3 * Where all the hard work concerning secure tracing is done
5 * (c) 2005, 2006 NLnet Labs
7 * See the file LICENSE for the license
12 #include <ldns/ldns.h>
14 #define SELF "[S]" /* self sig ok */
15 #define TRUST "[T]" /* chain from parent */
16 #define BOGUS "[B]" /* bogus */
17 #define UNSIGNED "[U]" /* no relevant dnssec data found */
20 /* See if there is a key/ds in trusted that matches
24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
31 if (!trusted || !ds) {
36 keys = ldns_rr_list_new();
41 if (!ds || !trusted) {
45 for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) {
46 rr_i = ldns_rr_list_rr(trusted, i);
47 for (j = 0; j < ldns_rr_list_rr_count(ds); j++) {
49 rr_j = ldns_rr_list_rr(ds, j);
50 if (ldns_rr_compare_ds(rr_i, rr_j)) {
52 /* only allow unique RRs to match */
53 ldns_rr_set_push_rr(keys, rr_i);
66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t)
69 p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0);
74 ldns_pkt_print(stdout, p);
82 * retrieve keys for this zone
85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
87 return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig);
91 * check to see if we can find a DS rrset here which we can then follow
94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
96 return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig);
101 remove_resolver_nameservers(ldns_resolver *res)
105 /* remove the old nameserver from the resolver */
106 while((pop = ldns_resolver_pop_nameserver(res))) {
107 ldns_rdf_deep_free(pop);
115 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
116 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name
120 ldns_pkt *p, *local_p;
121 ldns_rr_list *new_nss;
122 ldns_rr_list *ns_addr;
124 ldns_rdf **labels = NULL;
125 ldns_status status, st;
130 uint8_t labels_count = 0;
133 ldns_rr_list *key_list;
134 ldns_rr_list *key_sig_list;
135 ldns_rr_list *ds_list;
136 ldns_rr_list *ds_sig_list;
137 ldns_rr_list *correct_key_list;
138 ldns_rr_list *trusted_ds_rrs;
139 bool new_keys_trusted = false;
140 ldns_rr_list *current_correct_keys;
141 ldns_rr_list *dataset;
143 ldns_rr_list *nsec_rrs = NULL;
144 ldns_rr_list *nsec_rr_sigs = NULL;
146 /* empty non-terminal check */
148 ldns_rr *nsecrr; /* The nsec that proofs the non-terminal */
149 ldns_rdf *hashed_name; /* The query hashed with nsec3 params */
150 ldns_rdf *label0; /* The first label of an nsec3 owner name */
153 ldns_rr_list *new_ns_addr;
154 ldns_rr_list *old_ns_addr;
159 /* printing niceness */
160 const ldns_rr_descriptor *descriptor;
162 descriptor = ldns_rr_descript(t);
171 res = ldns_resolver_new();
176 error("Memory allocation failed");
181 correct_key_list = ldns_rr_list_new();
182 if (!correct_key_list) {
183 error("Memory allocation failed");
188 trusted_ds_rrs = ldns_rr_list_new();
189 if (!trusted_ds_rrs) {
190 error("Memory allocation failed");
194 /* Add all preset trusted DS signatures to the list of trusted DS RRs. */
195 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
196 ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j);
197 if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) {
198 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr));
202 /* transfer some properties of local_res to res */
203 ldns_resolver_set_ip6(res,
204 ldns_resolver_ip6(local_res));
205 ldns_resolver_set_port(res,
206 ldns_resolver_port(local_res));
207 ldns_resolver_set_debug(res,
208 ldns_resolver_debug(local_res));
209 ldns_resolver_set_fail(res,
210 ldns_resolver_fail(local_res));
211 ldns_resolver_set_usevc(res,
212 ldns_resolver_usevc(local_res));
213 ldns_resolver_set_random(res,
214 ldns_resolver_random(local_res));
215 ldns_resolver_set_source(res,
216 ldns_resolver_source(local_res));
217 ldns_resolver_set_recursive(local_res, true);
219 ldns_resolver_set_recursive(res, false);
220 ldns_resolver_set_dnssec_cd(res, false);
221 ldns_resolver_set_dnssec(res, true);
223 /* setup the root nameserver in the new resolver */
224 status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root);
225 if (status != LDNS_STATUS_OK) {
226 printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status));
227 ldns_rr_list_print(stdout, global_dns_root);
231 labels_count = ldns_dname_label_count(name);
233 if (ldns_dname_is_subdomain(name, start_name)) {
234 labels_count -= ldns_dname_label_count(start_name);
236 fprintf(stderr, "Error; ");
237 ldns_rdf_print(stderr, name);
238 fprintf(stderr, " is not a subdomain of ");
