2 * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: validator.c,v 1.119.18.35 2007/09/26 04:39:45 each Exp $ */
25 #include <isc/print.h>
26 #include <isc/string.h>
33 #include <dns/dnssec.h>
34 #include <dns/events.h>
35 #include <dns/keytable.h>
37 #include <dns/message.h>
38 #include <dns/ncache.h>
40 #include <dns/rdata.h>
41 #include <dns/rdatastruct.h>
42 #include <dns/rdataset.h>
43 #include <dns/rdatatype.h>
44 #include <dns/resolver.h>
45 #include <dns/result.h>
46 #include <dns/validator.h>
51 * Basic processing sequences.
53 * \li When called with rdataset and sigrdataset:
54 * validator_start -> validate -> proveunsecure -> startfinddlvsep ->
55 * dlv_validator_start -> validator_start -> validate -> proveunsecure
57 * validator_start -> validate -> nsecvalidate (secure wildcard answer)
59 * \li When called with rdataset, sigrdataset and with DNS_VALIDATOR_DLV:
60 * validator_start -> startfinddlvsep -> dlv_validator_start ->
61 * validator_start -> validate -> proveunsecure
63 * \li When called with rdataset:
64 * validator_start -> proveunsecure -> startfinddlvsep ->
65 * dlv_validator_start -> validator_start -> proveunsecure
67 * \li When called with rdataset and with DNS_VALIDATOR_DLV:
68 * validator_start -> startfinddlvsep -> dlv_validator_start ->
69 * validator_start -> proveunsecure
71 * \li When called without a rdataset:
72 * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
73 * dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
75 * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate()
76 * to always validate the authority section even when it does not contain
79 * validator_start: determines what type of validation to do.
80 * validate: attempts to perform a positive validation.
81 * proveunsecure: attempts to prove the answer comes from a unsecure zone.
82 * nsecvalidate: attempts to prove a negative response.
83 * startfinddlvsep: starts the DLV record lookup.
84 * dlv_validator_start: resets state and restarts the lookup using the
85 * DLV RRset found by startfinddlvsep.
88 #define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?')
89 #define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
91 #define VALATTR_SHUTDOWN 0x0001 /*%< Shutting down. */
92 #define VALATTR_CANCELED 0x0002 /*%< Cancelled. */
93 #define VALATTR_TRIEDVERIFY 0x0004 /*%< We have found a key and
94 * have attempted a verify. */
95 #define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */
96 #define VALATTR_DLVTRIED 0x0020 /*%< Looked for a DLV record. */
99 * NSEC proofs to be looked for.
101 #define VALATTR_NEEDNOQNAME 0x0100
102 #define VALATTR_NEEDNOWILDCARD 0x0200
103 #define VALATTR_NEEDNODATA 0x0400
106 * NSEC proofs that have been found.
108 #define VALATTR_FOUNDNOQNAME 0x1000
109 #define VALATTR_FOUNDNOWILDCARD 0x2000
110 #define VALATTR_FOUNDNODATA 0x4000
112 #define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
113 #define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
114 #define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
115 #define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
117 #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
118 #define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0)
121 destroy(dns_validator_t *val);
124 get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
125 dns_rdataset_t *rdataset);
128 validate(dns_validator_t *val, isc_boolean_t resume);
131 validatezonekey(dns_validator_t *val);
134 nsecvalidate(dns_validator_t *val, isc_boolean_t resume);
137 proveunsecure(dns_validator_t *val, isc_boolean_t resume);
140 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
141 isc_logmodule_t *module, int level, const char *fmt, va_list ap)
142 ISC_FORMAT_PRINTF(5, 0);
145 validator_log(dns_validator_t *val, int level, const char *fmt, ...)
146 ISC_FORMAT_PRINTF(3, 4);
149 validator_logcreate(dns_validator_t *val,
150 dns_name_t *name, dns_rdatatype_t type,
151 const char *caller, const char *operation);
154 dlv_validatezonekey(dns_validator_t *val);
157 dlv_validator_start(dns_validator_t *val);
160 finddlvsep(dns_validator_t *val, isc_boolean_t resume);
163 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
166 * Mark the RRsets as a answer.
169 markanswer(dns_validator_t *val) {
170 validator_log(val, ISC_LOG_DEBUG(3), "marking as answer");
171 if (val->event->rdataset != NULL)
172 val->event->rdataset->trust = dns_trust_answer;
173 if (val->event->sigrdataset != NULL)
174 val->event->sigrdataset->trust = dns_trust_answer;
178 validator_done(dns_validator_t *val, isc_result_t result) {
181 if (val->event == NULL)
185 * Caller must be holding the lock.
188 val->event->result = result;
189 task = val->event->ev_sender;
190 val->event->ev_sender = val;
191 val->event->ev_type = DNS_EVENT_VALIDATORDONE;
192 val->event->ev_action = val->action;
193 val->event->ev_arg = val->arg;
194 isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
197 static inline isc_boolean_t
198 exit_check(dns_validator_t *val) {
200 * Caller must be holding the lock.
205 INSIST(val->event == NULL);
207 if (val->fetch != NULL || val->subvalidator != NULL)
214 * Look in the NSEC record returned from a DS query to see if there is
215 * a NS RRset at this name. If it is found we are at a delegation point.
218 isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
219 isc_result_t dbresult)
222 dns_rdata_t rdata = DNS_RDATA_INIT;
226 REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
228 dns_rdataset_init(&set);
229 if (dbresult == DNS_R_NXRRSET)
230 dns_rdataset_clone(rdataset, &set);
232 result = dns_ncache_getrdataset(rdataset, name,
233 dns_rdatatype_nsec, &set);
234 if (result != ISC_R_SUCCESS)
238 INSIST(set.type == dns_rdatatype_nsec);
241 result = dns_rdataset_first(&set);
242 if (result == ISC_R_SUCCESS) {
243 dns_rdataset_current(&set, &rdata);
244 found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
246 dns_rdataset_disassociate(&set);
251 * We have been asked to to look for a key.
252 * If found resume the validation process.
253 * If not found fail the validation process.
256 fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
257 dns_fetchevent_t *devent;
258 dns_validator_t *val;
259 dns_rdataset_t *rdataset;
260 isc_boolean_t want_destroy;
262 isc_result_t eresult;
265 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
266 devent = (dns_fetchevent_t *)event;
267 val = devent->ev_arg;
268 rdataset = &val->frdataset;
269 eresult = devent->result;
271 /* Free resources which are not of interest. */
272 if (devent->node != NULL)
273 dns_db_detachnode(devent->db, &devent->node);
274 if (devent->db != NULL)
275 dns_db_detach(&devent->db);
276 if (dns_rdataset_isassociated(&val->fsigrdataset))
277 dns_rdataset_disassociate(&val->fsigrdataset);
278 isc_event_free(&event);
279 dns_resolver_destroyfetch(&val->fetch);
281 INSIST(val->event != NULL);
283 validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
286 validator_done(val, ISC_R_CANCELED);
287 } else if (eresult == ISC_R_SUCCESS) {
288 validator_log(val, ISC_LOG_DEBUG(3),
289 "keyset with trust %d", rdataset->trust);
291 * Only extract the dst key if the keyset is secure.
293 if (rdataset->trust >= dns_trust_secure) {
294 result = get_dst_key(val, val->siginfo, rdataset);
295 if (result == ISC_R_SUCCESS)
296 val->keyset = &val->frdataset;
298 result = validate(val, ISC_TRUE);
299 if (result != DNS_R_WAIT)
300 validator_done(val, result);
302 validator_log(val, ISC_LOG_DEBUG(3),
303 "fetch_callback_validator: got %s",
304 isc_result_totext(eresult));
305 if (eresult == ISC_R_CANCELED)
306 validator_done(val, eresult);
308 validator_done(val, DNS_R_NOVALIDKEY);
310 want_destroy = exit_check(val);
317 * We were asked to look for a DS record as part of following a key chain
318 * upwards. If found resume the validation process. If not found fail the
319 * validation process.
322 dsfetched(isc_task_t *task, isc_event_t *event) {
323 dns_fetchevent_t *devent;
324 dns_validator_t *val;
325 dns_rdataset_t *rdataset;
326 isc_boolean_t want_destroy;
328 isc_result_t eresult;
331 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
332 devent = (dns_fetchevent_t *)event;
333 val = devent->ev_arg;
334 rdataset = &val->frdataset;
335 eresult = devent->result;
337 /* Free resources which are not of interest. */
338 if (devent->node != NULL)
339 dns_db_detachnode(devent->db, &devent->node);
340 if (devent->db != NULL)
341 dns_db_detach(&devent->db);
342 if (dns_rdataset_isassociated(&val->fsigrdataset))
343 dns_rdataset_disassociate(&val->fsigrdataset);
344 isc_event_free(&event);
345 dns_resolver_destroyfetch(&val->fetch);
347 INSIST(val->event != NULL);
349 validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched");
352 validator_done(val, ISC_R_CANCELED);
353 } else if (eresult == ISC_R_SUCCESS) {
354 validator_log(val, ISC_LOG_DEBUG(3),
355 "dsset with trust %d", rdataset->trust);
356 val->dsset = &val->frdataset;
357 result = validatezonekey(val);
358 if (result != DNS_R_WAIT)
359 validator_done(val, result);
360 } else if (eresult == DNS_R_NXRRSET ||
361 eresult == DNS_R_NCACHENXRRSET ||
362 eresult == DNS_R_SERVFAIL) /* RFC 1034 parent? */
364 validator_log(val, ISC_LOG_DEBUG(3),
365 "falling back to insecurity proof (%s)",
366 dns_result_totext(eresult));
367 val->attributes |= VALATTR_INSECURITY;
368 result = proveunsecure(val, ISC_FALSE);
369 if (result != DNS_R_WAIT)
370 validator_done(val, result);
372 validator_log(val, ISC_LOG_DEBUG(3),
374 isc_result_totext(eresult));
375 if (eresult == ISC_R_CANCELED)
376 validator_done(val, eresult);
378 validator_done(val, DNS_R_NOVALIDDS);
380 want_destroy = exit_check(val);
387 * We were asked to look for the DS record as part of proving that a
390 * If the DS record doesn't exist and the query name corresponds to
391 * a delegation point we are transitioning from a secure zone to a
394 * If the DS record exists it will be secure. We can continue looking
395 * for the break point in the chain of trust.
398 dsfetched2(isc_task_t *task, isc_event_t *event) {
399 dns_fetchevent_t *devent;
400 dns_validator_t *val;
402 isc_boolean_t want_destroy;
404 isc_result_t eresult;
407 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
408 devent = (dns_fetchevent_t *)event;
409 val = devent->ev_arg;
410 eresult = devent->result;
412 /* Free resources which are not of interest. */
413 if (devent->node != NULL)
414 dns_db_detachnode(devent->db, &devent->node);
415 if (devent->db != NULL)
416 dns_db_detach(&devent->db);
417 if (dns_rdataset_isassociated(&val->fsigrdataset))
418 dns_rdataset_disassociate(&val->fsigrdataset);
419 dns_resolver_destroyfetch(&val->fetch);
421 INSIST(val->event != NULL);
423 validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2: %s",
424 dns_result_totext(eresult));
427 validator_done(val, ISC_R_CANCELED);
428 } else if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) {
430 * There is no DS. If this is a delegation, we're done.
