fNdZddlZddlZddlZddlZddlZddlZddlmZddlm Z m Z m Z m Z m Z mZmZmZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlmZmZm Z ddlm!Z!m"Z"m#Z#m$Z$ddl%m&Z&ddl'm(Z(dd l)m*Z*dd l+m,Z,dd l-m.Z.m/Z/dd l0m1Z1dd l2m3Z3m4Z4ddl5m6Z6edZ7edZ8e ejrjtejvjxgdfZ=de>defdZ?deee@fde>fdZAdeee>eBe@fde@fdZCdee*e&fde@fdZDGddZEGddeEZFeFejejejejhejejejhejejejhejhZNeFeOeOeOeOZPeNZQ d`deejje>fdejjdeee>fd e ejjd!e eEd"eVde,fd#ZW dadeejje>fdejjdeee>fd e ejjde(f d$ZXd%e ejjeejjejjffd&e3de e e*fd'Z]d(eejvjxeejjejjffdeejjejjffd)Z^d*e_d+e_de*ddfd,Z` dbd(eejvjxeejjejjffd&e3d%e ejjeejjejjffd e ejjd-e eBd!e eEddfd.Za dbd(eejvjxeejjejjffd/eejvjxeejjejjffd%e ejjeejjejjffd e ejjd-e eBd!e eEddfd0Zb dcd(eejvjxeejjejjffd1e8d2ejjd3e*d4e eee>e@eBfd5e eee>e@eBfd6e e@d7eVd!e eEd e ejjde3fd8Zc dad(eejvjxeejjejjffd&e3d e ejjde_fd9Zde6jd:fd;e7dee@e>fdZfe6jd:fd;e7dee@e>fdfdAe ee>e_fdBe@dee@e>fde>f dCZh dad(eejvjxeejjejjffdDe eee>fd e ejjdejjfdEZidFejjdejjfdGZj dadeejje>fdFejjdeee>fd e ejjdejjf dHZkdFejjdejjfdIZl dddJejrjtd(ejvjxd2ejjdKe ee8e*fdLe ee8e*fd4e eee>e@eBfd5e eee>e@eBfd6e e@d!e eEd e ejjddfdMZm dedOejjdJe ejrjtd%e e ee8e*fdPeVdQe e@d4e eee>e@eBfd5e eee>e@eBfd6e e@dRe e1dSe e=d!e eEddfdTZp dadOejjdJejrjtdSe e=ddfdUZqdVZrejjdWrAddXlumvZvddYlwmxZxddZlwmyZydd[lwmzZzdd\lwm{Z{dd]lwm|Z|dd^l}m~Z~mZdd_lmZmZebZeaZecZefZegZdNZn erZerZerZerZerZdZejZGejZejZHejZejZejZIejZejZejZejZJejZej Zej"Zej$Zej&Zej(Zej*Zy)fz.Common DNSSEC-related functions and constants.N)datetime)CallableDictListOptionalSetTupleUnioncast) AlgorithmDSDigest NSEC3Hash)AlgorithmKeyMismatchDeniedByPolicyUnsupportedAlgorithmValidationFailure)CDNSKEY)CDS)DNSKEY)DS)NSECBitmap) NSEC3PARAM)RRSIGsigtime_to_posixtime)Flag)GenericPublicKeyzrsa.RSAPublicKeyzec.EllipticCurvePublicKeyzed25519.Ed25519PublicKeyzed448.Ed448PublicKey)GenericPrivateKeyzrsa.RSAPrivateKeyzec.EllipticCurvePrivateKeyzed25519.Ed25519PrivateKeyzed448.Ed448PrivateKeytextreturnc,tj|S)zConvert text into a DNSSEC algorithm value. *text*, a ``str``, the text to convert to into an algorithm value. Returns an ``int``. )r from_text)rs S/var/lib/jenkins/workspace/mettalog/venv/lib/python3.12/site-packages/dns/dnssec.pyalgorithm_from_textr$Ls   t $$valuec,tj|S)zConvert a DNSSEC algorithm value to text *value*, a ``dns.dnssec.Algorithm``. Returns a ``str``, the name of a DNSSEC algorithm. )r to_textr&s r#algorithm_to_textr*Ws   U ##r%ct|trt|jSt|tr t |St|t r t|St|tr|Std)z%Convert various format to a timestampzUnsupported timestamp type) isinstancerint timestampstrrfloat TypeErrorr)s r# to_timestampr2bsb%"5??$%% E3 #E** E5 !5z E3  455r%keycX|j}|jtjk(r|ddz|dzSd}t t |dzD]}||d|zdz|d|zdzzz }t |dzdk7r||t |dz dzz }||dz dzz }|dzS) zReturn the key id (a 16-bit number) for the specified key. *key*, a ``dns.rdtypes.ANY.DNSKEY.DNSKEY`` Returns an ``int`` between 0 and 65535 ri)to_wire algorithmr RSAMD5rangelen)r3rdatatotalis r#key_idrCps KKME }} (((b Q%)++s5zQ'A eAEla'5Q+;; ;E( u:>Q  U3u:>*a/ /E %2+''v~r%cReZdZdZdedefdZdedefdZdedefdZ dedefdZ y) PolicycyN)selfs r#__init__zPolicy.