/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 *
 */

package org.apache.directory.server.dns.io.encoder;


/**
 * 4.1 SIG RDATA Format
 *
 * The RDATA portion of a SIG RR is as shown below. The integrity of
 * the RDATA information is protected by the signature field.
 *
 *                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 *      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *     |         type covered          |   algorithm   |    labels     |
 *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *     |                         original TTL                          |
 *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *     |                     signature expiration                      |
 *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *     |                      signature inception                      |
 *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *     |            key tag            |                               |
 *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+         signer's name         +
 *     |                                                               /
 *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/
 *     /                                                               /
 *     /                           signature                           /
 *     /                                                               /
 *     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * 4.1.1 Type Covered Field
 *
 * The "type covered" is the type of the other RRs covered by this SIG.
 *
 * 4.1.2 Algorithm Number Field
 *
 * This octet is as described in section 3.2.
 *
 * 4.1.3 Labels Field
 *
 * The "labels" octet is an unsigned count of how many labels there are
 * in the original SIG RR owner name not counting the null label for
 * root and not counting any initial "*" for a wildcard. If a secured
 * retrieval is the result of wild card substitution, it is necessary
 * for the resolver to use the original form of the name in verifying
 * the digital signature. This field makes it easy to determine the
 * original form.
 *
 * If, on retrieval, the RR appears to have a longer name than indicated
 * by "labels", the resolver can tell it is the result of wildcard
 * substitution. If the RR owner name appears to be shorter than the
 * labels count, the SIG RR must be considered corrupt and ignored. The
 * maximum number of labels allowed in the current DNS is 127 but the
 * entire octet is reserved and would be required should DNS names ever
 * be expanded to 255 labels. The following table gives some examples.
 * The value of "labels" is at the top, the retrieved owner name on the
 * left, and the table entry is the name to use in signature
 * verification except that "bad" means the RR is corrupt.
 *
 *     labels= |  0  |   1  |    2   |    3     |    4     |
 *     --------+-----+------+--------+----------+----------+
 *            .|   . | bad  |   bad  |    bad   |    bad   |
 *           d.|  *. |   d. |   bad  |    bad   |    bad   |
 *         c.d.|  *. | *.d. |  c.d.  |    bad   |    bad   |
 *       b.c.d.|  *. | *.d. | *.c.d. |  b.c.d.  |    bad   |
 *     a.b.c.d.|  *. | *.d. | *.c.d. | *.b.c.d. | a.b.c.d. |
 *
 * 4.1.4 Original TTL Field
 *
 * The "original TTL" field is included in the RDATA portion to avoid
 * (1) authentication problems that caching servers would otherwise
 * cause by decrementing the real TTL field and (2) security problems
 * that unscrupulous servers could otherwise cause by manipulating the
 * real TTL field. This original TTL is protected by the signature
 * while the current TTL field is not.
 *
 * NOTE: The "original TTL" must be restored into the covered RRs when
 * the signature is verified (see Section 8). This generally implies
 * that all RRs for a particular type, name, and class, that is, all the
 * RRs in any particular RRset, must have the same TTL to start with.
 *
 * 4.1.5 Signature Expiration and Inception Fields
 *
 * The SIG is valid from the "signature inception" time until the
 * "signature expiration" time. Both are unsigned numbers of seconds
 * since the start of 1 January 1970, GMT, ignoring leap seconds. (See
 * also Section 4.4.) Ring arithmetic is used as for DNS SOA serial
 * numbers [RFC 1982] which means that these times can never be more
 * than about 68 years in the past or the future. This means that these
 * times are ambiguous modulo ~136.09 years. However there is no
 * security flaw because keys are required to be changed to new random
 * keys by [RFC 2541] at least every five years. This means that the
 * probability that the same key is in use N*136.09 years later should
 * be the same as the probability that a random guess will work.
 *
 * A SIG RR may have an expiration time numerically less than the
 * inception time if the expiration time is near the 32 bit wrap around
 * point and/or the signature is long lived.
 *
 * (To prevent misordering of network requests to update a zone
 * dynamically, monotonically increasing "signature inception" times may
 * be necessary.)
 *
 * A secure zone must be considered changed for SOA serial number
 * purposes not only when its data is updated but also when new SIG RRs
 * are inserted (ie, the zone or any part of it is re-signed).
 *
 * 4.1.6 Key Tag Field
 *
 * The "key Tag" is a two octet quantity that is used to efficiently
 * select between multiple keys which may be applicable and thus check
 * that a public key about to be used for the computationally expensive
 * effort to check the signature is possibly valid. For algorithm 1
 * (MD5/RSA) as defined in [RFC 2537], it is the next to the bottom two
 * octets of the public key modulus needed to decode the signature
 * field. That is to say, the most significant 16 of the least
 * significant 24 bits of the modulus in network (big endian) order. For
 * all other algorithms, including private algorithms, it is calculated
 * as a simple checksum of the KEY RR as described in Appendix C.
 *
 * 4.1.7 Signer's Name Field
 *
 * The "signer's name" field is the domain name of the signer generating
 * the SIG RR. This is the owner name of the public KEY RR that can be
 * used to verify the signature. It is frequently the zone which
 * contained the RRset being authenticated. Which signers should be
 * authorized to sign what is a significant resolver policy question as
 * discussed in Section 6. The signer's name may be compressed with
 * standard DNS name compression when being transmitted over the
 * network.
 *
 * 4.1.8 Signature Field
 *
 * The actual signature portion of the SIG RR binds the other RDATA
 * fields to the RRset of the "type covered" RRs with that owner name
 * and class. This covered RRset is thereby authenticated. To
 * accomplish this, a data sequence is constructed as follows:
 *
 *     data = RDATA | RR(s)...
 *
 * where "|" is concatenation,
 *
 * RDATA is the wire format of all the RDATA fields in the SIG RR itself
 * (including the canonical form of the signer's name) before but not
 * including the signature, and
 *
 * RR(s) is the RRset of the RR(s) of the type covered with the same
 * owner name and class as the SIG RR in canonical form and order as
 * defined in Section 8.
 *
 * How this data sequence is processed into the signature is algorithm
 * dependent. These algorithm dependent formats and procedures are
 * described in separate documents (Section 3.2).
 *
 * SIGs SHOULD NOT be included in a zone for any "meta-type" such as
 * ANY, AXFR, etc. (but see section 5.6.2 with regard to IXFR).
 *
 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
 * @version $Rev: 501160 $, $Date: 2007-01-29 21:41:33 +0200 (Mon, 29 Jan 2007) $
 */
public class SignatureRecordEncoder
{
}
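The SIG RDATA layout of 4.1, the labels check of 4.1.3, the Appendix C key tag of 4.1.6 and the wrap-around-safe time comparison of 4.1.5, as an added Python example that is not this project's encoder. The field values in the code are constructed, and the key tag routine is assumed to be the RFC 2535 Appendix C checksum (the same computation RFC 4034 Appendix B carries), since the comment above only refers to it.

```python
import struct

def encode_name(name):
    """Uncompressed wire form of a domain name, lowercased because the
    signer's name is covered by the signature in canonical form."""
    out = b""
    for label in [l for l in name.lower().rstrip(".").split(".") if l]:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root terminator

def encode_sig_rdata(type_covered, algorithm, labels, original_ttl,
                     expiration, inception, tag, signer, signature):
    """SIG RDATA laid out as in the 4.1 diagram: an 18-octet fixed header,
    the signer's name (never compressed here), then the raw signature."""
    fixed = struct.pack(">HBBIIIH", type_covered, algorithm, labels,
                        original_ttl, expiration, inception, tag)
    return fixed + encode_name(signer) + signature

def key_tag(key_rdata):
    """Key tag for every algorithm but 1 (RSA/MD5): RFC 2535 Appendix C."""
    ac = 0
    for i, octet in enumerate(key_rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def name_for_verification(owner, labels):
    """4.1.3: the owner name the signature was computed over, or None
    when the RR is corrupt (owner name shorter than the labels count)."""
    parts = [l for l in owner.rstrip(".").split(".") if l]
    count = len(parts) - (1 if parts and parts[0] == "*" else 0)
    if labels > count:
        return None  # "bad" in the RFC table
    if labels == count:
        return ".".join(parts) + "." if parts else "."
    # Longer than advertised: wildcard substitution, keep the right-most labels.
    tail = ".".join(parts[len(parts) - labels:])
    return "*." + tail + "." if labels else "*."

def serial_le(a, b):
    """RFC 1982 serial-number a <= b on 32-bit values, so a validity window
    that straddles the 2^32 wrap-around point still compares correctly."""
    return a == b or (a < b and b - a < 2**31) or (a > b and a - b > 2**31)

def sig_is_current(inception, expiration, now):
    return serial_le(inception, now) and serial_le(now, expiration)
```

The last two functions are what make the "expiration numerically less than inception" case of 4.1.5 validate correctly instead of being rejected by a plain integer comparison.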