2 * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: validator.c,v 1.119.18.41.2.1 2009/03/17 02:23:49 marka Exp $ */
25 #include <isc/print.h>
26 #include <isc/string.h>
33 #include <dns/dnssec.h>
34 #include <dns/events.h>
35 #include <dns/keytable.h>
37 #include <dns/message.h>
38 #include <dns/ncache.h>
40 #include <dns/rdata.h>
41 #include <dns/rdatastruct.h>
42 #include <dns/rdataset.h>
43 #include <dns/rdatatype.h>
44 #include <dns/resolver.h>
45 #include <dns/result.h>
46 #include <dns/validator.h>
51 * Basic processing sequences.
53 * \li When called with rdataset and sigrdataset:
54 * validator_start -> validate -> proveunsecure -> startfinddlvsep ->
55 * dlv_validator_start -> validator_start -> validate -> proveunsecure
57 * validator_start -> validate -> nsecvalidate (secure wildcard answer)
59 * \li When called with rdataset, sigrdataset and with DNS_VALIDATOR_DLV:
60 * validator_start -> startfinddlvsep -> dlv_validator_start ->
61 * validator_start -> validate -> proveunsecure
63 * \li When called with rdataset:
64 * validator_start -> proveunsecure -> startfinddlvsep ->
65 * dlv_validator_start -> validator_start -> proveunsecure
67 * \li When called with rdataset and with DNS_VALIDATOR_DLV:
68 * validator_start -> startfinddlvsep -> dlv_validator_start ->
69 * validator_start -> proveunsecure
71 * \li When called without a rdataset:
72 * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
73 * dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
75 * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate()
76 * to always validate the authority section even when it does not contain
79 * validator_start: determines what type of validation to do.
80 * validate: attempts to perform a positive validation.
81 * proveunsecure: attempts to prove the answer comes from a unsecure zone.
82 * nsecvalidate: attempts to prove a negative response.
83 * startfinddlvsep: starts the DLV record lookup.
84 * dlv_validator_start: resets state and restarts the lookup using the
85 * DLV RRset found by startfinddlvsep.
88 #define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?')
89 #define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
91 #define VALATTR_SHUTDOWN 0x0001 /*%< Shutting down. */
92 #define VALATTR_CANCELED 0x0002 /*%< Cancelled. */
93 #define VALATTR_TRIEDVERIFY 0x0004 /*%< We have found a key and
94 * have attempted a verify. */
95 #define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */
96 #define VALATTR_DLVTRIED 0x0020 /*%< Looked for a DLV record. */
99 * NSEC proofs to be looked for.
101 #define VALATTR_NEEDNOQNAME 0x0100
102 #define VALATTR_NEEDNOWILDCARD 0x0200
103 #define VALATTR_NEEDNODATA 0x0400
106 * NSEC proofs that have been found.
108 #define VALATTR_FOUNDNOQNAME 0x1000
109 #define VALATTR_FOUNDNOWILDCARD 0x2000
110 #define VALATTR_FOUNDNODATA 0x4000
112 #define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
113 #define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
114 #define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
115 #define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
117 #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
118 #define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0)
121 destroy(dns_validator_t *val);
124 get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
125 dns_rdataset_t *rdataset);
128 validate(dns_validator_t *val, isc_boolean_t resume);
131 validatezonekey(dns_validator_t *val);
134 nsecvalidate(dns_validator_t *val, isc_boolean_t resume);
137 proveunsecure(dns_validator_t *val, isc_boolean_t have_ds,
138 isc_boolean_t resume);
141 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
142 isc_logmodule_t *module, int level, const char *fmt, va_list ap)
143 ISC_FORMAT_PRINTF(5, 0);
146 validator_log(dns_validator_t *val, int level, const char *fmt, ...)
147 ISC_FORMAT_PRINTF(3, 4);
150 validator_logcreate(dns_validator_t *val,
151 dns_name_t *name, dns_rdatatype_t type,
152 const char *caller, const char *operation);
155 dlv_validatezonekey(dns_validator_t *val);
158 dlv_validator_start(dns_validator_t *val);
161 finddlvsep(dns_validator_t *val, isc_boolean_t resume);
164 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
167 * Mark the RRsets as a answer.
170 markanswer(dns_validator_t *val) {
171 validator_log(val, ISC_LOG_DEBUG(3), "marking as answer");
172 if (val->event->rdataset != NULL)
173 val->event->rdataset->trust = dns_trust_answer;
174 if (val->event->sigrdataset != NULL)
175 val->event->sigrdataset->trust = dns_trust_answer;
179 validator_done(dns_validator_t *val, isc_result_t result) {
182 if (val->event == NULL)
186 * Caller must be holding the lock.
189 val->event->result = result;
190 task = val->event->ev_sender;
191 val->event->ev_sender = val;
192 val->event->ev_type = DNS_EVENT_VALIDATORDONE;
193 val->event->ev_action = val->action;
194 val->event->ev_arg = val->arg;
195 isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
198 static inline isc_boolean_t
199 exit_check(dns_validator_t *val) {
201 * Caller must be holding the lock.
206 INSIST(val->event == NULL);
208 if (val->fetch != NULL || val->subvalidator != NULL)
215 * Check that we have atleast one supported algorithm in the DLV RRset.
217 static inline isc_boolean_t
218 dlv_algorithm_supported(dns_validator_t *val) {
219 dns_rdata_t rdata = DNS_RDATA_INIT;
223 for (result = dns_rdataset_first(&val->dlv);
224 result == ISC_R_SUCCESS;
225 result = dns_rdataset_next(&val->dlv)) {
226 dns_rdata_reset(&rdata);
227 dns_rdataset_current(&val->dlv, &rdata);
228 result = dns_rdata_tostruct(&rdata, &dlv, NULL);
229 RUNTIME_CHECK(result == ISC_R_SUCCESS);
231 if (!dns_resolver_algorithm_supported(val->view->resolver,
236 if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
237 dlv.digest_type != DNS_DSDIGEST_SHA1)
246 * Look in the NSEC record returned from a DS query to see if there is
247 * a NS RRset at this name. If it is found we are at a delegation point.
250 isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
251 isc_result_t dbresult)
254 dns_rdata_t rdata = DNS_RDATA_INIT;
258 REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
260 dns_rdataset_init(&set);
261 if (dbresult == DNS_R_NXRRSET)
262 dns_rdataset_clone(rdataset, &set);
264 result = dns_ncache_getrdataset(rdataset, name,
265 dns_rdatatype_nsec, &set);
266 if (result != ISC_R_SUCCESS)
270 INSIST(set.type == dns_rdatatype_nsec);
273 result = dns_rdataset_first(&set);
274 if (result == ISC_R_SUCCESS) {
275 dns_rdataset_current(&set, &rdata);
276 found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
278 dns_rdataset_disassociate(&set);
283 * We have been asked to to look for a key.
284 * If found resume the validation process.
285 * If not found fail the validation process.
288 fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
289 dns_fetchevent_t *devent;
290 dns_validator_t *val;
291 dns_rdataset_t *rdataset;
292 isc_boolean_t want_destroy;
294 isc_result_t eresult;
297 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
298 devent = (dns_fetchevent_t *)event;
299 val = devent->ev_arg;
300 rdataset = &val->frdataset;
301 eresult = devent->result;
303 /* Free resources which are not of interest. */
304 if (devent->node != NULL)
305 dns_db_detachnode(devent->db, &devent->node);
306 if (devent->db != NULL)
307 dns_db_detach(&devent->db);
308 if (dns_rdataset_isassociated(&val->fsigrdataset))
309 dns_rdataset_disassociate(&val->fsigrdataset);
310 isc_event_free(&event);
311 dns_resolver_destroyfetch(&val->fetch);
313 INSIST(val->event != NULL);
315 validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
318 validator_done(val, ISC_R_CANCELED);
319 } else if (eresult == ISC_R_SUCCESS) {
320 validator_log(val, ISC_LOG_DEBUG(3),
321 "keyset with trust %d", rdataset->trust);
323 * Only extract the dst key if the keyset is secure.
325 if (rdataset->trust >= dns_trust_secure) {
326 result = get_dst_key(val, val->siginfo, rdataset);
327 if (result == ISC_R_SUCCESS)
328 val->keyset = &val->frdataset;
330 result = validate(val, ISC_TRUE);
331 if (result != DNS_R_WAIT)
332 validator_done(val, result);
334 validator_log(val, ISC_LOG_DEBUG(3),
335 "fetch_callback_validator: got %s",
336 isc_result_totext(eresult));
337 if (eresult == ISC_R_CANCELED)
338 validator_done(val, eresult);
340 validator_done(val, DNS_R_NOVALIDKEY);
342 want_destroy = exit_check(val);
349 * We were asked to look for a DS record as part of following a key chain
350 * upwards. If found resume the validation process. If not found fail the
351 * validation process.
354 dsfetched(isc_task_t *task, isc_event_t *event) {
355 dns_fetchevent_t *devent;
356 dns_validator_t *val;
357 dns_rdataset_t *rdataset;
358 isc_boolean_t want_destroy;
360 isc_result_t eresult;
363 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
364 devent = (dns_fetchevent_t *)event;
365 val = devent->ev_arg;
366 rdataset = &val->frdataset;
367 eresult = devent->result;
369 /* Free resources which are not of interest. */
370 if (devent->node != NULL)
371 dns_db_detachnode(devent->db, &devent->node);
372 if (devent->db != NULL)
373 dns_db_detach(&devent->db);
374 if (dns_rdataset_isassociated(&val->fsigrdataset))
375 dns_rdataset_disassociate(&val->fsigrdataset);
376 isc_event_free(&event);
377 dns_resolver_destroyfetch(&val->fetch);
379 INSIST(val->event != NULL);
381 validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched");
384 validator_done(val, ISC_R_CANCELED);
385 } else if (eresult == ISC_R_SUCCESS) {
386 validator_log(val, ISC_LOG_DEBUG(3),
387 "dsset with trust %d", rdataset->trust);
388 val->dsset = &val->frdataset;
389 result = validatezonekey(val);
390 if (result != DNS_R_WAIT)
391 validator_done(val, result);
392 } else if (eresult == DNS_R_NXRRSET ||
393 eresult == DNS_R_NCACHENXRRSET ||
394 eresult == DNS_R_SERVFAIL) /* RFC 1034 parent? */
396 validator_log(val, ISC_LOG_DEBUG(3),
397 "falling back to insecurity proof (%s)",
398 dns_result_totext(eresult));
399 val->attributes |= VALATTR_INSECURITY;
400 result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
401 if (result != DNS_R_WAIT)
402 validator_done(val, result);
404 validator_log(val, ISC_LOG_DEBUG(3),
406 isc_result_totext(eresult));
407 if (eresult == ISC_R_CANCELED)
408 validator_done(val, eresult);
410 validator_done(val, DNS_R_NOVALIDDS);
412 want_destroy = exit_check(val);
419 * We were asked to look for the DS record as part of proving that a
422 * If the DS record doesn't exist and the query name corresponds to
423 * a delegation point we are transitioning from a secure zone to a
426 * If the DS record exists it will be secure. We can continue looking
427 * for the break point in the chain of trust.
