2 * validator/val_utils.c - validator utility functions.
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 * This file contains helper functions for the validator module.
42 #include "validator/val_utils.h"
43 #include "validator/validator.h"
44 #include "validator/val_kentry.h"
45 #include "validator/val_sigcrypt.h"
46 #include "validator/val_anchor.h"
47 #include "validator/val_nsec.h"
48 #include "validator/val_neg.h"
49 #include "services/cache/rrset.h"
50 #include "services/cache/dns.h"
51 #include "util/data/msgreply.h"
52 #include "util/data/packed_rrset.h"
53 #include "util/data/dname.h"
54 #include "util/net_help.h"
55 #include "util/module.h"
56 #include "util/regional.h"
57 #include "util/config_file.h"
58 #include "sldns/wire2str.h"
59 #include "sldns/parseutil.h"
61 enum val_classification
62 val_classify_response(uint16_t query_flags, struct query_info* origqinf,
63 struct query_info* qinf, struct reply_info* rep, size_t skip)
65 int rcode = (int)FLAGS_GET_RCODE(rep->flags);
68 /* Normal Name Error's are easy to detect -- but don't mistake a CNAME
69 * chain ending in NXDOMAIN. */
70 if(rcode == LDNS_RCODE_NXDOMAIN && rep->an_numrrsets == 0)
71 return VAL_CLASS_NAMEERROR;
73 /* check for referral: nonRD query and it looks like a nodata */
74 if(!(query_flags&BIT_RD) && rep->an_numrrsets == 0 &&
75 rcode == LDNS_RCODE_NOERROR) {
76 /* SOA record in auth indicates it is NODATA instead.
77 * All validation requiring NODATA messages have SOA in
78 * authority section. */
79 /* uses fact that answer section is empty */
81 for(i=0; i<rep->ns_numrrsets; i++) {
82 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA)
83 return VAL_CLASS_NODATA;
84 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DS)
85 return VAL_CLASS_REFERRAL;
86 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS)
89 return saw_ns?VAL_CLASS_REFERRAL:VAL_CLASS_NODATA;
91 /* root referral where NS set is in the answer section */
92 if(!(query_flags&BIT_RD) && rep->ns_numrrsets == 0 &&
93 rep->an_numrrsets == 1 && rcode == LDNS_RCODE_NOERROR &&
94 ntohs(rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_NS &&
95 query_dname_compare(rep->rrsets[0]->rk.dname,
96 origqinf->qname) != 0)
97 return VAL_CLASS_REFERRAL;
99 /* dump bad messages */
100 if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN)
101 return VAL_CLASS_UNKNOWN;
102 /* next check if the skip into the answer section shows no answer */
103 if(skip>0 && rep->an_numrrsets <= skip)
104 return VAL_CLASS_CNAMENOANSWER;
107 if(rcode == LDNS_RCODE_NOERROR && rep->an_numrrsets == 0)
108 return VAL_CLASS_NODATA;
110 /* We distinguish between CNAME response and other positive/negative
111 * responses because CNAME answers require extra processing. */
113 /* We distinguish between ANY and CNAME or POSITIVE because
114 * ANY responses are validated differently. */
115 if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY)
116 return VAL_CLASS_ANY;
118 /* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
119 * qtype=CNAME, this will yield a CNAME response. */
120 for(i=skip; i<rep->an_numrrsets; i++) {
121 if(rcode == LDNS_RCODE_NOERROR &&
122 ntohs(rep->rrsets[i]->rk.type) == qinf->qtype)
123 return VAL_CLASS_POSITIVE;
124 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME)
125 return VAL_CLASS_CNAME;
127 log_dns_msg("validator: error. failed to classify response message: ",
129 return VAL_CLASS_UNKNOWN;
132 /** Get signer name from RRSIG */
134 rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen)
136 /* RRSIG rdata is not allowed to be compressed, it is stored
137 * uncompressed in memory as well, so return a ptr to the name */
140 * short, byte, byte, long, long, long, short, "." is
141 * 2 1 1 4 4 4 2 1 = 19
142 * and a skip of 18 bytes to the name.
143 * +2 for the rdatalen is 21 bytes len for root label */
148 data += 20; /* skip the fixed size bits */
150 *slen = dname_valid(data, len);
152 /* bad dname in this rrsig. */
160 val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
163 struct packed_rrset_data* d = (struct packed_rrset_data*)
165 /* return signer for first signature, or NULL */
166 if(d->rrsig_count == 0) {
171 /* get rrsig signer name out of the signature */
172 rrsig_get_signer(d->rr_data[d->count], d->rr_len[d->count],
177 * Find best signer name in this set of rrsigs.
