2 * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: validator.c,v 1.119.18.29 2007/01/08 02:41:59 marka Exp $ */
25 #include <isc/print.h>
26 #include <isc/string.h>
32 #include <dns/dnssec.h>
33 #include <dns/events.h>
34 #include <dns/keytable.h>
36 #include <dns/message.h>
37 #include <dns/ncache.h>
39 #include <dns/rdata.h>
40 #include <dns/rdatastruct.h>
41 #include <dns/rdataset.h>
42 #include <dns/rdatatype.h>
43 #include <dns/resolver.h>
44 #include <dns/result.h>
45 #include <dns/validator.h>
50 * Basic processing sequences.
52 * \li When called with rdataset and sigrdataset:
53 * validator_start -> validate -> proveunsecure -> startfinddlvsep ->
54 * dlv_validator_start -> validator_start -> validate -> proveunsecure
56 * validator_start -> validate -> nsecvalidate (secure wildcard answer)
58 * \li When called with rdataset, sigrdataset and with DNS_VALIDATOR_DLV:
59 * validator_start -> startfinddlvsep -> dlv_validator_start ->
60 * validator_start -> validate -> proveunsecure
62 * \li When called with rdataset:
63 * validator_start -> proveunsecure -> startfinddlvsep ->
64 * dlv_validator_start -> validator_start -> proveunsecure
66 * \li When called with rdataset and with DNS_VALIDATOR_DLV:
67 * validator_start -> startfinddlvsep -> dlv_validator_start ->
68 * validator_start -> proveunsecure
70 * \li When called without a rdataset:
71 * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
72 * dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
74 * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate()
75 * to always validate the authority section even when it does not contain
78 * validator_start: determines what type of validation to do.
79 * validate: attempts to perform a positive validation.
80 * proveunsecure: attempts to prove the answer comes from a unsecure zone.
81 * nsecvalidate: attempts to prove a negative response.
82 * startfinddlvsep: starts the DLV record lookup.
83 * dlv_validator_start: resets state and restarts the lookup using the
84 * DLV RRset found by startfinddlvsep.
87 #define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?')
88 #define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
90 #define VALATTR_SHUTDOWN 0x0001 /*%< Shutting down. */
91 #define VALATTR_TRIEDVERIFY 0x0004 /*%< We have found a key and
92 * have attempted a verify. */
93 #define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */
94 #define VALATTR_DLVTRIED 0x0020 /*%< Looked for a DLV record. */
97 * NSEC proofs to be looked for.
99 #define VALATTR_NEEDNOQNAME 0x0100
100 #define VALATTR_NEEDNOWILDCARD 0x0200
101 #define VALATTR_NEEDNODATA 0x0400
104 * NSEC proofs that have been found.
106 #define VALATTR_FOUNDNOQNAME 0x1000
107 #define VALATTR_FOUNDNOWILDCARD 0x2000
108 #define VALATTR_FOUNDNODATA 0x4000
110 #define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
111 #define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
112 #define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
113 #define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
115 #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
118 destroy(dns_validator_t *val);
121 get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
122 dns_rdataset_t *rdataset);
125 validate(dns_validator_t *val, isc_boolean_t resume);
128 validatezonekey(dns_validator_t *val);
131 nsecvalidate(dns_validator_t *val, isc_boolean_t resume);
134 proveunsecure(dns_validator_t *val, isc_boolean_t resume);
137 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
138 isc_logmodule_t *module, int level, const char *fmt, va_list ap)
139 ISC_FORMAT_PRINTF(5, 0);
142 validator_log(dns_validator_t *val, int level, const char *fmt, ...)
143 ISC_FORMAT_PRINTF(3, 4);
146 validator_logcreate(dns_validator_t *val,
147 dns_name_t *name, dns_rdatatype_t type,
148 const char *caller, const char *operation);
151 dlv_validatezonekey(dns_validator_t *val);
154 dlv_validator_start(dns_validator_t *val);
157 finddlvsep(dns_validator_t *val, isc_boolean_t resume);
160 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
163 * Mark the RRsets as a answer.
166 markanswer(dns_validator_t *val) {
167 validator_log(val, ISC_LOG_DEBUG(3), "marking as answer");
168 if (val->event->rdataset != NULL)
169 val->event->rdataset->trust = dns_trust_answer;
170 if (val->event->sigrdataset != NULL)
171 val->event->sigrdataset->trust = dns_trust_answer;
175 validator_done(dns_validator_t *val, isc_result_t result) {
178 if (val->event == NULL)
182 * Caller must be holding the lock.
185 val->event->result = result;
186 task = val->event->ev_sender;
187 val->event->ev_sender = val;
188 val->event->ev_type = DNS_EVENT_VALIDATORDONE;
189 val->event->ev_action = val->action;
190 val->event->ev_arg = val->arg;
191 isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
194 static inline isc_boolean_t
195 exit_check(dns_validator_t *val) {
197 * Caller must be holding the lock.
202 INSIST(val->event == NULL);
204 if (val->fetch != NULL || val->subvalidator != NULL)
211 * Look in the NSEC record returned from a DS query to see if there is
212 * a NS RRset at this name. If it is found we are at a delegation point.
215 isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
216 isc_result_t dbresult)
219 dns_rdata_t rdata = DNS_RDATA_INIT;
223 REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
225 dns_rdataset_init(&set);
226 if (dbresult == DNS_R_NXRRSET)
227 dns_rdataset_clone(rdataset, &set);
229 result = dns_ncache_getrdataset(rdataset, name,
230 dns_rdatatype_nsec, &set);
231 if (result != ISC_R_SUCCESS)
235 INSIST(set.type == dns_rdatatype_nsec);
238 result = dns_rdataset_first(&set);
239 if (result == ISC_R_SUCCESS) {
240 dns_rdataset_current(&set, &rdata);
241 found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
243 dns_rdataset_disassociate(&set);
248 * We have been asked to to look for a key.
249 * If found resume the validation process.
250 * If not found fail the validation process.
253 fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
254 dns_fetchevent_t *devent;
255 dns_validator_t *val;
256 dns_rdataset_t *rdataset;
257 isc_boolean_t want_destroy;
259 isc_result_t eresult;
262 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
263 devent = (dns_fetchevent_t *)event;
264 val = devent->ev_arg;
265 rdataset = &val->frdataset;
266 eresult = devent->result;
268 /* Free resources which are not of interest. */
269 if (devent->node != NULL)
270 dns_db_detachnode(devent->db, &devent->node);
271 if (devent->db != NULL)
272 dns_db_detach(&devent->db);
273 if (dns_rdataset_isassociated(&val->fsigrdataset))
274 dns_rdataset_disassociate(&val->fsigrdataset);
275 isc_event_free(&event);
276 dns_resolver_destroyfetch(&val->fetch);
278 INSIST(val->event != NULL);
280 validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
282 if (eresult == ISC_R_SUCCESS) {
283 validator_log(val, ISC_LOG_DEBUG(3),
284 "keyset with trust %d", rdataset->trust);
286 * Only extract the dst key if the keyset is secure.
288 if (rdataset->trust >= dns_trust_secure) {
289 result = get_dst_key(val, val->siginfo, rdataset);
290 if (result == ISC_R_SUCCESS)
291 val->keyset = &val->frdataset;
293 result = validate(val, ISC_TRUE);
294 if (result != DNS_R_WAIT)
295 validator_done(val, result);
297 validator_log(val, ISC_LOG_DEBUG(3),
298 "fetch_callback_validator: got %s",
299 isc_result_totext(eresult));
300 if (eresult == ISC_R_CANCELED)
301 validator_done(val, eresult);
303 validator_done(val, DNS_R_NOVALIDKEY);
305 want_destroy = exit_check(val);
312 * We were asked to look for a DS record as part of following a key chain
313 * upwards. If found resume the validation process. If not found fail the
314 * validation process.
317 dsfetched(isc_task_t *task, isc_event_t *event) {
318 dns_fetchevent_t *devent;
319 dns_validator_t *val;
320 dns_rdataset_t *rdataset;
321 isc_boolean_t want_destroy;
323 isc_result_t eresult;
326 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
327 devent = (dns_fetchevent_t *)event;
328 val = devent->ev_arg;
329 rdataset = &val->frdataset;
330 eresult = devent->result;
332 /* Free resources which are not of interest. */
333 if (devent->node != NULL)
334 dns_db_detachnode(devent->db, &devent->node);
335 if (devent->db != NULL)
336 dns_db_detach(&devent->db);
337 if (dns_rdataset_isassociated(&val->fsigrdataset))
338 dns_rdataset_disassociate(&val->fsigrdataset);
339 isc_event_free(&event);
340 dns_resolver_destroyfetch(&val->fetch);
342 INSIST(val->event != NULL);
344 validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched");
346 if (eresult == ISC_R_SUCCESS) {
347 validator_log(val, ISC_LOG_DEBUG(3),
348 "dsset with trust %d", rdataset->trust);
349 val->dsset = &val->frdataset;
350 result = validatezonekey(val);
351 if (result != DNS_R_WAIT)
352 validator_done(val, result);
353 } else if (eresult == DNS_R_NXRRSET ||
354 eresult == DNS_R_NCACHENXRRSET)
356 validator_log(val, ISC_LOG_DEBUG(3),
357 "falling back to insecurity proof");
358 val->attributes |= VALATTR_INSECURITY;
359 result = proveunsecure(val, ISC_FALSE);
360 if (result != DNS_R_WAIT)
361 validator_done(val, result);
363 validator_log(val, ISC_LOG_DEBUG(3),
365 isc_result_totext(eresult));
366 if (eresult == ISC_R_CANCELED)
367 validator_done(val, eresult);
369 validator_done(val, DNS_R_NOVALIDDS);
371 want_destroy = exit_check(val);
378 * We were asked to look for the DS record as part of proving that a
381 * If the DS record doesn't exist and the query name corresponds to
382 * a delegation point we are transitioning from a secure zone to a
385 * If the DS record exists it will be secure. We can continue looking
386 * for the break point in the chain of trust.
389 dsfetched2(isc_task_t *task, isc_event_t *event) {
390 dns_fetchevent_t *devent;
391 dns_validator_t *val;
393 isc_boolean_t want_destroy;
395 isc_result_t eresult;
398 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
399 devent = (dns_fetchevent_t *)event;
400 val = devent->ev_arg;
401 eresult = devent->result;
403 /* Free resources which are not of interest. */
404 if (devent->node != NULL)
405 dns_db_detachnode(devent->db, &devent->node);
406 if (devent->db != NULL)
407 dns_db_detach(&devent->db);
408 if (dns_rdataset_isassociated(&val->fsigrdataset))
409 dns_rdataset_disassociate(&val->fsigrdataset);
410 dns_resolver_destroyfetch(&val->fetch);
412 INSIST(val->event != NULL);
414 validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2: %s",
415 dns_result_totext(eresult));
417 if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) {
419 * There is no DS. If this is a delegation, we're done.
