protected Collection<Record> processGenericANYRecordRequest(String name) throws DNSException { DnsRecord records[]; try { records = proxy.getDNSByNameAndType(name, Type.ANY); } catch (Exception e) { throw new DNSException( DNSError.newError(Rcode.SERVFAIL), "DNS service proxy call for DNS records failed: " + e.getMessage(), e); } if (records == null || records.length == 0) return null; Collection<Record> retVal = new ArrayList<Record>(); try { for (DnsRecord record : records) { Record rec = Record.newRecord( Name.fromString(record.getName()), record.getType(), record.getDclass(), record.getTtl(), record.getData()); retVal.add(rec); } } catch (Exception e) { throw new DNSException( DNSError.newError(Rcode.SERVFAIL), "Failure while parsing generic record data: " + e.getMessage(), e); } return retVal; }
/** * Processes all DNS CERT requests. * * @param name The record name. In many cases this a email address. * @return Returns a set of record responses to the request. * @throws DNSException */ @SuppressWarnings("unused") protected RRset processCERTRecordRequest(String name) throws DNSException { if (name.endsWith(".")) name = name.substring(0, name.length() - 1); Certificate[] certs; // use the certificate configuration service try { certs = proxy.getCertificatesForOwner(name, null); } catch (Exception e) { throw new DNSException( DNSError.newError(Rcode.SERVFAIL), "DNS service proxy call for certificates failed: " + e.getMessage(), e); } if (certs == null || certs.length == 0) { // unless the call above was for an org level cert, it will probably always fail because the // "name" parameter has had all instances of "@" replaced with ".". The certificate service // stores owners using "@". // This is horrible, but try hitting the cert service replacing each "." with "@" one by one. // Start at the beginning of the address because this is more than likely where the "@" // character // will be. int previousIndex = 0; int replaceIndex = 0; while ((replaceIndex = name.indexOf(".", previousIndex)) > -1) { char[] chars = name.toCharArray(); chars[replaceIndex] = '@'; try { certs = proxy.getCertificatesForOwner(String.copyValueOf(chars), null); } catch (Exception e) { throw new DNSException( DNSError.newError(Rcode.SERVFAIL), "DNS service proxy call for certificates failed: " + e.getMessage(), e); } if (certs != null && certs.length > 0) break; if (replaceIndex >= (name.length() - 1)) break; previousIndex = replaceIndex + 1; } } if (certs == null || certs.length == 0) return null; if (!name.endsWith(".")) name += "."; RRset retVal = new RRset(); try { for (Certificate cert : certs) { int certRecordType = CERTRecord.PKIX; byte[] retData = null; X509Certificate xCert = null; try { // need to convert to cert container because this might be // a certificate with wrapped private key data final CertUtils.CertContainer cont = CertUtils.toCertContainer(cert.getData()); xCert = cont.getCert(); // check if this is a compliant certificate with the configured policy... if not, move on if (!isCertCompliantWithPolicy(xCert)) continue; retData = xCert.getEncoded(); } catch (CertificateConversionException e) { // probably not a Certificate... might be a URL } if (xCert == null) { // see if it's a URL try { retData = cert.getData(); URL url = new URL(new String(retData)); certRecordType = CERTRecord.URI; } catch (Exception e) { throw new DNSException( DNSError.newError(Rcode.SERVFAIL), "Failure while parsing CERT record data: " + e.getMessage(), e); } } int keyTag = 0; int alg = 0; if (xCert != null && xCert.getPublicKey() instanceof RSAKey) { RSAKey key = (RSAKey) xCert.getPublicKey(); byte[] modulus = key.getModulus().toByteArray(); keyTag = (modulus[modulus.length - 2] << 8) & 0xFF00; keyTag |= modulus[modulus.length - 1] & 0xFF; alg = 5; } CERTRecord rec = new CERTRecord( Name.fromString(name), DClass.IN, 86400L, certRecordType, keyTag, alg /*public key alg, RFC 4034*/, retData); retVal.addRR(rec); } } catch (Exception e) { throw new DNSException( DNSError.newError(Rcode.SERVFAIL), "Failure while parsing CERT record data: " + e.getMessage(), e); } // because of policy filtering, it's possible that we could have filtered out every cert // resulting in an empty RR set return (retVal.size() == 0) ? null : retVal; }