178 * @param rrset: which rrsigs to look through.
179 * @param qinf: the query name that needs validation.
180 * @param signer_name: the best signer_name. Updated if a better one is found.
181 * @param signer_len: length of signer name.
182 * @param matchcount: count of current best name (starts at 0 for no match).
183 * Updated if match is improved.
186 val_find_best_signer(struct ub_packed_rrset_key* rrset,
187 struct query_info* qinf, uint8_t** signer_name, size_t* signer_len,
190 struct packed_rrset_data* d = (struct packed_rrset_data*)
195 for(i=d->count; i<d->count+d->rrsig_count; i++) {
196 sign = d->rr_data[i]+2+18;
197 /* look at signatures that are valid (long enough),
198 * and have a signer name that is a superdomain of qname,
199 * and then check the number of labels in the shared topdomain
200 * improve the match if possible */
201 if(d->rr_len[i] > 2+19 && /* rdata, sig + root label*/
202 dname_subdomain_c(qinf->qname, sign)) {
203 (void)dname_lab_cmp(qinf->qname,
204 dname_count_labels(qinf->qname),
205 sign, dname_count_labels(sign), &m);
206 if(m > *matchcount) {
209 (void)dname_count_size_labels(*signer_name,
217 val_find_signer(enum val_classification subtype, struct query_info* qinf,
218 struct reply_info* rep, size_t skip, uint8_t** signer_name,
223 if(subtype == VAL_CLASS_POSITIVE) {
224 /* check for the answer rrset */
225 for(i=skip; i<rep->an_numrrsets; i++) {
226 if(query_dname_compare(qinf->qname,
227 rep->rrsets[i]->rk.dname) == 0) {
228 val_find_rrset_signer(rep->rrsets[i],
229 signer_name, signer_len);
235 } else if(subtype == VAL_CLASS_CNAME) {
236 /* check for the first signed cname/dname rrset */
237 for(i=skip; i<rep->an_numrrsets; i++) {
238 val_find_rrset_signer(rep->rrsets[i],
239 signer_name, signer_len);
242 if(ntohs(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_DNAME)
243 break; /* only check CNAME after a DNAME */
247 } else if(subtype == VAL_CLASS_NAMEERROR
248 || subtype == VAL_CLASS_NODATA) {
249 /*Check to see if the AUTH section NSEC record(s) have rrsigs*/
250 for(i=rep->an_numrrsets; i<
251 rep->an_numrrsets+rep->ns_numrrsets; i++) {
252 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
253 || ntohs(rep->rrsets[i]->rk.type) ==
254 LDNS_RR_TYPE_NSEC3) {
255 val_find_rrset_signer(rep->rrsets[i],
256 signer_name, signer_len);
260 } else if(subtype == VAL_CLASS_CNAMENOANSWER) {
261 /* find closest superdomain signer name in authority section
266 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->
268 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
269 || ntohs(rep->rrsets[i]->rk.type) ==
270 LDNS_RR_TYPE_NSEC3) {
271 val_find_best_signer(rep->rrsets[i], qinf,
272 signer_name, signer_len, &matchcount);
275 } else if(subtype == VAL_CLASS_ANY) {
276 /* check for one of the answer rrset that has signatures,
277 * or potentially a DNAME is in use with a different qname */
278 for(i=skip; i<rep->an_numrrsets; i++) {
279 if(query_dname_compare(qinf->qname,
280 rep->rrsets[i]->rk.dname) == 0) {
281 val_find_rrset_signer(rep->rrsets[i],
282 signer_name, signer_len);
287 /* no answer RRSIGs with qname, try a DNAME */
288 if(skip < rep->an_numrrsets &&
289 ntohs(rep->rrsets[skip]->rk.type) ==
290 LDNS_RR_TYPE_DNAME) {
291 val_find_rrset_signer(rep->rrsets[skip],
292 signer_name, signer_len);
298 } else if(subtype == VAL_CLASS_REFERRAL) {
299 /* find keys for the item at skip */
300 if(skip < rep->rrset_count) {
301 val_find_rrset_signer(rep->rrsets[skip],
302 signer_name, signer_len);
308 verbose(VERB_QUERY, "find_signer: could not find signer name"
309 " for unknown type response");
315 /** return number of rrs in an rrset */
317 rrset_get_count(struct ub_packed_rrset_key* rrset)
319 struct packed_rrset_data* d = (struct packed_rrset_data*)
325 /** return TTL of rrset */
327 rrset_get_ttl(struct ub_packed_rrset_key* rrset)
329 struct packed_rrset_data* d = (struct packed_rrset_data*)
336 val_verify_rrset(struct module_env* env, struct val_env* ve,
337 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
338 uint8_t* sigalg, char** reason)
341 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
343 if(d->security == sec_status_secure) {
344 /* re-verify all other statuses, because keyset may change*/
345 log_nametypeclass(VERB_ALGO, "verify rrset cached",
