author | Casey Deccio <casey@deccio.net> | 2021-09-28 18:26:32 +0300 |
---|---|---|
committer | Casey Deccio <casey@deccio.net> | 2021-09-28 18:28:47 +0300 |
commit | 14d7d3d57e880e505dfff2129d06ed3b7b01108e (patch) | |
tree | e13215abcf363e6c7ad92eeeadfa9c8943fb75d3 | |
parent | 9427a5c7d287664199315a2438b45521854a0c7d (diff) |
Check number of labels.check_label_count
Fixes #86
-rw-r--r-- | dnsviz/analysis/errors.py | 15 | ||||
-rw-r--r-- | dnsviz/analysis/status.py | 5 |
2 files changed, 20 insertions, 0 deletions
diff --git a/dnsviz/analysis/errors.py b/dnsviz/analysis/errors.py
index b30a692..93aec58 100644
--- a/dnsviz/analysis/errors.py
+++ b/dnsviz/analysis/errors.py
@@ -183,6 +183,21 @@ class SignerNotZone(RRSIGError):
 references = ['RFC 4035, Sec. 5.3.1']
 required_params = ['zone_name', 'signer_name']
 
+class RRSIGLabelsExceedRRsetOwnerLabels(RRSIGError):
+ '''
+ >>> e = RRSIGLabelsExceedRRsetOwnerLabels(rrsig_labels=2, rrset_owner_labels=1)
+ >>> e.args
+ [2, 1]
+ >>> e.description
+ 'The value of the labels field of the RRSIG RR (2) exceeds the number of labels in the RRset owner name (1).'
+ '''
+
+ _abstract = False
+ code = 'RRSIG_LABELS_EXCEED_RRSET_OWNER_LABELS'
+ description_template = 'The value of the labels field of the RRSIG RR (%(rrsig_labels)d) exceeds the number of labels in the RRset owner name (%(rrset_owner_labels)d).'
+ references = ['RFC 4035, Sec. 5.3.1']
+ required_params = ['rrsig_labels', 'rrset_owner_labels']
+
 class RRsetTTLMismatch(RRSIGError):
 '''
 >>> e = RRsetTTLMismatch(rrset_ttl=50, rrsig_ttl=10)
diff --git a/dnsviz/analysis/status.py b/dnsviz/analysis/status.py
index e43a01e..2896b1d 100644
--- a/dnsviz/analysis/status.py
+++ b/dnsviz/analysis/status.py
@@ -262,6 +262,11 @@ class RRSIGStatus(object):
 zn = zone_name
 self.errors.append(Errors.SignerNotZone(zone_name=fmt.humanize_name(zn), signer_name=fmt.humanize_name(self.rrsig.signer)))
 
+ if self.rrsig.labels > len(self.rrset.rrset.name) - 1:
+ self.errors.append(Errors.RRSIGLabelsExceedRRsetOwnerLabels(rrsig_labels=self.rrsig.labels, rrset_owner_labels=len(self.rrset.rrset.name) - 1))
+ if self.validation_status == RRSIG_STATUS_VALID:
+ self.validation_status = RRSIG_STATUS_INVALID
+
 if self.dnskey is not None and \
 self.dnskey.rdata.flags & fmt.DNSKEY_FLAGS['revoke'] and self.rrsig.covers() != dns.rdatatype.DNSKEY:
 if self.rrsig.key_tag != self.dnskey.key_tag:
|
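Review bot: The owner-name label count `len(self.rrset.rrset.name) - 1` is written out twice in the added block in dnsviz/analysis/status.py, and nothing says why one is subtracted. Binding it once with a comment keeps the comparison and the reported value in step: `owner_labels = len(self.rrset.rrset.name) - 1  # root label is not counted in the RRSIG labels field (RFC 4034, Sec. 3.1.3)`, then `if self.rrsig.labels > owner_labels:`. The subtraction presumably relies on the owner name being absolute, so that its length includes the root label; that is worth confirming for every path that builds the RRset. The diffstat lists only errors.py and status.py, so the new doctest covers the error's formatting but not this check; a case with an oversized labels field would pin the downgrade to RRSIG_STATUS_INVALID. The enclosing method starts and ends outside the hunk.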