class Dnsruby::RR::NSEC3
The NSEC3
Resource Record (RR
) provides authenticated denial of existence for DNS
Resource Record Sets.
The NSEC3
RR
lists RR
types present at the original owner name of the NSEC3
RR
. It includes the next hashed owner name in the hash order of the zone. The complete set of NSEC3
RRs in a zone indicates which RRSets exist for the original owner name of the RR
and form a chain of hashed owner names in the zone. This information is used to provide authenticated denial of existence for DNS
data. To provide protection against zone enumeration, the owner names used in the NSEC3
RR
are cryptographic hashes of the original owner name prepended as a single label to the name of the zone. The NSEC3
RR
indicates which hash function is used to construct the hash, which salt is used, and how many iterations of the hash function are performed over the original owner name.
Constants
- OPT_OUT
Attributes
The Flags field contains 8 one-bit flags that can be used to indicate different processing. All undefined flags must be zero. The only flag defined by the NSEC3
specification is the Opt-Out flag.
The Hash Algorithm field identifies the cryptographic hash algorithm used to construct the hash-value.
The Hash Length field defines the length of the Next Hashed Owner Name
field, ranging in value from 1 to 255 octets.
The Iterations field defines the number of additional times the hash function has been performed.
The Next Hashed Owner Name
field contains the next hashed owner name in hash order.
The Salt Length field defines the length of the Salt field in octets, ranging in value from 0 to 255.
The Type Bit Maps field identifies the RRset types that exist at the NSEC
RR's owner name
Public Class Methods
# File lib/dnsruby/resource/NSEC3.rb, line 107 def NSEC3.calculate_hash(name, iterations, salt, hash_alg) # RFC5155 # 5. Calculation of the Hash # Define H(x) to be the hash of x using the Hash Algorithm selected by # the NSEC3 RR, k to be the number of Iterations, and || to indicate # concatenation. Then define: # # IH(salt, x, 0) = H(x || salt), and # # IH(salt, x, k) = H(IH(salt, x, k-1) || salt), if k > 0 # # Then the calculated hash of an owner name is # # IH(salt, owner name, iterations), # # where the owner name is in the canonical form, defined as: # # The wire format of the owner name where: # # 1. The owner name is fully expanded (no DNS name compression) and # fully qualified; # 2. All uppercase US-ASCII letters are replaced by the corresponding # lowercase US-ASCII letters; # 3. If the owner name is a wildcard name, the owner name is in its # original unexpanded form, including the '*' label (no wildcard # substitution); # # This form is as defined in Section 6.2 of [RFC 4034]. # n = Name.create(name) out = n.canonical begin (iterations + 1).times { out = NSEC3.h(out + salt, hash_alg) } return Base32.encode32hex(out).downcase rescue ArgumentError TheLog.error("Unknown hash algorithm #{hash_alg} used for NSEC3 hash") return 'Unknown NSEC3 hash algorithm' end end
# File lib/dnsruby/resource/NSEC3.rb, line 247 def NSEC3.decode_next_hashed(input) return Base32.decode32hex(input) end
# File lib/dnsruby/resource/NSEC3.rb, line 235 def NSEC3.decode_salt(input) input == '-' ? '' : [input].pack('H*') end
# File lib/dnsruby/resource/NSEC3.rb, line 255 def NSEC3.encode_next_hashed(n) return Base32.encode32hex(n).downcase end
# File lib/dnsruby/resource/NSEC3.rb, line 239 def NSEC3.encode_salt(s) (!s || s.length == 0) ? '-' : s.unpack('H*')[0] end
Public Instance Methods
# File lib/dnsruby/resource/NSEC3.rb, line 178 def add_type(t) self.types = (@types + [t]) end
# File lib/dnsruby/resource/NSEC3.rb, line 103 def calculate_hash NSEC3.calculate_hash(@name, @iterations, @salt, @hash_alg) end
# File lib/dnsruby/resource/NSEC3.rb, line 93 def check_name_in_range(_name) # @TODO@ Check if the name is covered by this record false end
# File lib/dnsruby/resource/NSEC3.rb, line 98 def check_name_in_wildcard_range(_name) # @TODO@ Check if the name is covered by this record false end
# File lib/dnsruby/resource/NSEC3.rb, line 243 def decode_next_hashed(input) @next_hashed = NSEC3.decode_next_hashed(input) end
# File lib/dnsruby/resource/NSEC3.rb, line 251 def encode_next_hashed(n) return NSEC3.encode_next_hashed(n) end
# File lib/dnsruby/resource/NSEC3.rb, line 183 def flags=(f) if f == 0 || f == OPT_OUT @flags = f else raise DecodeError.new("Unknown NSEC3 flags field - #{f}") end end
# File lib/dnsruby/resource/NSEC3.rb, line 259 def from_string(input) if input.length > 0 data = input.split self.hash_alg = (data[0]).to_i self.flags = (data[1]).to_i self.iterations = (data[2]).to_i self.salt = (data[3]) len = data[0].length + data[1].length + data[2].length + data[3].length + 4 # There may or may not be brackets around next_hashed if data[4] == '(' len += data[4].length + 1 end next_hashed_and_types = (input[len, input.length-len]) data2 = next_hashed_and_types.split() self.next_hashed = decode_next_hashed(data2[0]) self.hash_length = @next_hashed.length len2 = data2[0].length + 1 self.types = next_hashed_and_types[len2, next_hashed_and_types.length - len2] # self.types=data2[1] # # len = data[0].length + data[1].length + data[2].length + data[3].length + data[5].length + 7 # # self.types=(input[len, input.length-len]) end end
# File lib/dnsruby/resource/NSEC3.rb, line 160 def hash_alg=(a) if a.instance_of?(String) if a.length == 1 a = a.to_i end end begin alg = Nsec3HashAlgorithms.new(a) @hash_alg = alg rescue ArgumentError => e raise DecodeError.new(e) end end
def salt_length
=(l)
if ((l < 0) || (l > 255)) raise DecodeError.new('NSEC3 salt length must be between 0 and 255') end @salt_length = l
end
# File lib/dnsruby/resource/NSEC3.rb, line 204 def hash_length=(l) if (l < 0) || (l > 255) raise DecodeError.new("NSEC3 hash length must be between 0 and 255 but was #{l}") end @hash_length = l end
If the Opt-Out flag is set, the NSEC3
record covers zero or more unsigned delegations.
# File lib/dnsruby/resource/NSEC3.rb, line 193 def opt_out? @flags == OPT_OUT end
The Salt field is appended to the original owner name before hashing in order to defend against pre-calculated dictionary attacks.
# File lib/dnsruby/resource/NSEC3.rb, line 226 def salt return NSEC3.encode_salt(@salt) end
# File lib/dnsruby/resource/NSEC3.rb, line 230 def salt=(s) @salt = NSEC3.decode_salt(s) @salt_length = @salt.length end
# File lib/dnsruby/resource/NSEC3.rb, line 174 def types=(t) @types = (t && t.length > 0) ? NSEC.get_types(t) : [] end