346 rrset->rk.dname, ntohs(rrset->rk.type),
347 ntohs(rrset->rk.rrset_class));
350 /* check in the cache if verification has already been done */
351 rrset_check_sec_status(env->rrset_cache, rrset, *env->now);
352 if(d->security == sec_status_secure) {
353 log_nametypeclass(VERB_ALGO, "verify rrset from cache",
354 rrset->rk.dname, ntohs(rrset->rk.type),
355 ntohs(rrset->rk.rrset_class));
358 log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname,
359 ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class));
360 sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason);
361 verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec));
362 regional_free_all(env->scratch);
364 /* update rrset security status
365 * only improves security status
366 * and bogus is set only once, even if we rechecked the status */
367 if(sec > d->security) {
369 if(sec == sec_status_secure)
370 d->trust = rrset_trust_validated;
371 else if(sec == sec_status_bogus) {
373 /* update ttl for rrset to fixed value. */
374 d->ttl = ve->bogus_ttl;
375 for(i=0; i<d->count+d->rrsig_count; i++)
376 d->rr_ttl[i] = ve->bogus_ttl;
377 /* leave RR specific TTL: not used for determine
378 * if RRset timed out and clients see proper value. */
379 lock_basic_lock(&ve->bogus_lock);
380 ve->num_rrset_bogus++;
381 lock_basic_unlock(&ve->bogus_lock);
383 /* if status updated - store in cache for reuse */
384 rrset_update_sec_status(env->rrset_cache, rrset, *env->now);
391 val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
392 struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey,
395 /* temporary dnskey rrset-key */
396 struct ub_packed_rrset_key dnskey;
397 struct key_entry_data* kd = (struct key_entry_data*)kkey->entry.data;
399 dnskey.rk.type = htons(kd->rrset_type);
400 dnskey.rk.rrset_class = htons(kkey->key_class);
402 dnskey.rk.dname = kkey->name;
403 dnskey.rk.dname_len = kkey->namelen;
404 dnskey.entry.key = &dnskey;
405 dnskey.entry.data = kd->rrset_data;
406 sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason);
410 /** verify that a DS RR hashes to a key and that key signs the set */
411 static enum sec_status
412 verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
413 struct ub_packed_rrset_key* dnskey_rrset,
414 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason)
416 enum sec_status sec = sec_status_bogus;
417 size_t i, num, numchecked = 0, numhashok = 0;
418 num = rrset_get_count(dnskey_rrset);
419 for(i=0; i<num; i++) {
420 /* Skip DNSKEYs that don't match the basic criteria. */
421 if(ds_get_key_algo(ds_rrset, ds_idx)
422 != dnskey_get_algo(dnskey_rrset, i)
423 || dnskey_calc_keytag(dnskey_rrset, i)
424 != ds_get_keytag(ds_rrset, ds_idx)) {
428 verbose(VERB_ALGO, "attempt DS match algo %d keytag %d",
429 ds_get_key_algo(ds_rrset, ds_idx),
430 ds_get_keytag(ds_rrset, ds_idx));
432 /* Convert the candidate DNSKEY into a hash using the
433 * same DS hash algorithm. */
434 if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset,
436 verbose(VERB_ALGO, "DS match attempt failed");
440 verbose(VERB_ALGO, "DS match digest ok, trying signature");
442 /* Otherwise, we have a match! Make sure that the DNSKEY
443 * verifies *with this key* */
444 sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
445 dnskey_rrset, i, reason);
446 if(sec == sec_status_secure) {
449 /* If it didn't validate with the DNSKEY, try the next one! */
452 algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx),
453 reason, "no keys have a DS");
454 else if(numhashok == 0)
455 *reason = "DS hash mismatches key";
457 *reason = "keyset not secured by DNSKEY that matches DS";
458 return sec_status_bogus;
461 int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset)
463 size_t i, num = rrset_get_count(ds_rrset);
464 int d, digest_algo = 0; /* DS digest algo 0 is not used. */
465 /* find favorite algo, for now, highest number supported */
466 for(i=0; i<num; i++) {
467 if(!ds_digest_algo_is_supported(ds_rrset, i) ||
468 !ds_key_algo_is_supported(ds_rrset, i)) {
471 d = ds_get_digest_algo(ds_rrset, i);
479 val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
480 struct ub_packed_rrset_key* dnskey_rrset,
481 struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason)
