dnsruby 1.55 → 1.56.0

data/lib/{Dnsruby/SingleResolver.rb → dnsruby/single_resolver.rb}

@@ -1,59 +1,59 @@
-#--
-#Copyright 2007 Nominet UK
-#
-#Licensed under the Apache License, Version 2.0 (the "License");
-#you may not use this file except in compliance with the License.
-#You may obtain a copy of the License at
-#
+# --
+# Copyright 2007 Nominet UK
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
 #     http://www.apache.org/licenses/LICENSE-2.0
-#
-#Unless required by applicable law or agreed to in writing, software
-#distributed under the License is distributed on an "AS IS" BASIS,
-#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#See the License for the specific language governing permissions and
-#limitations under the License.
-#++
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ++
 module Dnsruby
 
-  #== Dnsruby::SingleResolver
-  #
-  # This class has been deprecated.
-  # This implementation exists for legacy clients. New code should use the Dnsruby::Resolver class.
-  # The SingleResolver class targets a single resolver, and controls the sending of a single
-  # packet with a packet timeout. It performs no retries. Only two threads are used - the client
-  # thread and a select thread (which is reused across all queries).
-  #
-  #== Methods
-  #
-  #=== Synchronous
-  #These methods raise an exception or return a response message with rcode==NOERROR
-  #
-  #*  Dnsruby::SingleResolver#send_message(msg [, use_tcp]))
-  #*  Dnsruby::SingleResolver#query(name [, type [, klass]])
-  #
-  #=== Asynchronous
-  #These methods use a response queue to return the response and the error to the client.
-  #Support for EventMachine has been deprecated
-  #
-  #*  Dnsruby::SingleResolver#send_async(...)
-  #
+  # == Dnsruby::SingleResolver
+  # 
+  #  This class has been deprecated.
+  #  This implementation exists for legacy clients. New code should use the Dnsruby::Resolver class.
+  #  The SingleResolver class targets a single resolver, and controls the sending of a single
+  #  packet with a packet timeout. It performs no retries. Only two threads are used - the client
+  #  thread and a select thread (which is reused across all queries).
+  # 
+  # == Methods
+  # 
+  # === Synchronous
+  # These methods raise an exception or return a response message with rcode==NOERROR
+  # 
+  # *  Dnsruby::SingleResolver#send_message(msg [, use_tcp]))
+  # *  Dnsruby::SingleResolver#query(name [, type [, klass]])
+  # 
+  # === Asynchronous
+  # These methods use a response queue to return the response and the error to the client.
+  # Support for EventMachine has been deprecated
+  # 
+  # *  Dnsruby::SingleResolver#send_async(...)
+  # 
   class SingleResolver < Resolver
-    # Can take a hash with the following optional keys :
-    #
-    # * :server
-    # * :port
-    # * :use_tcp
-    # * :no_tcp
-    # * :ignore_truncation
-    # * :src_address
-    # * :src_address6
-    # * :src_port
-    # * :udp_size
-    # * :persistent_tcp
-    # * :persistent_udp
-    # * :tsig
-    # * :packet_timeout
-    # * :recurse
+    #  Can take a hash with the following optional keys :
+    # 
+    #  * :server
+    #  * :port
+    #  * :use_tcp
+    #  * :no_tcp
+    #  * :ignore_truncation
+    #  * :src_address
+    #  * :src_address6
+    #  * :src_port
+    #  * :udp_size
+    #  * :persistent_tcp
+    #  * :persistent_udp
+    #  * :tsig
+    #  * :packet_timeout
+    #  * :recurse
     def initialize(*args)
       arg=args[0]
       @single_res_mutex = Mutex.new
@@ -80,7 +80,7 @@ module Dnsruby
       @config = Config.new
 
       if (arg==nil)
-        # Get default config
+        #  Get default config
         @config = Config.new
         @config.get_ready
         @server = @config.nameserver[0]
@@ -89,13 +89,13 @@ module Dnsruby
         @configured= true
         @config.nameserver=[arg]
         @server = @config.nameserver[0]
-        #        @server=arg
+        #         @server=arg
       elsif (arg.kind_of?Name)
         @config.get_ready
         @configured= true
         @config.nameserver=arg
         @server = @config.nameserver[0]
-        #        @server=arg
+        #         @server=arg
       elsif (arg.kind_of?Hash)
         arg.keys.each do |attr|
           if (attr == :server)
@@ -122,7 +122,7 @@ module Dnsruby
 
       @single_resolvers = [isr]
 
-      #      ResolverRegister::register_single_resolver(self)
+      #       ResolverRegister::register_single_resolver(self)
     end
 
     def server=(s)
@@ -142,13 +142,13 @@ module Dnsruby
     end
 
     def server
-      #      @single_res_mutex.synchronize {
+      #       @single_res_mutex.synchronize {
       if (!@configured)
         @config.get_ready
         add_config_nameservers
       end
       return @single_resolvers[0].server
-      #      }
+      #       }
     end
 
     def retry_times=(n) # :nodoc:
@@ -163,8 +163,8 @@ module Dnsruby
       @query_timeout = t
     end
 
-    # Add the appropriate EDNS OPT RR for the specified packet. This is done
-    # automatically, unless you are using Resolver#send_plain_message
+    #  Add the appropriate EDNS OPT RR for the specified packet. This is done
+    #  automatically, unless you are using Resolver#send_plain_message
     def add_opt_rr(m)
       @single_res_mutex.synchronize {
         @single_resolvers[0].add_opt_rr(m)

data/lib/{Dnsruby → dnsruby}/single_verifier.rb

@@ -1,18 +1,18 @@
-#--
-#Copyright 2007 Nominet UK
-#
-#Licensed under the Apache License, Version 2.0 (the "License");
-#you may not use this file except in compliance with the License.
-#You may obtain a copy of the License at
-#
+# --
+# Copyright 2007 Nominet UK
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
 #     http://www.apache.org/licenses/LICENSE-2.0
-#
-#Unless required by applicable law or agreed to in writing, software
-#distributed under the License is distributed on an "AS IS" BASIS,
-#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#See the License for the specific language governing permissions and
-#limitations under the License.
-#++
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ++
 
 
 # This class does verification/validation from a single point - signed root,
@@ -29,29 +29,29 @@ module Dnsruby
     def initialize(vtype)
       @verifier_type = vtype
       @added_dlv_key = false
-      # The DNSKEY RRs for the signed root (when it exists)
+      #  The DNSKEY RRs for the signed root (when it exists)
       @root_anchors = KeyCache.new
 
-      # The set of trust anchors.
-      # If the root is unsigned, then these must be initialised with at least
-      # one trusted key by the client application, if verification is to be performed.
+      #  The set of trust anchors.
+      #  If the root is unsigned, then these must be initialised with at least
+      #  one trusted key by the client application, if verification is to be performed.
       @trust_anchors = KeyCache.new
 
       @dlv_registries = []
 
-      # The set of keys which are trusted.
+      #  The set of keys which are trusted.
       @trusted_keys = KeyCache.new
 
-      # The set of keys which have been indicated by a DS RRSet which has been
-      # signed by a trusted key. Although we have not yet located these keys, we
-      # have the details (tag and digest) which can identify the keys when we
-      # see them. At that point, they will be added to our trusted keys.
+      #  The set of keys which have been indicated by a DS RRSet which has been
+      #  signed by a trusted key. Although we have not yet located these keys, we
+      #  have the details (tag and digest) which can identify the keys when we
+      #  see them. At that point, they will be added to our trusted keys.
       @discovered_ds_store = []
-      # The configured_ds_store is the set of DS records which have been configured
-      # by the client as trust anchors. Use Dnssec#add_trust_anchor to add these
+      #  The configured_ds_store is the set of DS records which have been configured
+      #  by the client as trust anchors. Use Dnssec#add_trust_anchor to add these
       @configured_ds_store = []
     end
-    
+
     def set_hints(hints)
       @@hints = hints
     end
@@ -69,29 +69,29 @@ module Dnsruby
     end
 
