Package org.xbill.DNS
Class DNSSEC
java.lang.Object
org.xbill.DNS.DNSSEC
Constants and methods relating to DNSSEC.
DNSSEC provides authentication for DNS information.
- Author:
- Brian Wellington
Nested Class Summary
Nested Classes (Modifier and Type, Class, Description):
- static class: Domain Name System Security (DNSSEC) Algorithm Numbers.
- static class: DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms.
- static class: A DNSSEC exception.
- static class: The key data provided is inconsistent.
- static class: The DNSKEYRecord used for the validation is not a zone signing key.
- static class: A DNSSEC verification failed because fields in the DNSKEY and RRSIG records do not match.
- static class: The cryptographic data in a DNSSEC key is malformed.
- static class: No signature was found.
- static class: A DNSSEC verification failed because the signature has expired.
- static class: A DNSSEC verification failed because the signature has not yet become valid.
- static class: A DNSSEC verification failed because the cryptographic signature verification failed.
- static class: An algorithm is unsupported by this DNSSEC implementation.
Method Summary
Methods (Modifier and Type, Method, Description):
- static String algString(int alg): Convert an algorithm number to the corresponding JCA string.
- static byte[] digestMessage(SIGRecord sig, Message msg, byte[] previous): Creates a byte array containing the concatenation of the fields of the SIG(0) record and the message to be signed.
- static byte[] digestRRset(RRSIGRecord rrsig, RRset rrset): Creates a byte array containing the concatenation of the fields of the SIG record and the RRsets to be signed/verified.
- static RRSIGRecord sign(RRset rrset, DNSKEYRecord key, PrivateKey privkey, Instant inception, Instant expiration): Generate a DNSSEC signature. key and privateKey must refer to the same underlying cryptographic key.
- static RRSIGRecord sign(RRset rrset, DNSKEYRecord key, PrivateKey privkey, Instant inception, Instant expiration, String provider): Generate a DNSSEC signature. key and privateKey must refer to the same underlying cryptographic key.
- static RRSIGRecord sign(RRset rrset, DNSKEYRecord key, PrivateKey privkey, Date inception, Date expiration): Deprecated.
- static RRSIGRecord sign(RRset rrset, DNSKEYRecord key, PrivateKey privkey, Date inception, Date expiration, String provider): Deprecated.
- static void verify(RRset rrset, RRSIGRecord rrsig, DNSKEYRecord key): Verify a DNSSEC signature.
- static void verify(RRset rrset, RRSIGRecord rrsig, DNSKEYRecord key, Instant date): Verify a DNSSEC signature.
- static void verify(RRset rrset, RRSIGRecord rrsig, DNSKEYRecord key, Date date): Deprecated.
Method Details

digestRRset
Creates a byte array containing the concatenation of the fields of the SIG record and the RRsets to be signed/verified. This does not perform a cryptographic digest.
- Parameters:
  - rrsig - The RRSIG record used to sign/verify the rrset.
  - rrset - The data to be signed/verified.
- Returns:
  - The data to be cryptographically signed or verified.

digestMessage
Creates a byte array containing the concatenation of the fields of the SIG(0) record and the message to be signed. This does not perform a cryptographic digest.
- Parameters:
  - sig - The SIG record used to sign the rrset.
  - msg - The message to be signed.
  - previous - If this is a response, the signature from the query.
- Returns:
  - The data to be cryptographically signed.

algString
Convert an algorithm number to the corresponding JCA string.
- Parameters:
  - alg - The algorithm number.
- Throws:
  - DNSSEC.UnsupportedAlgorithmException - The algorithm is unknown.

verify
public static void verify(RRset rrset, RRSIGRecord rrsig, DNSKEYRecord key) throws DNSSEC.DNSSECException
Verify a DNSSEC signature.
- Parameters:
  - rrset - The data to be verified.
  - rrsig - The RRSIG record containing the signature.
  - key - The DNSKEY record to verify the signature with.
- Throws:
  - DNSSEC.UnsupportedAlgorithmException - The algorithm is unknown
  - DNSSEC.MalformedKeyException - The key is malformed
  - DNSSEC.KeyMismatchException - The key and signature do not match
  - DNSSEC.SignatureExpiredException - The signature has expired
  - DNSSEC.SignatureNotYetValidException - The signature is not yet valid
  - DNSSEC.SignatureVerificationException - The signature does not verify.
  - DNSSEC.DNSSECException - Some other error occurred.

verify
@Deprecated public static void verify(RRset rrset, RRSIGRecord rrsig, DNSKEYRecord key, Date date) throws DNSSEC.DNSSECException
Deprecated.
Verify a DNSSEC signature.
- Parameters:
  - rrset - The data to be verified.
  - rrsig - The RRSIG record containing the signature.
  - key - The DNSKEY record to verify the signature with.
  - date - The date against which the signature is verified.
- Throws:
  - DNSSEC.UnsupportedAlgorithmException - The algorithm is unknown
  - DNSSEC.MalformedKeyException - The key is malformed
  - DNSSEC.KeyMismatchException - The key and signature do not match
  - DNSSEC.SignatureExpiredException - The signature has expired
  - DNSSEC.SignatureNotYetValidException - The signature is not yet valid
  - DNSSEC.SignatureVerificationException - The signature does not verify.
  - DNSSEC.DNSSECException - Some other error occurred.

verify
public static void verify(RRset rrset, RRSIGRecord rrsig, DNSKEYRecord key, Instant date) throws DNSSEC.DNSSECException
Verify a DNSSEC signature.
- Parameters:
  - rrset - The data to be verified.
  - rrsig - The RRSIG record containing the signature.
  - key - The DNSKEY record to verify the signature with.
  - date - The date against which the signature is verified.
- Throws:
  - DNSSEC.UnsupportedAlgorithmException - The algorithm is unknown
  - DNSSEC.MalformedKeyException - The key is malformed
  - DNSSEC.KeyMismatchException - The key and signature do not match
  - DNSSEC.SignatureExpiredException - The signature has expired
  - DNSSEC.SignatureNotYetValidException - The signature is not yet valid
  - DNSSEC.SignatureVerificationException - The signature does not verify.
  - DNSSEC.DNSSECException - Some other error occurred.

sign
@Deprecated public static RRSIGRecord sign(RRset rrset, DNSKEYRecord key, PrivateKey privkey, Date inception, Date expiration) throws DNSSEC.DNSSECException
Deprecated.
Generate a DNSSEC signature. key and privateKey must refer to the same underlying cryptographic key.
- Parameters:
  - rrset - The data to be signed
  - key - The DNSKEY record to use as part of signing
  - privkey - The PrivateKey to use when signing
  - inception - The time at which the signatures should become valid
  - expiration - The time at which the signatures should expire
- Returns:
  - The generated signature
- Throws:
  - DNSSEC.UnsupportedAlgorithmException - The algorithm is unknown
  - DNSSEC.MalformedKeyException - The key is malformed
  - DNSSEC.DNSSECException - Some other error occurred.

sign
@Deprecated public static RRSIGRecord sign(RRset rrset, DNSKEYRecord key, PrivateKey privkey, Date inception, Date expiration, String provider) throws DNSSEC.DNSSECException
Deprecated.
Generate a DNSSEC signature. key and privateKey must refer to the same underlying cryptographic key.
- Parameters:
  - rrset - The data to be signed
  - key - The DNSKEY record to use as part of signing
  - privkey - The PrivateKey to use when signing
  - inception - The time at which the signatures should become valid
  - expiration - The time at which the signatures should expire
- Returns:
  - The generated signature
- Throws:
  - DNSSEC.UnsupportedAlgorithmException - The algorithm is unknown
  - DNSSEC.MalformedKeyException - The key is malformed
  - DNSSEC.DNSSECException - Some other error occurred.

sign
public static RRSIGRecord sign(RRset rrset, DNSKEYRecord key, PrivateKey privkey, Instant inception, Instant expiration) throws DNSSEC.DNSSECException
Generate a DNSSEC signature. key and privateKey must refer to the same underlying cryptographic key.
- Parameters:
  - rrset - The data to be signed
  - key - The DNSKEY record to use as part of signing
  - privkey - The PrivateKey to use when signing
  - inception - The time at which the signatures should become valid
  - expiration - The time at which the signatures should expire
- Returns:
  - The generated signature
- Throws:
  - DNSSEC.UnsupportedAlgorithmException - The algorithm is unknown
  - DNSSEC.MalformedKeyException - The key is malformed
  - DNSSEC.DNSSECException - Some other error occurred.

sign
public static RRSIGRecord sign(RRset rrset, DNSKEYRecord key, PrivateKey privkey, Instant inception, Instant expiration, String provider) throws DNSSEC.DNSSECException
Generate a DNSSEC signature. key and privateKey must refer to the same underlying cryptographic key.
- Parameters:
  - rrset - The data to be signed
  - key - The DNSKEY record to use as part of signing
  - privkey - The PrivateKey to use when signing
  - inception - The time at which the signatures should become valid
  - expiration - The time at which the signatures should expire
  - provider - The name of the JCA provider. If non-null, it will be passed to JCA getInstance() methods.
- Returns:
  - The generated signature
- Throws:
  - DNSSEC.UnsupportedAlgorithmException - The algorithm is unknown
  - DNSSEC.MalformedKeyException - The key is malformed
  - DNSSEC.DNSSECException - Some other error occurred.
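
The following is an added example, not part of the dnsjava documentation: it signs an RRset with sign(...) and then calls verify(...) at different instants and on altered data, to show which of the exceptions listed under verify each failure raises. The class and helper names, the throwaway RSA key and the records are constructed for the example; it assumes dnsjava 3.x on the classpath and uses the library constants DNSKEYRecord.Flags.ZONE_KEY, DNSKEYRecord.Protocol.DNSSEC and DNSSEC.Algorithm.RSASHA256, which are not shown on this page.

```java
import java.net.InetAddress;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.time.Instant;
import org.xbill.DNS.ARecord;
import org.xbill.DNS.DClass;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;

public class DnssecSignVerifyExample {
  // Map three documented verify() failures to labels; other DNSSECExceptions propagate.
  static String check(RRset rrset, RRSIGRecord sig, DNSKEYRecord key, Instant when)
      throws DNSSEC.DNSSECException {
    try {
      DNSSEC.verify(rrset, sig, key, when);
      return "valid";
    } catch (DNSSEC.SignatureExpiredException e) {
      return "expired";
    } catch (DNSSEC.SignatureNotYetValidException e) {
      return "not yet valid";
    } catch (DNSSEC.SignatureVerificationException e) {
      return "signature does not verify";
    }
  }

  static RRset aRRset(Name owner, int lastOctet) throws Exception {
    byte[] addr = {(byte) 192, 0, 2, (byte) lastOctet}; // constructed TEST-NET-1 address
    return new RRset(new ARecord(owner, DClass.IN, 3600, InetAddress.getByAddress(addr)));
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair pair = gen.generateKeyPair(); // throwaway key, constructed for the example
    Name zone = Name.fromString("example.com.");
    DNSKEYRecord key = new DNSKEYRecord(zone, DClass.IN, 3600, DNSKEYRecord.Flags.ZONE_KEY,
        DNSKEYRecord.Protocol.DNSSEC, DNSSEC.Algorithm.RSASHA256, pair.getPublic());
    Instant now = Instant.now();
    Instant inception = now.minusSeconds(3600), expiration = now.plusSeconds(86400);
    RRset rrset = aRRset(zone, 1);
    RRSIGRecord sig = DNSSEC.sign(rrset, key, pair.getPrivate(), inception, expiration);
    System.out.println("at now:           " + check(rrset, sig, key, now));
    System.out.println("after expiration: " + check(rrset, sig, key, expiration.plusSeconds(60)));
    System.out.println("before inception: " + check(rrset, sig, key, inception.minusSeconds(60)));
    System.out.println("altered RRset:    " + check(aRRset(zone, 66), sig, key, now));
  }
}
```

Passing the validation time explicitly through the Instant overload keeps the validity-window check independent of the system clock, which is what makes the expired and not-yet-valid cases reproducible here.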