421 tname = dns_fixedname_name(&devent->foundname);
422 if (isdelegation(tname, &val->frdataset, eresult)) {
423 if (val->mustbesecure) {
424 validator_log(val, ISC_LOG_WARNING,
425 "must be secure failure");
426 validator_done(val, DNS_R_MUSTBESECURE);
427 } else if (val->view->dlv == NULL || DLVTRIED(val)) {
429 validator_done(val, ISC_R_SUCCESS);
431 result = startfinddlvsep(val, tname);
432 if (result != DNS_R_WAIT)
433 validator_done(val, result);
436 result = proveunsecure(val, ISC_TRUE);
437 if (result != DNS_R_WAIT)
438 validator_done(val, result);
440 } else if (eresult == ISC_R_SUCCESS ||
441 eresult == DNS_R_NXDOMAIN ||
442 eresult == DNS_R_NCACHENXDOMAIN)
445 * There is a DS which may or may not be a zone cut.
446 * In either case we are still in a secure zone resume
449 result = proveunsecure(val, ISC_TRUE);
450 if (result != DNS_R_WAIT)
451 validator_done(val, result);
453 if (eresult == ISC_R_CANCELED)
454 validator_done(val, eresult);
456 validator_done(val, DNS_R_NOVALIDDS);
458 isc_event_free(&event);
459 want_destroy = exit_check(val);
466 * Callback from when a DNSKEY RRset has been validated.
468 * Resumes the stalled validation process.
471 keyvalidated(isc_task_t *task, isc_event_t *event) {
472 dns_validatorevent_t *devent;
473 dns_validator_t *val;
474 isc_boolean_t want_destroy;
476 isc_result_t eresult;
479 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
481 devent = (dns_validatorevent_t *)event;
482 val = devent->ev_arg;
483 eresult = devent->result;
485 isc_event_free(&event);
486 dns_validator_destroy(&val->subvalidator);
488 INSIST(val->event != NULL);
490 validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
492 if (eresult == ISC_R_SUCCESS) {
493 validator_log(val, ISC_LOG_DEBUG(3),
494 "keyset with trust %d", val->frdataset.trust);
496 * Only extract the dst key if the keyset is secure.
498 if (val->frdataset.trust >= dns_trust_secure)
499 (void) get_dst_key(val, val->siginfo, &val->frdataset);
500 result = validate(val, ISC_TRUE);
501 if (result != DNS_R_WAIT)
502 validator_done(val, result);
504 validator_log(val, ISC_LOG_DEBUG(3),
505 "keyvalidated: got %s",
506 isc_result_totext(eresult));
507 validator_done(val, eresult);
509 want_destroy = exit_check(val);
516 * Callback when the DS record has been validated.
518 * Resumes validation of the zone key or the unsecure zone proof.
521 dsvalidated(isc_task_t *task, isc_event_t *event) {
522 dns_validatorevent_t *devent;
523 dns_validator_t *val;
524 isc_boolean_t want_destroy;
526 isc_result_t eresult;
529 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
531 devent = (dns_validatorevent_t *)event;
532 val = devent->ev_arg;
533 eresult = devent->result;
535 isc_event_free(&event);
536 dns_validator_destroy(&val->subvalidator);
538 INSIST(val->event != NULL);
540 validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
542 if (eresult == ISC_R_SUCCESS) {
543 validator_log(val, ISC_LOG_DEBUG(3),
544 "dsset with trust %d", val->frdataset.trust);
545 if ((val->attributes & VALATTR_INSECURITY) != 0)
546 result = proveunsecure(val, ISC_TRUE);
548 result = validatezonekey(val);
549 if (result != DNS_R_WAIT)
550 validator_done(val, result);
552 validator_log(val, ISC_LOG_DEBUG(3),
553 "dsvalidated: got %s",
554 isc_result_totext(eresult));
555 validator_done(val, eresult);
557 want_destroy = exit_check(val);
564 * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
565 * or we can determine whether there is data or not at the name.
566 * If the name does not exist return the wildcard name.
568 * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
571 nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
572 dns_rdataset_t *nsecset, isc_boolean_t *exists,
573 isc_boolean_t *data, dns_name_t *wild)
576 dns_rdata_t rdata = DNS_RDATA_INIT;
578 dns_namereln_t relation;
579 unsigned int olabels, nlabels, labels;
580 dns_rdata_nsec_t nsec;
581 isc_boolean_t atparent;
585 REQUIRE(exists != NULL);
586 REQUIRE(data != NULL);
587 REQUIRE(nsecset != NULL &&
588 nsecset->type == dns_rdatatype_nsec);
590 result = dns_rdataset_first(nsecset);
591 if (result != ISC_R_SUCCESS) {
592 validator_log(val, ISC_LOG_DEBUG(3),
593 "failure processing NSEC set");
596 dns_rdataset_current(nsecset, &rdata);
598 validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant nsec");
599 relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
603 * The name is not within the NSEC range.
605 validator_log(val, ISC_LOG_DEBUG(3),
606 "NSEC does not cover name, before NSEC");
607 return (ISC_R_IGNORE);
612 * The names are the same.
614 atparent = dns_rdatatype_atparent(val->event->type);
615 ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
616 soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
620 * This NSEC record is from somewhere higher in
621 * the DNS, and at the parent of a delegation.
622 * It can not be legitimately used here.
624 validator_log(val, ISC_LOG_DEBUG(3),
625 "ignoring parent nsec");
626 return (ISC_R_IGNORE);
628 } else if (atparent && ns && soa) {
630 * This NSEC record is from the child.
631 * It can not be legitimately used here.
633 validator_log(val, ISC_LOG_DEBUG(3),
634 "ignoring child nsec");
635 return (ISC_R_IGNORE);
637 if (val->event->type == dns_rdatatype_cname ||
638 val->event->type == dns_rdatatype_nxt ||
639 val->event->type == dns_rdatatype_nsec ||
640 val->event->type == dns_rdatatype_key ||
641 !dns_nsec_typepresent(&rdata, dns_rdatatype_cname)) {
643 *data = dns_nsec_typepresent(&rdata, val->event->type);
644 validator_log(val, ISC_LOG_DEBUG(3),
645 "nsec proves name exists (owner) data=%d",
647 return (ISC_R_SUCCESS);
649 validator_log(val, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
650 return (ISC_R_IGNORE);
653 if (relation == dns_namereln_subdomain &&
654 dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
655 !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
658 * This NSEC record is from somewhere higher in
659 * the DNS, and at the parent of a delegation.
660 * It can not be legitimately used here.
662 validator_log(val, ISC_LOG_DEBUG(3), "ignoring parent nsec");
663 return (ISC_R_IGNORE);
666 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
667 if (result != ISC_R_SUCCESS)
669 relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
671 dns_rdata_freestruct(&nsec);
672 validator_log(val, ISC_LOG_DEBUG(3),
673 "ignoring nsec matches next name");
674 return (ISC_R_IGNORE);
677 if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
679 * The name is not within the NSEC range.
681 dns_rdata_freestruct(&nsec);
682 validator_log(val, ISC_LOG_DEBUG(3),
683 "ignoring nsec because name is past end of range");
684 return (ISC_R_IGNORE);
687 if (order > 0 && relation == dns_namereln_subdomain) {
688 validator_log(val, ISC_LOG_DEBUG(3),
689 "nsec proves name exist (empty)");
690 dns_rdata_freestruct(&nsec);
693 return (ISC_R_SUCCESS);
697 dns_name_init(&common, NULL);
698 if (olabels > nlabels) {
699 labels = dns_name_countlabels(nsecname);
700 dns_name_getlabelsequence(nsecname, labels - olabels,
703 labels = dns_name_countlabels(&nsec.next);
704 dns_name_getlabelsequence(&nsec.next, labels - nlabels,
707 result = dns_name_concatenate(dns_wildcardname, &common,
709 if (result != ISC_R_SUCCESS) {
710 dns_rdata_freestruct(&nsec);
711 validator_log(val, ISC_LOG_DEBUG(3),
712 "failure generating wildcard name");
716 dns_rdata_freestruct(&nsec);
717 validator_log(val, ISC_LOG_DEBUG(3), "nsec range ok");
719 return (ISC_R_SUCCESS);
723 * Callback for when NSEC records have been validated.
725 * Looks for NOQNAME and NODATA proofs.
727 * Resumes nsecvalidate.
730 authvalidated(isc_task_t *task, isc_event_t *event) {
731 dns_validatorevent_t *devent;
732 dns_validator_t *val;
733 dns_rdataset_t *rdataset;
734 isc_boolean_t want_destroy;
736 isc_boolean_t exists, data;
739 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
741 devent = (dns_validatorevent_t *)event;
742 rdataset = devent->rdataset;
743 val = devent->ev_arg;
744 result = devent->result;
745 dns_validator_destroy(&val->subvalidator);
747 INSIST(val->event != NULL);
749 validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
751 if (result != ISC_R_SUCCESS) {
752 validator_log(val, ISC_LOG_DEBUG(3),
753 "authvalidated: got %s",
754 isc_result_totext(result));
755 if (result == ISC_R_CANCELED)
756 validator_done(val, result);
758 result = nsecvalidate(val, ISC_TRUE);
759 if (result != DNS_R_WAIT)
760 validator_done(val, result);
763 dns_name_t **proofs = val->event->proofs;
764 dns_name_t *wild = dns_fixedname_name(&val->wild);
766 if (rdataset->trust == dns_trust_secure)
767 val->seensig = ISC_TRUE;
769 if (rdataset->type == dns_rdatatype_nsec &&
770 rdataset->trust == dns_trust_secure &&
771 ((val->attributes & VALATTR_NEEDNODATA) != 0 ||
772 (val->attributes & VALATTR_NEEDNOQNAME) != 0) &&
773 (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
774 (val->attributes & VALATTR_FOUNDNOQNAME) == 0 &&
775 nsecnoexistnodata(val, val->event->name, devent->name,
776 rdataset, &exists, &data, wild)
779 if (exists && !data) {
780 val->attributes |= VALATTR_FOUNDNODATA;
782 proofs[DNS_VALIDATOR_NODATAPROOF] =
786 val->attributes |= VALATTR_FOUNDNOQNAME;
787 if (NEEDNOQNAME(val))
788 proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
792 result = nsecvalidate(val, ISC_TRUE);
793 if (result != DNS_R_WAIT)
794 validator_done(val, result);
796 want_destroy = exit_check(val);
802 * Free stuff from the event.
804 isc_event_free(&event);
808 * Looks for the requested name and type in the view (zones and cache).
810 * When looking for a DLV record also checks to make sure the NSEC record
811 * returns covers the query name as part of aggressive negative caching.