     def get_dlv_resolver # :nodoc:
-      #      if (Dnssec.do_validation_with_recursor?)
-      #        return Recursor.new
-      #      else
+      #       if (Dnssec.do_validation_with_recursor?)
+      #         return Recursor.new
+      #       else
       if (Dnssec.default_resolver)
         return Dnssec.default_resolver
       else
         return Resolver.new
       end
-      #      end
+      #       end
     end
     def add_dlv_key(key)
-      # Is this a ZSK or a KSK?
-      # If it is a KSK, then get the ZSK from the zone
+      #  Is this a ZSK or a KSK?
+      #  If it is a KSK, then get the ZSK from the zone
       if (key.sep_key?)
         get_dlv_key(key)
       end
     end
     def get_dlv_key(ksk) # :nodoc:
-      # Using the KSK, get the ZSK for the DLV registry
+      #  Using the KSK, get the ZSK for the DLV registry
       if (!@res && (@verifier_type == VerifierType::DLV))
         @res = get_dlv_resolver
       end
-      #      print "Sending query : res.dnssec = #{@res.dnssec}"
+      #       print "Sending query : res.dnssec = #{@res.dnssec}"
       ret = nil
       begin
         ret = @res.query_no_validation_or_recursion("dlv.isc.org.", Types.DNSKEY)
@@ -99,7 +99,7 @@ module Dnsruby
           raise ResolvError.new("Couldn't get response from Recursor")
         end
       rescue ResolvError => e
-        #        print "ERROR - Couldn't find the DLV key\n"
+        #         print "ERROR - Couldn't find the DLV key\n"
         TheLog.error("Couldn't find the DLV key\n")
         return
       end
@@ -107,23 +107,23 @@ module Dnsruby
       begin
         verify(key_rrset, ksk)
         add_trusted_key(key_rrset)
-        #        print "Successfully added DLV key\n"
+        #         print "Successfully added DLV key\n"
         TheLog.info("Successfully added DLV key")
         @added_dlv_key = true
       rescue VerifyError => e
-        #        print "Error verifying DLV key : #{e}\n"
+        #         print "Error verifying DLV key : #{e}\n"
         TheLog.error("Error verifying DLV key : #{e}")
       end
     end
     def add_trust_anchor(t)
       add_trust_anchor_with_expiration(t, Time.utc(2035,"jan",1,20,15,1).to_i)
     end
-    # Add the
+    #  Add the
     def add_trust_anchor_with_expiration(k, expiration)
       if (k.type == Types.DNSKEY)
-        #        k.flags = k.flags | RR::IN::DNSKEY::SEP_KEY
+        #         k.flags = k.flags | RR::IN::DNSKEY::SEP_KEY
         @trust_anchors.add_key_with_expiration(k, expiration)
-        #        print "Adding trust anchor for #{k.name}\n"
+        #         print "Adding trust anchor for #{k.name}\n"
         TheLog.info("Adding trust anchor for #{k.name}")
       elsif ((k.type == Types.DS) || ((k.type == Types.DLV) && (@verifier_type == VerifierType::DLV)))
         @configured_ds_store.push(k)
@@ -133,7 +133,7 @@ module Dnsruby
     def remove_trust_anchor(t)
       @trust_anchors.delete(t)
     end
-    # Wipes the cache of trusted keys
+    #  Wipes the cache of trusted keys
     def clear_trust_anchors
       @trust_anchors = KeyCache.new
     end
@@ -142,39 +142,39 @@ module Dnsruby
       return @trust_anchors.keys + @configured_ds_store
     end
 
-    # Check that the RRSet and RRSIG record are compatible
+    #  Check that the RRSet and RRSIG record are compatible
     def check_rr_data(rrset, sigrec)#:nodoc: all
-      #Each RR MUST have the same owner name as the RRSIG RR;
+      # Each RR MUST have the same owner name as the RRSIG RR;
       if (rrset.name.canonical != sigrec.name.canonical)
         raise VerifyError.new("RRSET should have same owner name as RRSIG for verification (rrsert=#{rrset.name}, sigrec=#{sigrec.name}")
       end
 
-      #Each RR MUST have the same class as the RRSIG RR;
+      # Each RR MUST have the same class as the RRSIG RR;
       if (rrset.klass != sigrec.klass)
         raise VerifyError.new("RRSET should have same DNS class as RRSIG for verification")
       end
 
-      #Each RR in the RRset MUST have the RR type listed in the
-      #RRSIG RR's Type Covered field;
+      # Each RR in the RRset MUST have the RR type listed in the
+      # RRSIG RR's Type Covered field;
       if (rrset.type != sigrec.type_covered)
         raise VerifyError.new("RRSET should have same type as RRSIG for verification")
       end
 
-      #      #Each RR in the RRset MUST have the TTL listed in the
-      #      #RRSIG Original TTL Field;
-      #      if (rrset.ttl  != sigrec.original_ttl)
-      #        raise VerifyError.new("RRSET should have same ttl as RRSIG original_ttl for verification (should be #{sigrec.original_ttl} but was #{rrset.ttl}")
-      #      end
+      #       #Each RR in the RRset MUST have the TTL listed in the
+      #       #RRSIG Original TTL Field;
+      #       if (rrset.ttl  != sigrec.original_ttl)
+      #         raise VerifyError.new("RRSET should have same ttl as RRSIG original_ttl for verification (should be #{sigrec.original_ttl} but was #{rrset.ttl}")
+      #       end
 
-      # Now check that we are in the validity period for the RRSIG
+      #  Now check that we are in the validity period for the RRSIG
       now = Time.now.to_i
       if ((sigrec.expiration < now) || (sigrec.inception > now))
         raise VerifyError.new("Signature record not in validity period")
       end
     end
 
-    # Add the specified keys to the trusted key cache.
-    # k can be a KeyCache, or an RRSet of DNSKEYs.
+    #  Add the specified keys to the trusted key cache.
+    #  k can be a KeyCache, or an RRSet of DNSKEYs.
     def add_trusted_key(k)
       @trusted_keys.add(k)
     end
@@ -183,7 +183,7 @@ module Dnsruby
       @configured_ds_store.push(ds)
     end
 
-    # Wipes the cache of trusted keys
+    #  Wipes the cache of trusted keys
     def clear_trusted_keys
       @trusted_keys = KeyCache.new
       @res = nil
@@ -201,15 +201,15 @@ module Dnsruby
       return @trusted_keys.keys + @configured_ds_store + discovered_ds
     end
 
-    # Check that the key fits a signed DS record key details
-    # If so, then add the key to the trusted keys
+    #  Check that the key fits a signed DS record key details
+    #  If so, then add the key to the trusted keys
     def check_ds(key, ds_rrset)#:nodoc: all
       expiration = 0
       found = false
       ds_rrset.sigs.each { |sig|
         if ((sig.type_covered == Types.DS) || ((sig.type_covered == Types.DLV)&& (@verifier_type==VerifierType::DLV)))
           if (sig.inception <= Time.now.to_i)
-            # Check sig.expiration, sig.algorithm
+            #  Check sig.expiration, sig.algorithm
             if (sig.expiration > expiration)
               expiration = sig.expiration
             end
@@ -229,19 +229,19 @@ module Dnsruby
       return found
     end
 
-    # Verify the specified message (or RRSet) using the set of trusted keys.
-    # If keys is a DNSKEY, or an Array or RRSet of DNSKEYs, then keys
-    # is added to the set of trusted keys before the message (or RRSet) is
-    # verified.
-    #
-    # If msg is a Dnsruby::Message, then any signed DNSKEY or DS RRSets are
-    # processed first, and any new keys are added to the trusted key set
-    # before the other RRSets are checked.
-    #
-    # msg can be a Dnsruby::Message or Dnsruby::RRSet.
-    # keys may be nil, or a KeyCache or an RRSet of Dnsruby::RR::DNSKEY
-    #
-    # Returns true if the message verifies OK, and false otherwise.
+    #  Verify the specified message (or RRSet) using the set of trusted keys.
+    #  If keys is a DNSKEY, or an Array or RRSet of DNSKEYs, then keys
+    #  is added to the set of trusted keys before the message (or RRSet) is
+    #  verified.
+    # 
+    #  If msg is a Dnsruby::Message, then any signed DNSKEY or DS RRSets are
+    #  processed first, and any new keys are added to the trusted key set
+    #  before the other RRSets are checked.
+    # 
+    #  msg can be a Dnsruby::Message or Dnsruby::RRSet.
+    #  keys may be nil, or a KeyCache or an RRSet of Dnsruby::RR::DNSKEY
+    # 
+    #  Returns true if the message verifies OK, and false otherwise.
     def verify(msg, keys = nil)
       if (msg.kind_of?RRSet)
         if (msg.type == Types.DNSKEY)
@@ -253,13 +253,13 @@ module Dnsruby
         end
         return verify_rrset(msg, keys)
       end
-      # Use the set of trusted keys to check any RRSets we can, ideally
-      # those of other DNSKEY RRSets first. Then, see if we can use any of the
-      # new total set of keys to check the rest of the rrsets.
-      # Return true if we can verify the whole message.
+      #  Use the set of trusted keys to check any RRSets we can, ideally
+      #  those of other DNSKEY RRSets first. Then, see if we can use any of the
+      #  new total set of keys to check the rest of the rrsets.
+      #  Return true if we can verify the whole message.
 
       msg.each_section do |section|
-        #        print "Checking section : #{section}\n"
+        #         print "Checking section : #{section}\n"
         ds_rrsets = section.rrsets(Types.DS)
         if ((!ds_rrsets || ds_rrsets.length == 0) && (@verifier_type == VerifierType::DLV))
           ds_rrsets = section.rrsets(Types.DLV)
@@ -267,7 +267,7 @@ module Dnsruby
         ds_rrsets.each {|ds_rrset|
           if ((ds_rrset && ds_rrset.rrs.length > 0) && !verify_ds_rrset(ds_rrset, keys, msg))
             raise VerifyError.new("Failed to verify DS RRSet")
-            #            return false
+            #             return false
           end
         }
 
@@ -275,24 +275,24 @@ module Dnsruby
         key_rrsets.each {|key_rrset|
           if ((key_rrset && key_rrset.rrs.length > 0) && !verify_key_rrset(key_rrset, keys))
             raise VerifyError.new("Failed to verify DNSKEY RRSet")
-            #            return false
+            #             return false
           end
         }
       end
 
       verify_nsecs(msg)
 
