dns_sprockets_lib.validators package

Subpackages

Submodules

dns_sprockets_lib.validators.dnskey_bits module

dnskey_bits - Record test: DnskeyBits

class DnskeyBits(args)[source]

Bases: dns_sprockets_lib.validators.RecTest

Checks DNSKEY flags and protocol.

TEST_DNSSECTYPE = True
TEST_RRTYPE = 'DNSKEY'
run(context, suggested_tested, name, ttl, rdata)[source]

dns_sprockets_lib.validators.dnskey_origin module

dnskey_origin - Zone test: DnskeyOrigin

class DnskeyOrigin(args)[source]

Bases: dns_sprockets_lib.validators.ZoneTest

Checks for a ZSK at zone origin.

TEST_DNSSECTYPE = True
run(context, suggested_tested)[source]

dns_sprockets_lib.validators.dnssectype_ambiguous module

dnssectype_ambiguous - Zone test: DnssectypeAmbiguous

class DnssectypeAmbiguous(args)[source]

Bases: dns_sprockets_lib.validators.ZoneTest

Checks for existence of both NSEC and NSEC3 in the zone.

run(context, suggested_tested)[source]

dns_sprockets_lib.validators.ns_origin module

ns_origin - Zone test: NsOrigin

class NsOrigin(args)[source]

Bases: dns_sprockets_lib.validators.ZoneTest

Checks for at least one NS at zone origin.

run(context, suggested_tested)[source]

dns_sprockets_lib.validators.nsec3_chain module

nsec3_chain - Zone test: Nsec3Chain

class Nsec3Chain(args)[source]

Bases: dns_sprockets_lib.validators.ZoneTest

Checks for valid NSEC3 chain.

TEST_DNSSECTYPE = 'NSEC3'
run(context, suggested_tested)[source]

dns_sprockets_lib.validators.nsec3_missing module

nsec3_missing - RRSet test: Nsec3Missing

class Nsec3Missing(args)[source]

Bases: dns_sprockets_lib.validators.RRSetTest

Checks that all (non-NSEC3/RRSIG, non-delegated) RRSets are covered with an NSEC3.

TEST_DNSSECTYPE = 'NSEC3'
run(context, suggested_tested, name, rdataset)[source]

dns_sprockets_lib.validators.nsec3_orphan module

nsec3_orphan - Record test: Nsec3Orphan

class Nsec3Orphan(args)[source]

Bases: dns_sprockets_lib.validators.RecTest

Checks for orphan or invalid-covers NSEC3s.

TEST_DNSSECTYPE = 'NSEC3'
TEST_RRTYPE = 'NSEC3'
run(context, suggested_tested, name, ttl, rdata)[source]

dns_sprockets_lib.validators.nsec3param_origin module

nsec3param_origin - Zone test: Nsec3paramOrigin

class Nsec3paramOrigin(args)[source]

Bases: dns_sprockets_lib.validators.ZoneTest

Checks for an NSEC3PARAM at zone origin for nsec3-type zones.

TEST_DNSSECTYPE = 'NSEC3'
run(context, suggested_tested)[source]

dns_sprockets_lib.validators.nsec_chain module

nsec_chain - Zone test: NsecChain

class NsecChain(args)[source]

Bases: dns_sprockets_lib.validators.ZoneTest

Checks for valid NSEC chain.

TEST_DNSSECTYPE = 'NSEC'
run(context, suggested_tested)[source]

dns_sprockets_lib.validators.nsec_missing module

nsec_missing - RRSet test: NsecMissing

class NsecMissing(args)[source]

Bases: dns_sprockets_lib.validators.RRSetTest

Checks that all (non-NSEC/RRSIG, non-delegated) RRSets are covered with an NSEC.

TEST_DNSSECTYPE = 'NSEC'
run(context, suggested_tested, name, rdataset)[source]

dns_sprockets_lib.validators.nsec_orphan module

nsec_orphan - Record test: NsecOrphan

class NsecOrphan(args)[source]

Bases: dns_sprockets_lib.validators.RecTest

Checks for orphan or invalid-covers NSECs.

TEST_DNSSECTYPE = 'NSEC'
TEST_RRTYPE = 'NSEC'
run(context, suggested_tested, name, ttl, rdata)[source]

dns_sprockets_lib.validators.nsecx_ttls_match module

nsecx_ttls_match - Record test: NsecxTtlsMatch

class NsecxTtlsMatch(args)[source]

Bases: dns_sprockets_lib.validators.RecTest

Checks that NSECx TTL’s match SOA’s minimum.

