Source code for dns_sprockets_lib.validators.nsec_missing

'''
nsec_missing - RRSet test: NsecMissing

.. Copyright (c) 2015 Neustar, Inc. All rights reserved.
.. See COPYRIGHT.txt for full notice.  See LICENSE.txt for terms and conditions.
'''


import dns.rdatatype

import dns_sprockets_lib.dnssec_nsecx as nsecx
import dns_sprockets_lib.validators as validators


[docs]class NsecMissing(validators.RRSetTest): # pylint: disable=too-few-public-methods ''' Checks that all (non-NSEC/RRSIG, non-delegated) RRSets are covered with an NSEC. ''' TEST_DNSSECTYPE = 'NSEC'
[docs] def run(self, context, suggested_tested, name, rdataset): tested = None result = None # Only run test for non-NSEC/RRSIG, non-delegated RRSets: if (rdataset.rdtype != dns.rdatatype.NSEC and rdataset.rdtype != dns.rdatatype.RRSIG and not context.is_delegated(name)): tested = suggested_tested # Make sure there's an NSEC for the rdataset name: nsec_rdataset = context.zone_obj.get_rdataset(name, 'NSEC') if not nsec_rdataset: result = 'No NSEC\'s found for name: %s' % (name) if not result: # Look in found nsec_rdataset for an NSEC that covers the # rdataset type: got_one = False for nsec in nsec_rdataset.items: if nsecx.covers(nsec, rdataset.rdtype): got_one = True break if not got_one: result = 'No NSEC that covers type=%s for name: %s' % ( dns.rdatatype.to_text(rdataset.rdtype), name) return (tested, result) # end of file