dnsruby 1.37 → 1.38
Sign up to get free protection for your applications and to get access to all the features.
- data/lib/Dnsruby/resource/DNSKEY.rb +3 -1
- data/lib/Dnsruby/resource/RRSIG.rb +1 -1
- data/lib/Dnsruby/resource/resource.rb +2 -0
- data/lib/Dnsruby/single_verifier.rb +41 -39
- data/lib/dnsruby.rb +2 -1
- data/test/tc_verifier.rb +82 -2
- metadata +3 -15
- data/demo/digroot.rb +0 -92
- data/html/created.rid +0 -1
- data/html/fr_class_index.html +0 -117
- data/html/fr_file_index.html +0 -82
- data/html/fr_method_index.html +0 -364
- data/html/index.html +0 -24
- data/lib/Dnsruby/resource/delete_me.rhtml +0 -6
- data/lib/Dnsruby/select_thread.rb.michael.rb +0 -602
- data/test/tc_auth.rb +0 -49
- data/test/ts_queue.rb +0 -3
|
@@ -64,7 +64,7 @@ module Dnsruby
|
|
|
64
64
|
|
|
65
65
|
def algorithm=(a)
|
|
66
66
|
if (a.instance_of?String)
|
|
67
|
-
if (a.
|
|
67
|
+
if (a.to_i > 0)
|
|
68
68
|
a = a.to_i
|
|
69
69
|
end
|
|
70
70
|
end
|
|
@@ -264,6 +264,8 @@ module Dnsruby
|
|
|
264
264
|
def public_key
|
|
265
265
|
if (!@public_key)
|
|
266
266
|
if [Algorithms.RSASHA1,
|
|
267
|
+
Algorithms.RSASHA256,
|
|
268
|
+
Algorithms.RSASHA512,
|
|
267
269
|
Algorithms.RSASHA1_NSEC3_SHA1].include?(@algorithm)
|
|
268
270
|
@public_key = rsa_key
|
|
269
271
|
elsif [Algorithms.DSA,
|
|
@@ -146,11 +146,11 @@ module Dnsruby
|
|
|
146
146
|
raise VerifyError.new("RRSET should have same type as RRSIG for verification")
|
|
147
147
|
end
|
|
148
148
|
|
|
149
|
-
# #Each RR in the RRset MUST have the TTL listed in the
|
|
150
|
-
# #RRSIG Original TTL Field;
|
|
151
|
-
# if (rrset.ttl != sigrec.original_ttl)
|
|
152
|
-
# raise VerifyError.new("RRSET should have same ttl as RRSIG original_ttl for verification (should be #{sigrec.original_ttl} but was #{rrset.ttl}")
|
|
153
|
-
# end
|
|
149
|
+
# #Each RR in the RRset MUST have the TTL listed in the
|
|
150
|
+
# #RRSIG Original TTL Field;
|
|
151
|
+
# if (rrset.ttl != sigrec.original_ttl)
|
|
152
|
+
# raise VerifyError.new("RRSET should have same ttl as RRSIG original_ttl for verification (should be #{sigrec.original_ttl} but was #{rrset.ttl}")
|
|
153
|
+
# end
|
|
154
154
|
|
|
155
155
|
# Now check that we are in the validity period for the RRSIG
|
|
156
156
|
now = Time.now.to_i
|
|
@@ -240,7 +240,7 @@ module Dnsruby
|
|
|
240
240
|
# Return true if we can verify the whole message.
|
|
241
241
|
|
|
242
242
|
msg.each_section do |section|
|
|
243
|
-
# print "Checking section : #{section}\n"
|
|
243
|
+
# print "Checking section : #{section}\n"
|
|
244
244
|
ds_rrsets = section.rrsets(Types.DS)
|
|
245
245
|
if ((!ds_rrsets || ds_rrsets.length == 0) && (@verifier_type == VerifierType::DLV))
|
|
246
246
|
ds_rrsets = section.rrsets(Types.DLV)
|
|
@@ -374,14 +374,14 @@ module Dnsruby
|
|
|
374
374
|
return if (msg.rcode == RCode.NOERROR && ((qtype == Types.ANY) || (qtype == Types.NSEC) || (qtype == Types.NSEC3)))
|
|
375
375
|
if ((msg.rrsets('NSEC').length > 0) || (msg.rrsets('NSEC3').length > 0))
|
|
376
376
|
if (msg.rcode == RCode.NXDOMAIN)
|
|
377
|
-
# print "Checking NSECs for Name Error\n"
|
|
377
|
+
# print "Checking NSECs for Name Error\n"
|
|
378
378
|
#Name error - NSEC wil prove i) no exact match for <SNAME, SCLASS>, and ii) no RRSets that could match through wildcard expansion
|
|
379
379
|
# - this may be proved in one or more NSECs (and associated RRSIGs)
|
|
380
380
|
check_name_in_nsecs(msg)
|
|
381
381
|
return check_no_wildcard_expansion(msg)
|
|
382
382
|
elsif (msg.rcode == RCode.NOERROR)
|
|
383
383
|
if (msg.answer.length > 0)