TEST_DNSSECTYPE = True
TEST_RRTYPE = 'NSEC,NSEC3'
run(context, suggested_tested, name, ttl, rdata)[source]

dns_sprockets_lib.validators.rrsig_covers module

rrsig_covers - Record test: RrsigCovers

class RrsigCovers(args)[source]

Bases: dns_sprockets_lib.validators.RecTest

Checks RRSIG’s don’t cover RRSIG’s.

TEST_DNSSECTYPE = True
TEST_RRTYPE = 'RRSIG'
run(context, suggested_tested, name, ttl, rdata)[source]

dns_sprockets_lib.validators.rrsig_missing module

rrsig_missing - RRSet test: RrsigMissing

class RrsigMissing(args)[source]

Bases: dns_sprockets_lib.validators.RRSetTest

Checks that all (non-RRSIG, non-delegated) RRSets are covered with an RRSIG.

TEST_DNSSECTYPE = True
TEST_OPTARGS = {'now': (None, 'Time to use for validating RRSIG time windows, e.g. 20150101123000')}
__init__(args)[source]
run(context, suggested_tested, name, rdataset)[source]

dns_sprockets_lib.validators.rrsig_orphan module

rrsig_orphan - Record test: RrsigOrphan

class RrsigOrphan(args)[source]

Bases: dns_sprockets_lib.validators.RecTest

Checks for orphan RRSIGs.

TEST_DNSSECTYPE = True
TEST_OPTARGS = {'now': (None, 'Time to use for validating RRSIG time windows, e.g. 20150101123000')}
TEST_RRTYPE = 'RRSIG'
__init__(args)[source]
run(context, suggested_tested, name, ttl, rdata)[source]

dns_sprockets_lib.validators.rrsig_signer_match module

rrsig_signer_match - Record test: RrsigSignerMatch

class RrsigSignerMatch(args)[source]

Bases: dns_sprockets_lib.validators.RecTest

Checks RRSIG signers match the zone.

TEST_DNSSECTYPE = True
TEST_RRTYPE = 'RRSIG'
run(context, suggested_tested, name, ttl, rdata)[source]

dns_sprockets_lib.validators.rrsig_time module

rrsig_time - Record test: RrsigTime

class RrsigTime(args)[source]

Bases: dns_sprockets_lib.validators.RecTest

Checks RRSIG’s inception <= expiration.

TEST_DNSSECTYPE = True
TEST_RRTYPE = 'RRSIG'
run(context, suggested_tested, name, ttl, rdata)[source]

dns_sprockets_lib.validators.rrsig_ttls_match module

rrsig_ttls_match - Record test: RrsigTtlsMatch

class RrsigTtlsMatch(args)[source]

Bases: dns_sprockets_lib.validators.RecTest

Checks RRSIG TTL’s match original and covered TTL’s.

TEST_DNSSECTYPE = True
TEST_RRTYPE = 'RRSIG'
run(context, suggested_tested, name, ttl, rdata)[source]

dns_sprockets_lib.validators.soa_origin module

soa_origin - Zone test: SoaOrigin

class SoaOrigin(args)[source]

Bases: dns_sprockets_lib.validators.ZoneTest

Checks for an SOA at zone origin.

run(context, suggested_tested)[source]

dns_sprockets_lib.validators.soa_unique module

soa_unique - Zone test: SoaUnique

class SoaUnique(args)[source]

Bases: dns_sprockets_lib.validators.ZoneTest

Checks for a single SOA in the zone.

run(context, suggested_tested)[source]

Module contents

__init__.py - Validators library for dns_sprockets zone validator.

class Context(args, zone_obj)[source]

Bases: object

A testing context containing the zone name, zone_obj, etc.

__init__(args, zone_obj)[source]

Ctor.

Parameters:
  • args (obj) – The application arguments.
  • zone_obj (obj) – The dns.zone.Zone instance.
is_delegated(name)[source]
Returns:True if name is delegated w.r.t. the context.
class NodeTest(args)[source]

Bases: dns_sprockets_lib.validators._Validator

[Base class for node-type validators. Derived classes may be restricted to specific RRType’s by specifying a TEST_RRTYPE]

TEST_TYPE = 1
run(context, suggested_tested, name, node)[source]

Runs the node-type validator. If a TEST_RRTYPE specified, the node presented to the validator will be filtered accordingly.

