# Audits a signed zone file against its unsigned source and returns an
# exit-status-style value (0 when no problem was recorded).
#
# The scanning itself runs in two forked children (one for the signed file,
# one for the unsigned file).  Each child reports three text lines back to
# the parent over a pipe: its @ret_val, its resource-record count and its
# SOA.  Because the scanners run in children, the parent's own @ret_val
# only reflects the checks performed in the parent; the final result is the
# minimum of all three values.
#
# @param config            zone configuration, handed to set_config
# @param unsigned_file     path of the unsigned (input) zone file
# @param signed_file       path of the signed (output) zone file
# @param enforcer_interval stored in @enforcer_interval and passed to KeyTracker
# @return [Integer] 0 when @ret_val is still the 999 "nothing reported"
#   sentinel, otherwise the lowest @ret_val seen across parent and children.
#   NOTE(review): when a child exits non-zero the method returns the
#   Process::Status object from wait2 rather than an Integer — callers that
#   expect an Integer should be checked (see the pids loop below).
def check_zone(config, unsigned_file, signed_file, enforcer_interval)
  @num_output_lines = 0
  pid = Process.pid
  # Scratch files live in @working and are made unique only by the parent's
  # pid, so their names are predictable.  NOTE(review): if @working can be
  # written by other users, Tempfile/Dir::Tmpname would avoid pre-creation
  # and symlink races — confirm how @working is provisioned.
  # `untaint` is a no-op since Ruby 2.7 and removed in 3.2; this code
  # targets an older Ruby with $SAFE taint checking.
  temp_unsigned_file = (@working + File::SEPARATOR + File.basename(unsigned_file) + ".#{pid}").untaint
  temp_signed_file = (@working + File::SEPARATOR + File.basename(signed_file) + ".#{pid}").untaint
  temp_keys_file = (@working + File::SEPARATOR + File.basename(signed_file) + ".keys.#{pid}").untaint
  temp_unsigned_keys_file = (@working + File::SEPARATOR + File.basename(signed_file) + ".unsigned.keys.#{pid}").untaint
  @nsec_temp_file = (@working + File::SEPARATOR + File.basename(signed_file) + ".nsec.#{pid}").untaint
  domain_file = (@working + File::SEPARATOR + File.basename(signed_file) + ".domains.#{pid}").untaint
  @nsec_buffer = []
  begin
    # 999 is the "no problem reported" sentinel; lower values are worse.
    @ret_val = 999
    set_config(config)
    @keys = []
    @keys_original = []
    @soa = nil
    @enforcer_interval=enforcer_interval
    @keys_used = []
    @domain_list = []
    log(LOG_INFO, "Auditing #{@config.name} zone : #{@config.denial.nsec ? 'NSEC' : 'NSEC3'} SIGNED")
    @key_tracker = KeyTracker.new(@working, @config.name, self, @config, @enforcer_interval, @config.signatures.validity.default)
    @key_cache = @key_tracker.load_tracker_cache
    @scan_options = get_scan_options
    # Dispatch table: RR type name -> per-record check, consumed by
    # SignedZoneScanner in the child below.
    types_to_find = {"DNSKEY" => lambda {|split| do_basic_dnskey_checks(split)},
      "RRSIG" => lambda {|split| do_basic_rrsig_checks(split)}}
    types_to_find["NSEC"]=lambda{|split| do_basic_nsec_checks(split)}
    types_to_find["NSEC3"]=lambda{|split| do_basic_nsec3_checks(split)}
    types_to_find["NSEC3PARAM"]=lambda{|split| do_basic_nsec3param_checks(split)}
    if (@scan_options.num_domains)
      load_domains((signed_file.to_s + "").untaint)
    end
    begin
      pids=[]
      # Child 1: scan the signed file.  Results come back over srd/swr.
      srd, swr = IO.pipe
      new_pid = fork {signed_scanner = SignedZoneScanner.new(self, config, types_to_find)
        begin
          srd.close
          @ret_val = 999
          rr_count, soa = signed_scanner.scan_signed_file(signed_file, domain_file)
