3 * Where all the hard work concerning secure tracing is done
5 * (c) 2005, 2006 NLnet Labs
7 * See the file LICENSE for the license
12 #include <ldns/ldns.h>
14 #define SELF "[S]" /* self sig ok */
15 #define TRUST "[T]" /* chain from parent */
16 #define BOGUS "[B]" /* bogus */
17 #define UNSIGNED "[U]" /* no relevant dnssec data found */
20 /* See if there is a key/ds in trusted that matches
24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
31 if (!trusted || !ds) {
36 keys = ldns_rr_list_new();
41 if (!ds || !trusted) {
45 for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) {
46 rr_i = ldns_rr_list_rr(trusted, i);
47 for (j = 0; j < ldns_rr_list_rr_count(ds); j++) {
49 rr_j = ldns_rr_list_rr(ds, j);
50 if (ldns_rr_compare_ds(rr_i, rr_j)) {
52 /* only allow unique RRs to match */
53 ldns_rr_set_push_rr(keys, rr_i);
66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t)
69 p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0);
74 ldns_pkt_print(stdout, p);
82 * retrieve keys for this zone
85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
87 return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig);
91 * check to see if we can find a DS rrset here which we can then follow
94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
96 return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig);
101 remove_resolver_nameservers(ldns_resolver *res)
105 /* remove the old nameserver from the resolver */
106 while((pop = ldns_resolver_pop_nameserver(res))) {
107 ldns_rdf_deep_free(pop);
113 show_current_nameservers(FILE *out, ldns_resolver *res)
116 fprintf(out, "Current nameservers for resolver object:\n");
117 for (i = 0; i < ldns_resolver_nameserver_count(res); i++) {
118 ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]);
126 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
127 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name
131 ldns_pkt *p, *local_p;
132 ldns_rr_list *new_nss;
133 ldns_rr_list *ns_addr;
135 ldns_rdf **labels = NULL;
136 ldns_status status, st;
141 uint8_t labels_count = 0;
144 ldns_rr_list *key_list;
145 ldns_rr_list *key_sig_list;
146 ldns_rr_list *ds_list;
147 ldns_rr_list *ds_sig_list;
148 ldns_rr_list *correct_key_list;
149 ldns_rr_list *trusted_ds_rrs;
150 bool new_keys_trusted = false;
151 ldns_rr_list *current_correct_keys;
152 ldns_rr_list *dataset;
154 ldns_rr_list *nsec_rrs = NULL;
155 ldns_rr_list *nsec_rr_sigs = NULL;
157 /* empty non-terminal check */
159 ldns_rr *nsecrr; /* The nsec that proofs the non-terminal */
160 ldns_rdf *hashed_name; /* The query hashed with nsec3 params */
161 ldns_rdf *label0; /* The first label of an nsec3 owner name */
164 ldns_rr_list *new_ns_addr;
165 ldns_rr_list *old_ns_addr;
170 /* printing niceness */
171 const ldns_rr_descriptor *descriptor;
173 descriptor = ldns_rr_descript(t);
182 res = ldns_resolver_new();
187 error("Memory allocation failed");
192 correct_key_list = ldns_rr_list_new();
193 if (!correct_key_list) {
194 error("Memory allocation failed");
199 trusted_ds_rrs = ldns_rr_list_new();
200 if (!trusted_ds_rrs) {
201 error("Memory allocation failed");
205 /* Add all preset trusted DS signatures to the list of trusted DS RRs. */
206 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
207 ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j);
208 if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) {
209 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr));
213 /* transfer some properties of local_res to res */
214 ldns_resolver_set_ip6(res,
215 ldns_resolver_ip6(local_res));
216 ldns_resolver_set_port(res,
217 ldns_resolver_port(local_res));
218 ldns_resolver_set_debug(res,
219 ldns_resolver_debug(local_res));
220 ldns_resolver_set_fail(res,
221 ldns_resolver_fail(local_res));
222 ldns_resolver_set_usevc(res,
223 ldns_resolver_usevc(local_res));
224 ldns_resolver_set_random(res,
225 ldns_resolver_random(local_res));
226 ldns_resolver_set_source(res,
227 ldns_resolver_source(local_res));
228 ldns_resolver_set_recursive(local_res, true);
230 ldns_resolver_set_recursive(res, false);
231 ldns_resolver_set_dnssec_cd(res, false);
232 ldns_resolver_set_dnssec(res, true);
234 /* setup the root nameserver in the new resolver */
235 status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root);
236 if (status != LDNS_STATUS_OK) {
237 printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status));
238 ldns_rr_list_print(stdout, global_dns_root);
242 labels_count = ldns_dname_label_count(name);
244 if (ldns_dname_is_subdomain(name, start_name)) {