430 dsfetched2(isc_task_t *task, isc_event_t *event) {
431 dns_fetchevent_t *devent;
432 dns_validator_t *val;
434 isc_boolean_t want_destroy;
436 isc_result_t eresult;
439 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
440 devent = (dns_fetchevent_t *)event;
441 val = devent->ev_arg;
442 eresult = devent->result;
444 /* Free resources which are not of interest. */
445 if (devent->node != NULL)
446 dns_db_detachnode(devent->db, &devent->node);
447 if (devent->db != NULL)
448 dns_db_detach(&devent->db);
449 if (dns_rdataset_isassociated(&val->fsigrdataset))
450 dns_rdataset_disassociate(&val->fsigrdataset);
451 dns_resolver_destroyfetch(&val->fetch);
453 INSIST(val->event != NULL);
455 validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2: %s",
456 dns_result_totext(eresult));
459 validator_done(val, ISC_R_CANCELED);
460 } else if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) {
462 * There is no DS. If this is a delegation, we're done.
464 tname = dns_fixedname_name(&devent->foundname);
465 if (isdelegation(tname, &val->frdataset, eresult)) {
466 if (val->mustbesecure) {
467 validator_log(val, ISC_LOG_WARNING,
468 "must be secure failure");
469 validator_done(val, DNS_R_MUSTBESECURE);
470 } else if (val->view->dlv == NULL || DLVTRIED(val)) {
472 validator_done(val, ISC_R_SUCCESS);
474 result = startfinddlvsep(val, tname);
475 if (result != DNS_R_WAIT)
476 validator_done(val, result);
479 result = proveunsecure(val, ISC_FALSE, ISC_TRUE);
480 if (result != DNS_R_WAIT)
481 validator_done(val, result);
483 } else if (eresult == ISC_R_SUCCESS ||
484 eresult == DNS_R_NXDOMAIN ||
485 eresult == DNS_R_NCACHENXDOMAIN)
488 * There is a DS which may or may not be a zone cut.
489 * In either case we are still in a secure zone resume
492 result = proveunsecure(val, ISC_TF(eresult == ISC_R_SUCCESS),
494 if (result != DNS_R_WAIT)
495 validator_done(val, result);
497 if (eresult == ISC_R_CANCELED)
498 validator_done(val, eresult);
500 validator_done(val, DNS_R_NOVALIDDS);
502 isc_event_free(&event);
503 want_destroy = exit_check(val);
510 * Callback from when a DNSKEY RRset has been validated.
512 * Resumes the stalled validation process.
515 keyvalidated(isc_task_t *task, isc_event_t *event) {
516 dns_validatorevent_t *devent;
517 dns_validator_t *val;
518 isc_boolean_t want_destroy;
520 isc_result_t eresult;
523 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
525 devent = (dns_validatorevent_t *)event;
526 val = devent->ev_arg;
527 eresult = devent->result;
529 isc_event_free(&event);
530 dns_validator_destroy(&val->subvalidator);
532 INSIST(val->event != NULL);
534 validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
537 validator_done(val, ISC_R_CANCELED);
538 } else if (eresult == ISC_R_SUCCESS) {
539 validator_log(val, ISC_LOG_DEBUG(3),
540 "keyset with trust %d", val->frdataset.trust);
542 * Only extract the dst key if the keyset is secure.
544 if (val->frdataset.trust >= dns_trust_secure)
545 (void) get_dst_key(val, val->siginfo, &val->frdataset);
546 result = validate(val, ISC_TRUE);
547 if (result != DNS_R_WAIT)
548 validator_done(val, result);
550 validator_log(val, ISC_LOG_DEBUG(3),
551 "keyvalidated: got %s",
552 isc_result_totext(eresult));
553 validator_done(val, eresult);
555 want_destroy = exit_check(val);
562 * Callback when the DS record has been validated.
564 * Resumes validation of the zone key or the unsecure zone proof.
567 dsvalidated(isc_task_t *task, isc_event_t *event) {
568 dns_validatorevent_t *devent;
569 dns_validator_t *val;
570 isc_boolean_t want_destroy;
572 isc_result_t eresult;
575 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
577 devent = (dns_validatorevent_t *)event;
578 val = devent->ev_arg;
579 eresult = devent->result;
581 isc_event_free(&event);
582 dns_validator_destroy(&val->subvalidator);
584 INSIST(val->event != NULL);
586 validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
589 validator_done(val, ISC_R_CANCELED);
590 } else if (eresult == ISC_R_SUCCESS) {
591 validator_log(val, ISC_LOG_DEBUG(3),
592 "dsset with trust %d", val->frdataset.trust);
593 if ((val->attributes & VALATTR_INSECURITY) != 0)
594 result = proveunsecure(val, ISC_TRUE, ISC_TRUE);
596 result = validatezonekey(val);
597 if (result != DNS_R_WAIT)
598 validator_done(val, result);
600 validator_log(val, ISC_LOG_DEBUG(3),
601 "dsvalidated: got %s",
602 isc_result_totext(eresult));
603 validator_done(val, eresult);
605 want_destroy = exit_check(val);
612 * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
613 * or we can determine whether there is data or not at the name.
614 * If the name does not exist return the wildcard name.
616 * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
619 nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
620 dns_rdataset_t *nsecset, isc_boolean_t *exists,
621 isc_boolean_t *data, dns_name_t *wild)
624 dns_rdata_t rdata = DNS_RDATA_INIT;
626 dns_namereln_t relation;
627 unsigned int olabels, nlabels, labels;
628 dns_rdata_nsec_t nsec;
629 isc_boolean_t atparent;
633 REQUIRE(exists != NULL);
634 REQUIRE(data != NULL);
635 REQUIRE(nsecset != NULL &&
636 nsecset->type == dns_rdatatype_nsec);
638 result = dns_rdataset_first(nsecset);
639 if (result != ISC_R_SUCCESS) {
640 validator_log(val, ISC_LOG_DEBUG(3),
641 "failure processing NSEC set");
644 dns_rdataset_current(nsecset, &rdata);
646 validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant nsec");
647 relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
651 * The name is not within the NSEC range.
653 validator_log(val, ISC_LOG_DEBUG(3),
654 "NSEC does not cover name, before NSEC");
655 return (ISC_R_IGNORE);
660 * The names are the same.
662 atparent = dns_rdatatype_atparent(val->event->type);
663 ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
664 soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
668 * This NSEC record is from somewhere higher in
669 * the DNS, and at the parent of a delegation.
670 * It can not be legitimately used here.
672 validator_log(val, ISC_LOG_DEBUG(3),
673 "ignoring parent nsec");
674 return (ISC_R_IGNORE);
676 } else if (atparent && ns && soa) {
678 * This NSEC record is from the child.
679 * It can not be legitimately used here.
681 validator_log(val, ISC_LOG_DEBUG(3),
682 "ignoring child nsec");
683 return (ISC_R_IGNORE);
685 if (val->event->type == dns_rdatatype_cname ||
686 val->event->type == dns_rdatatype_nxt ||
687 val->event->type == dns_rdatatype_nsec ||
688 val->event->type == dns_rdatatype_key ||
689 !dns_nsec_typepresent(&rdata, dns_rdatatype_cname)) {
691 *data = dns_nsec_typepresent(&rdata, val->event->type);
692 validator_log(val, ISC_LOG_DEBUG(3),
693 "nsec proves name exists (owner) data=%d",
695 return (ISC_R_SUCCESS);
697 validator_log(val, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
698 return (ISC_R_IGNORE);
701 if (relation == dns_namereln_subdomain &&
702 dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
703 !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
706 * This NSEC record is from somewhere higher in
707 * the DNS, and at the parent of a delegation.
708 * It can not be legitimately used here.
710 validator_log(val, ISC_LOG_DEBUG(3), "ignoring parent nsec");
711 return (ISC_R_IGNORE);
714 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
715 if (result != ISC_R_SUCCESS)
717 relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
719 dns_rdata_freestruct(&nsec);
720 validator_log(val, ISC_LOG_DEBUG(3),
721 "ignoring nsec matches next name");
722 return (ISC_R_IGNORE);
725 if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
727 * The name is not within the NSEC range.
729 dns_rdata_freestruct(&nsec);
730 validator_log(val, ISC_LOG_DEBUG(3),
731 "ignoring nsec because name is past end of range");
732 return (ISC_R_IGNORE);
735 if (order > 0 && relation == dns_namereln_subdomain) {
736 validator_log(val, ISC_LOG_DEBUG(3),
737 "nsec proves name exist (empty)");
738 dns_rdata_freestruct(&nsec);
741 return (ISC_R_SUCCESS);
745 dns_name_init(&common, NULL);
746 if (olabels > nlabels) {
747 labels = dns_name_countlabels(nsecname);
748 dns_name_getlabelsequence(nsecname, labels - olabels,
751 labels = dns_name_countlabels(&nsec.next);
752 dns_name_getlabelsequence(&nsec.next, labels - nlabels,
755 result = dns_name_concatenate(dns_wildcardname, &common,
757 if (result != ISC_R_SUCCESS) {
758 dns_rdata_freestruct(&nsec);
759 validator_log(val, ISC_LOG_DEBUG(3),
760 "failure generating wildcard name");
764 dns_rdata_freestruct(&nsec);
765 validator_log(val, ISC_LOG_DEBUG(3), "nsec range ok");
767 return (ISC_R_SUCCESS);
771 * Callback for when NSEC records have been validated.
773 * Looks for NOQNAME and NODATA proofs.
775 * Resumes nsecvalidate.
778 authvalidated(isc_task_t *task, isc_event_t *event) {
779 dns_validatorevent_t *devent;
780 dns_validator_t *val;
781 dns_rdataset_t *rdataset;
782 isc_boolean_t want_destroy;
784 isc_boolean_t exists, data;
787 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
789 devent = (dns_validatorevent_t *)event;
790 rdataset = devent->rdataset;
791 val = devent->ev_arg;
792 result = devent->result;
793 dns_validator_destroy(&val->subvalidator);
795 INSIST(val->event != NULL);
797 validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
800 validator_done(val, ISC_R_CANCELED);
801 } else if (result != ISC_R_SUCCESS) {
802 validator_log(val, ISC_LOG_DEBUG(3),
803 "authvalidated: got %s",
804 isc_result_totext(result));
805 if (result == ISC_R_CANCELED)
806 validator_done(val, result);
808 result = nsecvalidate(val, ISC_TRUE);
809 if (result != DNS_R_WAIT)
810 validator_done(val, result);
813 dns_name_t **proofs = val->event->proofs;
814 dns_name_t *wild = dns_fixedname_name(&val->wild);
816 if (rdataset->trust == dns_trust_secure)
817 val->seensig = ISC_TRUE;
819 if (rdataset->type == dns_rdatatype_nsec &&
820 rdataset->trust == dns_trust_secure &&
821 ((val->attributes & VALATTR_NEEDNODATA) != 0 ||
822 (val->attributes & VALATTR_NEEDNOQNAME) != 0) &&
823 (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
824 (val->attributes & VALATTR_FOUNDNOQNAME) == 0 &&
825 nsecnoexistnodata(val, val->event->name, devent->name,
826 rdataset, &exists, &data, wild)
829 if (exists && !data) {
830 val->attributes |= VALATTR_FOUNDNODATA;
832 proofs[DNS_VALIDATOR_NODATAPROOF] =
836 val->attributes |= VALATTR_FOUNDNOQNAME;
837 if (NEEDNOQNAME(val))
838 proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
842 result = nsecvalidate(val, ISC_TRUE);
843 if (result != DNS_R_WAIT)
844 validator_done(val, result);
846 want_destroy = exit_check(val);
852 * Free stuff from the event.