432 tname = dns_fixedname_name(&devent->foundname);
433 if (isdelegation(tname, &val->frdataset, eresult)) {
434 if (val->mustbesecure) {
435 validator_log(val, ISC_LOG_WARNING,
436 "must be secure failure");
437 validator_done(val, DNS_R_MUSTBESECURE);
438 } else if (val->view->dlv == NULL || DLVTRIED(val)) {
440 validator_done(val, ISC_R_SUCCESS);
442 result = startfinddlvsep(val, tname);
443 if (result != DNS_R_WAIT)
444 validator_done(val, result);
447 result = proveunsecure(val, ISC_TRUE);
448 if (result != DNS_R_WAIT)
449 validator_done(val, result);
451 } else if (eresult == ISC_R_SUCCESS ||
452 eresult == DNS_R_NXDOMAIN ||
453 eresult == DNS_R_NCACHENXDOMAIN)
456 * There is a DS which may or may not be a zone cut.
457 * In either case we are still in a secure zone resume
460 result = proveunsecure(val, ISC_TRUE);
461 if (result != DNS_R_WAIT)
462 validator_done(val, result);
464 if (eresult == ISC_R_CANCELED)
465 validator_done(val, eresult);
467 validator_done(val, DNS_R_NOVALIDDS);
469 isc_event_free(&event);
470 want_destroy = exit_check(val);
477 * Callback from when a DNSKEY RRset has been validated.
479 * Resumes the stalled validation process.
482 keyvalidated(isc_task_t *task, isc_event_t *event) {
483 dns_validatorevent_t *devent;
484 dns_validator_t *val;
485 isc_boolean_t want_destroy;
487 isc_result_t eresult;
490 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
492 devent = (dns_validatorevent_t *)event;
493 val = devent->ev_arg;
494 eresult = devent->result;
496 isc_event_free(&event);
497 dns_validator_destroy(&val->subvalidator);
499 INSIST(val->event != NULL);
501 validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
504 validator_done(val, ISC_R_CANCELED);
505 } else if (eresult == ISC_R_SUCCESS) {
506 validator_log(val, ISC_LOG_DEBUG(3),
507 "keyset with trust %d", val->frdataset.trust);
509 * Only extract the dst key if the keyset is secure.
511 if (val->frdataset.trust >= dns_trust_secure)
512 (void) get_dst_key(val, val->siginfo, &val->frdataset);
513 result = validate(val, ISC_TRUE);
514 if (result != DNS_R_WAIT)
515 validator_done(val, result);
517 validator_log(val, ISC_LOG_DEBUG(3),
518 "keyvalidated: got %s",
519 isc_result_totext(eresult));
520 validator_done(val, eresult);
522 want_destroy = exit_check(val);
529 * Callback when the DS record has been validated.
531 * Resumes validation of the zone key or the unsecure zone proof.
534 dsvalidated(isc_task_t *task, isc_event_t *event) {
535 dns_validatorevent_t *devent;
536 dns_validator_t *val;
537 isc_boolean_t want_destroy;
539 isc_result_t eresult;
542 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
544 devent = (dns_validatorevent_t *)event;
545 val = devent->ev_arg;
546 eresult = devent->result;
548 isc_event_free(&event);
549 dns_validator_destroy(&val->subvalidator);
551 INSIST(val->event != NULL);
553 validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
556 validator_done(val, ISC_R_CANCELED);
557 } else if (eresult == ISC_R_SUCCESS) {
558 validator_log(val, ISC_LOG_DEBUG(3),
559 "dsset with trust %d", val->frdataset.trust);
560 if ((val->attributes & VALATTR_INSECURITY) != 0)
561 result = proveunsecure(val, ISC_TRUE);
563 result = validatezonekey(val);
564 if (result != DNS_R_WAIT)
565 validator_done(val, result);
567 validator_log(val, ISC_LOG_DEBUG(3),
568 "dsvalidated: got %s",
569 isc_result_totext(eresult));
570 validator_done(val, eresult);
572 want_destroy = exit_check(val);
579 * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
580 * or we can determine whether there is data or not at the name.
581 * If the name does not exist return the wildcard name.
583 * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
586 nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
587 dns_rdataset_t *nsecset, isc_boolean_t *exists,
588 isc_boolean_t *data, dns_name_t *wild)
591 dns_rdata_t rdata = DNS_RDATA_INIT;
593 dns_namereln_t relation;
594 unsigned int olabels, nlabels, labels;
595 dns_rdata_nsec_t nsec;
596 isc_boolean_t atparent;
600 REQUIRE(exists != NULL);
601 REQUIRE(data != NULL);
602 REQUIRE(nsecset != NULL &&
603 nsecset->type == dns_rdatatype_nsec);
605 result = dns_rdataset_first(nsecset);
606 if (result != ISC_R_SUCCESS) {
607 validator_log(val, ISC_LOG_DEBUG(3),
608 "failure processing NSEC set");
611 dns_rdataset_current(nsecset, &rdata);
613 validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant nsec");
614 relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
618 * The name is not within the NSEC range.
620 validator_log(val, ISC_LOG_DEBUG(3),
621 "NSEC does not cover name, before NSEC");
622 return (ISC_R_IGNORE);
627 * The names are the same.
629 atparent = dns_rdatatype_atparent(val->event->type);
630 ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
631 soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
635 * This NSEC record is from somewhere higher in
636 * the DNS, and at the parent of a delegation.
637 * It can not be legitimately used here.
639 validator_log(val, ISC_LOG_DEBUG(3),
640 "ignoring parent nsec");
641 return (ISC_R_IGNORE);
643 } else if (atparent && ns && soa) {
645 * This NSEC record is from the child.
646 * It can not be legitimately used here.
648 validator_log(val, ISC_LOG_DEBUG(3),
649 "ignoring child nsec");
650 return (ISC_R_IGNORE);
652 if (val->event->type == dns_rdatatype_cname ||
653 val->event->type == dns_rdatatype_nxt ||
654 val->event->type == dns_rdatatype_nsec ||
655 val->event->type == dns_rdatatype_key ||
656 !dns_nsec_typepresent(&rdata, dns_rdatatype_cname)) {
658 *data = dns_nsec_typepresent(&rdata, val->event->type);
659 validator_log(val, ISC_LOG_DEBUG(3),
660 "nsec proves name exists (owner) data=%d",
662 return (ISC_R_SUCCESS);
664 validator_log(val, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
665 return (ISC_R_IGNORE);
668 if (relation == dns_namereln_subdomain &&
669 dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
670 !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
673 * This NSEC record is from somewhere higher in
674 * the DNS, and at the parent of a delegation.
675 * It can not be legitimately used here.
677 validator_log(val, ISC_LOG_DEBUG(3), "ignoring parent nsec");
678 return (ISC_R_IGNORE);
681 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
682 if (result != ISC_R_SUCCESS)
684 relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
686 dns_rdata_freestruct(&nsec);
687 validator_log(val, ISC_LOG_DEBUG(3),
688 "ignoring nsec matches next name");
689 return (ISC_R_IGNORE);
692 if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
694 * The name is not within the NSEC range.
696 dns_rdata_freestruct(&nsec);
697 validator_log(val, ISC_LOG_DEBUG(3),
698 "ignoring nsec because name is past end of range");
699 return (ISC_R_IGNORE);
702 if (order > 0 && relation == dns_namereln_subdomain) {
703 validator_log(val, ISC_LOG_DEBUG(3),
704 "nsec proves name exist (empty)");
705 dns_rdata_freestruct(&nsec);
708 return (ISC_R_SUCCESS);
712 dns_name_init(&common, NULL);
713 if (olabels > nlabels) {
714 labels = dns_name_countlabels(nsecname);
715 dns_name_getlabelsequence(nsecname, labels - olabels,
718 labels = dns_name_countlabels(&nsec.next);
719 dns_name_getlabelsequence(&nsec.next, labels - nlabels,
722 result = dns_name_concatenate(dns_wildcardname, &common,
724 if (result != ISC_R_SUCCESS) {
725 dns_rdata_freestruct(&nsec);
726 validator_log(val, ISC_LOG_DEBUG(3),
727 "failure generating wildcard name");
731 dns_rdata_freestruct(&nsec);
732 validator_log(val, ISC_LOG_DEBUG(3), "nsec range ok");
734 return (ISC_R_SUCCESS);
738 * Callback for when NSEC records have been validated.
740 * Looks for NOQNAME and NODATA proofs.
742 * Resumes nsecvalidate.
745 authvalidated(isc_task_t *task, isc_event_t *event) {
746 dns_validatorevent_t *devent;
747 dns_validator_t *val;
748 dns_rdataset_t *rdataset;
749 isc_boolean_t want_destroy;
751 isc_boolean_t exists, data;
754 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
756 devent = (dns_validatorevent_t *)event;
757 rdataset = devent->rdataset;
758 val = devent->ev_arg;
759 result = devent->result;
760 dns_validator_destroy(&val->subvalidator);
762 INSIST(val->event != NULL);
764 validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
767 validator_done(val, ISC_R_CANCELED);
768 } else if (result != ISC_R_SUCCESS) {
769 validator_log(val, ISC_LOG_DEBUG(3),
770 "authvalidated: got %s",
771 isc_result_totext(result));
772 if (result == ISC_R_CANCELED)
773 validator_done(val, result);
775 result = nsecvalidate(val, ISC_TRUE);
776 if (result != DNS_R_WAIT)
777 validator_done(val, result);
780 dns_name_t **proofs = val->event->proofs;
781 dns_name_t *wild = dns_fixedname_name(&val->wild);
783 if (rdataset->trust == dns_trust_secure)
784 val->seensig = ISC_TRUE;
786 if (rdataset->type == dns_rdatatype_nsec &&
787 rdataset->trust == dns_trust_secure &&
788 ((val->attributes & VALATTR_NEEDNODATA) != 0 ||
789 (val->attributes & VALATTR_NEEDNOQNAME) != 0) &&
790 (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
791 (val->attributes & VALATTR_FOUNDNOQNAME) == 0 &&
792 nsecnoexistnodata(val, val->event->name, devent->name,
793 rdataset, &exists, &data, wild)
796 if (exists && !data) {
797 val->attributes |= VALATTR_FOUNDNODATA;
799 proofs[DNS_VALIDATOR_NODATAPROOF] =
803 val->attributes |= VALATTR_FOUNDNOQNAME;
804 if (NEEDNOQNAME(val))
805 proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
809 result = nsecvalidate(val, ISC_TRUE);
810 if (result != DNS_R_WAIT)
811 validator_done(val, result);
813 want_destroy = exit_check(val);
819 * Free stuff from the event.
821 isc_event_free(&event);
825 * Looks for the requested name and type in the view (zones and cache).
827 * When looking for a DLV record also checks to make sure the NSEC record
828 * returns covers the query name as part of aggressive negative caching.
