2 * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: validator.c,v 1.91.2.5.8.27.6.1 2007/01/11 04:51:39 marka Exp $ */
23 #include <isc/print.h>
24 #include <isc/string.h>
30 #include <dns/dnssec.h>
31 #include <dns/events.h>
32 #include <dns/keytable.h>
34 #include <dns/message.h>
35 #include <dns/ncache.h>
37 #include <dns/rdata.h>
38 #include <dns/rdatastruct.h>
39 #include <dns/rdataset.h>
40 #include <dns/rdatatype.h>
41 #include <dns/resolver.h>
42 #include <dns/result.h>
43 #include <dns/validator.h>
48 * Basic processing sequences.
50 * \li When called with rdataset and sigrdataset:
51 * validator_start -> validate -> proveunsecure -> startfinddlvsep ->
52 * dlv_validator_start -> validator_start -> validate -> proveunsecure
54 * validator_start -> validate -> nsecvalidate (secure wildcard answer)
56 * \li When called with rdataset, sigrdataset and with DNS_VALIDATOR_DLV:
57 * validator_start -> startfinddlvsep -> dlv_validator_start ->
58 * validator_start -> validate -> proveunsecure
60 * \li When called with rdataset:
61 * validator_start -> proveunsecure -> startfinddlvsep ->
62 * dlv_validator_start -> validator_start -> proveunsecure
64 * \li When called with rdataset and with DNS_VALIDATOR_DLV:
65 * validator_start -> startfinddlvsep -> dlv_validator_start ->
66 * validator_start -> proveunsecure
68 * \li When called without a rdataset:
69 * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
70 * dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
72 * \li When called without a rdataset and with DNS_VALIDATOR_DLV:
73 * validator_start -> startfinddlvsep -> dlv_validator_start ->
74 * validator_start -> nsecvalidate -> proveunsecure
76 * validator_start: determines what type of validation to do.
77 * validate: attempts to perform a positive validation.
78 * proveunsecure: attempts to prove the answer comes from a unsecure zone.
79 * nsecvalidate: attempts to prove a negative response.
80 * startfinddlvsep: starts the DLV record lookup.
81 * dlv_validator_start: resets state and restarts the lookup using the
82 * DLV RRset found by startfinddlvsep.
85 #define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?')
86 #define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
88 #define VALATTR_SHUTDOWN 0x0001 /*%< Shutting down. */
89 #define VALATTR_TRIEDVERIFY 0x0004 /*%< We have found a key and
90 * have attempted a verify. */
91 #define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */
92 #define VALATTR_DLVTRIED 0x0020 /*%< Looked for a DLV record. */
93 #define VALATTR_AUTHNONPENDING 0x0040 /*%< Tidy up pending auth. */
96 * NSEC proofs to be looked for.
98 #define VALATTR_NEEDNOQNAME 0x0100
99 #define VALATTR_NEEDNOWILDCARD 0x0200
100 #define VALATTR_NEEDNODATA 0x0400
103 * NSEC proofs that have been found.
105 #define VALATTR_FOUNDNOQNAME 0x1000
106 #define VALATTR_FOUNDNOWILDCARD 0x2000
107 #define VALATTR_FOUNDNODATA 0x4000
109 #define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
110 #define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
111 #define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
112 #define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
114 #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
117 destroy(dns_validator_t *val);
120 get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
121 dns_rdataset_t *rdataset);
124 validate(dns_validator_t *val, isc_boolean_t resume);
127 validatezonekey(dns_validator_t *val);
130 nsecvalidate(dns_validator_t *val, isc_boolean_t resume);
133 proveunsecure(dns_validator_t *val, isc_boolean_t resume);
136 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
137 isc_logmodule_t *module, int level, const char *fmt, va_list ap)
138 ISC_FORMAT_PRINTF(5, 0);
141 validator_log(dns_validator_t *val, int level, const char *fmt, ...)
142 ISC_FORMAT_PRINTF(3, 4);
145 validator_logcreate(dns_validator_t *val,
146 dns_name_t *name, dns_rdatatype_t type,
147 const char *caller, const char *operation);
150 dlv_validatezonekey(dns_validator_t *val);
153 dlv_validator_start(dns_validator_t *val);
156 finddlvsep(dns_validator_t *val, isc_boolean_t resume);
159 auth_nonpending(dns_message_t *message);
162 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
165 * Mark the RRsets as a answer.
167 * If VALATTR_AUTHNONPENDING is set then this is a negative answer
168 * in a insecure zone. We need to mark any pending RRsets as
169 * dns_trust_authauthority answers (this is deferred from resolver.c).
172 markanswer(dns_validator_t *val) {
173 validator_log(val, ISC_LOG_DEBUG(3), "marking as answer");
174 if (val->event->rdataset != NULL)
175 val->event->rdataset->trust = dns_trust_answer;
176 if (val->event->sigrdataset != NULL)
177 val->event->sigrdataset->trust = dns_trust_answer;
178 if (val->event->message != NULL &&
179 (val->attributes & VALATTR_AUTHNONPENDING) != 0)
180 auth_nonpending(val->event->message);
184 validator_done(dns_validator_t *val, isc_result_t result) {
187 if (val->event == NULL)
191 * Caller must be holding the lock.
194 val->event->result = result;
195 task = val->event->ev_sender;
196 val->event->ev_sender = val;
197 val->event->ev_type = DNS_EVENT_VALIDATORDONE;
198 val->event->ev_action = val->action;
199 val->event->ev_arg = val->arg;
200 isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
203 static inline isc_boolean_t
204 exit_check(dns_validator_t *val) {
206 * Caller must be holding the lock.
211 INSIST(val->event == NULL);
213 if (val->fetch != NULL || val->subvalidator != NULL)
220 * Mark pending answers in the authority section as dns_trust_authauthority.
223 auth_nonpending(dns_message_t *message) {
226 dns_rdataset_t *rdataset;
228 for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
229 result == ISC_R_SUCCESS;
230 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
233 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
234 for (rdataset = ISC_LIST_HEAD(name->list);
236 rdataset = ISC_LIST_NEXT(rdataset, link))
238 if (rdataset->trust == dns_trust_pending)
239 rdataset->trust = dns_trust_authauthority;
245 * Look in the NSEC record returned from a DS query to see if there is
246 * a NS RRset at this name. If it is found we are at a delegation point.
249 isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
250 isc_result_t dbresult)
253 dns_rdata_t rdata = DNS_RDATA_INIT;
257 REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
259 dns_rdataset_init(&set);
260 if (dbresult == DNS_R_NXRRSET)
261 dns_rdataset_clone(rdataset, &set);
263 result = dns_ncache_getrdataset(rdataset, name,
264 dns_rdatatype_nsec, &set);
265 if (result != ISC_R_SUCCESS)
269 INSIST(set.type == dns_rdatatype_nsec);
272 result = dns_rdataset_first(&set);
273 if (result == ISC_R_SUCCESS) {
274 dns_rdataset_current(&set, &rdata);
275 found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
277 dns_rdataset_disassociate(&set);
282 * We have been asked to to look for a key.
283 * If found resume the validation process.
284 * If not found fail the validation process.
287 fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
288 dns_fetchevent_t *devent;
289 dns_validator_t *val;
290 dns_rdataset_t *rdataset;
291 isc_boolean_t want_destroy;
293 isc_result_t eresult;
296 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
297 devent = (dns_fetchevent_t *)event;
298 val = devent->ev_arg;
299 rdataset = &val->frdataset;
300 eresult = devent->result;
302 /* Free resources which are not of interest. */
303 if (devent->node != NULL)
304 dns_db_detachnode(devent->db, &devent->node);
305 if (devent->db != NULL)
306 dns_db_detach(&devent->db);
307 if (dns_rdataset_isassociated(&val->fsigrdataset))
308 dns_rdataset_disassociate(&val->fsigrdataset);
309 isc_event_free(&event);
310 dns_resolver_destroyfetch(&val->fetch);
312 INSIST(val->event != NULL);
314 validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
316 if (eresult == ISC_R_SUCCESS) {
317 validator_log(val, ISC_LOG_DEBUG(3),
318 "keyset with trust %d", rdataset->trust);
320 * Only extract the dst key if the keyset is secure.
322 if (rdataset->trust >= dns_trust_secure) {
323 result = get_dst_key(val, val->siginfo, rdataset);
324 if (result == ISC_R_SUCCESS)
325 val->keyset = &val->frdataset;
327 result = validate(val, ISC_TRUE);
328 if (result != DNS_R_WAIT)
329 validator_done(val, result);
331 validator_log(val, ISC_LOG_DEBUG(3),
332 "fetch_callback_validator: got %s",
333 isc_result_totext(eresult));
334 if (eresult == ISC_R_CANCELED)
335 validator_done(val, eresult);
337 validator_done(val, DNS_R_NOVALIDKEY);
339 want_destroy = exit_check(val);
346 * We were asked to look for a DS record as part of following a key chain
347 * upwards. If found resume the validation process. If not found fail the
348 * validation process.
351 dsfetched(isc_task_t *task, isc_event_t *event) {
352 dns_fetchevent_t *devent;
353 dns_validator_t *val;
354 dns_rdataset_t *rdataset;
355 isc_boolean_t want_destroy;
357 isc_result_t eresult;
360 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
361 devent = (dns_fetchevent_t *)event;
362 val = devent->ev_arg;
363 rdataset = &val->frdataset;
364 eresult = devent->result;
366 /* Free resources which are not of interest. */
367 if (devent->node != NULL)
368 dns_db_detachnode(devent->db, &devent->node);
369 if (devent->db != NULL)
370 dns_db_detach(&devent->db);
371 if (dns_rdataset_isassociated(&val->fsigrdataset))
372 dns_rdataset_disassociate(&val->fsigrdataset);
373 isc_event_free(&event);
374 dns_resolver_destroyfetch(&val->fetch);
376 INSIST(val->event != NULL);
378 validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched");
380 if (eresult == ISC_R_SUCCESS) {
381 validator_log(val, ISC_LOG_DEBUG(3),
382 "dsset with trust %d", rdataset->trust);
383 val->dsset = &val->frdataset;
384 result = validatezonekey(val);
385 if (result != DNS_R_WAIT)
386 validator_done(val, result);
387 } else if (eresult == DNS_R_NXRRSET ||
388 eresult == DNS_R_NCACHENXRRSET)
390 validator_log(val, ISC_LOG_DEBUG(3),
391 "falling back to insecurity proof");
392 val->attributes |= VALATTR_INSECURITY;
393 result = proveunsecure(val, ISC_FALSE);
394 if (result != DNS_R_WAIT)
395 validator_done(val, result);
397 validator_log(val, ISC_LOG_DEBUG(3),
399 isc_result_totext(eresult));
400 if (eresult == ISC_R_CANCELED)
401 validator_done(val, eresult);
403 validator_done(val, DNS_R_NOVALIDDS);
405 want_destroy = exit_check(val);
412 * We were asked to look for the DS record as part of proving that a
415 * If the DS record doesn't exist and the query name corresponds to
416 * a delegation point we are transitioning from a secure zone to a
419 * If the DS record exists it will be secure. We can continue looking
420 * for the break point in the chain of trust.