483 /* as long as this is false, we can consider this DS rrset to be
484 * equivalent to no DS rrset. */
485 int has_useful_ds = 0, digest_algo, alg;
486 struct algo_needs needs;
490 if(dnskey_rrset->rk.dname_len != ds_rrset->rk.dname_len ||
491 query_dname_compare(dnskey_rrset->rk.dname, ds_rrset->rk.dname)
493 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
495 *reason = "DNSKEY RRset did not match DS RRset by name";
496 return sec_status_bogus;
500 /* harden against algo downgrade is enabled */
501 digest_algo = val_favorite_ds_algo(ds_rrset);
502 algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg);
504 /* accept any key algo, any digest algo */
507 num = rrset_get_count(ds_rrset);
508 for(i=0; i<num; i++) {
509 /* Check to see if we can understand this DS.
510 * And check it is the strongest digest */
511 if(!ds_digest_algo_is_supported(ds_rrset, i) ||
512 !ds_key_algo_is_supported(ds_rrset, i) ||
513 (sigalg && (ds_get_digest_algo(ds_rrset, i) != digest_algo))) {
517 /* Once we see a single DS with a known digestID and
518 * algorithm, we cannot return INSECURE (with a
519 * "null" KeyEntry). */
522 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
523 ds_rrset, i, reason);
524 if(sec == sec_status_secure) {
525 if(!sigalg || algo_needs_set_secure(&needs,
526 (uint8_t)ds_get_key_algo(ds_rrset, i))) {
527 verbose(VERB_ALGO, "DS matched DNSKEY.");
528 return sec_status_secure;
530 } else if(sigalg && sec == sec_status_bogus) {
531 algo_needs_set_bogus(&needs,
532 (uint8_t)ds_get_key_algo(ds_rrset, i));
536 /* None of the DS's worked out. */
538 /* If no DSs were understandable, then this is OK. */
540 verbose(VERB_ALGO, "No usable DS records were found -- "
541 "treating as insecure.");
542 return sec_status_insecure;
544 /* If any were understandable, then it is bad. */
545 verbose(VERB_QUERY, "Failed to match any usable DS to a DNSKEY.");
546 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
547 algo_needs_reason(env, alg, reason, "missing verification of "
550 return sec_status_bogus;
553 struct key_entry_key*
554 val_verify_new_DNSKEYs(struct regional* region, struct module_env* env,
555 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
556 struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason)
558 uint8_t sigalg[ALGO_NEEDS_MAX+1];
559 enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve,
560 dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason);
562 if(sec == sec_status_secure) {
563 return key_entry_create_rrset(region,
564 ds_rrset->rk.dname, ds_rrset->rk.dname_len,
565 ntohs(ds_rrset->rk.rrset_class), dnskey_rrset,
566 downprot?sigalg:NULL, *env->now);
567 } else if(sec == sec_status_insecure) {
568 return key_entry_create_null(region, ds_rrset->rk.dname,
569 ds_rrset->rk.dname_len,
570 ntohs(ds_rrset->rk.rrset_class),
571 rrset_get_ttl(ds_rrset), *env->now);
573 return key_entry_create_bad(region, ds_rrset->rk.dname,
574 ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class),
575 BOGUS_KEY_TTL, *env->now);
579 val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
580 struct ub_packed_rrset_key* dnskey_rrset,
581 struct ub_packed_rrset_key* ta_ds,
582 struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason)
584 /* as long as this is false, we can consider this anchor to be
585 * equivalent to no anchor. */
586 int has_useful_ta = 0, digest_algo = 0, alg;
587 struct algo_needs needs;
591 if(ta_ds && (dnskey_rrset->rk.dname_len != ta_ds->rk.dname_len ||
592 query_dname_compare(dnskey_rrset->rk.dname, ta_ds->rk.dname)
594 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
596 *reason = "DNSKEY RRset did not match DS RRset by name";
597 return sec_status_bogus;
599 if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len
600 || query_dname_compare(dnskey_rrset->rk.dname, ta_dnskey->rk.dname)
602 verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset "
604 *reason = "DNSKEY RRset did not match anchor RRset by name";
605 return sec_status_bogus;
609 digest_algo = val_favorite_ds_algo(ta_ds);
612 algo_needs_init_ds(&needs, ta_ds, digest_algo, sigalg);
613 else memset(&needs, 0, sizeof(needs));
615 algo_needs_init_dnskey_add(&needs, ta_dnskey, sigalg);
618 num = rrset_get_count(ta_ds);
619 for(i=0; i<num; i++) {
620 /* Check to see if we can understand this DS.