854 isc_event_free(&event);
858 * Looks for the requested name and type in the view (zones and cache).
860 * When looking for a DLV record also checks to make sure the NSEC record
861 * returns covers the query name as part of aggressive negative caching.
866 * \li DNS_R_NCACHENXDOMAIN
867 * \li DNS_R_NCACHENXRRSET
871 static inline isc_result_t
872 view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
873 dns_fixedname_t fixedname;
874 dns_name_t *foundname;
875 dns_rdata_nsec_t nsec;
876 dns_rdata_t rdata = DNS_RDATA_INIT;
878 unsigned int options;
879 char buf1[DNS_NAME_FORMATSIZE];
880 char buf2[DNS_NAME_FORMATSIZE];
881 char buf3[DNS_NAME_FORMATSIZE];
883 if (dns_rdataset_isassociated(&val->frdataset))
884 dns_rdataset_disassociate(&val->frdataset);
885 if (dns_rdataset_isassociated(&val->fsigrdataset))
886 dns_rdataset_disassociate(&val->fsigrdataset);
888 if (val->view->zonetable == NULL)
889 return (ISC_R_CANCELED);
891 options = DNS_DBFIND_PENDINGOK;
892 if (type == dns_rdatatype_dlv)
893 options |= DNS_DBFIND_COVERINGNSEC;
894 dns_fixedname_init(&fixedname);
895 foundname = dns_fixedname_name(&fixedname);
896 result = dns_view_find(val->view, name, type, 0, options,
897 ISC_FALSE, NULL, NULL, foundname,
898 &val->frdataset, &val->fsigrdataset);
899 if (result == DNS_R_NXDOMAIN) {
900 if (dns_rdataset_isassociated(&val->frdataset))
901 dns_rdataset_disassociate(&val->frdataset);
902 if (dns_rdataset_isassociated(&val->fsigrdataset))
903 dns_rdataset_disassociate(&val->fsigrdataset);
904 } else if (result == DNS_R_COVERINGNSEC) {
905 validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC");
907 * Check if the returned NSEC covers the name.
909 INSIST(type == dns_rdatatype_dlv);
910 if (val->frdataset.trust != dns_trust_secure) {
911 validator_log(val, ISC_LOG_DEBUG(3),
912 "covering nsec: trust %u",
913 val->frdataset.trust);
916 result = dns_rdataset_first(&val->frdataset);
917 if (result != ISC_R_SUCCESS)
919 dns_rdataset_current(&val->frdataset, &rdata);
920 if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
921 !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) {
922 /* Parent NSEC record. */
923 if (dns_name_issubdomain(name, foundname)) {
924 validator_log(val, ISC_LOG_DEBUG(3),
925 "covering nsec: for parent");
929 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
930 if (result != ISC_R_SUCCESS)
932 if (dns_name_compare(foundname, &nsec.next) >= 0) {
933 /* End of zone chain. */
934 if (!dns_name_issubdomain(name, &nsec.next)) {
936 * XXXMPA We could look for a parent NSEC
937 * at nsec.next and if found retest with
940 dns_rdata_freestruct(&nsec);
941 validator_log(val, ISC_LOG_DEBUG(3),
942 "covering nsec: not in zone");
945 } else if (dns_name_compare(name, &nsec.next) >= 0) {
947 * XXXMPA We could check if this NSEC is at a zone
948 * apex and if the qname is not below it and look for
949 * a parent NSEC with the same name. This requires
950 * that we can cache both NSEC records which we
951 * currently don't support.
953 dns_rdata_freestruct(&nsec);
954 validator_log(val, ISC_LOG_DEBUG(3),
955 "covering nsec: not in range");
958 if (isc_log_wouldlog(dns_lctx,ISC_LOG_DEBUG(3))) {
959 dns_name_format(name, buf1, sizeof buf1);
960 dns_name_format(foundname, buf2, sizeof buf2);
961 dns_name_format(&nsec.next, buf3, sizeof buf3);
962 validator_log(val, ISC_LOG_DEBUG(3),
963 "covering nsec found: '%s' '%s' '%s'",
966 if (dns_rdataset_isassociated(&val->frdataset))
967 dns_rdataset_disassociate(&val->frdataset);
968 if (dns_rdataset_isassociated(&val->fsigrdataset))
969 dns_rdataset_disassociate(&val->fsigrdataset);
970 dns_rdata_freestruct(&nsec);
971 result = DNS_R_NCACHENXDOMAIN;
972 } else if (result != ISC_R_SUCCESS &&
973 result != DNS_R_NCACHENXDOMAIN &&
974 result != DNS_R_NCACHENXRRSET &&
975 result != DNS_R_EMPTYNAME &&
976 result != DNS_R_NXRRSET &&
977 result != ISC_R_NOTFOUND) {
983 if (dns_rdataset_isassociated(&val->frdataset))
984 dns_rdataset_disassociate(&val->frdataset);
985 if (dns_rdataset_isassociated(&val->fsigrdataset))
986 dns_rdataset_disassociate(&val->fsigrdataset);
987 return (ISC_R_NOTFOUND);
991 * Checks to make sure we are not going to loop. As we use a SHARED fetch
992 * the validation process will stall if looping was to occur.
994 static inline isc_boolean_t
995 check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
996 dns_validator_t *parent;
998 for (parent = val; parent != NULL; parent = parent->parent) {
999 if (parent->event != NULL &&
1000 parent->event->type == type &&
1001 dns_name_equal(parent->event->name, name))
1003 validator_log(val, ISC_LOG_DEBUG(3),
1004 "continuing validation would lead to "
1005 "deadlock: aborting validation");
1013 * Start a fetch for the requested name and type.
1015 static inline isc_result_t
1016 create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
1017 isc_taskaction_t callback, const char *caller)
1019 if (dns_rdataset_isassociated(&val->frdataset))
1020 dns_rdataset_disassociate(&val->frdataset);
1021 if (dns_rdataset_isassociated(&val->fsigrdataset))
1022 dns_rdataset_disassociate(&val->fsigrdataset);
1024 if (check_deadlock(val, name, type))
1025 return (DNS_R_NOVALIDSIG);
1027 validator_logcreate(val, name, type, caller, "fetch");
1028 return (dns_resolver_createfetch(val->view->resolver, name, type,
1029 NULL, NULL, NULL, 0,
1030 val->event->ev_sender,
1038 * Start a subvalidation process.
1040 static inline isc_result_t
1041 create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
1042 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
1043 isc_taskaction_t action, const char *caller)
1045 isc_result_t result;
1047 if (check_deadlock(val, name, type))
1048 return (DNS_R_NOVALIDSIG);
1050 validator_logcreate(val, name, type, caller, "validator");
1051 result = dns_validator_create(val->view, name, type,
1052 rdataset, sigrdataset, NULL, 0,
1053 val->task, action, val,
1054 &val->subvalidator);
1055 if (result == ISC_R_SUCCESS) {
1056 val->subvalidator->parent = val;
1057 val->subvalidator->depth = val->depth + 1;
1063 * Try to find a key that could have signed 'siginfo' among those
1064 * in 'rdataset'. If found, build a dst_key_t for it and point
1067 * If val->key is non-NULL, this returns the next matching key.
1070 get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
1071 dns_rdataset_t *rdataset)
1073 isc_result_t result;
1075 dns_rdata_t rdata = DNS_RDATA_INIT;
1076 dst_key_t *oldkey = val->key;
1077 isc_boolean_t foundold;
1080 foundold = ISC_TRUE;
1082 foundold = ISC_FALSE;
1086 result = dns_rdataset_first(rdataset);
1087 if (result != ISC_R_SUCCESS)
1090 dns_rdataset_current(rdataset, &rdata);
1092 isc_buffer_init(&b, rdata.data, rdata.length);
1093 isc_buffer_add(&b, rdata.length);
1094 INSIST(val->key == NULL);
1095 result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
1096 val->view->mctx, &val->key);
1097 if (result != ISC_R_SUCCESS)
1099 if (siginfo->algorithm ==
1100 (dns_secalg_t)dst_key_alg(val->key) &&
1102 (dns_keytag_t)dst_key_id(val->key) &&
1103 dst_key_iszonekey(val->key))
1107 * This is the key we're looking for.
1109 return (ISC_R_SUCCESS);
1110 else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
1112 foundold = ISC_TRUE;
1113 dst_key_free(&oldkey);
1116 dst_key_free(&val->key);
1117 dns_rdata_reset(&rdata);
1118 result = dns_rdataset_next(rdataset);
1119 } while (result == ISC_R_SUCCESS);
1120 if (result == ISC_R_NOMORE)
1121 result = ISC_R_NOTFOUND;
1125 dst_key_free(&oldkey);
1131 * Get the key that genertated this signature.
1134 get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
1135 isc_result_t result;
1136 unsigned int nlabels;
1138 dns_namereln_t namereln;
1141 * Is the signer name appropriate for this signature?
1143 * The signer name must be at the same level as the owner name
1144 * or closer to the the DNS root.
1146 namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
1148 if (namereln != dns_namereln_subdomain &&
1149 namereln != dns_namereln_equal)
1150 return (DNS_R_CONTINUE);
1152 if (namereln == dns_namereln_equal) {
1154 * If this is a self-signed keyset, it must not be a zone key
1155 * (since get_key is not called from validatezonekey).
1157 if (val->event->rdataset->type == dns_rdatatype_dnskey)
1158 return (DNS_R_CONTINUE);
1161 * Records appearing in the parent zone at delegation
1162 * points cannot be self-signed.
1164 if (dns_rdatatype_atparent(val->event->rdataset->type))
1165 return (DNS_R_CONTINUE);
1169 * Do we know about this key?
1171 result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
1172 if (result == ISC_R_SUCCESS) {
1174 * We have an rrset for the given keyname.
1176 val->keyset = &val->frdataset;
1177 if (val->frdataset.trust == dns_trust_pending &&
1178 dns_rdataset_isassociated(&val->fsigrdataset))
1181 * We know the key but haven't validated it yet.
1183 result = create_validator(val, &siginfo->signer,
1184 dns_rdatatype_dnskey,
1189 if (result != ISC_R_SUCCESS)
1191 return (DNS_R_WAIT);
1192 } else if (val->frdataset.trust == dns_trust_pending) {
1194 * Having a pending key with no signature means that
1195 * something is broken.
1197 result = DNS_R_CONTINUE;
1198 } else if (val->frdataset.trust < dns_trust_secure) {
1200 * The key is legitimately insecure. There's no
1201 * point in even attempting verification.
1204 result = ISC_R_SUCCESS;
1207 * See if we've got the key used in the signature.
1209 validator_log(val, ISC_LOG_DEBUG(3),
1210 "keyset with trust %d",
1211 val->frdataset.trust);
1212 result = get_dst_key(val, siginfo, val->keyset);
1213 if (result != ISC_R_SUCCESS) {
1215 * Either the key we're looking for is not
1216 * in the rrset, or something bad happened.
1219 result = DNS_R_CONTINUE;
1222 } else if (result == ISC_R_NOTFOUND) {
1224 * We don't know anything about this key.
1226 result = create_fetch(val, &siginfo->signer, dns_rdatatype_dnskey,
1227 fetch_callback_validator, "get_key");
1228 if (result != ISC_R_SUCCESS)
1230 return (DNS_R_WAIT);
1231 } else if (result == DNS_R_NCACHENXDOMAIN ||
1232 result == DNS_R_NCACHENXRRSET ||
1233 result == DNS_R_EMPTYNAME ||
1234 result == DNS_R_NXDOMAIN ||
1235 result == DNS_R_NXRRSET)
1238 * This key doesn't exist.
