dnsjava
diff --git a/‎src/main/java/org/xbill/DNS/dnssec/DnsSecVerifier.java‎
Lines changed: 17 additions & 4 deletions b/‎src/main/java/org/xbill/DNS/dnssec/DnsSecVerifier.java‎
Lines changed: 17 additions & 4 deletions
diff --git a/‎src/main/java/org/xbill/DNS/dnssec/KeyEntry.java‎
Lines changed: 2 additions & 2 deletions b/‎src/main/java/org/xbill/DNS/dnssec/KeyEntry.java‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/main/java/org/xbill/DNS/dnssec/NSEC3ValUtils.java‎
Lines changed: 41 additions & 24 deletions b/‎src/main/java/org/xbill/DNS/dnssec/NSEC3ValUtils.java‎
Lines changed: 41 additions & 24 deletions
diff --git a/‎src/main/java/org/xbill/DNS/dnssec/ValUtils.java‎
Lines changed: 46 additions & 17 deletions b/‎src/main/java/org/xbill/DNS/dnssec/ValUtils.java‎
Lines changed: 46 additions & 17 deletions
@@ -164,13 +164,17 @@ public JustifiedSecStatus verify(SRRset rrset, RRset keyRrset, Instant date) {
    * @param date The date against which to verify the rrset.
    * @return SecurityStatus.SECURE if the rrset verified, BOGUS otherwise.
    */
-  public SecurityStatus verify(RRset rrset, DNSKEYRecord dnskey, Instant date) {
+  public JustifiedSecStatus verify(RRset rrset, DNSKEYRecord dnskey, Instant date) {
     List<RRSIGRecord> sigs = rrset.sigs();
     if (sigs.isEmpty()) {
       log.info("RRset failed to verify due to lack of signatures");
-      return SecurityStatus.BOGUS;
+      return new JustifiedSecStatus(
+          SecurityStatus.BOGUS,
+          ExtendedErrorCodeOption.RRSIGS_MISSING,
+          R.get("dnskey.no_sigs", rrset.getName()));
     }
 
+    DNSSECException lastException = null;
     for (RRSIGRecord sigrec : sigs) {
       // Skip RRSIGs that do not match our given key's footprint.
       if (sigrec.getFootprint() != dnskey.getFootprint()) {
@@ -179,13 +183,22 @@ public SecurityStatus verify(RRset rrset, DNSKEYRecord dnskey, Instant date) {
 
       try {
         DNSSEC.verify(rrset, sigrec, dnskey, date);
-        return SecurityStatus.SECURE;
+        return new JustifiedSecStatus(SecurityStatus.SECURE, -1, null);
       } catch (DNSSECException e) {
         log.error("Failed to validate RRset", e);
+        lastException = e;
       }
     }
 
     log.info("RRset failed to verify: all signatures were BOGUS");
-    return SecurityStatus.BOGUS;
+    int edeReason = ExtendedErrorCodeOption.DNSSEC_BOGUS;
+    String reason = "dnskey.invalid";
+    if (lastException instanceof SignatureExpiredException) {
+      edeReason = ExtendedErrorCodeOption.SIGNATURE_EXPIRED;
+    } else if (lastException instanceof SignatureNotYetValidException) {
+      edeReason = ExtendedErrorCodeOption.SIGNATURE_NOT_YET_VALID;
+    }
+
+    return new JustifiedSecStatus(SecurityStatus.BOGUS, edeReason, reason);
   }
 }
@@ -19,9 +19,9 @@
 @Slf4j
 @EqualsAndHashCode(
     callSuper = true,
-    of = {"badReason", "isEmpty"})
+    of = {"edeReason", "badReason", "isEmpty"})
 final class KeyEntry extends SRRset {
-  private int edeReason;
+  private int edeReason = -1;
   private String badReason;
   private boolean isEmpty;
 
 
@@ -3,6 +3,9 @@
 // Copyright (c) 2013-2021 Ingo Bauersachs
 package org.xbill.DNS.dnssec;
 