621 * And check it is the strongest digest */
622 if(!ds_digest_algo_is_supported(ta_ds, i) ||
623 !ds_key_algo_is_supported(ta_ds, i) ||
624 ds_get_digest_algo(ta_ds, i) != digest_algo)
627 /* Once we see a single DS with a known digestID and
628 * algorithm, we cannot return INSECURE (with a
629 * "null" KeyEntry). */
632 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
634 if(sec == sec_status_secure) {
635 if(!sigalg || algo_needs_set_secure(&needs,
636 (uint8_t)ds_get_key_algo(ta_ds, i))) {
637 verbose(VERB_ALGO, "DS matched DNSKEY.");
638 return sec_status_secure;
640 } else if(sigalg && sec == sec_status_bogus) {
641 algo_needs_set_bogus(&needs,
642 (uint8_t)ds_get_key_algo(ta_ds, i));
647 /* None of the DS's worked out: check the DNSKEYs. */
649 num = rrset_get_count(ta_dnskey);
650 for(i=0; i<num; i++) {
651 /* Check to see if we can understand this DNSKEY */
652 if(!dnskey_algo_is_supported(ta_dnskey, i))
655 /* we saw a useful TA */
658 sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
659 ta_dnskey, i, reason);
660 if(sec == sec_status_secure) {
661 if(!sigalg || algo_needs_set_secure(&needs,
662 (uint8_t)dnskey_get_algo(ta_dnskey, i))) {
663 verbose(VERB_ALGO, "anchor matched DNSKEY.");
664 return sec_status_secure;
666 } else if(sigalg && sec == sec_status_bogus) {
667 algo_needs_set_bogus(&needs,
668 (uint8_t)dnskey_get_algo(ta_dnskey, i));
673 /* If no DSs were understandable, then this is OK. */
675 verbose(VERB_ALGO, "No usable trust anchors were found -- "
676 "treating as insecure.");
677 return sec_status_insecure;
679 /* If any were understandable, then it is bad. */
680 verbose(VERB_QUERY, "Failed to match any usable anchor to a DNSKEY.");
681 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
682 algo_needs_reason(env, alg, reason, "missing verification of "
685 return sec_status_bogus;
688 struct key_entry_key*
689 val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env,
690 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
691 struct ub_packed_rrset_key* ta_ds_rrset,
692 struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
695 uint8_t sigalg[ALGO_NEEDS_MAX+1];
696 enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve,
697 dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset,
698 downprot?sigalg:NULL, reason);
700 if(sec == sec_status_secure) {
701 return key_entry_create_rrset(region,
702 dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len,
703 ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset,
704 downprot?sigalg:NULL, *env->now);
705 } else if(sec == sec_status_insecure) {
706 return key_entry_create_null(region, dnskey_rrset->rk.dname,
707 dnskey_rrset->rk.dname_len,
708 ntohs(dnskey_rrset->rk.rrset_class),
709 rrset_get_ttl(dnskey_rrset), *env->now);
711 return key_entry_create_bad(region, dnskey_rrset->rk.dname,
712 dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class),
713 BOGUS_KEY_TTL, *env->now);
717 val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset)
720 for(i=0; i<rrset_get_count(ds_rrset); i++) {
721 if(ds_digest_algo_is_supported(ds_rrset, i) &&
722 ds_key_algo_is_supported(ds_rrset, i))
725 if(verbosity < VERB_ALGO)
727 if(rrset_get_count(ds_rrset) == 0)
728 verbose(VERB_ALGO, "DS is not usable");
730 /* report usability for the first DS RR */
731 sldns_lookup_table *lt;
732 char herr[64], aerr[64];
733 lt = sldns_lookup_by_id(sldns_hashes,
734 (int)ds_get_digest_algo(ds_rrset, i));
735 if(lt) snprintf(herr, sizeof(herr), "%s", lt->name);
736 else snprintf(herr, sizeof(herr), "%d",
737 (int)ds_get_digest_algo(ds_rrset, i));
738 lt = sldns_lookup_by_id(sldns_algorithms,
739 (int)ds_get_key_algo(ds_rrset, i));
740 if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name);
741 else snprintf(aerr, sizeof(aerr), "%d",
742 (int)ds_get_key_algo(ds_rrset, i));
743 verbose(VERB_ALGO, "DS unsupported, hash %s %s, "
744 "key algorithm %s %s", herr,
745 (ds_digest_algo_is_supported(ds_rrset, 0)?
