2 * validator/val_utils.c - validator utility functions.
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
27 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
28 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
39 * This file contains helper functions for the validator module.
42 #include "validator/val_utils.h"
43 #include "validator/validator.h"
44 #include "validator/val_kentry.h"
45 #include "validator/val_sigcrypt.h"
46 #include "validator/val_anchor.h"
47 #include "validator/val_nsec.h"
48 #include "validator/val_neg.h"
49 #include "services/cache/rrset.h"
50 #include "services/cache/dns.h"
51 #include "util/data/msgreply.h"
52 #include "util/data/packed_rrset.h"
53 #include "util/data/dname.h"
54 #include "util/net_help.h"
55 #include "util/module.h"
56 #include "util/regional.h"
58 enum val_classification
59 val_classify_response(uint16_t query_flags, struct query_info* origqinf,
60 struct query_info* qinf, struct reply_info* rep, size_t skip)
62 int rcode = (int)FLAGS_GET_RCODE(rep->flags);
65 /* Normal Name Error's are easy to detect -- but don't mistake a CNAME
66 * chain ending in NXDOMAIN. */
67 if(rcode == LDNS_RCODE_NXDOMAIN && rep->an_numrrsets == 0)
68 return VAL_CLASS_NAMEERROR;
70 /* check for referral: nonRD query and it looks like a nodata */
71 if(!(query_flags&BIT_RD) && rep->an_numrrsets == 0 &&
72 rcode == LDNS_RCODE_NOERROR) {
73 /* SOA record in auth indicates it is NODATA instead.
74 * All validation requiring NODATA messages have SOA in
75 * authority section. */
76 /* uses fact that answer section is empty */
78 for(i=0; i<rep->ns_numrrsets; i++) {
79 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA)
80 return VAL_CLASS_NODATA;
81 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DS)
82 return VAL_CLASS_REFERRAL;
83 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS)
86 return saw_ns?VAL_CLASS_REFERRAL:VAL_CLASS_NODATA;
88 /* root referral where NS set is in the answer section */
89 if(!(query_flags&BIT_RD) && rep->ns_numrrsets == 0 &&
90 rep->an_numrrsets == 1 && rcode == LDNS_RCODE_NOERROR &&
91 ntohs(rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_NS &&
92 query_dname_compare(rep->rrsets[0]->rk.dname,
93 origqinf->qname) != 0)
94 return VAL_CLASS_REFERRAL;
96 /* dump bad messages */
97 if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN)
98 return VAL_CLASS_UNKNOWN;
99 /* next check if the skip into the answer section shows no answer */
100 if(skip>0 && rep->an_numrrsets <= skip)
101 return VAL_CLASS_CNAMENOANSWER;
104 if(rcode == LDNS_RCODE_NOERROR && rep->an_numrrsets == 0)
105 return VAL_CLASS_NODATA;
107 /* We distinguish between CNAME response and other positive/negative
108 * responses because CNAME answers require extra processing. */
110 /* We distinguish between ANY and CNAME or POSITIVE because
111 * ANY responses are validated differently. */
112 if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY)
113 return VAL_CLASS_ANY;
115 /* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
116 * qtype=CNAME, this will yield a CNAME response. */
117 for(i=skip; i<rep->an_numrrsets; i++) {
118 if(rcode == LDNS_RCODE_NOERROR &&
119 ntohs(rep->rrsets[i]->rk.type) == qinf->qtype)
120 return VAL_CLASS_POSITIVE;
121 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME)
122 return VAL_CLASS_CNAME;
124 log_dns_msg("validator: error. failed to classify response message: ",
126 return VAL_CLASS_UNKNOWN;
129 /** Get signer name from RRSIG */
131 rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen)
133 /* RRSIG rdata is not allowed to be compressed, it is stored
134 * uncompressed in memory as well, so return a ptr to the name */
137 * short, byte, byte, long, long, long, short, "." is
138 * 2 1 1 4 4 4 2 1 = 19
139 * and a skip of 18 bytes to the name.