__init__s r%_r cyNFrHrIrKs r# ok_to_signzPolicy.ok_to_signr%cyrMrHrNs r#ok_to_validatezPolicy.ok_to_validaterPr%cyrMrHrNs r#ok_to_create_dszPolicy.ok_to_create_dsrPr%cyrMrHrNs r#ok_to_validate_dszPolicy.ok_to_validate_dsrPr%N) __name__ __module__ __qualname__rJrboolrOrRr rTrVrHr%r#rErEsS Ft4d8r%rEc^eZdZfdZdedefdZdedefdZdedefdZ dedefdZ xZ S) SimpleDenycZt|||_||_||_||_yrG)superrJ _deny_sign_deny_validate_deny_create_ds_deny_validate_ds)rI deny_sign deny_validatedeny_create_dsdeny_validate_ds __class__s r#rJzSimpleDeny.__init__s- #+-!1r%r3r c2|j|jvSrG)r<r_rIr3s r#rOzSimpleDeny.ok_to_signs}}DOO33r%c2|j|jvSrG)r<r`ris r#rRzSimpleDeny.ok_to_validates}}D$7$777r%r<c||jvSrG)rarIr<s r#rTzSimpleDeny.ok_to_create_dss 4 444r%c||jvSrG)rbrls r#rVzSimpleDeny.ok_to_validate_dss 6 666r%) rWrXrYrJrrZrOrRr rTrV __classcell__)rgs@r#r\r\sT24f448&8T855d57877r%r\Fnamer<originpolicy validatingc |t} t|trt|j }|r |j}n |j}||stt|ttfs td|tjk(rtj}n^|tj k(rtj"}n6|tj$k(rtj&}nt d|zt|tr t(j*j-||}|j/j1}|J|j3||j3|j1||j5} t7j8dt;||j<|| z} t(j>jAt(jBjDt(jFjH| dtK| } tMtH| S#t $rt d|zwxYw)aCreate a DS record for a DNSSEC key. *name*, a ``dns.name.Name`` or ``str``, the owner name of the DS record. *key*, a ``dns.rdtypes.ANY.DNSKEY.DNSKEY`` or ``dns.rdtypes.ANY.DNSKEY.CDNSKEY``, the key the DS is about. *algorithm*, a ``str`` or ``int`` specifying the hash algorithm. The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case does not matter for these strings. *origin*, a ``dns.name.Name`` or ``None``. If *key* is a relative name, then it will be made absolute using the specified origin. *policy*, a ``dns.dnssec.Policy`` or ``None``. If ``None``, the default policy, ``dns.dnssec.default_policy`` is used; this policy defaults to that of RFC 8624. *validating*, a ``bool``. If ``True``, then policy is checked in validating mode, i.e. "Is it ok to validate using this digest algorithm?". Otherwise the policy is checked in creating mode, i.e. "Is it ok to create a DS with this digest algorithm?". Raises ``UnsupportedAlgorithm`` if the algorithm is unknown. Raises ``DeniedByPolicy`` if the algorithm is denied by policy. Returns a ``dns.rdtypes.ANY.DS.DS`` unsupported algorithm "%s"zkey is not a DNSKEY/CDNSKEYrpz!HBBr)'default_policyr,r/r upper ExceptionrrVrTrrr ValueErrorSHA1hashlibsha1SHA256sha256SHA384sha384dnsror" canonicalizer;updatedigeststructpackrCr<r@ from_wire rdataclassIN rdatatyperr?r ) ror3r<rprqrrcheckdshashwirerdsrdatadss r#make_dsrsJ~M i % !23I((&&   cFG, -677HMM! hoo %! hoo %!"#?)#KLL$xx!!$/     & & (D    MM$ MM#++V+,- ]]_Fkk&&+s}}iH6QG    3==++WaW B B<? M"#?)