swamig / nhin-d

Automatically exported from code.google.com/p/nhin-d
0 stars 0 forks source link

Unable to exchange with HISP that uses IP addresses in NS records #231

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
RI based HISPs are not able to send Direct messages to foreign HISPs that have 
NS records pointing directly to an IP addresses.

Let me explain, if dig +short NS direct.domain returns a list of IP addresses 
instead of host names, the Direct RI will report failure to trust the foreign 
HISP.

This is all because NS records end with a period/dot and when you drill into 
org.xbill.DNS.SimpleResolver you find it's taking the name server address 
retrieved from the NS record (that the RI code retrieved by calling code in 
org.xbill.DNS.Lookup) and passing it through java.net.InetAddress.getByName 
which handles host names ending in a dot just fine but throws an 
UnknownHostException if passed an IP address ending in a dot.

To resolve this I modified org.nhindirect.stagent.cert.impl.DNSCertificateStore 
in the following way

In method protected Collection<X509Certificate> lookupDNS(String name)

REPLACE

remoteServers[i] = ((NSRecord)retRecords[i]).getTarget().toString();

WITH

remoteServers[i] = 
((NSRecord)retRecords[i]).getTarget().toString().replaceFirst("\\.$", "");

However a more robust change like the following may be better

REPLACE

protected ExtendedResolver createExResolver(String[] servers, int retries, int 
timeout)
{
        ExtendedResolver retVal = null;
        try
        {
                retVal = new ExtendedResolver(servers);
                retVal.setRetries(retries);
                retVal.setTimeout(timeout);
                retVal.setTCP(useTCP);
        }
        catch (UnknownHostException e) {/* no-op */}
        return retVal;
}

WITH

protected ExtendedResolver createExResolver(String[] servers, int retries, int 
timeout)
{
        ExtendedResolver retVal = null;
        for (int i = 0; servers != null && i < servers.length; i++) {
                servers[i] = servers[i].replaceFirst("\\.$", "");
        }
        try
        {
                retVal = new ExtendedResolver(servers);
                retVal.setRetries(retries);
                retVal.setTimeout(timeout);
                retVal.setTCP(useTCP);
        }
        catch (UnknownHostException e) {/* no-op */}
        return retVal;
}

Original issue reported on code.google.com by phillip....@nitorgroup.com on 26 Feb 2014 at 4:34

GoogleCodeExporter commented 9 years ago
Changes have been applied to the DNS certificate resolver.

Original comment by gm2...@cerner.com on 16 Apr 2014 at 10:48

GoogleCodeExporter commented 9 years ago
Updating defect attributes.

Original comment by gm2...@cerner.com on 16 Apr 2014 at 10:48