-      # Then, look through all the remaining RRSets, and verify them all (unless not necessary).
+      #  Then, look through all the remaining RRSets, and verify them all (unless not necessary).
       msg.section_rrsets.each do |section, rrsets|
         rrsets.each do |rrset|
-          # If delegation NS or glue AAAA/A, then don't expect RRSIG.
-          # Otherwise, expect RRSIG and fail verification if RRSIG is not present
+          #  If delegation NS or glue AAAA/A, then don't expect RRSIG.
+          #  Otherwise, expect RRSIG and fail verification if RRSIG is not present
 
           if ((section == "authority") && (rrset.type == Types.NS))
-            # Check for delegation
+            #  Check for delegation
             dsrrset = msg.authority.rrsets('DS')[0]
             if ((msg.answer.size == 0) && (!dsrrset) && (rrset.type == Types.NS)) # (isDelegation)
-              # Now check NSEC(3) records for absence of DS and SOA
+              #  Now check NSEC(3) records for absence of DS and SOA
               nsec = msg.authority.rrsets('NSEC')[0]
               if (!nsec || (nsec.length == 0))
                 nsec = msg.authority.rrsets('NSEC3')[0]
@@ -303,19 +303,19 @@ module Dnsruby
                 end
               end
             end
-            # If NS records delegate the name to the child's nameservers, then they MUST NOT be signed
+            #  If NS records delegate the name to the child's nameservers, then they MUST NOT be signed
             if (rrset.type == Types.NS)
-              #              all_delegate = true
-              #              rrset.rrs.each {|rr|
-              #                name = Name.create(rr.nsdname)
-              #                name.absolute = true
-              #                if (!(name.subdomain_of?(rr.name)))
-              #                  all_delegate = false
-              #                end
-              #              }
-              #              if (all_delegate && rrset.sigs.length == 0)
-              #                next
-              #              end
+              #               all_delegate = true
+              #               rrset.rrs.each {|rr|
+              #                 name = Name.create(rr.nsdname)
+              #                 name.absolute = true
+              #                 if (!(name.subdomain_of?(rr.name)))
+              #                   all_delegate = false
+              #                 end
+              #               }
+              #               if (all_delegate && rrset.sigs.length == 0)
+              #                 next
+              #               end
               if ((rrset.name.canonical == msg.question()[0].qname.canonical) && (rrset.sigs.length == 0))
                 next
               end
@@ -323,8 +323,8 @@ module Dnsruby
           end
 
           if (section == "additional")
-            # check for glue
-            # if the ownername (in the addtional section) of the glue address is the same or longer as the ownername of the NS record, it is glue
+            #  check for glue
+            #  if the ownername (in the addtional section) of the glue address is the same or longer as the ownername of the NS record, it is glue
             if (msg.additional.size > 0)
               arec = msg.additional.rrsets('A')[0]
               if (!arec || arec.rrs.length == 0)
@@ -344,15 +344,15 @@ module Dnsruby
               }
             end
           end
-          # If records are in additional, and no RRSIG, that's Ok - just don't use them!
+          #  If records are in additional, and no RRSIG, that's Ok - just don't use them!
           if ((section == "additional") && (rrset.sigs.length == 0))
-            # @TODO@ Make sure that we don't cache these records!
+            #  @TODO@ Make sure that we don't cache these records!
             next
           end
-          # else verify RRSet
-          #          print "About to verify #{rrset.name}, #{rrset.type}\n"
+          #  else verify RRSet
+          #           print "About to verify #{rrset.name}, #{rrset.type}\n"
           if (!verify_rrset(rrset, keys))
-            #            print "FAILED TO VERIFY RRSET #{rrset.name}, #{rrset.type}\n"
+            #             print "FAILED TO VERIFY RRSET #{rrset.name}, #{rrset.type}\n"
             TheLog.debug("Failed to verify rrset")
             return false
           end
@@ -362,59 +362,59 @@ module Dnsruby
     end
 
     def verify_nsecs(msg) # :nodoc:
-      # NSEC(3) handling. Get NSEC(3)s in four cases : (RFC 4035, section 3.1.3)
-      # a) No data - <SNAME, SCLASS> matches, but no <SNAME, SCLASS, STYPE) (§3.1.3.1)
-      #     - will expect NSEC in Authority (and associated RRSIG)
-      #     - NOERROR returned
-      # b) Name error - no RRSets that match <SNAME, SCLASS> either exactly or through wildcard expansion   (§3.1.3.2)
-      #     - NSEC wil prove i) no exact match for <SNAME, SCLASS>, and ii) no RRSets that could match through wildcard expansion
-      #     - this may be proved in one or more NSECs (and associated RRSIGs)
-      #     - NXDOMAIN returned - should ensure we verify!
-      # c) Wildcard answer - No <SNAME, SCLASS> direct matches, but matches <SNAME, SCLASS, STYPE> through wildcard expansion (§3.1.3.3)
-      #     - Answer section must include wildcard-expanded answer (and associated RRSIGs)
-      #     - label count in answer RRSIG indicates wildcard RRSet was expanded (less labels than in owner name)
-      #     - Authority section must include NSEC (and RRSIGs) proving that zone does not contain a closer match
-      #     - NOERROR returned
-      # d) Wildcard no data - No <SNAME, SCLASS> direct. <SNAME, SCLASS> yes but <SNAME, SCLASS, STYPE> no through wildcard expansion (§3.1.3.4)
-      #     - Authority section contains NSECs (and RRSIGs) for :
-      #         i) NSEC proving no RRSets matching STYPE at wildcard owner name that matched <SNAME, SCLASS> via wildcard expansion
-      #         ii) NSEC proving no RRSets in zone that would have been closer match for <SNAME, SCLASS>
-      #     - this may be proved by one or more NSECs (and associated RRSIGs)
-      #     - NOERROR returned
-      #
-      # Otherwise no NSECs should be returned.
-
-      # So, check for NSEC records in response, and work out what type of answer we have.
-      # Then, if NSECs are present, make sure that we prove what they said they would.
-      # What if the message *should* have no NSEC records? That can only be known by the validator.
-      # We will assume that the validator has checked the (non)-existence of NSEC records - we should not
-      # get upset if there aren't any. However, if there are, then we should verify that they say the right thing
+      #  NSEC(3) handling. Get NSEC(3)s in four cases : (RFC 4035, section 3.1.3)
+      #  a) No data - <SNAME, SCLASS> matches, but no <SNAME, SCLASS, STYPE) (§3.1.3.1)
+      #      - will expect NSEC in Authority (and associated RRSIG)
+      #      - NOERROR returned
+      #  b) Name error - no RRSets that match <SNAME, SCLASS> either exactly or through wildcard expansion   (§3.1.3.2)
+      #      - NSEC wil prove i) no exact match for <SNAME, SCLASS>, and ii) no RRSets that could match through wildcard expansion
+      #      - this may be proved in one or more NSECs (and associated RRSIGs)
+      #      - NXDOMAIN returned - should ensure we verify!
+      #  c) Wildcard answer - No <SNAME, SCLASS> direct matches, but matches <SNAME, SCLASS, STYPE> through wildcard expansion (§3.1.3.3)
+      #      - Answer section must include wildcard-expanded answer (and associated RRSIGs)
+      #      - label count in answer RRSIG indicates wildcard RRSet was expanded (less labels than in owner name)
+      #      - Authority section must include NSEC (and RRSIGs) proving that zone does not contain a closer match
+      #      - NOERROR returned
+      #  d) Wildcard no data - No <SNAME, SCLASS> direct. <SNAME, SCLASS> yes but <SNAME, SCLASS, STYPE> no through wildcard expansion (§3.1.3.4)
+      #      - Authority section contains NSECs (and RRSIGs) for :
+      #          i) NSEC proving no RRSets matching STYPE at wildcard owner name that matched <SNAME, SCLASS> via wildcard expansion
+      #          ii) NSEC proving no RRSets in zone that would have been closer match for <SNAME, SCLASS>
+      #      - this may be proved by one or more NSECs (and associated RRSIGs)
+      #      - NOERROR returned
+      # 
+      #  Otherwise no NSECs should be returned.
+
+      #  So, check for NSEC records in response, and work out what type of answer we have.
+      #  Then, if NSECs are present, make sure that we prove what they said they would.
+      #  What if the message *should* have no NSEC records? That can only be known by the validator.
+      #  We will assume that the validator has checked the (non)-existence of NSEC records - we should not
+      #  get upset if there aren't any. However, if there are, then we should verify that they say the right thing
       qtype = msg.question()[0].qtype
       return if (msg.rcode == RCode.NOERROR && ((qtype == Types.ANY) || (qtype == Types.NSEC) || (qtype == Types.NSEC3)))
       if ((msg.rrsets('NSEC').length > 0) || (msg.rrsets('NSEC3').length > 0))
         if (msg.rcode == RCode.NXDOMAIN)
-          #          print "Checking NSECs for Name Error\n"
-          #Name error - NSEC wil prove i) no exact match for <SNAME, SCLASS>, and ii) no RRSets that could match through wildcard expansion
-          #           - this may be proved in one or more NSECs (and associated RRSIGs)
+          #           print "Checking NSECs for Name Error\n"
+          # Name error - NSEC wil prove i) no exact match for <SNAME, SCLASS>, and ii) no RRSets that could match through wildcard expansion
+          #            - this may be proved in one or more NSECs (and associated RRSIGs)
           check_name_in_nsecs(msg)
           return check_no_wildcard_expansion(msg)
         elsif (msg.rcode == RCode.NOERROR)
           if (msg.answer.length > 0)
-            #            print "Checking NSECs for wildcard expansion\n"
-            # wildcard expansion answer - check NSECs!
-            # We want to make sure that the NSEC tells us that there is no closer match for this name
-            # @TODO@ We need to make replace the RRSIG name with the wildcard name before we can verify it correctly.
+            #             print "Checking NSECs for wildcard expansion\n"
+            #  wildcard expansion answer - check NSECs!
+            #  We want to make sure that the NSEC tells us that there is no closer match for this name
+            #  @TODO@ We need to make replace the RRSIG name with the wildcard name before we can verify it correctly.
             check_num_rrsig_labels(msg)
             return check_name_in_nsecs(msg, msg.question()[0].qtype, true)
           else
-            # Either no data or wildcard no data - check to see which
-            # Should be able to tell this by checking the number of labels in the NSEC records.
-            # Sort these two last cases out!
+            #  Either no data or wildcard no data - check to see which
+            #  Should be able to tell this by checking the number of labels in the NSEC records.
+            #  Sort these two last cases out!
             isWildcardNoData = false
             [msg.authority.rrsets('NSEC'), msg.authority.rrsets('NSEC3')].each {|nsec_rrsets|
               nsec_rrsets.each {|nsec_rrset|
                 nsec_rrset.rrs.each {|nsec|
-                  #                  print "Checking nsec to see if wildcard : #{nsec}\n"
+                  #                   print "Checking nsec to see if wildcard : #{nsec}\n"
                   if (nsec.name.wild? ||(nsec.name.labels.length < msg.question()[0].qname.labels.length))
                     isWildcardNoData = true
                   end
@@ -423,28 +423,28 @@ module Dnsruby
             }
 