140 * +2 for the rdatalen is 21 bytes len for root label */
145 data += 20; /* skip the fixed size bits */
147 *slen = dname_valid(data, len);
149 /* bad dname in this rrsig. */
157 val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
160 struct packed_rrset_data* d = (struct packed_rrset_data*)
162 /* return signer for first signature, or NULL */
163 if(d->rrsig_count == 0) {
168 /* get rrsig signer name out of the signature */
169 rrsig_get_signer(d->rr_data[d->count], d->rr_len[d->count],
174 * Find best signer name in this set of rrsigs.
175 * @param rrset: which rrsigs to look through.
176 * @param qinf: the query name that needs validation.
177 * @param signer_name: the best signer_name. Updated if a better one is found.
178 * @param signer_len: length of signer name.
179 * @param matchcount: count of current best name (starts at 0 for no match).
180 * Updated if match is improved.
183 val_find_best_signer(struct ub_packed_rrset_key* rrset,
184 struct query_info* qinf, uint8_t** signer_name, size_t* signer_len,
187 struct packed_rrset_data* d = (struct packed_rrset_data*)
192 for(i=d->count; i<d->count+d->rrsig_count; i++) {
193 sign = d->rr_data[i]+2+18;
194 /* look at signatures that are valid (long enough),
195 * and have a signer name that is a superdomain of qname,
196 * and then check the number of labels in the shared topdomain
197 * improve the match if possible */
198 if(d->rr_len[i] > 2+19 && /* rdata, sig + root label*/
199 dname_subdomain_c(qinf->qname, sign)) {
200 (void)dname_lab_cmp(qinf->qname,
201 dname_count_labels(qinf->qname),
202 sign, dname_count_labels(sign), &m);
203 if(m > *matchcount) {
206 (void)dname_count_size_labels(*signer_name,
214 val_find_signer(enum val_classification subtype, struct query_info* qinf,
215 struct reply_info* rep, size_t skip, uint8_t** signer_name,
220 if(subtype == VAL_CLASS_POSITIVE || subtype == VAL_CLASS_ANY) {
221 /* check for the answer rrset */
222 for(i=skip; i<rep->an_numrrsets; i++) {
223 if(query_dname_compare(qinf->qname,
224 rep->rrsets[i]->rk.dname) == 0) {
225 val_find_rrset_signer(rep->rrsets[i],
226 signer_name, signer_len);
232 } else if(subtype == VAL_CLASS_CNAME) {
233 /* check for the first signed cname/dname rrset */
234 for(i=skip; i<rep->an_numrrsets; i++) {
235 val_find_rrset_signer(rep->rrsets[i],
236 signer_name, signer_len);
239 if(ntohs(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_DNAME)
240 break; /* only check CNAME after a DNAME */
244 } else if(subtype == VAL_CLASS_NAMEERROR
245 || subtype == VAL_CLASS_NODATA) {
246 /*Check to see if the AUTH section NSEC record(s) have rrsigs*/
247 for(i=rep->an_numrrsets; i<
248 rep->an_numrrsets+rep->ns_numrrsets; i++) {
249 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
250 || ntohs(rep->rrsets[i]->rk.type) ==
251 LDNS_RR_TYPE_NSEC3) {
252 val_find_rrset_signer(rep->rrsets[i],
253 signer_name, signer_len);
257 } else if(subtype == VAL_CLASS_CNAMENOANSWER) {
258 /* find closest superdomain signer name in authority section
263 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->
265 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
266 || ntohs(rep->rrsets[i]->rk.type) ==
267 LDNS_RR_TYPE_NSEC3) {
268 val_find_best_signer(rep->rrsets[i], qinf,
269 signer_name, signer_len, &matchcount);
272 } else if(subtype == VAL_CLASS_REFERRAL) {
273 /* find keys for the item at skip */
274 if(skip < rep->rrset_count) {
275 val_find_rrset_signer(rep->rrsets[skip],
276 signer_name, signer_len);
282 verbose(VERB_QUERY, "find_signer: could not find signer name"
283 " for unknown type response");
289 /** return number of rrs in an rrset */
291 rrset_get_count(struct ub_packed_rrset_key* rrset)
293 struct packed_rrset_data* d = (struct packed_rrset_data*)
299 /** return TTL of rrset */
301 rrset_get_ttl(struct ub_packed_rrset_key* rrset)
