean nsecProvesNoWC​(org.xbill.DNS.NSECRecord nsec,
                                     org.xbill.DNS.Name qname,
                                     org.xbill.DNS.Name signerName)
        Determine if a NSEC record proves the non-existence of a wildcard that could have produced qname.
        Parameters:
        nsec - The nsec to check.
        qname - The qname to check against.
        signerName - The signer of the NSEC RRset.
        Returns:
        true if the NSEC proves the condition.

      • nsecProvesNodata

        public static ValUtils.NsecProvesNodataResponse nsecProvesNodata​(org.xbill.DNS.NSECRecord nsec,
                                                                 org.xbill.DNS.Name qname,
                                                                 int qtype)
        Determine if a NSEC proves the NOERROR/NODATA conditions. This will also handle the empty non-terminal (ENT) case and partially handle the wildcard case. If the ownername of 'nsec' is a wildcard, the validator must still be provided proof that qname did not directly exist and that the wildcard is, in fact, *.closest_encloser.
        Parameters:
        nsec - The NSEC to check
        qname - The query name to check against.
        qtype - The query type to check against.
        Returns:
        true if the NSEC proves the condition.

      • nsecProvesNodataDsReply

        public org.jitsi.dnssec.validator.JustifiedSecStatus nsecProvesNodataDsReply​(org.xbill.DNS.Message request,
                                                                             SMessage response,
                                                                             SRRset keyRrset)
        Check DS absence. There is a NODATA reply to a DS that needs checking. NSECs can prove this is not a delegation point, or successfully prove that there is no DS. Or this fails.
        Parameters:
        request - The request that generated this response.
        response - The response to validate.
        keyRrset - The key that validate the NSECs.
        Returns:
        The NODATA proof along with the reason of the result.

      • hasSignedNsecs

        public boolean hasSignedNsecs​(SMessage message)
        Checks if the authority section of a message contains at least one signed NSEC or NSEC3 record.
        Parameters:
        message - The message to inspect.
        Returns:
        True if at least one record is found, false otherwise.

      • nsecProvesNoDS

        public static SecurityStatus nsecProvesNoDS​(org.xbill.DNS.NSECRecord nsec,
                                            org.xbill.DNS.Name qname)
        Determines whether the given NSECRecord proves that there is no DSRecord for qname.
        Parameters:
        nsec - The NSEC that should prove the non-existence.
        qname - The name for which the prove is made.
        Returns:
        SecurityStatus.BOGUS when the NSEC is from the child domain or indicates that there indeed is a DS record, SecurityStatus.INSECURE when there is not even a prove for a NS record, SecurityStatus.SECURE when there is no DS record.