239 ldns_rdf_print(stderr, start_name);
240 fprintf(stderr, "\n");
244 labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2);
248 labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);
249 labels[1] = ldns_rdf_clone(name);
250 for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {
251 labels[i] = ldns_dname_left_chop(labels[i - 1]);
254 /* get the nameserver for the label
255 * ask: dnskey and ds for the label
257 for(i = (ssize_t)labels_count + 1; i > 0; i--) {
258 status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);
260 if (verbosity >= 5) {
261 ldns_pkt_print(stdout, local_p);
264 new_nss = ldns_pkt_rr_list_by_type(local_p,
265 LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
267 /* if it's a delegation, servers put them in the auth section */
268 new_nss = ldns_pkt_rr_list_by_type(local_p,
269 LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
272 /* if this is the final step there might not be nameserver records
273 of course if the data is in the apex, there are, so cover both
275 if (new_nss || i > 1) {
276 for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) {
277 ns_rr = ldns_rr_list_rr(new_nss, j);
278 pop = ldns_rr_rdf(ns_rr, 0);
283 /* retrieve it's addresses */
286 if (ldns_dname_is_subdomain(pop, labels[i])) {
287 new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
289 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
290 new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0);
292 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
293 new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0);
297 old_ns_addr = ns_addr;
298 ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr);
299 ldns_rr_list_deep_free(old_ns_addr);
301 ldns_rr_list_deep_free(new_ns_addr);
303 ldns_rr_list_deep_free(new_nss);
306 remove_resolver_nameservers(res);
308 if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) !=
310 error("Error adding new nameservers");
311 ldns_pkt_free(local_p);
314 ldns_rr_list_deep_free(ns_addr);
316 status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs);
318 /* verify the nsec3 themselves*/
319 if (verbosity >= 4) {
320 printf("NSEC(3) Records to verify:\n");
321 ldns_rr_list_print(stdout, nsec_rrs);
322 printf("With signatures:\n");
323 ldns_rr_list_print(stdout, nsec_rr_sigs);
324 printf("correct keys:\n");
325 ldns_rr_list_print(stdout, correct_key_list);
328 if (status == LDNS_STATUS_OK) {
329 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
330 fprintf(stdout, "%s ", TRUST);
331 fprintf(stdout, "Existence denied: ");
332 ldns_rdf_print(stdout, labels[i]);
334 if (descriptor && descriptor->_name) {
335 printf(" %s", descriptor->_name);
337 printf(" TYPE%u", t);
339 */ fprintf(stdout, " NS\n");
340 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
341 fprintf(stdout, "%s ", SELF);
342 fprintf(stdout, "Existence denied: ");
343 ldns_rdf_print(stdout, labels[i]);
345 if (descriptor && descriptor->_name) {
346 printf(" %s", descriptor->_name);
348 printf(" TYPE%u", t);
351 fprintf(stdout, " NS\n");
353 fprintf(stdout, "%s ", BOGUS);
355 printf(";; Error verifying denial of existence for name ");
356 ldns_rdf_print(stdout, labels[i]);
359 if (descriptor && descriptor->_name) {
360 printf("%s", descriptor->_name);
364 */ printf("NS: %s\n", ldns_get_errorstr_by_id(st));
367 fprintf(stdout, "%s ", BOGUS);
369 printf(";; Error verifying denial of existence for name ");
370 ldns_rdf_print(stdout, labels[i]);
371 printf("NS: %s\n", ldns_get_errorstr_by_id(status));
374 /* there might be an empty non-terminal, in which case we need to continue */
376 for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) {
377 nsecrr = ldns_rr_list_rr(nsec_rrs, j);
378 /* For NSEC when the next name is a subdomain of the question */
379 if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC &&
380 ldns_dname_is_subdomain(ldns_rr_rdf(nsecrr, 0), labels[i])) {
383 /* For NSEC3, the hash matches the name and the type bitmap is empty*/
384 } else if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC3) {
385 hashed_name = ldns_nsec3_hash_name_frm_nsec3(nsecrr, labels[i]);
386 label0 = ldns_dname_label(ldns_rr_owner(nsecrr), 0);
387 if (hashed_name && label0 &&
388 ldns_dname_compare(hashed_name, label0) == 0 &&
389 ldns_nsec3_bitmap(nsecrr) == NULL) {
396 LDNS_FREE(hashed_name);
401 ldns_rr_list_deep_free(nsec_rrs);
402 ldns_rr_list_deep_free(nsec_rr_sigs);
403 ldns_pkt_free(local_p);
406 printf(";; There is an empty non-terminal here, continue\n");
