# Audits one NSEC3PARAM record against the zone's configured denial-of-existence
# policy and reports every discrepancy through log at LOG_ERR.
#
# Only the "zone is NSEC-signed" finding ends the audit of this record early;
# all other findings are logged and checking continues, so one bad record can
# produce several messages. The first record seen is kept in @nsec3param so a
# later one can be reported as a duplicate (the duplicate is still compared
# against the policy values below).
#
# @param l_rr the NSEC3PARAM record; flags, salt, iterations and hash_alg are read
# @param subdomain where the record was found; nil or "" raises no location error
def check_nsec3param(l_rr, subdomain)
  # A policy that selects NSEC leaves no place for NSEC3PARAM in the zone.
  if @config.denial.nsec
    log(LOG_ERR, "NSEC3PARAM RRs included in NSEC-signed zone")
    return
  end

  # The audit expects the flags field to be 0.
  flags_nonzero = l_rr.flags != 0
  log(LOG_ERR, "NSEC3PARAM flags should be 0, but were #{l_rr.flags} for #{@soa.name}") if flags_nonzero

  # Any non-empty subdomain means the record is not at the zone apex.
  off_apex = subdomain && (subdomain != "")
  log(LOG_ERR, "NSEC3PARAM seen at #{subdomain} subdomain : should be at zone apex") if off_apex

  # Remember the first record only; later ones are reported, never stored.
  if @nsec3param
    log(LOG_ERR, "Multiple NSEC3PARAM RRs for #{@soa.name}")
  else
    @nsec3param = l_rr
  end

  # The published hash parameters must equal the configured ones exactly:
  # a mismatch means the zone was not signed with the policy's salt,
  # iteration count or hash algorithm.
  expected = @config.denial.nsec3.hash

  salt_differs = l_rr.salt != expected.salt
  log(LOG_ERR, "NSEC3PARAM has wrong salt : should be #{expected.salt} but was #{(l_rr.salt)}") if salt_differs

  iterations_differ = l_rr.iterations != expected.iterations
  if iterations_differ
    log(LOG_ERR, "NSEC3PARAM has wrong iterations : should be #{expected.iterations} but was #{l_rr.iterations}")
  end

  # Kept as the final expression so the return value matches the comparison
  # outcome exactly as before (nil when the algorithm agrees).
  if l_rr.hash_alg != expected.algorithm
    log(LOG_ERR, "NSEC3PARAM has wrong algorithm : should be #{expected.algorithm} but was #{l_rr.hash_alg.string}")
  end
end