Parent

Class Index [+]

Quicksearch

Dnsruby::RR::NSEC3

The NSEC3 Resource Record (RR) provides authenticated denial of existence for DNS Resource Record Sets.

The NSEC3 RR lists RR types present at the original owner name of the NSEC3 RR. It includes the next hashed owner name in the hash order of the zone. The complete set of NSEC3 RRs in a zone indicates which RRSets exist for the original owner name of the RR and form a chain of hashed owner names in the zone. This information is used to provide authenticated denial of existence for DNS data. To provide protection against zone enumeration, the owner names used in the NSEC3 RR are cryptographic hashes of the original owner name prepended as a single label to the name of the zone. The NSEC3 RR indicates which hash function is used to construct the hash, which salt is used, and how many iterations of the hash function are performed over the original owner name.

Constants

TypeValue
OPT_OUT

Attributes

hash_alg[R]

The Hash Algorithm field identifies the cryptographic hash algorithm used to construct the hash-value.

flags[R]

The Flags field contains 8 one-bit flags that can be used to indicate different processing. All undefined flags must be zero. The only flag defined by the NSEC3 specification is the Opt-Out flag.

iterations[RW]

The Iterations field defines the number of additional times the hash function has been performed.

salt_length[R]

The Salt Length field defines the length of the Salt field in octets, ranging in value from 0 to 255.

hash_length[R]

The Hash Length field defines the length of the Next Hashed Owner Name field, ranging in value from 1 to 255 octets.

next_hashed[RW]

The Next Hashed Owner Name field contains the next hashed owner name in hash order.

types[R]

The Type Bit Maps field identifies the RRset types that exist at the NSEC RR’s owner name

Public Class Methods

calculate_hash(name, iterations, salt, hash_alg) click to toggle source
     # File lib/Dnsruby/resource/NSEC3.rb, line 101
101:       def NSEC3.calculate_hash(name, iterations, salt, hash_alg)
102:         # RFC5155

103:         #5.  Calculation of the Hash

104: 
105:         #   Define H(x) to be the hash of x using the Hash Algorithm selected by

106:         #   the NSEC3 RR, k to be the number of Iterations, and || to indicate

107:         #   concatenation.  Then define:

108:         #

109:         #      IH(salt, x, 0) = H(x || salt), and

110:         #

111:         #      IH(salt, x, k) = H(IH(salt, x, k-1) || salt), if k > 0

112:         #

113:         #   Then the calculated hash of an owner name is

114:         #

115:         #      IH(salt, owner name, iterations),

116:         #

117:         #   where the owner name is in the canonical form, defined as:

118:         #

119:         #   The wire format of the owner name where:

120:         #

121:         #   1.  The owner name is fully expanded (no DNS name compression) and

122:         #       fully qualified;

123:         #   2.  All uppercase US-ASCII letters are replaced by the corresponding

124:         #       lowercase US-ASCII letters;

125:         #   3.  If the owner name is a wildcard name, the owner name is in its

126:         #       original unexpanded form, including the "*" label (no wildcard

127:         #       substitution);

128:         #

129:         #   This form is as defined in Section 6.2 of [RFC 4034].

130:         #

131: 
132:         n = Name.create(name)
133:         out = n.canonical
134:         begin
135:         (0..iterations).each  {
136:           out =NSEC3.h(out + salt, hash_alg);
137:         }
138:         return Base32.encode32hex(out).downcase
139:         rescue ArgumentError
140:         TheLog.error("Unknown hash algorithm #{hash_alg} used for NSEC3 hash")
141:         return "Unknown NSEC3 hash algorithm"
142:         end
143:       end
decode_next_hashed(input) click to toggle source
     # File lib/Dnsruby/resource/NSEC3.rb, line 253
253:       def NSEC3.decode_next_hashed(input)
254:         return Base32.decode32hex(input)
255:       end
decode_salt(input) click to toggle source
     # File lib/Dnsruby/resource/NSEC3.rb, line 235
235:       def NSEC3.decode_salt(input)
236:         if (input == "-")
237:           return ""
238:         end
239:         return [input].pack("H*")
240:       end
encode_next_hashed(n) click to toggle source
     # File lib/Dnsruby/resource/NSEC3.rb, line 261
261:       def NSEC3.encode_next_hashed(n)
262:         return Base32.encode32hex(n).downcase
263:       end
encode_salt(s) click to toggle source
     # File lib/Dnsruby/resource/NSEC3.rb, line 242
242:       def NSEC3.encode_salt(s)
243:         if (!s || s.length == 0)
244:           return "-"
245:         end
246:         return s.unpack("H*")[0]
247:       end