1240 result = DNS_R_CONTINUE;
1243 if (dns_rdataset_isassociated(&val->frdataset) &&
1244 val->keyset != &val->frdataset)
1245 dns_rdataset_disassociate(&val->frdataset);
1246 if (dns_rdataset_isassociated(&val->fsigrdataset))
1247 dns_rdataset_disassociate(&val->fsigrdataset);
1253 compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
1256 dns_rdata_toregion(rdata, &r);
1257 return (dst_region_computeid(&r, key->algorithm));
1261 * Is this keyset self-signed?
1263 static isc_boolean_t
1264 isselfsigned(dns_validator_t *val) {
1265 dns_rdataset_t *rdataset, *sigrdataset;
1266 dns_rdata_t rdata = DNS_RDATA_INIT;
1267 dns_rdata_t sigrdata = DNS_RDATA_INIT;
1268 dns_rdata_dnskey_t key;
1269 dns_rdata_rrsig_t sig;
1270 dns_keytag_t keytag;
1271 isc_result_t result;
1273 rdataset = val->event->rdataset;
1274 sigrdataset = val->event->sigrdataset;
1276 INSIST(rdataset->type == dns_rdatatype_dnskey);
1278 for (result = dns_rdataset_first(rdataset);
1279 result == ISC_R_SUCCESS;
1280 result = dns_rdataset_next(rdataset))
1282 dns_rdata_reset(&rdata);
1283 dns_rdataset_current(rdataset, &rdata);
1284 result = dns_rdata_tostruct(&rdata, &key, NULL);
1285 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1286 keytag = compute_keytag(&rdata, &key);
1287 for (result = dns_rdataset_first(sigrdataset);
1288 result == ISC_R_SUCCESS;
1289 result = dns_rdataset_next(sigrdataset))
1291 dns_rdata_reset(&sigrdata);
1292 dns_rdataset_current(sigrdataset, &sigrdata);
1293 result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
1294 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1296 if (sig.algorithm == key.algorithm &&
1297 sig.keyid == keytag)
1305 * Attempt to verify the rdataset using the given key and rdata (RRSIG).
1306 * The signature was good and from a wildcard record and the QNAME does
1307 * not match the wildcard we need to look for a NOQNAME proof.
1310 * \li ISC_R_SUCCESS if the verification succeeds.
1311 * \li Others if the verification fails.
1314 verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
1317 isc_result_t result;
1318 dns_fixedname_t fixed;
1319 isc_boolean_t ignore = ISC_FALSE;
1321 val->attributes |= VALATTR_TRIEDVERIFY;
1322 dns_fixedname_init(&fixed);
1324 result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
1325 key, ignore, val->view->mctx, rdata,
1326 dns_fixedname_name(&fixed));
1327 if (result == DNS_R_SIGEXPIRED && val->view->acceptexpired) {
1331 if (ignore && (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD))
1332 validator_log(val, ISC_LOG_INFO,
1333 "accepted expired %sRRSIG (keyid=%u)",
1334 (result == DNS_R_FROMWILDCARD) ?
1335 "wildcard " : "", keyid);
1337 validator_log(val, ISC_LOG_DEBUG(3),
1338 "verify rdataset (keyid=%u): %s",
1339 keyid, isc_result_totext(result));
1340 if (result == DNS_R_FROMWILDCARD) {
1341 if (!dns_name_equal(val->event->name,
1342 dns_fixedname_name(&fixed)))
1343 val->attributes |= VALATTR_NEEDNOQNAME;
1344 result = ISC_R_SUCCESS;
1350 * Attempts positive response validation of a normal RRset.
1353 * \li ISC_R_SUCCESS Validation completed successfully
1354 * \li DNS_R_WAIT Validation has started but is waiting
1356 * \li Other return codes are possible and all indicate failure.
1359 validate(dns_validator_t *val, isc_boolean_t resume) {
1360 isc_result_t result;
1361 dns_validatorevent_t *event;
1362 dns_rdata_t rdata = DNS_RDATA_INIT;
1365 * Caller must be holding the validator lock.
1372 * We already have a sigrdataset.
1374 result = ISC_R_SUCCESS;
1375 validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
1377 result = dns_rdataset_first(event->sigrdataset);
1381 result == ISC_R_SUCCESS;
1382 result = dns_rdataset_next(event->sigrdataset))
1384 dns_rdata_reset(&rdata);
1385 dns_rdataset_current(event->sigrdataset, &rdata);
1386 if (val->siginfo == NULL) {
1387 val->siginfo = isc_mem_get(val->view->mctx,
1388 sizeof(*val->siginfo));
1389 if (val->siginfo == NULL)
1390 return (ISC_R_NOMEMORY);
1392 result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
1393 if (result != ISC_R_SUCCESS)
1397 * At this point we could check that the signature algorithm
1398 * was known and "sufficiently good".
1400 if (!dns_resolver_algorithm_supported(val->view->resolver,
1402 val->siginfo->algorithm))
1406 result = get_key(val, val->siginfo);
1407 if (result == DNS_R_CONTINUE)
1408 continue; /* Try the next SIG RR. */
1409 if (result != ISC_R_SUCCESS)
1414 * The key is insecure, so mark the data as insecure also.
1416 if (val->key == NULL) {
1417 if (val->mustbesecure) {
1418 validator_log(val, ISC_LOG_WARNING,
1419 "must be secure failure");
1420 return (DNS_R_MUSTBESECURE);
1423 return (ISC_R_SUCCESS);
1427 result = verify(val, val->key, &rdata,
1428 val->siginfo->keyid);
1429 if (result == ISC_R_SUCCESS)
1431 if (val->keynode != NULL) {
1432 dns_keynode_t *nextnode = NULL;
1433 result = dns_keytable_findnextkeynode(
1437 dns_keytable_detachkeynode(val->keytable,
1439 val->keynode = nextnode;
1440 if (result != ISC_R_SUCCESS) {
1444 val->key = dns_keynode_key(val->keynode);
1446 if (get_dst_key(val, val->siginfo, val->keyset)
1451 if (result != ISC_R_SUCCESS)
1452 validator_log(val, ISC_LOG_DEBUG(3),
1453 "failed to verify rdataset");
1458 isc_stdtime_get(&now);
1459 ttl = ISC_MIN(event->rdataset->ttl,
1460 val->siginfo->timeexpire - now);
1461 if (val->keyset != NULL)
1462 ttl = ISC_MIN(ttl, val->keyset->ttl);
1463 event->rdataset->ttl = ttl;
1464 event->sigrdataset->ttl = ttl;
1467 if (val->keynode != NULL)
1468 dns_keytable_detachkeynode(val->keytable,
1471 if (val->key != NULL)
1472 dst_key_free(&val->key);
1473 if (val->keyset != NULL) {
1474 dns_rdataset_disassociate(val->keyset);
1479 if ((val->attributes & VALATTR_NEEDNOQNAME) != 0) {
1480 if (val->event->message == NULL) {
1481 validator_log(val, ISC_LOG_DEBUG(3),
1482 "no message available for noqname proof");
1483 return (DNS_R_NOVALIDSIG);
1485 validator_log(val, ISC_LOG_DEBUG(3),
1486 "looking for noqname proof");
1487 return (nsecvalidate(val, ISC_FALSE));
1488 } else if (result == ISC_R_SUCCESS) {
1489 event->rdataset->trust = dns_trust_secure;
1490 event->sigrdataset->trust = dns_trust_secure;
1491 validator_log(val, ISC_LOG_DEBUG(3),
1492 "marking as secure");
1495 validator_log(val, ISC_LOG_DEBUG(3),
1496 "verify failure: %s",
1497 isc_result_totext(result));
1501 if (result != ISC_R_NOMORE) {
1502 validator_log(val, ISC_LOG_DEBUG(3),
1503 "failed to iterate signatures: %s",
1504 isc_result_totext(result));
1508 validator_log(val, ISC_LOG_INFO, "no valid signature found");
1509 return (DNS_R_NOVALIDSIG);
1513 * Validate the DNSKEY RRset by looking for a DNSKEY that matches a
1514 * DLV record and that also verifies the DNSKEY RRset.
1517 dlv_validatezonekey(dns_validator_t *val) {
1518 dns_keytag_t keytag;
1519 dns_rdata_dlv_t dlv;
1520 dns_rdata_dnskey_t key;
1521 dns_rdata_rrsig_t sig;
1522 dns_rdata_t dlvrdata = DNS_RDATA_INIT;
1523 dns_rdata_t keyrdata = DNS_RDATA_INIT;
1524 dns_rdata_t newdsrdata = DNS_RDATA_INIT;
1525 dns_rdata_t sigrdata = DNS_RDATA_INIT;
1526 dns_rdataset_t trdataset;
1528 isc_boolean_t supported_algorithm;
1529 isc_result_t result;
1530 unsigned char dsbuf[DNS_DS_BUFFERSIZE];
1531 isc_uint8_t digest_type;
1533 validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
1536 * Look through the DLV record and find the keys that can sign the
1537 * key set and the matching signature. For each such key, attempt
1540 supported_algorithm = ISC_FALSE;
1543 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
1544 * it over DNS_DSDIGEST_SHA1. This in practice means that we
1545 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
1548 digest_type = DNS_DSDIGEST_SHA1;
1549 for (result = dns_rdataset_first(&val->dlv);
1550 result == ISC_R_SUCCESS;
1551 result = dns_rdataset_next(&val->dlv)) {
1552 dns_rdata_reset(&dlvrdata);
1553 dns_rdataset_current(&val->dlv, &dlvrdata);
1554 result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
1555 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1557 if (!dns_resolver_algorithm_supported(val->view->resolver,
1562 if (dlv.digest_type == DNS_DSDIGEST_SHA256 &&
1563 dlv.length == ISC_SHA256_DIGESTLENGTH) {
1564 digest_type = DNS_DSDIGEST_SHA256;
1569 for (result = dns_rdataset_first(&val->dlv);
1570 result == ISC_R_SUCCESS;
1571 result = dns_rdataset_next(&val->dlv))
1573 dns_rdata_reset(&dlvrdata);
1574 dns_rdataset_current(&val->dlv, &dlvrdata);
1575 result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
1576 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1578 if (!dns_resolver_digest_supported(val->view->resolver,
1582 if (dlv.digest_type != digest_type)
1585 if (!dns_resolver_algorithm_supported(val->view->resolver,
1590 supported_algorithm = ISC_TRUE;
1592 dns_rdataset_init(&trdataset);
1593 dns_rdataset_clone(val->event->rdataset, &trdataset);
1595 for (result = dns_rdataset_first(&trdataset);
1596 result == ISC_R_SUCCESS;
1597 result = dns_rdataset_next(&trdataset))
1599 dns_rdata_reset(&keyrdata);
1600 dns_rdataset_current(&trdataset, &keyrdata);
1601 result = dns_rdata_tostruct(&keyrdata, &key, NULL);
1602 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1603 keytag = compute_keytag(&keyrdata, &key);
1604 if (dlv.key_tag != keytag ||
1605 dlv.algorithm != key.algorithm)
1607 dns_rdata_reset(&newdsrdata);
1608 result = dns_ds_buildrdata(val->event->name,
1609 &keyrdata, dlv.digest_type,
1610 dsbuf, &newdsrdata);
1611 if (result != ISC_R_SUCCESS) {
1612 validator_log(val, ISC_LOG_DEBUG(3),
1613 "dns_ds_buildrdata() -> %s",
1614 dns_result_totext(result));
1618 newdsrdata.type = dns_rdatatype_dlv;
1619 if (dns_rdata_compare(&dlvrdata, &newdsrdata) == 0)
1622 if (result != ISC_R_SUCCESS) {
1623 validator_log(val, ISC_LOG_DEBUG(3),
1624 "no DNSKEY matching DLV");
1627 validator_log(val, ISC_LOG_DEBUG(3),
1628 "Found matching DLV record: checking for signature");
1630 for (result = dns_rdataset_first(val->event->sigrdataset);
1631 result == ISC_R_SUCCESS;
1632 result = dns_rdataset_next(val->event->sigrdataset))
1634 dns_rdata_reset(&sigrdata);
1635 dns_rdataset_current(val->event->sigrdataset,
1637 result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
1638 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1639 if (dlv.key_tag != sig.keyid &&
1640 dlv.algorithm != sig.algorithm)
1643 result = dns_dnssec_keyfromrdata(val->event->name,
1647 if (result != ISC_R_SUCCESS)
1649 * This really shouldn't happen, but...