423 dsfetched2(isc_task_t *task, isc_event_t *event) {
424 dns_fetchevent_t *devent;
425 dns_validator_t *val;
427 isc_boolean_t want_destroy;
429 isc_result_t eresult;
432 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
433 devent = (dns_fetchevent_t *)event;
434 val = devent->ev_arg;
435 eresult = devent->result;
437 /* Free resources which are not of interest. */
438 if (devent->node != NULL)
439 dns_db_detachnode(devent->db, &devent->node);
440 if (devent->db != NULL)
441 dns_db_detach(&devent->db);
442 if (dns_rdataset_isassociated(&val->fsigrdataset))
443 dns_rdataset_disassociate(&val->fsigrdataset);
444 dns_resolver_destroyfetch(&val->fetch);
446 INSIST(val->event != NULL);
448 validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2: %s",
449 dns_result_totext(eresult));
451 if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) {
453 * There is no DS. If this is a delegation, we're done.
455 tname = dns_fixedname_name(&devent->foundname);
456 if (isdelegation(tname, &val->frdataset, eresult)) {
457 if (val->mustbesecure) {
458 validator_log(val, ISC_LOG_WARNING,
459 "must be secure failure");
460 validator_done(val, DNS_R_MUSTBESECURE);
461 } else if (val->view->dlv == NULL || DLVTRIED(val)) {
463 validator_done(val, ISC_R_SUCCESS);
465 result = startfinddlvsep(val, tname);
466 if (result != DNS_R_WAIT)
467 validator_done(val, result);
470 result = proveunsecure(val, ISC_TRUE);
471 if (result != DNS_R_WAIT)
472 validator_done(val, result);
474 } else if (eresult == ISC_R_SUCCESS ||
475 eresult == DNS_R_NXDOMAIN ||
476 eresult == DNS_R_NCACHENXDOMAIN)
479 * There is a DS which may or may not be a zone cut.
480 * In either case we are still in a secure zone resume
483 result = proveunsecure(val, ISC_TRUE);
484 if (result != DNS_R_WAIT)
485 validator_done(val, result);
487 if (eresult == ISC_R_CANCELED)
488 validator_done(val, eresult);
490 validator_done(val, DNS_R_NOVALIDDS);
492 isc_event_free(&event);
493 want_destroy = exit_check(val);
500 * Callback from when a DNSKEY RRset has been validated.
502 * Resumes the stalled validation process.
505 keyvalidated(isc_task_t *task, isc_event_t *event) {
506 dns_validatorevent_t *devent;
507 dns_validator_t *val;
508 isc_boolean_t want_destroy;
510 isc_result_t eresult;
513 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
515 devent = (dns_validatorevent_t *)event;
516 val = devent->ev_arg;
517 eresult = devent->result;
519 isc_event_free(&event);
520 dns_validator_destroy(&val->subvalidator);
522 INSIST(val->event != NULL);
524 validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
526 if (eresult == ISC_R_SUCCESS) {
527 validator_log(val, ISC_LOG_DEBUG(3),
528 "keyset with trust %d", val->frdataset.trust);
530 * Only extract the dst key if the keyset is secure.
532 if (val->frdataset.trust >= dns_trust_secure)
533 (void) get_dst_key(val, val->siginfo, &val->frdataset);
534 result = validate(val, ISC_TRUE);
535 if (result != DNS_R_WAIT)
536 validator_done(val, result);
538 validator_log(val, ISC_LOG_DEBUG(3),
539 "keyvalidated: got %s",
540 isc_result_totext(eresult));
541 validator_done(val, eresult);
543 want_destroy = exit_check(val);
550 * Callback when the DS record has been validated.
552 * Resumes validation of the zone key or the unsecure zone proof.
555 dsvalidated(isc_task_t *task, isc_event_t *event) {
556 dns_validatorevent_t *devent;
557 dns_validator_t *val;
558 isc_boolean_t want_destroy;
560 isc_result_t eresult;
563 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
565 devent = (dns_validatorevent_t *)event;
566 val = devent->ev_arg;
567 eresult = devent->result;
569 isc_event_free(&event);
570 dns_validator_destroy(&val->subvalidator);
572 INSIST(val->event != NULL);
574 validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
576 if (eresult == ISC_R_SUCCESS) {
577 validator_log(val, ISC_LOG_DEBUG(3),
578 "dsset with trust %d", val->frdataset.trust);
579 if ((val->attributes & VALATTR_INSECURITY) != 0)
580 result = proveunsecure(val, ISC_TRUE);
582 result = validatezonekey(val);
583 if (result != DNS_R_WAIT)
584 validator_done(val, result);
586 validator_log(val, ISC_LOG_DEBUG(3),
587 "dsvalidated: got %s",
588 isc_result_totext(eresult));
589 validator_done(val, eresult);
591 want_destroy = exit_check(val);
598 * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
599 * or we can determine whether there is data or not at the name.
600 * If the name does not exist return the wildcard name.
602 * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
605 nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
606 dns_rdataset_t *nsecset, isc_boolean_t *exists,
607 isc_boolean_t *data, dns_name_t *wild)
610 dns_rdata_t rdata = DNS_RDATA_INIT;
612 dns_namereln_t relation;
613 unsigned int olabels, nlabels, labels;
614 dns_rdata_nsec_t nsec;
615 isc_boolean_t atparent;
617 REQUIRE(exists != NULL);
618 REQUIRE(data != NULL);
619 REQUIRE(nsecset != NULL &&
620 nsecset->type == dns_rdatatype_nsec);
622 result = dns_rdataset_first(nsecset);
623 if (result != ISC_R_SUCCESS) {
624 validator_log(val, ISC_LOG_DEBUG(3),
625 "failure processing NSEC set");
628 dns_rdataset_current(nsecset, &rdata);
630 validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant nsec");
631 relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
635 * The name is not within the NSEC range.
637 validator_log(val, ISC_LOG_DEBUG(3),
638 "NSEC does not cover name, before NSEC");
639 return (ISC_R_IGNORE);
644 * The names are the same.
646 atparent = dns_rdatatype_atparent(val->event->type);
647 if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
648 !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
652 * This NSEC record is from somewhere higher in
653 * the DNS, and at the parent of a delegation.
654 * It can not be legitimately used here.
656 validator_log(val, ISC_LOG_DEBUG(3),
657 "ignoring parent nsec");
658 return (ISC_R_IGNORE);
660 } else if (atparent) {
662 * This NSEC record is from the child.
663 * It can not be legitimately used here.
665 validator_log(val, ISC_LOG_DEBUG(3),
666 "ignoring child nsec");
667 return (ISC_R_IGNORE);
670 *data = dns_nsec_typepresent(&rdata, val->event->type);
671 validator_log(val, ISC_LOG_DEBUG(3),
672 "nsec proves name exists (owner) data=%d",
674 return (ISC_R_SUCCESS);
677 if (relation == dns_namereln_subdomain &&
678 dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
679 !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
682 * This NSEC record is from somewhere higher in
683 * the DNS, and at the parent of a delegation.
684 * It can not be legitimately used here.
686 validator_log(val, ISC_LOG_DEBUG(3), "ignoring parent nsec");
687 return (ISC_R_IGNORE);
690 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
691 if (result != ISC_R_SUCCESS)
693 relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
695 dns_rdata_freestruct(&nsec);
696 validator_log(val, ISC_LOG_DEBUG(3),
697 "ignoring nsec matches next name");
698 return (ISC_R_IGNORE);
701 if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
703 * The name is not within the NSEC range.
705 dns_rdata_freestruct(&nsec);
706 validator_log(val, ISC_LOG_DEBUG(3),
707 "ignoring nsec because name is past end of range");
708 return (ISC_R_IGNORE);
711 if (order > 0 && relation == dns_namereln_subdomain) {
712 validator_log(val, ISC_LOG_DEBUG(3),
713 "nsec proves name exist (empty)");
714 dns_rdata_freestruct(&nsec);
717 return (ISC_R_SUCCESS);
721 dns_name_init(&common, NULL);
722 if (olabels > nlabels) {
723 labels = dns_name_countlabels(nsecname);
724 dns_name_getlabelsequence(nsecname, labels - olabels,
727 labels = dns_name_countlabels(&nsec.next);
728 dns_name_getlabelsequence(&nsec.next, labels - nlabels,
731 result = dns_name_concatenate(dns_wildcardname, &common,
733 if (result != ISC_R_SUCCESS) {
734 validator_log(val, ISC_LOG_DEBUG(3),
735 "failure generating wildcard name");
739 dns_rdata_freestruct(&nsec);
740 validator_log(val, ISC_LOG_DEBUG(3), "nsec range ok");
742 return (ISC_R_SUCCESS);
746 * Callback for when NSEC records have been validated.
748 * Looks for NOQNAME and NODATA proofs.
750 * Resumes nsecvalidate.
753 authvalidated(isc_task_t *task, isc_event_t *event) {
754 dns_validatorevent_t *devent;
755 dns_validator_t *val;
756 dns_rdataset_t *rdataset;
757 isc_boolean_t want_destroy;
759 isc_boolean_t exists, data;
762 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
764 devent = (dns_validatorevent_t *)event;
765 rdataset = devent->rdataset;
766 val = devent->ev_arg;
767 result = devent->result;
768 dns_validator_destroy(&val->subvalidator);
770 INSIST(val->event != NULL);
772 validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
774 if (result != ISC_R_SUCCESS) {
775 validator_log(val, ISC_LOG_DEBUG(3),
776 "authvalidated: got %s",
777 isc_result_totext(result));
778 if (result == ISC_R_CANCELED)
779 validator_done(val, result);
781 result = nsecvalidate(val, ISC_TRUE);
782 if (result != DNS_R_WAIT)
783 validator_done(val, result);
786 dns_name_t **proofs = val->event->proofs;
788 if (rdataset->trust == dns_trust_secure)
789 val->seensig = ISC_TRUE;
791 if (rdataset->type == dns_rdatatype_nsec &&
792 rdataset->trust == dns_trust_secure &&
793 ((val->attributes & VALATTR_NEEDNODATA) != 0 ||
794 (val->attributes & VALATTR_NEEDNOQNAME) != 0) &&
795 (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
796 (val->attributes & VALATTR_FOUNDNOQNAME) == 0 &&
797 nsecnoexistnodata(val, val->event->name, devent->name,
798 rdataset, &exists, &data,
799 dns_fixedname_name(&val->wild))
802 if (exists && !data) {
803 val->attributes |= VALATTR_FOUNDNODATA;
805 proofs[DNS_VALIDATOR_NODATAPROOF] =
809 val->attributes |= VALATTR_FOUNDNOQNAME;
810 if (NEEDNOQNAME(val))
811 proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
815 result = nsecvalidate(val, ISC_TRUE);
816 if (result != DNS_R_WAIT)
817 validator_done(val, result);
819 want_destroy = exit_check(val);
825 * Free stuff from the event.