245 labels_count -= ldns_dname_label_count(start_name);
247 fprintf(stderr, "Error; ");
248 ldns_rdf_print(stderr, name);
249 fprintf(stderr, " is not a subdomain of ");
250 ldns_rdf_print(stderr, start_name);
251 fprintf(stderr, "\n");
255 labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2);
259 labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);
260 labels[1] = ldns_rdf_clone(name);
261 for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {
262 labels[i] = ldns_dname_left_chop(labels[i - 1]);
265 /* get the nameserver for the label
266 * ask: dnskey and ds for the label
268 for(i = (ssize_t)labels_count + 1; i > 0; i--) {
269 status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);
271 if (verbosity >= 5) {
272 ldns_pkt_print(stdout, local_p);
275 new_nss = ldns_pkt_rr_list_by_type(local_p,
276 LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
278 /* if it's a delegation, servers put them in the auth section */
279 new_nss = ldns_pkt_rr_list_by_type(local_p,
280 LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
283 /* if this is the final step there might not be nameserver records
284 of course if the data is in the apex, there are, so cover both
286 if (new_nss || i > 1) {
287 for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) {
288 ns_rr = ldns_rr_list_rr(new_nss, j);
289 pop = ldns_rr_rdf(ns_rr, 0);
294 /* retrieve it's addresses */
297 if (ldns_dname_is_subdomain(pop, labels[i])) {
298 new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
300 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
301 new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0);
303 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
304 new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0);
308 old_ns_addr = ns_addr;
309 ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr);
310 ldns_rr_list_deep_free(old_ns_addr);
312 ldns_rr_list_deep_free(new_ns_addr);
314 ldns_rr_list_deep_free(new_nss);
317 remove_resolver_nameservers(res);
319 if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) !=
321 error("Error adding new nameservers");
322 ldns_pkt_free(local_p);
325 ldns_rr_list_deep_free(ns_addr);
327 status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs);
329 /* verify the nsec3 themselves*/
330 if (verbosity >= 4) {
331 printf("NSEC(3) Records to verify:\n");
332 ldns_rr_list_print(stdout, nsec_rrs);
333 printf("With signatures:\n");
334 ldns_rr_list_print(stdout, nsec_rr_sigs);
335 printf("correct keys:\n");
336 ldns_rr_list_print(stdout, correct_key_list);
339 if (status == LDNS_STATUS_OK) {
340 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
341 fprintf(stdout, "%s ", TRUST);
342 fprintf(stdout, "Existence denied: ");
343 ldns_rdf_print(stdout, labels[i]);
345 if (descriptor && descriptor->_name) {
346 printf(" %s", descriptor->_name);
348 printf(" TYPE%u", t);
350 */ fprintf(stdout, " NS\n");
351 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
352 fprintf(stdout, "%s ", SELF);
353 fprintf(stdout, "Existence denied: ");
354 ldns_rdf_print(stdout, labels[i]);
356 if (descriptor && descriptor->_name) {
357 printf(" %s", descriptor->_name);
359 printf(" TYPE%u", t);
362 fprintf(stdout, " NS\n");
364 fprintf(stdout, "%s ", BOGUS);
366 printf(";; Error verifying denial of existence for name ");
367 ldns_rdf_print(stdout, labels[i]);
370 if (descriptor && descriptor->_name) {
371 printf("%s", descriptor->_name);
375 */ printf("NS: %s\n", ldns_get_errorstr_by_id(st));
378 fprintf(stdout, "%s ", BOGUS);
380 printf(";; Error verifying denial of existence for name ");
381 ldns_rdf_print(stdout, labels[i]);
382 printf("NS: %s\n", ldns_get_errorstr_by_id(status));
385 /* there might be an empty non-terminal, in which case we need to continue */
387 for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) {
388 nsecrr = ldns_rr_list_rr(nsec_rrs, j);
389 /* For NSEC when the next name is a subdomain of the question */
390 if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC &&
391 ldns_dname_is_subdomain(ldns_rr_rdf(nsecrr, 0), labels[i])) {
394 /* For NSEC3, the hash matches the name and the type bitmap is empty*/
395 } else if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC3) {
396 hashed_name = ldns_nsec3_hash_name_frm_nsec3(nsecrr, labels[i]);
397 label0 = ldns_dname_label(ldns_rr_owner(nsecrr), 0);
398 if (hashed_name && label0 &&
399 ldns_dname_compare(hashed_name, label0) == 0 &&
400 ldns_nsec3_bitmap(nsecrr) == NULL) {
407 LDNS_FREE(hashed_name);
412 ldns_rr_list_deep_free(nsec_rrs);
