Class DnssecClient

    • Constructor Detail

      • DnssecClient

        public DnssecClient()
        Create a new DNSSEC aware DNS client using the global default cache.
      • DnssecClient

        public DnssecClient​(DnsCache cache)
        Create a new DNSSEC aware DNS client with the given DNS cache.
        Parameters:
        cache - The backend DNS cache.
    • Method Detail

      • isResponseAcceptable

        protected String isResponseAcceptable​(DnsMessage response)
        Description copied from class: ReliableDnsClient
        Check if the response from the system's nameserver is acceptable. Must return null if the response is acceptable, or a String describing why it is not acceptable. If the response is not acceptable then ReliableDnsClient will fall back to resolve the query iteratively.
        Overrides:
        isResponseAcceptable in class ReliableDnsClient
        Parameters:
        response - the response we got from the system's nameserver.
        Returns:
        null if the response is acceptable, or a String if not.
      • addSecureEntryPoint

        public void addSecureEntryPoint​(DnsName name,
                                        byte[] key)
        Add a new secure entry point to the list of known secure entry points. A secure entry point acts as a trust anchor. By default, the only secure entry point is the key signing key provided by the root zone.
        Parameters:
        name - The domain name originating the key. Once the secure entry point for this domain is requested, the resolver will use this key without further verification instead of using the DNS system to verify the key.
        key - The secure entry point corresponding to the domain name. This key can be retrieved by requesting the DNSKEY record for the domain and using the key with first flags bit set (also called key signing key)
      • removeSecureEntryPoint

        public void removeSecureEntryPoint​(DnsName name)
        Remove the secure entry point stored for a domain name.
        Parameters:
        name - The domain name of which the corresponding secure entry point shall be removed. For the root zone, use the empty string here.
      • clearSecureEntryPoints

        public void clearSecureEntryPoints()
        Clears the list of known secure entry points. This will also remove the secure entry point of the root zone and thus render this instance useless until a new secure entry point is added.
      • isStripSignatureRecords

        public boolean isStripSignatureRecords()
        Whether signature records (RRSIG) are stripped from the resulting DnsMessage. Default is true.
        Returns:
        Whether signature records are stripped.
      • setStripSignatureRecords

        public void setStripSignatureRecords​(boolean stripSignatureRecords)
        Enable or disable stripping of signature records (RRSIG) from the result DnsMessage.
        Parameters:
        stripSignatureRecords - Whether signature records shall be stripped.
      • enableLookasideValidation

        public void enableLookasideValidation()
        Enables DNSSEC Lookaside Validation (DLV) using the default DLV service at dlv.isc.org.
      • configureLookasideValidation

        public void configureLookasideValidation​(DnsName dlv)
        Enables DNSSEC Lookaside Validation (DLV) using the given DLV service.
        Parameters:
        dlv - The domain name of the DLV service to be used or null to disable DLV.