827 isc_event_free(&event);
831 * Looks for the requested name and type in the view (zones and cache).
833 * When looking for a DLV record also checks to make sure the NSEC record
834 * returns covers the query name as part of aggressive negative caching.
839 * \li DNS_R_NCACHENXDOMAIN
840 * \li DNS_R_NCACHENXRRSET
844 static inline isc_result_t
845 view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
846 dns_fixedname_t fixedname;
847 dns_name_t *foundname;
848 dns_rdata_nsec_t nsec;
849 dns_rdata_t rdata = DNS_RDATA_INIT;
851 unsigned int options;
852 char buf1[DNS_NAME_FORMATSIZE];
853 char buf2[DNS_NAME_FORMATSIZE];
854 char buf3[DNS_NAME_FORMATSIZE];
856 if (dns_rdataset_isassociated(&val->frdataset))
857 dns_rdataset_disassociate(&val->frdataset);
858 if (dns_rdataset_isassociated(&val->fsigrdataset))
859 dns_rdataset_disassociate(&val->fsigrdataset);
861 if (val->view->zonetable == NULL)
862 return (ISC_R_CANCELED);
864 options = DNS_DBFIND_PENDINGOK;
865 if (type == dns_rdatatype_dlv)
866 options |= DNS_DBFIND_COVERINGNSEC;
867 dns_fixedname_init(&fixedname);
868 foundname = dns_fixedname_name(&fixedname);
869 result = dns_view_find(val->view, name, type, 0, options,
870 ISC_FALSE, NULL, NULL, foundname,
871 &val->frdataset, &val->fsigrdataset);
872 if (result == DNS_R_NXDOMAIN) {
873 if (dns_rdataset_isassociated(&val->frdataset))
874 dns_rdataset_disassociate(&val->frdataset);
875 if (dns_rdataset_isassociated(&val->fsigrdataset))
876 dns_rdataset_disassociate(&val->fsigrdataset);
877 } else if (result == DNS_R_COVERINGNSEC) {
878 validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC");
880 * Check if the returned NSEC covers the name.
882 INSIST(type == dns_rdatatype_dlv);
883 if (val->frdataset.trust != dns_trust_secure) {
884 validator_log(val, ISC_LOG_DEBUG(3),
885 "covering nsec: trust %u",
886 val->frdataset.trust);
889 result = dns_rdataset_first(&val->frdataset);
890 if (result != ISC_R_SUCCESS)
892 dns_rdataset_current(&val->frdataset, &rdata);
893 if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
894 !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) {
895 /* Parent NSEC record. */
896 if (dns_name_issubdomain(name, foundname)) {
897 validator_log(val, ISC_LOG_DEBUG(3),
898 "covering nsec: for parent");
902 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
903 if (result != ISC_R_SUCCESS)
905 if (dns_name_compare(foundname, &nsec.next) >= 0) {
906 /* End of zone chain. */
907 if (!dns_name_issubdomain(name, &nsec.next)) {
909 * XXXMPA We could look for a parent NSEC
910 * at nsec.next and if found retest with
913 dns_rdata_freestruct(&nsec);
914 validator_log(val, ISC_LOG_DEBUG(3),
915 "covering nsec: not in zone");
918 } else if (dns_name_compare(name, &nsec.next) >= 0) {
920 * XXXMPA We could check if this NSEC is at a zone
921 * apex and if the qname is not below it and look for
922 * a parent NSEC with the same name. This requires
923 * that we can cache both NSEC records which we
924 * currently don't support.
926 dns_rdata_freestruct(&nsec);
927 validator_log(val, ISC_LOG_DEBUG(3),
928 "covering nsec: not in range");
931 if (isc_log_wouldlog(dns_lctx,ISC_LOG_DEBUG(3))) {
932 dns_name_format(name, buf1, sizeof buf1);
933 dns_name_format(foundname, buf2, sizeof buf2);
934 dns_name_format(&nsec.next, buf3, sizeof buf3);
935 validator_log(val, ISC_LOG_DEBUG(3),
936 "covering nsec found: '%s' '%s' '%s'",
939 if (dns_rdataset_isassociated(&val->frdataset))
940 dns_rdataset_disassociate(&val->frdataset);
941 if (dns_rdataset_isassociated(&val->fsigrdataset))
942 dns_rdataset_disassociate(&val->fsigrdataset);
943 dns_rdata_freestruct(&nsec);
944 result = DNS_R_NCACHENXDOMAIN;
945 } else if (result != ISC_R_SUCCESS &&
946 result != DNS_R_NCACHENXDOMAIN &&
947 result != DNS_R_NCACHENXRRSET &&
948 result != DNS_R_NXRRSET &&
949 result != ISC_R_NOTFOUND) {
955 if (dns_rdataset_isassociated(&val->frdataset))
956 dns_rdataset_disassociate(&val->frdataset);
957 if (dns_rdataset_isassociated(&val->fsigrdataset))
958 dns_rdataset_disassociate(&val->fsigrdataset);
959 return (ISC_R_NOTFOUND);
963 * Checks to make sure we are not going to loop. As we use a SHARED fetch
964 * the validation process will stall if looping was to occur.
966 static inline isc_boolean_t
967 check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
968 dns_validator_t *parent;
970 for (parent = val; parent != NULL; parent = parent->parent) {
971 if (parent->event != NULL &&
972 parent->event->type == type &&
973 dns_name_equal(parent->event->name, name))
975 validator_log(val, ISC_LOG_DEBUG(3),
976 "continuing validation would lead to "
977 "deadlock: aborting validation");
985 * Start a fetch for the requested name and type.
987 static inline isc_result_t
988 create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
989 isc_taskaction_t callback, const char *caller)
991 if (dns_rdataset_isassociated(&val->frdataset))
992 dns_rdataset_disassociate(&val->frdataset);
993 if (dns_rdataset_isassociated(&val->fsigrdataset))
994 dns_rdataset_disassociate(&val->fsigrdataset);
996 if (check_deadlock(val, name, type))
997 return (DNS_R_NOVALIDSIG);
999 validator_logcreate(val, name, type, caller, "fetch");
1000 return (dns_resolver_createfetch(val->view->resolver, name, type,
1001 NULL, NULL, NULL, 0,
1002 val->event->ev_sender,
1010 * Start a subvalidation process.
1012 static inline isc_result_t
1013 create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
1014 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
1015 isc_taskaction_t action, const char *caller)
1017 isc_result_t result;
1019 if (check_deadlock(val, name, type))
1020 return (DNS_R_NOVALIDSIG);
1022 validator_logcreate(val, name, type, caller, "validator");
1023 result = dns_validator_create(val->view, name, type,
1024 rdataset, sigrdataset, NULL, 0,
1025 val->task, action, val,
1026 &val->subvalidator);
1027 if (result == ISC_R_SUCCESS) {
1028 val->subvalidator->parent = val;
1029 val->subvalidator->depth = val->depth + 1;
1035 * Try to find a key that could have signed 'siginfo' among those
1036 * in 'rdataset'. If found, build a dst_key_t for it and point
1039 * If val->key is non-NULL, this returns the next matching key.
1042 get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
1043 dns_rdataset_t *rdataset)
1045 isc_result_t result;
1047 dns_rdata_t rdata = DNS_RDATA_INIT;
1048 dst_key_t *oldkey = val->key;
1049 isc_boolean_t foundold;
1052 foundold = ISC_TRUE;
1054 foundold = ISC_FALSE;
1058 result = dns_rdataset_first(rdataset);
1059 if (result != ISC_R_SUCCESS)
1062 dns_rdataset_current(rdataset, &rdata);
1064 isc_buffer_init(&b, rdata.data, rdata.length);
1065 isc_buffer_add(&b, rdata.length);
1066 INSIST(val->key == NULL);
1067 result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
1068 val->view->mctx, &val->key);
1069 if (result != ISC_R_SUCCESS)
1071 if (siginfo->algorithm ==
1072 (dns_secalg_t)dst_key_alg(val->key) &&
1074 (dns_keytag_t)dst_key_id(val->key) &&
1075 dst_key_iszonekey(val->key))
1079 * This is the key we're looking for.
1081 return (ISC_R_SUCCESS);
1082 else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
1084 foundold = ISC_TRUE;
1085 dst_key_free(&oldkey);
1088 dst_key_free(&val->key);
1089 dns_rdata_reset(&rdata);
1090 result = dns_rdataset_next(rdataset);
1091 } while (result == ISC_R_SUCCESS);
1092 if (result == ISC_R_NOMORE)
1093 result = ISC_R_NOTFOUND;
1097 dst_key_free(&oldkey);
1103 * Get the key that genertated this signature.
1106 get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
1107 isc_result_t result;
1108 unsigned int nlabels;
1110 dns_namereln_t namereln;
1113 * Is the signer name appropriate for this signature?
1115 * The signer name must be at the same level as the owner name
1116 * or closer to the the DNS root.
1118 namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
1120 if (namereln != dns_namereln_subdomain &&
1121 namereln != dns_namereln_equal)
1122 return (DNS_R_CONTINUE);
1124 if (namereln == dns_namereln_equal) {
1126 * If this is a self-signed keyset, it must not be a zone key
1127 * (since get_key is not called from validatezonekey).
1129 if (val->event->rdataset->type == dns_rdatatype_dnskey)
1130 return (DNS_R_CONTINUE);
1133 * Records appearing in the parent zone at delegation
1134 * points cannot be self-signed.
1136 if (dns_rdatatype_atparent(val->event->rdataset->type))
1137 return (DNS_R_CONTINUE);
1141 * Do we know about this key?
1143 result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
1144 if (result == ISC_R_SUCCESS) {
1146 * We have an rrset for the given keyname.
1148 val->keyset = &val->frdataset;
1149 if (val->frdataset.trust == dns_trust_pending &&
1150 dns_rdataset_isassociated(&val->fsigrdataset))
1153 * We know the key but haven't validated it yet.
1155 result = create_validator(val, &siginfo->signer,
1156 dns_rdatatype_dnskey,
1161 if (result != ISC_R_SUCCESS)
1163 return (DNS_R_WAIT);
1164 } else if (val->frdataset.trust == dns_trust_pending) {
1166 * Having a pending key with no signature means that
1167 * something is broken.
1169 result = DNS_R_CONTINUE;
1170 } else if (val->frdataset.trust < dns_trust_secure) {
1172 * The key is legitimately insecure. There's no
1173 * point in even attempting verification.
1176 result = ISC_R_SUCCESS;
1179 * See if we've got the key used in the signature.
