adamfisk/DNSSEC4J

Doesn't properly handle the case where the answer section of DNS responses is empty

adamfisk opened this issue · 0 comments

adamfisk commented

See for example this result from www.dnsec.org and note that no attempt is made to verify the org signature.

  TESTING www.dnssec.org

Verifying record: www.dnssec.org.
Sending query...
RESPONSE: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56247
;; flags: qr rd ra ; qd: 1 an: 2 au: 0 ad: 1
;; QUESTIONS:
;; www.dnssec.org., type = A, class = IN

;; ANSWERS:
www.dnssec.org. 300 IN A 72.13.32.43
www.dnssec.org. 300 IN RRSIG A 8 3 300 20120214125759 20120131125759 54650 dnssec.org. JiJesM9KG5T21lJBsKhn2+/NdIo2HcPYTPWtALOA1MKGNNeEri+asrQ6p6rTaBxr+LtLSLgytdtQ9vV0UemPOWsKIPoz4sBKIZAsecU1zP0NpBwWPG4og6T7QJpRpAXVAYq7eragT5TIleFVK1fPW9rtwBEdlqOoLwQxbT+JlvQ=

;; AUTHORITY RECORDS:

;; ADDITIONAL RECORDS:
. 32768 CLASS4096 OPT ; payload 4096, xrcode 0, version 0, flags 32768

;; Message size: 229 bytes

;; RRset to chase:
www.dnssec.org. 300 IN A 72.13.32.43

;; RRSIG of the RRset to chase:
www.dnssec.org. 300 IN RRSIG A 8 3 300 20120214125759 20120131125759 54650 dnssec.org. JiJesM9KG5T21lJBsKhn2+/NdIo2HcPYTPWtALOA1MKGNNeEri+asrQ6p6rTaBxr+LtLSLgytdtQ9vV0UemPOWsKIPoz4sBKIZAsecU1zP0NpBwWPG4og6T7QJpRpAXVAYq7eragT5TIleFVK1fPW9rtwBEdlqOoLwQxbT+JlvQ=

Launch a query to find a RRset of type DNSKEY for zone: dnssec.org.
Looking for tag: 54650
Sent query...

;; DNSKEYset that signs the RRset to chase:
dnssec.org. 3600 IN DNSKEY 256 3 8 (
AQO56gSZvWOQC4dV3ud8DYy9rjeWcAkKCZEB4k3carnAgRk7BEaSgrD1nOzLOCCs
s4AJndDEayUmmAiYHkQKKMzYKZyZGPrsDPHxMQVC9wU+k9uSZuZQjRSH5n/IO7oX
b1NZmuaL3yFTZW7S/Embts6K6gk9IqKzhQmcmtCEPp/C5w== ) ; key_tag = 54650

Found matching DNSKEY for tag!! 54650

dnssec.org. 3600 IN DNSKEY 257 3 8 (
AQPDnQJgLD1wqZnPGAnbN9AoHFKUJmxQNrDv+ZKNiFczzfaSXBOJZYdIzcWl5dk+
ntFicmjfBLAdLiC00yRiyptGZC1fPASm3puGYjkKjr9WV2Xx4Vdt8+meySs50Cjr
dPcAPHwyPaytoR9R6Y3PwQ4ZuIWtk1yPhjf+NHYpa2j2IY4sMFoMUXKz06nsOCHY
ex5CkQGqfOTGzX25XtfZM8tUvL8MdjCTV8+GoqvY5G7QrXP5DOwxn8ejngUyObui
lfDEO8cojHecVHeVZAZBLp/np4ygL1LUmSqvuWFBSHmld3Rmmvt6oOwthMmv8IfY
KdDV0HepC22k5N1kf7GPewPL ) ; key_tag = 58494