+import static org.xbill.DNS.ExtendedErrorCodeOption.DNSSEC_BOGUS;
+import static org.xbill.DNS.ExtendedErrorCodeOption.NSEC_MISSING;
+
 import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.DSAPublicKey;
 import java.security.interfaces.ECPublicKey;
@@ -17,6 +20,7 @@
 import org.xbill.DNS.DNSKEYRecord;
 import org.xbill.DNS.DNSSEC.Algorithm;
 import org.xbill.DNS.DNSSEC.DNSSECException;
+import org.xbill.DNS.ExtendedErrorCodeOption;
 import org.xbill.DNS.NSEC3Record;
 import org.xbill.DNS.NSEC3Record.Flags;
 import org.xbill.DNS.Name;
@@ -492,38 +496,43 @@ public SecurityStatus proveNameError(List<SRRset> nsec3s, Name qname, Name zonen
    * @return {@link SecurityStatus#SECURE} if the NSEC3s prove the proposition, {@link
    *     SecurityStatus#INSECURE} if qname is under opt-out, {@link SecurityStatus#BOGUS} otherwise.
    */
-  public SecurityStatus proveNodata(List<SRRset> nsec3s, Name qname, int qtype, Name zonename) {
+  public JustifiedSecStatus proveNodata(List<SRRset> nsec3s, Name qname, int qtype, Name zonename) {
     if (nsec3s == null || nsec3s.isEmpty()) {
-      return SecurityStatus.BOGUS;
+      return new JustifiedSecStatus(
+          SecurityStatus.BOGUS, ExtendedErrorCodeOption.NSEC_MISSING, R.get("failed.nsec3.none"));
     }
 
     NSEC3Record nsec3 = this.findMatchingNSEC3(qname, zonename, nsec3s);
     // Cases 1 & 2.
     if (nsec3 != null) {
       if (nsec3.hasType(qtype)) {
         log.debug("proveNodata: Matching NSEC3 proved that type existed!");
-        return SecurityStatus.BOGUS;
+        return new JustifiedSecStatus(
+            SecurityStatus.BOGUS, DNSSEC_BOGUS, R.get("failed.nsec3.type_exists"));
       }
 
       if (nsec3.hasType(Type.CNAME)) {
         log.debug("proveNodata: Matching NSEC3 proved that a CNAME existed!");
-        return SecurityStatus.BOGUS;
+        return new JustifiedSecStatus(
+            SecurityStatus.BOGUS, DNSSEC_BOGUS, R.get("failed.nsec3.cname_exists"));
       }
 
       if (qtype == Type.DS && nsec3.hasType(Type.SOA) && !Name.root.equals(qname)) {
         log.debug("proveNodata: apex NSEC3 abused for no DS proof, bogus");
-        return SecurityStatus.BOGUS;
+        return new JustifiedSecStatus(
+            SecurityStatus.BOGUS, DNSSEC_BOGUS, R.get("failed.nsec3.apex_abuse"));
       } else if (qtype != Type.DS && nsec3.hasType(Type.NS) && !nsec3.hasType(Type.SOA)) {
         if (!nsec3.hasType(Type.DS)) {
           log.debug("proveNodata: matching NSEC3 is insecure delegation");
-          return SecurityStatus.INSECURE;
+          return new JustifiedSecStatus(SecurityStatus.INSECURE, -1, null);
         }
 
         log.debug("proveNodata: matching NSEC3 is a delegation, bogus");
-        return SecurityStatus.BOGUS;
+        return new JustifiedSecStatus(
+            SecurityStatus.BOGUS, DNSSEC_BOGUS, R.get("failed.nsec3.delegation"));
       }
 
-      return SecurityStatus.SECURE;
+      return new JustifiedSecStatus(SecurityStatus.SECURE, -1, null);
     }
 
     // For cases 3 - 5, we need the proven closest encloser, and it can't
@@ -534,11 +543,12 @@ public SecurityStatus proveNodata(List<SRRset> nsec3s, Name qname, int qtype, Na
     // At this point, not finding a match or a proven closest encloser is a
     // problem.
     if (ce.status == SecurityStatus.BOGUS) {
-      log.debug("proveNodata: did not match qname, nor found a proven closest encloser.");
-      return SecurityStatus.BOGUS;
+      log.debug("proveNodata: did not match qname, nor found a proven closest encloser");
+      return new JustifiedSecStatus(
+          SecurityStatus.BOGUS, DNSSEC_BOGUS, R.get("failed.nsec3.qname_ce"));
     } else if (ce.status == SecurityStatus.INSECURE && qtype != Type.DS) {
-      log.debug("proveNodata: closest nsec3 is insecure delegation.");
-      return SecurityStatus.INSECURE;
+      log.debug("proveNodata: closest nsec3 is insecure delegation");
+      return new JustifiedSecStatus(SecurityStatus.INSECURE, -1, null);
     }
 
