Class Dnsruby::RR::NSEC3
In: lib/Dnsruby/resource/NSEC3.rb
Parent: RR
Message Update ResolvError EncodeError OtherResolvError ServFail FormErr DecodeError NXRRSet YXDomain NotImp NXDomain VerifyError NotAuth YXRRSet NotZone Refused TsigError CodeMapper Types MetaTypes QTypes Nsec3HashAlgorithms Algorithms OpCode Classes ExtendedRCode Modes RCode Comparable Name RRSet TsigNotSignedResponseError Resolver SingleResolver StandardError TimeoutError ResolvTimeout DNS Dnssec Hosts RR\n[lib/Dnsruby/resource/A.rb\nlib/Dnsruby/resource/AAAA.rb\nlib/Dnsruby/resource/AFSDB.rb\nlib/Dnsruby/resource/CERT.rb\nlib/Dnsruby/resource/DHCID.rb\nlib/Dnsruby/resource/DLV.rb\nlib/Dnsruby/resource/DNSKEY.rb\nlib/Dnsruby/resource/DS.rb\nlib/Dnsruby/resource/HINFO.rb\nlib/Dnsruby/resource/HIP.rb\nlib/Dnsruby/resource/IN.rb\nlib/Dnsruby/resource/IPSECKEY.rb\nlib/Dnsruby/resource/ISDN.rb\nlib/Dnsruby/resource/KX.rb\nlib/Dnsruby/resource/LOC.rb\nlib/Dnsruby/resource/MINFO.rb\nlib/Dnsruby/resource/MX.rb\nlib/Dnsruby/resource/NAPTR.rb\nlib/Dnsruby/resource/NSAP.rb\nlib/Dnsruby/resource/NSEC.rb\nlib/Dnsruby/resource/NSEC3.rb\nlib/Dnsruby/resource/NSEC3PARAM.rb\nlib/Dnsruby/resource/OPT.rb\nlib/Dnsruby/resource/PX.rb\nlib/Dnsruby/resource/RP.rb\nlib/Dnsruby/resource/RRSIG.rb\nlib/Dnsruby/resource/RT.rb\nlib/Dnsruby/resource/SOA.rb\nlib/Dnsruby/resource/SPF.rb\nlib/Dnsruby/resource/SRV.rb\nlib/Dnsruby/resource/SSHFP.rb\nlib/Dnsruby/resource/TKEY.rb\nlib/Dnsruby/resource/TSIG.rb\nlib/Dnsruby/resource/TXT.rb\nlib/Dnsruby/resource/X25.rb\nlib/Dnsruby/resource/domain_name.rb\nlib/Dnsruby/resource/generic.rb\nlib/Dnsruby/resource/resource.rb] Recursor IPv6 IPv4 ZoneTransfer MessageDecoder MessageEncoder Question Header TheLog ValidatorThread PacketSender ResolverRuby Config KeyCache Cache SingleVerifier SelectThread Resolv ZoneReader lib/Dnsruby/DNS.rb lib/Dnsruby/dnssec.rb lib/Dnsruby/Hosts.rb lib/Dnsruby/resource/PX.rb lib/Dnsruby/Recursor.rb lib/Dnsruby/update.rb lib/Dnsruby/ipv6.rb lib/Dnsruby/ipv4.rb lib/Dnsruby/code_mapper.rb lib/Dnsruby/zone_transfer.rb lib/Dnsruby/message.rb lib/Dnsruby/TheLog.rb lib/Dnsruby/resource/resource.rb lib/Dnsruby/validator_thread.rb lib/Dnsruby/PacketSender.rb lib/Dnsruby/Resolver.rb lib/Dnsruby/Config.rb lib/Dnsruby/key_cache.rb lib/Dnsruby/Cache.rb lib/Dnsruby/single_verifier.rb lib/Dnsruby/SingleResolver.rb lib/Dnsruby/select_thread.rb lib/Dnsruby/name.rb lib/dnsruby.rb lib/Dnsruby/resource/TKEY.rb lib/Dnsruby/zone_reader.rb Dnsruby dot/m_61_0.png

The NSEC3 Resource Record (RR) provides authenticated denial of existence for DNS Resource Record Sets.