;; RRSIG of the DNSKEYset that signs the RRset to chase:
dnssec.org. 3600 IN RRSIG DNSKEY 8 2 3600 (
20120214125759 20120131125759 54650 dnssec.org.
Yf8wEGW13yzMFhAcsv+RvzkMUFqWVeWzSR94LrZB9InWehC/+LgrALjLrnMhMeVe
yxLoiXAOPmb0oJsC8pN+8kn/D7VWaKTQIOns+1gaNjbjtLta/GkKqvEXgUN+tkqi
n7jzyNXDH3NJM71sDeKt4Z+SMcT0NdwFtAtxtu/euZY= )
dnssec.org. 3600 IN RRSIG DNSKEY 8 2 3600 (
20120214125759 20120131125759 58494 dnssec.org.
hGDXq4oZ5B39wE9h6zEM0//IS5cTDHyJC/uIu+6edf2JNHkLpKeWoW79u1bBVv82
5mAJuQwnHCvHeKbPS6bw+MhNulBivXPeAYIu9MZCJhVnrMKexoH30gHyI60nmwDH
bbJ1tgiuy1jTgafLdPvVpSq3TBwra5t2WZjj70UH6K1qiUkVr2kvYuuh6mmnZfiz
8Mleg8J8m70aClK/co00uLYhQkCx+8/gtiNYmCZPPz18EXCZDk798qkSuKZual+O
tvFNpf7vKGqoFj9O7B5oCs8OygUVRJQCfKCK/Xwhr84L6eSVq/LOQiCFl0VPSnU+
vx9qgT3NSPJTQ3k9PvmAyQ== )
0 2012-02-04 19:22:51,934 INFO [main] dnssec4j.DnsSec.verifyZone (DnsSec.java:194) - DNSKEY verified!!

Launch a query to find a RRset of type DS for zone: dnssec.org.
Sent query and got response: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30381
;; flags: qr rd ra ; qd: 1 an: 0 au: 6 ad: 1
;; QUESTIONS:
;; dnssec.org., type = DS, class = IN

;; ANSWERS:

;; AUTHORITY RECORDS:
org. 900 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009946788 1800 900 604800 86400
org. 900 IN RRSIG SOA 7 1 900 20120226032210 20120205022210 55440 org. KtsrLYLGjasB7m8MxQS2nvfyrK41DSWYrqmWwdZ6CYe3eq7AEQlSNY8WgXX61K2sH31OiQEOALD6tXhJlJxL75CL8Y+yu7f0WatHZwfHyd5Uks8Jl5L+Bom8QJo/oDGAMsqs0B5rkYgTVNk9mz5nkp6HDKy9QjEHB5AHuhpBPQU=
7pf28nddh26llbbcqlr72eg5vvor842c.org. 900 IN RRSIG NSEC3 7 2 86400 20120222155816 20120201145816 55440 org. YQwVuhsNIYNXCAGiUyPDn9IYo00JYFMLYi6ZFhMqB7m6y84TDdxeOOkqDGebWRLuXlkJfBVWdpCZrjCa2OBz9Fv9MXsnk5IznnQ+pnX2/8SXptoq6ogQ7h3i0ls3N21VgGfkQePdLOuoTQXfIo5cf5TaBC3r1/cByuWeKc8HqWU=
7pf28nddh26llbbcqlr72eg5vvor842c.org. 900 IN NSEC3 1 1 1 D399EAAB 7PGEQ71915U0565ODSOAFMLC5SIQT5JQ A RRSIG
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 900 IN RRSIG NSEC3 7 2 86400 20120226032210 20120205022210 55440 org. NOg8sGBiNkcP0I0MEtxBYZyn7oTKWjgYGmOFsd89zNyvgyZgVxjYc194XjNYlhG8c3WpRxffX3qWhQjxqKm+UdNXZqj1ad4sK4NyQFMLWy0VsNO7CSxLCIO6zyU38X62m7+IBP957KgEhdXv6m3hMdPRtEHVYr6U6vGV6C+itOU=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 900 IN NSEC3 1 1 1 D399EAAB H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM

;; ADDITIONAL RECORDS:
. 32768 CLASS4096 OPT ; payload 4096, xrcode 0, version 0, flags 32768

;; Message size: 758 bytes
;; Out of recursive call

DONE TESTING www.dnssec.org