|
|
384
|
-
# print "Checking NSECs for wildcard expansion\n"
|
|
384
|
+
# print "Checking NSECs for wildcard expansion\n"
|
|
385
385
|
# wildcard expansion answer - check NSECs!
|
|
386
386
|
# We want to make sure that the NSEC tells us that there is no closer match for this name
|
|
387
387
|
# @TODO@ We need to make replace the RRSIG name with the wildcard name before we can verify it correctly.
|
|
@@ -395,7 +395,7 @@ module Dnsruby
|
|
|
395
395
|
[msg.authority.rrsets('NSEC'), msg.authority.rrsets('NSEC3')].each {|nsec_rrsets|
|
|
396
396
|
nsec_rrsets.each {|nsec_rrset|
|
|
397
397
|
nsec_rrset.rrs.each {|nsec|
|
|
398
|
-
# print "Checking nsec to see if wildcard : #{nsec}\n"
|
|
398
|
+
# print "Checking nsec to see if wildcard : #{nsec}\n"
|
|
399
399
|
if (nsec.name.wild? ||(nsec.name.labels.length < msg.question()[0].qname.labels.length))
|
|
400
400
|
isWildcardNoData = true
|
|
401
401
|
end
|
|
@@ -404,14 +404,14 @@ module Dnsruby
|
|
|
404
404
|
}
|
|
405
405
|
|
|
406
406
|
if (isWildcardNoData)
|
|
407
|
-
# print "Checking NSECs for wildcard no data\n"
|
|
407
|
+
# print "Checking NSECs for wildcard no data\n"
|
|
408
408
|
# Check NSECs -
|
|
409
409
|
# i) NSEC proving no RRSets matching STYPE at wildcard owner name that matched <SNAME, SCLASS> via wildcard expansion
|
|
410
410
|
check_name_not_in_wildcard_nsecs(msg)
|
|
411
411
|
# ii) NSEC proving no RRSets in zone that would have been closer match for <SNAME, SCLASS>
|
|
412
412
|
return check_name_in_and_type_not_in_nsecs(msg)
|
|
413
413
|
else # (isNoData)
|
|
414
|
-
# print "Checking NSECs for No data\n"
|
|
414
|
+
# print "Checking NSECs for No data\n"
|
|
415
415
|
# Check NSEC types covered to make sure this type not present.
|
|
416
416
|
return check_name_in_and_type_not_in_nsecs(msg)
|
|
417
417
|
end
|
|
@@ -442,7 +442,7 @@ module Dnsruby
|
|
|
442
442
|
[msg.authority.rrsets('NSEC'), msg.authority.rrsets('NSEC3')].each {|nsec_rrsets|
|
|
443
443
|
nsec_rrsets.each {|nsecs|
|
|
444
444
|
nsecs.rrs.each {|nsec|
|
|
445
|
-
# print "Checking NSEC : #{nsec}\n"
|
|
445
|
+
# print "Checking NSEC : #{nsec}\n"
|
|
446
446
|
next if (nsec.name.wild?)