833 * \li DNS_R_NCACHENXDOMAIN
834 * \li DNS_R_NCACHENXRRSET
838 static inline isc_result_t
839 view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
840 dns_fixedname_t fixedname;
841 dns_name_t *foundname;
842 dns_rdata_nsec_t nsec;
843 dns_rdata_t rdata = DNS_RDATA_INIT;
845 unsigned int options;
846 char buf1[DNS_NAME_FORMATSIZE];
847 char buf2[DNS_NAME_FORMATSIZE];
848 char buf3[DNS_NAME_FORMATSIZE];
850 if (dns_rdataset_isassociated(&val->frdataset))
851 dns_rdataset_disassociate(&val->frdataset);
852 if (dns_rdataset_isassociated(&val->fsigrdataset))
853 dns_rdataset_disassociate(&val->fsigrdataset);
855 if (val->view->zonetable == NULL)
856 return (ISC_R_CANCELED);
858 options = DNS_DBFIND_PENDINGOK;
859 if (type == dns_rdatatype_dlv)
860 options |= DNS_DBFIND_COVERINGNSEC;
861 dns_fixedname_init(&fixedname);
862 foundname = dns_fixedname_name(&fixedname);
863 result = dns_view_find(val->view, name, type, 0, options,
864 ISC_FALSE, NULL, NULL, foundname,
865 &val->frdataset, &val->fsigrdataset);
866 if (result == DNS_R_NXDOMAIN) {
867 if (dns_rdataset_isassociated(&val->frdataset))
868 dns_rdataset_disassociate(&val->frdataset);
869 if (dns_rdataset_isassociated(&val->fsigrdataset))
870 dns_rdataset_disassociate(&val->fsigrdataset);
871 } else if (result == DNS_R_COVERINGNSEC) {
872 validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC");
874 * Check if the returned NSEC covers the name.
876 INSIST(type == dns_rdatatype_dlv);
877 if (val->frdataset.trust != dns_trust_secure) {
878 validator_log(val, ISC_LOG_DEBUG(3),
879 "covering nsec: trust %u",
880 val->frdataset.trust);
883 result = dns_rdataset_first(&val->frdataset);
884 if (result != ISC_R_SUCCESS)
886 dns_rdataset_current(&val->frdataset, &rdata);
887 if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
888 !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) {
889 /* Parent NSEC record. */
890 if (dns_name_issubdomain(name, foundname)) {
891 validator_log(val, ISC_LOG_DEBUG(3),
892 "covering nsec: for parent");
896 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
897 if (result != ISC_R_SUCCESS)
899 if (dns_name_compare(foundname, &nsec.next) >= 0) {
900 /* End of zone chain. */
901 if (!dns_name_issubdomain(name, &nsec.next)) {
903 * XXXMPA We could look for a parent NSEC
904 * at nsec.next and if found retest with
907 dns_rdata_freestruct(&nsec);
908 validator_log(val, ISC_LOG_DEBUG(3),
909 "covering nsec: not in zone");
912 } else if (dns_name_compare(name, &nsec.next) >= 0) {
914 * XXXMPA We could check if this NSEC is at a zone
915 * apex and if the qname is not below it and look for
916 * a parent NSEC with the same name. This requires
917 * that we can cache both NSEC records which we
918 * currently don't support.
920 dns_rdata_freestruct(&nsec);
921 validator_log(val, ISC_LOG_DEBUG(3),
922 "covering nsec: not in range");
925 if (isc_log_wouldlog(dns_lctx,ISC_LOG_DEBUG(3))) {
926 dns_name_format(name, buf1, sizeof buf1);
927 dns_name_format(foundname, buf2, sizeof buf2);
928 dns_name_format(&nsec.next, buf3, sizeof buf3);
929 validator_log(val, ISC_LOG_DEBUG(3),
930 "covering nsec found: '%s' '%s' '%s'",
933 if (dns_rdataset_isassociated(&val->frdataset))
934 dns_rdataset_disassociate(&val->frdataset);
935 if (dns_rdataset_isassociated(&val->fsigrdataset))
936 dns_rdataset_disassociate(&val->fsigrdataset);
937 dns_rdata_freestruct(&nsec);
938 result = DNS_R_NCACHENXDOMAIN;
939 } else if (result != ISC_R_SUCCESS &&
940 result != DNS_R_NCACHENXDOMAIN &&
941 result != DNS_R_NCACHENXRRSET &&
942 result != DNS_R_NXRRSET &&
943 result != ISC_R_NOTFOUND) {
949 if (dns_rdataset_isassociated(&val->frdataset))
950 dns_rdataset_disassociate(&val->frdataset);
951 if (dns_rdataset_isassociated(&val->fsigrdataset))
952 dns_rdataset_disassociate(&val->fsigrdataset);
953 return (ISC_R_NOTFOUND);
957 * Checks to make sure we are not going to loop. As we use a SHARED fetch
958 * the validation process will stall if looping was to occur.
960 static inline isc_boolean_t
961 check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
962 dns_validator_t *parent;
964 for (parent = val; parent != NULL; parent = parent->parent) {
965 if (parent->event != NULL &&
966 parent->event->type == type &&
967 dns_name_equal(parent->event->name, name))
969 validator_log(val, ISC_LOG_DEBUG(3),
970 "continuing validation would lead to "
971 "deadlock: aborting validation");
979 * Start a fetch for the requested name and type.
981 static inline isc_result_t
982 create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
983 isc_taskaction_t callback, const char *caller)
985 if (dns_rdataset_isassociated(&val->frdataset))
986 dns_rdataset_disassociate(&val->frdataset);
987 if (dns_rdataset_isassociated(&val->fsigrdataset))
988 dns_rdataset_disassociate(&val->fsigrdataset);
990 if (check_deadlock(val, name, type))
991 return (DNS_R_NOVALIDSIG);
993 validator_logcreate(val, name, type, caller, "fetch");
994 return (dns_resolver_createfetch(val->view->resolver, name, type,
996 val->event->ev_sender,
1004 * Start a subvalidation process.
1006 static inline isc_result_t
1007 create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
1008 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
1009 isc_taskaction_t action, const char *caller)
1011 isc_result_t result;
1013 if (check_deadlock(val, name, type))
1014 return (DNS_R_NOVALIDSIG);
1016 validator_logcreate(val, name, type, caller, "validator");
1017 result = dns_validator_create(val->view, name, type,
1018 rdataset, sigrdataset, NULL, 0,
1019 val->task, action, val,
1020 &val->subvalidator);
1021 if (result == ISC_R_SUCCESS) {
1022 val->subvalidator->parent = val;
1023 val->subvalidator->depth = val->depth + 1;
1029 * Try to find a key that could have signed 'siginfo' among those
1030 * in 'rdataset'. If found, build a dst_key_t for it and point
1033 * If val->key is non-NULL, this returns the next matching key.
1036 get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
1037 dns_rdataset_t *rdataset)
1039 isc_result_t result;
1041 dns_rdata_t rdata = DNS_RDATA_INIT;
1042 dst_key_t *oldkey = val->key;
1043 isc_boolean_t foundold;
1046 foundold = ISC_TRUE;
1048 foundold = ISC_FALSE;
1052 result = dns_rdataset_first(rdataset);
1053 if (result != ISC_R_SUCCESS)
1056 dns_rdataset_current(rdataset, &rdata);
1058 isc_buffer_init(&b, rdata.data, rdata.length);
1059 isc_buffer_add(&b, rdata.length);
1060 INSIST(val->key == NULL);
1061 result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
1062 val->view->mctx, &val->key);
1063 if (result != ISC_R_SUCCESS)
1065 if (siginfo->algorithm ==
1066 (dns_secalg_t)dst_key_alg(val->key) &&
1068 (dns_keytag_t)dst_key_id(val->key) &&
1069 dst_key_iszonekey(val->key))
1073 * This is the key we're looking for.
1075 return (ISC_R_SUCCESS);
1076 else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
1078 foundold = ISC_TRUE;
1079 dst_key_free(&oldkey);
1082 dst_key_free(&val->key);
1083 dns_rdata_reset(&rdata);
1084 result = dns_rdataset_next(rdataset);
1085 } while (result == ISC_R_SUCCESS);
1086 if (result == ISC_R_NOMORE)
1087 result = ISC_R_NOTFOUND;
1091 dst_key_free(&oldkey);
1097 * Get the key that genertated this signature.
1100 get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
1101 isc_result_t result;
1102 unsigned int nlabels;
1104 dns_namereln_t namereln;
1107 * Is the signer name appropriate for this signature?
1109 * The signer name must be at the same level as the owner name
1110 * or closer to the the DNS root.
1112 namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
1114 if (namereln != dns_namereln_subdomain &&
1115 namereln != dns_namereln_equal)
1116 return (DNS_R_CONTINUE);
1118 if (namereln == dns_namereln_equal) {
1120 * If this is a self-signed keyset, it must not be a zone key
1121 * (since get_key is not called from validatezonekey).
1123 if (val->event->rdataset->type == dns_rdatatype_dnskey)
1124 return (DNS_R_CONTINUE);
1127 * Records appearing in the parent zone at delegation
1128 * points cannot be self-signed.
1130 if (dns_rdatatype_atparent(val->event->rdataset->type))
1131 return (DNS_R_CONTINUE);
1135 * Do we know about this key?
1137 result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
1138 if (result == ISC_R_SUCCESS) {
1140 * We have an rrset for the given keyname.
1142 val->keyset = &val->frdataset;
1143 if (val->frdataset.trust == dns_trust_pending &&
1144 dns_rdataset_isassociated(&val->fsigrdataset))
1147 * We know the key but haven't validated it yet.
1149 result = create_validator(val, &siginfo->signer,
1150 dns_rdatatype_dnskey,
1155 if (result != ISC_R_SUCCESS)
1157 return (DNS_R_WAIT);
1158 } else if (val->frdataset.trust == dns_trust_pending) {
1160 * Having a pending key with no signature means that
1161 * something is broken.
1163 result = DNS_R_CONTINUE;
1164 } else if (val->frdataset.trust < dns_trust_secure) {
1166 * The key is legitimately insecure. There's no
1167 * point in even attempting verification.
1170 result = ISC_R_SUCCESS;
1173 * See if we've got the key used in the signature.
1175 validator_log(val, ISC_LOG_DEBUG(3),
1176 "keyset with trust %d",
1177 val->frdataset.trust);
1178 result = get_dst_key(val, siginfo, val->keyset);
1179 if (result != ISC_R_SUCCESS) {
1181 * Either the key we're looking for is not
1182 * in the rrset, or something bad happened.
1185 result = DNS_R_CONTINUE;
1188 } else if (result == ISC_R_NOTFOUND) {
1190 * We don't know anything about this key.
1192 result = create_fetch(val, &siginfo->signer, dns_rdatatype_dnskey,
1193 fetch_callback_validator, "get_key");
1194 if (result != ISC_R_SUCCESS)
1196 return (DNS_R_WAIT);
1197 } else if (result == DNS_R_NCACHENXDOMAIN ||
1198 result == DNS_R_NCACHENXRRSET ||
1199 result == DNS_R_NXDOMAIN ||
1200 result == DNS_R_NXRRSET)
1203 * This key doesn't exist.