1181 validator_log(val, ISC_LOG_DEBUG(3),
1182 "keyset with trust %d",
1183 val->frdataset.trust);
1184 result = get_dst_key(val, siginfo, val->keyset);
1185 if (result != ISC_R_SUCCESS) {
1187 * Either the key we're looking for is not
1188 * in the rrset, or something bad happened.
1191 result = DNS_R_CONTINUE;
1194 } else if (result == ISC_R_NOTFOUND) {
1196 * We don't know anything about this key.
1198 result = create_fetch(val, &siginfo->signer, dns_rdatatype_dnskey,
1199 fetch_callback_validator, "get_key");
1200 if (result != ISC_R_SUCCESS)
1202 return (DNS_R_WAIT);
1203 } else if (result == DNS_R_NCACHENXDOMAIN ||
1204 result == DNS_R_NCACHENXRRSET ||
1205 result == DNS_R_NXDOMAIN ||
1206 result == DNS_R_NXRRSET)
1209 * This key doesn't exist.
1211 result = DNS_R_CONTINUE;
1214 if (dns_rdataset_isassociated(&val->frdataset) &&
1215 val->keyset != &val->frdataset)
1216 dns_rdataset_disassociate(&val->frdataset);
1217 if (dns_rdataset_isassociated(&val->fsigrdataset))
1218 dns_rdataset_disassociate(&val->fsigrdataset);
1224 compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
1227 dns_rdata_toregion(rdata, &r);
1228 return (dst_region_computeid(&r, key->algorithm));
1232 * Is this keyset self-signed?
1234 static isc_boolean_t
1235 isselfsigned(dns_validator_t *val) {
1236 dns_rdataset_t *rdataset, *sigrdataset;
1237 dns_rdata_t rdata = DNS_RDATA_INIT;
1238 dns_rdata_t sigrdata = DNS_RDATA_INIT;
1239 dns_rdata_dnskey_t key;
1240 dns_rdata_rrsig_t sig;
1241 dns_keytag_t keytag;
1242 isc_result_t result;
1244 rdataset = val->event->rdataset;
1245 sigrdataset = val->event->sigrdataset;
1247 INSIST(rdataset->type == dns_rdatatype_dnskey);
1249 for (result = dns_rdataset_first(rdataset);
1250 result == ISC_R_SUCCESS;
1251 result = dns_rdataset_next(rdataset))
1253 dns_rdata_reset(&rdata);
1254 dns_rdataset_current(rdataset, &rdata);
1255 (void)dns_rdata_tostruct(&rdata, &key, NULL);
1256 keytag = compute_keytag(&rdata, &key);
1257 for (result = dns_rdataset_first(sigrdataset);
1258 result == ISC_R_SUCCESS;
1259 result = dns_rdataset_next(sigrdataset))
1261 dns_rdata_reset(&sigrdata);
1262 dns_rdataset_current(sigrdataset, &sigrdata);
1263 (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
1265 if (sig.algorithm == key.algorithm &&
1266 sig.keyid == keytag)
1274 * Attempt to verify the rdataset using the given key and rdata (RRSIG).
1275 * The signature was good and from a wildcard record and the QNAME does
1276 * not match the wildcard we need to look for a NOQNAME proof.
1279 * \li ISC_R_SUCCESS if the verification succeeds.
1280 * \li Others if the verification fails.
1283 verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
1286 isc_result_t result;
1287 dns_fixedname_t fixed;
1289 val->attributes |= VALATTR_TRIEDVERIFY;
1290 dns_fixedname_init(&fixed);
1291 result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
1292 key, ISC_FALSE, val->view->mctx, rdata,
1293 dns_fixedname_name(&fixed));
1294 validator_log(val, ISC_LOG_DEBUG(3),
1295 "verify rdataset (keyid=%u): %s",
1296 keyid, isc_result_totext(result));
1297 if (result == DNS_R_FROMWILDCARD) {
1298 if (!dns_name_equal(val->event->name,
1299 dns_fixedname_name(&fixed)))
1300 val->attributes |= VALATTR_NEEDNOQNAME;
1301 result = ISC_R_SUCCESS;
1307 * Attempts positive response validation of a normal RRset.
1310 * \li ISC_R_SUCCESS Validation completed successfully
1311 * \li DNS_R_WAIT Validation has started but is waiting
1313 * \li Other return codes are possible and all indicate failure.
1316 validate(dns_validator_t *val, isc_boolean_t resume) {
1317 isc_result_t result;
1318 dns_validatorevent_t *event;
1319 dns_rdata_t rdata = DNS_RDATA_INIT;
1322 * Caller must be holding the validator lock.
1329 * We already have a sigrdataset.
1331 result = ISC_R_SUCCESS;
1332 validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
1334 result = dns_rdataset_first(event->sigrdataset);
1338 result == ISC_R_SUCCESS;
1339 result = dns_rdataset_next(event->sigrdataset))
1341 dns_rdata_reset(&rdata);
1342 dns_rdataset_current(event->sigrdataset, &rdata);
1343 if (val->siginfo == NULL) {
1344 val->siginfo = isc_mem_get(val->view->mctx,
1345 sizeof(*val->siginfo));
1346 if (val->siginfo == NULL)
1347 return (ISC_R_NOMEMORY);
1349 result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
1350 if (result != ISC_R_SUCCESS)
1354 * At this point we could check that the signature algorithm
1355 * was known and "sufficiently good".
1357 if (!dns_resolver_algorithm_supported(val->view->resolver,
1359 val->siginfo->algorithm))
1363 result = get_key(val, val->siginfo);
1364 if (result == DNS_R_CONTINUE)
1365 continue; /* Try the next SIG RR. */
1366 if (result != ISC_R_SUCCESS)
1371 * The key is insecure, so mark the data as insecure also.
1373 if (val->key == NULL) {
1374 if (val->mustbesecure) {
1375 validator_log(val, ISC_LOG_WARNING,
1376 "must be secure failure");
1377 return (DNS_R_MUSTBESECURE);
1380 return (ISC_R_SUCCESS);
1384 result = verify(val, val->key, &rdata,
1385 val->siginfo->keyid);
1386 if (result == ISC_R_SUCCESS)
1388 if (val->keynode != NULL) {
1389 dns_keynode_t *nextnode = NULL;
1390 result = dns_keytable_findnextkeynode(
1394 dns_keytable_detachkeynode(val->keytable,
1396 val->keynode = nextnode;
1397 if (result != ISC_R_SUCCESS) {
1401 val->key = dns_keynode_key(val->keynode);
1403 if (get_dst_key(val, val->siginfo, val->keyset)
1408 if (result != ISC_R_SUCCESS)
1409 validator_log(val, ISC_LOG_DEBUG(3),
1410 "failed to verify rdataset");
1415 isc_stdtime_get(&now);
1416 ttl = ISC_MIN(event->rdataset->ttl,
1417 val->siginfo->timeexpire - now);
1418 if (val->keyset != NULL)
1419 ttl = ISC_MIN(ttl, val->keyset->ttl);
1420 event->rdataset->ttl = ttl;
1421 event->sigrdataset->ttl = ttl;
1424 if (val->keynode != NULL)
1425 dns_keytable_detachkeynode(val->keytable,
1428 if (val->key != NULL)
1429 dst_key_free(&val->key);
1430 if (val->keyset != NULL) {
1431 dns_rdataset_disassociate(val->keyset);
1436 if ((val->attributes & VALATTR_NEEDNOQNAME) != 0) {
1437 if (val->event->message == NULL) {
1438 validator_log(val, ISC_LOG_DEBUG(3),
1439 "no message available for noqname proof");
1440 return (DNS_R_NOVALIDSIG);
1442 validator_log(val, ISC_LOG_DEBUG(3),
1443 "looking for noqname proof");
1444 return (nsecvalidate(val, ISC_FALSE));
1445 } else if (result == ISC_R_SUCCESS) {
1446 event->rdataset->trust = dns_trust_secure;
1447 event->sigrdataset->trust = dns_trust_secure;
1448 validator_log(val, ISC_LOG_DEBUG(3),
1449 "marking as secure");
1452 validator_log(val, ISC_LOG_DEBUG(3),
1453 "verify failure: %s",
1454 isc_result_totext(result));
1458 if (result != ISC_R_NOMORE) {
1459 validator_log(val, ISC_LOG_DEBUG(3),
1460 "failed to iterate signatures: %s",
1461 isc_result_totext(result));
1465 validator_log(val, ISC_LOG_INFO, "no valid signature found");
1466 return (DNS_R_NOVALIDSIG);
1470 * Validate the DNSKEY RRset by looking for a DNSKEY that matches a
1471 * DLV record and that also verifies the DNSKEY RRset.
1474 dlv_validatezonekey(dns_validator_t *val) {
1475 dns_keytag_t keytag;
1476 dns_rdata_dlv_t dlv;
1477 dns_rdata_dnskey_t key;
1478 dns_rdata_rrsig_t sig;
1479 dns_rdata_t dlvrdata = DNS_RDATA_INIT;
1480 dns_rdata_t keyrdata = DNS_RDATA_INIT;
1481 dns_rdata_t newdsrdata = DNS_RDATA_INIT;
1482 dns_rdata_t sigrdata = DNS_RDATA_INIT;
1483 dns_rdataset_t trdataset;
1485 isc_boolean_t supported_algorithm;
1486 isc_result_t result;
1487 unsigned char dsbuf[DNS_DS_BUFFERSIZE];
1489 validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
1492 * Look through the DLV record and find the keys that can sign the
1493 * key set and the matching signature. For each such key, attempt
1496 supported_algorithm = ISC_FALSE;
1498 for (result = dns_rdataset_first(&val->dlv);
1499 result == ISC_R_SUCCESS;
1500 result = dns_rdataset_next(&val->dlv))
1502 dns_rdata_reset(&dlvrdata);
1503 dns_rdataset_current(&val->dlv, &dlvrdata);
1504 (void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
1506 if (dlv.digest_type != DNS_DSDIGEST_SHA1 ||
1507 !dns_resolver_algorithm_supported(val->view->resolver,
1512 supported_algorithm = ISC_TRUE;
1514 dns_rdataset_init(&trdataset);
1515 dns_rdataset_clone(val->event->rdataset, &trdataset);
1517 for (result = dns_rdataset_first(&trdataset);
1518 result == ISC_R_SUCCESS;
1519 result = dns_rdataset_next(&trdataset))
1521 dns_rdata_reset(&keyrdata);
1522 dns_rdataset_current(&trdataset, &keyrdata);
1523 (void)dns_rdata_tostruct(&keyrdata, &key, NULL);
1524 keytag = compute_keytag(&keyrdata, &key);
1525 if (dlv.key_tag != keytag ||
1526 dlv.algorithm != key.algorithm)
1528 dns_rdata_reset(&newdsrdata);
1529 result = dns_ds_buildrdata(val->event->name,
1530 &keyrdata, dlv.digest_type,
1531 dsbuf, &newdsrdata);
1532 if (result != ISC_R_SUCCESS) {
1533 validator_log(val, ISC_LOG_DEBUG(3),
1534 "dns_ds_buildrdata() -> %s",
1535 dns_result_totext(result));
1539 newdsrdata.type = dns_rdatatype_dlv;
1540 if (dns_rdata_compare(&dlvrdata, &newdsrdata) == 0)
1543 if (result != ISC_R_SUCCESS) {
1544 validator_log(val, ISC_LOG_DEBUG(3),
1545 "no DNSKEY matching DLV");
1548 validator_log(val, ISC_LOG_DEBUG(3),
1549 "Found matching DLV record: checking for signature");
1551 for (result = dns_rdataset_first(val->event->sigrdataset);
1552 result == ISC_R_SUCCESS;
1553 result = dns_rdataset_next(val->event->sigrdataset))
1555 dns_rdata_reset(&sigrdata);
1556 dns_rdataset_current(val->event->sigrdataset,
1558 (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
1559 if (dlv.key_tag != sig.keyid &&
1560 dlv.algorithm != sig.algorithm)
1563 result = dns_dnssec_keyfromrdata(val->event->name,
1567 if (result != ISC_R_SUCCESS)
1569 * This really shouldn't happen, but...