1653 result = verify(val, dstkey, &sigrdata, sig.keyid);
1654 dst_key_free(&dstkey);
1655 if (result == ISC_R_SUCCESS)
1658 dns_rdataset_disassociate(&trdataset);
1659 if (result == ISC_R_SUCCESS)
1661 validator_log(val, ISC_LOG_DEBUG(3),
1662 "no RRSIG matching DLV key");
1664 if (result == ISC_R_SUCCESS) {
1665 val->event->rdataset->trust = dns_trust_secure;
1666 val->event->sigrdataset->trust = dns_trust_secure;
1667 validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
1669 } else if (result == ISC_R_NOMORE && !supported_algorithm) {
1670 if (val->mustbesecure) {
1671 validator_log(val, ISC_LOG_WARNING,
1672 "must be secure failure");
1673 return (DNS_R_MUSTBESECURE);
1675 validator_log(val, ISC_LOG_DEBUG(3),
1676 "no supported algorithm/digest (dlv)");
1678 return (ISC_R_SUCCESS);
1680 return (DNS_R_NOVALIDSIG);
1684 * Attempts positive response validation of an RRset containing zone keys.
1687 * \li ISC_R_SUCCESS Validation completed successfully
1688 * \li DNS_R_WAIT Validation has started but is waiting
1690 * \li Other return codes are possible and all indicate failure.
1693 validatezonekey(dns_validator_t *val) {
1694 isc_result_t result;
1695 dns_validatorevent_t *event;
1696 dns_rdataset_t trdataset;
1697 dns_rdata_t dsrdata = DNS_RDATA_INIT;
1698 dns_rdata_t newdsrdata = DNS_RDATA_INIT;
1699 dns_rdata_t keyrdata = DNS_RDATA_INIT;
1700 dns_rdata_t sigrdata = DNS_RDATA_INIT;
1701 unsigned char dsbuf[DNS_DS_BUFFERSIZE];
1702 char namebuf[DNS_NAME_FORMATSIZE];
1703 dns_keytag_t keytag;
1705 dns_rdata_dnskey_t key;
1706 dns_rdata_rrsig_t sig;
1708 isc_boolean_t supported_algorithm;
1709 isc_boolean_t atsep = ISC_FALSE;
1710 isc_uint8_t digest_type;
1713 * Caller must be holding the validator lock.
1718 if (val->havedlvsep && val->dlv.trust >= dns_trust_secure &&
1719 dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep)))
1720 return (dlv_validatezonekey(val));
1722 if (val->dsset == NULL) {
1724 * First, see if this key was signed by a trusted key.
1726 for (result = dns_rdataset_first(val->event->sigrdataset);
1727 result == ISC_R_SUCCESS;
1728 result = dns_rdataset_next(val->event->sigrdataset))
1730 dns_keynode_t *keynode = NULL, *nextnode = NULL;
1732 dns_rdata_reset(&sigrdata);
1733 dns_rdataset_current(val->event->sigrdataset,
1735 result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
1736 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1737 result = dns_keytable_findkeynode(val->keytable,
1742 if (result == DNS_R_PARTIALMATCH ||
1743 result == ISC_R_SUCCESS)
1745 while (result == ISC_R_SUCCESS) {
1746 dstkey = dns_keynode_key(keynode);
1747 result = verify(val, dstkey, &sigrdata,
1749 if (result == ISC_R_SUCCESS) {
1750 dns_keytable_detachkeynode(val->keytable,
1754 result = dns_keytable_findnextkeynode(
1758 dns_keytable_detachkeynode(val->keytable,
1762 if (result == ISC_R_SUCCESS) {
1763 event->rdataset->trust = dns_trust_secure;
1764 event->sigrdataset->trust = dns_trust_secure;
1765 validator_log(val, ISC_LOG_DEBUG(3),
1766 "signed by trusted key; "
1767 "marking as secure");
1773 * If this is the root name and there was no trusted key,
1774 * give up, since there's no DS at the root.
1776 if (dns_name_equal(event->name, dns_rootname)) {
1777 if ((val->attributes & VALATTR_TRIEDVERIFY) != 0)
1778 return (DNS_R_NOVALIDSIG);
1780 return (DNS_R_NOVALIDDS);
1785 * We have not found a key to verify this DNSKEY
1786 * RRset. As this is a SEP we have to assume that
1787 * the RRset is invalid.
1789 dns_name_format(val->event->name, namebuf,
1791 validator_log(val, ISC_LOG_DEBUG(2),
1792 "unable to find a DNSKEY which verifies "
1793 "the DNSKEY RRset and also matches one "
1794 "of specified trusted-keys for '%s'",
1796 return (DNS_R_NOVALIDKEY);
1800 * Otherwise, try to find the DS record.
1802 result = view_find(val, val->event->name, dns_rdatatype_ds);
1803 if (result == ISC_R_SUCCESS) {
1805 * We have DS records.
1807 val->dsset = &val->frdataset;
1808 if (val->frdataset.trust == dns_trust_pending &&
1809 dns_rdataset_isassociated(&val->fsigrdataset))
1811 result = create_validator(val,
1818 if (result != ISC_R_SUCCESS)
1820 return (DNS_R_WAIT);
1821 } else if (val->frdataset.trust == dns_trust_pending) {
1823 * There should never be an unsigned DS.
1825 dns_rdataset_disassociate(&val->frdataset);
1826 validator_log(val, ISC_LOG_DEBUG(2),
1827 "unsigned DS record");
1828 return (DNS_R_NOVALIDSIG);
1830 result = ISC_R_SUCCESS;
1831 } else if (result == ISC_R_NOTFOUND) {
1833 * We don't have the DS. Find it.
1835 result = create_fetch(val, val->event->name,
1836 dns_rdatatype_ds, dsfetched,
1838 if (result != ISC_R_SUCCESS)
1840 return (DNS_R_WAIT);
1841 } else if (result == DNS_R_NCACHENXDOMAIN ||
1842 result == DNS_R_NCACHENXRRSET ||
1843 result == DNS_R_EMPTYNAME ||
1844 result == DNS_R_NXDOMAIN ||
1845 result == DNS_R_NXRRSET)
1848 * The DS does not exist.
1850 if (dns_rdataset_isassociated(&val->frdataset))
1851 dns_rdataset_disassociate(&val->frdataset);
1852 if (dns_rdataset_isassociated(&val->fsigrdataset))
1853 dns_rdataset_disassociate(&val->fsigrdataset);
1854 validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
1855 return (DNS_R_NOVALIDSIG);
1862 INSIST(val->dsset != NULL);
1864 if (val->dsset->trust < dns_trust_secure) {
1865 if (val->mustbesecure) {
1866 validator_log(val, ISC_LOG_WARNING,
1867 "must be secure failure");
1868 return (DNS_R_MUSTBESECURE);
1871 return (ISC_R_SUCCESS);
1875 * Look through the DS record and find the keys that can sign the
1876 * key set and the matching signature. For each such key, attempt
1880 supported_algorithm = ISC_FALSE;
1883 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
1884 * it over DNS_DSDIGEST_SHA1. This in practice means that we
1885 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
1888 digest_type = DNS_DSDIGEST_SHA1;
1889 for (result = dns_rdataset_first(val->dsset);
1890 result == ISC_R_SUCCESS;
1891 result = dns_rdataset_next(val->dsset)) {
1892 dns_rdata_reset(&dsrdata);
1893 dns_rdataset_current(val->dsset, &dsrdata);
1894 result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
1895 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1897 if (!dns_resolver_algorithm_supported(val->view->resolver,
1902 if (ds.digest_type == DNS_DSDIGEST_SHA256 &&
1903 ds.length == ISC_SHA256_DIGESTLENGTH) {
1904 digest_type = DNS_DSDIGEST_SHA256;
1909 for (result = dns_rdataset_first(val->dsset);
1910 result == ISC_R_SUCCESS;
1911 result = dns_rdataset_next(val->dsset))
1913 dns_rdata_reset(&dsrdata);
1914 dns_rdataset_current(val->dsset, &dsrdata);
1915 result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
1916 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1918 if (!dns_resolver_digest_supported(val->view->resolver,
1922 if (ds.digest_type != digest_type)
1925 if (!dns_resolver_algorithm_supported(val->view->resolver,
1930 supported_algorithm = ISC_TRUE;
1932 dns_rdataset_init(&trdataset);
1933 dns_rdataset_clone(val->event->rdataset, &trdataset);
1936 * Look for the KEY that matches the DS record.
1938 for (result = dns_rdataset_first(&trdataset);
1939 result == ISC_R_SUCCESS;
1940 result = dns_rdataset_next(&trdataset))
1942 dns_rdata_reset(&keyrdata);
1943 dns_rdataset_current(&trdataset, &keyrdata);
1944 result = dns_rdata_tostruct(&keyrdata, &key, NULL);
1945 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1946 keytag = compute_keytag(&keyrdata, &key);
1947 if (ds.key_tag != keytag ||
1948 ds.algorithm != key.algorithm)
1950 dns_rdata_reset(&newdsrdata);
1951 result = dns_ds_buildrdata(val->event->name,
1952 &keyrdata, ds.digest_type,
1953 dsbuf, &newdsrdata);
1954 if (result != ISC_R_SUCCESS)
1956 if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0)
1959 if (result != ISC_R_SUCCESS) {
1960 validator_log(val, ISC_LOG_DEBUG(3),
1961 "no DNSKEY matching DS");
1965 for (result = dns_rdataset_first(val->event->sigrdataset);
1966 result == ISC_R_SUCCESS;
1967 result = dns_rdataset_next(val->event->sigrdataset))
1969 dns_rdata_reset(&sigrdata);
1970 dns_rdataset_current(val->event->sigrdataset,
1972 result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
1973 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1974 if (ds.key_tag != sig.keyid ||
1975 ds.algorithm != sig.algorithm)
1979 result = dns_dnssec_keyfromrdata(val->event->name,
1983 if (result != ISC_R_SUCCESS)
1985 * This really shouldn't happen, but...