#KLLMs 'H//Ict||||}t|jtjj|j |j |j|jS)aCreate a CDS record for a DNSSEC key. *name*, a ``dns.name.Name`` or ``str``, the owner name of the DS record. *key*, a ``dns.rdtypes.ANY.DNSKEY.DNSKEY`` or ``dns.rdtypes.ANY.DNSKEY.CDNSKEY``, the key the DS is about. *algorithm*, a ``str`` or ``int`` specifying the hash algorithm. The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case does not matter for these strings. *origin*, a ``dns.name.Name`` or ``None``. If *key* is a relative name, then it will be made absolute using the specified origin. Raises ``UnsupportedAlgorithm`` if the algorithm is unknown. Returns a ``dns.rdtypes.ANY.DS.CDS`` rdclassrdtypekey_tagr< digest_typer) rrrrrrr<rr)ror3r<rprs r#make_cdsrsQ2 sIv .B  }}   ,,NNyy  r%keysrrsigc2|j|j}t|tjj rC|j tjjtjj}n|}|y|Dcgc]}|j|jk(ret||jk(rM|jtj ztj k(r|j"dk(rt%t|c}Scc}w)N)getsignerr,rnodeNode get_rdatasetrrrrr<rCrflagsrZONEprotocolr )rrr&rdatasetrds r#_find_candidate_keysr(s HHU\\ "E%'%%cnn&7&79M9MN   <<5?? * 2J%-- ' XX !dii / KK1  VR  s BDrrsetcRt|tr |d|dfS|j|fS)Nrr9)r,tuplero)rs r#_get_rrname_rdatasetr<s0%Qxq!!zz5  r%sigdatact|j} |j|}|j ||y#t$r t dwxYw)Nzinvalid public key)get_algorithm_cls_from_dnskey public_cls from_dnskeyryrverify)rrr3r public_keys r#_validate_signaturerEsV.s3>>J6++C0 c4  6 4556s ;Anowc|t}t||}| td|tj}|j|kr td|j |kDr tdt |||}|D]-}|j|s t|j||ytd#ttf$rYLwxYw)aValidate an RRset against a single signature rdata, throwing an exception if validation is not successful. *rrset*, the RRset to validate. This can be a ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``) tuple. *rrsig*, a ``dns.rdata.Rdata``, the signature to validate. *keys*, the key dictionary, used to find the DNSKEY associated with a given name. The dictionary is keyed by a ``dns.name.Name``, and has ``dns.node.Node`` or ``dns.rdataset.Rdataset`` values. *origin*, a ``dns.name.Name`` or ``None``, the origin to use for relative names. *now*, a ``float`` or ``None``, the time, in seconds since the epoch, to use as the current time when validating. If ``None``, the actual current time is used. *policy*, a ``dns.dnssec.Policy`` or ``None``. If ``None``, the default policy, ``dns.dnssec.default_policy`` is used; this policy defaults to that of RFC 8624. Raises ``ValidationFailure`` if the signature is expired, not yet valid, the public key is invalid, the algorithm is unknown, the verification fails, etc. Raises ``UnsupportedAlgorithm`` if the algorithm is recognized by dnspython but not implemented. Nz unknown keyexpiredz not yet validzverify failure) rvrrtime expiration inception_make_rrsig_signature_datarRr signatureInvalidSignature) rrrrprrqcandidate_keysr candidate_keys r#_validate_rrsigrNsP~)$6N .. {iik # ** 00 %eUF ;D' $$]3   } E  ( , -- !"34   sB66CCrrsigsetc D|t}t|tr8tjj |tjj }t|tr|d}n |j}t|tr |d}|d}n|j}|}|j|}|j|}||k7r td|D]/} t| ts td t|| ||||ytd#ttf$rYNwxYw)aValidate an RRset against a signature RRset, throwing an exception if none of the signatures validate. *rrset*, the RRset to validate. This can be a ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``) tuple. *rrsigset*, the signature RRset. This can be a ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``) tuple. *keys*, the key dictionary, used to find the DNSKEY associated with a given name. The dictionary is keyed by a ``dns.name.Name``, and has ``dns.node.Node`` or ``dns.rdataset.Rdataset`` values. *origin*, a ``dns.name.Name``, the origin to use for relative names; defaults to None. *now*, an ``int`` or ``None``, the time, in seconds since the epoch, to use as the current time when validating. If ``None``, the actual current time is used. *policy*, a ``dns.dnssec.Policy`` or ``None``. If ``None``, the default policy, ``dns.dnssec.default_policy`` is used; this policy defaults to that of RFC 8624. Raises ``ValidationFailure`` if the signature is expired, not yet valid, the public key is invalid, the algorithm is unknown, the verification fails, etc. Nrr9zowner names do not matchzexpected an RRSIGzno RRSIGs validated) rvr,r/rror"rootrchoose_relativityrrrr) rrrrprrqrrname rrsigname rrsigrdatasetrs r# _validatersN~&###FCHHMM:%q(E"QK   MM   % %f -F++F3I  :;;%'#$78 8  E5$V D   1 22"#78   s/D  DD private_keyrdnskeyrrlifetimerc |t}|j|stt|tr3|dj } |dj } |d} |dj} n0|j } |j } |j} |j} | t|}nttj}| t|}n|||z}n td| | j| } t| dz }| jr|dz}t!| t"j$j | |j&|| ||t)||d }t"j*j-||| }t|t.r|}n t1|}||}|j7||}t9t |j;|S#t2$r t5dwxYw) aSign RRset using private key. *rrset*, the RRset to validate. This can be a ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``) tuple. *private_key*, the private key to use for signing, a ``cryptography.hazmat.primitives.asymmetric`` private key class applicable for DNSSEC. *signer*, a ``dns.name.Name``, the Signer's name. *dnskey*, a ``DNSKEY`` matching ``private_key``. *inception*, a ``datetime``, ``str``, ``int``, ``float`` or ``None``, the signature inception time. If ``None``, the current time is used. If a ``str``, the format is "YYYYMMDDHHMMSS" or alternatively the number of seconds since the UNIX epoch in text form; this is the same the RRSIG rdata's text form. Values of type `int` or `float` are interpreted as seconds since the UNIX epoch. *expiration*, a ``datetime``, ``str``, ``int``, ``float`` or ``None``, the signature expiration time. If ``None``, the expiration time will be the inception time plus the value of the *lifetime* parameter. See the description of *inception* above for how the various parameter types are interpreted. *lifetime*, an ``int`` or ``None``, the signature lifetime in seconds. This parameter is only meaningful if *expiration* is ``None``. *verify*, a ``bool``. If set to ``True``, the signer will verify signatures after they are created; the default is ``False``. *policy*, a ``dns.dnssec.Policy`` or ``None``. If ``None``, the default policy, ``dns.dnssec.default_policy`` is used; this policy defaults to that of RFC 8624. *origin*, a ``dns.name.Name`` or ``None``. If ``None``, the default, then all names in the rrset (including its owner name) must be absolute; otherwise the specified origin will be used to make names absolute when signing. Raises ``DeniedByPolicy`` if the signature is denied by policy. r9rz(expiration or lifetime must be specifiedr%) rr type_coveredr<labels original_ttlrrrrrr3zUnsupported key algorithm)r)rvrOrr,rrrttlror2r-rry derelativizer?is_wildrrrr<rCdnssecrrrrr1signr replace)rrrrrrrrrqrprrrrrrsig_inceptionrrsig_expirationrrrsig_templater signing_key private_clsrs r#_signrsj~   V $%(""qqQx|| --yy &y1diik*' 3  *X5CDD$$V, [1_F~~! }}""""!