303 struct packed_rrset_data* d = (struct packed_rrset_data*)
310 val_verify_rrset(struct module_env* env, struct val_env* ve,
311 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
312 uint8_t* sigalg, char** reason)
315 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
317 if(d->security == sec_status_secure) {
318 /* re-verify all other statuses, because keyset may change*/
319 log_nametypeclass(VERB_ALGO, "verify rrset cached",
320 rrset->rk.dname, ntohs(rrset->rk.type),
321 ntohs(rrset->rk.rrset_class));
324 /* check in the cache if verification has already been done */
325 rrset_check_sec_status(env->rrset_cache, rrset, *env->now);
326 if(d->security == sec_status_secure) {
327 log_nametypeclass(VERB_ALGO, "verify rrset from cache",
328 rrset->rk.dname, ntohs(rrset->rk.type),
329 ntohs(rrset->rk.rrset_class));
332 log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname,
333 ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class));
334 sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason);
335 verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec));
336 regional_free_all(env->scratch);
338 /* update rrset security status
339 * only improves security status
340 * and bogus is set only once, even if we rechecked the status */
341 if(sec > d->security) {
343 if(sec == sec_status_secure)
344 d->trust = rrset_trust_validated;
345 else if(sec == sec_status_bogus) {
347 /* update ttl for rrset to fixed value. */
348 d->ttl = ve->bogus_ttl;
349 for(i=0; i<d->count+d->rrsig_count; i++)
350 d->rr_ttl[i] = ve->bogus_ttl;
351 /* leave RR specific TTL: not used for determine
352 * if RRset timed out and clients see proper value. */
353 lock_basic_lock(&ve->bogus_lock);
354 ve->num_rrset_bogus++;
355 lock_basic_unlock(&ve->bogus_lock);
357 /* if status updated - store in cache for reuse */
358 rrset_update_sec_status(env->rrset_cache, rrset, *env->now);
365 val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
366 struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey,
369 /* temporary dnskey rrset-key */
370 struct ub_packed_rrset_key dnskey;
371 struct key_entry_data* kd = (struct key_entry_data*)kkey->entry.data;
373 dnskey.rk.type = htons(kd->rrset_type);
374 dnskey.rk.rrset_class = htons(kkey->key_class);
376 dnskey.rk.dname = kkey->name;
377 dnskey.rk.dname_len = kkey->namelen;
378 dnskey.entry.key = &dnskey;
379 dnskey.entry.data = kd->rrset_data;
380 sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason);
384 /** verify that a DS RR hashes to a key and that key signs the set */
385 static enum sec_status
386 verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
387 struct ub_packed_rrset_key* dnskey_rrset,
388 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason)
390 enum sec_status sec = sec_status_bogus;
391 size_t i, num, numchecked = 0, numhashok = 0;
392 num = rrset_get_count(dnskey_rrset);
393 for(i=0; i<num; i++) {
394 /* Skip DNSKEYs that don't match the basic criteria. */
395 if(ds_get_key_algo(ds_rrset, ds_idx)
396 != dnskey_get_algo(dnskey_rrset, i)
397 || dnskey_calc_keytag(dnskey_rrset, i)
398 != ds_get_keytag(ds_rrset, ds_idx)) {
402 verbose(VERB_ALGO, "attempt DS match algo %d keytag %d",
403 ds_get_key_algo(ds_rrset, ds_idx),
404 ds_get_keytag(ds_rrset, ds_idx));
406 /* Convert the candidate DNSKEY into a hash using the
407 * same DS hash algorithm. */
408 if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset,
410 verbose(VERB_ALGO, "DS match attempt failed");
414 verbose(VERB_ALGO, "DS match digest ok, trying signature");
416 /* Otherwise, we have a match! Make sure that the DNSKEY
417 * verifies *with this key* */
418 sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
419 dnskey_rrset, i, reason);
420 if(sec == sec_status_secure) {
423 /* If it didn't validate with the DNSKEY, try the next one! */