1205 result = DNS_R_CONTINUE;
1208 if (dns_rdataset_isassociated(&val->frdataset) &&
1209 val->keyset != &val->frdataset)
1210 dns_rdataset_disassociate(&val->frdataset);
1211 if (dns_rdataset_isassociated(&val->fsigrdataset))
1212 dns_rdataset_disassociate(&val->fsigrdataset);
1218 compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
1221 dns_rdata_toregion(rdata, &r);
1222 return (dst_region_computeid(&r, key->algorithm));
1226 * Is this keyset self-signed?
1228 static isc_boolean_t
1229 isselfsigned(dns_validator_t *val) {
1230 dns_rdataset_t *rdataset, *sigrdataset;
1231 dns_rdata_t rdata = DNS_RDATA_INIT;
1232 dns_rdata_t sigrdata = DNS_RDATA_INIT;
1233 dns_rdata_dnskey_t key;
1234 dns_rdata_rrsig_t sig;
1235 dns_keytag_t keytag;
1236 isc_result_t result;
1238 rdataset = val->event->rdataset;
1239 sigrdataset = val->event->sigrdataset;
1241 INSIST(rdataset->type == dns_rdatatype_dnskey);
1243 for (result = dns_rdataset_first(rdataset);
1244 result == ISC_R_SUCCESS;
1245 result = dns_rdataset_next(rdataset))
1247 dns_rdata_reset(&rdata);
1248 dns_rdataset_current(rdataset, &rdata);
1249 (void)dns_rdata_tostruct(&rdata, &key, NULL);
1250 keytag = compute_keytag(&rdata, &key);
1251 for (result = dns_rdataset_first(sigrdataset);
1252 result == ISC_R_SUCCESS;
1253 result = dns_rdataset_next(sigrdataset))
1255 dns_rdata_reset(&sigrdata);
1256 dns_rdataset_current(sigrdataset, &sigrdata);
1257 (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
1259 if (sig.algorithm == key.algorithm &&
1260 sig.keyid == keytag)
1268 * Attempt to verify the rdataset using the given key and rdata (RRSIG).
1269 * The signature was good and from a wildcard record and the QNAME does
1270 * not match the wildcard we need to look for a NOQNAME proof.
1273 * \li ISC_R_SUCCESS if the verification succeeds.
1274 * \li Others if the verification fails.
1277 verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
1280 isc_result_t result;
1281 dns_fixedname_t fixed;
1282 isc_boolean_t ignore = ISC_FALSE;
1284 val->attributes |= VALATTR_TRIEDVERIFY;
1285 dns_fixedname_init(&fixed);
1287 result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
1288 key, ignore, val->view->mctx, rdata,
1289 dns_fixedname_name(&fixed));
1290 if (result == DNS_R_SIGEXPIRED && val->view->acceptexpired) {
1294 if (ignore && (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD))
1295 validator_log(val, ISC_LOG_INFO,
1296 "accepted expired %sRRSIG (keyid=%u)",
1297 (result == DNS_R_FROMWILDCARD) ?
1298 "wildcard " : "", keyid);
1300 validator_log(val, ISC_LOG_DEBUG(3),
1301 "verify rdataset (keyid=%u): %s",
1302 keyid, isc_result_totext(result));
1303 if (result == DNS_R_FROMWILDCARD) {
1304 if (!dns_name_equal(val->event->name,
1305 dns_fixedname_name(&fixed)))
1306 val->attributes |= VALATTR_NEEDNOQNAME;
1307 result = ISC_R_SUCCESS;
1313 * Attempts positive response validation of a normal RRset.
1316 * \li ISC_R_SUCCESS Validation completed successfully
1317 * \li DNS_R_WAIT Validation has started but is waiting
1319 * \li Other return codes are possible and all indicate failure.
1322 validate(dns_validator_t *val, isc_boolean_t resume) {
1323 isc_result_t result;
1324 dns_validatorevent_t *event;
1325 dns_rdata_t rdata = DNS_RDATA_INIT;
1328 * Caller must be holding the validator lock.
1335 * We already have a sigrdataset.
1337 result = ISC_R_SUCCESS;
1338 validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
1340 result = dns_rdataset_first(event->sigrdataset);
1344 result == ISC_R_SUCCESS;
1345 result = dns_rdataset_next(event->sigrdataset))
1347 dns_rdata_reset(&rdata);
1348 dns_rdataset_current(event->sigrdataset, &rdata);
1349 if (val->siginfo == NULL) {
1350 val->siginfo = isc_mem_get(val->view->mctx,
1351 sizeof(*val->siginfo));
1352 if (val->siginfo == NULL)
1353 return (ISC_R_NOMEMORY);
1355 result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
1356 if (result != ISC_R_SUCCESS)
1360 * At this point we could check that the signature algorithm
1361 * was known and "sufficiently good".
1363 if (!dns_resolver_algorithm_supported(val->view->resolver,
1365 val->siginfo->algorithm))
1369 result = get_key(val, val->siginfo);
1370 if (result == DNS_R_CONTINUE)
1371 continue; /* Try the next SIG RR. */
1372 if (result != ISC_R_SUCCESS)
1377 * The key is insecure, so mark the data as insecure also.
1379 if (val->key == NULL) {
1380 if (val->mustbesecure) {
1381 validator_log(val, ISC_LOG_WARNING,
1382 "must be secure failure");
1383 return (DNS_R_MUSTBESECURE);
1386 return (ISC_R_SUCCESS);
1390 result = verify(val, val->key, &rdata,
1391 val->siginfo->keyid);
1392 if (result == ISC_R_SUCCESS)
1394 if (val->keynode != NULL) {
1395 dns_keynode_t *nextnode = NULL;
1396 result = dns_keytable_findnextkeynode(
1400 dns_keytable_detachkeynode(val->keytable,
1402 val->keynode = nextnode;
1403 if (result != ISC_R_SUCCESS) {
1407 val->key = dns_keynode_key(val->keynode);
1409 if (get_dst_key(val, val->siginfo, val->keyset)
1414 if (result != ISC_R_SUCCESS)
1415 validator_log(val, ISC_LOG_DEBUG(3),
1416 "failed to verify rdataset");
1421 isc_stdtime_get(&now);
1422 ttl = ISC_MIN(event->rdataset->ttl,
1423 val->siginfo->timeexpire - now);
1424 if (val->keyset != NULL)
1425 ttl = ISC_MIN(ttl, val->keyset->ttl);
1426 event->rdataset->ttl = ttl;
1427 event->sigrdataset->ttl = ttl;
1430 if (val->keynode != NULL)
1431 dns_keytable_detachkeynode(val->keytable,
1434 if (val->key != NULL)
1435 dst_key_free(&val->key);
1436 if (val->keyset != NULL) {
1437 dns_rdataset_disassociate(val->keyset);
1442 if ((val->attributes & VALATTR_NEEDNOQNAME) != 0) {
1443 if (val->event->message == NULL) {
1444 validator_log(val, ISC_LOG_DEBUG(3),
1445 "no message available for noqname proof");
1446 return (DNS_R_NOVALIDSIG);
1448 validator_log(val, ISC_LOG_DEBUG(3),
1449 "looking for noqname proof");
1450 return (nsecvalidate(val, ISC_FALSE));
1451 } else if (result == ISC_R_SUCCESS) {
1452 event->rdataset->trust = dns_trust_secure;
1453 event->sigrdataset->trust = dns_trust_secure;
1454 validator_log(val, ISC_LOG_DEBUG(3),
1455 "marking as secure");
1458 validator_log(val, ISC_LOG_DEBUG(3),
1459 "verify failure: %s",
1460 isc_result_totext(result));
1464 if (result != ISC_R_NOMORE) {
1465 validator_log(val, ISC_LOG_DEBUG(3),
1466 "failed to iterate signatures: %s",
1467 isc_result_totext(result));
1471 validator_log(val, ISC_LOG_INFO, "no valid signature found");
1472 return (DNS_R_NOVALIDSIG);
1476 * Validate the DNSKEY RRset by looking for a DNSKEY that matches a
1477 * DLV record and that also verifies the DNSKEY RRset.
1480 dlv_validatezonekey(dns_validator_t *val) {
1481 dns_keytag_t keytag;
1482 dns_rdata_dlv_t dlv;
1483 dns_rdata_dnskey_t key;
1484 dns_rdata_rrsig_t sig;
1485 dns_rdata_t dlvrdata = DNS_RDATA_INIT;
1486 dns_rdata_t keyrdata = DNS_RDATA_INIT;
1487 dns_rdata_t newdsrdata = DNS_RDATA_INIT;
1488 dns_rdata_t sigrdata = DNS_RDATA_INIT;
1489 dns_rdataset_t trdataset;
1491 isc_boolean_t supported_algorithm;
1492 isc_result_t result;
1493 unsigned char dsbuf[DNS_DS_BUFFERSIZE];
1494 isc_uint8_t digest_type;
1496 validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
1499 * Look through the DLV record and find the keys that can sign the
1500 * key set and the matching signature. For each such key, attempt
1503 supported_algorithm = ISC_FALSE;
1506 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
1507 * it over DNS_DSDIGEST_SHA1. This in practice means that we
1508 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
1511 digest_type = DNS_DSDIGEST_SHA1;
1512 for (result = dns_rdataset_first(&val->dlv);
1513 result == ISC_R_SUCCESS;
1514 result = dns_rdataset_next(&val->dlv)) {
1515 dns_rdata_reset(&dlvrdata);
1516 dns_rdataset_current(&val->dlv, &dlvrdata);
1517 dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
1519 if (!dns_resolver_algorithm_supported(val->view->resolver,
1524 if (dlv.digest_type == DNS_DSDIGEST_SHA256 &&
1525 dlv.length == ISC_SHA256_DIGESTLENGTH) {
1526 digest_type = DNS_DSDIGEST_SHA256;
1531 for (result = dns_rdataset_first(&val->dlv);
1532 result == ISC_R_SUCCESS;
1533 result = dns_rdataset_next(&val->dlv))
1535 dns_rdata_reset(&dlvrdata);
1536 dns_rdataset_current(&val->dlv, &dlvrdata);
1537 (void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
1539 if (!dns_resolver_digest_supported(val->view->resolver,
1543 if (dlv.digest_type != digest_type)
1546 if (!dns_resolver_algorithm_supported(val->view->resolver,
1551 supported_algorithm = ISC_TRUE;
1553 dns_rdataset_init(&trdataset);
1554 dns_rdataset_clone(val->event->rdataset, &trdataset);
1556 for (result = dns_rdataset_first(&trdataset);
1557 result == ISC_R_SUCCESS;
1558 result = dns_rdataset_next(&trdataset))
1560 dns_rdata_reset(&keyrdata);
1561 dns_rdataset_current(&trdataset, &keyrdata);
1562 (void)dns_rdata_tostruct(&keyrdata, &key, NULL);
1563 keytag = compute_keytag(&keyrdata, &key);
1564 if (dlv.key_tag != keytag ||
1565 dlv.algorithm != key.algorithm)
1567 dns_rdata_reset(&newdsrdata);
1568 result = dns_ds_buildrdata(val->event->name,
1569 &keyrdata, dlv.digest_type,
1570 dsbuf, &newdsrdata);
1571 if (result != ISC_R_SUCCESS) {
1572 validator_log(val, ISC_LOG_DEBUG(3),
1573 "dns_ds_buildrdata() -> %s",
1574 dns_result_totext(result));
1578 newdsrdata.type = dns_rdatatype_dlv;
1579 if (dns_rdata_compare(&dlvrdata, &newdsrdata) == 0)
1582 if (result != ISC_R_SUCCESS) {
1583 validator_log(val, ISC_LOG_DEBUG(3),
1584 "no DNSKEY matching DLV");
1587 validator_log(val, ISC_LOG_DEBUG(3),
1588 "Found matching DLV record: checking for signature");
1590 for (result = dns_rdataset_first(val->event->sigrdataset);
1591 result == ISC_R_SUCCESS;
1592 result = dns_rdataset_next(val->event->sigrdataset))
1594 dns_rdata_reset(&sigrdata);
1595 dns_rdataset_current(val->event->sigrdataset,
1597 (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
1598 if (dlv.key_tag != sig.keyid &&
1599 dlv.algorithm != sig.algorithm)
1602 result = dns_dnssec_keyfromrdata(val->event->name,
1606 if (result != ISC_R_SUCCESS)
1608 * This really shouldn't happen, but...
