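# File ../../auditor/lib/kasp_auditor/partial_auditor.rb, line 631
# Given an array of resource records for a particular owner name,
# check that :
#   Each domain has a corresponding NSEC record. [E]
#   Each NSEC record has bits correctly set to indicate the types of RRs associated with the domain. [E]
#   Each NSEC3 record has bits correctly set to indicate the types of RRs associated with the domain. [E]
#
# Then, for each RRSet :
#   There is an RRSIG record for each algorithm for which there is a DNSKEY RR (unless the domain is glue, an unsigned delegation or out of zone) [E]
#   The RRSIG record(s) validate the RRset(s) for the domain using one of the keys in the DNSKEY RRset. (Note: except for the zone apex, there should be no RRSIG for NS RRsets, glue records, unsigned delegations or out of zone data.) [E]
#
# @param rrsets [Array] the RRsets sharing this owner name; an empty array is a no-op
# @param types [Array] the RR types present at this name, handed to check_nsec_types
# @param delegation [Object] delegation status of the name, handed to check_signature
# @return [nil] findings are reported through @parent.log, nothing is returned
def check_domain(rrsets, types, delegation)
  return if rrsets.empty?

  processed_nsec = false
  is_glue = false
  rrsets.each do |rrset|
    if [Types::NSEC, Types::NSEC3].include?(rrset.type)
      # Exactly one NSEC/NSEC3 RR is expected per owner name; extra ones are reported.
      # A log level is passed so this call has the same arity as the other
      # @parent.log call below — NOTE(review): confirm LOG_ERR is the intended severity.
      @parent.log(LOG_ERR, "Multiple NSEC(3) records seen for #{rrset.name}") if rrset.rrs.length > 1
      # Only the first NSEC(3) RR has its type bitmap checked.
      check_nsec_types(rrset.rrs[0], types)
      processed_nsec = true
    end
    # Glue cannot be identified without sorting the zone, so an RRset with no
    # RRSIG is assumed to be glue. Consequence: a missing RRSIG on a non-glue
    # name also suppresses the "No NSEC record" error for the whole name, so a
    # stripped signature hides the missing-denial finding rather than adding to it.
    if rrset.sigs.empty?
      is_glue = true
    else
      check_signature(rrset, delegation)
    end
  end

  # Report only when NSEC denial is configured, no NSEC(3) was seen, and the
  # name was not classified as glue above.
  return if processed_nsec || is_glue || !@config.denial.nsec

  @parent.log(LOG_ERR, "No NSEC record for #{rrsets[0].name}")
  # @TODO@ Check there is an NSEC3 record for the domain!
end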