413 ldns_rr_list_deep_free(nsec_rr_sigs);
414 ldns_pkt_free(local_p);
417 printf(";; There is an empty non-terminal here, continue\n");
422 if (ldns_resolver_nameserver_count(res) == 0) {
423 error("No nameservers found for this node");
427 ldns_pkt_free(local_p);
429 fprintf(stdout, ";; Domain: ");
430 ldns_rdf_print(stdout, labels[i]);
431 fprintf(stdout, "\n");
433 /* retrieve keys for current domain, and verify them
434 if they match an already trusted DS, or if one of the
435 keys used to sign these is trusted, add the keys to
437 p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY);
438 (void) get_key(p, labels[i], &key_list, &key_sig_list);
441 current_correct_keys = ldns_rr_list_new();
442 if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) ==
444 /* add all signed keys (don't just add current_correct, you'd miss
446 for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) {
447 ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j)));
450 /* check whether these keys were signed
451 * by a trusted keys. if so, these
452 * keys are also trusted */
453 new_keys_trusted = false;
454 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
455 for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) {
456 if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k),
457 ldns_rr_list_rr(trusted_ds_rrs, j))) {
458 new_keys_trusted = true;
463 /* also all keys are trusted if one of the current correct keys is trusted */
464 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
465 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
466 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k),
467 ldns_rr_list_rr(trusted_keys, j)) == 0) {
468 new_keys_trusted = true;
474 if (new_keys_trusted) {
475 ldns_rr_list_push_rr_list(trusted_keys, key_list);
476 print_rr_list_abbr(stdout, key_list, TRUST);
477 ldns_rr_list_free(key_list);
480 if (verbosity >= 2) {
481 printf(";; Signature ok but no chain to a trusted key or ds record\n");
483 print_rr_list_abbr(stdout, key_list, SELF);
484 ldns_rr_list_deep_free(key_list);
488 print_rr_list_abbr(stdout, key_list, BOGUS);
490 ldns_rr_list_deep_free(key_list);
493 ldns_rr_list_free(current_correct_keys);
494 current_correct_keys = NULL;
496 printf(";; No DNSKEY record found for ");
497 ldns_rdf_print(stdout, labels[i]);
503 ldns_rr_list_deep_free(key_sig_list);
506 /* check the DS records for the next child domain */
508 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
509 (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
513 ldns_rr_list_deep_free(ds_sig_list);
515 p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
516 (void) get_ds(p, NULL, &ds_list, &ds_sig_list);
520 if (verbosity >= 4) {
521 printf("VERIFYING:\n");
522 printf("DS LIST:\n");
523 ldns_rr_list_print(stdout, ds_list);
525 ldns_rr_list_print(stdout, ds_sig_list);
527 ldns_rr_list_print(stdout, correct_key_list);
530 current_correct_keys = ldns_rr_list_new();
532 if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) ==
534 /* if the ds is signed by a trusted key and a key from correct keys
535 matches that ds, add that key to the trusted keys */
536 new_keys_trusted = false;
537 if (verbosity >= 2) {
538 printf("Checking if signing key is trusted:\n");
540 for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) {
541 if (verbosity >= 2) {
543 ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j));
545 for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) {
546 if (verbosity >= 2) {
547 printf("\tTrusted key: ");
548 ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k));
550 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j),
551 ldns_rr_list_rr(trusted_keys, k)) == 0) {
552 if (verbosity >= 2) {
553 printf("Key is now trusted!\n");
555 for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) {
556 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l)));
557 new_keys_trusted = true;
562 if (new_keys_trusted) {
563 print_rr_list_abbr(stdout, ds_list, TRUST);
565 print_rr_list_abbr(stdout, ds_list, SELF);
569 print_rr_list_abbr(stdout, ds_list, BOGUS);
572 ldns_rr_list_free(current_correct_keys);
573 current_correct_keys = NULL;
575 /* wait apparently there were no keys either, go back to the ds packet */
577 ldns_rr_list_deep_free(ds_sig_list);
578 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
579 (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
581 status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs);
583 if (verbosity >= 4) {
584 printf("NSEC(3) Records to verify:\n");
585 ldns_rr_list_print(stdout, nsec_rrs);
