From 9427a5c7d287664199315a2438b45521854a0c7d Mon Sep 17 00:00:00 2001
From: Casey Deccio
Date: Tue, 28 Sep 2021 08:36:07 -0600
Subject: Fix check of exceeding original TTL

Check original TTL field twice: once for RRSIG TTL and once for RRset TTL.

Fixes #85
---
 dnsviz/analysis/errors.py | 22 +++++++++++++++++++---
 dnsviz/analysis/status.py | 11 ++++++++++-
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/dnsviz/analysis/errors.py b/dnsviz/analysis/errors.py
index 02bf1e9..b30a692 100644
--- a/dnsviz/analysis/errors.py
+++ b/dnsviz/analysis/errors.py
@@ -199,8 +199,11 @@ class RRsetTTLMismatch(RRSIGError):
 required_params = ['rrset_ttl', 'rrsig_ttl']
 
 class OriginalTTLExceeded(RRSIGError):
+ references = ['RFC 4035, Sec. 2.2']
+
+class OriginalTTLExceededRRset(OriginalTTLExceeded):
 '''
- >>> e = OriginalTTLExceeded(original_ttl=10, rrset_ttl=50)
+ >>> e = OriginalTTLExceededRRset(original_ttl=10, rrset_ttl=50)
 >>> e.args
 [10, 50]
 >>> e.description
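Review bot: `OriginalTTLExceeded` is turned into a bare base class carrying only `references`, and the `ORIGINAL_TTL_EXCEEDED` code is dropped from the hierarchy (the `- code = 'ORIGINAL_TTL_EXCEEDED'` line in the next hunk), so any consumer or test that keys on that code string in serialized analysis output will silently stop matching; the new codes deserve a changelog mention. The base class also gets no docstring while both subclasses have doctests; a one-liner such as `'''Base for errors where a TTL exceeds the RRSIG's Original TTL field (RFC 4035, Sec. 2.2); subclasses say which TTL.'''` would make the split intentional to the next reader. Whether the base remains non-instantiable depends on `_abstract` defaulting to True in `RRSIGError`, which is outside this hunk and worth confirming.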
@@ -208,11 +211,24 @@ class OriginalTTLExceeded(RRSIGError):
 '''
 
 _abstract = False
- code = 'ORIGINAL_TTL_EXCEEDED'
+ code = 'ORIGINAL_TTL_EXCEEDED_RRSET'
 description_template = 'The TTL of the RRset (%(rrset_ttl)d) exceeds the value of the Original TTL field of the RRSIG RR covering it (%(original_ttl)d).'
- references = ['RFC 4035, Sec. 2.2']
 required_params = ['original_ttl', 'rrset_ttl']
 
+class OriginalTTLExceededRRSIG(OriginalTTLExceeded):
+ '''
+ >>> e = OriginalTTLExceededRRSIG(original_ttl=10, rrsig_ttl=50)
+ >>> e.args
+ [10, 50]
+ >>> e.description
+ 'The TTL of the RRSIG (50) exceeds the value of its Original TTL field (10).'
+ '''
+
+ _abstract = False
+ code = 'ORIGINAL_TTL_EXCEEDED_RRSIG'
+ description_template = 'The TTL of the RRSIG (%(rrsig_ttl)d) exceeds the value of its Original TTL field (%(original_ttl)d).'
+ required_params = ['original_ttl', 'rrsig_ttl']
+
 class TTLBeyondExpiration(RRSIGError):
 '''
 >>> e = TTLBeyondExpiration(expiration=datetime.datetime(2015,1,10), rrsig_ttl=86401, reference_time=datetime.datetime(2015,1,9))
diff --git a/dnsviz/analysis/status.py b/dnsviz/analysis/status.py
index f63c5fa..e43a01e 100644
--- a/dnsviz/analysis/status.py
+++ b/dnsviz/analysis/status.py
@@ -235,11 +235,20 @@ class RRSIGStatus(object):
 elif self.rrsig.algorithm in DNSKEY_ALGS_NOT_RECOMMENDED:
 self.warnings.append(Errors.AlgorithmNotRecommended(algorithm=self.rrsig.algorithm))
 
+ # If we are comparing TTLs (i.e., for authoritative server responses),
+ # then check that the TTL of the RRset matches the TTL of the RRSIG
 if self.rrset.ttl_cmp:
 if self.rrset.rrset.ttl != self.rrset.rrsig_info[self.rrsig].ttl:
 self.warnings.append(Errors.RRsetTTLMismatch(rrset_ttl=self.rrset.rrset.ttl, rrsig_ttl=self.rrset.rrsig_info[self.rrsig].ttl))
+
+ # Check that the TTL of the RRset does not exceed the value in the
+ # original TTL field of the RRSIG
+ if self.rrset.rrset.ttl > self.rrsig.original_ttl:
+ self.errors.append(Errors.OriginalTTLExceededRRset(rrset_ttl=self.rrset.rrset.ttl, original_ttl=self.rrsig.original_ttl))
+ # Check that the TTL of the RRSIG does not exceed the value in the
+ # original TTL field of the RRSIG
 if self.rrset.rrsig_info[self.rrsig].ttl > self.rrsig.original_ttl:
- self.errors.append(Errors.OriginalTTLExceeded(rrset_ttl=self.rrset.rrset.ttl, original_ttl=self.rrsig.original_ttl))
+ self.errors.append(Errors.OriginalTTLExceededRRSIG(rrsig_ttl=self.rrset.rrsig_info[self.rrsig].ttl, original_ttl=self.rrsig.original_ttl))
 
 min_ttl = min(self.rrset.rrset.ttl, self.rrset.rrsig_info[self.rrsig].ttl, self.rrsig.original_ttl)
 
-- 
cgit v1.2.3
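Review bot: The RRSIG TTL `self.rrset.rrsig_info[self.rrsig].ttl` is now looked up four times in this hunk (mismatch warning, the `>` comparison, the new `OriginalTTLExceededRRSIG` arguments, and `min_ttl`); binding it once before the `if self.rrset.ttl_cmp:` line, `rrsig_ttl = self.rrset.rrsig_info[self.rrsig].ttl`, and using it in each comparison would make the three TTL checks read as one unit and keep the error arguments consistent with what was compared. The collapsed hunk does not preserve indentation, so it is not visible whether the two Original-TTL checks sit inside the `if self.rrset.ttl_cmp:` block; the new leading comment describes only the mismatch check as authoritative-only, and if the Original-TTL checks are nested under it they would be skipped for non-authoritative responses even though a TTL above the Original TTL field is invalid whatever the source, so confirming they are at the outer level is worthwhile. The enclosing method starts before and continues after this hunk.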