816 * \li DNS_R_NCACHENXDOMAIN
817 * \li DNS_R_NCACHENXRRSET
821 static inline isc_result_t
822 view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
823 dns_fixedname_t fixedname;
824 dns_name_t *foundname;
825 dns_rdata_nsec_t nsec;
826 dns_rdata_t rdata = DNS_RDATA_INIT;
828 unsigned int options;
829 char buf1[DNS_NAME_FORMATSIZE];
830 char buf2[DNS_NAME_FORMATSIZE];
831 char buf3[DNS_NAME_FORMATSIZE];
833 if (dns_rdataset_isassociated(&val->frdataset))
834 dns_rdataset_disassociate(&val->frdataset);
835 if (dns_rdataset_isassociated(&val->fsigrdataset))
836 dns_rdataset_disassociate(&val->fsigrdataset);
838 if (val->view->zonetable == NULL)
839 return (ISC_R_CANCELED);
841 options = DNS_DBFIND_PENDINGOK;
842 if (type == dns_rdatatype_dlv)
843 options |= DNS_DBFIND_COVERINGNSEC;
844 dns_fixedname_init(&fixedname);
845 foundname = dns_fixedname_name(&fixedname);
846 result = dns_view_find(val->view, name, type, 0, options,
847 ISC_FALSE, NULL, NULL, foundname,
848 &val->frdataset, &val->fsigrdataset);
849 if (result == DNS_R_NXDOMAIN) {
850 if (dns_rdataset_isassociated(&val->frdataset))
851 dns_rdataset_disassociate(&val->frdataset);
852 if (dns_rdataset_isassociated(&val->fsigrdataset))
853 dns_rdataset_disassociate(&val->fsigrdataset);
854 } else if (result == DNS_R_COVERINGNSEC) {
855 validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC");
857 * Check if the returned NSEC covers the name.
859 INSIST(type == dns_rdatatype_dlv);
860 if (val->frdataset.trust != dns_trust_secure) {
861 validator_log(val, ISC_LOG_DEBUG(3),
862 "covering nsec: trust %u",
863 val->frdataset.trust);
866 result = dns_rdataset_first(&val->frdataset);
867 if (result != ISC_R_SUCCESS)
869 dns_rdataset_current(&val->frdataset, &rdata);
870 if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
871 !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) {
872 /* Parent NSEC record. */
873 if (dns_name_issubdomain(name, foundname)) {
874 validator_log(val, ISC_LOG_DEBUG(3),
875 "covering nsec: for parent");
879 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
880 if (result != ISC_R_SUCCESS)
882 if (dns_name_compare(foundname, &nsec.next) >= 0) {
883 /* End of zone chain. */
884 if (!dns_name_issubdomain(name, &nsec.next)) {
886 * XXXMPA We could look for a parent NSEC
887 * at nsec.next and if found retest with
890 dns_rdata_freestruct(&nsec);
891 validator_log(val, ISC_LOG_DEBUG(3),
892 "covering nsec: not in zone");
895 } else if (dns_name_compare(name, &nsec.next) >= 0) {
897 * XXXMPA We could check if this NSEC is at a zone
898 * apex and if the qname is not below it and look for
899 * a parent NSEC with the same name. This requires
900 * that we can cache both NSEC records which we
901 * currently don't support.
903 dns_rdata_freestruct(&nsec);
904 validator_log(val, ISC_LOG_DEBUG(3),
905 "covering nsec: not in range");
908 if (isc_log_wouldlog(dns_lctx,ISC_LOG_DEBUG(3))) {
909 dns_name_format(name, buf1, sizeof buf1);
910 dns_name_format(foundname, buf2, sizeof buf2);
911 dns_name_format(&nsec.next, buf3, sizeof buf3);
912 validator_log(val, ISC_LOG_DEBUG(3),
913 "covering nsec found: '%s' '%s' '%s'",
916 if (dns_rdataset_isassociated(&val->frdataset))
917 dns_rdataset_disassociate(&val->frdataset);
918 if (dns_rdataset_isassociated(&val->fsigrdataset))
919 dns_rdataset_disassociate(&val->fsigrdataset);
920 dns_rdata_freestruct(&nsec);
921 result = DNS_R_NCACHENXDOMAIN;
922 } else if (result != ISC_R_SUCCESS &&
923 result != DNS_R_NCACHENXDOMAIN &&
924 result != DNS_R_NCACHENXRRSET &&
925 result != DNS_R_NXRRSET &&
926 result != ISC_R_NOTFOUND) {
932 if (dns_rdataset_isassociated(&val->frdataset))
933 dns_rdataset_disassociate(&val->frdataset);
934 if (dns_rdataset_isassociated(&val->fsigrdataset))
935 dns_rdataset_disassociate(&val->fsigrdataset);
936 return (ISC_R_NOTFOUND);
940 * Checks to make sure we are not going to loop. As we use a SHARED fetch
941 * the validation process will stall if looping was to occur.
943 static inline isc_boolean_t
944 check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
945 dns_validator_t *parent;
947 for (parent = val; parent != NULL; parent = parent->parent) {
948 if (parent->event != NULL &&
949 parent->event->type == type &&
950 dns_name_equal(parent->event->name, name))
952 validator_log(val, ISC_LOG_DEBUG(3),
953 "continuing validation would lead to "
954 "deadlock: aborting validation");
962 * Start a fetch for the requested name and type.
964 static inline isc_result_t
965 create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
966 isc_taskaction_t callback, const char *caller)
968 if (dns_rdataset_isassociated(&val->frdataset))
969 dns_rdataset_disassociate(&val->frdataset);
970 if (dns_rdataset_isassociated(&val->fsigrdataset))
971 dns_rdataset_disassociate(&val->fsigrdataset);
973 if (check_deadlock(val, name, type))
974 return (DNS_R_NOVALIDSIG);
976 validator_logcreate(val, name, type, caller, "fetch");
977 return (dns_resolver_createfetch(val->view->resolver, name, type,
979 val->event->ev_sender,
987 * Start a subvalidation process.
989 static inline isc_result_t
990 create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
991 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
992 isc_taskaction_t action, const char *caller)
996 if (check_deadlock(val, name, type))
997 return (DNS_R_NOVALIDSIG);
999 validator_logcreate(val, name, type, caller, "validator");
1000 result = dns_validator_create(val->view, name, type,
1001 rdataset, sigrdataset, NULL, 0,
1002 val->task, action, val,
1003 &val->subvalidator);
1004 if (result == ISC_R_SUCCESS) {
1005 val->subvalidator->parent = val;
1006 val->subvalidator->depth = val->depth + 1;
1012 * Try to find a key that could have signed 'siginfo' among those
1013 * in 'rdataset'. If found, build a dst_key_t for it and point
1016 * If val->key is non-NULL, this returns the next matching key.
1019 get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
1020 dns_rdataset_t *rdataset)
1022 isc_result_t result;
1024 dns_rdata_t rdata = DNS_RDATA_INIT;
1025 dst_key_t *oldkey = val->key;
1026 isc_boolean_t foundold;
1029 foundold = ISC_TRUE;
1031 foundold = ISC_FALSE;
1035 result = dns_rdataset_first(rdataset);
1036 if (result != ISC_R_SUCCESS)
1039 dns_rdataset_current(rdataset, &rdata);
1041 isc_buffer_init(&b, rdata.data, rdata.length);
1042 isc_buffer_add(&b, rdata.length);
1043 INSIST(val->key == NULL);
1044 result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
1045 val->view->mctx, &val->key);
1046 if (result != ISC_R_SUCCESS)
1048 if (siginfo->algorithm ==
1049 (dns_secalg_t)dst_key_alg(val->key) &&
1051 (dns_keytag_t)dst_key_id(val->key) &&
1052 dst_key_iszonekey(val->key))
1056 * This is the key we're looking for.
1058 return (ISC_R_SUCCESS);
1059 else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
1061 foundold = ISC_TRUE;
1062 dst_key_free(&oldkey);
1065 dst_key_free(&val->key);
1066 dns_rdata_reset(&rdata);
1067 result = dns_rdataset_next(rdataset);
1068 } while (result == ISC_R_SUCCESS);
1069 if (result == ISC_R_NOMORE)
1070 result = ISC_R_NOTFOUND;
1074 dst_key_free(&oldkey);
1080 * Get the key that genertated this signature.
1083 get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
1084 isc_result_t result;
1085 unsigned int nlabels;
1087 dns_namereln_t namereln;
1090 * Is the signer name appropriate for this signature?
1092 * The signer name must be at the same level as the owner name
1093 * or closer to the the DNS root.
1095 namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
1097 if (namereln != dns_namereln_subdomain &&
1098 namereln != dns_namereln_equal)
1099 return (DNS_R_CONTINUE);
1101 if (namereln == dns_namereln_equal) {
1103 * If this is a self-signed keyset, it must not be a zone key
1104 * (since get_key is not called from validatezonekey).
1106 if (val->event->rdataset->type == dns_rdatatype_dnskey)
1107 return (DNS_R_CONTINUE);
1110 * Records appearing in the parent zone at delegation
1111 * points cannot be self-signed.
1113 if (dns_rdatatype_atparent(val->event->rdataset->type))
1114 return (DNS_R_CONTINUE);
1118 * Do we know about this key?
1120 result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
1121 if (result == ISC_R_SUCCESS) {
1123 * We have an rrset for the given keyname.
1125 val->keyset = &val->frdataset;
1126 if (val->frdataset.trust == dns_trust_pending &&
1127 dns_rdataset_isassociated(&val->fsigrdataset))
1130 * We know the key but haven't validated it yet.
1132 result = create_validator(val, &siginfo->signer,
1133 dns_rdatatype_dnskey,
1138 if (result != ISC_R_SUCCESS)
1140 return (DNS_R_WAIT);
1141 } else if (val->frdataset.trust == dns_trust_pending) {
1143 * Having a pending key with no signature means that
1144 * something is broken.
1146 result = DNS_R_CONTINUE;
1147 } else if (val->frdataset.trust < dns_trust_secure) {
1149 * The key is legitimately insecure. There's no
1150 * point in even attempting verification.
1153 result = ISC_R_SUCCESS;
1156 * See if we've got the key used in the signature.
1158 validator_log(val, ISC_LOG_DEBUG(3),
1159 "keyset with trust %d",
1160 val->frdataset.trust);
1161 result = get_dst_key(val, siginfo, val->keyset);
1162 if (result != ISC_R_SUCCESS) {
1164 * Either the key we're looking for is not
1165 * in the rrset, or something bad happened.
1168 result = DNS_R_CONTINUE;
1171 } else if (result == ISC_R_NOTFOUND) {
1173 * We don't know anything about this key.
1175 result = create_fetch(val, &siginfo->signer, dns_rdatatype_dnskey,
1176 fetch_callback_validator, "get_key");
1177 if (result != ISC_R_SUCCESS)
1179 return (DNS_R_WAIT);
1180 } else if (result == DNS_R_NCACHENXDOMAIN ||
1181 result == DNS_R_NCACHENXRRSET ||
1182 result == DNS_R_NXDOMAIN ||
1183 result == DNS_R_NXRRSET)
1186 * This key doesn't exist.