|
|
447
447
|
if (check_record_proves_no_wildcard(msg, nsec))
|
|
448
448
|
proven_no_wildcards = true
|
|
@@ -451,7 +451,7 @@ module Dnsruby
|
|
|
451
451
|
}
|
|
452
452
|
}
|
|
453
453
|
if (!proven_no_wildcards)
|
|
454
|
-
# print "No proof that no RRSets could match through wildcard expansion\n"
|
|
454
|
+
# print "No proof that no RRSets could match through wildcard expansion\n"
|
|
455
455
|
raise VerifyError.new("No proof that no RRSets could match through wildcard expansion")
|
|
456
456
|
end
|
|
457
457
|
|
|
@@ -459,12 +459,12 @@ module Dnsruby
|
|
|
459
459
|
|
|
460
460
|
def check_record_proves_no_wildcard(msg, nsec) # :nodoc:
|
|
461
461
|
# Check that the NSEC goes from the SOA to a zone canonically after a wildcard
|
|
462
|
-
# print "Checking wildcard proof for #{nsec.name}\n"
|
|
462
|
+
# print "Checking wildcard proof for #{nsec.name}\n"
|
|
463
463
|
soa_rrset = msg.authority.rrset(nsec.name, 'SOA')
|
|
464
464
|
if (soa_rrset.length > 0)
|
|
465
|
-
# print "Found SOA for #{nsec.name}\n"
|
|
465
|
+
# print "Found SOA for #{nsec.name}\n"
|
|
466
466
|
wildcard_name = Name.create("*." + nsec.name.to_s)
|
|
467
|
-
# print "Checking #{wildcard_name}\n"
|
|
467
|
+
# print "Checking #{wildcard_name}\n"
|
|
468
468
|
if (wildcard_name.canonically_before(nsec.next_domain))
|
|
469
469
|
return true
|
|
470
470
|
end
|
|
@@ -481,7 +481,7 @@ module Dnsruby
|
|
|
481
481
|
[msg.authority.rrsets('NSEC'), msg.authority.rrsets('NSEC3')].each {|nsec_rrsets|
|
|
482
482
|
nsec_rrsets.each {|nsecs|
|
|
483
483
|
nsecs.rrs.each {|nsec|
|
|
484
|
-
# print "Checking NSEC : #{nsec}\n"
|
|
484
|
+
# print "Checking NSEC : #{nsec}\n"
|
|
485
485
|
next if (nsec.name.wild?)
|
|
486
486
|
if nsec.check_name_in_range(name)
|
|
487
487
|
proven_name_in_nsecs = true
|
|
@@ -491,7 +491,7 @@ module Dnsruby
|
|
|
491
491
|
qtype_present = true
|
|
492
492
|
end
|
|
493
493
|
if (qtype_present != expected_qtype)
|
|
494
|
-
# print "#{nsec.type} record #{nsec} does #{expected_qtype ? 'not ' : ''} include #{qtype} type\n"
|
|
494
|
+
# print "#{nsec.type} record #{nsec} does #{expected_qtype ? 'not ' : ''} include #{qtype} type\n"
|
|
495
495
|
raise VerifyError.new("#{nsec.type} record #{nsec} does #{expected_qtype ? 'not ' : ''}include #{qtype} type")
|
|
496
496
|
# return false
|
|
497
497
|
end
|
|
@@ -502,11 +502,11 @@ module Dnsruby
|
|
|
502
502
|
}
|
|
503
503
|
}
|
|
504
504
|
if (!proven_name_in_nsecs)
|
|
505
|
-
# print "No proof for non-existence for #{name}\n"
|
|
505
|
+
# print "No proof for non-existence for #{name}\n"
|
|
506
506
|
raise VerifyError.new("No proof for non-existence for #{name}")
|
|
507
507
|
end
|
|
508
508
|
if (qtype && !type_covered_checked)
|
|
509
|
-
# print "Tyes covered wrong for #{name}\n"
|
|
509
|
+
# print "Tyes covered wrong for #{name}\n"
|
|
510
510
|
raise VerifyError.new("Types covered wrong for #{name}")
|
|
511
511
|
end
|
|
512
512
|
end
|
|
@@ -522,18 +522,18 @@ module Dnsruby
|
|
|
522
522
|
[msg.authority.rrsets('NSEC'), msg.authority.rrsets('NSEC3')].each {|nsec_rrsets|
|
|
523
523
|
nsec_rrsets.each {|nsecs|
|
|
524
524
|
nsecs.rrs.each {|nsec|
|
|
525
|
-
# print "Checking NSEC : #{nsec}\n"
|
|
525
|
+
# print "Checking NSEC : #{nsec}\n"
|
|
526
526
|
next if !nsec.name.wild?