Parameters:
  • context (obj) – The testing context.
  • suggested_tested (str) – A suggested tested value.
  • name (str) – The name being tested.
  • node (obj) – The dns.Node corresponding to the name.
Returns:

A tuple (tested, result)

class RRSetTest(args)[source]

Bases: dns_sprockets_lib.validators._Validator

[Base class for rrset-type validators. Derived classes may be restricted to specific RRType’s by specifying a TEST_RRTYPE]

TEST_TYPE = 2
run(context, suggested_tested, name, rdataset)[source]

Runs the name-type validator. If a TEST_RRTYPE is specified, the RRSet presented to the validator will be filtered accordingly.

Parameters:
  • context (obj) – The testing context.
  • suggested_tested (str) – A suggested tested value.
  • name (str) – The name being tested.
  • rdataset (obj) – The dns.rdataset corresponding to the name.
Returns:

A tuple (tested, result)

class RecTest(args)[source]

Bases: dns_sprockets_lib.validators._Validator

[Base class for record-type validators. Derived classes may be restricted to specific RRType’s by specifying a TEST_RRTYPE]

TEST_TYPE = 3
run(context, suggested_tested, name, ttl, rdata)[source]

Runs the record-type validator. If a TEST_RRTYPE is specified, the validator will only see those types of records.

Parameters:
  • context (obj) – The testing context.
  • suggested_tested (str) – A suggested tested value.
  • name (str) – The name of the record being tested.
  • ttl (int) – The TTL of the record being tested.
  • rdata (obj) – The dns.rdata.Rdata object being tested.
Returns:

A tuple (tested, result)

class ZoneTest(args)[source]

Bases: dns_sprockets_lib.validators._Validator

[Base class for zone-type validators]

TEST_TYPE = 0
run(suggested_tested, context)[source]

Runs the zone-type validator.

Parameters:
  • suggested_tested (str) – A suggested tested value.
  • context (obj) – The testing context.
Returns:

A tuple (tested, result)

dnssec_filter_tests_by_context(tests, context)[source]

Removes any tests from the tests list that do not apply to the context.

Parameters:
  • tests (list) – List of tests to filter.
  • context (obj) – The context being used.
filter_node(node, test_rrtype)[source]

Returns a node that has rdatasets that match the test RR types. If the test_rrtype is specified, a new, temporary node for use by the validator will be generated, which only has those rdatasets mentioned.

Parameters:
  • node (obj) – The node to inspect.
  • test_rrtype (str) – The string description of RR type(s) that the test covers.
Returns:

The node for the validator to examine.

Return type:

obj

make_suggested_tested(test, context, **kwargs)[source]

Generates a description for the test being run. A test description is printed for each test instance being run against zone, node, rrset, or record, and this is the suggested description. Usually, specific test instances will use this value for ‘tested’ return variable, but are free to ignore this description in favor of their own if desired.

Parameters:
  • test (obj) – The test being run.
  • context (obj) – The testing context.
  • kwargs (dict) – Optional, test-type-specific parameters.
Returns:

A string describing the test instance being run.

rec_to_abbrev_text(name, ttl, klass, rdata)[source]

Translates a record to abbreviated text. For most records, this is the same as the to_text(); for others (such as RRSIG), it is truncated to attempt to fit on a single terminal line.

Parameters:
  • name (str) – The owner name of the record.
  • ttl (int) – The TTL for the record.
  • klass (int/str) – The class of the record.
  • rdata (obj) – The rdata of the record.
Returns:

Text description of the record.

test_covers_type(test, rdtype)[source]

Checks to see if a test covers a RR type.

Parameters:
  • test (obj) – The test to examine.
  • rdtype (int) – The dns.rdatatype for the rdataset/record under consideration.
Returns:

True if the test covers the type; False if not.

test_type_to_str(test_type, test_rrtype=None)[source]

Convert a test_type and test_rrtype to a string for output purposes.

Parameters:
  • test_type (int) – The TEST_TYPE attribute from the test.
  • test_rrtype (str) – The string describing record type(s) covered by the test.
Returns:

Description string for test.