          # Keys are handed to the parent through a scratch file, not the pipe.
          store_keys_and_keys_used(temp_keys_file)
          flush_nsec_buffer
          swr.write("#{@ret_val}\n")
          swr.write("#{rr_count}\n")
          swr.write("#{soa}\n")
          swr.close
        # NOTE(review): `rescue Exception` also catches SystemExit and
        # Interrupt in the child; it is re-raised, so nothing is swallowed,
        # but `print e.backtrace` emits the Array's to_s rather than one
        # frame per line — `warn e.backtrace.join("\n")` would be clearer.
        rescue Exception => e
          print e.backtrace
          raise e
        end
      }
      swr.close
      pids.push(new_pid)
      # Child 2: scan the unsigned file.  Results come back over urd/uwr.
      urd, uwr = IO.pipe
      new_pid = fork {
        urd.close
        @ret_val = 999
        unsigned_scanner = UnsignedZoneScanner.new(self, config)
        rr_count, soa = unsigned_scanner.scan_unsigned_file(unsigned_file, temp_unsigned_file)
        unsigned_scanner.store_unsigned_keys(self, temp_unsigned_keys_file)
        uwr.write("#{@ret_val}\n")
        uwr.write("#{rr_count}\n")
        uwr.write("#{soa}\n")
        uwr.close
      }
      uwr.close
      pids.push(new_pid)
      # Collect the three lines from each child.  NOTE(review): if a child
      # dies before writing, readline raises EOFError here and the
      # Process.wait2 loop below is skipped, leaving the children unreaped;
      # the inner `ensure` is empty, so nothing handles that path.
      unsigned_ret_val_string = urd.readline()
      rr_count_string = urd.readline()
      soa_line = urd.readline()
      unsigned_ret_val = unsigned_ret_val_string.split()[0].to_i
      unsigned_soa = RR.create(soa_line)
      unsigned_rr_count = rr_count_string.to_i
      urd.close
      signed_ret_val = srd.readline().split()[0].to_i
      rr_count_string = srd.readline()
      soa_line = srd.readline()
      signed_rr_count = rr_count_string.to_i
      signed_soa = RR.create(soa_line)
      srd.close
      pids.each {|id|
        ret_id, ret_status = Process.wait2(id)
        # ret_status is a Process::Status; `!= 0` compares its integer value.
        if (ret_status != 0)
          @syslog.log(LOG_ERR, "Error auditing files (#{unsigned_file} and #{signed_file}) : ERR #{ret_status}")
          # Returns the Process::Status object, not an Integer; the outer
          # ensure still removes the scratch files.
          return ret_status
        end
      }
    ensure
    end
    compare_soas(unsigned_soa, signed_soa)
    @soa = signed_soa
    # Re-load what the children wrote to the scratch key files.
    load_keys_and_keys_used(temp_keys_file)
    unsigned_keys = load_unsigned_keys(temp_unsigned_keys_file)
    Auditor.check_key_config(@keys_original, unsigned_keys, @key_cache, @config, self)
    # A correctly signed zone should use at least one SEP (KSK-style) key
    # and at least one non-SEP key; report if either is absent.
    found_sep = false
    found_non_sep = false
    @keys.each {|key|
      if (@keys_used.include?key.key_tag)
        if (key.sep_key?)
          found_sep = true
        else
          found_non_sep = true
        end
      end
    }
    if (!found_sep)
      log(LOG_ERR, "No SEP DNSKEY found in use")
    end
    if (!found_non_sep)
      log(LOG_ERR, "No non-SEP DNSKEY found in use")
    end
    if (@scan_options.follow_nsec_loop)
      check_nsec_loop
    end
    if (unsigned_rr_count != signed_rr_count)
      log(LOG_WARNING, "Number of non-DNSSEC resource records differs : #{unsigned_rr_count} in #{unsigned_file}, and #{signed_rr_count} in #{signed_file}")
    end
    update_key_stores
    log(LOG_INFO, "Finished auditing #{@soa.name} zone")
    # Worst (lowest) result across parent and both children wins.
    @ret_val = [@ret_val, unsigned_ret_val, signed_ret_val].min
    if (@ret_val == 999)
      return 0
    else
      return @ret_val
    end
  ensure
    # Always remove the scratch files, including on early return above.
    delete(temp_keys_file)
    delete(temp_unsigned_keys_file)
    delete(temp_signed_file)
    delete(temp_unsigned_file)
    delete(@nsec_temp_file)
    delete(domain_file)
  end
end