426 algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx),
427 reason, "no keys have a DS");
428 else if(numhashok == 0)
429 *reason = "DS hash mismatches key";
431 *reason = "keyset not secured by DNSKEY that matches DS";
432 return sec_status_bogus;
435 int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset)
437 size_t i, num = rrset_get_count(ds_rrset);
438 int d, digest_algo = 0; /* DS digest algo 0 is not used. */
439 /* find favorite algo, for now, highest number supported */
440 for(i=0; i<num; i++) {
441 if(!ds_digest_algo_is_supported(ds_rrset, i) ||
442 !ds_key_algo_is_supported(ds_rrset, i)) {
445 d = ds_get_digest_algo(ds_rrset, i);
453 val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
454 struct ub_packed_rrset_key* dnskey_rrset,
455 struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason)
457 /* as long as this is false, we can consider this DS rrset to be
458 * equivalent to no DS rrset. */
459 int has_useful_ds = 0, digest_algo, alg;
460 struct algo_needs needs;
464 if(dnskey_rrset->rk.dname_len != ds_rrset->rk.dname_len ||
465 query_dname_compare(dnskey_rrset->rk.dname, ds_rrset->rk.dname)
467 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
469 *reason = "DNSKEY RRset did not match DS RRset by name";
470 return sec_status_bogus;
473 digest_algo = val_favorite_ds_algo(ds_rrset);
475 algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg);
476 num = rrset_get_count(ds_rrset);
477 for(i=0; i<num; i++) {
478 /* Check to see if we can understand this DS.
479 * And check it is the strongest digest */
480 if(!ds_digest_algo_is_supported(ds_rrset, i) ||
481 !ds_key_algo_is_supported(ds_rrset, i) ||
482 ds_get_digest_algo(ds_rrset, i) != digest_algo) {
486 /* Once we see a single DS with a known digestID and
487 * algorithm, we cannot return INSECURE (with a
488 * "null" KeyEntry). */
489 has_useful_ds = true;
491 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
492 ds_rrset, i, reason);
493 if(sec == sec_status_secure) {
494 if(!sigalg || algo_needs_set_secure(&needs,
495 (uint8_t)ds_get_key_algo(ds_rrset, i))) {
496 verbose(VERB_ALGO, "DS matched DNSKEY.");
497 return sec_status_secure;
499 } else if(sigalg && sec == sec_status_bogus) {
500 algo_needs_set_bogus(&needs,
501 (uint8_t)ds_get_key_algo(ds_rrset, i));
505 /* None of the DS's worked out. */
507 /* If no DSs were understandable, then this is OK. */
509 verbose(VERB_ALGO, "No usable DS records were found -- "
510 "treating as insecure.");
511 return sec_status_insecure;
513 /* If any were understandable, then it is bad. */
514 verbose(VERB_QUERY, "Failed to match any usable DS to a DNSKEY.");
515 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
516 algo_needs_reason(env, alg, reason, "missing verification of "
519 return sec_status_bogus;
522 struct key_entry_key*
523 val_verify_new_DNSKEYs(struct regional* region, struct module_env* env,
524 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
525 struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason)
527 uint8_t sigalg[ALGO_NEEDS_MAX+1];
528 enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve,
529 dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason);
531 if(sec == sec_status_secure) {
532 return key_entry_create_rrset(region,
533 ds_rrset->rk.dname, ds_rrset->rk.dname_len,
534 ntohs(ds_rrset->rk.rrset_class), dnskey_rrset,
535 downprot?sigalg:NULL, *env->now);
536 } else if(sec == sec_status_insecure) {
537 return key_entry_create_null(region, ds_rrset->rk.dname,
538 ds_rrset->rk.dname_len,
539 ntohs(ds_rrset->rk.rrset_class),
540 rrset_get_ttl(ds_rrset), *env->now);
542 return key_entry_create_bad(region, ds_rrset->rk.dname,
543 ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class),
544 BOGUS_KEY_TTL, *env->now);
548 val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
