class Dnsruby::RR::NSEC3

The NSEC3 Resource Record (RR) provides authenticated denial of existence for DNS Resource Record Sets.

The NSEC3 RR lists RR types present at the original owner name of the NSEC3 RR. It includes the next hashed owner name in the hash order of the zone. The complete set of NSEC3 RRs in a zone indicates which RRSets exist for the original owner name of the RR and form a chain of hashed owner names in the zone. This information is used to provide authenticated denial of existence for DNS data. To provide protection against zone enumeration, the owner names used in the NSEC3 RR are cryptographic hashes of the original owner name prepended as a single label to the name of the zone. The NSEC3 RR indicates which hash function is used to construct the hash, which salt is used, and how many iterations of the hash function are performed over the original owner name.

Constants

OPT_OUT

Attributes

flags[R]

The Flags field contains 8 one-bit flags that can be used to indicate different processing. All undefined flags must be zero. The only flag defined by the NSEC3 specification is the Opt-Out flag.

hash_alg[R]

The Hash Algorithm field identifies the cryptographic hash algorithm used to construct the hash-value.

hash_length[R]

The Hash Length field defines the length of the Next Hashed Owner Name field, ranging in value from 1 to 255 octets.

iterations[RW]

The Iterations field defines the number of additional times the hash function has been performed.

next_hashed[RW]

The Next Hashed Owner Name field contains the next hashed owner name in hash order.

salt_length[R]

The Salt Length field defines the length of the Salt field in octets, ranging in value from 0 to 255.

types[R]

The Type Bit Maps field identifies the RRset types that exist at the NSEC RR's owner name

Public Class Methods

calculate_hash(name, iterations, salt, hash_alg) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 107
def NSEC3.calculate_hash(name, iterations, salt, hash_alg)
  #  RFC5155
  # 5.  Calculation of the Hash

  #    Define H(x) to be the hash of x using the Hash Algorithm selected by
  #    the NSEC3 RR, k to be the number of Iterations, and || to indicate
  #    concatenation.  Then define:
  #
  #       IH(salt, x, 0) = H(x || salt), and
  #
  #       IH(salt, x, k) = H(IH(salt, x, k-1) || salt), if k > 0
  #
  #    Then the calculated hash of an owner name is
  #
  #       IH(salt, owner name, iterations),
  #
  #    where the owner name is in the canonical form, defined as:
  #
  #    The wire format of the owner name where:
  #
  #    1.  The owner name is fully expanded (no DNS name compression) and
  #        fully qualified;
  #    2.  All uppercase US-ASCII letters are replaced by the corresponding
  #        lowercase US-ASCII letters;
  #    3.  If the owner name is a wildcard name, the owner name is in its
  #        original unexpanded form, including the '*' label (no wildcard
  #        substitution);
  #
  #    This form is as defined in Section 6.2 of [RFC 4034].
  #

  n = Name.create(name)
  out = n.canonical
  begin
    (iterations + 1).times { out = NSEC3.h(out + salt, hash_alg) }
    return Base32.encode32hex(out).downcase
  rescue ArgumentError
    TheLog.error("Unknown hash algorithm #{hash_alg} used for NSEC3 hash")
    return 'Unknown NSEC3 hash algorithm'
  end
end
decode_next_hashed(input) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 247
def NSEC3.decode_next_hashed(input)
  return Base32.decode32hex(input)
end
decode_salt(input) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 235
def NSEC3.decode_salt(input)
  input == '-' ? '' : [input].pack('H*')
end
encode_next_hashed(n) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 255
def NSEC3.encode_next_hashed(n)
  return Base32.encode32hex(n).downcase
end
encode_salt(s) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 239
def NSEC3.encode_salt(s)
  (!s || s.length == 0) ? '-' : s.unpack('H*')[0]
end

Public Instance Methods

add_type(t) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 178
def add_type(t)
  self.types = (@types + [t])
end
calculate_hash() click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 103
def calculate_hash
  NSEC3.calculate_hash(@name, @iterations, @salt, @hash_alg)
end
check_name_in_range(_name) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 93
def check_name_in_range(_name)
  #  @TODO@ Check if the name is covered by this record
  false
end
check_name_in_wildcard_range(_name) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 98
def check_name_in_wildcard_range(_name)
  #  @TODO@ Check if the name is covered by this record
  false
end
decode_next_hashed(input) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 243
def decode_next_hashed(input)
  @next_hashed = NSEC3.decode_next_hashed(input)
end
encode_next_hashed(n) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 251
def encode_next_hashed(n)
  return NSEC3.encode_next_hashed(n)
end
flags=(f) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 183
def flags=(f)
  if f == 0 || f == OPT_OUT
    @flags = f
  else
    raise DecodeError.new("Unknown NSEC3 flags field - #{f}")
  end
end
from_string(input) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 259
def from_string(input)
  if input.length > 0
    data = input.split
    self.hash_alg = (data[0]).to_i
    self.flags = (data[1]).to_i
    self.iterations = (data[2]).to_i
    self.salt = (data[3])

    len = data[0].length + data[1].length + data[2].length + data[3].length + 4
    #  There may or may not be brackets around next_hashed
    if data[4] == '('
      len += data[4].length + 1
    end
    next_hashed_and_types = (input[len, input.length-len])
    data2 = next_hashed_and_types.split()


    self.next_hashed = decode_next_hashed(data2[0])
    self.hash_length = @next_hashed.length
    len2 = data2[0].length + 1
    self.types = next_hashed_and_types[len2, next_hashed_and_types.length - len2]
    #           self.types=data2[1]
    #           #          len = data[0].length + data[1].length + data[2].length + data[3].length + data[5].length + 7
    #           #          self.types=(input[len, input.length-len])
  end
end
hash_alg=(a) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 160
def hash_alg=(a)
  if a.instance_of?(String)
    if a.length == 1
      a = a.to_i
    end
  end
  begin
    alg = Nsec3HashAlgorithms.new(a)
    @hash_alg = alg
  rescue ArgumentError => e
    raise DecodeError.new(e)
  end
end
hash_length=(l) click to toggle source

def salt_length=(l)

if ((l < 0) || (l > 255))
  raise DecodeError.new('NSEC3 salt length must be between 0 and 255')
end
@salt_length = l

end

# File lib/dnsruby/resource/NSEC3.rb, line 204
def hash_length=(l)
  if (l < 0) || (l > 255)
    raise DecodeError.new("NSEC3 hash length must be between 0 and 255 but was #{l}")
  end
  @hash_length = l
end
opt_out?() click to toggle source

If the Opt-Out flag is set, the NSEC3 record covers zero or more unsigned delegations.

# File lib/dnsruby/resource/NSEC3.rb, line 193
def opt_out?
  @flags == OPT_OUT
end
salt() click to toggle source

The Salt field is appended to the original owner name before hashing in order to defend against pre-calculated dictionary attacks.

# File lib/dnsruby/resource/NSEC3.rb, line 226
def salt
  return NSEC3.encode_salt(@salt)
end
salt=(s) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 230
def salt=(s)
  @salt = NSEC3.decode_salt(s)
  @salt_length = @salt.length
end
types=(t) click to toggle source
# File lib/dnsruby/resource/NSEC3.rb, line 174
def types=(t)
  @types = (t && t.length > 0) ? NSEC.get_types(t) : []
end