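# Walk the per-process NSEC3 audit files in lock-step and report every name
# whose NSEC3 coverage or type bitmap does not match the zone contents.
#
# Three scratch files under @working (all suffixed with the current pid) are
# consumed: the sorted "types" file (one hashed name, unhashed name and type
# list per record), the "nsec3" file and the "optout" file.  Records are read
# in name order from each file; a name present in only one stream is logged as
# an error, and a name present in both is checked for an identical type list.
#
# @param unknown_nsecs [Hash] names (with a trailing ".") for which a missing
#   NSEC3 must NOT be reported; looked up with +unknown_nsecs[name + "."]+.
# @return [nil] findings are reported through +log+; nothing is returned.
#
# Side effects: the sorted types file is (re)created with the external sort
# command, empty nsec3/optout files are created when absent, and all scratch
# files are removed via +delete_nsec3_files+ when the walk finishes (also on
# error, so no pid-suffixed files are left behind in @working).
def check_nsec3_types_and_opt_out(unknown_nsecs)
  # All scratch files share the same naming scheme; build the paths once.
  audit_file = lambda { |kind| "#{@working}#{File::SEPARATOR}audit.#{kind}.#{Process.pid}" }
  types_file  = audit_file.call("types")
  sorted_file = audit_file.call("types.sorted")
  nsec3_file  = audit_file.call("nsec3")
  optout_file = audit_file.call("optout")

  begin
    # The nsec3 and optout files are only written when the zone produced such
    # records; make sure they exist so the three-way open below cannot fail.
    # The block form closes the handle immediately (File.new would leave it
    # open until garbage collection).
    [optout_file, nsec3_file].each do |path|
      File.open(path, "w") {} unless File.exist?(path)
    end

    # NOTE(review): @working is interpolated into a shell command line. It is
    # configuration-derived, not zone data, but it must not contain shell
    # metacharacters; confirm how @working is validated by the caller.
    # A failed sort would otherwise yield an empty sorted file and a silently
    # "clean" audit, so abort the check instead of walking bad input.
    unless system("#{Commands.sort} -t' ' #{types_file} > #{sorted_file}")
      log(LOG_ERR, "Failed to sort NSEC3 audit types file #{types_file} (#{$?.inspect})")
      return
    end

    File.open(sorted_file) do |ftypes|
      File.open(nsec3_file) do |fnsec3|
        File.open(optout_file) do |foptout|
          # Set when the mismatch scan further down has already read the next
          # types record, so the top of the loop must not read another one.
          dont_load_next_types = false
          while !ftypes.eof? && !fnsec3.eof? && !foptout.eof?
            if dont_load_next_types
              dont_load_next_types = false
            else
              types_name, types_name_unhashed, types_types = get_name_and_types(ftypes, true)
            end
            nsec3_name, nsec3_types = get_name_and_types(fnsec3)
            owner, next_hashed = get_next_non_optout(foptout)
            owner, next_hashed = check_optout(types_name_unhashed, owner, next_hashed, types_name, foptout)

            # Advance the NSEC3 stream past hashed names that sort before the
            # current zone name. Such an NSEC3 has no owner in the zone; it is
            # only reported while the zone name is still below +owner+
            # (presumably the next non-opt-out owner - see check_optout).
            while nsec3_name < types_name && !fnsec3.eof?
              if types_name < owner
                # LOG_ERR, matching the other error paths in this method
                # (this path previously used LOG_ERROR).
                log(LOG_ERR, "Found NSEC3 record for hashed domain which couldn't be found in the zone (#{nsec3_name})")
              end
              nsec3_name, nsec3_types = get_name_and_types(fnsec3)
            end

            # Advance the types stream past zone names that have no NSEC3,
            # reporting each one unless the caller listed it in unknown_nsecs.
            while types_name < nsec3_name && !ftypes.eof?
              unless unknown_nsecs[types_name_unhashed + "."]
                if types_types.length > 0
                  log(LOG_ERR, "Found RRs for #{types_name_unhashed} (#{types_name}) which was not covered by an NSEC3 record")
                else
                  log(LOG_ERR, "Can't find NSEC3 for empty nonterminal #{types_name_unhashed} (should be #{types_name})")
                end
              end
              types_name, types_name_unhashed, types_types = get_name_and_types(ftypes, true)
              owner, next_hashed = check_optout(types_name_unhashed, owner, next_hashed, types_name, foptout)
            end

            # With opt-out in use, an insecure delegation (NS + RRSIG only)
            # should not carry an NSEC3 at all.
            if @parent.config.denial.nsec3.optout && nsec3_types.include?(Types::NS) &&
               nsec3_types.include?(Types::RRSIG) && nsec3_types.length == 2
              log(LOG_WARNING, "NSEC3 record found for #{types_name_unhashed} (#{nsec3_name}). Only an NS record is present, and opt out is being used, so no NSEC3 is expected")
            end

            if types_types != nsec3_types
              # The types file may hold several records for the same hashed
              # name; read them all and compare the last one against the NSEC3
              # bitmap. The first record with a *different* name is kept for
              # the next iteration (dont_load_next_types).
              old_types_name = types_name
              old_types_name_unhashed = types_name_unhashed
              old_types_types = types_types
              while old_types_name == types_name
                types_name, types_name_unhashed, types_types = get_name_and_types(ftypes, true)
                if types_name == old_types_name
                  dont_load_next_types = false
                  old_types_name = types_name
                  old_types_name_unhashed = types_name_unhashed
                  old_types_types = types_types
                else
                  dont_load_next_types = true
                end
              end
              if old_types_types != nsec3_types
                log(LOG_ERR, "ERROR : expected #{@parent.get_types_string(nsec3_types)}" +
                    " at #{old_types_name_unhashed} (#{nsec3_name}) but found " +
                    "#{@parent.get_types_string(old_types_types)}")
              end
            end
          end
        end
      end
    end
  ensure
    # Remove the pid-suffixed scratch files whether or not the walk completed.
    delete_nsec3_files()
  end
end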