746 "(supported)":"(unsupported)"), aerr,
747 (ds_key_algo_is_supported(ds_rrset, 0)?
748 "(supported)":"(unsupported)"));
753 /** get label count for a signature */
755 rrsig_get_labcount(struct packed_rrset_data* d, size_t sig)
757 if(d->rr_len[sig] < 2+4)
758 return 0; /* bad sig length */
759 return d->rr_data[sig][2+3];
763 val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc)
765 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
771 if(d->rrsig_count == 0) {
774 labcount = rrsig_get_labcount(d, d->count + 0);
775 /* check rest of signatures identical */
776 for(i=1; i<d->rrsig_count; i++) {
777 if(labcount != rrsig_get_labcount(d, d->count + i)) {
781 /* OK the rrsigs check out */
782 /* if the RRSIG label count is shorter than the number of actual
783 * labels, then this rrset was synthesized from a wildcard.
784 * Note that the RRSIG label count doesn't count the root label. */
785 wn = rrset->rk.dname;
786 wl = rrset->rk.dname_len;
787 /* skip a leading wildcard label in the dname (RFC4035 2.2) */
788 if(dname_is_wild(wn)) {
792 labdiff = (dname_count_labels(wn) - 1) - (int)labcount;
795 dname_remove_labels(wc, &wl, labdiff);
802 val_chase_cname(struct query_info* qchase, struct reply_info* rep,
803 size_t* cname_skip) {
805 /* skip any DNAMEs, go to the CNAME for next part */
806 for(i = *cname_skip; i < rep->an_numrrsets; i++) {
807 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME &&
808 query_dname_compare(qchase->qname, rep->rrsets[i]->
810 qchase->qname = NULL;
811 get_cname_target(rep->rrsets[i], &qchase->qname,
814 return 0; /* bad CNAME rdata */
819 return 0; /* CNAME classified but no matching CNAME ?! */
822 /** see if rrset has signer name as one of the rrsig signers */
824 rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len)
826 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
829 for(i = d->count; i< d->count+d->rrsig_count; i++) {
830 if(d->rr_len[i] > 2+18+len) {
831 /* at least rdatalen + signature + signame (+1 sig)*/
832 if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18))
834 if(query_dname_compare(name, d->rr_data[i]+2+18) == 0)
844 val_fill_reply(struct reply_info* chase, struct reply_info* orig,
845 size_t skip, uint8_t* name, size_t len, uint8_t* signer)
849 chase->rrset_count = 0;
850 chase->an_numrrsets = 0;
851 chase->ns_numrrsets = 0;
852 chase->ar_numrrsets = 0;
854 for(i=skip; i<orig->an_numrrsets; i++) {
856 if(query_dname_compare(name,
857 orig->rrsets[i]->rk.dname) == 0)
858 chase->rrsets[chase->an_numrrsets++] =
860 } else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) ==
861 LDNS_RR_TYPE_CNAME) {
862 chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
864 } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
865 chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
866 if(ntohs(orig->rrsets[i]->rk.type) ==
867 LDNS_RR_TYPE_DNAME) {
872 /* AUTHORITY section */
873 for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets;
874 i<orig->an_numrrsets+orig->ns_numrrsets;
877 if(query_dname_compare(name,
878 orig->rrsets[i]->rk.dname) == 0)
879 chase->rrsets[chase->an_numrrsets+
880 chase->ns_numrrsets++] = orig->rrsets[i];
881 } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
882 chase->rrsets[chase->an_numrrsets+
883 chase->ns_numrrsets++] = orig->rrsets[i];
886 /* ADDITIONAL section */
887 for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)?