1188 result = DNS_R_CONTINUE;
1191 if (dns_rdataset_isassociated(&val->frdataset) &&
1192 val->keyset != &val->frdataset)
1193 dns_rdataset_disassociate(&val->frdataset);
1194 if (dns_rdataset_isassociated(&val->fsigrdataset))
1195 dns_rdataset_disassociate(&val->fsigrdataset);
1201 compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
1204 dns_rdata_toregion(rdata, &r);
1205 return (dst_region_computeid(&r, key->algorithm));
1209 * Is this keyset self-signed?
1211 static isc_boolean_t
1212 isselfsigned(dns_validator_t *val) {
1213 dns_rdataset_t *rdataset, *sigrdataset;
1214 dns_rdata_t rdata = DNS_RDATA_INIT;
1215 dns_rdata_t sigrdata = DNS_RDATA_INIT;
1216 dns_rdata_dnskey_t key;
1217 dns_rdata_rrsig_t sig;
1218 dns_keytag_t keytag;
1219 isc_result_t result;
1221 rdataset = val->event->rdataset;
1222 sigrdataset = val->event->sigrdataset;
1224 INSIST(rdataset->type == dns_rdatatype_dnskey);
1226 for (result = dns_rdataset_first(rdataset);
1227 result == ISC_R_SUCCESS;
1228 result = dns_rdataset_next(rdataset))
1230 dns_rdata_reset(&rdata);
1231 dns_rdataset_current(rdataset, &rdata);
1232 (void)dns_rdata_tostruct(&rdata, &key, NULL);
1233 keytag = compute_keytag(&rdata, &key);
1234 for (result = dns_rdataset_first(sigrdataset);
1235 result == ISC_R_SUCCESS;
1236 result = dns_rdataset_next(sigrdataset))
1238 dns_rdata_reset(&sigrdata);
1239 dns_rdataset_current(sigrdataset, &sigrdata);
1240 (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
1242 if (sig.algorithm == key.algorithm &&
1243 sig.keyid == keytag)
1251 * Attempt to verify the rdataset using the given key and rdata (RRSIG).
1252 * The signature was good and from a wildcard record and the QNAME does
1253 * not match the wildcard we need to look for a NOQNAME proof.
1256 * \li ISC_R_SUCCESS if the verification succeeds.
1257 * \li Others if the verification fails.
1260 verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
1263 isc_result_t result;
1264 dns_fixedname_t fixed;
1265 isc_boolean_t ignore = ISC_FALSE;
1267 val->attributes |= VALATTR_TRIEDVERIFY;
1268 dns_fixedname_init(&fixed);
1270 result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
1271 key, ignore, val->view->mctx, rdata,
1272 dns_fixedname_name(&fixed));
1273 if (result == DNS_R_SIGEXPIRED && val->view->acceptexpired) {
1277 if (ignore && (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD))
1278 validator_log(val, ISC_LOG_INFO,
1279 "accepted expired %sRRSIG (keyid=%u)",
1280 (result == DNS_R_FROMWILDCARD) ?
1281 "wildcard " : "", keyid);
1283 validator_log(val, ISC_LOG_DEBUG(3),
1284 "verify rdataset (keyid=%u): %s",
1285 keyid, isc_result_totext(result));
1286 if (result == DNS_R_FROMWILDCARD) {
1287 if (!dns_name_equal(val->event->name,
1288 dns_fixedname_name(&fixed)))
1289 val->attributes |= VALATTR_NEEDNOQNAME;
1290 result = ISC_R_SUCCESS;
1296 * Attempts positive response validation of a normal RRset.
1299 * \li ISC_R_SUCCESS Validation completed successfully
1300 * \li DNS_R_WAIT Validation has started but is waiting
1302 * \li Other return codes are possible and all indicate failure.
1305 validate(dns_validator_t *val, isc_boolean_t resume) {
1306 isc_result_t result;
1307 dns_validatorevent_t *event;
1308 dns_rdata_t rdata = DNS_RDATA_INIT;
1311 * Caller must be holding the validator lock.
1318 * We already have a sigrdataset.
1320 result = ISC_R_SUCCESS;
1321 validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
1323 result = dns_rdataset_first(event->sigrdataset);
1327 result == ISC_R_SUCCESS;
1328 result = dns_rdataset_next(event->sigrdataset))
1330 dns_rdata_reset(&rdata);
1331 dns_rdataset_current(event->sigrdataset, &rdata);
1332 if (val->siginfo == NULL) {
1333 val->siginfo = isc_mem_get(val->view->mctx,
1334 sizeof(*val->siginfo));
1335 if (val->siginfo == NULL)
1336 return (ISC_R_NOMEMORY);
1338 result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
1339 if (result != ISC_R_SUCCESS)
1343 * At this point we could check that the signature algorithm
1344 * was known and "sufficiently good".
1346 if (!dns_resolver_algorithm_supported(val->view->resolver,
1348 val->siginfo->algorithm))
1352 result = get_key(val, val->siginfo);
1353 if (result == DNS_R_CONTINUE)
1354 continue; /* Try the next SIG RR. */
1355 if (result != ISC_R_SUCCESS)
1360 * The key is insecure, so mark the data as insecure also.
1362 if (val->key == NULL) {
1363 if (val->mustbesecure) {
1364 validator_log(val, ISC_LOG_WARNING,
1365 "must be secure failure");
1366 return (DNS_R_MUSTBESECURE);
1369 return (ISC_R_SUCCESS);
1373 result = verify(val, val->key, &rdata,
1374 val->siginfo->keyid);
1375 if (result == ISC_R_SUCCESS)
1377 if (val->keynode != NULL) {
1378 dns_keynode_t *nextnode = NULL;
1379 result = dns_keytable_findnextkeynode(
1383 dns_keytable_detachkeynode(val->keytable,
1385 val->keynode = nextnode;
1386 if (result != ISC_R_SUCCESS) {
1390 val->key = dns_keynode_key(val->keynode);
1392 if (get_dst_key(val, val->siginfo, val->keyset)
1397 if (result != ISC_R_SUCCESS)
1398 validator_log(val, ISC_LOG_DEBUG(3),
1399 "failed to verify rdataset");
1404 isc_stdtime_get(&now);
1405 ttl = ISC_MIN(event->rdataset->ttl,
1406 val->siginfo->timeexpire - now);
1407 if (val->keyset != NULL)
1408 ttl = ISC_MIN(ttl, val->keyset->ttl);
1409 event->rdataset->ttl = ttl;
1410 event->sigrdataset->ttl = ttl;
1413 if (val->keynode != NULL)
1414 dns_keytable_detachkeynode(val->keytable,
1417 if (val->key != NULL)
1418 dst_key_free(&val->key);
1419 if (val->keyset != NULL) {
1420 dns_rdataset_disassociate(val->keyset);
1425 if ((val->attributes & VALATTR_NEEDNOQNAME) != 0) {
1426 if (val->event->message == NULL) {
1427 validator_log(val, ISC_LOG_DEBUG(3),
1428 "no message available for noqname proof");
1429 return (DNS_R_NOVALIDSIG);
1431 validator_log(val, ISC_LOG_DEBUG(3),
1432 "looking for noqname proof");
1433 return (nsecvalidate(val, ISC_FALSE));
1434 } else if (result == ISC_R_SUCCESS) {
1435 event->rdataset->trust = dns_trust_secure;
1436 event->sigrdataset->trust = dns_trust_secure;
1437 validator_log(val, ISC_LOG_DEBUG(3),
1438 "marking as secure");
1441 validator_log(val, ISC_LOG_DEBUG(3),
1442 "verify failure: %s",
1443 isc_result_totext(result));
1447 if (result != ISC_R_NOMORE) {
1448 validator_log(val, ISC_LOG_DEBUG(3),
1449 "failed to iterate signatures: %s",
1450 isc_result_totext(result));
1454 validator_log(val, ISC_LOG_INFO, "no valid signature found");
1455 return (DNS_R_NOVALIDSIG);
1459 * Validate the DNSKEY RRset by looking for a DNSKEY that matches a
1460 * DLV record and that also verifies the DNSKEY RRset.
1463 dlv_validatezonekey(dns_validator_t *val) {
1464 dns_keytag_t keytag;
1465 dns_rdata_dlv_t dlv;
1466 dns_rdata_dnskey_t key;
1467 dns_rdata_rrsig_t sig;
1468 dns_rdata_t dlvrdata = DNS_RDATA_INIT;
1469 dns_rdata_t keyrdata = DNS_RDATA_INIT;
1470 dns_rdata_t newdsrdata = DNS_RDATA_INIT;
1471 dns_rdata_t sigrdata = DNS_RDATA_INIT;
1472 dns_rdataset_t trdataset;
1474 isc_boolean_t supported_algorithm;
1475 isc_result_t result;
1476 unsigned char dsbuf[DNS_DS_BUFFERSIZE];
1477 isc_uint8_t digest_type;
1479 validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
1482 * Look through the DLV record and find the keys that can sign the
1483 * key set and the matching signature. For each such key, attempt
1486 supported_algorithm = ISC_FALSE;
1489 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
1490 * it over DNS_DSDIGEST_SHA1. This in practice means that we
1491 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
1494 digest_type = DNS_DSDIGEST_SHA1;
1495 for (result = dns_rdataset_first(&val->dlv);
1496 result == ISC_R_SUCCESS;
1497 result = dns_rdataset_next(&val->dlv)) {
1498 dns_rdata_reset(&dlvrdata);
1499 dns_rdataset_current(&val->dlv, &dlvrdata);
1500 dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
1502 if (!dns_resolver_algorithm_supported(val->view->resolver,
1507 if (dlv.digest_type == DNS_DSDIGEST_SHA256) {
1508 digest_type = DNS_DSDIGEST_SHA256;
1513 for (result = dns_rdataset_first(&val->dlv);
1514 result == ISC_R_SUCCESS;
1515 result = dns_rdataset_next(&val->dlv))
1517 dns_rdata_reset(&dlvrdata);
1518 dns_rdataset_current(&val->dlv, &dlvrdata);
1519 (void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
1521 if (!dns_resolver_digest_supported(val->view->resolver,
1525 if (dlv.digest_type != digest_type)
1528 if (!dns_resolver_algorithm_supported(val->view->resolver,
1533 supported_algorithm = ISC_TRUE;
1535 dns_rdataset_init(&trdataset);
1536 dns_rdataset_clone(val->event->rdataset, &trdataset);
1538 for (result = dns_rdataset_first(&trdataset);
1539 result == ISC_R_SUCCESS;
1540 result = dns_rdataset_next(&trdataset))
1542 dns_rdata_reset(&keyrdata);
1543 dns_rdataset_current(&trdataset, &keyrdata);
1544 (void)dns_rdata_tostruct(&keyrdata, &key, NULL);
1545 keytag = compute_keytag(&keyrdata, &key);
1546 if (dlv.key_tag != keytag ||
1547 dlv.algorithm != key.algorithm)
1549 dns_rdata_reset(&newdsrdata);
1550 result = dns_ds_buildrdata(val->event->name,
1551 &keyrdata, dlv.digest_type,
1552 dsbuf, &newdsrdata);
1553 if (result != ISC_R_SUCCESS) {
1554 validator_log(val, ISC_LOG_DEBUG(3),
1555 "dns_ds_buildrdata() -> %s",
1556 dns_result_totext(result));
1560 newdsrdata.type = dns_rdatatype_dlv;
1561 if (dns_rdata_compare(&dlvrdata, &newdsrdata) == 0)
1564 if (result != ISC_R_SUCCESS) {
1565 validator_log(val, ISC_LOG_DEBUG(3),
1566 "no DNSKEY matching DLV");
1569 validator_log(val, ISC_LOG_DEBUG(3),
1570 "Found matching DLV record: checking for signature");
1572 for (result = dns_rdataset_first(val->event->sigrdataset);
1573 result == ISC_R_SUCCESS;
1574 result = dns_rdataset_next(val->event->sigrdataset))
1576 dns_rdata_reset(&sigrdata);
1577 dns_rdataset_current(val->event->sigrdataset,
1579 (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
1580 if (dlv.key_tag != sig.keyid &&
1581 dlv.algorithm != sig.algorithm)
1584 result = dns_dnssec_keyfromrdata(val->event->name,
1588 if (result != ISC_R_SUCCESS)
1590 * This really shouldn't happen, but...