             if (isWildcardNoData)
-              #              print "Checking NSECs for wildcard no data\n"
-              # Check NSECs -
-              #         i) NSEC proving no RRSets matching STYPE at wildcard owner name that matched <SNAME, SCLASS> via wildcard expansion
+              #               print "Checking NSECs for wildcard no data\n"
+              #  Check NSECs -
+              #          i) NSEC proving no RRSets matching STYPE at wildcard owner name that matched <SNAME, SCLASS> via wildcard expansion
               check_name_not_in_wildcard_nsecs(msg)
-              #         ii) NSEC proving no RRSets in zone that would have been closer match for <SNAME, SCLASS>
+              #          ii) NSEC proving no RRSets in zone that would have been closer match for <SNAME, SCLASS>
               return check_name_in_and_type_not_in_nsecs(msg)
             else # (isNoData)
-              #              print "Checking NSECs for No data\n"
-              # Check NSEC types covered to make sure this type not present.
+              #               print "Checking NSECs for No data\n"
+              #  Check NSEC types covered to make sure this type not present.
               return check_name_in_and_type_not_in_nsecs(msg)
             end
           end
         else
-          # Anything we should do here?
+          #  Anything we should do here?
         end
       end
 
     end
 
     def check_num_rrsig_labels(msg) # :nodoc:
-      # Check that the number of labels in the RRSIG is less than the number
-      # of labels in the answer name
+      #  Check that the number of labels in the RRSIG is less than the number
+      #  of labels in the answer name
       answer_rrset = msg.answer.rrset(msg.question()[0].qname, msg.question()[0].qtype)
       if (answer_rrset.length == 0)
         raise VerifyError.new("Expected wildcard expanded answer for #{msg.question()[0].qname}")
@@ -456,13 +456,13 @@ module Dnsruby
     end
 
     def check_no_wildcard_expansion(msg) # :nodoc:
-      # @TODO@ Do this for NSEC3 records!!!
+      #  @TODO@ Do this for NSEC3 records!!!
       proven_no_wildcards = false
       name = msg.question()[0].qname
       [msg.authority.rrsets('NSEC'), msg.authority.rrsets('NSEC3')].each {|nsec_rrsets|
         nsec_rrsets.each {|nsecs|
           nsecs.rrs.each {|nsec|
-            #            print "Checking NSEC : #{nsec}\n"
+            #             print "Checking NSEC : #{nsec}\n"
             next if (nsec.name.wild?)
             if (check_record_proves_no_wildcard(msg, nsec))
               proven_no_wildcards = true
@@ -471,20 +471,20 @@ module Dnsruby
         }
       }
       if (!proven_no_wildcards)
-        #        print "No proof that no RRSets could match through wildcard expansion\n"
+        #         print "No proof that no RRSets could match through wildcard expansion\n"
         raise VerifyError.new("No proof that no RRSets could match through wildcard expansion")
       end
 
     end
-    
+
     def check_record_proves_no_wildcard(msg, nsec) # :nodoc:
-      # Check that the NSEC goes from the SOA to a zone canonically after a wildcard
-      #      print "Checking wildcard proof for #{nsec.name}\n"
+      #  Check that the NSEC goes from the SOA to a zone canonically after a wildcard
+      #       print "Checking wildcard proof for #{nsec.name}\n"
       soa_rrset = msg.authority.rrset(nsec.name, 'SOA')
       if (soa_rrset.length > 0)
-        #        print "Found SOA for #{nsec.name}\n"
+        #         print "Found SOA for #{nsec.name}\n"
         wildcard_name = Name.create("*." + nsec.name.to_s)
-        #        print "Checking #{wildcard_name}\n"
+        #         print "Checking #{wildcard_name}\n"
         if (wildcard_name.canonically_before(nsec.next_domain))
           return true
         end
@@ -493,16 +493,16 @@ module Dnsruby
     end
 
     def check_name_in_nsecs(msg, qtype=nil, expected_qtype = false) # :nodoc:
-      # Check these NSECs to make sure that this name cannot be in the zone
-      # and that no RRSets could match through wildcard expansion
-      # @TODO@ Get this right for NSEC3 too!
+      #  Check these NSECs to make sure that this name cannot be in the zone
+      #  and that no RRSets could match through wildcard expansion
+      #  @TODO@ Get this right for NSEC3 too!
       name = msg.question()[0].qname
       proven_name_in_nsecs = false
       type_covered_checked = false
       [msg.authority.rrsets('NSEC'), msg.authority.rrsets('NSEC3')].each {|nsec_rrsets|
         nsec_rrsets.each {|nsecs|
           nsecs.rrs.each {|nsec|
-            #            print "Checking NSEC : #{nsec}\n"
+            #             print "Checking NSEC : #{nsec}\n"
             next if (nsec.name.wild?)
             if nsec.check_name_in_range(name)
               proven_name_in_nsecs = true
@@ -512,9 +512,9 @@ module Dnsruby
                   qtype_present = true
                 end
                 if (qtype_present != expected_qtype)
-                  #                  print "#{nsec.type} record #{nsec} does #{expected_qtype ? 'not ' : ''} include #{qtype} type\n"
+                  #                   print "#{nsec.type} record #{nsec} does #{expected_qtype ? 'not ' : ''} include #{qtype} type\n"
                   raise VerifyError.new("#{nsec.type} record #{nsec} does #{expected_qtype ? 'not ' : ''}include #{qtype} type")
-                  #              return false
+                  #               return false
                 end
                 type_covered_checked = true
               end
@@ -523,11 +523,11 @@ module Dnsruby
         }
       }
       if (!proven_name_in_nsecs)
-        #        print "No proof for non-existence for #{name}\n"
+        #         print "No proof for non-existence for #{name}\n"
         raise VerifyError.new("No proof for non-existence for #{name}")
       end
       if (qtype && !type_covered_checked)
-        #        print "Tyes covered wrong for #{name}\n"
+        #         print "Tyes covered wrong for #{name}\n"
         raise VerifyError.new("Types covered wrong for #{name}")
       end
     end
@@ -537,45 +537,45 @@ module Dnsruby
     end
 