|
|
527
527
|
# Check the wildcard expansion
|
|
528
528
|
# We want to see that the name is in the wildcard range, and that the type
|
|
529
529
|
# is not in the types for the NSEC
|
|
530
530
|
if nsec.check_name_in_wildcard_range(name)
|
|
531
|
-
# print "Wildcard expansion in #{nsec} includes #{name}\n"
|
|
531
|
+
# print "Wildcard expansion in #{nsec} includes #{name}\n"
|
|
532
532
|
raise VerifyError.new("Wildcard expansion in #{nsec} includes #{name}")
|
|
533
533
|
# return false
|
|
534
534
|
end
|
|
535
535
|
if (nsec.types.include?qtype)
|
|
536
|
-
# print "#{qtype} present in wildcard #{nsec}\n"
|
|
536
|
+
# print "#{qtype} present in wildcard #{nsec}\n"
|
|
537
537
|
raise VerifyError.new("#{qtype} present in wildcard #{nsec}")
|
|
538
538
|
# return false
|
|
539
539
|
end
|
|
@@ -542,7 +542,7 @@ module Dnsruby
|
|
|
542
542
|
}
|
|
543
543
|
}
|
|
544
544
|
return if done
|
|
545
|
-
# print("Expected wildcard expansion in #{msg}\n")
|
|
545
|
+
# print("Expected wildcard expansion in #{msg}\n")
|
|
546
546
|
raise VerifyError.new("Expected wildcard expansion in #{msg}")
|
|
547
547
|
# return false
|
|
548
548
|
end
|
|
@@ -658,7 +658,7 @@ module Dnsruby
|
|
|
658
658
|
|
|
659
659
|
sigrecs.each {|sig|
|
|
660
660
|
if ((key.key_tag == sig.key_tag) && (key.algorithm == sig.algorithm))
|
|
661
|
-
# print "Found key #{key.key_tag}\n"
|
|
661
|
+
# print "Found key #{key.key_tag}\n"
|
|
662
662
|
return key, sig
|
|
663
663
|
end
|
|
664
664
|
}
|
|
@@ -745,8 +745,10 @@ module Dnsruby
|
|
|
745
745
|
if [Algorithms.RSASHA1,
|
|
746
746
|
Algorithms.RSASHA1_NSEC3_SHA1].include?(sigrec.algorithm)
|
|
747
747
|
verified = keyrec.public_key.verify(OpenSSL::Digest::SHA1.new, sigrec.signature, sig_data)
|
|
748
|
-
|
|
749
|
-
|
|
748
|
+
elsif (sigrec.algorithm == Algorithms.RSASHA256)
|
|
749
|
+
verified = keyrec.public_key.verify(OpenSSL::Digest::SHA256.new, sigrec.signature, sig_data)
|
|
750
|
+
elsif (sigrec.algorithm == Algorithms.RSASHA512)
|
|
751
|
+
verified = keyrec.public_key.verify(OpenSSL::Digest::SHA512.new, sigrec.signature, sig_data)
|
|
750
752
|
elsif [Algorithms.DSA,
|
|
751
753
|
Algorithms.DSA_NSEC3_SHA1].include?(sigrec.algorithm)
|
|
752
754
|
# we are ignoring T for now
|
|
@@ -770,7 +772,7 @@ module Dnsruby
|
|
|
770
772
|
expiration_diff = (sigrec.expiration.to_i - Time.now.to_i).abs
|
|
771
773
|
rrset.ttl = ([rrset.ttl, sigrec.ttl, sigrec.original_ttl,
|
|
772
774
|
expiration_diff].sort)[0]
|
|
773
|
-
# print "VERIFIED OK\n"
|
|
775
|
+
# print "VERIFIED OK\n"
|
|
774
776
|
return true
|
|
775
777
|
end
|
|
776
778
|
|
|
@@ -1102,7 +1104,7 @@ module Dnsruby
|
|
|
1102
1104
|
if (Dnssec.default_resolver)
|
|
1103
1105
|
return Dnssec.default_resolver
|
|
1104
1106
|
else
|
|
1105
|
-
|
|
1107
|
+
return Resolver.new
|
|
1106
1108
|
end
|
|
1107
1109
|
end
|
|
1108
1110
|
end
|
|
@@ -1172,22 +1174,22 @@ module Dnsruby
|
|
|
1172
1174
|
end
|
|
1173
1175
|
|
|
1174
1176
|
def validate_no_rrsigs(msg) # :nodoc:
|
|
1175
|
-
# print "Validating unsigned response\n"
|
|
1177
|
+
# print "Validating unsigned response\n"
|
|
1176
1178
|
# WHAT IF THERE ARE NO RRSIGS IN MSG?
|
|
1177
1179
|
# Then we need to check that we do not expect any RRSIGs
|
|
1178
1180
|
if (!msg.question()[0] && msg.answer.length == 0)
|
|
1179
|
-
# print "Returning Message insecure OK\n"
|
|
1181
|
+
# print "Returning Message insecure OK\n"
|
|
1180
1182
|
msg.security_level = Message::SecurityLevel.INSECURE
|
|
1181
1183
|
return true
|
|
1182
1184
|
end
|
|
1183
1185
|
qname = msg.question()[0].qname
|
|
1184
1186
|
closest_anchor = find_closest_anchor_for(qname)
|
|
1185
|
-
# print "Found closest anchor :#{closest_anchor}\n"
|
|
1187
|
+
# print "Found closest anchor :#{closest_anchor}\n"
|
|
1186
1188
|
if (closest_anchor)
|
|
1187
1189
|
actual_anchor = follow_chain(closest_anchor, qname)
|
|
1188
|
-
# print "Actual anchor : #{actual_anchor}\n"
|
|
1190
|
+
# print "Actual anchor : #{actual_anchor}\n"
|
|
1189
1191
|
if (actual_anchor)
|
|
1190
|
-
# print("Anchor exists for #{qname}, but no signatures in #{msg}\n")
|
|
1192
|
+
# print("Anchor exists for #{qname}, but no signatures in #{msg}\n")
|
|
1191
1193
|
TheLog.error("Anchor exists for #{qname}, but no signatures in #{msg}")
|
|
1192
1194
|
msg.security_level = Message::SecurityLevel.BOGUS
|
|
1193
1195
|
return false
|
|
@@ -1196,14 +1198,14 @@ module Dnsruby
|
|
|
1196
1198
|
if ((@verifier_type == VerifierType::DLV) &&
|
|
1197
1199
|
@added_dlv_key)
|
|
1198
1200
|
# Remember to check DLV registry as well (if appropriate!)
|
|
1199
|
-
# print "Checking DLV for closest anchor\n"
|
|
1201
|
+
# print "Checking DLV for closest anchor\n"
|
|
1200
1202
|
dlv_anchor = find_closest_dlv_anchor_for(qname)
|
|
1201
|
-
# print "Found DLV closest anchor :#{dlv_anchor}\n"
|
|
1203
|
+
# print "Found DLV closest anchor :#{dlv_anchor}\n"
|
|
1202
1204
|
if (dlv_anchor)
|
|
1203
1205
|
actual_anchor = follow_chain(dlv_anchor, qname)
|
|
1204
|
-
# print "Actual anchor : #{actual_anchor}\n"
|
|
1206
|
+
# print "Actual anchor : #{actual_anchor}\n"
|
|
1205
1207
|
if (actual_anchor)
|
|
1206
|
-
# print("DLV Anchor exists for #{qname}, but no signatures in #{msg}\n")
|
|
1208
|
+
# print("DLV Anchor exists for #{qname}, but no signatures in #{msg}\n")
|
|
1207
1209
|
TheLog.error("DLV Anchor exists for #{qname}, but no signatures in #{msg}")
|
|
1208
1210
|
msg.security_level = Message::SecurityLevel.BOGUS
|
|
1209
1211
|
return false
|
|
@@ -1211,7 +1213,7 @@ module Dnsruby
|
|
|
1211
1213
|
|
|
1212
1214
|
end
|
|
1213
1215
|
end
|
|
1214
|
-
# print "Returning Message insecure OK\n"
|
|
1216
|
+
# print "Returning Message insecure OK\n"
|
|
1215
1217
|
msg.security_level = Message::SecurityLevel.INSECURE
|
|
1216
1218
|
return true
|
|
1217
1219
|
end
|
data/lib/dnsruby.rb
CHANGED
data/test/tc_verifier.rb
CHANGED
|