1612 result = verify(val, dstkey, &sigrdata, sig.keyid);
1613 dst_key_free(&dstkey);
1614 if (result == ISC_R_SUCCESS)
1617 dns_rdataset_disassociate(&trdataset);
1618 if (result == ISC_R_SUCCESS)
1620 validator_log(val, ISC_LOG_DEBUG(3),
1621 "no RRSIG matching DLV key");
1623 if (result == ISC_R_SUCCESS) {
1624 val->event->rdataset->trust = dns_trust_secure;
1625 val->event->sigrdataset->trust = dns_trust_secure;
1626 validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
1628 } else if (result == ISC_R_NOMORE && !supported_algorithm) {
1629 if (val->mustbesecure) {
1630 validator_log(val, ISC_LOG_WARNING,
1631 "must be secure failure");
1632 return (DNS_R_MUSTBESECURE);
1634 validator_log(val, ISC_LOG_DEBUG(3),
1635 "no supported algorithm/digest (dlv)");
1637 return (ISC_R_SUCCESS);
1639 return (DNS_R_NOVALIDSIG);
1643 * Attempts positive response validation of an RRset containing zone keys.
1646 * \li ISC_R_SUCCESS Validation completed successfully
1647 * \li DNS_R_WAIT Validation has started but is waiting
1649 * \li Other return codes are possible and all indicate failure.
1652 validatezonekey(dns_validator_t *val) {
1653 isc_result_t result;
1654 dns_validatorevent_t *event;
1655 dns_rdataset_t trdataset;
1656 dns_rdata_t dsrdata = DNS_RDATA_INIT;
1657 dns_rdata_t newdsrdata = DNS_RDATA_INIT;
1658 dns_rdata_t keyrdata = DNS_RDATA_INIT;
1659 dns_rdata_t sigrdata = DNS_RDATA_INIT;
1660 unsigned char dsbuf[DNS_DS_BUFFERSIZE];
1661 char namebuf[DNS_NAME_FORMATSIZE];
1662 dns_keytag_t keytag;
1664 dns_rdata_dnskey_t key;
1665 dns_rdata_rrsig_t sig;
1667 isc_boolean_t supported_algorithm;
1668 isc_boolean_t atsep = ISC_FALSE;
1669 isc_uint8_t digest_type;
1672 * Caller must be holding the validator lock.
1677 if (val->havedlvsep && val->dlv.trust >= dns_trust_secure &&
1678 dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep)))
1679 return (dlv_validatezonekey(val));
1681 if (val->dsset == NULL) {
1683 * First, see if this key was signed by a trusted key.
1685 for (result = dns_rdataset_first(val->event->sigrdataset);
1686 result == ISC_R_SUCCESS;
1687 result = dns_rdataset_next(val->event->sigrdataset))
1689 dns_keynode_t *keynode = NULL, *nextnode = NULL;
1691 dns_rdata_reset(&sigrdata);
1692 dns_rdataset_current(val->event->sigrdataset,
1694 (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
1695 result = dns_keytable_findkeynode(val->keytable,
1700 if (result == DNS_R_PARTIALMATCH ||
1701 result == ISC_R_SUCCESS)
1703 while (result == ISC_R_SUCCESS) {
1704 dstkey = dns_keynode_key(keynode);
1705 result = verify(val, dstkey, &sigrdata,
1707 if (result == ISC_R_SUCCESS) {
1708 dns_keytable_detachkeynode(val->keytable,
1712 result = dns_keytable_findnextkeynode(
1716 dns_keytable_detachkeynode(val->keytable,
1720 if (result == ISC_R_SUCCESS) {
1721 event->rdataset->trust = dns_trust_secure;
1722 event->sigrdataset->trust = dns_trust_secure;
1723 validator_log(val, ISC_LOG_DEBUG(3),
1724 "signed by trusted key; "
1725 "marking as secure");
1731 * If this is the root name and there was no trusted key,
1732 * give up, since there's no DS at the root.
1734 if (dns_name_equal(event->name, dns_rootname)) {
1735 if ((val->attributes & VALATTR_TRIEDVERIFY) != 0)
1736 return (DNS_R_NOVALIDSIG);
1738 return (DNS_R_NOVALIDDS);
1743 * We have not found a key to verify this DNSKEY
1744 * RRset. As this is a SEP we have to assume that
1745 * the RRset is invalid.
1747 dns_name_format(val->event->name, namebuf,
1749 validator_log(val, ISC_LOG_DEBUG(2),
1750 "unable to find a DNSKEY which verifies "
1751 "the DNSKEY RRset and also matches one "
1752 "of specified trusted-keys for '%s'",
1754 return (DNS_R_NOVALIDKEY);
1758 * Otherwise, try to find the DS record.
1760 result = view_find(val, val->event->name, dns_rdatatype_ds);
1761 if (result == ISC_R_SUCCESS) {
1763 * We have DS records.
1765 val->dsset = &val->frdataset;
1766 if (val->frdataset.trust == dns_trust_pending &&
1767 dns_rdataset_isassociated(&val->fsigrdataset))
1769 result = create_validator(val,
1776 if (result != ISC_R_SUCCESS)
1778 return (DNS_R_WAIT);
1779 } else if (val->frdataset.trust == dns_trust_pending) {
1781 * There should never be an unsigned DS.
1783 dns_rdataset_disassociate(&val->frdataset);
1784 validator_log(val, ISC_LOG_DEBUG(2),
1785 "unsigned DS record");
1786 return (DNS_R_NOVALIDSIG);
1788 result = ISC_R_SUCCESS;
1789 } else if (result == ISC_R_NOTFOUND) {
1791 * We don't have the DS. Find it.
1793 result = create_fetch(val, val->event->name,
1794 dns_rdatatype_ds, dsfetched,
1796 if (result != ISC_R_SUCCESS)
1798 return (DNS_R_WAIT);
1799 } else if (result == DNS_R_NCACHENXDOMAIN ||
1800 result == DNS_R_NCACHENXRRSET ||
1801 result == DNS_R_NXDOMAIN ||
1802 result == DNS_R_NXRRSET)
1805 * The DS does not exist.
1807 if (dns_rdataset_isassociated(&val->frdataset))
1808 dns_rdataset_disassociate(&val->frdataset);
1809 if (dns_rdataset_isassociated(&val->fsigrdataset))
1810 dns_rdataset_disassociate(&val->fsigrdataset);
1811 validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
1812 return (DNS_R_NOVALIDSIG);
1819 INSIST(val->dsset != NULL);
1821 if (val->dsset->trust < dns_trust_secure) {
1822 if (val->mustbesecure) {
1823 validator_log(val, ISC_LOG_WARNING,
1824 "must be secure failure");
1825 return (DNS_R_MUSTBESECURE);
1828 return (ISC_R_SUCCESS);
1832 * Look through the DS record and find the keys that can sign the
1833 * key set and the matching signature. For each such key, attempt
1837 supported_algorithm = ISC_FALSE;
1840 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
1841 * it over DNS_DSDIGEST_SHA1. This in practice means that we
1842 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
1845 digest_type = DNS_DSDIGEST_SHA1;
1846 for (result = dns_rdataset_first(val->dsset);
1847 result == ISC_R_SUCCESS;
1848 result = dns_rdataset_next(val->dsset)) {
1849 dns_rdata_reset(&dsrdata);
1850 dns_rdataset_current(val->dsset, &dsrdata);
1851 dns_rdata_tostruct(&dsrdata, &ds, NULL);
1853 if (!dns_resolver_algorithm_supported(val->view->resolver,
1858 if (ds.digest_type == DNS_DSDIGEST_SHA256 &&
1859 ds.length == ISC_SHA256_DIGESTLENGTH) {
1860 digest_type = DNS_DSDIGEST_SHA256;
1865 for (result = dns_rdataset_first(val->dsset);
1866 result == ISC_R_SUCCESS;
1867 result = dns_rdataset_next(val->dsset))
1869 dns_rdata_reset(&dsrdata);
1870 dns_rdataset_current(val->dsset, &dsrdata);
1871 (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
1873 if (!dns_resolver_digest_supported(val->view->resolver,
1877 if (ds.digest_type != digest_type)
1880 if (!dns_resolver_algorithm_supported(val->view->resolver,
1885 supported_algorithm = ISC_TRUE;
1887 dns_rdataset_init(&trdataset);
1888 dns_rdataset_clone(val->event->rdataset, &trdataset);
1891 * Look for the KEY that matches the DS record.
1893 for (result = dns_rdataset_first(&trdataset);
1894 result == ISC_R_SUCCESS;
1895 result = dns_rdataset_next(&trdataset))
1897 dns_rdata_reset(&keyrdata);
1898 dns_rdataset_current(&trdataset, &keyrdata);
1899 (void)dns_rdata_tostruct(&keyrdata, &key, NULL);
1900 keytag = compute_keytag(&keyrdata, &key);
1901 if (ds.key_tag != keytag ||
1902 ds.algorithm != key.algorithm)
1904 dns_rdata_reset(&newdsrdata);
1905 result = dns_ds_buildrdata(val->event->name,
1906 &keyrdata, ds.digest_type,
1907 dsbuf, &newdsrdata);
1908 if (result != ISC_R_SUCCESS)
1910 if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0)
1913 if (result != ISC_R_SUCCESS) {
1914 validator_log(val, ISC_LOG_DEBUG(3),
1915 "no DNSKEY matching DS");
1919 for (result = dns_rdataset_first(val->event->sigrdataset);
1920 result == ISC_R_SUCCESS;
1921 result = dns_rdataset_next(val->event->sigrdataset))
1923 dns_rdata_reset(&sigrdata);
1924 dns_rdataset_current(val->event->sigrdataset,
1926 (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
1927 if (ds.key_tag != sig.keyid ||
1928 ds.algorithm != sig.algorithm)
1932 result = dns_dnssec_keyfromrdata(val->event->name,
1936 if (result != ISC_R_SUCCESS)
1938 * This really shouldn't happen, but...
