Source code for dns_sprockets_lib.validators.nsec_orphan
'''
nsec_orphan - Record test: NsecOrphan
.. Copyright (c) 2015 Neustar, Inc. All rights reserved.
.. See COPYRIGHT.txt for full notice. See LICENSE.txt for terms and conditions.
'''
import dns.rdatatype
import dns_sprockets_lib.dnssec_nsecx as nsecx
import dns_sprockets_lib.validators as validators
class NsecOrphan(validators.RecTest):
    # pylint: disable=too-few-public-methods
    '''
    Checks for orphan or invalid-covers NSECs.

    For each NSEC record, the types listed by the NSEC (as returned by
    nsecx.get_covered_types) are compared with the rdataset types found at the
    NSEC's owner name in the zone.  The two lists are expected to match: the
    NSEC type list is the signed statement validators rely on for
    authenticated denial of existence, so a type that exists but is not listed
    can be validly "denied", and a listed type with no RRSet misstates the
    zone contents.

    NOTE(review): every rdataset at the node is counted, with no distinction
    between authoritative and non-authoritative data.  RFC 4034 section 4.1.2
    requires the bits for non-authoritative RRsets at a delegation point
    (e.g. glue at the delegation owner name) to be clear, so a correct NSEC
    there may be reported as "Doesn't cover types" -- confirm how zone_obj is
    populated before treating such a finding as a zone defect.
    '''
    TEST_DNSSECTYPE = 'NSEC'
    TEST_RRTYPE = 'NSEC'

    def run(self, context, suggested_tested, name, ttl, rdata):
        # pylint: disable=too-many-arguments
        '''
        Compares the NSEC's type list with the types present at its owner.

        :param context: Test context; only context.zone_obj.get_node() is used.
        :param suggested_tested: Passed through unchanged as the first element
            of the returned tuple.
        :param name: Owner name of the NSEC, used to look up the zone node.
        :param ttl: Not used by this test.
        :param rdata: The NSEC rdata, handed to nsecx.get_covered_types().
        :return: A (suggested_tested, result) tuple, where result is None when
            both type lists agree, otherwise a message naming the types that
            are present but not listed and/or listed but not present.
        '''
        def as_text(rdtypes):
            '''Renders rdata type codes as space-separated mnemonics.'''
            return ' '.join([dns.rdatatype.to_text(t) for t in rdtypes])

        # Types the NSEC claims exist, then the types actually at the node.
        # A missing (or falsy) node is treated as having no rdatasets at all.
        listed = nsecx.get_covered_types(rdata)
        node = context.zone_obj.get_node(name)
        rdatasets = node.rdatasets if node else None
        # NOTE(review): one entry per rdataset, so a type held by several
        # rdatasets at the node would repeat here and in the message --
        # presumably the case for RRSIGs with different covers; verify.
        present = [rds.rdtype for rds in (rdatasets or [])]

        problems = []

        # Types that exist at the owner name but are absent from the NSEC:
        missing = [t for t in present if t not in listed]
        if missing:
            problems.append("Doesn't cover types: %s" % as_text(missing))

        # Types the NSEC lists that have no RRSet at the owner name:
        surplus = [t for t in listed if t not in present]
        if surplus:
            problems.append(
                'Covers non-existent RRSet types: %s' % as_text(surplus))

        result = ' and '.join(problems) if problems else None
        return (suggested_tested, result)
# end of file