     def check_name_not_in_wildcard_nsecs(msg) # :nodoc:
-      # @TODO@ Do this for NSEC3 records too!
+      #  @TODO@ Do this for NSEC3 records too!
       name = msg.question()[0].qname
       qtype = msg.question()[0].qtype
       done= false
       [msg.authority.rrsets('NSEC'), msg.authority.rrsets('NSEC3')].each {|nsec_rrsets|
         nsec_rrsets.each {|nsecs|
           nsecs.rrs.each {|nsec|
-            #            print "Checking NSEC : #{nsec}\n"
+            #             print "Checking NSEC : #{nsec}\n"
             next if !nsec.name.wild?
-            # Check the wildcard expansion
-            # We want to see that the name is in the wildcard range, and that the type
-            # is not in the types for the NSEC
+            #  Check the wildcard expansion
+            #  We want to see that the name is in the wildcard range, and that the type
+            #  is not in the types for the NSEC
             if nsec.check_name_in_wildcard_range(name)
-              #              print "Wildcard expansion in #{nsec} includes #{name}\n"
+              #               print "Wildcard expansion in #{nsec} includes #{name}\n"
               raise VerifyError.new("Wildcard expansion in #{nsec} includes #{name}")
-              #            return false
+              #             return false
             end
             if (nsec.types.include?qtype)
-              #              print "#{qtype} present in wildcard #{nsec}\n"
+              #               print "#{qtype} present in wildcard #{nsec}\n"
               raise VerifyError.new("#{qtype} present in wildcard #{nsec}")
-              #            return false
+              #             return false
             end
             done = true
           }
         }
       }
       return if done
-      #      print("Expected wildcard expansion in #{msg}\n")
+      #       print("Expected wildcard expansion in #{msg}\n")
       raise VerifyError.new("Expected wildcard expansion in #{msg}")
-      #      return false
+      #       return false
     end
 
     def verify_ds_rrset(ds_rrset, keys = nil, msg = nil) # :nodoc:
-      #      print "verify_ds_rrset #{ds_rrset}\n"
+      #       print "verify_ds_rrset #{ds_rrset}\n"
       if (ds_rrset && ds_rrset.num_sigs > 0)
         if (verify_rrset(ds_rrset, keys))
-          # Need to handle DS RRSets (with RRSIGs) not just DS records.
-          #            ds_rrset.rrs.each do |ds|
-          # Work out which key this refers to, and add it to the trusted key store
+          #  Need to handle DS RRSets (with RRSIGs) not just DS records.
+          #             ds_rrset.rrs.each do |ds|
+          #  Work out which key this refers to, and add it to the trusted key store
           found = false
           if (msg)
             msg.each_section do |section|
@@ -593,16 +593,16 @@ module Dnsruby
               found = true
             end
           }
-          # If we couldn't find the trusted key, then we should store the
-          # key tag and digest in a @@discovered_ds_store.
-          # Each time we see a new key (which has been signed) then we should
-          # check if it is sitting on the discovered_ds_store.
-          # If it is, then we should add it to the trusted_keys and remove the
-          # DS from the discovered_ds_store
+          #  If we couldn't find the trusted key, then we should store the
+          #  key tag and digest in a @@discovered_ds_store.
+          #  Each time we see a new key (which has been signed) then we should
+          #  check if it is sitting on the discovered_ds_store.
+          #  If it is, then we should add it to the trusted_keys and remove the
+          #  DS from the discovered_ds_store
           if (!found)
             @discovered_ds_store.push(ds_rrset)
           end
-          #            end
+          #             end
           return true
         else
           return false
@@ -612,14 +612,14 @@ module Dnsruby
     end
 
     def verify_key_rrset(key_rrset, keys = nil) # :nodoc:
-      #      print "verify_key_rrset\n"
+      #       print "verify_key_rrset\n"
       verified = false
       if (key_rrset && key_rrset.num_sigs > 0)
         if (verify_rrset(key_rrset, keys))
-          #            key_rrset.rrs.each do |rr|
-          #          print "Adding keys : "
-          #          key_rrset.rrs.each {|rr| print "#{rr.key_tag}, "}
-          #          print "\n"
+          #             key_rrset.rrs.each do |rr|
+          #           print "Adding keys : "
+          #           key_rrset.rrs.each {|rr| print "#{rr.key_tag}, "}
+          #           print "\n"
           @trusted_keys.add(key_rrset) # rr)
           verified = true
         end
@@ -629,7 +629,7 @@ module Dnsruby
     end
 
     def check_ds_stores(key_rrset) # :nodoc:
-      # See if the keys match any of the to_be_trusted_keys
+      #  See if the keys match any of the to_be_trusted_keys
       key_rrset.rrs.each do |key|
         @configured_ds_store.each do |ds|
           if (ds.check_key(key))
@@ -637,8 +637,8 @@ module Dnsruby
           end
         end
         @discovered_ds_store.each do |tbtk|
-          # Check that the RRSet is still valid!!
-          # Should we get it out of the main cache?
+          #  Check that the RRSet is still valid!!
+          #  Should we get it out of the main cache?
           if ((tbtk.sigs()[0].expiration < Time.now.to_i))
             @discovered_ds_store.delete(tbtk)
           else
@@ -650,7 +650,7 @@ module Dnsruby
             }
           end
         end
-        #            end
+        #             end
       end
 
     end
@@ -660,9 +660,9 @@ module Dnsruby
       return keys_to_check
     end
 
-    # Find the first matching DNSKEY and RRSIG record in the two sets.
+    #  Find the first matching DNSKEY and RRSIG record in the two sets.
     def get_matching_key(keys, sigrecs)#:nodoc: all
-      # There can be multiple signatures in the RRSet - which one should we choose?
+      #  There can be multiple signatures in the RRSet - which one should we choose?
       if ((keys == nil) || (sigrecs == nil))
         return nil, nil
       end
@@ -690,12 +690,12 @@ module Dnsruby
       return nil, nil
     end
 
-    # Verify the signature of an rrset encoded with the specified KeyCache
-    # or RRSet. If no signature is included, false is returned.
-    #
-    # Returns true if the RRSet verified, false otherwise.
+    #  Verify the signature of an rrset encoded with the specified KeyCache
+    #  or RRSet. If no signature is included, false is returned.
+    # 
+    #  Returns true if the RRSet verified, false otherwise.
     def verify_rrset(rrset, keys = nil)
-      #      print "Verify_rrset #{rrset.name}, #{rrset.type}\n"
+      #       print "Verify_rrset #{rrset.name}, #{rrset.type}\n"
 #      print "ABOUT TO VERIFY WITH #{keys == nil ? '0' : keys.length} keys\n"
 #      if (keys != nil)
 #        if (keys.length > 0)
@@ -736,32 +736,32 @@ module Dnsruby
         keyrec, sigrec = get_matching_key(keys, sigrecs)
       end
 
-      #      return false if !keyrec
+      #       return false if !keyrec
       if (!keyrec)
-        #        print "Couldn't find signing key! #{rrset.name}, #{rrset.type},\n "
+        #         print "Couldn't find signing key! #{rrset.name}, #{rrset.type},\n "
         raise VerifyError.new("Signing key not found")
       end
 
-      # RFC 4034
-      #3.1.8.1.  Signature Calculation
+      #  RFC 4034
+      # 3.1.8.1.  Signature Calculation
 
       if (keyrec.sep_key? && !keyrec.zone_key?)
         Dnsruby.log.error("DNSKEY with SEP flag set and Zone Key flag not set was used to verify RRSIG over RRSET - this is not allowed by RFC4034 section 2.1.1")
-        #        return false
+        #         return false
         raise VerifyError.new("DNSKEY with SEP flag set and Zone Key flag not set")
       end
 
 
 #      print "VERIFY KEY FOUND - doing verification\n"
 
-      #Any DNS names in the RDATA field of each RR MUST be in
-      #canonical form; and
-      #The RRset MUST be sorted in canonical order.
+      # Any DNS names in the RDATA field of each RR MUST be in
+      # canonical form; and
+      # The RRset MUST be sorted in canonical order.
       rrset = rrset.sort_canonical
 
       sig_data = sigrec.sig_data
 
-      #RR(i) = owner | type | class | TTL | RDATA length | RDATA
+      # RR(i) = owner | type | class | TTL | RDATA length | RDATA
       rrset.each do |rec|
         old_ttl = rec.ttl
         rec.ttl = sigrec.original_ttl
@@ -775,7 +775,7 @@ module Dnsruby
         sig_data += data
       end
 
-      # Now calculate the signature
+      #  Now calculate the signature
       verified = false
       if [Algorithms.RSASHA1,
           Algorithms.RSASHA1_NSEC3_SHA1].include?(sigrec.algorithm)
@@ -786,9 +786,9 @@ module Dnsruby
         verified = keyrec.public_key.verify(OpenSSL::Digest::SHA512.new, sigrec.signature, sig_data)
       elsif [Algorithms.DSA,
           Algorithms.DSA_NSEC3_SHA1].include?(sigrec.algorithm)
-        # we are ignoring T for now
-        # t = sigrec.signature[0]
-        # t = t.getbyte(0) if t.class == String
+        #  we are ignoring T for now
+        #  t = sigrec.signature[0]
+        #  t = t.getbyte(0) if t.class == String
         r = RR::get_num(sigrec.signature[1, 20])
         s = RR::get_num(sigrec.signature[21, 20])
         r_asn1 = OpenSSL::ASN1::Integer.new(r)
@@ -803,39 +803,39 @@ module Dnsruby
       if (!verified)
         raise VerifyError.new("Signature failed to cryptographically verify")
       end
-      # Sort out the TTLs - set it to the minimum valid ttl
+      #  Sort out the TTLs - set it to the minimum valid ttl
       expiration_diff = (sigrec.expiration.to_i - Time.now.to_i).abs
       rrset.ttl = ([rrset.ttl, sigrec.ttl, sigrec.original_ttl,
           expiration_diff].sort)[0]
-      #            print "VERIFIED OK\n"
+      #             print "VERIFIED OK\n"
       return true
     end
 
     def find_closest_dlv_anchor_for(name) # :nodoc:
-      # To find the closest anchor, query DLV.isc.org for [a.b.c.d], then [a.b.c], [a.b], etc.
-      # once closest anchor found, simply run follow_chain from that anchor
+      #  To find the closest anchor, query DLV.isc.org for [a.b.c.d], then [a.b.c], [a.b], etc.
+      #  once closest anchor found, simply run follow_chain from that anchor
+
+      #  @TODO@ REALLY NEED AGGRESSIVE NEGATIVE CACHING HERE!!
+      #  i.e. don't look up zones which we *know* we don't have a DLV anchor for
 
