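# Audit the RRSIGs covering one RRset and report findings through #log.
#
# Three classes of RRset must NOT be signed (glue below a delegation,
# out-of-zone data, non-apex NS sets); an RRSIG on any of them is an error
# and nothing else is checked. Every other RRset must carry an RRSIG for
# each algorithm in @algs, must verify against @keys, and each RRSIG's
# inception, expiration and lifetime must match the configured signing
# policy (@config.signatures).
#
# @param rrset       RRset under audit; needs #name, #type and #sigs
# @param is_glue     true when the RRset is glue — glue is not audited at all
# @param delegation  true when the RRset belongs to a delegation point
#
# Side effects: every key tag of a verified (or attempted) RRset is added
# to @keys_used; #check_policy_changes is invoked before the timing checks.
# Nothing is returned to the caller.
def check_signature(rrset, is_glue, delegation)
  return if is_glue

  # RRsets that MUST be unsigned: an RRSIG on them is the only possible finding.
  unsigned_reason = unsigned_rrset_reason(rrset, delegation)
  if unsigned_reason
    unless rrset.sigs.empty?
      log(LOG_ERR, "#{unsigned_reason} should not be signed : #{rrset.name}, #{rrset.type}")
    end
    return
  end

  # Every configured algorithm must be represented by at least one RRSIG;
  # @algs is walked as-is so a repeated entry is reported each time, as before.
  present_algs = rrset.sigs.map(&:algorithm)
  @algs.reject { |alg| present_algs.include?(alg) }.each do |alg|
    have = present_algs.map { |t| " #{t} " }.join
    log(LOG_ERR, "RRSIGS should include algorithm #{alg} for #{rrset.name}, #{rrset.type}, have :#{have}")
  end

  if @unknown_nsecs[rrset.name.to_s + "."]
    # NOTE(review): cryptographic verification is skipped entirely for these
    # names and reported only at LOG_INFO; the timing checks below still run,
    # but no expiry check happens for such RRsets.
    log(LOG_INFO, "Skipping verification test for #{rrset.name}, #{rrset.type} : Original type is not supported")
  else
    begin
      Dnssec.verify_rrset(rrset, @keys)
    rescue VerifyError => e
      first_sig = rrset.sigs[0]
      log(LOG_ERR, "RRSet (#{rrset.name}, #{rrset.type}) failed verification : #{e}, tag = #{first_sig ? first_sig.key_tag : 'none'}")
    end
    # Record which keys actually sign data, whether or not verification passed.
    rrset.sigs.each do |sig|
      @keys_used.push(sig.key_tag) unless @keys_used.include?(sig.key_tag)
    end
  end

  check_policy_changes
  # One clock reading for the whole RRset so all its RRSIGs are judged
  # against the same instant.
  time_now = Time.now.to_i
  rrset.sigs.each do |sig|
    next if policy_change_exempts_lifetime_check?(sig)
    check_rrsig_timing(sig, time_now)
  end
end

# Name the reason an RRset must be unsigned, or nil when it may carry RRSIGs.
# Order matters: delegation glue is tested before the generic out-of-zone
# test, and a non-apex NS set is a delegation.
def unsigned_rrset_reason(rrset, delegation)
  at_apex = (rrset.name == @soa.name)
  if delegation && [Types::AAAA, Types::A].include?(rrset.type) && !at_apex
    "Glue"
  elsif out_of_zone(rrset.name)
    "Out of zone data"
  elsif rrset.type == Types::NS && !at_apex
    "Delegation"
  end
end

# True (after logging a warning) when the signing policy changed after +sig+
# was produced, so its lifetime cannot be judged against the current policy.
# The grace window is the old inception offset, or one day when the offset
# itself is what changed.
def policy_change_exempts_lifetime_check?(sig)
  return false unless @policy_has_changed
  grace = @inception_offset_has_changed ? 3600 * 24 : @config.signatures.inception_offset
  return false unless sig.inception < (@policy_change_timestamp - grace)
  log(LOG_WARNING, "Skipping signature lifetime check for #{sig.name}, #{sig.type_covered} : policy has changed since #{sig.inception} (at #{@policy_change_timestamp})\n")
  true
end

# Check one RRSIG's inception, remaining validity and total lifetime against
# @config.signatures, logging LOG_ERR for each violation.
#
# An already-expired RRSIG (time_now > expiration) is not reported here;
# presumably Dnssec.verify_rrset raises for it — confirm against dnsruby.
def check_rrsig_timing(sig, time_now)
  sigconf = @config.signatures
  inception_offset = sigconf.inception_offset

  # Inception may lie at most inception_offset in the future. The reported
  # difference is how far ahead of now the inception is (a positive number).
  if sig.inception > (time_now + inception_offset)
    log(LOG_ERR, "Inception error for #{sig.name}, #{sig.type_covered} : Signature inception is #{sig.inception}, time now is #{time_now}, inception offset is #{inception_offset}, difference = #{sig.inception - time_now}")
  end

  # A still-valid RRSIG must have at least (refresh - resign) of validity
  # left, otherwise the signer should already have replaced it.
  refresh = sigconf.refresh
  resign = sigconf.resign
  if time_now <= sig.expiration && time_now > (sig.expiration - refresh + resign)
    log(LOG_ERR, "Signature expiration (#{sig.expiration}) for #{sig.name}, #{sig.type_covered} should be later than (the refresh period (#{refresh}) - the resign period (#{resign})) from now (#{time_now})")
  end

  # Denial-of-existence records use their own validity period.
  validity = if [Types::NSEC, Types::NSEC3].include?(sig.type_covered)
               sigconf.validity.denial
             else
               sigconf.validity.default
             end
  min_lifetime = inception_offset + validity - sigconf.jitter
  max_lifetime = inception_offset + validity + sigconf.jitter
  actual_lifetime = sig.expiration - sig.inception
  if actual_lifetime < min_lifetime
    log(LOG_ERR, "Signature lifetime for #{sig.name}, #{sig.type_covered} too short - should be at least #{min_lifetime} but was #{actual_lifetime}")
  end
  if actual_lifetime > max_lifetime
    log(LOG_ERR, "Signature lifetime for #{sig.name}, #{sig.type_covered} too long - should be at most #{max_lifetime} but was #{actual_lifetime}")
  end
end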