1941 result = verify(val, dstkey, &sigrdata, sig.keyid);
1942 dst_key_free(&dstkey);
1943 if (result == ISC_R_SUCCESS)
1946 dns_rdataset_disassociate(&trdataset);
1947 if (result == ISC_R_SUCCESS)
1949 validator_log(val, ISC_LOG_DEBUG(3),
1950 "no RRSIG matching DS key");
1952 if (result == ISC_R_SUCCESS) {
1953 event->rdataset->trust = dns_trust_secure;
1954 event->sigrdataset->trust = dns_trust_secure;
1955 validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
1957 } else if (result == ISC_R_NOMORE && !supported_algorithm) {
1958 if (val->mustbesecure) {
1959 validator_log(val, ISC_LOG_WARNING,
1960 "must be secure failure");
1961 return (DNS_R_MUSTBESECURE);
1963 validator_log(val, ISC_LOG_DEBUG(3),
1964 "no supported algorithm/digest (DS)");
1966 return (ISC_R_SUCCESS);
1968 return (DNS_R_NOVALIDSIG);
1972 * Starts a positive response validation.
1975 * \li ISC_R_SUCCESS Validation completed successfully
1976 * \li DNS_R_WAIT Validation has started but is waiting
1978 * \li Other return codes are possible and all indicate failure.
1981 start_positive_validation(dns_validator_t *val) {
1983 * If this is not a key, go straight into validate().
1985 if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
1986 return (validate(val, ISC_FALSE));
1988 return (validatezonekey(val));
1992 * Look for NODATA at the wildcard and NOWILDCARD proofs in the
1993 * previously validated NSEC records. As these proofs are mutually
1994 * exclusive we stop when one is found.
2000 checkwildcard(dns_validator_t *val) {
2001 dns_name_t *name, *wild;
2002 dns_message_t *message = val->event->message;
2003 isc_result_t result;
2004 isc_boolean_t exists, data;
2005 char namebuf[DNS_NAME_FORMATSIZE];
2007 wild = dns_fixedname_name(&val->wild);
2008 dns_name_format(wild, namebuf, sizeof(namebuf));
2009 validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
2011 for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
2012 result == ISC_R_SUCCESS;
2013 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
2015 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
2018 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
2020 for (rdataset = ISC_LIST_HEAD(name->list);
2022 rdataset = ISC_LIST_NEXT(rdataset, link))
2024 if (rdataset->type != dns_rdatatype_nsec)
2026 val->nsecset = rdataset;
2028 for (sigrdataset = ISC_LIST_HEAD(name->list);
2029 sigrdataset != NULL;
2030 sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
2032 if (sigrdataset->type == dns_rdatatype_rrsig &&
2033 sigrdataset->covers == rdataset->type)
2036 if (sigrdataset == NULL)
2039 if (rdataset->trust != dns_trust_secure)
2042 if (((val->attributes & VALATTR_NEEDNODATA) != 0 ||
2043 (val->attributes & VALATTR_NEEDNOWILDCARD) != 0) &&
2044 (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
2045 (val->attributes & VALATTR_FOUNDNOWILDCARD) == 0 &&
2046 nsecnoexistnodata(val, wild, name, rdataset,
2047 &exists, &data, NULL)
2050 dns_name_t **proofs = val->event->proofs;
2051 if (exists && !data)
2052 val->attributes |= VALATTR_FOUNDNODATA;
2053 if (exists && !data && NEEDNODATA(val))
2054 proofs[DNS_VALIDATOR_NODATAPROOF] =
2058 VALATTR_FOUNDNOWILDCARD;
2059 if (!exists && NEEDNOQNAME(val))
2060 proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
2062 return (ISC_R_SUCCESS);
2066 if (result == ISC_R_NOMORE)
2067 result = ISC_R_SUCCESS;
2072 * Prove a negative answer is good or that there is a NOQNAME when the
2073 * answer is from a wildcard.
2075 * Loop through the authority section looking for NODATA, NOWILDCARD
2076 * and NOQNAME proofs in the NSEC records by calling authvalidated().
2078 * If the required proofs are found we are done.
2080 * If the proofs are not found attempt to prove this is a unsecure
2084 nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
2086 dns_message_t *message = val->event->message;
2087 isc_result_t result;
2090 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
2092 result = ISC_R_SUCCESS;
2093 validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
2097 result == ISC_R_SUCCESS;
2098 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
2100 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
2103 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
2105 rdataset = ISC_LIST_NEXT(val->currentset, link);
2106 val->currentset = NULL;
2109 rdataset = ISC_LIST_HEAD(name->list);
2113 rdataset = ISC_LIST_NEXT(rdataset, link))
2115 if (rdataset->type == dns_rdatatype_rrsig)
2118 for (sigrdataset = ISC_LIST_HEAD(name->list);
2119 sigrdataset != NULL;
2120 sigrdataset = ISC_LIST_NEXT(sigrdataset,
2123 if (sigrdataset->type == dns_rdatatype_rrsig &&
2124 sigrdataset->covers == rdataset->type)
2128 * If a signed zone is missing the zone key, bad
2129 * things could happen. A query for data in the zone
2130 * would lead to a query for the zone key, which
2131 * would return a negative answer, which would contain
2132 * an SOA and an NSEC signed by the missing key, which
2133 * would trigger another query for the DNSKEY (since
2134 * the first one is still in progress), and go into an
2135 * infinite loop. Avoid that.
2137 if (val->event->type == dns_rdatatype_dnskey &&
2138 dns_name_equal(name, val->event->name))
2140 dns_rdata_t nsec = DNS_RDATA_INIT;
2142 if (rdataset->type != dns_rdatatype_nsec)
2145 result = dns_rdataset_first(rdataset);
2146 if (result != ISC_R_SUCCESS)
2148 dns_rdataset_current(rdataset, &nsec);
2149 if (dns_nsec_typepresent(&nsec,
2153 val->currentset = rdataset;
2154 result = create_validator(val, name, rdataset->type,
2155 rdataset, sigrdataset,
2158 if (result != ISC_R_SUCCESS)
2160 return (DNS_R_WAIT);
2164 if (result == ISC_R_NOMORE)
2165 result = ISC_R_SUCCESS;
2166 if (result != ISC_R_SUCCESS)
2170 * Do we only need to check for NOQNAME? To get here we must have
2171 * had a secure wildcard answer.
2173 if ((val->attributes & VALATTR_NEEDNODATA) == 0 &&
2174 (val->attributes & VALATTR_NEEDNOWILDCARD) == 0 &&
2175 (val->attributes & VALATTR_NEEDNOQNAME) != 0) {
2176 if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0) {
2177 validator_log(val, ISC_LOG_DEBUG(3),
2178 "noqname proof found");
2179 validator_log(val, ISC_LOG_DEBUG(3),
2180 "marking as secure");
2181 val->event->rdataset->trust = dns_trust_secure;
2182 val->event->sigrdataset->trust = dns_trust_secure;
2183 return (ISC_R_SUCCESS);
2185 validator_log(val, ISC_LOG_DEBUG(3),
2186 "noqname proof not found");
2187 return (DNS_R_NOVALIDNSEC);
2191 * Do we need to check for the wildcard?
2193 if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
2194 (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
2195 (val->attributes & VALATTR_FOUNDNODATA) == 0) ||
2196 (val->attributes & VALATTR_NEEDNOWILDCARD) != 0)) {
2197 result = checkwildcard(val);
2198 if (result != ISC_R_SUCCESS)
2202 if (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
2203 (val->attributes & VALATTR_FOUNDNODATA) != 0) ||
2204 ((val->attributes & VALATTR_NEEDNOQNAME) != 0 &&
2205 (val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
2206 (val->attributes & VALATTR_NEEDNOWILDCARD) != 0 &&
2207 (val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)) {
2208 validator_log(val, ISC_LOG_DEBUG(3),
2209 "nonexistence proof(s) found");
2210 return (ISC_R_SUCCESS);
2213 validator_log(val, ISC_LOG_DEBUG(3),
2214 "nonexistence proof(s) not found");
2215 val->attributes |= VALATTR_INSECURITY;
2216 return (proveunsecure(val, ISC_FALSE));
2219 static isc_boolean_t
2220 check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) {
2221 dns_rdata_t dsrdata = DNS_RDATA_INIT;
2223 isc_result_t result;
2225 for (result = dns_rdataset_first(rdataset);
2226 result == ISC_R_SUCCESS;
2227 result = dns_rdataset_next(rdataset)) {
2228 dns_rdataset_current(rdataset, &dsrdata);
2229 (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
2231 if (dns_resolver_digest_supported(val->view->resolver,
2233 dns_resolver_algorithm_supported(val->view->resolver,
2234 name, ds.algorithm)) {
2235 dns_rdata_reset(&dsrdata);
2238 dns_rdata_reset(&dsrdata);
2244 * Callback from fetching a DLV record.
2246 * Resumes the DLV lookup process.
2249 dlvfetched(isc_task_t *task, isc_event_t *event) {
2250 char namebuf[DNS_NAME_FORMATSIZE];
2251 dns_fetchevent_t *devent;
2252 dns_validator_t *val;
2253 isc_boolean_t want_destroy;
2254 isc_result_t eresult;
2255 isc_result_t result;
2258 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
2259 devent = (dns_fetchevent_t *)event;
2260 val = devent->ev_arg;
2261 eresult = devent->result;
2263 /* Free resources which are not of interest. */
2264 if (devent->node != NULL)
2265 dns_db_detachnode(devent->db, &devent->node);
2266 if (devent->db != NULL)
2267 dns_db_detach(&devent->db);
2268 if (dns_rdataset_isassociated(&val->fsigrdataset))
2269 dns_rdataset_disassociate(&val->fsigrdataset);
2270 isc_event_free(&event);
2271 dns_resolver_destroyfetch(&val->fetch);
2273 INSIST(val->event != NULL);
2274 validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s",
2275 dns_result_totext(eresult));
2278 if (eresult == ISC_R_SUCCESS) {
2279 dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
2281 dns_rdataset_clone(&val->frdataset, &val->dlv);
2282 val->havedlvsep = ISC_TRUE;
2283 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
2284 dlv_validator_start(val);
2285 } else if (eresult == DNS_R_NXRRSET ||
2286 eresult == DNS_R_NXDOMAIN ||
2287 eresult == DNS_R_NCACHENXRRSET ||
2288 eresult == DNS_R_NCACHENXDOMAIN) {
2289 result = finddlvsep(val, ISC_TRUE);
2290 if (result == ISC_R_SUCCESS) {
2291 dns_name_format(dns_fixedname_name(&val->dlvsep),
2292 namebuf, sizeof(namebuf));
2293 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
2295 dlv_validator_start(val);
2296 } else if (result == ISC_R_NOTFOUND) {
2297 validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
2299 validator_done(val, ISC_R_SUCCESS);
2301 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2302 dns_result_totext(result));
2303 if (result != DNS_R_WAIT)
2304 validator_done(val, result);
2307 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2308 dns_result_totext(eresult));
2309 validator_done(val, eresult);
2311 want_destroy = exit_check(val);
2318 * Start the DLV lookup proccess.
