def load_signed_subdomain(file, last_rr, unsigned_domain_rrs = nil)
return if !last_rr
subdomain = get_subdomain_to_load(last_rr)
seen_dnskey_sep_set = false
seen_dnskey_sep_clear = false
l_rr = last_rr
old_rr = last_rr
types_covered = [l_rr.type]
current_domain = l_rr.name
seen_nsec_for_domain = false
current_rrset = RRSet.new
is_glue = false
delegation = false
while (l_rr && test_subdomain(l_rr, subdomain))
if (l_rr.name != current_domain)
if (@config.denial.nsec3)
write_types_to_file(current_domain, types_covered, last_rr.name, is_glue)
end
delegation = false
if !(test_subdomain(current_domain, subdomain))
is_glue = false
else
is_glue = true
end
seen_nsec_for_domain = false
types_covered = []
types_covered.push(l_rr.type)
current_domain = l_rr.name
last_rr = old_rr
if last_rr.type == Types::NS
delegation = true
end
else
if l_rr.type == Types::NS
delegation = true
end
end
if !([Types::A, Types::AAAA, Types::RRSIG].include?l_rr.type)
is_glue = false
end
if (current_rrset.add(l_rr, false))
if (l_rr.type == Types::RRSIG)
if !(types_covered.include?Types::RRSIG)
types_covered.push(Types.RRSIG)
end
else
if (!types_covered.include?l_rr.type)
types_covered.push(l_rr.type)
end
end
else
check_signature(current_rrset, is_glue, delegation)
current_rrset = RRSet.new
current_rrset.add(l_rr, false)
types_covered.push(l_rr.type)
end
if (l_rr.type == Types::DNSKEY)
if (l_rr.sep_key?)
seen_dnskey_sep_set = true
else
seen_dnskey_sep_clear = true
end
@keys.push(l_rr)
@keys_to_check.push(l_rr.clone)
@algs.push(l_rr.algorithm) if !@algs.include?l_rr.algorithm
elsif (l_rr.type == Types::NSEC)
if (!@first_nsec)
@first_nsec = l_rr
end
seen_nsec_for_domain = true
check_nsec(l_rr, types_covered)
elsif (l_rr.type == Types::NSEC3PARAM)
check_nsec3param(l_rr, subdomain)
elsif (l_rr.type == Types::NSEC3)
if (!@first_nsec)
@first_nsec = l_rr
end
check_nsec3(l_rr)
end
if (unsigned_domain_rrs && !(unsigned_domain_rrs.delete(l_rr)))
process_additional_signed_rr(l_rr)
if (l_rr.type == Types::SOA)
unsigned_domain_rrs.each {|u_rr|
unsigned_domain_rrs.delete(u_rr) if u_rr.type == Types::SOA
}
end
end
old_rr = l_rr
l_rr = get_next_rr(file)
end
if (@config.denial.nsec3)
write_types_to_file(current_domain, types_covered, last_rr.name, is_glue)
end
check_signature(current_rrset, is_glue, delegation)
if (@config.denial.nsec)
if (!is_glue)
if (!seen_nsec_for_domain)
if (@unknown_nsecs[current_rrset.name.to_s+"."])
else
log(LOG_ERR, "No #{nsec_string()} record for #{current_domain}")
end
end
else
if (current_rrset.length == 0)
if (seen_nsec_for_domain)
log(LOG_ERR, "#{nsec_string()} record seen for #{current_domain}, which is glue")
end
end
end
end
if (unsigned_domain_rrs && unsigned_domain_rrs.length > 0)
unsigned_domain_rrs.each { |unsigned_rr|
process_additional_unsigned_rr(unsigned_rr)
}
end
if (!subdomain || subdomain == "")
check_dnskeys_at_zone_apex(seen_dnskey_sep_set, seen_dnskey_sep_clear)
end
return l_rr
end