Class: KASPAuditor::Auditor
In: ../../auditor/lib/kasp_auditor/auditor.rb
Parent: Object
@TODO@ SOA Checks - format, etc.
Constants:
EMPTY_NAME = Name.create(".")
Attributes:
config [R]
ret_val [RW]
Create a new Auditor - pass in the created syslog for logging, the path of the working (temporary) directory, and the //Enforcer/Interval. Once created, use the check_zone method to audit a zone. An Auditor can be reset using the reset method, but it's probably best to create a new Auditor for each zone you want to audit. This class is thread-safe.
Check if we are at the zone apex - if we are, then check that we have seen DNSKEYs both with the SEP flag set and with it clear.
Actually audit a zone. Pass in the Config object, and the paths to:
the parsed and sorted signed file
the parsed and sorted unsigned file
the original (unparsed) unsigned file
the original (unparsed) signed file
Returns an error code equivalent to the worst log level message created. A non-zero return is only generated if LOG_ERR or worse log level messages were created. If the zone to be audited is NSEC3-signed, then additional temporary files will be created during the audit. These will be deleted at the end of the audit. In order to track keys over time, a "permanent temporary" file is created, in a "tracker" folder in the working directory. This will not be deleted by the auditor, as it is required to keep state on the zone over time.
Load the next subdomain of the zone from the signed file. This method also audits the subdomain: it is passed the corresponding subdomain loaded from the unsigned file, which it checks against.
There is an extra RR in the signed file. If it is not a DNSSEC record, then error (unless it is an SOA, in which case we log the serial change at info level).
There is an RR in the unsigned file that does not appear in the signed file. Error if it is in zone, warn if it is out of zone.
Check to see if we are still in the same subdomain of the zone e.g. true for ("a.b.c", "b.c.", "c") but false for ("z.a.b.c", "a.b.c", "c")
This method is called if an NSEC3-signed zone is being audited. It records the types actually seen at the owner name, and the hashed owner name. At the end of the auditing run, this is checked against the notes of what the NSEC3 RR claimed should be at the owner name.
It builds a transient file (<zone_file>.types) which has records of the following form:
<hashed_name> <unhashed_name> <[type1] [type2] ...>
It is passed the domain, and the types seen at the domain.
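The end-of-run reconciliation described above, as an added illustration that is not part of the KASPAuditor source: parse records in the <zone_file>.types format and compare the types seen at each owner name with what the NSEC3 RRs claimed. The hashed names, owner names and NSEC3 claims are constructed sample data, and parse_types_file and reconcile_nsec3_types are hypothetical names.

```ruby
# Constructed sample of the transient .types file, one record per line:
#   <hashed_name> <unhashed_name> <[type1] [type2] ...>
SAMPLE_TYPES_FILE = <<~TYPES
  2T7B4G4VSA5SMI47K61MV5BV1A22BOJR www.example.com. A AAAA RRSIG
  B4UM86EGHHDS6NEA196SMVMLO4ORS995 mail.example.com. A MX RRSIG
  GJEQE526PLBF1G8MKLP59ENFD789NJGI ftp.example.com. A RRSIG
TYPES

# Constructed sample of the type bitmaps claimed by NSEC3 RRs, keyed by
# hashed owner name (what the auditor noted while reading the signed zone).
SAMPLE_NSEC3_CLAIMS = {
  "2T7B4G4VSA5SMI47K61MV5BV1A22BOJR" => %w[A AAAA RRSIG],
  "B4UM86EGHHDS6NEA196SMVMLO4ORS995" => %w[A RRSIG],     # MX left out of bitmap
  "GJEQE526PLBF1G8MKLP59ENFD789NJGI" => %w[A TXT RRSIG], # TXT claimed, never seen
  "HQ8IFNIU4HVO1KMGH5K4LKPR0O4A7ODN" => %w[A RRSIG],     # no owner hashes to this
}

# Parse .types records into { hashed_name => [unhashed_name, sorted type list] }.
def parse_types_file(text)
  text.each_line.with_object({}) do |line, seen|
    hashed, owner, *types = line.split
    next if hashed.nil? # blank line
    seen[hashed] = [owner, types.map(&:upcase).sort.uniq]
  end
end

# Compare seen types against claimed types. Returns one finding string per
# mismatch; an empty list means every NSEC3 bitmap matched the zone contents.
def reconcile_nsec3_types(types_text, claims)
  seen = parse_types_file(types_text)
  findings = []
  seen.each do |hashed, (owner, types)|
    claimed = claims[hashed]
    if claimed.nil?
      findings << "#{owner} (#{hashed}): no NSEC3 RR covers this owner name"
      next
    end
    claimed = claimed.map(&:upcase)
    missing = types - claimed   # present in zone, absent from bitmap
    extra = claimed - types     # in bitmap, absent from zone
    findings << "#{owner}: types present but absent from NSEC3 bitmap: #{missing.join(' ')}" unless missing.empty?
    findings << "#{owner}: types claimed by NSEC3 but not seen: #{extra.join(' ')}" unless extra.empty?
  end
  # NSEC3 RRs whose hashed name matches no owner name in the zone.
  (claims.keys - seen.keys).each do |hashed|
    findings << "#{hashed}: NSEC3 RR with no matching owner name in zone"
  end
  findings
end
```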