Class KASPAuditor::Auditor
In: ../../auditor/lib/kasp_auditor/auditor.rb
Parent: Object

@TODO@ SOA Checks - format, etc.

Methods

Classes and Modules

Class KASPAuditor::Auditor::FatalError
Class KASPAuditor::Auditor::Nsec3Auditor

Constants

EMPTY_NAME = Name.create(".")

Attributes

config  [R] 
ret_val  [RW] 

Public Class methods

Check the DNSKEY against all the configured keys

Create a new Auditor - pass in the created syslog for logging, the path of the working (temporary) directory, and the //Enforcer/Interval. Once created, use the check_zone method to audit a zone. An Auditor can be reset using the reset method, but it's best to create a new Auditor for each zone you want to audit. This class is thread-safe.

Public Instance methods

Check if we are at the zone apex; if we are, check that we have seen DNSKEYs both with the SEP flag set and with it clear.

Check this NSEC record

Check this NSEC3 record

Check this NSEC3PARAM record

Check the next_domain/next_hashed for this NSEC(3). Names are expected rather than Strings.

Check the TTL of the NSEC(3) record

Check the types covered by this NSEC record

Check the RRSIG for this RRSet

Actually audit a zone. Pass in the Config object, and the paths to:

 the parsed and sorted signed file
 the parsed and sorted unsigned file
 the original (unparsed) unsigned file
 the original (unparsed) signed file

Returns an error code equivalent to the worst log level message created. A non-zero return is only generated if LOG_ERR or worse log level messages were created. If the zone to be audited is NSEC3-signed, then additional temporary files will be created during the audit. These will be deleted at the end of the audit. In order to track keys over time, a "permanent temporary" file is created, in a "tracker" folder in the working directory. This will not be deleted by the auditor, as it is required to keep state on the zone over time.
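The apex DNSKEY check and the return-value contract of check_zone, as an added example that is not the KASPAuditor code. It assumes the standard syslog priority numbers (lower is more serious) and a hypothetical stand-in class, ApexKeyCheck, whose log method keeps the most serious level seen, which is the convention this page describes for the auditor's return value:

```ruby
# Added example, not the KASPAuditor code: the apex DNSKEY check and the
# "worst log level so far" return-value contract described above.
# The priority numbers are the standard syslog ones (lower is more serious),
# written out here so the example runs without the syslog library.
LOG_ERR     = 3
LOG_WARNING = 4
LOG_INFO    = 6
LOG_DEBUG   = 7

# DNSKEY flags field: bit value 1 is the Secure Entry Point (SEP) flag
# (RFC 4034 section 2.1.1), so 257 is a zone key with SEP, 256 without.
SEP_FLAG = 0x0001

# Hypothetical stand-in for the auditor: logs messages and tracks ret_val.
class ApexKeyCheck
  attr_reader :ret_val, :messages

  def initialize
    @ret_val  = LOG_DEBUG   # nothing serious logged yet
    @messages = []
  end

  # Log the message and keep the most serious (numerically lowest) level.
  def log(level, msg)
    @messages << [level, msg]
    @ret_val = level if level < @ret_val
  end

  # Same contract as check_zone: non-zero only if LOG_ERR or worse was logged.
  def exit_code
    @ret_val <= LOG_ERR ? @ret_val : 0
  end

  # apex_dnskey_flags: the flags fields of the DNSKEYs seen at the apex
  # (constructed input for the example).
  def check_apex(apex_dnskey_flags)
    seen_sep   = apex_dnskey_flags.any? { |f| (f & SEP_FLAG) != 0 }
    seen_nosep = apex_dnskey_flags.any? { |f| (f & SEP_FLAG) == 0 }
    log(LOG_ERR, "No DNSKEY with SEP flag set found at zone apex")   unless seen_sep
    log(LOG_ERR, "No DNSKEY with SEP flag clear found at zone apex") unless seen_nosep
    log(LOG_INFO, "Apex has both SEP and non-SEP DNSKEYs") if seen_sep && seen_nosep
    exit_code
  end
end

if __FILE__ == $0
  puts ApexKeyCheck.new.check_apex([257, 256])   # KSK + ZSK present
  puts ApexKeyCheck.new.check_apex([256])        # ZSK only
end
```

A zone signed with only non-SEP keys (or only SEP keys) produces a LOG_ERR message and therefore a non-zero exit code; warnings and informational messages are recorded but leave the exit code at zero.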

Are n1 and n2 in the same subdomain of the zone SOA?

Make sure that the last NSEC(3) record points back to the first one
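The next_domain check and the wrap-around check described above, as an added example that is not the KASPAuditor code. It runs over a constructed NSEC chain, handles names as plain strings rather than the Name objects the auditor expects, and orders them by the canonical DNS ordering of RFC 4034 section 6.1 (the function names are this example's own):

```ruby
# Added example, not the KASPAuditor code: the two chain checks described
# above (next_domain ordering, and the last NSEC wrapping to the first),
# run over a constructed NSEC chain. Canonical ordering follows
# RFC 4034 section 6.1: case-folded labels compared from the root.

# Split a presentation-format name into case-folded labels, root-most first.
def name_labels(name)
  name.downcase.chomp('.').split('.').reverse
end

# Canonical comparison: compare label by label from the root; if all shared
# labels are equal, the name with fewer labels sorts first.
def canonical_cmp(a, b)
  la, lb = name_labels(a), name_labels(b)
  la.zip(lb).each do |x, y|
    return 1 if y.nil?               # a has more labels than b
    c = x.bytes <=> y.bytes          # unsigned byte order, case already folded
    return c unless c.zero?
  end
  la.length <=> lb.length
end

# chain: array of [owner, next_domain] pairs as read from the signed file.
# Returns the problems found; an empty array means the chain is consistent.
def check_nsec_chain(chain, zone)
  return ["no NSEC records"] if chain.empty?
  problems = []
  ordered = chain.sort { |x, y| canonical_cmp(x[0], y[0]) }
  unless canonical_cmp(ordered.first[0], zone).zero?
    problems << "first NSEC owner #{ordered.first[0]} is not the apex #{zone}"
  end
  ordered.each_with_index do |(owner, nxt), i|
    expected = ordered[(i + 1) % ordered.length][0]  # the last wraps to the first
    next if canonical_cmp(nxt, expected).zero?
    problems << "NSEC at #{owner} points to #{nxt}, expected #{expected}"
  end
  problems
end

if __FILE__ == $0
  # Constructed chain, deliberately out of file order and mixed case.
  chain = [["c.example.com.", "example.com."],
           ["example.com.", "a.example.com."],
           ["B.a.example.com.", "c.example.com."],
           ["a.example.com.", "b.a.example.com."]]
  p check_nsec_chain(chain, "example.com.")
end
```

Sorting the owners first and then comparing each next_domain against its successor (modulo the chain length) covers both checks in one pass: a gap or out-of-order pointer shows up as a mismatch in the middle, and a last record that does not point back to the apex shows up as a mismatch at the end.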

Work out the Name that next_hashed points to (adds the zone name). Returns a Name from String input.

Load the next RR from the specified file

Load the SOA from an unparsed file

Work out which subdomain of the zone we want to load next

Work out what RRSet type this belongs to

Turn the types_covered array into a string to display in the log

Load the next subdomain of the zone from the signed file. This method also audits the subdomain: it is passed the subdomain loaded from the unsigned file, which it checks against.

Load the SOAs from the unparsed files.

Load in the next subdomain of the zone from the unsigned file

Log the message, and set the return value to the most serious code so far

Get rid of the last label in the Name

Get the string for the type of denial this zone is using : either "NSEC" or "NSEC3"

Check if the name is out of the zone

There is an extra RR in the signed file. If it is not a DNSSEC record, then log an error (unless it is an SOA, in which case log the serial change at info level).

There is an extra RR in the unsigned file that is not in the signed file. Log an error if it is in zone, a warning if it is out of zone.

Reset the auditor (used privately). It's best to instantiate a new Auditor for each zone you want to audit.

Check to see if we are still in the same subdomain of the zone e.g. true for ("a.b.c", "b.c.", "c") but false for ("z.a.b.c", "a.b.c", "c")

This method is called if an NSEC3-signed zone is being audited. It records the types actually seen at the owner name, together with the hashed owner name. At the end of the auditing run, this is checked against the notes of what the NSEC3 RR claimed should be at the owner name.

It builds a transient file (<zone_file>.types) which has records of the following form:

  <hashed_name> <unhashed_name> <[type1] [type2] ...>

It is passed the domain, and the types seen at the domain
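The hashed-name computation and the types-file record described above, as an added example that is not the KASPAuditor code. It computes the NSEC3 hashed owner name per RFC 5155 section 5 (SHA-1, salt, iterations, base32hex), writes one line in the `<hashed_name> <unhashed_name> <[type1] [type2] ...>` format, and compares the types seen against a claimed type list. The function names and the constructed inputs are this example's own; the hash is checked against the RFC 5155 Appendix A test vector:

```ruby
require 'digest'

# Added example, not the KASPAuditor code: NSEC3 hashed owner name
# (RFC 5155 section 5), one <zone_file>.types record, and the end-of-run
# comparison of seen types against what the NSEC3 RR claimed.

# base32hex alphabet (RFC 4648), lowercased as it appears in NSEC3 owner labels.
BASE32HEX = "0123456789abcdefghijklmnopqrstuv"

# Wire-format (length-prefixed, case-folded) encoding of a domain name.
def name_to_wire(name)
  name.downcase.chomp('.').split('.').map { |l| [l.length].pack('C') + l }.join + "\0"
end

# base32hex without padding; a 20-byte SHA-1 digest is exactly 32 characters.
def base32hex(bytes)
  out = +""
  bytes.unpack1('B*').scan(/.{1,5}/).each do |chunk|
    out << BASE32HEX[chunk.ljust(5, '0').to_i(2)]
  end
  out
end

# IH(salt, owner, 0) = H(owner || salt); IH(salt, owner, k) = H(IH(k-1) || salt).
def nsec3_hash(name, salt_hex, iterations)
  salt = [salt_hex].pack('H*')
  h = Digest::SHA1.digest(name_to_wire(name) + salt)
  iterations.times { h = Digest::SHA1.digest(h + salt) }
  base32hex(h)
end

# One record of the transient types file: hashed name, unhashed name, types.
def types_line(name, zone, salt_hex, iterations, types)
  hashed = "#{nsec3_hash(name, salt_hex, iterations)}.#{zone}"
  "#{hashed} #{name} #{types.sort.join(' ')}"
end

# Parse a record back and compare it with the type list the NSEC3 RR claimed.
# Returns nil when they agree, otherwise a description of the mismatch.
def check_types_line(line, claimed_types)
  hashed, name, *seen = line.split
  missing = claimed_types - seen
  extra   = seen - claimed_types
  return nil if missing.empty? && extra.empty?
  "#{name} (#{hashed}): NSEC3 claims #{claimed_types.sort.join(',')} " \
    "but saw #{seen.join(',')} (missing: #{missing.join(',')} extra: #{extra.join(',')})"
end

if __FILE__ == $0
  # Constructed input: the RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations).
  line = types_line("a.example", "example.", "aabbccdd", 12, %w[NS RRSIG])
  puts line
  p check_types_line(line, %w[NS RRSIG])
  p check_types_line(line, %w[NS DS RRSIG])
end
```

Keeping the unhashed name in the record is what makes the end-of-run mismatch message useful: the NSEC3 RR only identifies the owner by its hash, so without the second column the auditor could report a wrong type bitmap but not say which real name it belongs to.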