549 struct ub_packed_rrset_key* dnskey_rrset,
550 struct ub_packed_rrset_key* ta_ds,
551 struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason)
553 /* as long as this is false, we can consider this anchor to be
554 * equivalent to no anchor. */
555 int has_useful_ta = 0, digest_algo = 0, alg;
556 struct algo_needs needs;
560 if(ta_ds && (dnskey_rrset->rk.dname_len != ta_ds->rk.dname_len ||
561 query_dname_compare(dnskey_rrset->rk.dname, ta_ds->rk.dname)
563 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
565 *reason = "DNSKEY RRset did not match DS RRset by name";
566 return sec_status_bogus;
568 if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len
569 || query_dname_compare(dnskey_rrset->rk.dname, ta_dnskey->rk.dname)
571 verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset "
573 *reason = "DNSKEY RRset did not match anchor RRset by name";
574 return sec_status_bogus;
578 digest_algo = val_favorite_ds_algo(ta_ds);
581 algo_needs_init_ds(&needs, ta_ds, digest_algo, sigalg);
582 else memset(&needs, 0, sizeof(needs));
584 algo_needs_init_dnskey_add(&needs, ta_dnskey, sigalg);
587 num = rrset_get_count(ta_ds);
588 for(i=0; i<num; i++) {
589 /* Check to see if we can understand this DS.
590 * And check it is the strongest digest */
591 if(!ds_digest_algo_is_supported(ta_ds, i) ||
592 !ds_key_algo_is_supported(ta_ds, i) ||
593 ds_get_digest_algo(ta_ds, i) != digest_algo)
596 /* Once we see a single DS with a known digestID and
597 * algorithm, we cannot return INSECURE (with a
598 * "null" KeyEntry). */
599 has_useful_ta = true;
601 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
603 if(sec == sec_status_secure) {
604 if(!sigalg || algo_needs_set_secure(&needs,
605 (uint8_t)ds_get_key_algo(ta_ds, i))) {
606 verbose(VERB_ALGO, "DS matched DNSKEY.");
607 return sec_status_secure;
609 } else if(sigalg && sec == sec_status_bogus) {
610 algo_needs_set_bogus(&needs,
611 (uint8_t)ds_get_key_algo(ta_ds, i));
616 /* None of the DS's worked out: check the DNSKEYs. */
618 num = rrset_get_count(ta_dnskey);
619 for(i=0; i<num; i++) {
620 /* Check to see if we can understand this DNSKEY */
621 if(!dnskey_algo_is_supported(ta_dnskey, i))
624 /* we saw a useful TA */
625 has_useful_ta = true;
627 sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
628 ta_dnskey, i, reason);
629 if(sec == sec_status_secure) {
630 if(!sigalg || algo_needs_set_secure(&needs,
631 (uint8_t)dnskey_get_algo(ta_dnskey, i))) {
632 verbose(VERB_ALGO, "anchor matched DNSKEY.");
633 return sec_status_secure;
635 } else if(sigalg && sec == sec_status_bogus) {
636 algo_needs_set_bogus(&needs,
637 (uint8_t)dnskey_get_algo(ta_dnskey, i));
642 /* If no DSs were understandable, then this is OK. */
644 verbose(VERB_ALGO, "No usable trust anchors were found -- "
645 "treating as insecure.");
646 return sec_status_insecure;
648 /* If any were understandable, then it is bad. */
649 verbose(VERB_QUERY, "Failed to match any usable anchor to a DNSKEY.");
650 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
651 algo_needs_reason(env, alg, reason, "missing verification of "
654 return sec_status_bogus;
657 struct key_entry_key*
658 val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env,
659 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
660 struct ub_packed_rrset_key* ta_ds_rrset,
661 struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
664 uint8_t sigalg[ALGO_NEEDS_MAX+1];
665 enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve,
666 dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset,
667 downprot?sigalg:NULL, reason);
669 if(sec == sec_status_secure) {
670 return key_entry_create_rrset(region,
671 dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len,
672 ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset,