1594 result = verify(val, dstkey, &sigrdata, sig.keyid);
1595 dst_key_free(&dstkey);
1596 if (result == ISC_R_SUCCESS)
1599 dns_rdataset_disassociate(&trdataset);
1600 if (result == ISC_R_SUCCESS)
1602 validator_log(val, ISC_LOG_DEBUG(3),
1603 "no RRSIG matching DLV key");
1605 if (result == ISC_R_SUCCESS) {
1606 val->event->rdataset->trust = dns_trust_secure;
1607 val->event->sigrdataset->trust = dns_trust_secure;
1608 validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
1610 } else if (result == ISC_R_NOMORE && !supported_algorithm) {
1611 if (val->mustbesecure) {
1612 validator_log(val, ISC_LOG_WARNING,
1613 "must be secure failure");
1614 return (DNS_R_MUSTBESECURE);
1616 validator_log(val, ISC_LOG_DEBUG(3),
1617 "no supported algorithm/digest (dlv)");
1619 return (ISC_R_SUCCESS);
1621 return (DNS_R_NOVALIDSIG);
1625 * Attempts positive response validation of an RRset containing zone keys.
1628 * \li ISC_R_SUCCESS Validation completed successfully
1629 * \li DNS_R_WAIT Validation has started but is waiting
1631 * \li Other return codes are possible and all indicate failure.
1634 validatezonekey(dns_validator_t *val) {
1635 isc_result_t result;
1636 dns_validatorevent_t *event;
1637 dns_rdataset_t trdataset;
1638 dns_rdata_t dsrdata = DNS_RDATA_INIT;
1639 dns_rdata_t newdsrdata = DNS_RDATA_INIT;
1640 dns_rdata_t keyrdata = DNS_RDATA_INIT;
1641 dns_rdata_t sigrdata = DNS_RDATA_INIT;
1642 unsigned char dsbuf[DNS_DS_BUFFERSIZE];
1643 char namebuf[DNS_NAME_FORMATSIZE];
1644 dns_keytag_t keytag;
1646 dns_rdata_dnskey_t key;
1647 dns_rdata_rrsig_t sig;
1649 isc_boolean_t supported_algorithm;
1650 isc_boolean_t atsep = ISC_FALSE;
1651 isc_uint8_t digest_type;
1654 * Caller must be holding the validator lock.
1659 if (val->havedlvsep && val->dlv.trust >= dns_trust_secure &&
1660 dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep)))
1661 return (dlv_validatezonekey(val));
1663 if (val->dsset == NULL) {
1665 * First, see if this key was signed by a trusted key.
1667 for (result = dns_rdataset_first(val->event->sigrdataset);
1668 result == ISC_R_SUCCESS;
1669 result = dns_rdataset_next(val->event->sigrdataset))
1671 dns_keynode_t *keynode = NULL, *nextnode = NULL;
1673 dns_rdata_reset(&sigrdata);
1674 dns_rdataset_current(val->event->sigrdataset,
1676 (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
1677 result = dns_keytable_findkeynode(val->keytable,
1682 if (result == DNS_R_PARTIALMATCH ||
1683 result == ISC_R_SUCCESS)
1685 while (result == ISC_R_SUCCESS) {
1686 dstkey = dns_keynode_key(keynode);
1687 result = verify(val, dstkey, &sigrdata,
1689 if (result == ISC_R_SUCCESS) {
1690 dns_keytable_detachkeynode(val->keytable,
1694 result = dns_keytable_findnextkeynode(
1698 dns_keytable_detachkeynode(val->keytable,
1702 if (result == ISC_R_SUCCESS) {
1703 event->rdataset->trust = dns_trust_secure;
1704 event->sigrdataset->trust = dns_trust_secure;
1705 validator_log(val, ISC_LOG_DEBUG(3),
1706 "signed by trusted key; "
1707 "marking as secure");
1713 * If this is the root name and there was no trusted key,
1714 * give up, since there's no DS at the root.
1716 if (dns_name_equal(event->name, dns_rootname)) {
1717 if ((val->attributes & VALATTR_TRIEDVERIFY) != 0)
1718 return (DNS_R_NOVALIDSIG);
1720 return (DNS_R_NOVALIDDS);
1725 * We have not found a key to verify this DNSKEY
1726 * RRset. As this is a SEP we have to assume that
1727 * the RRset is invalid.
1729 dns_name_format(val->event->name, namebuf,
1731 validator_log(val, ISC_LOG_DEBUG(2),
1732 "unable to find a DNSKEY which verifies "
1733 "the DNSKEY RRset and also matches one "
1734 "of specified trusted-keys for '%s'",
1736 return (DNS_R_NOVALIDKEY);
1740 * Otherwise, try to find the DS record.
1742 result = view_find(val, val->event->name, dns_rdatatype_ds);
1743 if (result == ISC_R_SUCCESS) {
1745 * We have DS records.
1747 val->dsset = &val->frdataset;
1748 if (val->frdataset.trust == dns_trust_pending &&
1749 dns_rdataset_isassociated(&val->fsigrdataset))
1751 result = create_validator(val,
1758 if (result != ISC_R_SUCCESS)
1760 return (DNS_R_WAIT);
1761 } else if (val->frdataset.trust == dns_trust_pending) {
1763 * There should never be an unsigned DS.
1765 dns_rdataset_disassociate(&val->frdataset);
1766 validator_log(val, ISC_LOG_DEBUG(2),
1767 "unsigned DS record");
1768 return (DNS_R_NOVALIDSIG);
1770 result = ISC_R_SUCCESS;
1771 } else if (result == ISC_R_NOTFOUND) {
1773 * We don't have the DS. Find it.
1775 result = create_fetch(val, val->event->name,
1776 dns_rdatatype_ds, dsfetched,
1778 if (result != ISC_R_SUCCESS)
1780 return (DNS_R_WAIT);
1781 } else if (result == DNS_R_NCACHENXDOMAIN ||
1782 result == DNS_R_NCACHENXRRSET ||
1783 result == DNS_R_NXDOMAIN ||
1784 result == DNS_R_NXRRSET)
1787 * The DS does not exist.
1789 if (dns_rdataset_isassociated(&val->frdataset))
1790 dns_rdataset_disassociate(&val->frdataset);
1791 if (dns_rdataset_isassociated(&val->fsigrdataset))
1792 dns_rdataset_disassociate(&val->fsigrdataset);
1793 validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
1794 return (DNS_R_NOVALIDSIG);
1801 INSIST(val->dsset != NULL);
1803 if (val->dsset->trust < dns_trust_secure) {
1804 if (val->mustbesecure) {
1805 validator_log(val, ISC_LOG_WARNING,
1806 "must be secure failure");
1807 return (DNS_R_MUSTBESECURE);
1810 return (ISC_R_SUCCESS);
1814 * Look through the DS record and find the keys that can sign the
1815 * key set and the matching signature. For each such key, attempt
1819 supported_algorithm = ISC_FALSE;
1822 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
1823 * it over DNS_DSDIGEST_SHA1. This in practice means that we
1824 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
1827 digest_type = DNS_DSDIGEST_SHA1;
1828 for (result = dns_rdataset_first(val->dsset);
1829 result == ISC_R_SUCCESS;
1830 result = dns_rdataset_next(val->dsset)) {
1831 dns_rdata_reset(&dsrdata);
1832 dns_rdataset_current(val->dsset, &dsrdata);
1833 dns_rdata_tostruct(&dsrdata, &ds, NULL);
1835 if (!dns_resolver_algorithm_supported(val->view->resolver,
1840 if (ds.digest_type == DNS_DSDIGEST_SHA256) {
1841 digest_type = DNS_DSDIGEST_SHA256;
1846 for (result = dns_rdataset_first(val->dsset);
1847 result == ISC_R_SUCCESS;
1848 result = dns_rdataset_next(val->dsset))
1850 dns_rdata_reset(&dsrdata);
1851 dns_rdataset_current(val->dsset, &dsrdata);
1852 (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
1854 if (!dns_resolver_digest_supported(val->view->resolver,
1858 if (ds.digest_type != digest_type)
1861 if (!dns_resolver_algorithm_supported(val->view->resolver,
1866 supported_algorithm = ISC_TRUE;
1868 dns_rdataset_init(&trdataset);
1869 dns_rdataset_clone(val->event->rdataset, &trdataset);
1872 * Look for the KEY that matches the DS record.
1874 for (result = dns_rdataset_first(&trdataset);
1875 result == ISC_R_SUCCESS;
1876 result = dns_rdataset_next(&trdataset))
1878 dns_rdata_reset(&keyrdata);
1879 dns_rdataset_current(&trdataset, &keyrdata);
1880 (void)dns_rdata_tostruct(&keyrdata, &key, NULL);
1881 keytag = compute_keytag(&keyrdata, &key);
1882 if (ds.key_tag != keytag ||
1883 ds.algorithm != key.algorithm)
1885 dns_rdata_reset(&newdsrdata);
1886 result = dns_ds_buildrdata(val->event->name,
1887 &keyrdata, ds.digest_type,
1888 dsbuf, &newdsrdata);
1889 if (result != ISC_R_SUCCESS)
1891 if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0)
1894 if (result != ISC_R_SUCCESS) {
1895 validator_log(val, ISC_LOG_DEBUG(3),
1896 "no DNSKEY matching DS");
1900 for (result = dns_rdataset_first(val->event->sigrdataset);
1901 result == ISC_R_SUCCESS;
1902 result = dns_rdataset_next(val->event->sigrdataset))
1904 dns_rdata_reset(&sigrdata);
1905 dns_rdataset_current(val->event->sigrdataset,
1907 (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
1908 if (ds.key_tag != sig.keyid ||
1909 ds.algorithm != sig.algorithm)
1913 result = dns_dnssec_keyfromrdata(val->event->name,
1917 if (result != ISC_R_SUCCESS)
1919 * This really shouldn't happen, but...
