Diffstat (limited to 'dnsviz/analysis/status.py')
-rw-r--r-- | dnsviz/analysis/status.py | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/dnsviz/analysis/status.py b/dnsviz/analysis/status.py
index f63c5fa..e43a01e 100644
--- a/dnsviz/analysis/status.py
+++ b/dnsviz/analysis/status.py
@@ -235,11 +235,20 @@ class RRSIGStatus(object):
         elif self.rrsig.algorithm in DNSKEY_ALGS_NOT_RECOMMENDED:
             self.warnings.append(Errors.AlgorithmNotRecommended(algorithm=self.rrsig.algorithm))
+        # If we are comparing TTLs (i.e., for authoritative server responses),
+        # then check that the TTL of the RRset matches the TTL of the RRSIG
         if self.rrset.ttl_cmp:
             if self.rrset.rrset.ttl != self.rrset.rrsig_info[self.rrsig].ttl:
                 self.warnings.append(Errors.RRsetTTLMismatch(rrset_ttl=self.rrset.rrset.ttl, rrsig_ttl=self.rrset.rrsig_info[self.rrsig].ttl))
+
+            # Check that the TTL of the RRset does not exceed the value in the
+            # original TTL field of the RRSIG
+            if self.rrset.rrset.ttl > self.rrsig.original_ttl:
+                self.errors.append(Errors.OriginalTTLExceededRRset(rrset_ttl=self.rrset.rrset.ttl, original_ttl=self.rrsig.original_ttl))
+            # Check that the TTL of the RRSIG does not exceed the value in the
+            # original TTL field of the RRSIG
             if self.rrset.rrsig_info[self.rrsig].ttl > self.rrsig.original_ttl:
-                self.errors.append(Errors.OriginalTTLExceeded(rrset_ttl=self.rrset.rrset.ttl, original_ttl=self.rrsig.original_ttl))
+                self.errors.append(Errors.OriginalTTLExceededRRSIG(rrsig_ttl=self.rrset.rrsig_info[self.rrsig].ttl, original_ttl=self.rrsig.original_ttl))
         min_ttl = min(self.rrset.rrset.ttl, self.rrset.rrsig_info[self.rrsig].ttl, self.rrsig.original_ttl)
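Review bot: The new `self.rrset.rrset.ttl > self.rrsig.original_ttl` check, like the existing RRSIG-TTL check below it, appears to sit under `if self.rrset.ttl_cmp:`, so for non-authoritative (resolver-relayed) responses an RRset or RRSIG whose TTL exceeds the signer's Original TTL is never reported and the `min_ttl = min(...)` line just silently clamps it. RFC 4035 §5.3.3 makes that cap a requirement for every validator, not only when comparing authoritative TTLs, and an RRset that would be cached beyond Original TTL is precisely the case that matters for cache lifetime, so it deserves the same `OriginalTTLExceededRRset`/`OriginalTTLExceededRRSIG` error on all response types. I would dedent the two `original_ttl` comparisons and their comments one level so they run unconditionally just before `min_ttl = ...`, keep only the RRset/RRSIG TTL equality warning under `ttl_cmp`, and reword the first comment, e.g. `# Regardless of ttl_cmp, neither the RRset nor the RRSIG TTL may exceed the RRSIG's Original TTL (RFC 4035 §5.3.3)`. Indentation is lost in this flattened diff, so please confirm the placement; the enclosing method starts and ends outside the hunk.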