411 if (ldns_resolver_nameserver_count(res) == 0) {
412 error("No nameservers found for this node");
416 ldns_pkt_free(local_p);
418 fprintf(stdout, ";; Domain: ");
419 ldns_rdf_print(stdout, labels[i]);
420 fprintf(stdout, "\n");
422 /* retrieve keys for current domain, and verify them
423 if they match an already trusted DS, or if one of the
424 keys used to sign these is trusted, add the keys to
426 p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY);
427 (void) get_key(p, labels[i], &key_list, &key_sig_list);
430 current_correct_keys = ldns_rr_list_new();
431 if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) ==
433 /* add all signed keys (don't just add current_correct, you'd miss
435 for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) {
436 ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j)));
439 /* check whether these keys were signed
440 * by a trusted keys. if so, these
441 * keys are also trusted */
442 new_keys_trusted = false;
443 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
444 for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) {
445 if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k),
446 ldns_rr_list_rr(trusted_ds_rrs, j))) {
447 new_keys_trusted = true;
452 /* also all keys are trusted if one of the current correct keys is trusted */
453 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
454 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
455 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k),
456 ldns_rr_list_rr(trusted_keys, j)) == 0) {
457 new_keys_trusted = true;
463 if (new_keys_trusted) {
464 ldns_rr_list_push_rr_list(trusted_keys, key_list);
465 print_rr_list_abbr(stdout, key_list, TRUST);
466 ldns_rr_list_free(key_list);
469 if (verbosity >= 2) {
470 printf(";; Signature ok but no chain to a trusted key or ds record\n");
472 print_rr_list_abbr(stdout, key_list, SELF);
473 ldns_rr_list_deep_free(key_list);
477 print_rr_list_abbr(stdout, key_list, BOGUS);
479 ldns_rr_list_deep_free(key_list);
482 ldns_rr_list_free(current_correct_keys);
483 current_correct_keys = NULL;
485 printf(";; No DNSKEY record found for ");
486 ldns_rdf_print(stdout, labels[i]);
492 ldns_rr_list_deep_free(key_sig_list);
495 /* check the DS records for the next child domain */
497 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
498 (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
502 ldns_rr_list_deep_free(ds_sig_list);
504 p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
505 (void) get_ds(p, NULL, &ds_list, &ds_sig_list);
509 if (verbosity >= 4) {
510 printf("VERIFYING:\n");
511 printf("DS LIST:\n");
512 ldns_rr_list_print(stdout, ds_list);
514 ldns_rr_list_print(stdout, ds_sig_list);
516 ldns_rr_list_print(stdout, correct_key_list);
519 current_correct_keys = ldns_rr_list_new();
521 if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) ==
523 /* if the ds is signed by a trusted key and a key from correct keys
524 matches that ds, add that key to the trusted keys */
525 new_keys_trusted = false;
526 if (verbosity >= 2) {
527 printf("Checking if signing key is trusted:\n");
529 for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) {
530 if (verbosity >= 2) {
532 ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j));
534 for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) {
535 if (verbosity >= 2) {
536 printf("\tTrusted key: ");
537 ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k));
539 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j),
540 ldns_rr_list_rr(trusted_keys, k)) == 0) {
541 if (verbosity >= 2) {
542 printf("Key is now trusted!\n");
544 for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) {
545 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l)));
546 new_keys_trusted = true;
551 if (new_keys_trusted) {
552 print_rr_list_abbr(stdout, ds_list, TRUST);
554 print_rr_list_abbr(stdout, ds_list, SELF);
558 print_rr_list_abbr(stdout, ds_list, BOGUS);
561 ldns_rr_list_free(current_correct_keys);
562 current_correct_keys = NULL;
564 /* wait apparently there were no keys either, go back to the ds packet */
566 ldns_rr_list_deep_free(ds_sig_list);
567 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
568 (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
570 status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs);
572 if (verbosity >= 4) {
573 printf("NSEC(3) Records to verify:\n");
574 ldns_rr_list_print(stdout, nsec_rrs);
575 printf("With signatures:\n");