     // Case 3: REMOVED
@@ -549,26 +559,30 @@ public SecurityStatus proveNodata(List<SRRset> nsec3s, Name qname, int qtype, Na
     if (nsec3 != null) {
       if (nsec3.hasType(qtype)) {
         log.debug("proveNodata: matching wildcard had qtype!");
-        return SecurityStatus.BOGUS;
+        return new JustifiedSecStatus(
+            SecurityStatus.BOGUS, DNSSEC_BOGUS, R.get("failed.nsec3.type_exists_wc"));
       } else if (nsec3.hasType(Type.CNAME)) {
         log.debug("nsec3 nodata proof: matching wildcard had a CNAME, bogus");
-        return SecurityStatus.BOGUS;
+        return new JustifiedSecStatus(
+            SecurityStatus.BOGUS, DNSSEC_BOGUS, R.get("failed.nsec3.cname_exists_wc"));
       }
 
       if (qtype == Type.DS && qname.labels() != 1 && nsec3.hasType(Type.SOA)) {
         log.debug("nsec3 nodata proof: matching wildcard for no DS proof has a SOA, bogus");
-        return SecurityStatus.BOGUS;
+        return new JustifiedSecStatus(
+            SecurityStatus.BOGUS, DNSSEC_BOGUS, R.get("failed.nsec3.wc_soa"));
       } else if (qtype != Type.DS && nsec3.hasType(Type.NS) && !nsec3.hasType(Type.SOA)) {
         log.debug("nsec3 nodata proof: matching wilcard is a delegation, bogus");
-        return SecurityStatus.BOGUS;
+        return new JustifiedSecStatus(
+            SecurityStatus.BOGUS, DNSSEC_BOGUS, R.get("failed.nsec3.delegation_wc"));
       }
 
       if (ce.ncNsec3 != null && (ce.ncNsec3.getFlags() & Flags.OPT_OUT) == Flags.OPT_OUT) {
         log.debug("nsec3 nodata proof: matching wildcard is in optout range, insecure");
-        return SecurityStatus.INSECURE;
+        return new JustifiedSecStatus(SecurityStatus.INSECURE, -1, null);
       }
 
-      return SecurityStatus.SECURE;
+      return new JustifiedSecStatus(SecurityStatus.SECURE, -1, null);
     }
 
     // Case 5.
@@ -577,24 +591,27 @@ public SecurityStatus proveNodata(List<SRRset> nsec3s, Name qname, int qtype, Na
     // insecure delegation under an optout here */
     if (ce.ncNsec3 == null) {
       log.debug("nsec3 nodata proof: no next closer nsec3");
-      return SecurityStatus.BOGUS;
+      return new JustifiedSecStatus(
+          SecurityStatus.BOGUS, NSEC_MISSING, R.get("failed.nsec3.no_next"));
     }
 
     // We need to make sure that the covering NSEC3 is opt-out.
     if ((ce.ncNsec3.getFlags() & Flags.OPT_OUT) == 0) {
       if (qtype != Type.DS) {
         log.debug(
-            "proveNodata: covering NSEC3 was not opt-out in an opt-out DS NOERROR/NODATA case.");
+            "proveNodata: covering NSEC3 was not opt-out in an opt-out DS NOERROR/NODATA case");
+        return new JustifiedSecStatus(
+            SecurityStatus.BOGUS, DNSSEC_BOGUS, R.get("failed.nsec3.not_optout"));
       } else {
         log.debug(
-            "proveNodata: could not find matching NSEC3, nor matching wildcard, and qtype is not DS -- no more options.");
+            "proveNodata: could not find matching NSEC3, nor matching wildcard, and qtype is not DS -- no more options");
+        return new JustifiedSecStatus(
+            SecurityStatus.BOGUS, NSEC_MISSING, R.get("failed.nsec3.not_found"));
       }
-
-      return SecurityStatus.BOGUS;
     }
 
