org.xbill.DNS
Class DNSSEC

java.lang.Object
  org.xbill.DNS.DNSSEC

public class DNSSEC
extends Object

Constants and methods relating to DNSSEC. DNSSEC provides authentication for DNS information.

Author:

Brian Wellington

See Also:

RRSIGRecord, DNSKEYRecord, RRset

Nested Class Summary

static class	DNSSEC.Algorithm
static class	DNSSEC.DNSSECException A DNSSEC exception.
static class	DNSSEC.IncompatibleKeyException The key data provided is inconsistent.
static class	DNSSEC.KeyMismatchException A DNSSEC verification failed because fields in the DNSKEY and RRSIG records do not match.
static class	DNSSEC.MalformedKeyException The cryptographic data in a DNSSEC key is malformed.
static class	DNSSEC.SignatureExpiredException A DNSSEC verification failed because the signature has expired.
static class	DNSSEC.SignatureNotYetValidException A DNSSEC verification failed because the signature has not yet become valid.
static class	DNSSEC.SignatureVerificationException A DNSSEC verification failed because the cryptographic signature verification failed.
static class	DNSSEC.UnsupportedAlgorithmException An algorithm is unsupported by this DNSSEC implementation.

Method Summary

static String	algString(int alg) Convert an algorithm number to the corresponding JCA string.
static byte[]	digestMessage(SIGRecord sig, Message msg, byte[] previous) Creates a byte array containing the concatenation of the fields of the SIG(0) record and the message to be signed.
static byte[]	digestRRset(RRSIGRecord rrsig, RRset rrset) Creates a byte array containing the concatenation of the fields of the SIG record and the RRsets to be signed/verified.
static RRSIGRecord	sign(RRset rrset, DNSKEYRecord key, PrivateKey privkey, Date inception, Date expiration) Generate a DNSSEC signature.
static RRSIGRecord	sign(RRset rrset, DNSKEYRecord key, PrivateKey privkey, Date inception, Date expiration, String provider) Generate a DNSSEC signature.
static void	verify(RRset rrset, RRSIGRecord rrsig, DNSKEYRecord key) Verify a DNSSEC signature.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

digestRRset

public static byte[] digestRRset(RRSIGRecord rrsig,
                                 RRset rrset)

Creates a byte array containing the concatenation of the fields of the SIG record and the RRsets to be signed/verified. This does not perform a cryptographic digest.

Parameters:

rrsig - The RRSIG record used to sign/verify the rrset.

rrset - The data to be signed/verified.

Returns:

The data to be cryptographically signed or verified.

digestMessage

public static byte[] digestMessage(SIGRecord sig,
                                   Message msg,
                                   byte[] previous)

Creates a byte array containing the concatenation of the fields of the SIG(0) record and the message to be signed. This does not perform a cryptographic digest.

Parameters:

sig - The SIG record used to sign the rrset.

msg - The message to be signed.

previous - If this is a response, the signature from the query.

Returns:

The data to be cryptographically signed.

algString

public static String algString(int alg)
                        throws DNSSEC.UnsupportedAlgorithmException

Convert an algorithm number to the corresponding JCA string.

Parameters:

alg - The algorithm number.

Throws:

DNSSEC.UnsupportedAlgorithmException - The algorithm is unknown.

verify

public static void verify(RRset rrset,
                          RRSIGRecord rrsig,
                          DNSKEYRecord key)
                   throws DNSSEC.DNSSECException

Verify a DNSSEC signature.

Parameters:

rrset - The data to be verified.

rrsig - The RRSIG record containing the signature.

key - The DNSKEY record to verify the signature with.

Throws:

DNSSEC.UnsupportedAlgorithmException - The algorithm is unknown

DNSSEC.MalformedKeyException - The key is malformed

DNSSEC.KeyMismatchException - The key and signature do not match

DNSSEC.SignatureExpiredException - The signature has expired

DNSSEC.SignatureNotYetValidException - The signature is not yet valid

DNSSEC.SignatureVerificationException - The signature does not verify.

DNSSEC.DNSSECException - Some other error occurred.

sign

public static RRSIGRecord sign(RRset rrset,
                               DNSKEYRecord key,
                               PrivateKey privkey,
                               Date inception,
                               Date expiration)
                        throws DNSSEC.DNSSECException

Generate a DNSSEC signature. key and privateKey must refer to the same underlying cryptographic key.

Parameters:

rrset - The data to be signed

key - The DNSKEY record to use as part of signing

privkey - The PrivateKey to use when signing

inception - The time at which the signatures should become valid

expiration - The time at which the signatures should expire

Returns:

The generated signature

Throws:

DNSSEC.UnsupportedAlgorithmException - The algorithm is unknown

DNSSEC.MalformedKeyException - The key is malformed

DNSSEC.DNSSECException - Some other error occurred.

sign

public static RRSIGRecord sign(RRset rrset,
                               DNSKEYRecord key,
                               PrivateKey privkey,
                               Date inception,
                               Date expiration,
                               String provider)
                        throws DNSSEC.DNSSECException

Generate a DNSSEC signature. key and privateKey must refer to the same underlying cryptographic key.

Parameters:

rrset - The data to be signed

key - The DNSKEY record to use as part of signing

privkey - The PrivateKey to use when signing

inception - The time at which the signatures should become valid

expiration - The time at which the signatures should expire

provider - The name of the JCA provider. If non-null, it will be passed to JCA getInstance() methods.

Returns:

The generated signature

Throws:

DNSSEC.UnsupportedAlgorithmException - The algorithm is unknown

DNSSEC.MalformedKeyException - The key is malformed

DNSSEC.DNSSECException - Some other error occurred.