parent 64e3bc885a2cb8b46a1aaa4bf4f121ee7f5d44a6

author Karl Erik Õunapuu <karlerik@kreative.ee> 1591359032 +0300 committer Alex Sherman <yul.golem@gmail.com> 1617029320 +0500 CsyncJob: Don't respect IPv6 if nessecary
2025-08-04 00:42:04 +02:00 · 2020-06-05 15:10:32 +03:00 · 2020-06-05 15:10:32 +03:00 · 88e1bc3727
commit 88e1bc3727
parent e46fdd57af
33 changed files with 1475 additions and 119 deletions
--- a/app/models/concerns/csync_record/diggable.rb
+++ b/app/models/concerns/csync_record/diggable.rb
@ -0,0 +1,45 @@
+module CsyncRecord::Diggable
+  extend ActiveSupport::Concern
+
+  def valid_security_level?(post: false)
+    res = post ? valid_post_action? : valid_pre_action?
+
+    log_dnssec_entry(valid: res, post: post)
+    res
+  rescue Dnsruby::NXDomain
+    log.info("CsyncRecord: #{domain.name}: Could not resolve (NXDomain)")
+    false
+  end
+
+  def valid_pre_action?
+    case domain.dnssec_security_level
+    when Dnsruby::Message::SecurityLevel.SECURE
+      return true if %w[rollover deactivate].include?(action)
+    when Dnsruby::Message::SecurityLevel.INSECURE, Dnsruby::Message::SecurityLevel.BOGUS
+      return true if action == 'initialized'
+    end
+
+    false
+  end
+
+  def valid_post_action?
+    secure_msg = Dnsruby::Message::SecurityLevel.SECURE
+    security_level = domain.dnssec_security_level(stubber: dnskey)
+    return true if action == 'deactivate' && security_level != secure_msg
+    return true if %w[rollover initialized].include?(action) && security_level == secure_msg
+
+    false
+  end
+
+  def dnssec_validates?
+    return false unless dnskey.valid?
+    return true if valid_security_level? && valid_security_level?(post: true)
+
+    false
+  end
+
+  def log_dnssec_entry(valid:, post:)
+    log.info("#{domain.name}: #{post ? 'Post' : 'Pre'} DNSSEC validation " \
+             "#{valid ? 'PASSED' : 'FAILED'} for action '#{action}'")
+  end
+end