1922 result = verify(val, dstkey, &sigrdata, sig.keyid);
1923 dst_key_free(&dstkey);
1924 if (result == ISC_R_SUCCESS)
1927 dns_rdataset_disassociate(&trdataset);
1928 if (result == ISC_R_SUCCESS)
1930 validator_log(val, ISC_LOG_DEBUG(3),
1931 "no RRSIG matching DS key");
1933 if (result == ISC_R_SUCCESS) {
1934 event->rdataset->trust = dns_trust_secure;
1935 event->sigrdataset->trust = dns_trust_secure;
1936 validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
1938 } else if (result == ISC_R_NOMORE && !supported_algorithm) {
1939 if (val->mustbesecure) {
1940 validator_log(val, ISC_LOG_WARNING,
1941 "must be secure failure");
1942 return (DNS_R_MUSTBESECURE);
1944 validator_log(val, ISC_LOG_DEBUG(3),
1945 "no supported algorithm/digest (DS)");
1947 return (ISC_R_SUCCESS);
1949 return (DNS_R_NOVALIDSIG);
1953 * Starts a positive response validation.
1956 * \li ISC_R_SUCCESS Validation completed successfully
1957 * \li DNS_R_WAIT Validation has started but is waiting
1959 * \li Other return codes are possible and all indicate failure.
1962 start_positive_validation(dns_validator_t *val) {
1964 * If this is not a key, go straight into validate().
1966 if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
1967 return (validate(val, ISC_FALSE));
1969 return (validatezonekey(val));
1973 * Look for NODATA at the wildcard and NOWILDCARD proofs in the
1974 * previously validated NSEC records. As these proofs are mutually
1975 * exclusive we stop when one is found.
1981 checkwildcard(dns_validator_t *val) {
1982 dns_name_t *name, *wild;
1983 dns_message_t *message = val->event->message;
1984 isc_result_t result;
1985 isc_boolean_t exists, data;
1986 char namebuf[DNS_NAME_FORMATSIZE];
1988 wild = dns_fixedname_name(&val->wild);
1989 dns_name_format(wild, namebuf, sizeof(namebuf));
1990 validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
1992 for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
1993 result == ISC_R_SUCCESS;
1994 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
1996 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
1999 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
2001 for (rdataset = ISC_LIST_HEAD(name->list);
2003 rdataset = ISC_LIST_NEXT(rdataset, link))
2005 if (rdataset->type != dns_rdatatype_nsec)
2007 val->nsecset = rdataset;
2009 for (sigrdataset = ISC_LIST_HEAD(name->list);
2010 sigrdataset != NULL;
2011 sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
2013 if (sigrdataset->type == dns_rdatatype_rrsig &&
2014 sigrdataset->covers == rdataset->type)
2017 if (sigrdataset == NULL)
2020 if (rdataset->trust != dns_trust_secure)
2023 if (((val->attributes & VALATTR_NEEDNODATA) != 0 ||
2024 (val->attributes & VALATTR_NEEDNOWILDCARD) != 0) &&
2025 (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
2026 (val->attributes & VALATTR_FOUNDNOWILDCARD) == 0 &&
2027 nsecnoexistnodata(val, wild, name, rdataset,
2028 &exists, &data, NULL)
2031 dns_name_t **proofs = val->event->proofs;
2032 if (exists && !data)
2033 val->attributes |= VALATTR_FOUNDNODATA;
2034 if (exists && !data && NEEDNODATA(val))
2035 proofs[DNS_VALIDATOR_NODATAPROOF] =
2039 VALATTR_FOUNDNOWILDCARD;
2040 if (!exists && NEEDNOQNAME(val))
2041 proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
2043 return (ISC_R_SUCCESS);
2047 if (result == ISC_R_NOMORE)
2048 result = ISC_R_SUCCESS;
2053 * Prove a negative answer is good or that there is a NOQNAME when the
2054 * answer is from a wildcard.
2056 * Loop through the authority section looking for NODATA, NOWILDCARD
2057 * and NOQNAME proofs in the NSEC records by calling authvalidated().
2059 * If the required proofs are found we are done.
2061 * If the proofs are not found attempt to prove this is a unsecure
2065 nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
2067 dns_message_t *message = val->event->message;
2068 isc_result_t result;
2071 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
2073 result = ISC_R_SUCCESS;
2074 validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
2078 result == ISC_R_SUCCESS;
2079 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
2081 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
2084 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
2086 rdataset = ISC_LIST_NEXT(val->currentset, link);
2087 val->currentset = NULL;
2090 rdataset = ISC_LIST_HEAD(name->list);
2094 rdataset = ISC_LIST_NEXT(rdataset, link))
2096 if (rdataset->type == dns_rdatatype_rrsig)
2099 for (sigrdataset = ISC_LIST_HEAD(name->list);
2100 sigrdataset != NULL;
2101 sigrdataset = ISC_LIST_NEXT(sigrdataset,
2104 if (sigrdataset->type == dns_rdatatype_rrsig &&
2105 sigrdataset->covers == rdataset->type)
2109 * If a signed zone is missing the zone key, bad
2110 * things could happen. A query for data in the zone
2111 * would lead to a query for the zone key, which
2112 * would return a negative answer, which would contain
2113 * an SOA and an NSEC signed by the missing key, which
2114 * would trigger another query for the DNSKEY (since
2115 * the first one is still in progress), and go into an
2116 * infinite loop. Avoid that.
2118 if (val->event->type == dns_rdatatype_dnskey &&
2119 dns_name_equal(name, val->event->name))
2121 dns_rdata_t nsec = DNS_RDATA_INIT;
2123 if (rdataset->type != dns_rdatatype_nsec)
2126 result = dns_rdataset_first(rdataset);
2127 if (result != ISC_R_SUCCESS)
2129 dns_rdataset_current(rdataset, &nsec);
2130 if (dns_nsec_typepresent(&nsec,
2134 val->currentset = rdataset;
2135 result = create_validator(val, name, rdataset->type,
2136 rdataset, sigrdataset,
2139 if (result != ISC_R_SUCCESS)
2141 return (DNS_R_WAIT);
2145 if (result == ISC_R_NOMORE)
2146 result = ISC_R_SUCCESS;
2147 if (result != ISC_R_SUCCESS)
2151 * Do we only need to check for NOQNAME? To get here we must have
2152 * had a secure wildcard answer.
2154 if ((val->attributes & VALATTR_NEEDNODATA) == 0 &&
2155 (val->attributes & VALATTR_NEEDNOWILDCARD) == 0 &&
2156 (val->attributes & VALATTR_NEEDNOQNAME) != 0) {
2157 if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0) {
2158 validator_log(val, ISC_LOG_DEBUG(3),
2159 "noqname proof found");
2160 validator_log(val, ISC_LOG_DEBUG(3),
2161 "marking as secure");
2162 val->event->rdataset->trust = dns_trust_secure;
2163 val->event->sigrdataset->trust = dns_trust_secure;
2164 return (ISC_R_SUCCESS);
2166 validator_log(val, ISC_LOG_DEBUG(3),
2167 "noqname proof not found");
2168 return (DNS_R_NOVALIDNSEC);
2172 * Do we need to check for the wildcard?
2174 if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
2175 (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
2176 (val->attributes & VALATTR_FOUNDNODATA) == 0) ||
2177 (val->attributes & VALATTR_NEEDNOWILDCARD) != 0)) {
2178 result = checkwildcard(val);
2179 if (result != ISC_R_SUCCESS)
2183 if (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
2184 (val->attributes & VALATTR_FOUNDNODATA) != 0) ||
2185 ((val->attributes & VALATTR_NEEDNOQNAME) != 0 &&
2186 (val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
2187 (val->attributes & VALATTR_NEEDNOWILDCARD) != 0 &&
2188 (val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)) {
2189 validator_log(val, ISC_LOG_DEBUG(3),
2190 "nonexistence proof(s) found");
2191 return (ISC_R_SUCCESS);
2194 validator_log(val, ISC_LOG_DEBUG(3),
2195 "nonexistence proof(s) not found");
2196 val->attributes |= VALATTR_INSECURITY;
2197 return (proveunsecure(val, ISC_FALSE));
2200 static isc_boolean_t
2201 check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) {
2202 dns_rdata_t dsrdata = DNS_RDATA_INIT;
2204 isc_result_t result;
2206 for (result = dns_rdataset_first(rdataset);
2207 result == ISC_R_SUCCESS;
2208 result = dns_rdataset_next(rdataset)) {
2209 dns_rdataset_current(rdataset, &dsrdata);
2210 (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
2212 if (dns_resolver_digest_supported(val->view->resolver,
2214 dns_resolver_algorithm_supported(val->view->resolver,
2215 name, ds.algorithm)) {
2216 dns_rdata_reset(&dsrdata);
2219 dns_rdata_reset(&dsrdata);
2225 * Callback from fetching a DLV record.
2227 * Resumes the DLV lookup process.
2230 dlvfetched(isc_task_t *task, isc_event_t *event) {
2231 char namebuf[DNS_NAME_FORMATSIZE];
2232 dns_fetchevent_t *devent;
2233 dns_validator_t *val;
2234 isc_boolean_t want_destroy;
2235 isc_result_t eresult;
2236 isc_result_t result;
2239 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
2240 devent = (dns_fetchevent_t *)event;
2241 val = devent->ev_arg;
2242 eresult = devent->result;
2244 /* Free resources which are not of interest. */
2245 if (devent->node != NULL)
2246 dns_db_detachnode(devent->db, &devent->node);
2247 if (devent->db != NULL)
2248 dns_db_detach(&devent->db);
2249 if (dns_rdataset_isassociated(&val->fsigrdataset))
2250 dns_rdataset_disassociate(&val->fsigrdataset);
2251 isc_event_free(&event);
2252 dns_resolver_destroyfetch(&val->fetch);
2254 INSIST(val->event != NULL);
2255 validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s",
2256 dns_result_totext(eresult));
2259 if (eresult == ISC_R_SUCCESS) {
2260 dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
2262 dns_rdataset_clone(&val->frdataset, &val->dlv);
2263 val->havedlvsep = ISC_TRUE;
2264 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
2265 dlv_validator_start(val);
2266 } else if (eresult == DNS_R_NXRRSET ||
2267 eresult == DNS_R_NXDOMAIN ||
2268 eresult == DNS_R_NCACHENXRRSET ||
2269 eresult == DNS_R_NCACHENXDOMAIN) {
2270 result = finddlvsep(val, ISC_TRUE);
2271 if (result == ISC_R_SUCCESS) {
2272 dns_name_format(dns_fixedname_name(&val->dlvsep),
2273 namebuf, sizeof(namebuf));
2274 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
2276 dlv_validator_start(val);
2277 } else if (result == ISC_R_NOTFOUND) {
2278 validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
2280 validator_done(val, ISC_R_SUCCESS);
2282 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2283 dns_result_totext(result));
2284 if (result != DNS_R_WAIT)
2285 validator_done(val, result);
2288 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2289 dns_result_totext(eresult));
2290 validator_done(val, eresult);
2292 want_destroy = exit_check(val);
2299 * Start the DLV lookup proccess.