673 downprot?sigalg:NULL, *env->now);
674 } else if(sec == sec_status_insecure) {
675 return key_entry_create_null(region, dnskey_rrset->rk.dname,
676 dnskey_rrset->rk.dname_len,
677 ntohs(dnskey_rrset->rk.rrset_class),
678 rrset_get_ttl(dnskey_rrset), *env->now);
680 return key_entry_create_bad(region, dnskey_rrset->rk.dname,
681 dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class),
682 BOGUS_KEY_TTL, *env->now);
686 val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset)
689 for(i=0; i<rrset_get_count(ds_rrset); i++) {
690 if(ds_digest_algo_is_supported(ds_rrset, i) &&
691 ds_key_algo_is_supported(ds_rrset, i))
697 /** get label count for a signature */
699 rrsig_get_labcount(struct packed_rrset_data* d, size_t sig)
701 if(d->rr_len[sig] < 2+4)
702 return 0; /* bad sig length */
703 return d->rr_data[sig][2+3];
707 val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc)
709 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
715 if(d->rrsig_count == 0) {
718 labcount = rrsig_get_labcount(d, d->count + 0);
719 /* check rest of signatures identical */
720 for(i=1; i<d->rrsig_count; i++) {
721 if(labcount != rrsig_get_labcount(d, d->count + i)) {
725 /* OK the rrsigs check out */
726 /* if the RRSIG label count is shorter than the number of actual
727 * labels, then this rrset was synthesized from a wildcard.
728 * Note that the RRSIG label count doesn't count the root label. */
729 wn = rrset->rk.dname;
730 wl = rrset->rk.dname_len;
731 /* skip a leading wildcard label in the dname (RFC4035 2.2) */
732 if(dname_is_wild(wn)) {
736 labdiff = (dname_count_labels(wn) - 1) - (int)labcount;
739 dname_remove_labels(wc, &wl, labdiff);
746 val_chase_cname(struct query_info* qchase, struct reply_info* rep,
747 size_t* cname_skip) {
749 /* skip any DNAMEs, go to the CNAME for next part */
750 for(i = *cname_skip; i < rep->an_numrrsets; i++) {
751 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME &&
752 query_dname_compare(qchase->qname, rep->rrsets[i]->
754 qchase->qname = NULL;
755 get_cname_target(rep->rrsets[i], &qchase->qname,
758 return 0; /* bad CNAME rdata */
763 return 0; /* CNAME classified but no matching CNAME ?! */
766 /** see if rrset has signer name as one of the rrsig signers */
768 rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len)
770 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
773 for(i = d->count; i< d->count+d->rrsig_count; i++) {
774 if(d->rr_len[i] > 2+18+len) {
775 /* at least rdatalen + signature + signame (+1 sig)*/
776 if(query_dname_compare(name, d->rr_data[i]+2+18) == 0)
786 val_fill_reply(struct reply_info* chase, struct reply_info* orig,
787 size_t skip, uint8_t* name, size_t len, uint8_t* signer)
791 chase->rrset_count = 0;
792 chase->an_numrrsets = 0;
793 chase->ns_numrrsets = 0;
794 chase->ar_numrrsets = 0;
796 for(i=skip; i<orig->an_numrrsets; i++) {
798 if(query_dname_compare(name,
799 orig->rrsets[i]->rk.dname) == 0)
800 chase->rrsets[chase->an_numrrsets++] =
802 } else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) ==
803 LDNS_RR_TYPE_CNAME) {
804 chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
806 } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
807 chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
808 if(ntohs(orig->rrsets[i]->rk.type) ==
809 LDNS_RR_TYPE_DNAME) {
814 /* AUTHORITY section */
815 for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets;
816 i<orig->an_numrrsets+orig->ns_numrrsets;
819 if(query_dname_compare(name,
820 orig->rrsets[i]->rk.dname) == 0)
821 chase->rrsets[chase->an_numrrsets+
822 chase->ns_numrrsets++] = orig->rrsets[i];
823 } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
824 chase->rrsets[chase->an_numrrsets+
825 chase->ns_numrrsets++] = orig->rrsets[i];
828 /* ADDITIONAL section */
829 for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)?