Public Instance Methods

add_type(t) click to toggle source
     # File lib/Dnsruby/resource/NSEC3.rb, line 178
178:       def add_type(t)
179:         self.types=(@types + [t])
180:       end
calculate_hash() click to toggle source
    # File lib/Dnsruby/resource/NSEC3.rb, line 97
97:       def calculate_hash
98:         return NSEC3.calculate_hash(@name, @iterations, @salt, @hash_alg)
99:       end
check_name_in_range(name) click to toggle source
    # File lib/Dnsruby/resource/NSEC3.rb, line 87
87:       def check_name_in_range(name)
88:         # @TODO@ Check if the name is covered by this record

89:         return false
90:       end
check_name_in_wildcard_range(name) click to toggle source
    # File lib/Dnsruby/resource/NSEC3.rb, line 92
92:       def check_name_in_wildcard_range(name)
93:         # @TODO@ Check if the name is covered by this record

94:         return false
95:       end
decode_next_hashed(input) click to toggle source
     # File lib/Dnsruby/resource/NSEC3.rb, line 249
249:       def decode_next_hashed(input)
250:         @next_hashed = NSEC3.decode_next_hashed(input)
251:         end
encode_next_hashed(n) click to toggle source
     # File lib/Dnsruby/resource/NSEC3.rb, line 257
257:       def encode_next_hashed(n)
258:         return NSEC3.encode_next_hashed(n)
259:       end
flags=(f) click to toggle source
     # File lib/Dnsruby/resource/NSEC3.rb, line 183
183:       def flags=(f)
184:         if (f==0 || f==OPT_OUT)
185:           @flags=f
186:         else
187:           raise DecodeError.new("Unknown NSEC3 flags field - #{f}")
188:         end
189:       end
from_string(input) click to toggle source
     # File lib/Dnsruby/resource/NSEC3.rb, line 265
265:       def from_string(input)
266:         if (input.length > 0)
267:           data = input.split
268:           self.hash_alg=(data[0]).to_i
269:           self.flags=(data[1]).to_i
270:           self.iterations=(data[2]).to_i
271:           self.salt=(data[3])
272: 
273:           len = data[0].length + data[1].length + data[2].length + data[3].length + 4
274:           # There may or may not be brackets around next_hashed

275:           if (data[4] == "(")
276:             len = len + data[4].length + 1
277:           end
278:           next_hashed_and_types = (input[len, input.length-len])
279:           data2 = next_hashed_and_types.split()
280: 
281: 
282:           self.next_hashed=decode_next_hashed(data2[0])
283:           self.hash_length=(@next_hashed.length)
284:           len2 = data2[0].length + 1
285:           self.types = next_hashed_and_types[len2, next_hashed_and_types.length - len2]
286:           #          self.types=data2[1]

287:           #          #          len = data[0].length + data[1].length + data[2].length + data[3].length + data[5].length + 7

288:           #          #          self.types=(input[len, input.length-len])

289:         end
290:       end
hash_alg=(a) click to toggle source
     # File lib/Dnsruby/resource/NSEC3.rb, line 156
156:       def hash_alg=(a)
157:         if (a.instance_of?String)
158:           if (a.length == 1)
159:             a = a.to_i
160:           end
161:         end
162:         begin
163:           alg = Nsec3HashAlgorithms.new(a)
164:           @hash_alg = alg
165:         rescue ArgumentError => e
166:           raise DecodeError.new(e)
167:         end        
168:       end
hash_length=(l) click to toggle source

def salt_length=(l)

  if ((l < 0) || (l > 255))
    raise DecodeError.new("NSEC3 salt length must be between 0 and 255")
  end
  @salt_length = l

end

     # File lib/Dnsruby/resource/NSEC3.rb, line 204
204:       def hash_length=(l)
205:         if ((l < 0) || (l > 255))
206:           raise DecodeError.new("NSEC3 hash length must be between 0 and 255")
207:         end
208:         @hash_length = l        
209:       end
opt_out?() click to toggle source

If the Opt-Out flag is set, the NSEC3 record covers zero or more unsigned delegations.

     # File lib/Dnsruby/resource/NSEC3.rb, line 193
193:       def opt_out?
194:         return (@flags==OPT_OUT)
195:       end
salt() click to toggle source

The Salt field is appended to the original owner name before hashing in order to defend against pre-calculated dictionary attacks.

     # File lib/Dnsruby/resource/NSEC3.rb, line 226
226:       def salt
227:         return NSEC3.encode_salt(@salt)
228:       end
salt=(s) click to toggle source
     # File lib/Dnsruby/resource/NSEC3.rb, line 230
230:       def salt=(s)
231:         @salt = NSEC3.decode_salt(s)
232:         @salt_length = @salt.length
233:       end
types=(t) click to toggle source
     # File lib/Dnsruby/resource/NSEC3.rb, line 170
170:       def types=(t)
171:         if (t && t.length > 0)
172:         @types = NSEC.get_types(t)
173:         else
174:           @types = []
175:         end
176:       end

Disabled; run with --debug to generate this.

[Validate]

Generated with the Darkfish Rdoc Generator 1.1.6.