Class Dnsruby::RR::NSEC3
In: lib/Dnsruby/resource/NSEC3.rb
Parent: RR
ResolvError EncodeError OtherResolvError ServFail FormErr DecodeError NXRRSet YXDomain NotImp NXDomain VerifyError NotAuth YXRRSet NotZone Refused TsigError Message Update CodeMapper Types MetaTypes QTypes Nsec3HashAlgorithms Algorithms OpCode Classes ExtendedRCode RCode Modes Comparable Name RRSet Resolver SingleResolver StandardError TimeoutError ResolvTimeout DNS Dnssec Hosts SelectThread\n[lib/Dnsruby/select_thread.rb\nlib/Dnsruby/select_thread.rb.michael.rb] Recursor IPv6 IPv4 ZoneTransfer MessageDecoder MessageEncoder Question Header TheLog RR\n[lib/Dnsruby/resource/A.rb\nlib/Dnsruby/resource/AAAA.rb\nlib/Dnsruby/resource/AFSDB.rb\nlib/Dnsruby/resource/CERT.rb\nlib/Dnsruby/resource/DLV.rb\nlib/Dnsruby/resource/DNSKEY.rb\nlib/Dnsruby/resource/DS.rb\nlib/Dnsruby/resource/HINFO.rb\nlib/Dnsruby/resource/IN.rb\nlib/Dnsruby/resource/ISDN.rb\nlib/Dnsruby/resource/LOC.rb\nlib/Dnsruby/resource/MINFO.rb\nlib/Dnsruby/resource/MX.rb\nlib/Dnsruby/resource/NAPTR.rb\nlib/Dnsruby/resource/NSAP.rb\nlib/Dnsruby/resource/NSEC.rb\nlib/Dnsruby/resource/NSEC3.rb\nlib/Dnsruby/resource/NSEC3PARAM.rb\nlib/Dnsruby/resource/OPT.rb\nlib/Dnsruby/resource/PX.rb\nlib/Dnsruby/resource/RP.rb\nlib/Dnsruby/resource/RRSIG.rb\nlib/Dnsruby/resource/RT.rb\nlib/Dnsruby/resource/SOA.rb\nlib/Dnsruby/resource/SPF.rb\nlib/Dnsruby/resource/SRV.rb\nlib/Dnsruby/resource/TKEY.rb\nlib/Dnsruby/resource/TSIG.rb\nlib/Dnsruby/resource/TXT.rb\nlib/Dnsruby/resource/X25.rb\nlib/Dnsruby/resource/domain_name.rb\nlib/Dnsruby/resource/generic.rb\nlib/Dnsruby/resource/resource.rb] ValidatorThread PacketSender ResolverRuby Config KeyCache Cache SingleVerifier Resolv Iana lib/Dnsruby/DNS.rb lib/Dnsruby/dnssec.rb lib/Dnsruby/Hosts.rb lib/Dnsruby/select_thread.rb.michael.rb lib/Dnsruby/Recursor.rb lib/Dnsruby/update.rb lib/Dnsruby/ipv6.rb lib/Dnsruby/ipv4.rb lib/Dnsruby/code_mapper.rb lib/Dnsruby/zone_transfer.rb lib/Dnsruby/message.rb lib/Dnsruby/TheLog.rb lib/Dnsruby/resource/resource.rb lib/Dnsruby/validator_thread.rb lib/Dnsruby/PacketSender.rb lib/Dnsruby/Resolver.rb lib/Dnsruby/Config.rb lib/Dnsruby/key_cache.rb lib/Dnsruby/Cache.rb lib/Dnsruby/single_verifier.rb lib/Dnsruby/SingleResolver.rb lib/Dnsruby/name.rb lib/dnsruby.rb lib/Dnsruby/resource/TKEY.rb lib/Dnsruby/iana_ports.rb Dnsruby dot/m_56_0.png

The NSEC3 Resource Record (RR) provides authenticated denial of existence for DNS Resource Record Sets.