830 skip:orig->an_numrrsets+orig->ns_numrrsets;
831 i<orig->rrset_count; i++) {
833 if(query_dname_compare(name,
834 orig->rrsets[i]->rk.dname) == 0)
835 chase->rrsets[chase->an_numrrsets
836 +orig->ns_numrrsets+chase->ar_numrrsets++]
838 } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
839 chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
840 chase->ar_numrrsets++] = orig->rrsets[i];
843 chase->rrset_count = chase->an_numrrsets + chase->ns_numrrsets +
848 val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
852 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
853 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
854 ->security != sec_status_secure) {
855 /* because we want to return the authentic original
856 * message when presented with CD-flagged queries,
857 * we need to preserve AUTHORITY section data.
858 * However, this rrset is not signed or signed
859 * with the wrong keys. Validation has tried to
860 * verify this rrset with the keysets of import.
861 * But this rrset did not verify.
862 * Therefore the message is bogus.
865 /* check if authority consists of only an NS record
866 * which is bad, and there is an answer section with
867 * data. In that case, delete NS and additional to
868 * be lenient and make a minimal response */
869 if(rep->an_numrrsets != 0 && rep->ns_numrrsets == 1 &&
870 ntohs(rep->rrsets[i]->rk.type)
871 == LDNS_RR_TYPE_NS) {
872 verbose(VERB_ALGO, "truncate to minimal");
873 rep->ns_numrrsets = 0;
874 rep->ar_numrrsets = 0;
875 rep->rrset_count = rep->an_numrrsets;
879 log_nametypeclass(VERB_QUERY, "message is bogus, "
881 rep->rrsets[i]->rk.dname,
882 ntohs(rep->rrsets[i]->rk.type),
883 ntohs(rep->rrsets[i]->rk.rrset_class));
884 rep->security = sec_status_bogus;
889 if(!ve->clean_additional)
891 for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
892 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
893 ->security != sec_status_secure) {
894 /* This does not cause message invalidation. It was
895 * simply unsigned data in the additional. The
896 * RRSIG must have been truncated off the message.
898 * However, we do not want to return possible bogus
899 * data to clients that rely on this service for
900 * their authentication.
902 /* remove this unneeded additional rrset */
903 memmove(rep->rrsets+i, rep->rrsets+i+1,
904 sizeof(struct ub_packed_rrset_key*)*
905 (rep->rrset_count - i - 1));
913 /** check no anchor and unlock */
915 check_no_anchor(struct val_anchors* anchors, uint8_t* nm, size_t l, uint16_t c)
917 struct trust_anchor* ta;
918 if((ta=anchors_lookup(anchors, nm, l, c))) {
919 lock_basic_unlock(&ta->lock);
925 val_mark_indeterminate(struct reply_info* rep, struct val_anchors* anchors,
926 struct rrset_cache* r, struct module_env* env)
929 struct packed_rrset_data* d;
930 for(i=0; i<rep->rrset_count; i++) {
931 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
932 if(d->security == sec_status_unchecked &&
933 check_no_anchor(anchors, rep->rrsets[i]->rk.dname,
934 rep->rrsets[i]->rk.dname_len,
935 ntohs(rep->rrsets[i]->rk.rrset_class)))
937 /* mark as indeterminate */
938 d->security = sec_status_indeterminate;
939 rrset_update_sec_status(r, rep->rrsets[i], *env->now);
945 val_mark_insecure(struct reply_info* rep, uint8_t* kname,
946 struct rrset_cache* r, struct module_env* env)
949 struct packed_rrset_data* d;
950 for(i=0; i<rep->rrset_count; i++) {
951 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
952 if(d->security == sec_status_unchecked &&