586 printf("With signatures:\n");
587 ldns_rr_list_print(stdout, nsec_rr_sigs);
588 printf("correct keys:\n");
589 ldns_rr_list_print(stdout, correct_key_list);
592 if (status == LDNS_STATUS_OK) {
593 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
594 fprintf(stdout, "%s ", TRUST);
595 fprintf(stdout, "Existence denied: ");
596 ldns_rdf_print(stdout, labels[i-1]);
598 fprintf(stdout, "\n");
599 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
600 fprintf(stdout, "%s ", SELF);
601 fprintf(stdout, "Existence denied: ");
602 ldns_rdf_print(stdout, labels[i-1]);
604 fprintf(stdout, "\n");
607 fprintf(stdout, "%s ", BOGUS);
608 printf("Error verifying denial of existence for ");
609 ldns_rdf_print(stdout, labels[i-1]);
611 printf(": %s\n", ldns_get_errorstr_by_id(st));
616 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
617 printf(";; No DS for ");
618 ldns_rdf_print(stdout, labels[i - 1]);
620 printf("[B] Unable to verify denial of existence for ");
621 ldns_rdf_print(stdout, labels[i - 1]);
622 printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
625 if (verbosity >= 2) {
626 printf(";; No ds record for delegation\n");
630 ldns_rr_list_deep_free(ds_list);
633 /* if this is the last label, just verify the data and stop */
634 p = get_dnssec_pkt(res, labels[i], t);
635 (void) get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list);
636 if (dataset && ldns_rr_list_rr_count(dataset) > 0) {
637 if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) {
639 /* If this is a wildcard, you must be able to deny exact match */
640 if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) {
641 fprintf(stdout, "%s ", TRUST);
642 ldns_rr_list_print(stdout, dataset);
643 } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) {
644 fprintf(stdout, "%s ", SELF);
645 ldns_rr_list_print(stdout, dataset);
648 fprintf(stdout, "%s ", BOGUS);
649 ldns_rr_list_print(stdout, dataset);
650 printf(";; Error: %s\n", ldns_get_errorstr_by_id(st));
653 fprintf(stdout, "%s ", UNSIGNED);
654 ldns_rr_list_print(stdout, dataset);
656 ldns_rr_list_deep_free(dataset);
658 status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs);
659 if (status == LDNS_STATUS_OK) {
660 /* verify the nsec3 themselves*/
661 if (verbosity >= 5) {
662 printf("NSEC(3) Records to verify:\n");
663 ldns_rr_list_print(stdout, nsec_rrs);
664 printf("With signatures:\n");
665 ldns_rr_list_print(stdout, nsec_rr_sigs);
666 printf("correct keys:\n");
667 ldns_rr_list_print(stdout, correct_key_list);
669 printf("trusted keys at %p:\n", trusted_keys);
670 ldns_rr_list_print(stdout, trusted_keys);
673 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
674 fprintf(stdout, "%s ", TRUST);
675 fprintf(stdout, "Existence denied: ");
676 ldns_rdf_print(stdout, name);
677 if (descriptor && descriptor->_name) {
678 printf(" %s", descriptor->_name);
680 printf(" TYPE%u", t);
682 fprintf(stdout, "\n");
683 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
684 fprintf(stdout, "%s ", SELF);
685 fprintf(stdout, "Existence denied: ");
686 ldns_rdf_print(stdout, name);
687 if (descriptor && descriptor->_name) {
688 printf(" %s", descriptor->_name);
690 printf(" TYPE%u", t);
692 fprintf(stdout, "\n");
695 fprintf(stdout, "%s ", BOGUS);
696 printf("Error verifying denial of existence for ");
697 ldns_rdf_print(stdout, name);
699 if (descriptor && descriptor->_name) {
700 printf("%s", descriptor->_name);
704 printf(": %s\n", ldns_get_errorstr_by_id(st));
707 ldns_rr_list_deep_free(nsec_rrs);
708 ldns_rr_list_deep_free(nsec_rr_sigs);
712 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
713 printf("%s ", UNSIGNED);
714 printf("No data found for: ");
715 ldns_rdf_print(stdout, name);
717 if (descriptor && descriptor->_name) {
718 printf("%s", descriptor->_name);
724 printf("[B] Unable to verify denial of existence for ");
725 ldns_rdf_print(stdout, name);
727 if (descriptor && descriptor->_name) {
728 printf("%s", descriptor->_name);
742 ldns_rr_list_deep_free(key_list);
744 ldns_rr_list_deep_free(key_sig_list);
747 ldns_rr_list_deep_free(ds_sig_list);
750 printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");
752 printf("Trusted keys:\n");
753 ldns_rr_list_print(stdout, trusted_keys);
754 printf("trusted dss:\n");
755 ldns_rr_list_print(stdout, trusted_ds_rrs);
759 ldns_rr_list_deep_free(trusted_ds_rrs);
760 ldns_rr_list_deep_free(correct_key_list);
761 ldns_resolver_deep_free(res);
763 for(i = 0 ; i < (ssize_t)labels_count + 2; i++) {
764 ldns_rdf_deep_free(labels[i]);
770 #endif /* HAVE_SSL */