-      # @TODO@ REALLY NEED AGGRESSIVE NEGATIVE CACHING HERE!!
-      # i.e. don't look up zones which we *know* we don't have a DLV anchor for
-      
       n = Name.create(name)
       root = Name.create(".")
       while (n != root)
-        # Try to find name in DLV, and return it if possible
+        #  Try to find name in DLV, and return it if possible
         dlv_rrset = query_dlv_for(n)
         if (dlv_rrset)
           key_rrset = get_zone_key_from_dlv_rrset(dlv_rrset, n)
           return key_rrset
         end
-        # strip the name
+        #  strip the name
         n = n.strip_label
       end
       return false
     end
 
     def get_zone_key_from_dlv_rrset(dlv_rrset, name) # :nodoc:
-      # We want to return the key for the zone i.e. DS/DNSKEY for .se, NOT DLV for se.dlv.isc.org
-      # So, we have the DLv record. Now use it to add the zone's DNSKEYs to the trusted key set.
+      #  We want to return the key for the zone i.e. DS/DNSKEY for .se, NOT DLV for se.dlv.isc.org
+      #  So, we have the DLv record. Now use it to add the zone's DNSKEYs to the trusted key set.
       res = get_nameservers_for(name)
       if (!res)
         if (Dnssec.do_validation_with_recursor?)
@@ -848,51 +848,51 @@ module Dnsruby
           end
         end
       end
-      #      query = Message.new(name, Types.DNSKEY)
-      #      query.do_validation = false
+      #       query = Message.new(name, Types.DNSKEY)
+      #       query.do_validation = false
       ret = nil
       begin
-        #        ret = res.send_message(query)
+        #         ret = res.send_message(query)
         ret = res.query_no_validation_or_recursion(name, Types.DNSKEY)
         if (!ret)
           raise ResolvError.new("Couldn't get DNSKEY from Recursor")
         end
       rescue ResolvError => e
-        #        print "Error getting zone key from DLV RR for #{name} : #{e}\n"
+        #         print "Error getting zone key from DLV RR for #{name} : #{e}\n"
         TheLog.error("Error getting zone key from DLV RR for #{name} : #{e}")
         return false
       end
       key_rrset = ret.answer.rrset(name, Types.DNSKEY)
       begin
         verify(key_rrset, dlv_rrset)
-        #        Cache.add(ret)
+        #         Cache.add(ret)
         return key_rrset
       rescue VerifyError => e
-        #        print "Can't move from DLV RR to zone DNSKEY for #{name}, error : #{e}\n"
+        #         print "Can't move from DLV RR to zone DNSKEY for #{name}, error : #{e}\n"
         TheLog.debug("Can't move from DLV RR to zone DNSKEY for #{name}, error : #{e}")
       end
       return false
     end
 
     def query_dlv_for(name) # :nodoc:
-      # See if there is a record for name in dlv.isc.org
+      #  See if there is a record for name in dlv.isc.org
       if (!@res && (@verifier_type == VerifierType::DLV))
         @res = get_dlv_resolver
       end
       begin
         name_to_query = name.to_s+".dlv.isc.org"
-        #        query = Message.new(name_to_query, Types.DLV)
-        #        @res.single_resolvers()[0].prepare_for_dnssec(query)
-        #        query.do_validation = false
+        #         query = Message.new(name_to_query, Types.DLV)
+        #         @res.single_resolvers()[0].prepare_for_dnssec(query)
+        #         query.do_validation = false
         ret = nil
         begin
-          #          ret = @res.send_message(query)
+          #           ret = @res.send_message(query)
           ret = @res.query_no_validation_or_recursion(name_to_query, Types.DLV)
           if (!ret)
             raise ResolvError.new("Couldn't get DLV record from Recursor")
           end
         rescue ResolvError => e
-          #          print "Error getting DLV record for #{name} : #{e}\n"
+          #           print "Error getting DLV record for #{name} : #{e}\n"
           TheLog.info("Error getting DLV record for #{name} : #{e}")
           return nil
         end
@@ -900,96 +900,96 @@ module Dnsruby
         if (dlv_rrset.rrs.length > 0)
           begin
             verify(dlv_rrset)
-            #            Cache.add(ret)
+            #             Cache.add(ret)
             return dlv_rrset
           rescue VerifyError => e
-            #            print "Error verifying DLV records for #{name}, #{e}\n"
+            #             print "Error verifying DLV records for #{name}, #{e}\n"
             TheLog.info("Error verifying DLV records for #{name}, #{e}")
           end
         end
       rescue NXDomain
-        #        print "NXDomain for DLV lookup for #{name}\n"
+        #         print "NXDomain for DLV lookup for #{name}\n"
         return nil
       end
       return nil
     end
 
     def find_closest_anchor_for(name) # :nodoc:
-      # Check if we have an anchor for name.
-      # If not, strip off first label and try again
-      # If we get to root, then return false
+      #  Check if we have an anchor for name.
+      #  If not, strip off first label and try again
+      #  If we get to root, then return false
       name = "." if name == ""
       n = Name.create(name)
       root = Name.create(".")
       while (true) # n != root)
-        # Try the trusted keys first, then the DS set
+        #  Try the trusted keys first, then the DS set
         (@trust_anchors.keys + @trusted_keys.keys + @configured_ds_store + @discovered_ds_store).each {|key|
           return key if key.name.canonical == n.canonical
         }
         break if (n.to_s == root.to_s)
-        # strip the name
+        #  strip the name
         n = n.strip_label
       end
       return false
     end
 
-    # @TODO@ Handle REVOKED keys! (RFC 5011)
-    # Remember that revoked keys will have a different key_tag than pre-revoked.
-    # So, if we see a revoked key, we should go through our key store for
-    # that authority and remove any keys with the pre-revoked key_tag.
+    #  @TODO@ Handle REVOKED keys! (RFC 5011)
+    #  Remember that revoked keys will have a different key_tag than pre-revoked.
+    #  So, if we see a revoked key, we should go through our key store for
+    #  that authority and remove any keys with the pre-revoked key_tag.
 
     def follow_chain(anchor, name) # :nodoc:
-      # Follow the chain from the anchor to name, returning the appropriate
-      # key at the end, or false.
-      #
-      # i.e. anchor = se, name = foo.example.se
-      #   get anchor for example.se with se anchor
-      #   get anchor for foo.example.se with example.se anchor
+      #  Follow the chain from the anchor to name, returning the appropriate
+      #  key at the end, or false.
+      # 
+      #  i.e. anchor = se, name = foo.example.se
+      #    get anchor for example.se with se anchor
+      #    get anchor for foo.example.se with example.se anchor
       next_key = anchor
       next_step = anchor.name
       parent = next_step
-      #      print "Follow chain from #{anchor.name} to #{name}\n"
+      #       print "Follow chain from #{anchor.name} to #{name}\n"
       TheLog.debug("Follow chain from #{anchor.name} to #{name}")
 
-      #      res = nil
+      #       res = nil
       res = Dnssec.default_resolver
-      #      while ((next_step != name) || (next_key.type != Types.DNSKEY))
+      #       while ((next_step != name) || (next_key.type != Types.DNSKEY))
       while (true)
-        #        print "In loop for parent=#{parent}, next step = #{next_step}\n"
+        #         print "In loop for parent=#{parent}, next step = #{next_step}\n"
         dont_move_on = false
         if (next_key.type != Types.DNSKEY)
           dont_move_on = true
         end
         next_key, res = get_anchor_for(next_step, parent, next_key, res)
         if (next_step.canonical.to_s == name.canonical.to_s)
-          #      print "Returning #{next_key.type} for #{next_step}, #{(next_key.type != Types.DNSKEY)}\n"
+          #       print "Returning #{next_key.type} for #{next_step}, #{(next_key.type != Types.DNSKEY)}\n"
           return next_key
         end
         return false if (!next_key)
-        # Add the next label on
+        #  Add the next label on
         if (!dont_move_on)
           parent = next_step
           next_step = Name.new(name.labels[name.labels.length-1-next_step.labels.length,1] +
               next_step.labels , name.absolute?)
-          #          print "Next parent = #{parent}, next_step = #{next_step}, next_key.type = #{next_key.type.string}\n"
+          #           print "Next parent = #{parent}, next_step = #{next_step}, next_key.type = #{next_key.type.string}\n"
         end
       end
 
