author | Casey Deccio <casey@deccio.net> | 2021-09-28 17:36:07 +0300 |
---|---|---|
committer | Casey Deccio <casey@deccio.net> | 2021-09-28 17:36:07 +0300 |
commit | 9427a5c7d287664199315a2438b45521854a0c7d (patch) | |
tree | 8ea60e2e6215273de72db0891db16410419762a4 /dnsviz/analysis/status.py | |
parent | 881485e6c59a1fb0d596e10996ee2d93d184ad32 (diff) |
Check original TTL field twice: once for RRSIG TTL and once for RRset
TTL.
Fixes #85
Diffstat (limited to 'dnsviz/analysis/status.py')
-rw-r--r-- | dnsviz/analysis/status.py | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/dnsviz/analysis/status.py b/dnsviz/analysis/status.py
index f63c5fa..e43a01e 100644
--- a/dnsviz/analysis/status.py
+++ b/dnsviz/analysis/status.py
@@ -235,11 +235,20 @@ class RRSIGStatus(object):
 elif self.rrsig.algorithm in DNSKEY_ALGS_NOT_RECOMMENDED:
 self.warnings.append(Errors.AlgorithmNotRecommended(algorithm=self.rrsig.algorithm))
+ # If we are comparing TTLs (i.e., for authoritative server responses),
+ # then check that the TTL of the RRset matches the TTL of the RRSIG
 if self.rrset.ttl_cmp:
 if self.rrset.rrset.ttl != self.rrset.rrsig_info[self.rrsig].ttl:
 self.warnings.append(Errors.RRsetTTLMismatch(rrset_ttl=self.rrset.rrset.ttl, rrsig_ttl=self.rrset.rrsig_info[self.rrsig].ttl))
+
+ # Check that the TTL of the RRset does not exceed the value in the
+ # original TTL field of the RRSIG
+ if self.rrset.rrset.ttl > self.rrsig.original_ttl:
+ self.errors.append(Errors.OriginalTTLExceededRRset(rrset_ttl=self.rrset.rrset.ttl, original_ttl=self.rrsig.original_ttl))
+ # Check that the TTL of the RRSIG does not exceed the value in the
+ # original TTL field of the RRSIG
 if self.rrset.rrsig_info[self.rrsig].ttl > self.rrsig.original_ttl:
- self.errors.append(Errors.OriginalTTLExceeded(rrset_ttl=self.rrset.rrset.ttl, original_ttl=self.rrsig.original_ttl))
+ self.errors.append(Errors.OriginalTTLExceededRRSIG(rrsig_ttl=self.rrset.rrsig_info[self.rrsig].ttl, original_ttl=self.rrsig.original_ttl))
 min_ttl = min(self.rrset.rrset.ttl, self.rrset.rrsig_info[self.rrsig].ttl, self.rrsig.original_ttl) |
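Review bot: The two original-TTL checks appear to be independent `if` statements, so a response whose RRset and RRSIG carry the same over-long TTL (the normal case, and the one `RRsetTTLMismatch` enforces) is now reported twice, as `OriginalTTLExceededRRset` and as `OriginalTTLExceededRRSIG`. If that is intended, a comment saying so would help, e.g. `# Reported separately on purpose: both fire when the RRset and RRSIG TTLs are equal`. The expression `self.rrset.rrsig_info[self.rrsig].ttl` is read several times in this stretch; binding `rrsig_ttl = self.rrset.rrsig_info[self.rrsig].ttl` once before the checks would make the comparisons easier to audit. Indentation is not visible on this page, so whether the new checks sit inside `if self.rrset.ttl_cmp:` cannot be confirmed; the original-TTL bound presumably also holds for cached answers, so they likely belong outside it. The enclosing method starts and ends outside the hunk.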