@@ -18,12 +18,92 @@ require 'test/unit'
|
|
|
18
18
|
require 'dnsruby'
|
|
19
19
|
|
|
20
20
|
class VerifierTest < Test::Unit::TestCase
|
|
21
|
+
|
|
22
|
+
def test_sha256
|
|
23
|
+
key256 = Dnsruby::RR.create("example.net. 3600 IN DNSKEY (256 3 8 AwEAAcFcGsaxxdgiuuGmCkVI
|
|
24
|
+
my4h99CqT7jwY3pexPGcnUFtR2Fh36BponcwtkZ4cAgtvd4Qs8P
|
|
25
|
+
kxUdp6p/DlUmObdk= );{id = 9033 (zsk), size = 512b}")
|
|
26
|
+
a = Dnsruby::RR.create("www.example.net. 3600 IN A 192.0.2.91")
|
|
27
|
+
sig = Dnsruby::RR.create("www.example.net. 3600 IN RRSIG (A 8 3 3600 20300101000000
|
|
28
|
+
20000101000000 9033 example.net. kRCOH6u7l0QGy9qpC9
|
|
29
|
+
l1sLncJcOKFLJ7GhiUOibu4teYp5VE9RncriShZNz85mwlMgNEa
|
|
30
|
+
cFYK/lPtPiVYP4bwg==) ;{id = 9033}")
|
|
31
|
+
rrset = Dnsruby::RRSet.new(a)
|
|
32
|
+
rrset.add(sig)
|
|
33
|
+
verifier = Dnsruby::SingleVerifier.new(nil)
|
|
34
|
+
verifier.verify_rrset(rrset, key256)
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def test_sha512
|
|
38
|
+
key512 = Dnsruby::RR.create("example.net. 3600 IN DNSKEY (256 3 10 AwEAAdHoNTOW+et86KuJOWRD
|
|
39
|
+
p1pndvwb6Y83nSVXXyLA3DLroROUkN6X0O6pnWnjJQujX/AyhqFD
|
|
40
|
+
xj13tOnD9u/1kTg7cV6rklMrZDtJCQ5PCl/D7QNPsgVsMu1J2Q8g
|
|
41
|
+
pMpztNFLpPBz1bWXjDtaR7ZQBlZ3PFY12ZTSncorffcGmhOL
|
|
42
|
+
);{id = 3740 (zsk), size = 1024b}")
|
|
43
|
+
a = Dnsruby::RR.create("www.example.net. 3600 IN A 192.0.2.91")
|
|
44
|
+
sig = Dnsruby::RR.create("www.example.net. 3600 IN RRSIG (A 10 3 3600 20300101000000
|
|
45
|
+
20000101000000 3740 example.net. tsb4wnjRUDnB1BUi+t
|
|
46
|
+
6TMTXThjVnG+eCkWqjvvjhzQL1d0YRoOe0CbxrVDYd0xDtsuJRa
|
|
47
|
+
eUw1ep94PzEWzr0iGYgZBWm/zpq+9fOuagYJRfDqfReKBzMweOL
|
|
48
|
+
DiNa8iP5g9vMhpuv6OPlvpXwm9Sa9ZXIbNl1MBGk0fthPgxdDLw
|
|
49
|
+
=);{id = 3740}")
|
|
50
|
+
rrset = Dnsruby::RRSet.new(a)
|
|
51
|
+
rrset.add(sig)
|
|
52
|
+
verifier = Dnsruby::SingleVerifier.new(nil)
|
|
53
|
+
verifier.verify_rrset(rrset, key512)
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
def test_sha2_zone
|
|
57
|
+
key1 = Dnsruby::RR.create("example.com. 3600 IN DNSKEY 256 3 8 AwEAAeTXG9RkEnPqrs1gTA
|
|
58
|
+
+7R2YdovW5HrObuMcsgIjfgAupTXX7NHBVUVX0oF2x8fJIeYt9pTuogTuUhw9/
|
|
59
|
+
kJrCI43VWa7xbsMkTbyj1/
|
|
60
|
+
wrfZB25nZnt4DQiqpYm8AZ3XmRBilibsGubVvrzWiQLC1gGXKUJ7JyQyL98G9ODUH2bmnb
|
|
61
|
+
;{id = 43938 (zsk), size = 1024b}")
|
|
62
|
+
key2 = Dnsruby::RR.create("example.com. 3600 IN DNSKEY 257 3 8
|
|
63
|
+
AwEAAeLAE37+XYbieMtOqPRMbimhCjcyc/bSTbMQtKioxzjzgBPu/gVgHTeITJa
|
|
64
|
+
+IBFOD763HkzmG6ZIEcNAagCLg6+xeTnp017CBWWgnU+ksXdjgQ5KLfM/g4d2TL/Xf/BZJP
|
|
65
|
+
+JcIYqx3BNDT//bJpuwXqk6WkMtHGDSfSugel26TvgxG9X9xTaJh0u/
|
|
66
|
+
QMFpm9H4IyQ8557cYAG04z8Yx3PszE5niE6JGho7Qpv2YhpsuLh7dneUTtdqFajdyqU0lZ3iDHnrfm7ve75LorIMPB0FqIo8Q
|
|
67
|
+
+hqV/U44QB/gTuXiBPjxje6D6WLWJdisIKflYZjUBD0FxuOXZQ5+RFVMV5RSc= ;{id =
|
|
68
|
+
18976 (ksk), size = 2048b}")
|
|
69
|
+
