/usr/share/doc/opendnssec-auditor/html/classes/KASPAuditor/Auditor/Nsec3Auditor.src/M000149.html is in opendnssec-auditor 1.3.4-1ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>check_nsec3_types_and_opt_out (KASPAuditor::Auditor::Nsec3Auditor)</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<link rel="stylesheet" href="../../../.././rdoc-style.css" type="text/css" media="screen" />
</head>
<body class="standalone-code">
<pre><span class="ruby-comment cmt"># File ../../auditor/lib/kasp_auditor/auditor.rb, line 1160</span>
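# Cross-check the sorted "types" file (one record per hashed owner name with
# the RR types actually present there) against the NSEC3 records and the
# opt-out span list collected for this zone.  Two things are verified:
#   a) the types covered by each NSEC3 match the types really present at the
#      name (empty non-terminals are re-checked before an error is logged);
#   b) no NSEC3 exists for a hash that is not in the zone, and every name
#      that is not inside an opt-out span has an NSEC3 (the opt-out side is
#      delegated to get_next_non_optout / check_optout).
# All findings go through log(); nothing is returned.
#
# @param unknown_nsecs [Hash] keyed by fully-qualified owner name ("name."):
#   names present here are not reported as missing an NSEC3 (presumably
#   collected earlier by the caller - confirm against the call site).
#
# Intermediary files live in @working, each suffixed with Process.pid:
#   audit.types.<pid>, audit.types.sorted.<pid>, audit.nsec3.<pid>,
#   audit.optout.<pid>.  They are removed by delete_nsec3_files at the end.
def check_nsec3_types_and_opt_out(unknown_nsecs)
  pid = Process.pid
  types_path  = File.join(@working, "audit.types.#{pid}")
  sorted_path = File.join(@working, "audit.types.sorted.#{pid}")
  nsec3_path  = File.join(@working, "audit.nsec3.#{pid}")
  optout_path = File.join(@working, "audit.optout.#{pid}")

  # First of all we will have to sort the types file.  The argv form of
  # system() never goes through a shell, so @working cannot be interpreted
  # as shell syntax; "-o" lets sort write the output file itself.
  # NOTE(review): assumes Commands.sort is a bare executable name/path with
  # no embedded arguments - confirm against Commands.  The comparisons below
  # are bytewise Ruby string comparisons, so sort's collation (locale) should
  # match; verify that the auditor runs with a C/POSIX collation.
  unless system(Commands.sort, "-t", " ", "-o", sorted_path, types_path)
    # Input file is deliberately left in place for diagnosis.
    log(LOG_ERR, "Unable to sort #{types_path} - skipping NSEC3 types and opt-out check")
    return
  end

  # The NSEC3 and opt-out files are only written when such records exist;
  # create empty ones so the readers below can open them.  The block form
  # closes the handle straight away (File.new would leak the descriptor).
  [optout_path, nsec3_path].each do |path|
    File.open(path, "w") {} unless File.exist?(path)
  end

  # Go through each name in the files and check them.  We want to check:
  #   a) types covered
  #   b) no hashes in between non-opt-out names
  File.open(sorted_path) do |ftypes|
    File.open(nsec3_path) do |fnsec3|
      File.open(optout_path) do |foptout|
        dont_load_next_types = false
        until ftypes.eof? || fnsec3.eof? || foptout.eof?
          if dont_load_next_types
            # The empty-nonterminal check below already read one record ahead.
            dont_load_next_types = false
          else
            types_name, types_name_unhashed, types_types = get_name_and_types(ftypes, true)
          end
          nsec3_name, nsec3_types = get_name_and_types(fnsec3)
          owner, next_hashed = get_next_non_optout(foptout)
          owner, next_hashed = check_optout(types_name_unhashed, owner, next_hashed, types_name, foptout)

          # NSEC3 hashes sorting before the current name have no owner in the
          # types file - unless the opt-out list accounts for them.
          while (nsec3_name < types_name) && !fnsec3.eof?
            # Don't forget about the optout list! If optout on empty nonterminal, then types_name == owner
            if types_name < owner
              # LOG_ERR: every other error in this method uses it (the original
              # spelled this one LOG_ERROR, which is not used anywhere else here).
              log(LOG_ERR, "Found NSEC3 record for hashed domain which couldn't be found in the zone (#{nsec3_name})")
            end
            nsec3_name, nsec3_types = get_name_and_types(fnsec3)
          end

          # Names in the zone sorting before the current NSEC3 are not covered.
          while (types_name < nsec3_name) && !ftypes.eof?
            unless unknown_nsecs[types_name_unhashed + "."]
              if types_types.length > 0
                log(LOG_ERR, "Found RRs for #{types_name_unhashed} (#{types_name}) which was not covered by an NSEC3 record")
              else
                log(LOG_ERR, "Can't find NSEC3 for empty nonterminal #{types_name_unhashed} (should be #{types_name})")
              end
            end
            types_name, types_name_unhashed, types_types = get_name_and_types(ftypes, true)
            # Check the optout names as we load in more types
            owner, next_hashed = check_optout(types_name_unhashed, owner, next_hashed, types_name, foptout)
          end

          # If there is only an NS record, and we are opt-out, then there should be no NSEC3 record here
          if @parent.config.denial.nsec3.optout && nsec3_types.include?(Types::NS) &&
             nsec3_types.include?(Types::RRSIG) && (nsec3_types.length == 2)
            log(LOG_WARNING, "NSEC3 record found for #{types_name_unhashed} (#{nsec3_name}). Only an NS record is present, and opt out is being used, so no NSEC3 is expected")
          end

          # Now check the NSEC3 types_covered against the types ACTUALLY at the name
          next if types_types == nsec3_types

          # Let's just check that we haven't misidentified an empty nonterminal:
          # consume every further record with the same hashed name, remembering
          # the last one; the first record with a new name is kept for the next
          # iteration via dont_load_next_types.
          old_types_name = types_name
          old_types_name_unhashed = types_name_unhashed
          old_types_types = types_types
          while old_types_name == types_name
            types_name, types_name_unhashed, types_types = get_name_and_types(ftypes, true)
            if types_name == old_types_name
              dont_load_next_types = false
              old_types_name = types_name
              old_types_name_unhashed = types_name_unhashed
              old_types_types = types_types
            else
              dont_load_next_types = true
            end
          end
          if old_types_types != nsec3_types
            log(LOG_ERR, "ERROR : expected #{@parent.get_types_string(nsec3_types)}" +
                " at #{old_types_name_unhashed} (#{nsec3_name}) but found " +
                "#{@parent.get_types_string(old_types_types)}")
          end
        end
      end
    end
  end

  # Now delete any intermediary files, if we're using NSEC3
  delete_nsec3_files()
end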
</body>
</html>