The NSEC3 RR lists RR types present at the original owner name of the NSEC3 RR. It includes the next hashed owner name in the hash order of the zone. The complete set of NSEC3 RRs in a zone indicates which RRSets exist for the original owner name of the RR and form a chain of hashed owner names in the zone. This information is used to provide authenticated denial of existence for DNS data. To provide protection against zone enumeration, the owner names used in the NSEC3 RR are cryptographic hashes of the original owner name prepended as a single label to the name of the zone. The NSEC3 RR indicates which hash function is used to construct the hash, which salt is used, and how many iterations of the hash function are performed over the original owner name.

Methods

Constants

TypeValue = Types::NSEC3 #:nodoc: all
OPT_OUT = 1

Attributes

flags  [R]  The Flags field contains 8 one-bit flags that can be used to indicate different processing. All undefined flags must be zero. The only flag defined by the NSEC3 specification is the Opt-Out flag.
hash_alg  [R]  The Hash Algorithm field identifies the cryptographic hash algorithm used to construct the hash-value.
hash_length  [R]  The Hash Length field defines the length of the Next Hashed Owner Name field, ranging in value from 1 to 255 octets.
iterations  [RW]  The Iterations field defines the number of additional times the hash function has been performed.
next_hashed  [RW]  The Next Hashed Owner Name field contains the next hashed owner name in hash order.
salt_length  [R]  The Salt Length field defines the length of the Salt field in octets, ranging in value from 0 to 255.
types  [R]  The Type Bit Maps field identifies the RRset types that exist at the NSEC RR‘s owner name

Public Class methods

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 101
101:       def NSEC3.calculate_hash(name, iterations, salt, hash_alg)
102:         # RFC5155

103:         #5.  Calculation of the Hash

104: 
105:         #   Define H(x) to be the hash of x using the Hash Algorithm selected by

106:         #   the NSEC3 RR, k to be the number of Iterations, and || to indicate

107:         #   concatenation.  Then define:

108:         #

109:         #      IH(salt, x, 0) = H(x || salt), and

110:         #

111:         #      IH(salt, x, k) = H(IH(salt, x, k-1) || salt), if k > 0

112:         #

113:         #   Then the calculated hash of an owner name is

114:         #

115:         #      IH(salt, owner name, iterations),

116:         #

117:         #   where the owner name is in the canonical form, defined as:

118:         #

119:         #   The wire format of the owner name where:

120:         #

121:         #   1.  The owner name is fully expanded (no DNS name compression) and

122:         #       fully qualified;

123:         #   2.  All uppercase US-ASCII letters are replaced by the corresponding

124:         #       lowercase US-ASCII letters;

125:         #   3.  If the owner name is a wildcard name, the owner name is in its

126:         #       original unexpanded form, including the "*" label (no wildcard

127:         #       substitution);

128:         #

129:         #   This form is as defined in Section 6.2 of [RFC 4034].

130:         #

131: 
132:         n = Name.create(name)
133:         out = n.canonical
134:         (0..iterations).each  {
135:           out =NSEC3.h(out + salt, hash_alg);
136:         }
137:         return Base32.encode32hex(out).downcase
138:       end

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 245
245:       def NSEC3.decode_next_hashed(input)
246:         return Base32.decode32hex(input)
247:       end

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 227
227:       def NSEC3.decode_salt(input)
228:         if (input == "-")
229:           return []
230:         end
231:         return [input].pack("H*")
232:       end

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 253
253:       def NSEC3.encode_next_hashed(n)
254:         return Base32.encode32hex(n).downcase
255:       end

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 234
234:       def NSEC3.encode_salt(s)
235:         if (!s || s.length == 0)
236:           return "-"
237:         end
238:         return s.unpack("H*")[0]
239:       end

Public Instance methods

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 170
170:       def add_type(t)
171:         self.types=(@types + [t])
172:       end