rrset = Dnsruby::RRSet.new(key1)
|
|
70
|
+
rrset.add(key2)
|
|
71
|
+
sig2 = Dnsruby::RR.create("example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20091109083537
|
|
72
|
+
20091012083537 18976 example.com. 0S/8cNh9otTenbcqQ2C5fxglGLrkI/EHp/
|
|
73
|
+
8Y3NDbJ5M50xUzrXd91wjDCE2X/z7UNGeBtyFRqm2ZeId4MygBIBsFaqOr98X8qQo3qpZ/
|
|
74
|
+
ZtudmSSlk8X77bnKzsBxdLQgtE/REiT6j556zJJ9LtQ/
|
|
75
|
+
yHgdMmJa5BNPYbQDpJdzJGIYLe1Gx8edOqcPt0LAc3FmjB096Gmlt7JpIWJXrh2Q82eDTkLiEpv7ePAimduKh14
|
|
76
|
+
+ERi6mLKFDaQjnfkwZ7/zjw6Ekp3a7L9Pa4S/OKUis/TarEQJf
|
|
77
|
+
+w9yAVKKL8HCIFKOXfn1rOWZ8LIEzlmUmOVOV03F1Paww+9fJaG+WDhpQ== ;{id =
|
|
78
|
+
18976}")
|
|
79
|
+
rrset.add(sig2)
|
|
80
|
+
verifier = Dnsruby::SingleVerifier.new(nil)
|
|
81
|
+
verifier.verify_rrset(rrset, key2)
|
|
82
|
+
sig = Dnsruby::RR.create("example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20091109083537
|
|
83
|
+
20091012083537 43938 example.com. TXaNGZ4QklUIlPtXaGhNegER
|
|
84
|
+
+uwJAvM9fSmnSt55FiMrMgkJDb6b/
|
|
85
|
+
GTyOF6INgKopO1wZRZI0iWaPUI0SRow6
|
|
86
|
+
+X8Idpk05uG7Two5R9uMGX0hu8PWc8BzuAxgeyawCYkXwXQ6Ah0PF9xkc/
|
|
87
|
+
Xlieo6T34XsoeHmKjmjMWs1KdFkU= ;{id = 43938}")
|
|
88
|
+
rrset.add(sig)
|
|
89
|
+
verifier.verify_rrset(rrset, key1)
|
|
90
|
+
txt = Dnsruby::RR.create('example.com. 86400 IN TXT "v=spf1 -all"')
|
|
91
|
+
rrset = Dnsruby::RRSet.new(txt)
|
|
92
|
+
txt_sig = Dnsruby::RR.create("example.com. 86400 IN RRSIG TXT 8 2 86400 20091109083536
|
|
93
|
+
20091012083536 43938 example.com. rZcuxDZ7QO1oBSqwlV
|
|
94
|
+
+1ar7RTvwWOCYpgZy6oxXQMWkxONXnHVQO32yl
|
|
95
|
+
+3WzROW4tYHfFpsdyvo1BCT1PRRXLcLFGJd/
|
|
96
|
+
T3Y6ciiq5ZzsesfYV0aChOUhseX7MnMjsaLGbmDDVmGqW78nsoBjv9g
|
|
97
|
+
+0YshQa7E1ctz2aQ2sorWN+E= ;{id = 43938}")
|
|
98
|
+
rrset.add(txt_sig)
|
|
99
|
+
verifier.verify_rrset(rrset, key1)
|
|
100
|
+
end
|
|
21
101
|
|
|
22
102
|
def test_se_query
|
|
23
103
|
# Run some queries on the .se zone
|
|
24
104
|
Dnsruby::Dnssec.clear_trusted_keys
|
|
25
105
|
Dnsruby::Dnssec.clear_trust_anchors
|
|
26
|
-
res = Dnsruby::Resolver.new("a.ns.se")
|
|
106
|
+
res = Dnsruby::Resolver.new(Dnsruby::Resolv.getaddress("a.ns.se"))
|
|
27
107
|
res.dnssec = true
|
|
28
108
|
r = res.query("se", Dnsruby::Types.ANY)
|
|
29
109
|
# See comment below
|
|
@@ -36,7 +116,7 @@ class VerifierTest < Test::Unit::TestCase
|
|
|
36
116
|
def test_verify_message
|
|
37
117
|
Dnsruby::Dnssec.clear_trusted_keys
|
|
38
118
|
Dnsruby::Dnssec.clear_trust_anchors
|
|
39
|
-
res = Dnsruby::Resolver.new("a.ns.se")
|
|
119
|
+
res = Dnsruby::Resolver.new(Dnsruby::Resolv.getaddress("a.ns.se"))
|
|
40
120
|
res.udp_size = 5000
|
|
41
121
|
r = res.query("se", Dnsruby::Types.DNSKEY)
|
|
42
122
|
# This shouldn't be in the code - but the key is rotated by the .se registry
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dnsruby
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: "1.