1988 result = verify(val, dstkey, &sigrdata, sig.keyid);
1989 dst_key_free(&dstkey);
1990 if (result == ISC_R_SUCCESS)
1993 dns_rdataset_disassociate(&trdataset);
1994 if (result == ISC_R_SUCCESS)
1996 validator_log(val, ISC_LOG_DEBUG(3),
1997 "no RRSIG matching DS key");
1999 if (result == ISC_R_SUCCESS) {
2000 event->rdataset->trust = dns_trust_secure;
2001 event->sigrdataset->trust = dns_trust_secure;
2002 validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
2004 } else if (result == ISC_R_NOMORE && !supported_algorithm) {
2005 if (val->mustbesecure) {
2006 validator_log(val, ISC_LOG_WARNING,
2007 "must be secure failure");
2008 return (DNS_R_MUSTBESECURE);
2010 validator_log(val, ISC_LOG_DEBUG(3),
2011 "no supported algorithm/digest (DS)");
2013 return (ISC_R_SUCCESS);
2015 return (DNS_R_NOVALIDSIG);
2019 * Starts a positive response validation.
2022 * \li ISC_R_SUCCESS Validation completed successfully
2023 * \li DNS_R_WAIT Validation has started but is waiting
2025 * \li Other return codes are possible and all indicate failure.
2028 start_positive_validation(dns_validator_t *val) {
2030 * If this is not a key, go straight into validate().
2032 if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
2033 return (validate(val, ISC_FALSE));
2035 return (validatezonekey(val));
2039 * Look for NODATA at the wildcard and NOWILDCARD proofs in the
2040 * previously validated NSEC records. As these proofs are mutually
2041 * exclusive we stop when one is found.
2047 checkwildcard(dns_validator_t *val) {
2048 dns_name_t *name, *wild;
2049 dns_message_t *message = val->event->message;
2050 isc_result_t result;
2051 isc_boolean_t exists, data;
2052 char namebuf[DNS_NAME_FORMATSIZE];
2054 wild = dns_fixedname_name(&val->wild);
2055 dns_name_format(wild, namebuf, sizeof(namebuf));
2056 validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
2058 for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
2059 result == ISC_R_SUCCESS;
2060 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
2062 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
2065 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
2067 for (rdataset = ISC_LIST_HEAD(name->list);
2069 rdataset = ISC_LIST_NEXT(rdataset, link))
2071 if (rdataset->type != dns_rdatatype_nsec)
2073 val->nsecset = rdataset;
2075 for (sigrdataset = ISC_LIST_HEAD(name->list);
2076 sigrdataset != NULL;
2077 sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
2079 if (sigrdataset->type == dns_rdatatype_rrsig &&
2080 sigrdataset->covers == rdataset->type)
2083 if (sigrdataset == NULL)
2086 if (rdataset->trust != dns_trust_secure)
2089 if (((val->attributes & VALATTR_NEEDNODATA) != 0 ||
2090 (val->attributes & VALATTR_NEEDNOWILDCARD) != 0) &&
2091 (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
2092 (val->attributes & VALATTR_FOUNDNOWILDCARD) == 0 &&
2093 nsecnoexistnodata(val, wild, name, rdataset,
2094 &exists, &data, NULL)
2097 dns_name_t **proofs = val->event->proofs;
2098 if (exists && !data)
2099 val->attributes |= VALATTR_FOUNDNODATA;
2100 if (exists && !data && NEEDNODATA(val))
2101 proofs[DNS_VALIDATOR_NODATAPROOF] =
2105 VALATTR_FOUNDNOWILDCARD;
2106 if (!exists && NEEDNOQNAME(val))
2107 proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
2109 return (ISC_R_SUCCESS);
2113 if (result == ISC_R_NOMORE)
2114 result = ISC_R_SUCCESS;
2119 * Prove a negative answer is good or that there is a NOQNAME when the
2120 * answer is from a wildcard.
2122 * Loop through the authority section looking for NODATA, NOWILDCARD
2123 * and NOQNAME proofs in the NSEC records by calling authvalidated().
2125 * If the required proofs are found we are done.
2127 * If the proofs are not found attempt to prove this is a unsecure
2131 nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
2133 dns_message_t *message = val->event->message;
2134 isc_result_t result;
2137 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
2139 result = ISC_R_SUCCESS;
2140 validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
2144 result == ISC_R_SUCCESS;
2145 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
2147 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
2150 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
2152 rdataset = ISC_LIST_NEXT(val->currentset, link);
2153 val->currentset = NULL;
2156 rdataset = ISC_LIST_HEAD(name->list);
2160 rdataset = ISC_LIST_NEXT(rdataset, link))
2162 if (rdataset->type == dns_rdatatype_rrsig)
2165 for (sigrdataset = ISC_LIST_HEAD(name->list);
2166 sigrdataset != NULL;
2167 sigrdataset = ISC_LIST_NEXT(sigrdataset,
2170 if (sigrdataset->type == dns_rdatatype_rrsig &&
2171 sigrdataset->covers == rdataset->type)
2175 * If a signed zone is missing the zone key, bad
2176 * things could happen. A query for data in the zone
2177 * would lead to a query for the zone key, which
2178 * would return a negative answer, which would contain
2179 * an SOA and an NSEC signed by the missing key, which
2180 * would trigger another query for the DNSKEY (since
2181 * the first one is still in progress), and go into an
2182 * infinite loop. Avoid that.
2184 if (val->event->type == dns_rdatatype_dnskey &&
2185 dns_name_equal(name, val->event->name))
2187 dns_rdata_t nsec = DNS_RDATA_INIT;
2189 if (rdataset->type != dns_rdatatype_nsec)
2192 result = dns_rdataset_first(rdataset);
2193 if (result != ISC_R_SUCCESS)
2195 dns_rdataset_current(rdataset, &nsec);
2196 if (dns_nsec_typepresent(&nsec,
2200 val->currentset = rdataset;
2201 result = create_validator(val, name, rdataset->type,
2202 rdataset, sigrdataset,
2205 if (result != ISC_R_SUCCESS)
2207 return (DNS_R_WAIT);
2211 if (result == ISC_R_NOMORE)
2212 result = ISC_R_SUCCESS;
2213 if (result != ISC_R_SUCCESS)
2217 * Do we only need to check for NOQNAME? To get here we must have
2218 * had a secure wildcard answer.
2220 if ((val->attributes & VALATTR_NEEDNODATA) == 0 &&
2221 (val->attributes & VALATTR_NEEDNOWILDCARD) == 0 &&
2222 (val->attributes & VALATTR_NEEDNOQNAME) != 0) {
2223 if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0) {
2224 validator_log(val, ISC_LOG_DEBUG(3),
2225 "noqname proof found");
2226 validator_log(val, ISC_LOG_DEBUG(3),
2227 "marking as secure");
2228 val->event->rdataset->trust = dns_trust_secure;
2229 val->event->sigrdataset->trust = dns_trust_secure;
2230 return (ISC_R_SUCCESS);
2232 validator_log(val, ISC_LOG_DEBUG(3),
2233 "noqname proof not found");
2234 return (DNS_R_NOVALIDNSEC);
2238 * Do we need to check for the wildcard?
2240 if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
2241 (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
2242 (val->attributes & VALATTR_FOUNDNODATA) == 0) ||
2243 (val->attributes & VALATTR_NEEDNOWILDCARD) != 0)) {
2244 result = checkwildcard(val);
2245 if (result != ISC_R_SUCCESS)
2249 if (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
2250 (val->attributes & VALATTR_FOUNDNODATA) != 0) ||
2251 ((val->attributes & VALATTR_NEEDNOQNAME) != 0 &&
2252 (val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
2253 (val->attributes & VALATTR_NEEDNOWILDCARD) != 0 &&
2254 (val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)) {
2255 validator_log(val, ISC_LOG_DEBUG(3),
2256 "nonexistence proof(s) found");
2257 return (ISC_R_SUCCESS);
2260 validator_log(val, ISC_LOG_DEBUG(3),
2261 "nonexistence proof(s) not found");
2262 val->attributes |= VALATTR_INSECURITY;
2263 return (proveunsecure(val, ISC_FALSE, ISC_FALSE));
2266 static isc_boolean_t
2267 check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) {
2268 dns_rdata_t dsrdata = DNS_RDATA_INIT;
2270 isc_result_t result;
2272 for (result = dns_rdataset_first(rdataset);
2273 result == ISC_R_SUCCESS;
2274 result = dns_rdataset_next(rdataset)) {
2275 dns_rdataset_current(rdataset, &dsrdata);
2276 result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
2277 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2279 if (dns_resolver_digest_supported(val->view->resolver,
2281 dns_resolver_algorithm_supported(val->view->resolver,
2282 name, ds.algorithm)) {
2283 dns_rdata_reset(&dsrdata);
2286 dns_rdata_reset(&dsrdata);
2292 * Callback from fetching a DLV record.
2294 * Resumes the DLV lookup process.
2297 dlvfetched(isc_task_t *task, isc_event_t *event) {
2298 char namebuf[DNS_NAME_FORMATSIZE];
2299 dns_fetchevent_t *devent;
2300 dns_validator_t *val;
2301 isc_boolean_t want_destroy;
2302 isc_result_t eresult;
2303 isc_result_t result;
2306 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
2307 devent = (dns_fetchevent_t *)event;
2308 val = devent->ev_arg;
2309 eresult = devent->result;
2311 /* Free resources which are not of interest. */
2312 if (devent->node != NULL)
2313 dns_db_detachnode(devent->db, &devent->node);
2314 if (devent->db != NULL)
2315 dns_db_detach(&devent->db);
2316 if (dns_rdataset_isassociated(&val->fsigrdataset))
2317 dns_rdataset_disassociate(&val->fsigrdataset);
2318 isc_event_free(&event);
2319 dns_resolver_destroyfetch(&val->fetch);
2321 INSIST(val->event != NULL);
2322 validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s",
2323 dns_result_totext(eresult));
2326 if (eresult == ISC_R_SUCCESS) {
2327 dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
2329 dns_rdataset_clone(&val->frdataset, &val->dlv);
2330 val->havedlvsep = ISC_TRUE;
2331 if (dlv_algorithm_supported(val)) {
2332 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
2334 dlv_validator_start(val);
2336 validator_log(val, ISC_LOG_DEBUG(3),
2337 "DLV %s found with no supported algorithms",
2340 validator_done(val, ISC_R_SUCCESS);
2342 } else if (eresult == DNS_R_NXRRSET ||
2343 eresult == DNS_R_NXDOMAIN ||
2344 eresult == DNS_R_NCACHENXRRSET ||
2345 eresult == DNS_R_NCACHENXDOMAIN) {
2346 result = finddlvsep(val, ISC_TRUE);
2347 if (result == ISC_R_SUCCESS) {
2348 if (dlv_algorithm_supported(val)) {
2349 dns_name_format(dns_fixedname_name(&val->dlvsep),
2350 namebuf, sizeof(namebuf));
2351 validator_log(val, ISC_LOG_DEBUG(3),
2352 "DLV %s found", namebuf);
2353 dlv_validator_start(val);
2355 validator_log(val, ISC_LOG_DEBUG(3),
2356 "DLV %s found with no supported "
2357 "algorithms", namebuf);
2359 validator_done(val, ISC_R_SUCCESS);
2361 } else if (result == ISC_R_NOTFOUND) {
2362 validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
2364 validator_done(val, ISC_R_SUCCESS);
2366 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2367 dns_result_totext(result));
2368 if (result != DNS_R_WAIT)
2369 validator_done(val, result);
2372 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2373 dns_result_totext(eresult));
2374 validator_done(val, eresult);
2376 want_destroy = exit_check(val);
2383 * Start the DLV lookup proccess.
