| /* |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| * |
| */ |
| |
| package org.apache.directory.server.dns.io.encoder; |
| |
| |
| /** |
| * 4.1 SIG RDATA Format |
| * |
| * The RDATA portion of a SIG RR is as shown below. The integrity of |
| * the RDATA information is protected by the signature field. |
| * |
| * 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 |
| * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 |
| * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| * | type covered | algorithm | labels | |
| * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| * | original TTL | |
| * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| * | signature expiration | |
| * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| * | signature inception | |
| * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| * | key tag | | |
| * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ signer's name + |
| * | / |
| * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/ |
| * / / |
| * / signature / |
| * / / |
| * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| * |
| * 4.1.1 Type Covered Field |
| * |
| * The "type covered" is the type of the other RRs covered by this SIG. |
| * |
| * 4.1.2 Algorithm Number Field |
| * |
| * This octet is as described in section 3.2. |
| * |
| * 4.1.3 Labels Field |
| * |
| * The "labels" octet is an unsigned count of how many labels there are |
| * in the original SIG RR owner name not counting the null label for |
| * root and not counting any initial "*" for a wildcard. If a secured |
| * retrieval is the result of wild card substitution, it is necessary |
| * for the resolver to use the original form of the name in verifying |
| * the digital signature. This field makes it easy to determine the |
| * original form. |
| * |
| * If, on retrieval, the RR appears to have a longer name than indicated |
| * by "labels", the resolver can tell it is the result of wildcard |
| * substitution. If the RR owner name appears to be shorter than the |
| * labels count, the SIG RR must be considered corrupt and ignored. The |
| * maximum number of labels allowed in the current DNS is 127 but the |
| * entire octet is reserved and would be required should DNS names ever |
| * be expanded to 255 labels. The following table gives some examples. |
| * The value of "labels" is at the top, the retrieved owner name on the |
| * left, and the table entry is the name to use in signature |
| * verification except that "bad" means the RR is corrupt. |
| * |
| * labels= | 0 | 1 | 2 | 3 | 4 | |
| * --------+-----+------+--------+----------+----------+ |
| * .| . | bad | bad | bad | bad | |
| * d.| *. | d. | bad | bad | bad | |
| * c.d.| *. | *.d. | c.d. | bad | bad | |
| * b.c.d.| *. | *.d. | *.c.d. | b.c.d. | bad | |
| * a.b.c.d.| *. | *.d. | *.c.d. | *.b.c.d. | a.b.c.d. | |
| * |
| * 4.1.4 Original TTL Field |
| * |
| * The "original TTL" field is included in the RDATA portion to avoid |
| * (1) authentication problems that caching servers would otherwise |
| * cause by decrementing the real TTL field and (2) security problems |
| * that unscrupulous servers could otherwise cause by manipulating the |
| * real TTL field. This original TTL is protected by the signature |
| * while the current TTL field is not. |
| * |
| * NOTE: The "original TTL" must be restored into the covered RRs when |
| * the signature is verified (see Section 8). This generaly implies |
| * that all RRs for a particular type, name, and class, that is, all the |
| * RRs in any particular RRset, must have the same TTL to start with. |
| * |
| * 4.1.5 Signature Expiration and Inception Fields |
| * |
| * The SIG is valid from the "signature inception" time until the |
| * "signature expiration" time. Both are unsigned numbers of seconds |
| * since the start of 1 January 1970, GMT, ignoring leap seconds. (See |
| * also Section 4.4.) Ring arithmetic is used as for DNS SOA serial |
| * numbers [RFC 1982] which means that these times can never be more |
| * than about 68 years in the past or the future. This means that these |
| * times are ambiguous modulo ~136.09 years. However there is no |
| * security flaw because keys are required to be changed to new random |
| * keys by [RFC 2541] at least every five years. This means that the |
| * probability that the same key is in use N*136.09 years later should |
| * be the same as the probability that a random guess will work. |
| * |
| * A SIG RR may have an expiration time numerically less than the |
| * inception time if the expiration time is near the 32 bit wrap around |
| * point and/or the signature is long lived. |
| * |
| * (To prevent misordering of network requests to update a zone |
| * dynamically, monotonically increasing "signature inception" times may |
| * be necessary.) |
| * |
| * A secure zone must be considered changed for SOA serial number |
| * purposes not only when its data is updated but also when new SIG RRs |
| * are inserted (ie, the zone or any part of it is re-signed). |
| * |
| * 4.1.6 Key Tag Field |
| * |
| * The "key Tag" is a two octet quantity that is used to efficiently |
| * select between multiple keys which may be applicable and thus check |
| * that a public key about to be used for the computationally expensive |
| * effort to check the signature is possibly valid. For algorithm 1 |
| * (MD5/RSA) as defined in [RFC 2537], it is the next to the bottom two |
| * octets of the public key modulus needed to decode the signature |
| * field. That is to say, the most significant 16 of the least |
| * significant 24 bits of the modulus in network (big endian) order. For |
| * all other algorithms, including private algorithms, it is calculated |
| * as a simple checksum of the KEY RR as described in Appendix C. |
| * |
| * 4.1.7 Signer's Name Field |
| * |
| * The "signer's name" field is the domain name of the signer generating |
| * the SIG RR. This is the owner name of the public KEY RR that can be |
| * used to verify the signature. It is frequently the zone which |
| * contained the RRset being authenticated. Which signers should be |
| * authorized to sign what is a significant resolver policy question as |
| * discussed in Section 6. The signer's name may be compressed with |
| * standard DNS name compression when being transmitted over the |
| * network. |
| * |
| * 4.1.8 Signature Field |
| * |
| * The actual signature portion of the SIG RR binds the other RDATA |
| * fields to the RRset of the "type covered" RRs with that owner name |
| * and class. This covered RRset is thereby authenticated. To |
| * accomplish this, a data sequence is constructed as follows: |
| * |
| * data = RDATA | RR(s)... |
| * |
| * where "|" is concatenation, |
| * |
| * RDATA is the wire format of all the RDATA fields in the SIG RR itself |
| * (including the canonical form of the signer's name) before but not |
| * including the signature, and |
| * |
| * RR(s) is the RRset of the RR(s) of the type covered with the same |
| * owner name and class as the SIG RR in canonical form and order as |
| * defined in Section 8. |
| * |
| * How this data sequence is processed into the signature is algorithm |
| * dependent. These algorithm dependent formats and procedures are |
| * described in separate documents (Section 3.2). |
| * |
| * SIGs SHOULD NOT be included in a zone for any "meta-type" such as |
| * ANY, AXFR, etc. (but see section 5.6.2 with regard to IXFR). |
| * |
| * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a> |
| * @version $Rev$, $Date$ |
| */ |
| public class SignatureRecordEncoder |
| { |
| } |