2323 * \li Others on validation failures.
2326 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
2327 char namebuf[DNS_NAME_FORMATSIZE];
2328 isc_result_t result;
2330 INSIST(!DLVTRIED(val));
2332 val->attributes |= VALATTR_DLVTRIED;
2334 dns_name_format(unsecure, namebuf, sizeof(namebuf));
2335 validator_log(val, ISC_LOG_DEBUG(3),
2336 "plain DNSSEC returns unsecure (%s): looking for DLV",
2339 if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
2340 validator_log(val, ISC_LOG_WARNING, "must be secure failure");
2341 return (DNS_R_MUSTBESECURE);
2344 val->dlvlabels = dns_name_countlabels(unsecure) - 1;
2345 result = finddlvsep(val, ISC_FALSE);
2346 if (result == ISC_R_NOTFOUND) {
2347 validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
2349 return (ISC_R_SUCCESS);
2351 if (result != ISC_R_SUCCESS) {
2352 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2353 dns_result_totext(result));
2356 dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
2358 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
2359 dlv_validator_start(val);
2360 return (DNS_R_WAIT);
2364 * Continue the DLV lookup process.
2368 * \li ISC_R_NOTFOUND
2370 * \li Others on validation failure.
2373 finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
2374 char namebuf[DNS_NAME_FORMATSIZE];
2375 dns_fixedname_t dlvfixed;
2376 dns_name_t *dlvname;
2379 isc_result_t result;
2380 unsigned int labels;
2382 INSIST(val->view->dlv != NULL);
2386 if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
2387 validator_log(val, ISC_LOG_WARNING,
2388 "must be secure failure");
2389 return (DNS_R_MUSTBESECURE);
2392 dns_fixedname_init(&val->dlvsep);
2393 dlvsep = dns_fixedname_name(&val->dlvsep);
2394 dns_name_copy(val->event->name, dlvsep, NULL);
2396 * If this is a response to a DS query, we need to look in
2397 * the parent zone for the trust anchor.
2399 if (val->event->type == dns_rdatatype_ds) {
2400 labels = dns_name_countlabels(dlvsep);
2402 return (ISC_R_NOTFOUND);
2403 dns_name_getlabelsequence(dlvsep, 1, labels - 1,
2407 dlvsep = dns_fixedname_name(&val->dlvsep);
2408 labels = dns_name_countlabels(dlvsep);
2409 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2411 dns_name_init(&noroot, NULL);
2412 dns_fixedname_init(&dlvfixed);
2413 dlvname = dns_fixedname_name(&dlvfixed);
2414 labels = dns_name_countlabels(dlvsep);
2416 return (ISC_R_NOTFOUND);
2417 dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot);
2418 result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL);
2419 while (result == ISC_R_NOSPACE) {
2420 labels = dns_name_countlabels(dlvsep);
2421 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2422 dns_name_getlabelsequence(dlvsep, 0, labels - 2, &noroot);
2423 result = dns_name_concatenate(&noroot, val->view->dlv,
2426 if (result != ISC_R_SUCCESS) {
2427 validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed");
2428 return (DNS_R_NOVALIDSIG);
2431 while (dns_name_countlabels(dlvname) >=
2432 dns_name_countlabels(val->view->dlv) + val->dlvlabels) {
2433 dns_name_format(dlvname, namebuf, sizeof(namebuf));
2434 validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s",
2436 result = view_find(val, dlvname, dns_rdatatype_dlv);
2437 if (result == ISC_R_SUCCESS) {
2438 if (val->frdataset.trust < dns_trust_secure)
2439 return (DNS_R_NOVALIDSIG);
2440 val->havedlvsep = ISC_TRUE;
2441 dns_rdataset_clone(&val->frdataset, &val->dlv);
2442 return (ISC_R_SUCCESS);
2444 if (result == ISC_R_NOTFOUND) {
2445 result = create_fetch(val, dlvname, dns_rdatatype_dlv,
2446 dlvfetched, "finddlvsep");
2447 if (result != ISC_R_SUCCESS)
2449 return (DNS_R_WAIT);
2451 if (result != DNS_R_NXRRSET &&
2452 result != DNS_R_NXDOMAIN &&
2453 result != DNS_R_NCACHENXRRSET &&
2454 result != DNS_R_NCACHENXDOMAIN)
2457 * Strip first labels from both dlvsep and dlvname.
2459 labels = dns_name_countlabels(dlvsep);
2462 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2463 labels = dns_name_countlabels(dlvname);
2464 dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname);
2466 return (ISC_R_NOTFOUND);
2470 * proveunsecure walks down from the SEP looking for a break in the
2471 * chain of trust. That occurs when we can prove the DS record does
2472 * not exist at a delegation point or the DS exists at a delegation
2473 * but we don't support the algorithm/digest.
2475 * If DLV is active and we look for a DLV record at or below the
2476 * point we go insecure. If found we restart the validation process.
2477 * If not found or DLV isn't active we mark the response as a answer.
2480 * \li ISC_R_SUCCESS val->event->name is in a unsecure zone
2481 * \li DNS_R_WAIT validation is in progress.
2482 * \li DNS_R_MUSTBESECURE val->event->name is supposed to be secure
2483 * (policy) but we proved that it is unsecure.
2484 * \li DNS_R_NOVALIDSIG
2485 * \li DNS_R_NOVALIDNSEC
2486 * \li DNS_R_NOTINSECURE
2489 proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
2490 isc_result_t result;
2491 dns_fixedname_t fixedsecroot;
2492 dns_name_t *secroot;
2494 char namebuf[DNS_NAME_FORMATSIZE];
2496 dns_fixedname_init(&fixedsecroot);
2497 secroot = dns_fixedname_name(&fixedsecroot);
2498 if (val->havedlvsep)
2499 dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
2501 dns_name_copy(val->event->name, secroot, NULL);
2503 * If this is a response to a DS query, we need to look in
2504 * the parent zone for the trust anchor.
2506 if (val->event->type == dns_rdatatype_ds &&
2507 dns_name_countlabels(secroot) > 1U)
2508 dns_name_split(secroot, 1, NULL, secroot);
2509 result = dns_keytable_finddeepestmatch(val->keytable,
2512 if (result == ISC_R_NOTFOUND) {
2513 validator_log(val, ISC_LOG_DEBUG(3),
2514 "not beneath secure root");
2515 if (val->mustbesecure) {
2516 validator_log(val, ISC_LOG_WARNING,
2517 "must be secure failure");
2518 result = DNS_R_MUSTBESECURE;
2521 if (val->view->dlv == NULL || DLVTRIED(val)) {
2523 return (ISC_R_SUCCESS);
2525 return (startfinddlvsep(val, dns_rootname));
2526 } else if (result != ISC_R_SUCCESS)
2532 * We are looking for breaks below the SEP so add a label.
2534 val->labels = dns_name_countlabels(secroot) + 1;
2536 validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
2537 if (val->frdataset.trust >= dns_trust_secure &&
2538 !check_ds(val, dns_fixedname_name(&val->fname),
2540 dns_name_format(dns_fixedname_name(&val->fname),
2541 namebuf, sizeof(namebuf));
2542 if (val->mustbesecure) {
2543 validator_log(val, ISC_LOG_WARNING,
2544 "must be secure failure at '%s'",
2546 result = DNS_R_MUSTBESECURE;
2549 validator_log(val, ISC_LOG_DEBUG(3),
2550 "no supported algorithm/digest (%s/DS)",
2552 if (val->view->dlv == NULL || DLVTRIED(val)) {
2554 result = ISC_R_SUCCESS;
2557 result = startfinddlvsep(val,
2558 dns_fixedname_name(&val->fname));
2565 val->labels <= dns_name_countlabels(val->event->name);
2569 dns_fixedname_init(&val->fname);
2570 tname = dns_fixedname_name(&val->fname);
2571 if (val->labels == dns_name_countlabels(val->event->name))
2572 dns_name_copy(val->event->name, tname, NULL);
2574 dns_name_split(val->event->name, val->labels,
2577 dns_name_format(tname, namebuf, sizeof(namebuf));
2578 validator_log(val, ISC_LOG_DEBUG(3),
2579 "checking existence of DS at '%s'",
2582 result = view_find(val, tname, dns_rdatatype_ds);
2584 if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
2586 * There is no DS. If this is a delegation,
2589 if (val->frdataset.trust == dns_trust_pending) {
2590 result = create_fetch(val, tname,
2594 if (result != ISC_R_SUCCESS)
2596 return (DNS_R_WAIT);
2598 if (val->frdataset.trust < dns_trust_secure) {
2600 * This shouldn't happen, since the negative
2601 * response should have been validated. Since
2602 * there's no way of validating existing
2603 * negative response blobs, give up.
2605 result = DNS_R_NOVALIDSIG;
2608 if (isdelegation(tname, &val->frdataset, result)) {
2609 if (val->mustbesecure) {
2610 validator_log(val, ISC_LOG_WARNING,
2611 "must be secure failure");
2612 return (DNS_R_MUSTBESECURE);
2614 if (val->view->dlv == NULL || DLVTRIED(val)) {
2616 return (ISC_R_SUCCESS);
2618 return (startfinddlvsep(val, tname));
2621 } else if (result == ISC_R_SUCCESS) {
2623 * There is a DS here. Verify that it's secure and
2626 if (val->frdataset.trust >= dns_trust_secure) {
2627 if (!check_ds(val, tname, &val->frdataset)) {
2628 validator_log(val, ISC_LOG_DEBUG(3),
2629 "no supported algorithm/"
2630 "digest (%s/DS)", namebuf);
2631 if (val->mustbesecure) {
2634 "must be secure failure");
2635 result = DNS_R_MUSTBESECURE;
2638 if (val->view->dlv == NULL ||
2641 result = ISC_R_SUCCESS;
2644 result = startfinddlvsep(val, tname);
2649 else if (!dns_rdataset_isassociated(&val->fsigrdataset))
2651 result = DNS_R_NOVALIDSIG;
2654 result = create_validator(val, tname, dns_rdatatype_ds,
2659 if (result != ISC_R_SUCCESS)
2661 return (DNS_R_WAIT);
2662 } else if (result == DNS_R_NXDOMAIN ||
2663 result == DNS_R_NCACHENXDOMAIN) {
2665 * This is not a zone cut. Assuming things are
2666 * as expected, continue.
2668 if (!dns_rdataset_isassociated(&val->frdataset)) {
2670 * There should be an NSEC here, since we
2671 * are still in a secure zone.
2673 result = DNS_R_NOVALIDNSEC;
2675 } else if (val->frdataset.trust < dns_trust_secure) {
2677 * This shouldn't happen, since the negative
2678 * response should have been validated. Since
2679 * there's no way of validating existing
2680 * negative response blobs, give up.
2682 result = DNS_R_NOVALIDSIG;
2686 } else if (result == ISC_R_NOTFOUND) {
2688 * We don't know anything about the DS. Find it.