-      #      print "Returning #{next_key.type} for #{next_step}, #{(next_key.type != Types.DNSKEY)}\n"
+      #       print "Returning #{next_key.type} for #{next_step}, #{(next_key.type != Types.DNSKEY)}\n"
 
       return next_key
     end
 
     def get_anchor_for(child, parent, current_anchor, parent_res = nil) # :nodoc:
-      #      print "Trying to discover anchor for #{child} from #{parent}\n"
+      #       print "Trying to discover anchor for #{child} from #{parent}\n"
       TheLog.debug("Trying to discover anchor for #{child} from #{parent} using #{current_anchor}, #{parent_res}")
-      # We wish to return a DNSKEY which the caller can use to verify name
-      # We are either given a key or a ds record from the parent zone
-      # If given a DNSKEY, then find a DS record signed by that key for the child zone
-      # Use the DS record to find a valid key in the child zone
-      # Return it
+      #  We wish to return a DNSKEY which the caller can use to verify name
+      #  We are either given a key or a ds record from the parent zone
+      #  If given a DNSKEY, then find a DS record signed by that key for the child zone
+      #  Use the DS record to find a valid key in the child zone
+      #  Return it
 
-      # Find NS RRSet for parent
+      #  Find NS RRSet for parent
       child_res = nil
       if (Dnssec.do_validation_with_recursor?)
         parent_res = get_recursor
@@ -998,7 +998,7 @@ module Dnsruby
       begin
         if (child!=parent)
           if (!parent_res)
-            #                      print "No res passed - try to get nameservers for #{parent}\n"
+            #                       print "No res passed - try to get nameservers for #{parent}\n"
             parent_res = get_nameservers_for(parent)
             if (!parent_res)
               if (Dnssec.do_validation_with_recursor?)
@@ -1012,10 +1012,10 @@ module Dnsruby
               end
             end
           end
-          # Use that Resolver to query for DS record and NS for children
+          #  Use that Resolver to query for DS record and NS for children
           ds_rrset = current_anchor
           if (current_anchor.type == Types.DNSKEY)
-            #            print "Trying to find DS records for #{child} from servers for #{parent}\n"
+            #             print "Trying to find DS records for #{child} from servers for #{parent}\n"
             TheLog.debug("Trying to find DS records for #{child} from servers for #{parent}")
             ds_ret = nil
             begin
@@ -1024,32 +1024,32 @@ module Dnsruby
                 raise ResolvError.new("Couldn't get DS records from Recursor")
               end
             rescue ResolvError => e
-              #              print "Error getting DS record for #{child} : #{e}\n"
+              #               print "Error getting DS record for #{child} : #{e}\n"
               TheLog.error("Error getting DS record for #{child} : #{e}")
               return false, nil
             end
             ds_rrset = ds_ret.answer.rrset(child, Types.DS)
             if (ds_rrset.rrs.length == 0)
-              # @TODO@ Check NSEC(3) records - still need to verify there are REALLY no ds records!
-              #              print "NO DS RECORDS RETURNED FOR #{parent}\n"
-              #              child_res = parent_res
+              #  @TODO@ Check NSEC(3) records - still need to verify there are REALLY no ds records!
+              #               print "NO DS RECORDS RETURNED FOR #{parent}\n"
+              #               child_res = parent_res
             else
               begin
                 if (verify(ds_rrset, current_anchor) || verify(ds_rrset))
-                  # Try to make the resolver from the authority/additional NS RRSets in DS response
+                  #  Try to make the resolver from the authority/additional NS RRSets in DS response
                   if (!Dnssec.do_validation_with_recursor?)
                     child_res = get_nameservers_from_message(child, ds_ret)
                   end
                 end
               rescue VerifyError => e
-                #                print "FAILED TO VERIFY DS RRSET FOR #{child}\n"
+                #                 print "FAILED TO VERIFY DS RRSET FOR #{child}\n"
                 TheLog.info("FAILED TO VERIFY DS RRSET FOR #{child}")
                 return false, nil
               end
             end
           end
         end
-        # Make Resolver using all child NSs
+        #  Make Resolver using all child NSs
         if (!child_res)
           child_res = get_nameservers_for(child, parent_res)
         end
@@ -1068,37 +1068,37 @@ module Dnsruby
             end
           end
         end
-        # Query for DNSKEY record, and verify against DS in parent.
-        # Need to get resolver NOT to verify this message - we verify it afterwards
-        #        print "Trying to find DNSKEY records for #{child} from servers for #{child}\n"
+        #  Query for DNSKEY record, and verify against DS in parent.
+        #  Need to get resolver NOT to verify this message - we verify it afterwards
+        #         print "Trying to find DNSKEY records for #{child} from servers for #{child}\n"
         TheLog.info("Trying to find DNSKEY records for #{child} from servers for #{child}")
-        #        query = Message.new(child, Types.DNSKEY)
-        #        query.do_validation = false
+        #         query = Message.new(child, Types.DNSKEY)
+        #         query.do_validation = false
         key_ret = nil
         begin
-          #          key_ret = child_res.send_message(query)
+          #           key_ret = child_res.send_message(query)
           key_ret = child_res.query_no_validation_or_recursion(child, Types.DNSKEY)
           if (!key_ret)
             raise ResolvError.new("Couldn't get info from Recursor")
           end
         rescue ResolvError => e
-          #          print "Error getting DNSKEY for #{child} : #{e}\n"
+          #           print "Error getting DNSKEY for #{child} : #{e}\n"
           TheLog.error("Error getting DNSKEY for #{child} : #{e}")
           return false, nil
         end
         verified = true
         key_rrset = key_ret.answer.rrset(child, Types.DNSKEY)
         if (key_rrset.rrs.length == 0)
-          # @TODO@ Still need to check NSEC records to make *sure* no key rrs returned!
-          #          print "NO DNSKEY RECORDS RETURNED FOR #{child}\n"
+          #  @TODO@ Still need to check NSEC records to make *sure* no key rrs returned!
+          #           print "NO DNSKEY RECORDS RETURNED FOR #{child}\n"
           TheLog.debug("NO DNSKEY RECORDS RETURNED FOR #{child}")
-          #        end
+          #         end
           verified = false
         else
-          # Should check that the matching key's zone flag is set (RFC 4035 section 5.2)
+          #  Should check that the matching key's zone flag is set (RFC 4035 section 5.2)
           key_rrset.rrs.each {|k|
             if (!k.zone_key?)
-              #              print "Discovered DNSKEY is not a zone key - ignoring\n"
+              #               print "Discovered DNSKEY is not a zone key - ignoring\n"
               TheLog.debug("Discovered DNSKEY is not a zone key - ignoring")
               return false, child_res
             end
@@ -1113,8 +1113,8 @@ module Dnsruby
             end
           end
         end
-        
-        # Try to make the resolver from the authority/additional NS RRSets in DNSKEY response
+
+        #  Try to make the resolver from the authority/additional NS RRSets in DNSKEY response
         new_res = get_nameservers_from_message(child,  key_ret) # @TODO@ ?
         if (!new_res)
           new_res = child_res
@@ -1123,17 +1123,17 @@ module Dnsruby
           TheLog.info("Failed to verify DNSKEY for #{child}")
           return false, nil # new_res
         end
-        #        Cache.add(key_ret)
+        #         Cache.add(key_ret)
         return key_rrset, new_res
       rescue VerifyError => e
-        #        print "Verification error : #{e}\n"
+        #         print "Verification error : #{e}\n"
         TheLog.info("Verification error : #{e}\n")
         return false, nil # new_res
       end
     end
 
     def get_nameservers_for(name, res = nil) # :nodoc:
-      # @TODO@ !!!
+      #  @TODO@ !!!
       if (Dnssec.do_validation_with_recursor?)
         return get_recursor
       else
@@ -1158,9 +1158,9 @@ module Dnsruby
         return nil
       end
       if (ns_rrset.sigs.length > 0)
-        #                verify_rrset(ns_rrset) # @TODO@ ??
+        #                 verify_rrset(ns_rrset) # @TODO@ ??
       end
-      #      Cache.add(ns_ret)
+      #       Cache.add(ns_ret)
       ns_additional = []
       ns_ret.additional.each {|rr| ns_additional.push(rr) if (rr.type == Types.A) }
       nameservers = []
@@ -1168,41 +1168,41 @@ module Dnsruby
       ns_additional = []
       ns_ret.additional.each {|rr| ns_additional.push(rr) if (rr.type == Types.AAAA) }
       add_nameservers(ns_rrset, ns_additional, nameservers) if (ns_additional.length > 0)
-      # Make Resolver using all NSs
+      #  Make Resolver using all NSs
       if (nameservers.length == 0)
-        #        print "Can't find nameservers for #{ns_ret.question()[0].qname} from #{ns_rrset.rrs}\n"
+        #         print "Can't find nameservers for #{ns_ret.question()[0].qname} from #{ns_rrset.rrs}\n"
         TheLog.info("Can't find nameservers for #{ns_ret.question()[0].qname} from #{ns_rrset.rrs}")
         return  nil # @TODO@ Could return a recursor here?
-        #return Recursor.new
+        # return Recursor.new
       end
       res = Resolver.new()
       res.nameserver=(nameservers)
-      # Set the retry_delay to be (at least) the number of nameservers
-      # Otherwise, the queries will be sent at a rate of more than one a second!
+      #  Set the retry_delay to be (at least) the number of nameservers
+      #  Otherwise, the queries will be sent at a rate of more than one a second!
       res.retry_delay = nameservers.length * 2
       res.dnssec = true
       return res
     end
 