#!v N :: 0 0 OD+01!  97?K%+6K  v.I ~-- -B CC $ 978 8 9s GG&ct|tr8tjj |tjj }|j }|js| td|j|}t|\}}d}||j|ddz }||j j|z }|js| td|j|}t|}|jr|j|dz k7r td|dz |jkr td |j|dz krA|j!|jdzd}tjj d |}|j} t#j$d |j&|j(|j*} |D cgc]} | j|} } t-| D]5} || z }|| z }t#j$d t| } || z }|| z }7|Scc} w) aCreate signature rdata. *rrset*, the RRset to sign/validate. This can be a ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``) tuple. *rrsig*, a ``dns.rdata.Rdata``, the signature to validate, or the signature template used when signing. *origin*, a ``dns.name.Name`` or ``None``, the origin to use for relative names. Raises ``UnsupportedAlgorithm`` if the algorithm is recognized by dnspython but not implemented. Nz,relative RR name without an origin specifiedr%rur8z&wild owner name has wrong label lengthr9z#owner name longer than RRSIG labels*z!HHIz!H)r,r/rror"rr is_absoluterrrr; to_digestabler?rrsplitrrrrrsorted)rrrprrrrname_lensuffix rrnamebufrrfixedr@rdatasrrlens r#rrUs *&###FCHHMM: \\F     >#$RS S$$V,,E2FH DEMMM (" --DELL & &v ..D     >#$RS S$$V,6{H ~~ELLHqL8 HII!|ell" EFF 1 $ellQ./2##C0$$&Ikk&(//83C3CUEWEWXG7? @ee!!&) @F @   D#e*-       KAs)Irrrrctj|}t|tr|j ||St |j }||j ||S)aConvert a public key to DNSKEY Rdata *public_key*, a ``PublicKey`` (``GenericPublicKey`` or ``cryptography.hazmat.primitives.asymmetric``) to convert. *algorithm*, a ``str`` or ``int`` specifying the DNSKEY algorithm. *flags*: DNSKEY flags field as an integer. *protocol*: DNSKEY protocol field as an integer. Raises ``ValueError`` if the specified key algorithm parameters are not unsupported, ``TypeError`` if the key type is unsupported, `UnsupportedAlgorithm` if the algorithm is unknown and `AlgorithmKeyMismatch` if the algorithm does not match the key type. Return DNSKEY ``Rdata``. )rrr)r maker,r to_dnskeyget_algorithm_clsr)rr<rrrs r# _make_dnskeyrs^2y)I*./##%(#CC&y1<< j)33%(3SSr%ct||||}t|jtjj|j |j |j|jS)aConvert a public key to CDNSKEY Rdata *public_key*, the public key to convert, a ``cryptography.hazmat.primitives.asymmetric`` public key class applicable for DNSSEC. *algorithm*, a ``str`` or ``int`` specifying the DNSKEY algorithm. *flags*: DNSKEY flags field as an integer. *protocol*: DNSKEY protocol field as an integer. Raises ``ValueError`` if the specified key algorithm parameters are not unsupported, ``TypeError`` if the key type is unsupported, `UnsupportedAlgorithm` if the algorithm is unknown and `AlgorithmKeyMismatch` if the algorithm does not match the key type. Return CDNSKEY ``Rdata``. rrrrr<r3) rrrrrrrr<r3)rr<rrrs r# _make_cdnskeyrsS4*i AF }}$$ll"" JJ  r%domainsalt iterationscltjdd} t|trt|j }|tjk7r t d|d}nDt|tr2t|dzdk(rtj|}n t d|}t|tjjstjj|}|jj!