888 skip:orig->an_numrrsets+orig->ns_numrrsets;
889 i<orig->rrset_count; i++) {
891 if(query_dname_compare(name,
892 orig->rrsets[i]->rk.dname) == 0)
893 chase->rrsets[chase->an_numrrsets
894 +orig->ns_numrrsets+chase->ar_numrrsets++]
896 } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
897 chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
898 chase->ar_numrrsets++] = orig->rrsets[i];
901 chase->rrset_count = chase->an_numrrsets + chase->ns_numrrsets +
905 void val_reply_remove_auth(struct reply_info* rep, size_t index)
907 log_assert(index < rep->rrset_count);
908 log_assert(index >= rep->an_numrrsets);
909 log_assert(index < rep->an_numrrsets+rep->ns_numrrsets);
910 memmove(rep->rrsets+index, rep->rrsets+index+1,
911 sizeof(struct ub_packed_rrset_key*)*
912 (rep->rrset_count - index - 1));
918 val_check_nonsecure(struct module_env* env, struct reply_info* rep)
922 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
923 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
924 ->security != sec_status_secure) {
925 /* because we want to return the authentic original
926 * message when presented with CD-flagged queries,
927 * we need to preserve AUTHORITY section data.
928 * However, this rrset is not signed or signed
929 * with the wrong keys. Validation has tried to
930 * verify this rrset with the keysets of import.
931 * But this rrset did not verify.
932 * Therefore the message is bogus.
935 /* check if authority has an NS record
936 * which is bad, and there is an answer section with
937 * data. In that case, delete NS and additional to
938 * be lenient and make a minimal response */
939 if(rep->an_numrrsets != 0 &&
940 ntohs(rep->rrsets[i]->rk.type)
941 == LDNS_RR_TYPE_NS) {
942 verbose(VERB_ALGO, "truncate to minimal");
943 rep->ar_numrrsets = 0;
944 rep->rrset_count = rep->an_numrrsets +
946 /* remove this unneeded authority rrset */
947 memmove(rep->rrsets+i, rep->rrsets+i+1,
948 sizeof(struct ub_packed_rrset_key*)*
949 (rep->rrset_count - i - 1));
956 log_nametypeclass(VERB_QUERY, "message is bogus, "
958 rep->rrsets[i]->rk.dname,
959 ntohs(rep->rrsets[i]->rk.type),
960 ntohs(rep->rrsets[i]->rk.rrset_class));
961 rep->security = sec_status_bogus;
966 if(!env->cfg->val_clean_additional)
968 for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
969 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
970 ->security != sec_status_secure) {
971 /* This does not cause message invalidation. It was
972 * simply unsigned data in the additional. The
973 * RRSIG must have been truncated off the message.
975 * However, we do not want to return possible bogus
976 * data to clients that rely on this service for
977 * their authentication.
979 /* remove this unneeded additional rrset */
980 memmove(rep->rrsets+i, rep->rrsets+i+1,
981 sizeof(struct ub_packed_rrset_key*)*
982 (rep->rrset_count - i - 1));
990 /** check no anchor and unlock */
992 check_no_anchor(struct val_anchors* anchors, uint8_t* nm, size_t l, uint16_t c)
994 struct trust_anchor* ta;
995 if((ta=anchors_lookup(anchors, nm, l, c))) {
996 lock_basic_unlock(&ta->lock);
1002 val_mark_indeterminate(struct reply_info* rep, struct val_anchors* anchors,
1003 struct rrset_cache* r, struct module_env* env)
1006 struct packed_rrset_data* d;
1007 for(i=0; i<rep->rrset_count; i++) {
1008 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1009 if(d->security == sec_status_unchecked &&
1010 check_no_anchor(anchors, rep->rrsets[i]->rk.dname,
1011 rep->rrsets[i]->rk.dname_len,
1012 ntohs(rep->rrsets[i]->rk.rrset_class)))
1014 /* mark as indeterminate */
1015 d->security = sec_status_indeterminate;
1016 rrset_update_sec_status(r, rep->rrsets[i], *env->now);
1022 val_mark_insecure(struct reply_info* rep, uint8_t* kname,