|
|
4
|
+
version: "1.38"
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- AlexD
|
|
@@ -9,7 +9,7 @@ autorequire: dnsruby
|
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
11
|
|
|
12
|
-
date: 2009-
|
|
12
|
+
date: 2009-10-12 00:00:00 +01:00
|
|
13
13
|
default_executable:
|
|
14
14
|
dependencies: []
|
|
15
15
|
|
|
@@ -27,7 +27,6 @@ extra_rdoc_files:
|
|
|
27
27
|
files:
|
|
28
28
|
- test/custom.txt
|
|
29
29
|
- test/resolv.conf
|
|
30
|
-
- test/tc_auth.rb
|
|
31
30
|
- test/tc_axfr.rb
|
|
32
31
|
- test/tc_cache.rb
|
|
33
32
|
- test/tc_dlv.rb
|
|
@@ -71,7 +70,6 @@ files:
|
|
|
71
70
|
- test/ts_dnsruby.rb
|
|
72
71
|
- test/ts_offline.rb
|
|
73
72
|
- test/ts_online.rb
|
|
74
|
-
- test/ts_queue.rb
|
|
75
73
|
- lib/Dnsruby
|
|
76
74
|
- lib/Dnsruby/Cache.rb
|
|
77
75
|
- lib/Dnsruby/code_mapper.rb
|
|
@@ -93,7 +91,6 @@ files:
|
|
|
93
91
|
- lib/Dnsruby/resource/AAAA.rb
|
|
94
92
|
- lib/Dnsruby/resource/AFSDB.rb
|
|
95
93
|
- lib/Dnsruby/resource/CERT.rb
|
|
96
|
-
- lib/Dnsruby/resource/delete_me.rhtml
|
|
97
94
|
- lib/Dnsruby/resource/DLV.rb
|
|
98
95
|
- lib/Dnsruby/resource/DNSKEY.rb
|
|
99
96
|
- lib/Dnsruby/resource/domain_name.rb
|
|
@@ -124,7 +121,6 @@ files:
|
|
|
124
121
|
- lib/Dnsruby/resource/TXT.rb
|
|
125
122
|
- lib/Dnsruby/resource/X25.rb
|
|
126
123
|
- lib/Dnsruby/select_thread.rb
|
|
127
|
-
- lib/Dnsruby/select_thread.rb.michael.rb
|
|
128
124
|
- lib/Dnsruby/single_verifier.rb
|
|
129
125
|
- lib/Dnsruby/SingleResolver.rb
|
|
130
126
|
- lib/Dnsruby/TheLog.rb
|
|
@@ -132,19 +128,11 @@ files:
|
|
|
132
128
|
- lib/Dnsruby/validator_thread.rb
|
|
133
129
|
- lib/Dnsruby/zone_transfer.rb
|
|
134
130
|
- lib/dnsruby.rb
|
|
135
|
-
- html/classes
|
|
136
|
-
- html/created.rid
|
|
137
|
-
- html/files
|
|
138
|
-
- html/fr_class_index.html
|
|
139
|
-
- html/fr_file_index.html
|
|
140
|
-
- html/fr_method_index.html
|
|
141
|
-
- html/index.html
|
|
142
131
|
- demo/axfr.rb
|
|
143
132
|
- demo/check_soa.rb
|
|
144
133
|
- demo/check_zone.rb
|
|
145
134
|
- demo/digdlv.rb
|
|
146
135
|
- demo/digitar.rb
|
|
147
|
-
- demo/digroot.rb
|
|
148
136
|
- demo/example_recurse.rb
|
|
149
137
|
- demo/mresolv.rb
|
|
150
138
|
- demo/mx.rb
|
|
@@ -177,7 +165,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
177
165
|
requirements: []
|
|
178
166
|
|
|
179
167
|
rubyforge_project: dnsruby
|
|
180
|
-
rubygems_version: 1.
|
|
168
|
+
rubygems_version: 1.3.1
|
|
181
169
|
signing_key:
|
|
182
170
|
specification_version: 2
|
|
183
171
|
summary: Ruby DNS implementation
|