2304 * \li Others on validation failures.
2307 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
2308 char namebuf[DNS_NAME_FORMATSIZE];
2309 isc_result_t result;
2311 INSIST(!DLVTRIED(val));
2313 val->attributes |= VALATTR_DLVTRIED;
2315 dns_name_format(unsecure, namebuf, sizeof(namebuf));
2316 validator_log(val, ISC_LOG_DEBUG(3),
2317 "plain DNSSEC returns unsecure (%s): looking for DLV",
2320 if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
2321 validator_log(val, ISC_LOG_WARNING, "must be secure failure");
2322 return (DNS_R_MUSTBESECURE);
2325 val->dlvlabels = dns_name_countlabels(unsecure) - 1;
2326 result = finddlvsep(val, ISC_FALSE);
2327 if (result == ISC_R_NOTFOUND) {
2328 validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
2330 return (ISC_R_SUCCESS);
2332 if (result != ISC_R_SUCCESS) {
2333 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2334 dns_result_totext(result));
2337 dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
2339 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
2340 dlv_validator_start(val);
2341 return (DNS_R_WAIT);
2345 * Continue the DLV lookup process.
2349 * \li ISC_R_NOTFOUND
2351 * \li Others on validation failure.
2354 finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
2355 char namebuf[DNS_NAME_FORMATSIZE];
2356 dns_fixedname_t dlvfixed;
2357 dns_name_t *dlvname;
2360 isc_result_t result;
2361 unsigned int labels;
2363 INSIST(val->view->dlv != NULL);
2367 if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
2368 validator_log(val, ISC_LOG_WARNING,
2369 "must be secure failure");
2370 return (DNS_R_MUSTBESECURE);
2373 dns_fixedname_init(&val->dlvsep);
2374 dlvsep = dns_fixedname_name(&val->dlvsep);
2375 dns_name_copy(val->event->name, dlvsep, NULL);
2376 if (val->event->type == dns_rdatatype_ds) {
2377 labels = dns_name_countlabels(dlvsep);
2379 return (ISC_R_NOTFOUND);
2380 dns_name_getlabelsequence(dlvsep, 1, labels - 1,
2384 dlvsep = dns_fixedname_name(&val->dlvsep);
2385 labels = dns_name_countlabels(dlvsep);
2386 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2388 dns_name_init(&noroot, NULL);
2389 dns_fixedname_init(&dlvfixed);
2390 dlvname = dns_fixedname_name(&dlvfixed);
2391 labels = dns_name_countlabels(dlvsep);
2393 return (ISC_R_NOTFOUND);
2394 dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot);
2395 result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL);
2396 while (result == ISC_R_NOSPACE) {
2397 labels = dns_name_countlabels(dlvsep);
2398 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2399 dns_name_getlabelsequence(dlvsep, 0, labels - 2, &noroot);
2400 result = dns_name_concatenate(&noroot, val->view->dlv,
2403 if (result != ISC_R_SUCCESS) {
2404 validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed");
2405 return (DNS_R_NOVALIDSIG);
2408 while (dns_name_countlabels(dlvname) >=
2409 dns_name_countlabels(val->view->dlv) + val->dlvlabels) {
2410 dns_name_format(dlvname, namebuf, sizeof(namebuf));
2411 validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s",
2413 result = view_find(val, dlvname, dns_rdatatype_dlv);
2414 if (result == ISC_R_SUCCESS) {
2415 if (val->frdataset.trust < dns_trust_secure)
2416 return (DNS_R_NOVALIDSIG);
2417 val->havedlvsep = ISC_TRUE;
2418 dns_rdataset_clone(&val->frdataset, &val->dlv);
2419 return (ISC_R_SUCCESS);
2421 if (result == ISC_R_NOTFOUND) {
2422 result = create_fetch(val, dlvname, dns_rdatatype_dlv,
2423 dlvfetched, "finddlvsep");
2424 if (result != ISC_R_SUCCESS)
2426 return (DNS_R_WAIT);
2428 if (result != DNS_R_NXRRSET &&
2429 result != DNS_R_NXDOMAIN &&
2430 result != DNS_R_NCACHENXRRSET &&
2431 result != DNS_R_NCACHENXDOMAIN)
2434 * Strip first labels from both dlvsep and dlvname.
2436 labels = dns_name_countlabels(dlvsep);
2439 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2440 labels = dns_name_countlabels(dlvname);
2441 dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname);
2443 return (ISC_R_NOTFOUND);
2447 * proveunsecure walks down from the SEP looking for a break in the
2448 * chain of trust. That occurs when we can prove the DS record does
2449 * not exist at a delegation point or the DS exists at a delegation
2450 * but we don't support the algorithm/digest.
2452 * If DLV is active and we look for a DLV record at or below the
2453 * point we go insecure. If found we restart the validation process.
2454 * If not found or DLV isn't active we mark the response as a answer.
2457 * \li ISC_R_SUCCESS val->event->name is in a unsecure zone
2458 * \li DNS_R_WAIT validation is in progress.
2459 * \li DNS_R_MUSTBESECURE val->event->name is supposed to be secure
2460 * (policy) but we proved that it is unsecure.
2461 * \li DNS_R_NOVALIDSIG
2462 * \li DNS_R_NOVALIDNSEC
2463 * \li DNS_R_NOTINSECURE
2466 proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
2467 isc_result_t result;
2468 dns_fixedname_t fixedsecroot;
2469 dns_name_t *secroot;
2471 char namebuf[DNS_NAME_FORMATSIZE];
2473 dns_fixedname_init(&fixedsecroot);
2474 secroot = dns_fixedname_name(&fixedsecroot);
2475 if (val->havedlvsep)
2476 dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
2478 result = dns_keytable_finddeepestmatch(val->keytable,
2482 if (result == ISC_R_NOTFOUND) {
2483 validator_log(val, ISC_LOG_DEBUG(3),
2484 "not beneath secure root");
2485 if (val->mustbesecure) {
2486 validator_log(val, ISC_LOG_WARNING,
2487 "must be secure failure");
2488 result = DNS_R_MUSTBESECURE;
2491 if (val->view->dlv == NULL || DLVTRIED(val)) {
2493 return (ISC_R_SUCCESS);
2495 return (startfinddlvsep(val, dns_rootname));
2496 } else if (result != ISC_R_SUCCESS)
2502 * We are looking for breaks below the SEP so add a label.
2504 val->labels = dns_name_countlabels(secroot) + 1;
2506 validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
2507 if (val->frdataset.trust >= dns_trust_secure &&
2508 !check_ds(val, dns_fixedname_name(&val->fname),
2510 dns_name_format(dns_fixedname_name(&val->fname),
2511 namebuf, sizeof(namebuf));
2512 if (val->mustbesecure) {
2513 validator_log(val, ISC_LOG_WARNING,
2514 "must be secure failure at '%s'",
2516 result = DNS_R_MUSTBESECURE;
2519 validator_log(val, ISC_LOG_DEBUG(3),
2520 "no supported algorithm/digest (%s/DS)",
2522 if (val->view->dlv == NULL || DLVTRIED(val)) {
2524 result = ISC_R_SUCCESS;
2527 result = startfinddlvsep(val,
2528 dns_fixedname_name(&val->fname));
2535 val->labels <= dns_name_countlabels(val->event->name);
2539 dns_fixedname_init(&val->fname);
2540 tname = dns_fixedname_name(&val->fname);
2541 if (val->labels == dns_name_countlabels(val->event->name))
2542 dns_name_copy(val->event->name, tname, NULL);
2544 dns_name_split(val->event->name, val->labels,
2547 dns_name_format(tname, namebuf, sizeof(namebuf));
2548 validator_log(val, ISC_LOG_DEBUG(3),
2549 "checking existence of DS at '%s'",
2552 result = view_find(val, tname, dns_rdatatype_ds);
2554 if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
2556 * There is no DS. If this is a delegation,
2559 if (val->frdataset.trust == dns_trust_pending) {
2560 result = create_fetch(val, tname,
2564 if (result != ISC_R_SUCCESS)
2566 return (DNS_R_WAIT);
2568 if (val->frdataset.trust < dns_trust_secure) {
2570 * This shouldn't happen, since the negative
2571 * response should have been validated. Since
2572 * there's no way of validating existing
2573 * negative response blobs, give up.
2575 result = DNS_R_NOVALIDSIG;
2578 if (isdelegation(tname, &val->frdataset, result)) {
2579 if (val->mustbesecure) {
2580 validator_log(val, ISC_LOG_WARNING,
2581 "must be secure failure");
2582 return (DNS_R_MUSTBESECURE);
2584 if (val->view->dlv == NULL || DLVTRIED(val)) {
2586 return (ISC_R_SUCCESS);
2588 return (startfinddlvsep(val, tname));
2591 } else if (result == ISC_R_SUCCESS) {
2593 * There is a DS here. Verify that it's secure and
2596 if (val->frdataset.trust >= dns_trust_secure) {
2597 if (!check_ds(val, tname, &val->frdataset)) {
2598 validator_log(val, ISC_LOG_DEBUG(3),
2599 "no supported algorithm/"
2600 "digest (%s/DS)", namebuf);
2601 if (val->mustbesecure) {
2604 "must be secure failure");
2605 result = DNS_R_MUSTBESECURE;
2608 if (val->view->dlv == NULL ||
2611 result = ISC_R_SUCCESS;
2614 result = startfinddlvsep(val, tname);
2619 else if (!dns_rdataset_isassociated(&val->fsigrdataset))
2621 result = DNS_R_NOVALIDSIG;
2624 result = create_validator(val, tname, dns_rdatatype_ds,
2629 if (result != ISC_R_SUCCESS)
2631 return (DNS_R_WAIT);
2632 } else if (result == DNS_R_NXDOMAIN ||
2633 result == DNS_R_NCACHENXDOMAIN) {
2635 * This is not a zone cut. Assuming things are
2636 * as expected, continue.
2638 if (!dns_rdataset_isassociated(&val->frdataset)) {
2640 * There should be an NSEC here, since we
2641 * are still in a secure zone.
2643 result = DNS_R_NOVALIDNSEC;
2645 } else if (val->frdataset.trust < dns_trust_secure) {
2647 * This shouldn't happen, since the negative
2648 * response should have been validated. Since
2649 * there's no way of validating existing
2650 * negative response blobs, give up.
2652 result = DNS_R_NOVALIDSIG;
2656 } else if (result == ISC_R_NOTFOUND) {
2658 * We don't know anything about the DS. Find it.