1023 struct rrset_cache* r, struct module_env* env)
1026 struct packed_rrset_data* d;
1027 for(i=0; i<rep->rrset_count; i++) {
1028 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1029 if(d->security == sec_status_unchecked &&
1030 dname_subdomain_c(rep->rrsets[i]->rk.dname, kname)) {
1031 /* mark as insecure */
1032 d->security = sec_status_insecure;
1033 rrset_update_sec_status(r, rep->rrsets[i], *env->now);
1039 val_next_unchecked(struct reply_info* rep, size_t skip)
1042 struct packed_rrset_data* d;
1043 for(i=skip+1; i<rep->rrset_count; i++) {
1044 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1045 if(d->security == sec_status_unchecked) {
1049 return rep->rrset_count;
1053 val_classification_to_string(enum val_classification subtype)
1056 case VAL_CLASS_UNTYPED: return "untyped";
1057 case VAL_CLASS_UNKNOWN: return "unknown";
1058 case VAL_CLASS_POSITIVE: return "positive";
1059 case VAL_CLASS_CNAME: return "cname";
1060 case VAL_CLASS_NODATA: return "nodata";
1061 case VAL_CLASS_NAMEERROR: return "nameerror";
1062 case VAL_CLASS_CNAMENOANSWER: return "cnamenoanswer";
1063 case VAL_CLASS_REFERRAL: return "referral";
1064 case VAL_CLASS_ANY: return "qtype_any";
1066 return "bad_val_classification";
1070 /** log a sock_list entry */
1072 sock_list_logentry(enum verbosity_value v, const char* s, struct sock_list* p)
1075 log_addr(v, s, &p->addr, p->len);
1076 else verbose(v, "%s cache", s);
1079 void val_blacklist(struct sock_list** blacklist, struct regional* region,
1080 struct sock_list* origin, int cross)
1082 /* debug printout */
1083 if(verbosity >= VERB_ALGO) {
1084 struct sock_list* p;
1085 for(p=*blacklist; p; p=p->next)
1086 sock_list_logentry(VERB_ALGO, "blacklist", p);
1088 verbose(VERB_ALGO, "blacklist add: cache");
1089 for(p=origin; p; p=p->next)
1090 sock_list_logentry(VERB_ALGO, "blacklist add", p);
1092 /* blacklist the IPs or the cache */
1094 /* only add if nothing there. anything else also stops cache*/
1096 sock_list_insert(blacklist, NULL, 0, region);
1098 sock_list_prepend(blacklist, origin);
1099 else sock_list_merge(blacklist, region, origin);
1102 int val_has_signed_nsecs(struct reply_info* rep, char** reason)
1104 size_t i, num_nsec = 0, num_nsec3 = 0;
1105 struct packed_rrset_data* d;
1106 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
1107 if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC))
1109 else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3))
1112 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1113 if(d && d->rrsig_count != 0) {
1117 if(num_nsec == 0 && num_nsec3 == 0)
1118 *reason = "no DNSSEC records";
1119 else if(num_nsec != 0)
1120 *reason = "no signatures over NSECs";
1121 else *reason = "no signatures over NSEC3s";
1126 val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c,
1127 struct regional* region, uint8_t* topname)
1129 struct dns_msg* msg;
1130 struct query_info qinfo;
1131 struct ub_packed_rrset_key *rrset = rrset_cache_lookup(
1132 env->rrset_cache, nm, nmlen, LDNS_RR_TYPE_DS, c, 0,
1135 /* DS rrset exists. Return it to the validator immediately*/
1136 struct ub_packed_rrset_key* copy = packed_rrset_copy_region(
1137 rrset, region, *env->now);
1138 lock_rw_unlock(&rrset->entry.lock);
1141 msg = dns_msg_create(nm, nmlen, LDNS_RR_TYPE_DS, c, region, 1);
1144 msg->rep->rrsets[0] = copy;
1145 msg->rep->rrset_count++;
1146 msg->rep->an_numrrsets++;
1149 /* lookup in rrset and negative cache for NSEC/NSEC3 */
1151 qinfo.qname_len = nmlen;
1152 qinfo.qtype = LDNS_RR_TYPE_DS;
1154 qinfo.local_alias = NULL;
1155 /* do not add SOA to reply message, it is going to be used internal */
1156 msg = val_neg_getmsg(env->neg_cache, &qinfo, region, env->rrset_cache,
1157 env->scratch_buffer, *env->now, 0, topname);