     // RFC5155 section 9.2: if nc has optout then no AD flag set
-    return SecurityStatus.INSECURE;
+    return new JustifiedSecStatus(SecurityStatus.INSECURE, -1, null);
   }
 
   /**
 
@@ -14,6 +14,7 @@
 import org.xbill.DNS.DNSSEC.Algorithm;
 import org.xbill.DNS.DSRecord;
 import org.xbill.DNS.ExtendedErrorCodeOption;
+import org.xbill.DNS.Flags;
 import org.xbill.DNS.Message;
 import org.xbill.DNS.NSECRecord;
 import org.xbill.DNS.Name;
@@ -132,7 +133,9 @@ public static ResponseClassification classifyResponse(Message request, SMessage
     }
 
     // check for referral: nonRD query and it looks like a nodata
-    if (m.getCount(Section.ANSWER) == 0 && m.getRcode() != Rcode.NOERROR) {
+    if (!request.getHeader().getFlag(Flags.RD)
+        && m.getCount(Section.ANSWER) == 0
+        && m.getRcode() != Rcode.NOERROR) {
       // SOA record in auth indicates it is NODATA instead.
       // All validation requiring NODATA messages have SOA in
       // authority section.
@@ -173,7 +176,7 @@ public static ResponseClassification classifyResponse(Message request, SMessage
     }
 
     // Next is NODATA
-    if (m.getCount(Section.ANSWER) == 0) {
+    if (m.getRcode() == Rcode.NOERROR && m.getCount(Section.ANSWER) == 0) {
       return ResponseClassification.NODATA;
     }
 
@@ -209,7 +212,7 @@ public static ResponseClassification classifyResponse(Message request, SMessage
       }
     }
 
-    log.warn("Failed to classify response message:\n" + m);
+    log.warn("Failed to classify response message:\n{}", m);
     return ResponseClassification.UNKNOWN;
   }
 
@@ -249,6 +252,7 @@ public KeyEntry verifyNewDNSKEYs(
     }
 
     int favoriteDigestID = this.favoriteDSDigestID(dsRrset);
+    KeyEntry ke = null;
     for (Record dsr : dsRrset.rrs()) {
       DSRecord ds = (DSRecord) dsr;
       if (this.digestHardenDowngrade && ds.getDigestID() != favoriteDigestID) {
@@ -264,8 +268,8 @@ public KeyEntry verifyNewDNSKEYs(
           continue;
         }
 
-        KeyEntry ke = getKeyEntry(dnskeyRrset, date, ds, dnskey);
-        if (ke != null) {
+        ke = getKeyEntry(dnskeyRrset, date, ds, dnskey);
+        if (ke.isGood()) {
           return ke;
         }
 
@@ -274,9 +278,11 @@ public KeyEntry verifyNewDNSKEYs(
     }
 
     // If any were understandable, then it is bad.
-    KeyEntry badKey = KeyEntry.newBadKeyEntry(dsRrset.getName(), dsRrset.getDClass(), badKeyTTL);
-    badKey.setBadReason(ExtendedErrorCodeOption.DNSSEC_BOGUS, R.get("dnskey.no_ds_match"));
-    return badKey;
+    if (ke == null) {
+      ke = KeyEntry.newBadKeyEntry(dsRrset.getName(), dsRrset.getDClass(), badKeyTTL);
+      ke.setBadReason(ExtendedErrorCodeOption.DNSKEY_MISSING, R.get("dnskey.no_ds_match"));
+    }
+    return ke;
   }
 
   private KeyEntry getKeyEntry(SRRset dnskeyRrset, Instant date, DSRecord ds, DNSKEYRecord dnskey) {
@@ -287,25 +293,38 @@ private KeyEntry getKeyEntry(SRRset dnskeyRrset, Instant date, DSRecord ds, DNSK
     byte[] dsHash = ds.getDigest();
 
     // see if there is a length mismatch (unlikely)
+    KeyEntry ke;
     if (keyHash.length != dsHash.length) {
-      return null;
+      ke = KeyEntry.newBadKeyEntry(ds.getName(), ds.getDClass(), ds.getTTL());
+      ke.setBadReason(ExtendedErrorCodeOption.DNSSEC_BOGUS, R.get("dnskey.invalid"));
+      return ke;
     }
 
     for (int k = 0; k < keyHash.length; k++) {
       if (keyHash[k] != dsHash[k]) {
-        return null;
+        ke = KeyEntry.newBadKeyEntry(ds.getName(), ds.getDClass(), ds.getTTL());
+        ke.setBadReason(ExtendedErrorCodeOption.DNSSEC_BOGUS, R.get("dnskey.invalid"));
+        return ke;
       }
     }
 