1573 result = verify(val, dstkey, &sigrdata, sig.keyid);
1574 dst_key_free(&dstkey);
1575 if (result == ISC_R_SUCCESS)
1578 dns_rdataset_disassociate(&trdataset);
1579 if (result == ISC_R_SUCCESS)
1581 validator_log(val, ISC_LOG_DEBUG(3),
1582 "no RRSIG matching DLV key");
1584 if (result == ISC_R_SUCCESS) {
1585 val->event->rdataset->trust = dns_trust_secure;
1586 val->event->sigrdataset->trust = dns_trust_secure;
1587 validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
1589 } else if (result == ISC_R_NOMORE && !supported_algorithm) {
1590 if (val->mustbesecure) {
1591 validator_log(val, ISC_LOG_WARNING,
1592 "must be secure failure");
1593 return (DNS_R_MUSTBESECURE);
1595 validator_log(val, ISC_LOG_DEBUG(3),
1596 "no supported algorithm/digest (dlv)");
1598 return (ISC_R_SUCCESS);
1600 return (DNS_R_NOVALIDSIG);
1604 * Attempts positive response validation of an RRset containing zone keys.
1607 * \li ISC_R_SUCCESS Validation completed successfully
1608 * \li DNS_R_WAIT Validation has started but is waiting
1610 * \li Other return codes are possible and all indicate failure.
1613 validatezonekey(dns_validator_t *val) {
1614 isc_result_t result;
1615 dns_validatorevent_t *event;
1616 dns_rdataset_t trdataset;
1617 dns_rdata_t dsrdata = DNS_RDATA_INIT;
1618 dns_rdata_t newdsrdata = DNS_RDATA_INIT;
1619 dns_rdata_t keyrdata = DNS_RDATA_INIT;
1620 dns_rdata_t sigrdata = DNS_RDATA_INIT;
1621 unsigned char dsbuf[DNS_DS_BUFFERSIZE];
1622 char namebuf[DNS_NAME_FORMATSIZE];
1623 dns_keytag_t keytag;
1625 dns_rdata_dnskey_t key;
1626 dns_rdata_rrsig_t sig;
1628 isc_boolean_t supported_algorithm;
1629 isc_boolean_t atsep = ISC_FALSE;
1632 * Caller must be holding the validator lock.
1637 if (val->havedlvsep && val->dlv.trust >= dns_trust_secure &&
1638 dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep)))
1639 return (dlv_validatezonekey(val));
1641 if (val->dsset == NULL) {
1643 * First, see if this key was signed by a trusted key.
1645 for (result = dns_rdataset_first(val->event->sigrdataset);
1646 result == ISC_R_SUCCESS;
1647 result = dns_rdataset_next(val->event->sigrdataset))
1649 dns_keynode_t *keynode = NULL, *nextnode = NULL;
1651 dns_rdata_reset(&sigrdata);
1652 dns_rdataset_current(val->event->sigrdataset,
1654 (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
1655 result = dns_keytable_findkeynode(val->keytable,
1660 if (result == DNS_R_PARTIALMATCH ||
1661 result == ISC_R_SUCCESS)
1663 while (result == ISC_R_SUCCESS) {
1664 dstkey = dns_keynode_key(keynode);
1665 result = verify(val, dstkey, &sigrdata,
1667 if (result == ISC_R_SUCCESS) {
1668 dns_keytable_detachkeynode(val->keytable,
1672 result = dns_keytable_findnextkeynode(
1676 dns_keytable_detachkeynode(val->keytable,
1680 if (result == ISC_R_SUCCESS) {
1681 event->rdataset->trust = dns_trust_secure;
1682 event->sigrdataset->trust = dns_trust_secure;
1683 validator_log(val, ISC_LOG_DEBUG(3),
1684 "signed by trusted key; "
1685 "marking as secure");
1691 * If this is the root name and there was no trusted key,
1692 * give up, since there's no DS at the root.
1694 if (dns_name_equal(event->name, dns_rootname)) {
1695 if ((val->attributes & VALATTR_TRIEDVERIFY) != 0)
1696 return (DNS_R_NOVALIDSIG);
1698 return (DNS_R_NOVALIDDS);
1703 * We have not found a key to verify this DNSKEY
1704 * RRset. As this is a SEP we have to assume that
1705 * the RRset is invalid.
1707 dns_name_format(val->event->name, namebuf,
1709 validator_log(val, ISC_LOG_DEBUG(2),
1710 "unable to find a DNSKEY which verifies "
1711 "the DNSKEY RRset and also matches one "
1712 "of specified trusted-keys for '%s'",
1714 return (DNS_R_NOVALIDKEY);
1718 * Otherwise, try to find the DS record.
1720 result = view_find(val, val->event->name, dns_rdatatype_ds);
1721 if (result == ISC_R_SUCCESS) {
1723 * We have DS records.
1725 val->dsset = &val->frdataset;
1726 if (val->frdataset.trust == dns_trust_pending &&
1727 dns_rdataset_isassociated(&val->fsigrdataset))
1729 result = create_validator(val,
1736 if (result != ISC_R_SUCCESS)
1738 return (DNS_R_WAIT);
1739 } else if (val->frdataset.trust == dns_trust_pending) {
1741 * There should never be an unsigned DS.
1743 dns_rdataset_disassociate(&val->frdataset);
1744 validator_log(val, ISC_LOG_DEBUG(2),
1745 "unsigned DS record");
1746 return (DNS_R_NOVALIDSIG);
1748 result = ISC_R_SUCCESS;
1749 } else if (result == ISC_R_NOTFOUND) {
1751 * We don't have the DS. Find it.
1753 result = create_fetch(val, val->event->name,
1754 dns_rdatatype_ds, dsfetched,
1756 if (result != ISC_R_SUCCESS)
1758 return (DNS_R_WAIT);
1759 } else if (result == DNS_R_NCACHENXDOMAIN ||
1760 result == DNS_R_NCACHENXRRSET ||
1761 result == DNS_R_NXDOMAIN ||
1762 result == DNS_R_NXRRSET)
1765 * The DS does not exist.
1767 if (dns_rdataset_isassociated(&val->frdataset))
1768 dns_rdataset_disassociate(&val->frdataset);
1769 if (dns_rdataset_isassociated(&val->fsigrdataset))
1770 dns_rdataset_disassociate(&val->fsigrdataset);
1771 validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
1772 return (DNS_R_NOVALIDSIG);
1779 INSIST(val->dsset != NULL);
1781 if (val->dsset->trust < dns_trust_secure) {
1782 if (val->mustbesecure) {
1783 validator_log(val, ISC_LOG_WARNING,
1784 "must be secure failure");
1785 return (DNS_R_MUSTBESECURE);
1788 return (ISC_R_SUCCESS);
1792 * Look through the DS record and find the keys that can sign the
1793 * key set and the matching signature. For each such key, attempt
1797 supported_algorithm = ISC_FALSE;
1799 for (result = dns_rdataset_first(val->dsset);
1800 result == ISC_R_SUCCESS;
1801 result = dns_rdataset_next(val->dsset))
1803 dns_rdata_reset(&dsrdata);
1804 dns_rdataset_current(val->dsset, &dsrdata);
1805 (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
1807 if (ds.digest_type != DNS_DSDIGEST_SHA1)
1809 if (!dns_resolver_algorithm_supported(val->view->resolver,
1814 supported_algorithm = ISC_TRUE;
1816 dns_rdataset_init(&trdataset);
1817 dns_rdataset_clone(val->event->rdataset, &trdataset);
1820 * Look for the KEY that matches the DS record.
1822 for (result = dns_rdataset_first(&trdataset);
1823 result == ISC_R_SUCCESS;
1824 result = dns_rdataset_next(&trdataset))
1826 dns_rdata_reset(&keyrdata);
1827 dns_rdataset_current(&trdataset, &keyrdata);
1828 (void)dns_rdata_tostruct(&keyrdata, &key, NULL);
1829 keytag = compute_keytag(&keyrdata, &key);
1830 if (ds.key_tag != keytag ||
1831 ds.algorithm != key.algorithm)
1833 dns_rdata_reset(&newdsrdata);
1834 result = dns_ds_buildrdata(val->event->name,
1835 &keyrdata, ds.digest_type,
1836 dsbuf, &newdsrdata);
1837 if (result != ISC_R_SUCCESS)
1839 if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0)
1842 if (result != ISC_R_SUCCESS) {
1843 validator_log(val, ISC_LOG_DEBUG(3),
1844 "no DNSKEY matching DS");
1848 for (result = dns_rdataset_first(val->event->sigrdataset);
1849 result == ISC_R_SUCCESS;
1850 result = dns_rdataset_next(val->event->sigrdataset))
1852 dns_rdata_reset(&sigrdata);
1853 dns_rdataset_current(val->event->sigrdataset,
1855 (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
1856 if (ds.key_tag != sig.keyid ||
1857 ds.algorithm != sig.algorithm)
1861 result = dns_dnssec_keyfromrdata(val->event->name,
1865 if (result != ISC_R_SUCCESS)
1867 * This really shouldn't happen, but...