2388 * \li Others on validation failures.
2391 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
2392 char namebuf[DNS_NAME_FORMATSIZE];
2393 isc_result_t result;
2395 INSIST(!DLVTRIED(val));
2397 val->attributes |= VALATTR_DLVTRIED;
2399 dns_name_format(unsecure, namebuf, sizeof(namebuf));
2400 validator_log(val, ISC_LOG_DEBUG(3),
2401 "plain DNSSEC returns unsecure (%s): looking for DLV",
2404 if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
2405 validator_log(val, ISC_LOG_WARNING, "must be secure failure");
2406 return (DNS_R_MUSTBESECURE);
2409 val->dlvlabels = dns_name_countlabels(unsecure) - 1;
2410 result = finddlvsep(val, ISC_FALSE);
2411 if (result == ISC_R_NOTFOUND) {
2412 validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
2414 return (ISC_R_SUCCESS);
2416 if (result != ISC_R_SUCCESS) {
2417 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2418 dns_result_totext(result));
2421 dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
2423 if (dlv_algorithm_supported(val)) {
2424 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
2425 dlv_validator_start(val);
2426 return (DNS_R_WAIT);
2428 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
2429 "algorithms", namebuf);
2431 validator_done(val, ISC_R_SUCCESS);
2432 return (ISC_R_SUCCESS);
2436 * Continue the DLV lookup process.
2440 * \li ISC_R_NOTFOUND
2442 * \li Others on validation failure.
2445 finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
2446 char namebuf[DNS_NAME_FORMATSIZE];
2447 dns_fixedname_t dlvfixed;
2448 dns_name_t *dlvname;
2451 isc_result_t result;
2452 unsigned int labels;
2454 INSIST(val->view->dlv != NULL);
2458 if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
2459 validator_log(val, ISC_LOG_WARNING,
2460 "must be secure failure");
2461 return (DNS_R_MUSTBESECURE);
2464 dns_fixedname_init(&val->dlvsep);
2465 dlvsep = dns_fixedname_name(&val->dlvsep);
2466 dns_name_copy(val->event->name, dlvsep, NULL);
2468 * If this is a response to a DS query, we need to look in
2469 * the parent zone for the trust anchor.
2471 if (val->event->type == dns_rdatatype_ds) {
2472 labels = dns_name_countlabels(dlvsep);
2474 return (ISC_R_NOTFOUND);
2475 dns_name_getlabelsequence(dlvsep, 1, labels - 1,
2479 dlvsep = dns_fixedname_name(&val->dlvsep);
2480 labels = dns_name_countlabels(dlvsep);
2481 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2483 dns_name_init(&noroot, NULL);
2484 dns_fixedname_init(&dlvfixed);
2485 dlvname = dns_fixedname_name(&dlvfixed);
2486 labels = dns_name_countlabels(dlvsep);
2488 return (ISC_R_NOTFOUND);
2489 dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot);
2490 result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL);
2491 while (result == ISC_R_NOSPACE) {
2492 labels = dns_name_countlabels(dlvsep);
2493 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2494 dns_name_getlabelsequence(dlvsep, 0, labels - 2, &noroot);
2495 result = dns_name_concatenate(&noroot, val->view->dlv,
2498 if (result != ISC_R_SUCCESS) {
2499 validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed");
2500 return (DNS_R_NOVALIDSIG);
2503 while (dns_name_countlabels(dlvname) >=
2504 dns_name_countlabels(val->view->dlv) + val->dlvlabels) {
2505 dns_name_format(dlvname, namebuf, sizeof(namebuf));
2506 validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s",
2508 result = view_find(val, dlvname, dns_rdatatype_dlv);
2509 if (result == ISC_R_SUCCESS) {
2510 if (val->frdataset.trust < dns_trust_secure)
2511 return (DNS_R_NOVALIDSIG);
2512 val->havedlvsep = ISC_TRUE;
2513 dns_rdataset_clone(&val->frdataset, &val->dlv);
2514 return (ISC_R_SUCCESS);
2516 if (result == ISC_R_NOTFOUND) {
2517 result = create_fetch(val, dlvname, dns_rdatatype_dlv,
2518 dlvfetched, "finddlvsep");
2519 if (result != ISC_R_SUCCESS)
2521 return (DNS_R_WAIT);
2523 if (result != DNS_R_NXRRSET &&
2524 result != DNS_R_NXDOMAIN &&
2525 result != DNS_R_EMPTYNAME &&
2526 result != DNS_R_NCACHENXRRSET &&
2527 result != DNS_R_NCACHENXDOMAIN)
2530 * Strip first labels from both dlvsep and dlvname.
2532 labels = dns_name_countlabels(dlvsep);
2535 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2536 labels = dns_name_countlabels(dlvname);
2537 dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname);
2539 return (ISC_R_NOTFOUND);
2543 * proveunsecure walks down from the SEP looking for a break in the
2544 * chain of trust. That occurs when we can prove the DS record does
2545 * not exist at a delegation point or the DS exists at a delegation
2546 * but we don't support the algorithm/digest.
2548 * If DLV is active and we look for a DLV record at or below the
2549 * point we go insecure. If found we restart the validation process.
2550 * If not found or DLV isn't active we mark the response as a answer.
2553 * \li ISC_R_SUCCESS val->event->name is in a unsecure zone
2554 * \li DNS_R_WAIT validation is in progress.
2555 * \li DNS_R_MUSTBESECURE val->event->name is supposed to be secure
2556 * (policy) but we proved that it is unsecure.
2557 * \li DNS_R_NOVALIDSIG
2558 * \li DNS_R_NOVALIDNSEC
2559 * \li DNS_R_NOTINSECURE
2562 proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
2564 isc_result_t result;
2565 dns_fixedname_t fixedsecroot;
2566 dns_name_t *secroot;
2568 char namebuf[DNS_NAME_FORMATSIZE];
2570 dns_fixedname_init(&fixedsecroot);
2571 secroot = dns_fixedname_name(&fixedsecroot);
2572 if (val->havedlvsep)
2573 dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
2575 dns_name_copy(val->event->name, secroot, NULL);
2577 * If this is a response to a DS query, we need to look in
2578 * the parent zone for the trust anchor.
2580 if (val->event->type == dns_rdatatype_ds &&
2581 dns_name_countlabels(secroot) > 1U)
2582 dns_name_split(secroot, 1, NULL, secroot);
2583 result = dns_keytable_finddeepestmatch(val->keytable,
2586 if (result == ISC_R_NOTFOUND) {
2587 validator_log(val, ISC_LOG_DEBUG(3),
2588 "not beneath secure root");
2589 if (val->mustbesecure) {
2590 validator_log(val, ISC_LOG_WARNING,
2591 "must be secure failure");
2592 result = DNS_R_MUSTBESECURE;
2595 if (val->view->dlv == NULL || DLVTRIED(val)) {
2597 return (ISC_R_SUCCESS);
2599 return (startfinddlvsep(val, dns_rootname));
2600 } else if (result != ISC_R_SUCCESS)
2606 * We are looking for breaks below the SEP so add a label.
2608 val->labels = dns_name_countlabels(secroot) + 1;
2610 validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
2612 * If we have a DS rdataset and it is secure then check if
2613 * the DS rdataset has a supported algorithm combination.
2614 * If not this is a insecure delegation as far as this
2615 * resolver is concerned. Fall back to DLV if available.
2617 if (have_ds && val->frdataset.trust >= dns_trust_secure &&
2618 !check_ds(val, dns_fixedname_name(&val->fname),
2620 dns_name_format(dns_fixedname_name(&val->fname),
2621 namebuf, sizeof(namebuf));
2622 if ((val->view->dlv == NULL || DLVTRIED(val)) &&
2623 val->mustbesecure) {
2624 validator_log(val, ISC_LOG_WARNING,
2625 "must be secure failure at '%s'",
2627 result = DNS_R_MUSTBESECURE;
2630 validator_log(val, ISC_LOG_DEBUG(3),
2631 "no supported algorithm/digest (%s/DS)",
2633 if (val->view->dlv == NULL || DLVTRIED(val)) {
2635 result = ISC_R_SUCCESS;
2638 result = startfinddlvsep(val,
2639 dns_fixedname_name(&val->fname));
2646 val->labels <= dns_name_countlabels(val->event->name);
2650 dns_fixedname_init(&val->fname);
2651 tname = dns_fixedname_name(&val->fname);
2652 if (val->labels == dns_name_countlabels(val->event->name))
2653 dns_name_copy(val->event->name, tname, NULL);
2655 dns_name_split(val->event->name, val->labels,
2658 dns_name_format(tname, namebuf, sizeof(namebuf));
2659 validator_log(val, ISC_LOG_DEBUG(3),
2660 "checking existence of DS at '%s'",
2663 result = view_find(val, tname, dns_rdatatype_ds);
2665 if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
2667 * There is no DS. If this is a delegation,
2670 if (val->frdataset.trust == dns_trust_pending) {
2671 result = create_fetch(val, tname,
2675 if (result != ISC_R_SUCCESS)
2677 return (DNS_R_WAIT);
2679 if (val->frdataset.trust < dns_trust_secure) {
2681 * This shouldn't happen, since the negative
2682 * response should have been validated. Since
2683 * there's no way of validating existing
2684 * negative response blobs, give up.
2686 result = DNS_R_NOVALIDSIG;
2689 if (isdelegation(tname, &val->frdataset, result)) {
2690 if (val->mustbesecure) {
2691 validator_log(val, ISC_LOG_WARNING,
2692 "must be secure failure");
2693 return (DNS_R_MUSTBESECURE);
2695 if (val->view->dlv == NULL || DLVTRIED(val)) {
2697 return (ISC_R_SUCCESS);
2699 return (startfinddlvsep(val, tname));
2702 } else if (result == ISC_R_SUCCESS) {
2704 * There is a DS here. Verify that it's secure and
2707 if (val->frdataset.trust >= dns_trust_secure) {
2708 if (!check_ds(val, tname, &val->frdataset)) {
2709 validator_log(val, ISC_LOG_DEBUG(3),
2710 "no supported algorithm/"
2711 "digest (%s/DS)", namebuf);
2712 if (val->mustbesecure) {
2715 "must be secure failure");
2716 result = DNS_R_MUSTBESECURE;
2719 if (val->view->dlv == NULL ||
2722 result = ISC_R_SUCCESS;
2725 result = startfinddlvsep(val, tname);
2730 else if (!dns_rdataset_isassociated(&val->fsigrdataset))
2732 result = DNS_R_NOVALIDSIG;
2735 result = create_validator(val, tname, dns_rdatatype_ds,
2740 if (result != ISC_R_SUCCESS)
2742 return (DNS_R_WAIT);
2743 } else if (result == DNS_R_NXDOMAIN ||
2744 result == DNS_R_NCACHENXDOMAIN) {
2746 * This is not a zone cut. Assuming things are
2747 * as expected, continue.
2749 if (!dns_rdataset_isassociated(&val->frdataset)) {
2751 * There should be an NSEC here, since we
2752 * are still in a secure zone.
2754 result = DNS_R_NOVALIDNSEC;
2756 } else if (val->frdataset.trust < dns_trust_secure) {
2758 * This shouldn't happen, since the negative
2759 * response should have been validated. Since
2760 * there's no way of validating existing
2761 * negative response blobs, give up.