[Source]

    # File lib/Dnsruby/resource/NSEC3.rb, line 97
97:       def calculate_hash
98:         return NSEC3.calculate_hash(@name, @iterations, @salt, @hash_alg)
99:       end

[Source]

    # File lib/Dnsruby/resource/NSEC3.rb, line 87
87:       def check_name_in_range(name)
88:         # @TODO@ Check if the name is covered by this record

89:         return false
90:       end

[Source]

    # File lib/Dnsruby/resource/NSEC3.rb, line 92
92:       def check_name_in_wildcard_range(name)
93:         # @TODO@ Check if the name is covered by this record

94:         return false
95:       end

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 241
241:       def decode_next_hashed(input)
242:         @next_hashed = NSEC3.decode_next_hashed(input)
243:         end

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 249
249:       def encode_next_hashed(n)
250:         return NSEC3.encode_next_hashed(n)
251:       end

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 175
175:       def flags=(f)
176:         if (f==0 || f==OPT_OUT)
177:           @flags=f
178:         else
179:           raise DecodeError.new("Unknown NSEC3 flags field - #{f}")
180:         end
181:       end

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 257
257:       def from_string(input)
258:         if (input.length > 0)
259:           data = input.split(" ")
260:           self.hash_alg=(data[0]).to_i
261:           self.flags=(data[1]).to_i
262:           self.iterations=(data[2]).to_i
263:           #          self.salt=NSEC3.decode_salt(data[3])

264:           self.salt=(data[3])
265:           #          self.salt_length=(@salt.length)

266: 
267:           len = data[0].length + data[1].length + data[2].length + data[3].length + 4
268:           # There may or may not be brackets around next_hashed

269:           if (data[4] == "(")
270:             len = len + data[4].length + 1
271:           end
272:           next_hashed_and_types = (input[len, input.length-len])
273:           data2 = next_hashed_and_types.split()
274: 
275: 
276:           self.next_hashed=decode_next_hashed(data2[0])
277:           self.hash_length=(@next_hashed.length)
278:           len2 = data2[0].length + 1
279:           self.types = next_hashed_and_types[len2, next_hashed_and_types.length - len2]
280:           #          self.types=data2[1]

281:           #          #          len = data[0].length + data[1].length + data[2].length + data[3].length + data[5].length + 7

282:           #          #          self.types=(input[len, input.length-len])

283:         end
284:       end

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 152
152:       def hash_alg=(a)
153:         if (a.instance_of?String)
154:           if (a.length == 1)
155:             a = a.to_i
156:           end
157:         end
158:         begin
159:           alg = Nsec3HashAlgorithms.new(a)
160:           @hash_alg = alg
161:         rescue ArgumentError => e
162:           raise DecodeError.new(e)
163:         end        
164:       end

def salt_length=(l)

  if ((l < 0) || (l > 255))
    raise DecodeError.new("NSEC3 salt length must be between 0 and 255")
  end
  @salt_length = l

end

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 196
196:       def hash_length=(l)
197:         if ((l < 0) || (l > 255))
198:           raise DecodeError.new("NSEC3 hash length must be between 0 and 255")
199:         end
200:         @hash_length = l        
201:       end

If the Opt-Out flag is set, the NSEC3 record covers zero or more unsigned delegations.

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 185
185:       def opt_out?
186:         return (@flags==OPT_OUT)
187:       end

The Salt field is appended to the original owner name before hashing in order to defend against pre-calculated dictionary attacks.

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 218
218:       def salt
219:         return NSEC3.encode_salt(@salt)
220:       end

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 222
222:       def salt=(s)
223:         @salt = NSEC3.decode_salt(s)
224:         @salt_length = @salt.length
225:       end

[Source]

     # File lib/Dnsruby/resource/NSEC3.rb, line 166
166:       def types=(t)
167:         @types = NSEC.get_types(t)
168:       end

[Validate]