     // Otherwise, we have a match! Make sure that the DNSKEY
     // verifies *with this key*.
-    SecurityStatus res = this.verifier.verify(dnskeyRrset, dnskey, date);
-    if (res == SecurityStatus.SECURE) {
-      log.trace("DS matched DNSKEY.");
-      dnskeyRrset.setSecurityStatus(SecurityStatus.SECURE);
-      return KeyEntry.newKeyEntry(dnskeyRrset);
+    JustifiedSecStatus res = this.verifier.verify(dnskeyRrset, dnskey, date);
+    switch (res.status) {
+      case SECURE:
+        dnskeyRrset.setSecurityStatus(SecurityStatus.SECURE);
+        ke = KeyEntry.newKeyEntry(dnskeyRrset);
+        break;
+      case BOGUS:
+        ke = KeyEntry.newBadKeyEntry(ds.getName(), ds.getDClass(), ds.getTTL());
+        ke.setBadReason(res.edeReason, res.reason);
+        break;
+      default:
+        throw new IllegalStateException("Unexpected security status");
     }
-    return null;
+
+    return ke;
   }
 
   /**
@@ -598,6 +617,7 @@ public static NsecProvesNodataResponse nsecProvesNodata(
         if (strictSubdomain(qname, ce)) {
           if (nsec.hasType(Type.CNAME)) {
             // should have gotten the wildcard CNAME
+            log.debug("NSEC proofed wildcard CNAME");
             result.result = false;
             return result;
           }
@@ -606,11 +626,13 @@ public static NsecProvesNodataResponse nsecProvesNodata(
             // wrong parentside (wildcard) NSEC used, and it really
             // should not exist anyway:
             // http://tools.ietf.org/html/rfc4592#section-4.2
+            log.debug("Wrong parent (wildcard) NSEC used");
             result.result = false;
             return result;
           }
 
           if (nsec.hasType(qtype)) {
+            log.debug("NSEC proofed that {} exists", Type.string(qtype));
             result.result = false;
             return result;
           }
@@ -629,12 +651,14 @@ public static NsecProvesNodataResponse nsecProvesNodata(
 
     // If the qtype exists, then we should have gotten it.
     if (nsec.hasType(qtype)) {
+      log.debug("NSEC proofed that {} exists", Type.string(qtype));
       result.result = false;
       return result;
     }
 
     // if the name is a CNAME node, then we should have gotten the CNAME
     if (nsec.hasType(Type.CNAME)) {
+      log.debug("NSEC proofed CNAME");
       result.result = false;
       return result;
     }
@@ -645,10 +669,12 @@ public static NsecProvesNodataResponse nsecProvesNodata(
     // The reverse of this check is used when qtype is DS, since that
     // must use the NSEC from above the zone cut.
     if (qtype != Type.DS && nsec.hasType(Type.NS) && !nsec.hasType(Type.SOA)) {
+      log.debug("NSEC proofed missing referral");
       result.result = false;
       return result;
     }
     if (qtype == Type.DS && nsec.hasType(Type.SOA) && !Name.root.equals(qname)) {
+      log.debug("NSEC from wrong zone");
       result.result = false;
       return result;
     }
@@ -680,7 +706,10 @@ public JustifiedSecStatus nsecProvesNodataDsReply(
       // The NSEC must verify, first of all.
       JustifiedSecStatus res = this.verifySRRset(nsecRrset, keyRrset, date);
       if (res.status != SecurityStatus.SECURE) {
-        return new JustifiedSecStatus(SecurityStatus.BOGUS, res.edeReason, R.get("failed.ds.nsec"));
+        return new JustifiedSecStatus(
+            SecurityStatus.BOGUS,
+            ExtendedErrorCodeOption.DNSSEC_BOGUS,
+            R.get("failed.ds.nsec", res.reason));
       }
 
       NSECRecord nsec = (NSECRecord) nsecRrset.first();