2660 result = create_fetch(val, tname, dns_rdatatype_ds,
2661 dsfetched2, "proveunsecure");
2662 if (result != ISC_R_SUCCESS)
2664 return (DNS_R_WAIT);
2667 validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
2668 return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
2671 if (dns_rdataset_isassociated(&val->frdataset))
2672 dns_rdataset_disassociate(&val->frdataset);
2673 if (dns_rdataset_isassociated(&val->fsigrdataset))
2674 dns_rdataset_disassociate(&val->fsigrdataset);
2679 * Reset state and revalidate the answer using DLV.
2682 dlv_validator_start(dns_validator_t *val) {
2685 validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start");
2688 * Reset state and try again.
2690 val->attributes &= VALATTR_DLVTRIED;
2691 val->options &= ~DNS_VALIDATOR_DLV;
2693 event = (isc_event_t *)val->event;
2694 isc_task_send(val->task, &event);
2698 * Start the validation process.
2700 * Attempt to valididate the answer based on the category it appears to
2702 * \li 1. secure positive answer.
2703 * \li 2. unsecure positive answer.
2704 * \li 3. a negative answer (secure or unsecure).
2706 * Note a answer that appears to be a secure positive answer may actually
2707 * be a unsecure positive answer.
2710 validator_start(isc_task_t *task, isc_event_t *event) {
2711 dns_validator_t *val;
2712 dns_validatorevent_t *vevent;
2713 isc_boolean_t want_destroy = ISC_FALSE;
2714 isc_result_t result = ISC_R_FAILURE;
2717 REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
2718 vevent = (dns_validatorevent_t *)event;
2719 val = vevent->validator;
2721 /* If the validator has been cancelled, val->event == NULL */
2722 if (val->event == NULL)
2726 validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV");
2728 validator_log(val, ISC_LOG_DEBUG(3), "starting");
2732 if ((val->options & DNS_VALIDATOR_DLV) != 0 &&
2733 val->event->rdataset != NULL) {
2734 validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
2735 result = startfinddlvsep(val, dns_rootname);
2736 } else if (val->event->rdataset != NULL &&
2737 val->event->sigrdataset != NULL) {
2738 isc_result_t saved_result;
2741 * This looks like a simple validation. We say "looks like"
2742 * because it might end up requiring an insecurity proof.
2744 validator_log(val, ISC_LOG_DEBUG(3),
2745 "attempting positive response validation");
2747 INSIST(dns_rdataset_isassociated(val->event->rdataset));
2748 INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
2749 result = start_positive_validation(val);
2750 if (result == DNS_R_NOVALIDSIG &&
2751 (val->attributes & VALATTR_TRIEDVERIFY) == 0)
2753 saved_result = result;
2754 validator_log(val, ISC_LOG_DEBUG(3),
2755 "falling back to insecurity proof");
2756 val->attributes |= VALATTR_INSECURITY;
2757 result = proveunsecure(val, ISC_FALSE);
2758 if (result == DNS_R_NOTINSECURE)
2759 result = saved_result;
2761 } else if (val->event->rdataset != NULL) {
2763 * This is either an unsecure subdomain or a response from
2766 INSIST(dns_rdataset_isassociated(val->event->rdataset));
2767 validator_log(val, ISC_LOG_DEBUG(3),
2768 "attempting insecurity proof");
2770 val->attributes |= VALATTR_INSECURITY;
2771 result = proveunsecure(val, ISC_FALSE);
2772 } else if (val->event->rdataset == NULL &&
2773 val->event->sigrdataset == NULL)
2776 * This is a nonexistence validation.
2778 validator_log(val, ISC_LOG_DEBUG(3),
2779 "attempting negative response validation");
2781 if (val->event->message->rcode == dns_rcode_nxdomain) {
2782 val->attributes |= VALATTR_NEEDNOQNAME;
2783 val->attributes |= VALATTR_NEEDNOWILDCARD;
2785 val->attributes |= VALATTR_NEEDNODATA;
2786 result = nsecvalidate(val, ISC_FALSE);
2789 * This shouldn't happen.
2794 if (result != DNS_R_WAIT) {
2795 want_destroy = exit_check(val);
2796 validator_done(val, result);
2805 dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
2806 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
2807 dns_message_t *message, unsigned int options,
2808 isc_task_t *task, isc_taskaction_t action, void *arg,
2809 dns_validator_t **validatorp)
2811 isc_result_t result;
2812 dns_validator_t *val;
2814 dns_validatorevent_t *event;
2816 REQUIRE(name != NULL);
2818 REQUIRE(rdataset != NULL ||
2819 (rdataset == NULL && sigrdataset == NULL && message != NULL));
2820 REQUIRE(validatorp != NULL && *validatorp == NULL);
2823 result = ISC_R_FAILURE;
2825 val = isc_mem_get(view->mctx, sizeof(*val));
2827 return (ISC_R_NOMEMORY);
2829 dns_view_weakattach(view, &val->view);
2830 event = (dns_validatorevent_t *)
2831 isc_event_allocate(view->mctx, task,
2832 DNS_EVENT_VALIDATORSTART,
2833 validator_start, NULL,
2834 sizeof(dns_validatorevent_t));
2835 if (event == NULL) {
2836 result = ISC_R_NOMEMORY;
2839 isc_task_attach(task, &tclone);
2840 event->validator = val;
2841 event->result = ISC_R_FAILURE;
2844 event->rdataset = rdataset;
2845 event->sigrdataset = sigrdataset;
2846 event->message = message;
2847 memset(event->proofs, 0, sizeof(event->proofs));
2848 result = isc_mutex_init(&val->lock);
2849 if (result != ISC_R_SUCCESS)
2852 val->options = options;
2853 val->attributes = 0;
2855 val->subvalidator = NULL;
2857 val->keytable = NULL;
2858 dns_keytable_attach(val->view->secroots, &val->keytable);
2859 val->keynode = NULL;
2861 val->siginfo = NULL;
2863 val->action = action;
2866 val->currentset = NULL;
2869 dns_rdataset_init(&val->dlv);
2870 val->seensig = ISC_FALSE;
2871 val->havedlvsep = ISC_FALSE;
2873 val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
2874 dns_rdataset_init(&val->frdataset);
2875 dns_rdataset_init(&val->fsigrdataset);
2876 dns_fixedname_init(&val->wild);
2877 ISC_LINK_INIT(val, link);
2878 val->magic = VALIDATOR_MAGIC;
2880 if ((options & DNS_VALIDATOR_DEFER) == 0)
2881 isc_task_send(task, ISC_EVENT_PTR(&event));
2885 return (ISC_R_SUCCESS);
2888 isc_task_detach(&tclone);
2889 isc_event_free(ISC_EVENT_PTR(&event));
2892 dns_view_weakdetach(&val->view);
2893 isc_mem_put(view->mctx, val, sizeof(*val));
2899 dns_validator_send(dns_validator_t *validator) {
2901 REQUIRE(VALID_VALIDATOR(validator));
2903 LOCK(&validator->lock);
2905 INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
2906 event = (isc_event_t *)validator->event;
2907 validator->options &= ~DNS_VALIDATOR_DEFER;
2908 UNLOCK(&validator->lock);
2910 isc_task_send(validator->task, ISC_EVENT_PTR(&event));
2914 dns_validator_cancel(dns_validator_t *validator) {
2915 REQUIRE(VALID_VALIDATOR(validator));
2917 LOCK(&validator->lock);
2919 validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
2921 if (validator->event != NULL) {
2922 if (validator->fetch != NULL)
2923 dns_resolver_cancelfetch(validator->fetch);
2925 if (validator->subvalidator != NULL)
2926 dns_validator_cancel(validator->subvalidator);
2927 if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
2928 isc_task_t *task = validator->event->ev_sender;
2929 validator->options &= ~DNS_VALIDATOR_DEFER;
2930 isc_event_free((isc_event_t **)&validator->event);
2931 isc_task_detach(&task);
2934 UNLOCK(&validator->lock);
2938 destroy(dns_validator_t *val) {
2941 REQUIRE(SHUTDOWN(val));
2942 REQUIRE(val->event == NULL);
2943 REQUIRE(val->fetch == NULL);
2945 if (val->keynode != NULL)
2946 dns_keytable_detachkeynode(val->keytable, &val->keynode);
2947 else if (val->key != NULL)
2948 dst_key_free(&val->key);
2949 if (val->keytable != NULL)
2950 dns_keytable_detach(&val->keytable);
2951 if (val->subvalidator != NULL)
2952 dns_validator_destroy(&val->subvalidator);
2953 if (val->havedlvsep)
2954 dns_rdataset_disassociate(&val->dlv);
2955 if (dns_rdataset_isassociated(&val->frdataset))
2956 dns_rdataset_disassociate(&val->frdataset);
2957 if (dns_rdataset_isassociated(&val->fsigrdataset))
2958 dns_rdataset_disassociate(&val->fsigrdataset);
2959 mctx = val->view->mctx;
2960 if (val->siginfo != NULL)
2961 isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
2962 DESTROYLOCK(&val->lock);
2963 dns_view_weakdetach(&val->view);
2965 isc_mem_put(mctx, val, sizeof(*val));
2969 dns_validator_destroy(dns_validator_t **validatorp) {
2970 dns_validator_t *val;
2971 isc_boolean_t want_destroy = ISC_FALSE;
2973 REQUIRE(validatorp != NULL);
2975 REQUIRE(VALID_VALIDATOR(val));
2979 val->attributes |= VALATTR_SHUTDOWN;
2980 validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
2982 want_destroy = exit_check(val);
2993 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
2994 isc_logmodule_t *module, int level, const char *fmt, va_list ap)
2997 static const char spaces[] = " *";
2998 int depth = val->depth * 2;
3000 vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
3002 if ((unsigned int) depth >= sizeof spaces)
3003 depth = sizeof spaces - 1;
3005 if (val->event != NULL && val->event->name != NULL) {
3006 char namebuf[DNS_NAME_FORMATSIZE];
3007 char typebuf[DNS_RDATATYPE_FORMATSIZE];
3009 dns_name_format(val->event->name, namebuf, sizeof(namebuf));
3010 dns_rdatatype_format(val->event->type, typebuf,
3012 isc_log_write(dns_lctx, category, module, level,
3013 "%.*svalidating @%p: %s %s: %s", depth, spaces,
3014 val, namebuf, typebuf, msgbuf);
3016 isc_log_write(dns_lctx, category, module, level,
3017 "%.*svalidator @%p: %s", depth, spaces,
3023 validator_log(dns_validator_t *val, int level, const char *fmt, ...) {
3026 if (! isc_log_wouldlog(dns_lctx, level))
3031 validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
3032 DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
3037 validator_logcreate(dns_validator_t *val,
3038 dns_name_t *name, dns_rdatatype_t type,
3039 const char *caller, const char *operation)
3041 char namestr[DNS_NAME_FORMATSIZE];
3042 char typestr[DNS_RDATATYPE_FORMATSIZE];
3044 dns_name_format(name, namestr, sizeof(namestr));
3045 dns_rdatatype_format(type, typestr, sizeof(typestr));
3046 validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",
3047 caller, operation, namestr, typestr);