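# Audits one NSEC3PARAM record against the configured denial-of-existence
# policy and logs every discrepancy found at LOG_ERR.
#
# Apart from the NSEC-signed-zone case, which returns immediately, each check
# is independent: a failure is logged and the remaining checks still run, so a
# single bad record can produce several log entries.
#
# Side effect: the first NSEC3PARAM seen is remembered in @nsec3param; any
# later one is reported as a duplicate and the first is kept.
#
# @param line the record as handed to RR.create (presumably the textual RR
#   read from the zone file -- confirm against the caller)
# @return [nil] on the NSEC early exit; otherwise the value of the final
#   check, which callers should not rely on
def do_basic_nsec3param_checks(line)
  rr = RR.create(line)

  # NSEC and NSEC3 are alternative denial schemes; a zone configured for NSEC
  # should not publish NSEC3 parameters, so nothing else is worth checking.
  if @config.denial.nsec
    log(LOG_ERR, "NSEC3PARAM RRs included in NSEC-signed zone")
    return
  end

  # RFC 5155 requires the NSEC3PARAM flags field to be zero (opt-out is
  # signalled on the NSEC3 records themselves, not here).
  unless rr.flags == 0
    log(LOG_ERR, "NSEC3PARAM flags should be 0, but were #{rr.flags} for #{rr.name}")
  end

  # Owner names are compared case-insensitively.
  owner = rr.name.to_s.downcase
  apex = @config.name.to_s.downcase
  unless owner == apex
    # Fix: the closing parenthesis after the apex name was missing.
    log(LOG_ERR, "NSEC3PARAM seen at #{rr.name} : should be at zone apex (#{@config.name})")
  end

  if @nsec3param
    log(LOG_ERR, "Multiple NSEC3PARAM RRs for #{@config.name}")
  else
    @nsec3param = rr
  end

  # The published hashing parameters must be the ones the policy asked for;
  # a mismatch means the zone was not signed with the configured settings.
  policy = @config.denial.nsec3.hash
  unless rr.salt == policy.salt
    log(LOG_ERR, "NSEC3PARAM has wrong salt : should be #{policy.salt} but was #{rr.salt}")
  end
  unless rr.iterations == policy.iterations
    log(LOG_ERR, "NSEC3PARAM has wrong iterations : should be #{policy.iterations} but was #{rr.iterations}")
  end
  # NOTE(review): the comparison uses rr.hash_alg as-is while the message
  # prints rr.hash_alg.to_i -- confirm both sides have comparable types.
  unless rr.hash_alg == policy.algorithm
    log(LOG_ERR, "NSEC3PARAM has wrong algorithm : should be #{policy.algorithm} but was #{rr.hash_alg.to_i}")
  end
end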