576 ldns_rr_list_print(stdout, nsec_rr_sigs);
577 printf("correct keys:\n");
578 ldns_rr_list_print(stdout, correct_key_list);
581 if (status == LDNS_STATUS_OK) {
582 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
583 fprintf(stdout, "%s ", TRUST);
584 fprintf(stdout, "Existence denied: ");
585 ldns_rdf_print(stdout, labels[i-1]);
587 fprintf(stdout, "\n");
588 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
589 fprintf(stdout, "%s ", SELF);
590 fprintf(stdout, "Existence denied: ");
591 ldns_rdf_print(stdout, labels[i-1]);
593 fprintf(stdout, "\n");
596 fprintf(stdout, "%s ", BOGUS);
597 printf("Error verifying denial of existence for ");
598 ldns_rdf_print(stdout, labels[i-1]);
600 printf(": %s\n", ldns_get_errorstr_by_id(st));
605 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
606 printf(";; No DS for ");
607 ldns_rdf_print(stdout, labels[i - 1]);
609 printf("[B] Unable to verify denial of existence for ");
610 ldns_rdf_print(stdout, labels[i - 1]);
611 printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
614 if (verbosity >= 2) {
615 printf(";; No ds record for delegation\n");
619 ldns_rr_list_deep_free(ds_list);
622 /* if this is the last label, just verify the data and stop */
623 p = get_dnssec_pkt(res, labels[i], t);
624 (void) get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list);
625 if (dataset && ldns_rr_list_rr_count(dataset) > 0) {
626 if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) {
628 /* If this is a wildcard, you must be able to deny exact match */
629 if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) {
630 fprintf(stdout, "%s ", TRUST);
631 ldns_rr_list_print(stdout, dataset);
632 } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) {
633 fprintf(stdout, "%s ", SELF);
634 ldns_rr_list_print(stdout, dataset);
637 fprintf(stdout, "%s ", BOGUS);
638 ldns_rr_list_print(stdout, dataset);
639 printf(";; Error: %s\n", ldns_get_errorstr_by_id(st));
642 fprintf(stdout, "%s ", UNSIGNED);
643 ldns_rr_list_print(stdout, dataset);
645 ldns_rr_list_deep_free(dataset);
647 status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs);
648 if (status == LDNS_STATUS_OK) {
649 /* verify the nsec3 themselves*/
650 if (verbosity >= 5) {
651 printf("NSEC(3) Records to verify:\n");
652 ldns_rr_list_print(stdout, nsec_rrs);
653 printf("With signatures:\n");
654 ldns_rr_list_print(stdout, nsec_rr_sigs);
655 printf("correct keys:\n");
656 ldns_rr_list_print(stdout, correct_key_list);
658 printf("trusted keys at %p:\n", trusted_keys);
659 ldns_rr_list_print(stdout, trusted_keys);
662 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
663 fprintf(stdout, "%s ", TRUST);
664 fprintf(stdout, "Existence denied: ");
665 ldns_rdf_print(stdout, name);
666 if (descriptor && descriptor->_name) {
667 printf(" %s", descriptor->_name);
669 printf(" TYPE%u", t);
671 fprintf(stdout, "\n");
672 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
673 fprintf(stdout, "%s ", SELF);
674 fprintf(stdout, "Existence denied: ");
675 ldns_rdf_print(stdout, name);
676 if (descriptor && descriptor->_name) {
677 printf(" %s", descriptor->_name);
679 printf(" TYPE%u", t);
681 fprintf(stdout, "\n");
684 fprintf(stdout, "%s ", BOGUS);
685 printf("Error verifying denial of existence for ");
686 ldns_rdf_print(stdout, name);
688 if (descriptor && descriptor->_name) {
689 printf("%s", descriptor->_name);
693 printf(": %s\n", ldns_get_errorstr_by_id(st));
696 ldns_rr_list_deep_free(nsec_rrs);
697 ldns_rr_list_deep_free(nsec_rr_sigs);
701 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
702 printf("%s ", UNSIGNED);
703 printf("No data found for: ");
704 ldns_rdf_print(stdout, name);
706 if (descriptor && descriptor->_name) {
707 printf("%s", descriptor->_name);
713 printf("[B] Unable to verify denial of existence for ");
714 ldns_rdf_print(stdout, name);
716 if (descriptor && descriptor->_name) {
717 printf("%s", descriptor->_name);
731 ldns_rr_list_deep_free(key_list);
733 ldns_rr_list_deep_free(key_sig_list);
736 ldns_rr_list_deep_free(ds_sig_list);
739 printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");
741 printf("Trusted keys:\n");
742 ldns_rr_list_print(stdout, trusted_keys);
743 printf("trusted dss:\n");
744 ldns_rr_list_print(stdout, trusted_ds_rrs);
748 ldns_rr_list_deep_free(trusted_ds_rrs);
749 ldns_rr_list_deep_free(correct_key_list);
750 ldns_resolver_deep_free(res);
752 for(i = 0 ; i < (ssize_t)labels_count + 2; i++) {
753 ldns_rdf_deep_free(labels[i]);
759 #endif /* HAVE_SSL */