/** {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public Message get(Message request) throws DNSException { LOGGER.trace("get(Message) Entered"); /* for testing time out cases try { Thread.sleep(1000000); } catch (Exception e) { } */ if (request == null) throw new DNSException(DNSError.newError(Rcode.FORMERR)); Header header = request.getHeader(); if (header.getFlag(Flags.QR) || header.getRcode() != Rcode.NOERROR) throw new DNSException(DNSError.newError(Rcode.FORMERR)); if (header.getOpcode() != Opcode.QUERY) throw new DNSException(DNSError.newError(Rcode.NOTIMP)); Record question = request.getQuestion(); if (question == null || question.getDClass() != DClass.IN) { throw new DNSException(DNSError.newError(Rcode.NOTIMP)); } Record queryRecord = request.getQuestion(); Name name = queryRecord.getName(); int type = queryRecord.getType(); if (LOGGER.isDebugEnabled()) { StringBuilder builder = new StringBuilder("Recieved Query Request:"); builder.append("\r\n\tName: " + name.toString()); builder.append("\r\n\tType: " + type); builder.append("\r\n\tDClass: " + queryRecord.getDClass()); LOGGER.debug(builder.toString()); } Collection<Record> lookupRecords = null; switch (question.getType()) { case Type.A: case Type.MX: case Type.SOA: case Type.SRV: case Type.NS: case Type.CNAME: { try { final RRset set = processGenericRecordRequest(name.toString(), type); if (set != null) { lookupRecords = new ArrayList<Record>(); Iterator<Record> iter = set.rrs(); while (iter.hasNext()) lookupRecords.add(iter.next()); } } catch (Exception e) { throw new DNSException( DNSError.newError(Rcode.SERVFAIL), "DNS service proxy call failed: " + e.getMessage(), e); } break; } case Type.CERT: { final RRset set = processCERTRecordRequest(name.toString()); if (set != null) { lookupRecords = new ArrayList<Record>(); Iterator<Record> iter = set.rrs(); while (iter.hasNext()) lookupRecords.add(iter.next()); } break; } case Type.ANY: { Collection<Record> genRecs = processGenericANYRecordRequest(name.toString()); RRset certRecs = processCERTRecordRequest(name.toString()); if (genRecs != null || certRecs != null) { lookupRecords = new ArrayList<Record>(); if (genRecs != null) lookupRecords.addAll(genRecs); if (certRecs != null) { Iterator<Record> iter = certRecs.rrs(); while (iter.hasNext()) lookupRecords.add(iter.next()); } } break; } default: { LOGGER.debug("Query Type " + type + " not implemented"); throw new DNSException( DNSError.newError(Rcode.NOTIMP), "Query Type " + type + " not implemented"); } } if (lookupRecords == null || lookupRecords.size() == 0) { LOGGER.debug("No records found."); return null; } final Message response = new Message(request.getHeader().getID()); response.getHeader().setFlag(Flags.QR); if (request.getHeader().getFlag(Flags.RD)) response.getHeader().setFlag(Flags.RD); response.addRecord(queryRecord, Section.QUESTION); final Iterator<Record> iter = lookupRecords.iterator(); while (iter.hasNext()) response.addRecord(iter.next(), Section.ANSWER); // we are authoritative only response.getHeader().setFlag(Flags.AA); // look for an SOA record final Record soaRecord = checkForSoaRecord(name.toString()); if (soaRecord != null) response.addRecord(soaRecord, Section.AUTHORITY); LOGGER.trace("get(Message) Exit"); return response; }