The NSEC3 RR lists RR types present at the original owner name of the NSEC3 RR. It includes the next hashed owner name in the hash order of the zone. The complete set of NSEC3 RRs in a zone indicates which RRSets exist for the original owner name of the RR and form a chain of hashed owner names in the zone. This information is used to provide authenticated denial of existence for DNS data. To provide protection against zone enumeration, the owner names used in the NSEC3 RR are cryptographic hashes of the original owner name prepended as a single label to the name of the zone. The NSEC3 RR indicates which hash function is used to construct the hash, which salt is used, and how many iterations of the hash function are performed over the original owner name.

Methods

add_type   calculate_hash   calculate_hash   check_name_in_range   check_name_in_wildcard_range   decode_next_hashed   decode_next_hashed   decode_salt   encode_next_hashed   encode_next_hashed   encode_salt   flags=   from_string   hash_alg=   hash_length=   opt_out?   salt   salt=   types=  

Constants

TypeValue = Types::NSEC3 #:nodoc: all
OPT_OUT = 1

Attributes

flags  [R]  The Flags field contains 8 one-bit flags that can be used to indicate different processing. All undefined flags must be zero. The only flag defined by the NSEC3 specification is the Opt-Out flag.
hash_alg  [R]  The Hash Algorithm field identifies the cryptographic hash algorithm used to construct the hash-value.
hash_length  [R]  The Hash Length field defines the length of the Next Hashed Owner Name field, ranging in value from 1 to 255 octets.
iterations  [RW]  The Iterations field defines the number of additional times the hash function has been performed.
next_hashed  [RW]  The Next Hashed Owner Name field contains the next hashed owner name in hash order.
salt_length  [R]  The Salt Length field defines the length of the Salt field in octets, ranging in value from 0 to 255.
types  [R]  The Type Bit Maps field identifies the RRset types that exist at the NSEC RR‘s owner name

Public Class methods

calculate_hash(name, iterations, salt, hash_alg)

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 101
101:       def NSEC3.calculate_hash(name, iterations, salt, hash_alg)
102:         # RFC5155

103:         #5.  Calculation of the Hash

104: 
105:         #   Define H(x) to be the hash of x using the Hash Algorithm selected by

106:         #   the NSEC3 RR, k to be the number of Iterations, and || to indicate

107:         #   concatenation.  Then define:

108:         #

109:         #      IH(salt, x, 0) = H(x || salt), and

110:         #

111:         #      IH(salt, x, k) = H(IH(salt, x, k-1) || salt), if k > 0

112:         #

113:         #   Then the calculated hash of an owner name is

114:         #

115:         #      IH(salt, owner name, iterations),

116:         #

117:         #   where the owner name is in the canonical form, defined as:

118:         #

119:         #   The wire format of the owner name where:

120:         #

121:         #   1.  The owner name is fully expanded (no DNS name compression) and

122:         #       fully qualified;

123:         #   2.  All uppercase US-ASCII letters are replaced by the corresponding

124:         #       lowercase US-ASCII letters;

125:         #   3.  If the owner name is a wildcard name, the owner name is in its

126:         #       original unexpanded form, including the "*" label (no wildcard

127:         #       substitution);

128:         #

129:         #   This form is as defined in Section 6.2 of [RFC 4034].

130:         #

131: 
132:         n = Name.create(name)
133:         out = n.canonical
134:         begin
135:         (0..iterations).each  {
136:           out =NSEC3.h(out + salt, hash_alg);
137:         }
138:         return Base32.encode32hex(out).downcase
139:         rescue ArgumentError
140:         TheLog.error("Unknown hash algorithm #{hash_alg} used for NSEC3 hash")
141:         return "Unknown NSEC3 hash algorithm"
142:         end
143:       end
decode_next_hashed(input)

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 253
253:       def NSEC3.decode_next_hashed(input)
254:         return Base32.decode32hex(input)
255:       end
decode_salt(input)

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 235
235:       def NSEC3.decode_salt(input)
236:         if (input == "-")
237:           return ""
238:         end
239:         return [input].pack("H*")
240:       end
encode_next_hashed(n)

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 261
261:       def NSEC3.encode_next_hashed(n)
262:         return Base32.encode32hex(n).downcase
263:       end
encode_salt(s)