2763 result = DNS_R_NOVALIDSIG;
2767 } else if (result == ISC_R_NOTFOUND) {
2769 * We don't know anything about the DS. Find it.
2771 result = create_fetch(val, tname, dns_rdatatype_ds,
2772 dsfetched2, "proveunsecure");
2773 if (result != ISC_R_SUCCESS)
2775 return (DNS_R_WAIT);
2778 validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
2779 return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
2782 if (dns_rdataset_isassociated(&val->frdataset))
2783 dns_rdataset_disassociate(&val->frdataset);
2784 if (dns_rdataset_isassociated(&val->fsigrdataset))
2785 dns_rdataset_disassociate(&val->fsigrdataset);
2790 * Reset state and revalidate the answer using DLV.
2793 dlv_validator_start(dns_validator_t *val) {
2796 validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start");
2799 * Reset state and try again.
2801 val->attributes &= VALATTR_DLVTRIED;
2802 val->options &= ~DNS_VALIDATOR_DLV;
2804 event = (isc_event_t *)val->event;
2805 isc_task_send(val->task, &event);
2809 * Start the validation process.
2811 * Attempt to valididate the answer based on the category it appears to
2813 * \li 1. secure positive answer.
2814 * \li 2. unsecure positive answer.
2815 * \li 3. a negative answer (secure or unsecure).
2817 * Note a answer that appears to be a secure positive answer may actually
2818 * be a unsecure positive answer.
2821 validator_start(isc_task_t *task, isc_event_t *event) {
2822 dns_validator_t *val;
2823 dns_validatorevent_t *vevent;
2824 isc_boolean_t want_destroy = ISC_FALSE;
2825 isc_result_t result = ISC_R_FAILURE;
2828 REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
2829 vevent = (dns_validatorevent_t *)event;
2830 val = vevent->validator;
2832 /* If the validator has been cancelled, val->event == NULL */
2833 if (val->event == NULL)
2837 validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV");
2839 validator_log(val, ISC_LOG_DEBUG(3), "starting");
2843 if ((val->options & DNS_VALIDATOR_DLV) != 0 &&
2844 val->event->rdataset != NULL) {
2845 validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
2846 result = startfinddlvsep(val, dns_rootname);
2847 } else if (val->event->rdataset != NULL &&
2848 val->event->sigrdataset != NULL) {
2849 isc_result_t saved_result;
2852 * This looks like a simple validation. We say "looks like"
2853 * because it might end up requiring an insecurity proof.
2855 validator_log(val, ISC_LOG_DEBUG(3),
2856 "attempting positive response validation");
2858 INSIST(dns_rdataset_isassociated(val->event->rdataset));
2859 INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
2860 result = start_positive_validation(val);
2861 if (result == DNS_R_NOVALIDSIG &&
2862 (val->attributes & VALATTR_TRIEDVERIFY) == 0)
2864 saved_result = result;
2865 validator_log(val, ISC_LOG_DEBUG(3),
2866 "falling back to insecurity proof");
2867 val->attributes |= VALATTR_INSECURITY;
2868 result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
2869 if (result == DNS_R_NOTINSECURE)
2870 result = saved_result;
2872 } else if (val->event->rdataset != NULL) {
2874 * This is either an unsecure subdomain or a response from
2877 INSIST(dns_rdataset_isassociated(val->event->rdataset));
2878 validator_log(val, ISC_LOG_DEBUG(3),
2879 "attempting insecurity proof");
2881 val->attributes |= VALATTR_INSECURITY;
2882 result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
2883 } else if (val->event->rdataset == NULL &&
2884 val->event->sigrdataset == NULL)
2887 * This is a nonexistence validation.
2889 validator_log(val, ISC_LOG_DEBUG(3),
2890 "attempting negative response validation");
2892 if (val->event->message->rcode == dns_rcode_nxdomain) {
2893 val->attributes |= VALATTR_NEEDNOQNAME;
2894 val->attributes |= VALATTR_NEEDNOWILDCARD;
2896 val->attributes |= VALATTR_NEEDNODATA;
2897 result = nsecvalidate(val, ISC_FALSE);
2900 * This shouldn't happen.
2905 if (result != DNS_R_WAIT) {
2906 want_destroy = exit_check(val);
2907 validator_done(val, result);
2916 dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
2917 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
2918 dns_message_t *message, unsigned int options,
2919 isc_task_t *task, isc_taskaction_t action, void *arg,
2920 dns_validator_t **validatorp)
2922 isc_result_t result;
2923 dns_validator_t *val;
2925 dns_validatorevent_t *event;
2927 REQUIRE(name != NULL);
2928 REQUIRE(rdataset != NULL ||
2929 (rdataset == NULL && sigrdataset == NULL && message != NULL));
2930 REQUIRE(validatorp != NULL && *validatorp == NULL);
2933 result = ISC_R_FAILURE;
2935 val = isc_mem_get(view->mctx, sizeof(*val));
2937 return (ISC_R_NOMEMORY);
2939 dns_view_weakattach(view, &val->view);
2940 event = (dns_validatorevent_t *)
2941 isc_event_allocate(view->mctx, task,
2942 DNS_EVENT_VALIDATORSTART,
2943 validator_start, NULL,
2944 sizeof(dns_validatorevent_t));
2945 if (event == NULL) {
2946 result = ISC_R_NOMEMORY;
2949 isc_task_attach(task, &tclone);
2950 event->validator = val;
2951 event->result = ISC_R_FAILURE;
2954 event->rdataset = rdataset;
2955 event->sigrdataset = sigrdataset;
2956 event->message = message;
2957 memset(event->proofs, 0, sizeof(event->proofs));
2958 result = isc_mutex_init(&val->lock);
2959 if (result != ISC_R_SUCCESS)
2962 val->options = options;
2963 val->attributes = 0;
2965 val->subvalidator = NULL;
2967 val->keytable = NULL;
2968 dns_keytable_attach(val->view->secroots, &val->keytable);
2969 val->keynode = NULL;
2971 val->siginfo = NULL;
2973 val->action = action;
2976 val->currentset = NULL;
2979 dns_rdataset_init(&val->dlv);
2980 val->seensig = ISC_FALSE;
2981 val->havedlvsep = ISC_FALSE;
2983 val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
2984 dns_rdataset_init(&val->frdataset);
2985 dns_rdataset_init(&val->fsigrdataset);
2986 dns_fixedname_init(&val->wild);
2987 ISC_LINK_INIT(val, link);
2988 val->magic = VALIDATOR_MAGIC;
2990 if ((options & DNS_VALIDATOR_DEFER) == 0)
2991 isc_task_send(task, ISC_EVENT_PTR(&event));
2995 return (ISC_R_SUCCESS);
2998 isc_task_detach(&tclone);
2999 isc_event_free(ISC_EVENT_PTR(&event));
3002 dns_view_weakdetach(&val->view);
3003 isc_mem_put(view->mctx, val, sizeof(*val));
3009 dns_validator_send(dns_validator_t *validator) {
3011 REQUIRE(VALID_VALIDATOR(validator));
3013 LOCK(&validator->lock);
3015 INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
3016 event = (isc_event_t *)validator->event;
3017 validator->options &= ~DNS_VALIDATOR_DEFER;
3018 UNLOCK(&validator->lock);
3020 isc_task_send(validator->task, ISC_EVENT_PTR(&event));
3024 dns_validator_cancel(dns_validator_t *validator) {
3025 REQUIRE(VALID_VALIDATOR(validator));
3027 LOCK(&validator->lock);
3029 validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
3031 if (validator->event != NULL) {
3032 if (validator->fetch != NULL)
3033 dns_resolver_cancelfetch(validator->fetch);
3035 if (validator->subvalidator != NULL)
3036 dns_validator_cancel(validator->subvalidator);
3037 if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
3038 isc_task_t *task = validator->event->ev_sender;
3039 validator->options &= ~DNS_VALIDATOR_DEFER;
3040 isc_event_free((isc_event_t **)&validator->event);
3041 isc_task_detach(&task);
3043 validator->attributes |= VALATTR_CANCELED;
3045 UNLOCK(&validator->lock);
3049 destroy(dns_validator_t *val) {
3052 REQUIRE(SHUTDOWN(val));
3053 REQUIRE(val->event == NULL);
3054 REQUIRE(val->fetch == NULL);
3056 if (val->keynode != NULL)
3057 dns_keytable_detachkeynode(val->keytable, &val->keynode);
3058 else if (val->key != NULL)
3059 dst_key_free(&val->key);
3060 if (val->keytable != NULL)
3061 dns_keytable_detach(&val->keytable);
3062 if (val->subvalidator != NULL)
3063 dns_validator_destroy(&val->subvalidator);
3064 if (val->havedlvsep)
3065 dns_rdataset_disassociate(&val->dlv);
3066 if (dns_rdataset_isassociated(&val->frdataset))
3067 dns_rdataset_disassociate(&val->frdataset);
3068 if (dns_rdataset_isassociated(&val->fsigrdataset))
3069 dns_rdataset_disassociate(&val->fsigrdataset);
3070 mctx = val->view->mctx;
3071 if (val->siginfo != NULL)
3072 isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
3073 DESTROYLOCK(&val->lock);
3074 dns_view_weakdetach(&val->view);
3076 isc_mem_put(mctx, val, sizeof(*val));
3080 dns_validator_destroy(dns_validator_t **validatorp) {
3081 dns_validator_t *val;
3082 isc_boolean_t want_destroy = ISC_FALSE;
3084 REQUIRE(validatorp != NULL);
3086 REQUIRE(VALID_VALIDATOR(val));
3090 val->attributes |= VALATTR_SHUTDOWN;
3091 validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
3093 want_destroy = exit_check(val);
3104 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
3105 isc_logmodule_t *module, int level, const char *fmt, va_list ap)
3108 static const char spaces[] = " *";
3109 int depth = val->depth * 2;
3111 vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
3113 if ((unsigned int) depth >= sizeof spaces)
3114 depth = sizeof spaces - 1;
3116 if (val->event != NULL && val->event->name != NULL) {
3117 char namebuf[DNS_NAME_FORMATSIZE];
3118 char typebuf[DNS_RDATATYPE_FORMATSIZE];
3120 dns_name_format(val->event->name, namebuf, sizeof(namebuf));
3121 dns_rdatatype_format(val->event->type, typebuf,
3123 isc_log_write(dns_lctx, category, module, level,
3124 "%.*svalidating @%p: %s %s: %s", depth, spaces,
3125 val, namebuf, typebuf, msgbuf);
3127 isc_log_write(dns_lctx, category, module, level,
3128 "%.*svalidator @%p: %s", depth, spaces,
3134 validator_log(dns_validator_t *val, int level, const char *fmt, ...) {
3137 if (! isc_log_wouldlog(dns_lctx, level))
3142 validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
3143 DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
3148 validator_logcreate(dns_validator_t *val,
3149 dns_name_t *name, dns_rdatatype_t type,
3150 const char *caller, const char *operation)
3152 char namestr[DNS_NAME_FORMATSIZE];
3153 char typestr[DNS_RDATATYPE_FORMATSIZE];
3155 dns_name_format(name, namestr, sizeof(namestr));
3156 dns_rdatatype_format(type, typestr, sizeof(typestr));
3157 validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",
3158 caller, operation, namestr, typestr);