     def add_nameservers(ns_rrset, ns_additional, nameservers) # :nodoc:
-      # Want to go through all of the ns_rrset NS records,
-      #      print "Checking #{ns_rrset.rrs.length} NS records against #{ns_additional.length} address records\n"
+      #  Want to go through all of the ns_rrset NS records,
+      #       print "Checking #{ns_rrset.rrs.length} NS records against #{ns_additional.length} address records\n"
       ns_rrset.rrs.sort_by {rand}.each {|ns_rr|
-        #   and see if we can find any of the names in the A/AAAA records in ns_additional
+        #    and see if we can find any of the names in the A/AAAA records in ns_additional
         found_addr = false
         ns_additional.each {|addr_rr|
           if (ns_rr.nsdname.canonical == addr_rr.name.canonical)
-            #            print "Found address #{addr_rr.address} for #{ns_rr.nsdname}\n"
+            #             print "Found address #{addr_rr.address} for #{ns_rr.nsdname}\n"
             nameservers.push(addr_rr.address.to_s)
             found_addr = true
             break
-            # If we can, then we add the server A/AAAA address to nameservers
+            #  If we can, then we add the server A/AAAA address to nameservers
           end
-          # If we can't, then we add the server NS name to nameservers
+          #  If we can't, then we add the server NS name to nameservers
 
         }
         if (!found_addr)
-          #          print "Couldn't find address - adding #{ns_rr.nsdname}\n"
+          #           print "Couldn't find address - adding #{ns_rr.nsdname}\n"
           nameservers.push(ns_rr.nsdname)
         end
 
@@ -1210,22 +1210,22 @@ module Dnsruby
     end
 
     def validate_no_rrsigs(msg) # :nodoc:
-      #      print "Validating unsigned response\n"
-      # WHAT IF THERE ARE NO RRSIGS IN MSG?
-      # Then we need to check that we do not expect any RRSIGs
+      #       print "Validating unsigned response\n"
+      #  WHAT IF THERE ARE NO RRSIGS IN MSG?
+      #  Then we need to check that we do not expect any RRSIGs
       if (!msg.question()[0] && msg.answer.length == 0)
-        #        print "Returning Message insecure OK\n"
+        #         print "Returning Message insecure OK\n"
         msg.security_level = Message::SecurityLevel.INSECURE
         return true
       end
       qname = msg.question()[0].qname
       closest_anchor = find_closest_anchor_for(qname)
-      #      print "Found closest anchor :#{closest_anchor}\n"
+      #       print "Found closest anchor :#{closest_anchor}\n"
       if (closest_anchor)
         actual_anchor = follow_chain(closest_anchor, qname)
-        #        print "Actual anchor : #{actual_anchor}\n"
+        #         print "Actual anchor : #{actual_anchor}\n"
         if (actual_anchor)
-          #          print("Anchor exists for #{qname}, but no signatures in #{msg}\n")
+          #           print("Anchor exists for #{qname}, but no signatures in #{msg}\n")
           TheLog.error("Anchor exists for #{qname}, but no signatures in #{msg}")
           msg.security_level = Message::SecurityLevel.BOGUS
           return false
@@ -1233,15 +1233,15 @@ module Dnsruby
       end
       if ((@verifier_type == VerifierType::DLV) &&
             @added_dlv_key)
-        # Remember to check DLV registry as well (if appropriate!)
-        #        print "Checking DLV for closest anchor\n"
+        #  Remember to check DLV registry as well (if appropriate!)
+        #         print "Checking DLV for closest anchor\n"
         dlv_anchor = find_closest_dlv_anchor_for(qname)
-        #        print "Found DLV closest anchor :#{dlv_anchor}\n"
+        #         print "Found DLV closest anchor :#{dlv_anchor}\n"
         if (dlv_anchor)
           actual_anchor = follow_chain(dlv_anchor, qname)
-          #          print "Actual anchor : #{actual_anchor}\n"
+          #           print "Actual anchor : #{actual_anchor}\n"
           if (actual_anchor)
-            #            print("DLV Anchor exists for #{qname}, but no signatures in #{msg}\n")
+            #             print("DLV Anchor exists for #{qname}, but no signatures in #{msg}\n")
             TheLog.error("DLV Anchor exists for #{qname}, but no signatures in #{msg}")
             msg.security_level = Message::SecurityLevel.BOGUS
             return false
@@ -1249,7 +1249,7 @@ module Dnsruby
 
         end
       end
-      #      print "Returning Message insecure OK\n"
+      #       print "Returning Message insecure OK\n"
       msg.security_level = Message::SecurityLevel.INSECURE
       return true
     end
@@ -1259,14 +1259,14 @@ module Dnsruby
         return validate_no_rrsigs(msg)
       end
 
-      # See if it is a child of any of our trust anchors.
-      # If it is, then see if we have a trusted key for it
-      # If we don't, then see if we can get to it from the closest
-      # trust anchor
-      # Otherwise, try DLV (if configured)
-      #
-      #
-      # So - find closest existing trust anchor
+      #  See if it is a child of any of our trust anchors.
+      #  If it is, then see if we have a trusted key for it
+      #  If we don't, then see if we can get to it from the closest
+      #  trust anchor
+      #  Otherwise, try DLV (if configured)
+      # 
+      # 
+      #  So - find closest existing trust anchor
       error = nil
       msg.security_level = Message::SecurityLevel.INDETERMINATE
       qname = msg.question()[0].qname
@@ -1277,28 +1277,28 @@ module Dnsruby
       if ((msg.security_level.code < Message::SecurityLevel::SECURE) &&
             (@verifier_type == VerifierType::DLV) &&
             @added_dlv_key)
-        # If we can't find anything, and we're set to check DLV, then
-        # check the DLV registry and work down from there.
+        #  If we can't find anything, and we're set to check DLV, then
+        #  check the DLV registry and work down from there.
         dlv_anchor = find_closest_dlv_anchor_for(qname)
         if (dlv_anchor)
-          #          print "Trying to follow DLV anchor from #{dlv_anchor.name} to #{qname}\n"
+          #           print "Trying to follow DLV anchor from #{dlv_anchor.name} to #{qname}\n"
           TheLog.debug("Trying to follow DLV anchor from #{dlv_anchor.name} to #{qname}")
           error = try_to_follow_from_anchor(dlv_anchor, msg, qname)
         else
-          #          print "Couldn't find DLV anchor for #{qname}\n"
+          #           print "Couldn't find DLV anchor for #{qname}\n"
           TheLog.debug("Couldn't find DLV anchor for #{qname}")
         end
       end
       if (msg.security_level.code != Message::SecurityLevel::SECURE)
         begin
-          #          print "Trying to verify one last time\n"
+          #           print "Trying to verify one last time\n"
 
           if verify(msg) # Just make sure we haven't picked the keys up anywhere
             msg.security_level = Message::SecurityLevel.SECURE
             return true
           end
         rescue VerifyError => e
-          #          print "Verify failed : #{e}\n"
+          #           print "Verify failed : #{e}\n"
         end
       end
       if (error)
@@ -1314,7 +1314,7 @@ module Dnsruby
     def try_to_follow_from_anchor(closest_anchor, msg, qname) # :nodoc:
       error = nil
       if (closest_anchor)
-        # Then try to descend to the level we're interested in
+        #  Then try to descend to the level we're interested in
         actual_anchor = follow_chain(closest_anchor, qname)
         if (!actual_anchor)
           TheLog.debug("Unable to follow chain from anchor : #{closest_anchor.name}")
@@ -1323,7 +1323,7 @@ module Dnsruby
           actual_anchor_keys = ""
           actual_anchor.rrs.each {|rr| actual_anchor_keys += ", #{rr.key_tag}"}
           TheLog.debug("Found anchor #{actual_anchor.name}, #{actual_anchor.type} for #{qname} : #{actual_anchor_keys}")
-          #          print "Found anchor #{actual_anchor.name}, #{actual_anchor.type} for #{qname} : #{actual_anchor_keys}\n"
+          #           print "Found anchor #{actual_anchor.name}, #{actual_anchor.type} for #{qname} : #{actual_anchor_keys}\n"
           begin
             if (verify(msg, actual_anchor))
               TheLog.debug("Validated #{qname}")
@@ -1331,13 +1331,13 @@ module Dnsruby
             end
           rescue VerifyError => e
             TheLog.info("BOGUS #{qname}! Error : #{e}")
-            #            print "BOGUS #{qname}! Error : #{e}\n"
+            #             print "BOGUS #{qname}! Error : #{e}\n"
             msg.security_level = Message::SecurityLevel.BOGUS
             error = e
           end
         end
       else
-        #        print "Unable to find an anchor for #{qname}\n"
+        #         print "Unable to find an anchor for #{qname}\n"
         msg.security_level = Message::SecurityLevel.INSECURE
       end
       return error