}|Jt#j$||zj'}t)|D](}t#j$||zj'}*t+j,|j/d} | j1|} | S#t $r t dwxYw) a Calculate the NSEC3 hash, according to https://tools.ietf.org/html/rfc5155#section-5 *domain*, a ``dns.name.Name`` or ``str``, the name to hash. *salt*, a ``str``, ``bytes``, or ``None``, the hash salt. If a string, it is decoded as a hex string. *iterations*, an ``int``, the number of iterations. *algorithm*, a ``str`` or ``int``, the hash algorithm. The only defined algorithm is SHA1. Returns a ``str``, the encoded NSEC3 hash. ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 0123456789ABCDEFGHIJKLMNOPQRSTUVz-Wrong hash algorithm (only SHA1 is supported)r%r8rzInvalid salt lengthzutf-8)r/ maketransr,rrwrxryrzr?bytesfromhexrroNamer"rr;r{r|rr>base64 b32encodedecode translate) rrrr<b32_conversion salt_encodeddomain_encodedrrKoutputs r# nsec3_hashrsw.]]*,NNJ i %!)//"34IINN"HII | D#  t9q=A  ==.L23 3 fchhmm ,##F+((*224N  %% % \\.<7 8 ? ? AF : f|34;;=  f % , ,W 5F   n -F M9 JHIIJs 'FF3 algorithmsc t|\}}|jtjjtjj tjj fvr tdt}|D];} t|trt|j}|j|=|jtjj k(rug}t!|D]"}|j"|vs|j%|$t'|dk(r tdtj(j+|j,|Sg}|D]}|j/t1||||!tj(j+|j,|S#t$rtd|zwxYw)aCreate a DS record from DNSKEY/CDNSKEY/CDS. *rrset*, the RRset to create DS Rdataset for. This can be a ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``) tuple. *algorithms*, a set of ``str`` or ``int`` specifying the hash algorithms. The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case does not matter for these strings. If the RRset is a CDS, only digest algorithms matching algorithms are accepted. *origin*, a ``dns.name.Name`` or ``None``. If `key` is a relative name, then it will be made absolute using the specified origin. Raises ``UnsupportedAlgorithm`` if any of the algorithms are unknown and ``ValueError`` if the given RRset is not usable. Returns a ``dns.rdataset.Rdataset`` zrrset not a DNSKEY/CDNSKEY/CDSrtrzno acceptable CDS rdata found)rrrrrrrrysetr,r/r rwrxraddcds_rdataset_to_ds_rdatasetrappendr?rfrom_rdata_listrextenddnskey_rdataset_to_cds_rdataset) rrrprr _algorithmsr<resr@s r#make_ds_rdatasetrsz2,E2FH    9::%K  Q)S)$Y__%67   "  #--+++0:E  K/ 5!; s8q=<= =||++HLL#>> C  268YPVWX! << ' ' c ::! Q&'Ci'OP P Qs 'F))Grc |jtjjk7r t dg}|D]l}|j t|j tjj|j|j|j|jntjj|j|S)zCreate a CDS record from DS. *rdataset*, a ``dns.rdataset.Rdataset``, to create DS Rdataset for. Raises ``ValueError`` if the rdataset is not CDS. Returns a ``dns.rdataset.Rdataset`` zrdataset not a CDSr)rrrrryr rrrr<rrrr rrrr@s r#rrUs#--+++-.. C  }}'' //!--||    << ' ' c ::r%c 8|jtjjtjjfvr t dg}|D]}|j t||||!tjj|j|S)aCreate a CDS record from DNSKEY/CDNSKEY. *name*, a ``dns.name.Name`` or ``str``, the owner name of the CDS record. *rdataset*, a ``dns.rdataset.Rdataset``, to create DS Rdataset for. *algorithm*, a ``str`` or ``int`` specifying the hash algorithm. The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case does not matter for these strings. *origin*, a ``dns.name.Name`` or ``None``. If `key` is a relative name, then it will be made absolute using the specified origin. Raises ``UnsupportedAlgorithm`` if the algorithm is unknown or ``ValueError`` if the rdataset is not DNSKEY/CDNSKEY. Returns a ``dns.rdataset.Rdataset`` zrdataset not a DNSKEY/CDNSKEY) rrrrrryr rrr r)rorr<rprr@s r#r r rsv2s}}33S]]5J5JKK899 C 8D%F;< << ' ' c ::r%c |jtjjk7r t dg}|D]^}|j t |j|j|j|j|j|j`tjj|j|S)zCreate a CDNSKEY record from DNSKEY. *rdataset*, a ``dns.rdataset.Rdataset``, to create CDNSKEY Rdataset for. Returns a ``dns.rdataset.Rdataset`` zrdataset not a DNSKEYr)rrrrryr rrrrr<r3rr rrs r##dnskey_rdataset_to_cdnskey_rdatasetrs#--...011 C  ((kk//II    << ' ' c ::r%txnkskszsksc |jttjjj tjjj tjjjgvr|} n|} | D]T\} } tjj|| | ||||||  } |j|j|j| Vy)zDefault RRset signer) rrrrrrrrqrpN) rrrr RdataTyperrrrrrror)rrrrrrrrrqrprrrrs r#default_rrset_signerrs ||s MM # # * * MM # # ' ' MM # # + + # V #!    EIIu- $r%Tzone add_dnskey dnskey_ttlnsec3 rrset_signerc <g} g} |rS|D]E} | djtjzr| j| 5| j| G| s|} | s|} ng}|rt j |}n|j }|5}|r||j|jtjj}|r |j}n@|j|jtjj}|j}|D]"\}}|j|j||$|r td| xs6t!j"t$|j| | |||| |j }t'|||cdddS#1swYyxYw)a?Sign zone. *zone*, a ``dns.zone.Zone``, the zone to sign. *txn*, a ``dns.transaction.Transaction``, an optional transaction to use for signing. *keys*, a list of (``PrivateKey``, ``DNSKEY``) tuples, to use for signing. KSK/ZSK roles are assigned automatically if the SEP flag is used, otherwise all RRsets are signed by all keys. *add_dnskey*, a ``bool``. If ``True``, the default, all specified DNSKEYs are automatically added to the zone on signing. *dnskey_ttl*, a``int``, specifies the TTL for DNSKEY RRs. If not specified the TTL of the existing DNSKEY RRset used or the TTL of the SOA RRset. *inception*, a ``datetime``, ``str``, ``int``, ``float`` or ``None``, the signature inception time. If ``None``, the current time is used. If a ``str``, the format is "YYYYMMDDHHMMSS" or alternatively the number of seconds since the UNIX epoch in text form; this is the same the RRSIG rdata's text form. Values of type `int` or `float` are interpreted as seconds since the UNIX epoch. *expiration*, a ``datetime``, ``str``, ``int``, ``float`` or ``None``, the signature expiration time. If ``None``, the expiration time will be the inception time plus the value of the *lifetime* parameter. See the description of *inception* above for how the various parameter types are interpreted. *lifetime*, an ``int`` or ``None``, the signature lifetime in seconds. This parameter is only meaningful if *expiration* is ``None``. *nsec3*, a ``NSEC3PARAM`` Rdata, configures signing using NSEC3. Not yet implemented. *rrset_signer*, a ``Callable``, an optional function for signing RRsets. The function requires two arguments: transaction and RRset. If the not specified, ``dns.dnssec.default_rrset_signer`` will be used. Returns ``None``. r9Nz&Signing with NSEC3 not yet implemented)rrrrrrrqrp)rrSEPr  contextlib nullcontextwriterrrprrrrSOArNotImplementedError functoolspartialr_sign_zone_nsec)rrrrrrrrrrrqrrr3cm_txnrsoarK _rrset_signers r# sign_zoner.snl D D C1v||dhh& C  C  DD 0:0F0Fs0K [[] >t !$++s}}/C/CD!'J((4;; 0A0ABC!