2690 result = create_fetch(val, tname, dns_rdatatype_ds,
2691 dsfetched2, "proveunsecure");
2692 if (result != ISC_R_SUCCESS)
2694 return (DNS_R_WAIT);
2697 validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
2698 return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
2701 if (dns_rdataset_isassociated(&val->frdataset))
2702 dns_rdataset_disassociate(&val->frdataset);
2703 if (dns_rdataset_isassociated(&val->fsigrdataset))
2704 dns_rdataset_disassociate(&val->fsigrdataset);
2709 * Reset state and revalidate the answer using DLV.
2712 dlv_validator_start(dns_validator_t *val) {
2715 validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start");
2718 * Reset state and try again.
2720 val->attributes &= VALATTR_DLVTRIED;
2721 val->options &= ~DNS_VALIDATOR_DLV;
2723 event = (isc_event_t *)val->event;
2724 isc_task_send(val->task, &event);
2728 * Start the validation process.
2730 * Attempt to valididate the answer based on the category it appears to
2732 * \li 1. secure positive answer.
2733 * \li 2. unsecure positive answer.
2734 * \li 3. a negative answer (secure or unsecure).
2736 * Note a answer that appears to be a secure positive answer may actually
2737 * be a unsecure positive answer.
2740 validator_start(isc_task_t *task, isc_event_t *event) {
2741 dns_validator_t *val;
2742 dns_validatorevent_t *vevent;
2743 isc_boolean_t want_destroy = ISC_FALSE;
2744 isc_result_t result = ISC_R_FAILURE;
2747 REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
2748 vevent = (dns_validatorevent_t *)event;
2749 val = vevent->validator;
2751 /* If the validator has been cancelled, val->event == NULL */
2752 if (val->event == NULL)
2756 validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV");
2758 validator_log(val, ISC_LOG_DEBUG(3), "starting");
2762 if ((val->options & DNS_VALIDATOR_DLV) != 0 &&
2763 val->event->rdataset != NULL) {
2764 validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
2765 result = startfinddlvsep(val, dns_rootname);
2766 } else if (val->event->rdataset != NULL &&
2767 val->event->sigrdataset != NULL) {
2768 isc_result_t saved_result;
2771 * This looks like a simple validation. We say "looks like"
2772 * because it might end up requiring an insecurity proof.
2774 validator_log(val, ISC_LOG_DEBUG(3),
2775 "attempting positive response validation");
2777 INSIST(dns_rdataset_isassociated(val->event->rdataset));
2778 INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
2779 result = start_positive_validation(val);
2780 if (result == DNS_R_NOVALIDSIG &&
2781 (val->attributes & VALATTR_TRIEDVERIFY) == 0)
2783 saved_result = result;
2784 validator_log(val, ISC_LOG_DEBUG(3),
2785 "falling back to insecurity proof");
2786 val->attributes |= VALATTR_INSECURITY;
2787 result = proveunsecure(val, ISC_FALSE);
2788 if (result == DNS_R_NOTINSECURE)
2789 result = saved_result;
2791 } else if (val->event->rdataset != NULL) {
2793 * This is either an unsecure subdomain or a response from
2796 INSIST(dns_rdataset_isassociated(val->event->rdataset));
2797 validator_log(val, ISC_LOG_DEBUG(3),
2798 "attempting insecurity proof");
2800 val->attributes |= VALATTR_INSECURITY;
2801 result = proveunsecure(val, ISC_FALSE);
2802 } else if (val->event->rdataset == NULL &&
2803 val->event->sigrdataset == NULL)
2806 * This is a nonexistence validation.
2808 validator_log(val, ISC_LOG_DEBUG(3),
2809 "attempting negative response validation");
2811 if (val->event->message->rcode == dns_rcode_nxdomain) {
2812 val->attributes |= VALATTR_NEEDNOQNAME;
2813 val->attributes |= VALATTR_NEEDNOWILDCARD;
2815 val->attributes |= VALATTR_NEEDNODATA;
2816 result = nsecvalidate(val, ISC_FALSE);
2819 * This shouldn't happen.
2824 if (result != DNS_R_WAIT) {
2825 want_destroy = exit_check(val);
2826 validator_done(val, result);
2835 dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
2836 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
2837 dns_message_t *message, unsigned int options,
2838 isc_task_t *task, isc_taskaction_t action, void *arg,
2839 dns_validator_t **validatorp)
2841 isc_result_t result;
2842 dns_validator_t *val;
2844 dns_validatorevent_t *event;
2846 REQUIRE(name != NULL);
2847 REQUIRE(rdataset != NULL ||
2848 (rdataset == NULL && sigrdataset == NULL && message != NULL));
2849 REQUIRE(validatorp != NULL && *validatorp == NULL);
2852 result = ISC_R_FAILURE;
2854 val = isc_mem_get(view->mctx, sizeof(*val));
2856 return (ISC_R_NOMEMORY);
2858 dns_view_weakattach(view, &val->view);
2859 event = (dns_validatorevent_t *)
2860 isc_event_allocate(view->mctx, task,
2861 DNS_EVENT_VALIDATORSTART,
2862 validator_start, NULL,
2863 sizeof(dns_validatorevent_t));
2864 if (event == NULL) {
2865 result = ISC_R_NOMEMORY;
2868 isc_task_attach(task, &tclone);
2869 event->validator = val;
2870 event->result = ISC_R_FAILURE;
2873 event->rdataset = rdataset;
2874 event->sigrdataset = sigrdataset;
2875 event->message = message;
2876 memset(event->proofs, 0, sizeof(event->proofs));
2877 result = isc_mutex_init(&val->lock);
2878 if (result != ISC_R_SUCCESS)
2881 val->options = options;
2882 val->attributes = 0;
2884 val->subvalidator = NULL;
2886 val->keytable = NULL;
2887 dns_keytable_attach(val->view->secroots, &val->keytable);
2888 val->keynode = NULL;
2890 val->siginfo = NULL;
2892 val->action = action;
2895 val->currentset = NULL;
2898 dns_rdataset_init(&val->dlv);
2899 val->seensig = ISC_FALSE;
2900 val->havedlvsep = ISC_FALSE;
2902 val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
2903 dns_rdataset_init(&val->frdataset);
2904 dns_rdataset_init(&val->fsigrdataset);
2905 dns_fixedname_init(&val->wild);
2906 ISC_LINK_INIT(val, link);
2907 val->magic = VALIDATOR_MAGIC;
2909 if ((options & DNS_VALIDATOR_DEFER) == 0)
2910 isc_task_send(task, ISC_EVENT_PTR(&event));
2914 return (ISC_R_SUCCESS);
2917 isc_task_detach(&tclone);
2918 isc_event_free(ISC_EVENT_PTR(&event));
2921 dns_view_weakdetach(&val->view);
2922 isc_mem_put(view->mctx, val, sizeof(*val));
2928 dns_validator_send(dns_validator_t *validator) {
2930 REQUIRE(VALID_VALIDATOR(validator));
2932 LOCK(&validator->lock);
2934 INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
2935 event = (isc_event_t *)validator->event;
2936 validator->options &= ~DNS_VALIDATOR_DEFER;
2937 UNLOCK(&validator->lock);
2939 isc_task_send(validator->task, ISC_EVENT_PTR(&event));
2943 dns_validator_cancel(dns_validator_t *validator) {
2944 REQUIRE(VALID_VALIDATOR(validator));
2946 LOCK(&validator->lock);
2948 validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
2950 if (validator->event != NULL) {
2951 if (validator->fetch != NULL)
2952 dns_resolver_cancelfetch(validator->fetch);
2954 if (validator->subvalidator != NULL)
2955 dns_validator_cancel(validator->subvalidator);
2956 if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
2957 isc_task_t *task = validator->event->ev_sender;
2958 validator->options &= ~DNS_VALIDATOR_DEFER;
2959 isc_event_free((isc_event_t **)&validator->event);
2960 isc_task_detach(&task);
2962 validator->attributes |= VALATTR_CANCELED;
2964 UNLOCK(&validator->lock);
2968 destroy(dns_validator_t *val) {
2971 REQUIRE(SHUTDOWN(val));
2972 REQUIRE(val->event == NULL);
2973 REQUIRE(val->fetch == NULL);
2975 if (val->keynode != NULL)
2976 dns_keytable_detachkeynode(val->keytable, &val->keynode);
2977 else if (val->key != NULL)
2978 dst_key_free(&val->key);
2979 if (val->keytable != NULL)
2980 dns_keytable_detach(&val->keytable);
2981 if (val->subvalidator != NULL)
2982 dns_validator_destroy(&val->subvalidator);
2983 if (val->havedlvsep)
2984 dns_rdataset_disassociate(&val->dlv);
2985 if (dns_rdataset_isassociated(&val->frdataset))
2986 dns_rdataset_disassociate(&val->frdataset);
2987 if (dns_rdataset_isassociated(&val->fsigrdataset))
2988 dns_rdataset_disassociate(&val->fsigrdataset);
2989 mctx = val->view->mctx;
2990 if (val->siginfo != NULL)
2991 isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
2992 DESTROYLOCK(&val->lock);
2993 dns_view_weakdetach(&val->view);
2995 isc_mem_put(mctx, val, sizeof(*val));
2999 dns_validator_destroy(dns_validator_t **validatorp) {
3000 dns_validator_t *val;
3001 isc_boolean_t want_destroy = ISC_FALSE;
3003 REQUIRE(validatorp != NULL);
3005 REQUIRE(VALID_VALIDATOR(val));
3009 val->attributes |= VALATTR_SHUTDOWN;
3010 validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
3012 want_destroy = exit_check(val);
3023 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
3024 isc_logmodule_t *module, int level, const char *fmt, va_list ap)
3027 static const char spaces[] = " *";
3028 int depth = val->depth * 2;
3030 vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
3032 if ((unsigned int) depth >= sizeof spaces)
3033 depth = sizeof spaces - 1;
3035 if (val->event != NULL && val->event->name != NULL) {
3036 char namebuf[DNS_NAME_FORMATSIZE];
3037 char typebuf[DNS_RDATATYPE_FORMATSIZE];
3039 dns_name_format(val->event->name, namebuf, sizeof(namebuf));
3040 dns_rdatatype_format(val->event->type, typebuf,
3042 isc_log_write(dns_lctx, category, module, level,
3043 "%.*svalidating @%p: %s %s: %s", depth, spaces,
3044 val, namebuf, typebuf, msgbuf);
3046 isc_log_write(dns_lctx, category, module, level,
3047 "%.*svalidator @%p: %s", depth, spaces,
3053 validator_log(dns_validator_t *val, int level, const char *fmt, ...) {
3056 if (! isc_log_wouldlog(dns_lctx, level))
3061 validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
3062 DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
3067 validator_logcreate(dns_validator_t *val,
3068 dns_name_t *name, dns_rdatatype_t type,
3069 const char *caller, const char *operation)
3071 char namestr[DNS_NAME_FORMATSIZE];
3072 char typestr[DNS_RDATATYPE_FORMATSIZE];
3074 dns_name_format(name, namestr, sizeof(namestr));
3075 dns_rdatatype_format(type, typestr, sizeof(typestr));
3076 validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",
3077 caller, operation, namestr, typestr);