# Audits one NSEC3 RR against the zone's configured denial-of-existence
# settings and appends it to the per-process audit scratch files.
#
# @param l_rr [RR::NSEC3] the NSEC3 record under audit
# @return [nil, Integer] nil on early exit, otherwise the byte count of the last write
#
# Findings logged at LOG_ERR:
#   - an NSEC3 appearing in a zone configured for NSEC (nothing further is checked)
#   - an NSEC3 seen before any NSEC3PARAM (reported once per zone; the first such
#     record is kept in @first_nsec3)
#   - salt / iterations / hash algorithm differing from @config.denial.nsec3.hash
# TTL and chain-order checks are delegated to check_nsec_ttl / check_nsec_next.
def check_nsec3(l_rr)
  # NSEC3 in an NSEC-signed zone is a misconfiguration; there is nothing else to audit.
  if @config.denial.nsec
    log(LOG_ERR, "NSEC3 RRs included in NSEC-signed zone")
    return
  end

  # Report a missing NSEC3PARAM only once per zone, remembering the offending record.
  unless @nsec3param || @warned_about_nsec3param
    log(LOG_ERR, "NSEC3 record found for #{l_rr.name}, before NSEC3PARAM record was found - won't report again for this zone")
    @warned_about_nsec3param = true
    @first_nsec3 = l_rr
  end

  # The signer configuration is the reference for the hashing parameters; every
  # NSEC3 must carry exactly those values, each mismatch is logged separately.
  expected = @config.denial.nsec3.hash
  {
    "salt" => [l_rr.salt, expected.salt],
    "iterations" => [l_rr.iterations, expected.iterations],
    "algorithm" => [l_rr.hash_alg, expected.algorithm]
  }.each do |field, (actual, wanted)|
    log(LOG_ERR, "NSEC3 has wrong #{field} : should be #{wanted} but was #{actual}") if actual != wanted
  end

  check_nsec_ttl(l_rr)
  # Chain continuity: the expected successor is derived from the previous NSEC3, if any.
  expected_next = @last_nsec ? get_next_nsec3_name(@last_nsec) : nil
  check_nsec_next(l_rr, expected_next)

  # "<owner> <types>" per record; presumably consumed by a later whole-zone pass.
  File.open(@working + "#{File::SEPARATOR}audit.nsec3.#{Process.pid}", "a") do |out|
    type_list = get_types_string(l_rr.types)
    out.write("#{l_rr.name} #{type_list}\n")
  end

  return if l_rr.opt_out?

  # Non-opt-out records also get "<owner> <next owner>" in the opt-out audit file.
  File.open(@working + "#{File::SEPARATOR}audit.optout.#{Process.pid}", "a") do |out|
    owner = l_rr.name.to_s
    # With an empty apex name the owner would otherwise lack its trailing dot.
    owner += "." if @soa.name.to_s.empty?
    successor = RR::NSEC3.encode_next_hashed(l_rr.next_hashed) + "." + @soa.name.to_s
    out.write("#{owner} #{successor}\n")
  end
end