1870 result = verify(val, dstkey, &sigrdata, sig.keyid);
1871 dst_key_free(&dstkey);
1872 if (result == ISC_R_SUCCESS)
1875 dns_rdataset_disassociate(&trdataset);
1876 if (result == ISC_R_SUCCESS)
1878 validator_log(val, ISC_LOG_DEBUG(3),
1879 "no RRSIG matching DS key");
1881 if (result == ISC_R_SUCCESS) {
1882 event->rdataset->trust = dns_trust_secure;
1883 event->sigrdataset->trust = dns_trust_secure;
1884 validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
1886 } else if (result == ISC_R_NOMORE && !supported_algorithm) {
1887 if (val->mustbesecure) {
1888 validator_log(val, ISC_LOG_WARNING,
1889 "must be secure failure");
1890 return (DNS_R_MUSTBESECURE);
1892 validator_log(val, ISC_LOG_DEBUG(3),
1893 "no supported algorithm/digest (DS)");
1895 return (ISC_R_SUCCESS);
1897 return (DNS_R_NOVALIDSIG);
1901 * Starts a positive response validation.
1904 * \li ISC_R_SUCCESS Validation completed successfully
1905 * \li DNS_R_WAIT Validation has started but is waiting
1907 * \li Other return codes are possible and all indicate failure.
1910 start_positive_validation(dns_validator_t *val) {
1912 * If this is not a key, go straight into validate().
1914 if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
1915 return (validate(val, ISC_FALSE));
1917 return (validatezonekey(val));
1921 * Look for NODATA at the wildcard and NOWILDCARD proofs in the
1922 * previously validated NSEC records. As these proofs are mutually
1923 * exclusive we stop when one is found.
1929 checkwildcard(dns_validator_t *val) {
1930 dns_name_t *name, *wild;
1931 dns_message_t *message = val->event->message;
1932 isc_result_t result;
1933 isc_boolean_t exists, data;
1934 char namebuf[DNS_NAME_FORMATSIZE];
1936 wild = dns_fixedname_name(&val->wild);
1937 dns_name_format(wild, namebuf, sizeof(namebuf));
1938 validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
1940 for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
1941 result == ISC_R_SUCCESS;
1942 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
1944 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
1947 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
1949 for (rdataset = ISC_LIST_HEAD(name->list);
1951 rdataset = ISC_LIST_NEXT(rdataset, link))
1953 if (rdataset->type != dns_rdatatype_nsec)
1955 val->nsecset = rdataset;
1957 for (sigrdataset = ISC_LIST_HEAD(name->list);
1958 sigrdataset != NULL;
1959 sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
1961 if (sigrdataset->type == dns_rdatatype_rrsig &&
1962 sigrdataset->covers == rdataset->type)
1965 if (sigrdataset == NULL)
1968 if (rdataset->trust != dns_trust_secure)
1971 if (((val->attributes & VALATTR_NEEDNODATA) != 0 ||
1972 (val->attributes & VALATTR_NEEDNOWILDCARD) != 0) &&
1973 (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
1974 (val->attributes & VALATTR_FOUNDNOWILDCARD) == 0 &&
1975 nsecnoexistnodata(val, wild, name, rdataset,
1976 &exists, &data, NULL)
1979 dns_name_t **proofs = val->event->proofs;
1980 if (exists && !data)
1981 val->attributes |= VALATTR_FOUNDNODATA;
1982 if (exists && !data && NEEDNODATA(val))
1983 proofs[DNS_VALIDATOR_NODATAPROOF] =
1987 VALATTR_FOUNDNOWILDCARD;
1988 if (!exists && NEEDNOQNAME(val))
1989 proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
1991 return (ISC_R_SUCCESS);
1995 if (result == ISC_R_NOMORE)
1996 result = ISC_R_SUCCESS;
2001 * Prove a negative answer is good or that there is a NOQNAME when the
2002 * answer is from a wildcard.
2004 * Loop through the authority section looking for NODATA, NOWILDCARD
2005 * and NOQNAME proofs in the NSEC records by calling authvalidated().
2007 * If the required proofs are found we are done.
2009 * If the proofs are not found attempt to prove this is a unsecure
2013 nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
2015 dns_message_t *message = val->event->message;
2016 isc_result_t result;
2019 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
2021 result = ISC_R_SUCCESS;
2022 validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
2026 result == ISC_R_SUCCESS;
2027 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
2029 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
2032 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
2034 rdataset = ISC_LIST_NEXT(val->currentset, link);
2035 val->currentset = NULL;
2038 rdataset = ISC_LIST_HEAD(name->list);
2042 rdataset = ISC_LIST_NEXT(rdataset, link))
2044 if (rdataset->type == dns_rdatatype_rrsig)
2047 if (rdataset->type == dns_rdatatype_soa) {
2048 val->soaset = rdataset;
2049 val->soaname = name;
2050 } else if (rdataset->type == dns_rdatatype_nsec)
2051 val->nsecset = rdataset;
2053 for (sigrdataset = ISC_LIST_HEAD(name->list);
2054 sigrdataset != NULL;
2055 sigrdataset = ISC_LIST_NEXT(sigrdataset,
2058 if (sigrdataset->type == dns_rdatatype_rrsig &&
2059 sigrdataset->covers == rdataset->type)
2062 if (sigrdataset == NULL)
2065 * If a signed zone is missing the zone key, bad
2066 * things could happen. A query for data in the zone
2067 * would lead to a query for the zone key, which
2068 * would return a negative answer, which would contain
2069 * an SOA and an NSEC signed by the missing key, which
2070 * would trigger another query for the DNSKEY (since
2071 * the first one is still in progress), and go into an
2072 * infinite loop. Avoid that.
2074 if (val->event->type == dns_rdatatype_dnskey &&
2075 dns_name_equal(name, val->event->name))
2077 dns_rdata_t nsec = DNS_RDATA_INIT;
2079 if (rdataset->type != dns_rdatatype_nsec)
2082 result = dns_rdataset_first(rdataset);
2083 if (result != ISC_R_SUCCESS)
2085 dns_rdataset_current(rdataset, &nsec);
2086 if (dns_nsec_typepresent(&nsec,
2090 val->currentset = rdataset;
2091 result = create_validator(val, name, rdataset->type,
2092 rdataset, sigrdataset,
2095 if (result != ISC_R_SUCCESS)
2097 return (DNS_R_WAIT);
2101 if (result == ISC_R_NOMORE)
2102 result = ISC_R_SUCCESS;
2103 if (result != ISC_R_SUCCESS)
2107 * Do we only need to check for NOQNAME? To get here we must have
2108 * had a secure wildcard answer.
2110 if ((val->attributes & VALATTR_NEEDNODATA) == 0 &&
2111 (val->attributes & VALATTR_NEEDNOWILDCARD) == 0 &&
2112 (val->attributes & VALATTR_NEEDNOQNAME) != 0) {
2113 if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0) {
2114 validator_log(val, ISC_LOG_DEBUG(3),
2115 "noqname proof found");
2116 validator_log(val, ISC_LOG_DEBUG(3),
2117 "marking as secure");
2118 val->event->rdataset->trust = dns_trust_secure;
2119 val->event->sigrdataset->trust = dns_trust_secure;
2120 return (ISC_R_SUCCESS);
2122 validator_log(val, ISC_LOG_DEBUG(3),
2123 "noqname proof not found");
2124 return (DNS_R_NOVALIDNSEC);
2128 * Do we need to check for the wildcard?
2130 if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
2131 (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
2132 (val->attributes & VALATTR_FOUNDNODATA) == 0) ||
2133 (val->attributes & VALATTR_NEEDNOWILDCARD) != 0)) {
2134 result = checkwildcard(val);
2135 if (result != ISC_R_SUCCESS)
2139 if (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
2140 (val->attributes & VALATTR_FOUNDNODATA) != 0) ||
2141 ((val->attributes & VALATTR_NEEDNOQNAME) != 0 &&
2142 (val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
2143 (val->attributes & VALATTR_NEEDNOWILDCARD) != 0 &&
2144 (val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)) {
2145 validator_log(val, ISC_LOG_DEBUG(3),
2146 "nonexistence proof(s) found");
2147 return (ISC_R_SUCCESS);
2150 validator_log(val, ISC_LOG_DEBUG(3),
2151 "nonexistence proof(s) not found");
2152 val->attributes |= VALATTR_AUTHNONPENDING;
2153 val->attributes |= VALATTR_INSECURITY;
2154 return (proveunsecure(val, ISC_FALSE));
2157 static isc_boolean_t
2158 check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) {
2159 dns_rdata_t dsrdata = DNS_RDATA_INIT;
2161 isc_result_t result;
2163 for (result = dns_rdataset_first(rdataset);
2164 result == ISC_R_SUCCESS;
2165 result = dns_rdataset_next(rdataset)) {
2166 dns_rdataset_current(rdataset, &dsrdata);
2167 (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
2169 if (ds.digest_type == DNS_DSDIGEST_SHA1 &&
2170 dns_resolver_algorithm_supported(val->view->resolver,
2171 name, ds.algorithm)) {
2172 dns_rdata_reset(&dsrdata);
2175 dns_rdata_reset(&dsrdata);
2181 * Callback from fetching a DLV record.
2183 * Resumes the DLV lookup process.
2186 dlvfetched(isc_task_t *task, isc_event_t *event) {
2187 char namebuf[DNS_NAME_FORMATSIZE];
2188 dns_fetchevent_t *devent;
2189 dns_validator_t *val;
2190 isc_boolean_t want_destroy;
2191 isc_result_t eresult;
2192 isc_result_t result;
2195 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
2196 devent = (dns_fetchevent_t *)event;
2197 val = devent->ev_arg;
2198 eresult = devent->result;
2200 /* Free resources which are not of interest. */
2201 if (devent->node != NULL)
2202 dns_db_detachnode(devent->db, &devent->node);
2203 if (devent->db != NULL)
2204 dns_db_detach(&devent->db);
2205 if (dns_rdataset_isassociated(&val->fsigrdataset))
2206 dns_rdataset_disassociate(&val->fsigrdataset);
2207 isc_event_free(&event);
2208 dns_resolver_destroyfetch(&val->fetch);
2210 INSIST(val->event != NULL);
2211 validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s",
2212 dns_result_totext(eresult));
2215 if (eresult == ISC_R_SUCCESS) {
2216 dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
2218 dns_rdataset_clone(&val->frdataset, &val->dlv);
2219 val->havedlvsep = ISC_TRUE;
2220 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
2221 dlv_validator_start(val);
2222 } else if (eresult == DNS_R_NXRRSET ||
2223 eresult == DNS_R_NXDOMAIN ||
2224 eresult == DNS_R_NCACHENXRRSET ||
2225 eresult == DNS_R_NCACHENXDOMAIN) {
2226 result = finddlvsep(val, ISC_TRUE);
2227 if (result == ISC_R_SUCCESS) {
2228 dns_name_format(dns_fixedname_name(&val->dlvsep),
2229 namebuf, sizeof(namebuf));
2230 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
2232 dlv_validator_start(val);
2233 } else if (result == ISC_R_NOTFOUND) {
2234 validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
2236 validator_done(val, ISC_R_SUCCESS);
2238 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2239 dns_result_totext(result));
2240 if (result != DNS_R_WAIT)
2241 validator_done(val, result);
2244 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2245 dns_result_totext(eresult));
2246 validator_done(val, eresult);
2248 want_destroy = exit_check(val);
2255 * Start the DLV lookup proccess.