953 dname_subdomain_c(rep->rrsets[i]->rk.dname, kname)) {
954 /* mark as insecure */
955 d->security = sec_status_insecure;
956 rrset_update_sec_status(r, rep->rrsets[i], *env->now);
962 val_next_unchecked(struct reply_info* rep, size_t skip)
965 struct packed_rrset_data* d;
966 for(i=skip+1; i<rep->rrset_count; i++) {
967 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
968 if(d->security == sec_status_unchecked) {
972 return rep->rrset_count;
976 val_classification_to_string(enum val_classification subtype)
979 case VAL_CLASS_UNTYPED: return "untyped";
980 case VAL_CLASS_UNKNOWN: return "unknown";
981 case VAL_CLASS_POSITIVE: return "positive";
982 case VAL_CLASS_CNAME: return "cname";
983 case VAL_CLASS_NODATA: return "nodata";
984 case VAL_CLASS_NAMEERROR: return "nameerror";
985 case VAL_CLASS_CNAMENOANSWER: return "cnamenoanswer";
986 case VAL_CLASS_REFERRAL: return "referral";
987 case VAL_CLASS_ANY: return "qtype_any";
989 return "bad_val_classification";
993 /** log a sock_list entry */
995 sock_list_logentry(enum verbosity_value v, const char* s, struct sock_list* p)
998 log_addr(v, s, &p->addr, p->len);
999 else verbose(v, "%s cache", s);
1002 void val_blacklist(struct sock_list** blacklist, struct regional* region,
1003 struct sock_list* origin, int cross)
1005 /* debug printout */
1006 if(verbosity >= VERB_ALGO) {
1007 struct sock_list* p;
1008 for(p=*blacklist; p; p=p->next)
1009 sock_list_logentry(VERB_ALGO, "blacklist", p);
1011 verbose(VERB_ALGO, "blacklist add: cache");
1012 for(p=origin; p; p=p->next)
1013 sock_list_logentry(VERB_ALGO, "blacklist add", p);
1015 /* blacklist the IPs or the cache */
1017 /* only add if nothing there. anything else also stops cache*/
1019 sock_list_insert(blacklist, NULL, 0, region);
1021 sock_list_prepend(blacklist, origin);
1022 else sock_list_merge(blacklist, region, origin);
1025 int val_has_signed_nsecs(struct reply_info* rep, char** reason)
1027 size_t i, num_nsec = 0, num_nsec3 = 0;
1028 struct packed_rrset_data* d;
1029 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
1030 if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC))
1032 else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3))
1035 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1036 if(d && d->rrsig_count != 0) {
1040 if(num_nsec == 0 && num_nsec3 == 0)
1041 *reason = "no DNSSEC records";
1042 else if(num_nsec != 0)
1043 *reason = "no signatures over NSECs";
1044 else *reason = "no signatures over NSEC3s";
1049 val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c,
1050 struct regional* region, uint8_t* topname)
1052 struct dns_msg* msg;
1053 struct query_info qinfo;
1054 struct ub_packed_rrset_key *rrset = rrset_cache_lookup(
1055 env->rrset_cache, nm, nmlen, LDNS_RR_TYPE_DS, c, 0,
1058 /* DS rrset exists. Return it to the validator immediately*/
1059 struct ub_packed_rrset_key* copy = packed_rrset_copy_region(
1060 rrset, region, *env->now);
1061 lock_rw_unlock(&rrset->entry.lock);
1064 msg = dns_msg_create(nm, nmlen, LDNS_RR_TYPE_DS, c, region, 1);
1067 msg->rep->rrsets[0] = copy;
1068 msg->rep->rrset_count++;
1069 msg->rep->an_numrrsets++;
1072 /* lookup in rrset and negative cache for NSEC/NSEC3 */
1074 qinfo.qname_len = nmlen;
1075 qinfo.qtype = LDNS_RR_TYPE_DS;
1077 /* do not add SOA to reply message, it is going to be used internal */
1078 msg = val_neg_getmsg(env->neg_cache, &qinfo, region, env->rrset_cache,
1079 env->scratch_buffer, *env->now, 0, topname);