$J! 6j&9" %&NO O( I,=,=${{#%!{{ -M#4}=5>>>s DFFc d dtjjdtjjdt tjjdtj jdtdt tddfd }|jj}d}d}t|jD]}|r|j|r|j|tj j"r||j$k7r|}nd}|r|j'|}|r|j(D]} | j*tj j,k(r+|r(| j*tj j.k7rUtj0j2|| j4g| } ||| ||||||j6|||}|r"||||j$|j6||yy) zNSEC zone signerNrro next_securerrrr c Tttjjjtjjj g}|j |}|r|rt|jDcgc]}|jc}|z} tjt| } tjj||t |tjjj || } |j| |r ||| yyyycc}w)zNSEC zone signer helper)rrnextwindowsN)rrrrrrget_node rdatasetsrr from_rdtypeslistr from_rdatar) rror0rrrmandatory_typesrrtypesr3rs r# _txn_add_nsecz&_sign_zone_nsec.._txn_add_nsecGs ]] $ $ * *CMM,C,C,H,H I ||D! KT^^DX__DEW ))$u+6GII((#==2277$#  E GGENS%(! 4Ds:D%rG)r transaction Transactionrorrr RdataClassr- RRsetSignerget_soaminimumr iterate_names is_subdomainrrNSrpr4r5rrrrr8rr) rrrr; rrsig_ttl delegation last_securerorrrs r#r)r)@s/3 ) __ ( ()hhmm)chhmm,)** )  ) {+ ) )@ &&IJKs((*+ $++J7  WWT3==++ ,1DJJ <<%D $H#--*=*== #3==;K;K(K # 4 4T8<< S( S$S%0!/  " #{D$,, < X 9,< dkk4<<L r%ctd)Nz.DNSSEC validation requires python cryptography) ImportError)argskwargss r# _need_pycarLs 8 r%r)r)dsa)ec)ed448)rsa)ed25519)rr)rr)NNFrG)NNN)NNNFNN)NNNNN) NNTNNNNNNN)__doc__rr"r'r{rrrtypingrrrrrr r r dns._featuresr dns.exceptiondns.namedns.node dns.rdatadns.rdataclass dns.rdataset dns.rdatatype dns.rrsetdns.transactiondns.zonedns.dnssectypesr r rrrrrdns.rdtypes.ANY.CDNSKEYrdns.rdtypes.ANY.CDSrdns.rdtypes.ANY.DNSKEYrdns.rdtypes.ANY.DSrdns.rdtypes.ANY.NSECrrdns.rdtypes.ANY.NSEC3PARAMrdns.rdtypes.ANY.RRSIGrrdns.rdtypes.dnskeybaser PublicKey PrivateKeyr<r=rRRsetr?r/r$r-r*r0r2rCrEr\r=DSA DSANSEC3SHA1ECCGOSTNULLrzGOSTrfc_8624_policyrallow_all_policyrvrorr@RdatarZrrrRdatasetrrrrrrrrrrrrrrrrr rrrZoner.r)rL _featureshavecryptography.exceptionsr)cryptography.hazmat.primitives.asymmetricrMrNrOrPrQdns.dnssecalgsrrdns.dnssecalgs.baserrvalidatevalidate_rrsigr make_dnskey make_cdnskey _have_pycaDHECCRSASHA1RSASHA1NSEC3SHA1 RSASHA256 RSASHA512ECDSAP256SHA256ECDSAP384SHA384ED25519ED448INDIRECT PRIVATEDNS PRIVATEOIDrHr%r#rs $5 JJJ:: ,#)!-1='    33SYY__EtKL %c%i%$U9c>2$s$ 6hUC78 6S 6fgo&3*"77*y}}i&<&O>OPy}}i&<&<= ]]HMM8==1 ]]O ceSUCE359!'+# I  s" #I IXs]#I SXX]] # I V  I  II`'+ !  s" #! !Xs]#! SXX]] # !  !H sxx}}eCLL$9$9388==$HII JSX d6l(! % s||7L7L(L"MM N! 388==#,,// /0!!U!%!f!!'+# B. % s||7L7L(L"MM NB. B. sxx}}eCHHMM3<<3H3H$HII JB. SXX]] # B. % B. V  B. B.R'+# F3 % s||7L7L(L"MM NF3CIIOOU388==#,,:O:O+O%PPQF3 sxx}}eCHHMM3<<3H3H$HII JF3 SXX]] # F3 % F3 V  F3 F3\=A=A"#&*vD % s||7L7L(L"MM NvDvD HHMMvD  vD hS%789 vD xc589: vDsmvD vD V vD SXX]] #vD vDx'+> % s||7L7L(L"MM N> > SXX]] #> >H TTS#XT T T  TJ ##S#X# # #  #L: #((--$ %: 5e$ %::S#X :  :@'+7; % s||7L7L(L"MM N7;E(C-()7; SXX]] #7; \\ 7;t;ll##;\\;B'+ ;  s" #;ll##;Xs]#; SXX]] # ;  \\ ;B;ll##;\\;B=A=A"#&*%.  $ $%. 99??%. HHMM%. uZ'( ) %. uZ'( ) %. hS%789 %.xc589:%.sm%. V %. SXX]] #%. %.T266: $<@=A""&*.#g> ((--g> #//-- .g> 4j&012 3g> g>  g> hS%789 g>xc589:g>smg> J g>;'g> V g> g>Z+/L ((--L  $ $L ;'L  L ^ ==h8=<?=HH$N DK LJHN DKLJ   \\mmmm   %% --         ++++        ! !  ! ! r%