2260 * \li Others on validation failures.
2263 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
2264 char namebuf[DNS_NAME_FORMATSIZE];
2265 isc_result_t result;
2267 INSIST(!DLVTRIED(val));
2269 val->attributes |= VALATTR_DLVTRIED;
2271 dns_name_format(unsecure, namebuf, sizeof(namebuf));
2272 validator_log(val, ISC_LOG_DEBUG(3),
2273 "plain DNSSEC returns unsecure (%s): looking for DLV",
2276 if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
2277 validator_log(val, ISC_LOG_WARNING, "must be secure failure");
2278 return (DNS_R_MUSTBESECURE);
2281 val->dlvlabels = dns_name_countlabels(unsecure) - 1;
2282 result = finddlvsep(val, ISC_FALSE);
2283 if (result == ISC_R_NOTFOUND) {
2284 validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
2286 return (ISC_R_SUCCESS);
2288 if (result != ISC_R_SUCCESS) {
2289 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2290 dns_result_totext(result));
2293 dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
2295 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
2296 dlv_validator_start(val);
2297 return (DNS_R_WAIT);
2301 * Continue the DLV lookup process.
2305 * \li ISC_R_NOTFOUND
2307 * \li Others on validation failure.
2310 finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
2311 char namebuf[DNS_NAME_FORMATSIZE];
2312 dns_fixedname_t dlvfixed;
2313 dns_name_t *dlvname;
2316 isc_result_t result;
2317 unsigned int labels;
2319 INSIST(val->view->dlv != NULL);
2323 if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
2324 validator_log(val, ISC_LOG_WARNING,
2325 "must be secure failure");
2326 return (DNS_R_MUSTBESECURE);
2329 dns_fixedname_init(&val->dlvsep);
2330 dlvsep = dns_fixedname_name(&val->dlvsep);
2331 dns_name_copy(val->event->name, dlvsep, NULL);
2332 if (val->event->type == dns_rdatatype_ds) {
2333 labels = dns_name_countlabels(dlvsep);
2335 return (ISC_R_NOTFOUND);
2336 dns_name_getlabelsequence(dlvsep, 1, labels - 1,
2340 dlvsep = dns_fixedname_name(&val->dlvsep);
2341 labels = dns_name_countlabels(dlvsep);
2342 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2344 dns_name_init(&noroot, NULL);
2345 dns_fixedname_init(&dlvfixed);
2346 dlvname = dns_fixedname_name(&dlvfixed);
2347 labels = dns_name_countlabels(dlvsep);
2349 return (ISC_R_NOTFOUND);
2350 dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot);
2351 result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL);
2352 while (result == ISC_R_NOSPACE) {
2353 labels = dns_name_countlabels(dlvsep);
2354 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2355 dns_name_getlabelsequence(dlvsep, 0, labels - 2, &noroot);
2356 result = dns_name_concatenate(&noroot, val->view->dlv,
2359 if (result != ISC_R_SUCCESS) {
2360 validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed");
2361 return (DNS_R_NOVALIDSIG);
2364 while (dns_name_countlabels(dlvname) >=
2365 dns_name_countlabels(val->view->dlv) + val->dlvlabels) {
2366 dns_name_format(dlvname, namebuf, sizeof(namebuf));
2367 validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s",
2369 result = view_find(val, dlvname, dns_rdatatype_dlv);
2370 if (result == ISC_R_SUCCESS) {
2371 if (val->frdataset.trust < dns_trust_secure)
2372 return (DNS_R_NOVALIDSIG);
2373 val->havedlvsep = ISC_TRUE;
2374 dns_rdataset_clone(&val->frdataset, &val->dlv);
2375 return (ISC_R_SUCCESS);
2377 if (result == ISC_R_NOTFOUND) {
2378 result = create_fetch(val, dlvname, dns_rdatatype_dlv,
2379 dlvfetched, "finddlvsep");
2380 if (result != ISC_R_SUCCESS)
2382 return (DNS_R_WAIT);
2384 if (result != DNS_R_NXRRSET &&
2385 result != DNS_R_NXDOMAIN &&
2386 result != DNS_R_NCACHENXRRSET &&
2387 result != DNS_R_NCACHENXDOMAIN)
2390 * Strip first labels from both dlvsep and dlvname.
2392 labels = dns_name_countlabels(dlvsep);
2395 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2396 labels = dns_name_countlabels(dlvname);
2397 dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname);
2399 return (ISC_R_NOTFOUND);
2403 * proveunsecure walks down from the SEP looking for a break in the
2404 * chain of trust. That occurs when we can prove the DS record does
2405 * not exist at a delegation point or the DS exists at a delegation
2406 * but we don't support the algorithm/digest.
2408 * If DLV is active and we look for a DLV record at or below the
2409 * point we go insecure. If found we restart the validation process.
2410 * If not found or DLV isn't active we mark the response as a answer.
2413 * \li ISC_R_SUCCESS val->event->name is in a unsecure zone
2414 * \li DNS_R_WAIT validation is in progress.
2415 * \li DNS_R_MUSTBESECURE val->event->name is supposed to be secure
2416 * (policy) but we proved that it is unsecure.
2417 * \li DNS_R_NOVALIDSIG
2418 * \li DNS_R_NOVALIDNSEC
2419 * \li DNS_R_NOTINSECURE
2422 proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
2423 isc_result_t result;
2424 dns_fixedname_t fixedsecroot;
2425 dns_name_t *secroot;
2427 char namebuf[DNS_NAME_FORMATSIZE];
2429 dns_fixedname_init(&fixedsecroot);
2430 secroot = dns_fixedname_name(&fixedsecroot);
2431 if (val->havedlvsep)
2432 dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
2434 result = dns_keytable_finddeepestmatch(val->keytable,
2438 if (result == ISC_R_NOTFOUND) {
2439 validator_log(val, ISC_LOG_DEBUG(3),
2440 "not beneath secure root");
2441 if (val->mustbesecure) {
2442 validator_log(val, ISC_LOG_WARNING,
2443 "must be secure failure");
2444 result = DNS_R_MUSTBESECURE;
2447 if (val->view->dlv == NULL || DLVTRIED(val)) {
2449 return (ISC_R_SUCCESS);
2451 return (startfinddlvsep(val, dns_rootname));
2452 } else if (result != ISC_R_SUCCESS)
2458 * We are looking for breaks below the SEP so add a label.
2460 val->labels = dns_name_countlabels(secroot) + 1;
2462 validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
2463 if (val->frdataset.trust >= dns_trust_secure &&
2464 !check_ds(val, dns_fixedname_name(&val->fname),
2466 dns_name_format(dns_fixedname_name(&val->fname),
2467 namebuf, sizeof(namebuf));
2468 if (val->mustbesecure) {
2469 validator_log(val, ISC_LOG_WARNING,
2470 "must be secure failure at '%s'",
2472 result = DNS_R_MUSTBESECURE;
2475 validator_log(val, ISC_LOG_DEBUG(3),
2476 "no supported algorithm/digest (%s/DS)",
2478 if (val->view->dlv == NULL || DLVTRIED(val)) {
2480 result = ISC_R_SUCCESS;
2483 result = startfinddlvsep(val,
2484 dns_fixedname_name(&val->fname));
2491 val->labels <= dns_name_countlabels(val->event->name);
2495 dns_fixedname_init(&val->fname);
2496 tname = dns_fixedname_name(&val->fname);
2497 if (val->labels == dns_name_countlabels(val->event->name))
2498 dns_name_copy(val->event->name, tname, NULL);
2500 dns_name_split(val->event->name, val->labels,
2503 dns_name_format(tname, namebuf, sizeof(namebuf));
2504 validator_log(val, ISC_LOG_DEBUG(3),
2505 "checking existence of DS at '%s'",
2508 result = view_find(val, tname, dns_rdatatype_ds);
2509 if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
2511 * There is no DS. If this is a delegation,
2514 if (val->frdataset.trust < dns_trust_secure) {
2516 * This shouldn't happen, since the negative
2517 * response should have been validated. Since
2518 * there's no way of validating existing
2519 * negative response blobs, give up.
2521 result = DNS_R_NOVALIDSIG;
2524 if (isdelegation(tname, &val->frdataset, result)) {
2525 if (val->mustbesecure) {
2526 validator_log(val, ISC_LOG_WARNING,
2527 "must be secure failure");
2528 return (DNS_R_MUSTBESECURE);
2530 if (val->view->dlv == NULL || DLVTRIED(val)) {
2532 return (ISC_R_SUCCESS);
2534 return (startfinddlvsep(val, tname));
2537 } else if (result == ISC_R_SUCCESS) {
2539 * There is a DS here. Verify that it's secure and
2542 if (val->frdataset.trust >= dns_trust_secure) {
2543 if (!check_ds(val, tname, &val->frdataset)) {
2544 validator_log(val, ISC_LOG_DEBUG(3),
2545 "no supported algorithm/"
2546 "digest (%s/DS)", namebuf);
2547 if (val->mustbesecure) {
2550 "must be secure failure");
2551 result = DNS_R_MUSTBESECURE;
2554 if (val->view->dlv == NULL ||
2557 result = ISC_R_SUCCESS;
2560 result = startfinddlvsep(val, tname);
2565 else if (!dns_rdataset_isassociated(&val->fsigrdataset))
2567 result = DNS_R_NOVALIDSIG;
2570 result = create_validator(val, tname, dns_rdatatype_ds,
2575 if (result != ISC_R_SUCCESS)
2577 return (DNS_R_WAIT);
2578 } else if (result == DNS_R_NXDOMAIN ||
2579 result == DNS_R_NCACHENXDOMAIN) {
2581 * This is not a zone cut. Assuming things are
2582 * as expected, continue.
2584 if (!dns_rdataset_isassociated(&val->frdataset)) {
2586 * There should be an NSEC here, since we
2587 * are still in a secure zone.
2589 result = DNS_R_NOVALIDNSEC;
2591 } else if (val->frdataset.trust < dns_trust_secure) {
2593 * This shouldn't happen, since the negative
2594 * response should have been validated. Since
2595 * there's no way of validating existing
2596 * negative response blobs, give up.
2598 result = DNS_R_NOVALIDSIG;
2602 } else if (result == ISC_R_NOTFOUND) {
2604 * We don't know anything about the DS. Find it.
2606 result = create_fetch(val, tname, dns_rdatatype_ds,
2607 dsfetched2, "proveunsecure");
2608 if (result != ISC_R_SUCCESS)
2610 return (DNS_R_WAIT);
2613 validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
2614 return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
2617 if (dns_rdataset_isassociated(&val->frdataset))
2618 dns_rdataset_disassociate(&val->frdataset);
2619 if (dns_rdataset_isassociated(&val->fsigrdataset))
2620 dns_rdataset_disassociate(&val->fsigrdataset);
2625 * Reset state and revalidate the answer using DLV.