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 242
242:       def NSEC3.encode_salt(s)
243:         if (!s || s.length == 0)
244:           return "-"
245:         end
246:         return s.unpack("H*")[0]
247:       end

Public Instance methods

add_type(t)

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 178
178:       def add_type(t)
179:         self.types=(@types + [t])
180:       end
calculate_hash()

[Source]

    # File lib/Dnsruby/resource/NSEC3.rb, line 97
97:       def calculate_hash
98:         return NSEC3.calculate_hash(@name, @iterations, @salt, @hash_alg)
99:       end
check_name_in_range(name)

[Source]

    # File lib/Dnsruby/resource/NSEC3.rb, line 87
87:       def check_name_in_range(name)
88:         # @TODO@ Check if the name is covered by this record

89:         return false
90:       end
check_name_in_wildcard_range(name)

[Source]

    # File lib/Dnsruby/resource/NSEC3.rb, line 92
92:       def check_name_in_wildcard_range(name)
93:         # @TODO@ Check if the name is covered by this record

94:         return false
95:       end
decode_next_hashed(input)

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 249
249:       def decode_next_hashed(input)
250:         @next_hashed = NSEC3.decode_next_hashed(input)
251:         end
encode_next_hashed(n)

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 257
257:       def encode_next_hashed(n)
258:         return NSEC3.encode_next_hashed(n)
259:       end
flags=(f)

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 183
183:       def flags=(f)
184:         if (f==0 || f==OPT_OUT)
185:           @flags=f
186:         else
187:           raise DecodeError.new("Unknown NSEC3 flags field - #{f}")
188:         end
189:       end
from_string(input)

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 265
265:       def from_string(input)
266:         if (input.length > 0)
267:           data = input.split
268:           self.hash_alg=(data[0]).to_i
269:           self.flags=(data[1]).to_i
270:           self.iterations=(data[2]).to_i
271:           self.salt=(data[3])
272: 
273:           len = data[0].length + data[1].length + data[2].length + data[3].length + 4
274:           # There may or may not be brackets around next_hashed

275:           if (data[4] == "(")
276:             len = len + data[4].length + 1
277:           end
278:           next_hashed_and_types = (input[len, input.length-len])
279:           data2 = next_hashed_and_types.split()
280: 
281: 
282:           self.next_hashed=decode_next_hashed(data2[0])
283:           self.hash_length=(@next_hashed.length)
284:           len2 = data2[0].length + 1
285:           self.types = next_hashed_and_types[len2, next_hashed_and_types.length - len2]
286:           #          self.types=data2[1]

287:           #          #          len = data[0].length + data[1].length + data[2].length + data[3].length + data[5].length + 7

288:           #          #          self.types=(input[len, input.length-len])

289:         end
290:       end
hash_alg=(a)

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 156
156:       def hash_alg=(a)
157:         if (a.instance_of?String)
158:           if (a.length == 1)
159:             a = a.to_i
160:           end
161:         end
162:         begin
163:           alg = Nsec3HashAlgorithms.new(a)
164:           @hash_alg = alg
165:         rescue ArgumentError => e
166:           raise DecodeError.new(e)
167:         end        
168:       end
hash_length=(l)

def salt_length=(l) 

  if ((l < 0) || (l > 255))
    raise DecodeError.new("NSEC3 salt length must be between 0 and 255")
  end
  @salt_length = l

end

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 204
204:       def hash_length=(l)
205:         if ((l < 0) || (l > 255))
206:           raise DecodeError.new("NSEC3 hash length must be between 0 and 255")
207:         end
208:         @hash_length = l        
209:       end
opt_out?()

If the Opt-Out flag is set, the NSEC3 record covers zero or more unsigned delegations.

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 193
193:       def opt_out?
194:         return (@flags==OPT_OUT)
195:       end
salt()

The Salt field is appended to the original owner name before hashing in order to defend against pre-calculated dictionary attacks.

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 226
226:       def salt
227:         return NSEC3.encode_salt(@salt)
228:       end
salt=(s)

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 230
230:       def salt=(s)
231:         @salt = NSEC3.decode_salt(s)
232:         @salt_length = @salt.length
233:       end
types=(t)

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 170
170:       def types=(t)
171:         if (t && t.length > 0)
172:         @types = NSEC.get_types(t)
173:         else
174:           @types = []
175:         end
176:       end

[Validate]