2628 dlv_validator_start(dns_validator_t *val) {
2631 validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start");
2634 * Reset state and try again.
2636 val->attributes &= VALATTR_DLVTRIED;
2637 val->options &= ~DNS_VALIDATOR_DLV;
2639 event = (isc_event_t *)val->event;
2640 isc_task_send(val->task, &event);
2644 * Start the validation process.
2646 * Attempt to valididate the answer based on the category it appears to
2648 * \li 1. secure positive answer.
2649 * \li 2. unsecure positive answer.
2650 * \li 3. a negative answer (secure or unsecure).
2652 * Note a answer that appears to be a secure positive answer may actually
2653 * be a unsecure positive answer.
2656 validator_start(isc_task_t *task, isc_event_t *event) {
2657 dns_validator_t *val;
2658 dns_validatorevent_t *vevent;
2659 isc_boolean_t want_destroy = ISC_FALSE;
2660 isc_result_t result = ISC_R_FAILURE;
2663 REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
2664 vevent = (dns_validatorevent_t *)event;
2665 val = vevent->validator;
2667 /* If the validator has been cancelled, val->event == NULL */
2668 if (val->event == NULL)
2672 validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV");
2674 validator_log(val, ISC_LOG_DEBUG(3), "starting");
2678 if ((val->options & DNS_VALIDATOR_DLV) != 0) {
2679 validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
2680 result = startfinddlvsep(val, dns_rootname);
2681 } else if (val->event->rdataset != NULL &&
2682 val->event->sigrdataset != NULL) {
2683 isc_result_t saved_result;
2686 * This looks like a simple validation. We say "looks like"
2687 * because it might end up requiring an insecurity proof.
2689 validator_log(val, ISC_LOG_DEBUG(3),
2690 "attempting positive response validation");
2692 INSIST(dns_rdataset_isassociated(val->event->rdataset));
2693 INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
2694 result = start_positive_validation(val);
2695 if (result == DNS_R_NOVALIDSIG &&
2696 (val->attributes & VALATTR_TRIEDVERIFY) == 0)
2698 saved_result = result;
2699 validator_log(val, ISC_LOG_DEBUG(3),
2700 "falling back to insecurity proof");
2701 val->attributes |= VALATTR_INSECURITY;
2702 result = proveunsecure(val, ISC_FALSE);
2703 if (result == DNS_R_NOTINSECURE)
2704 result = saved_result;
2706 } else if (val->event->rdataset != NULL) {
2708 * This is either an unsecure subdomain or a response from
2711 INSIST(dns_rdataset_isassociated(val->event->rdataset));
2712 validator_log(val, ISC_LOG_DEBUG(3),
2713 "attempting insecurity proof");
2715 val->attributes |= VALATTR_INSECURITY;
2716 result = proveunsecure(val, ISC_FALSE);
2717 } else if (val->event->rdataset == NULL &&
2718 val->event->sigrdataset == NULL)
2721 * This is a nonexistence validation.
2723 validator_log(val, ISC_LOG_DEBUG(3),
2724 "attempting negative response validation");
2726 if (val->event->message->rcode == dns_rcode_nxdomain) {
2727 val->attributes |= VALATTR_NEEDNOQNAME;
2728 val->attributes |= VALATTR_NEEDNOWILDCARD;
2730 val->attributes |= VALATTR_NEEDNODATA;
2731 result = nsecvalidate(val, ISC_FALSE);
2734 * This shouldn't happen.
2739 if (result != DNS_R_WAIT) {
2740 want_destroy = exit_check(val);
2741 validator_done(val, result);
2750 dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
2751 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
2752 dns_message_t *message, unsigned int options,
2753 isc_task_t *task, isc_taskaction_t action, void *arg,
2754 dns_validator_t **validatorp)
2756 isc_result_t result;
2757 dns_validator_t *val;
2759 dns_validatorevent_t *event;
2761 REQUIRE(name != NULL);
2763 REQUIRE(rdataset != NULL ||
2764 (rdataset == NULL && sigrdataset == NULL && message != NULL));
2765 REQUIRE(validatorp != NULL && *validatorp == NULL);
2768 result = ISC_R_FAILURE;
2770 val = isc_mem_get(view->mctx, sizeof(*val));
2772 return (ISC_R_NOMEMORY);
2774 dns_view_weakattach(view, &val->view);
2775 event = (dns_validatorevent_t *)
2776 isc_event_allocate(view->mctx, task,
2777 DNS_EVENT_VALIDATORSTART,
2778 validator_start, NULL,
2779 sizeof(dns_validatorevent_t));
2780 if (event == NULL) {
2781 result = ISC_R_NOMEMORY;
2784 isc_task_attach(task, &tclone);
2785 event->validator = val;
2786 event->result = ISC_R_FAILURE;
2789 event->rdataset = rdataset;
2790 event->sigrdataset = sigrdataset;
2791 event->message = message;
2792 memset(event->proofs, 0, sizeof(event->proofs));
2793 result = isc_mutex_init(&val->lock);
2794 if (result != ISC_R_SUCCESS)
2797 val->options = options;
2798 val->attributes = 0;
2800 val->subvalidator = NULL;
2802 val->keytable = NULL;
2803 dns_keytable_attach(val->view->secroots, &val->keytable);
2804 val->keynode = NULL;
2806 val->siginfo = NULL;
2808 val->action = action;
2811 val->currentset = NULL;
2814 dns_rdataset_init(&val->dlv);
2816 val->nsecset = NULL;
2817 val->soaname = NULL;
2818 val->seensig = ISC_FALSE;
2819 val->havedlvsep = ISC_FALSE;
2821 val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
2822 dns_rdataset_init(&val->frdataset);
2823 dns_rdataset_init(&val->fsigrdataset);
2824 dns_fixedname_init(&val->wild);
2825 ISC_LINK_INIT(val, link);
2826 val->magic = VALIDATOR_MAGIC;
2828 if ((options & DNS_VALIDATOR_DEFER) == 0)
2829 isc_task_send(task, ISC_EVENT_PTR(&event));
2833 return (ISC_R_SUCCESS);
2836 isc_task_detach(&tclone);
2837 isc_event_free(ISC_EVENT_PTR(&event));
2840 dns_view_weakdetach(&val->view);
2841 isc_mem_put(view->mctx, val, sizeof(*val));
2847 dns_validator_send(dns_validator_t *validator) {
2849 REQUIRE(VALID_VALIDATOR(validator));
2851 LOCK(&validator->lock);
2853 INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
2854 event = (isc_event_t *)validator->event;
2855 validator->options &= ~DNS_VALIDATOR_DEFER;
2856 UNLOCK(&validator->lock);
2858 isc_task_send(validator->task, ISC_EVENT_PTR(&event));
2862 dns_validator_cancel(dns_validator_t *validator) {
2863 REQUIRE(VALID_VALIDATOR(validator));
2865 LOCK(&validator->lock);
2867 validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
2869 if (validator->event != NULL) {
2870 if (validator->fetch != NULL)
2871 dns_resolver_cancelfetch(validator->fetch);
2873 if (validator->subvalidator != NULL)
2874 dns_validator_cancel(validator->subvalidator);
2875 if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
2876 isc_task_t *task = validator->event->ev_sender;
2877 validator->options &= ~DNS_VALIDATOR_DEFER;
2878 isc_event_free((isc_event_t **)&validator->event);
2879 isc_task_detach(&task);
2882 UNLOCK(&validator->lock);
2886 destroy(dns_validator_t *val) {
2889 REQUIRE(SHUTDOWN(val));
2890 REQUIRE(val->event == NULL);
2891 REQUIRE(val->fetch == NULL);
2893 if (val->keynode != NULL)
2894 dns_keytable_detachkeynode(val->keytable, &val->keynode);
2895 else if (val->key != NULL)
2896 dst_key_free(&val->key);
2897 if (val->keytable != NULL)
2898 dns_keytable_detach(&val->keytable);
2899 if (val->subvalidator != NULL)
2900 dns_validator_destroy(&val->subvalidator);
2901 if (val->havedlvsep)
2902 dns_rdataset_disassociate(&val->dlv);
2903 if (dns_rdataset_isassociated(&val->frdataset))
2904 dns_rdataset_disassociate(&val->frdataset);
2905 if (dns_rdataset_isassociated(&val->fsigrdataset))
2906 dns_rdataset_disassociate(&val->fsigrdataset);
2907 mctx = val->view->mctx;
2908 if (val->siginfo != NULL)
2909 isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
2910 DESTROYLOCK(&val->lock);
2911 dns_view_weakdetach(&val->view);
2913 isc_mem_put(mctx, val, sizeof(*val));
2917 dns_validator_destroy(dns_validator_t **validatorp) {
2918 dns_validator_t *val;
2919 isc_boolean_t want_destroy = ISC_FALSE;
2921 REQUIRE(validatorp != NULL);
2923 REQUIRE(VALID_VALIDATOR(val));
2927 val->attributes |= VALATTR_SHUTDOWN;
2928 validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
2930 want_destroy = exit_check(val);
2941 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
2942 isc_logmodule_t *module, int level, const char *fmt, va_list ap)
2945 static const char spaces[] = " *";
2946 int depth = val->depth * 2;
2948 vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
2950 if ((unsigned int) depth >= sizeof spaces)
2951 depth = sizeof spaces - 1;
2953 if (val->event != NULL && val->event->name != NULL) {
2954 char namebuf[DNS_NAME_FORMATSIZE];
2955 char typebuf[DNS_RDATATYPE_FORMATSIZE];
2957 dns_name_format(val->event->name, namebuf, sizeof(namebuf));
2958 dns_rdatatype_format(val->event->type, typebuf,
2960 isc_log_write(dns_lctx, category, module, level,
2961 "%.*svalidating @%p: %s %s: %s", depth, spaces,
2962 val, namebuf, typebuf, msgbuf);
2964 isc_log_write(dns_lctx, category, module, level,
2965 "%.*svalidator @%p: %s", depth, spaces,
2971 validator_log(dns_validator_t *val, int level, const char *fmt, ...) {
2974 if (! isc_log_wouldlog(dns_lctx, level))
2979 validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
2980 DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
2985 validator_logcreate(dns_validator_t *val,
2986 dns_name_t *name, dns_rdatatype_t type,
2987 const char *caller, const char *operation)
2989 char namestr[DNS_NAME_FORMATSIZE];
2990 char typestr[DNS_RDATATYPE_FORMATSIZE];
2992 dns_name_format(name, namestr, sizeof(namestr));
2993 dns_rdatatype_format(type, typestr, sizeof(typestr));
2994 validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",
2995 caller, operation, namestr, typestr);