2 * validator/val_nsec.c - validator NSEC denial of existance functions.
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
27 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
28 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
39 * This file contains helper functions for the validator module.
40 * The functions help with NSEC checking, the different NSEC proofs
41 * for denial of existance, and proofs for presence of types.
44 #include <ldns/packet.h>
45 #include "validator/val_nsec.h"
46 #include "validator/val_utils.h"
47 #include "util/data/msgreply.h"
48 #include "util/data/dname.h"
49 #include "util/net_help.h"
50 #include "util/module.h"
51 #include "services/cache/rrset.h"
53 /** get ttl of rrset */
55 rrset_get_ttl(struct ub_packed_rrset_key* k)
57 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
62 nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type)
64 /* Check type present in NSEC typemap with bitmap arg */
65 /* bitmasks for determining type-lowerbits presence */
66 uint8_t masks[8] = {0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01};
67 uint8_t type_window = type>>8;
68 uint8_t type_low = type&0xff;
70 /* read each of the type bitmap windows and see if the searched
71 * type is amongst it */
73 if(len < 3) /* bad window, at least window# winlen bitmap */
78 if(len < winlen || winlen < 1 || winlen > 32)
79 return 0; /* bad window length */
80 if(win == type_window) {
81 /* search window bitmap for the correct byte */
82 /* mybyte is 0 if we need the first byte */
83 size_t mybyte = type_low>>3;
85 return 0; /* window too short */
86 return (int)(bitmap[mybyte] & masks[type_low&0x7]);
88 /* not the window we are looking for */
93 /* end of bitmap reached, no type found */
98 nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type)
100 struct packed_rrset_data* d = (struct packed_rrset_data*)nsec->
103 if(!d || d->count == 0 || d->rr_len[0] < 2+1)
105 len = dname_valid(d->rr_data[0]+2, d->rr_len[0]-2);
108 return nsecbitmap_has_type_rdata(d->rr_data[0]+2+len,
109 d->rr_len[0]-2-len, type);
113 * Get next owner name from nsec record
114 * @param nsec: the nsec RRset.
115 * If there are multiple RRs, then this will only return one of them.
116 * @param nm: the next name is returned.
117 * @param ln: length of nm is returned.
118 * @return false on a bad NSEC RR (too short, malformed dname).
121 nsec_get_next(struct ub_packed_rrset_key* nsec, uint8_t** nm, size_t* ln)
123 struct packed_rrset_data* d = (struct packed_rrset_data*)nsec->
125 if(!d || d->count == 0 || d->rr_len[0] < 2+1) {
130 *nm = d->rr_data[0]+2;
131 *ln = dname_valid(*nm, d->rr_len[0]-2);
141 * For an NSEC that matches the DS queried for, check absence of DS type.
143 * @param nsec: NSEC for proof, must be trusted.
144 * @param qinfo: what is queried for.
145 * @return if secure the nsec proves that no DS is present, or
146 * insecure if it proves it is not a delegation point.
147 * or bogus if something was wrong.
149 static enum sec_status
150 val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
151 struct query_info* qinfo)
153 log_assert(qinfo->qtype == LDNS_RR_TYPE_DS);
154 log_assert(ntohs(nsec->rk.type) == LDNS_RR_TYPE_NSEC);
156 if(nsec_has_type(nsec, LDNS_RR_TYPE_SOA) && qinfo->qname_len != 1) {
157 /* SOA present means that this is the NSEC from the child,
158 * not the parent (so it is the wrong one). */
159 return sec_status_bogus;
161 if(nsec_has_type(nsec, LDNS_RR_TYPE_DS)) {
162 /* DS present means that there should have been a positive
163 * response to the DS query, so there is something wrong. */
164 return sec_status_bogus;
167 if(!nsec_has_type(nsec, LDNS_RR_TYPE_NS)) {
168 /* If there is no NS at this point at all, then this
169 * doesn't prove anything one way or the other. */
170 return sec_status_insecure;
172 /* Otherwise, this proves no DS. */
173 return sec_status_secure;
176 /** check security status from cache or verify rrset, returns true if secure */
178 nsec_verify_rrset(struct module_env* env, struct val_env* ve,
179 struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
182 struct packed_rrset_data* d = (struct packed_rrset_data*)
184 if(d->security == sec_status_secure)
186 rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
187 if(d->security == sec_status_secure)
189 d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason);
190 if(d->security == sec_status_secure) {
191 rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
198 val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
199 struct query_info* qinfo, struct reply_info* rep,
200 struct key_entry_key* kkey, time_t* proof_ttl, char** reason)
202 struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
203 rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC,
207 uint8_t* wc = NULL, *ce = NULL;
209 struct ub_packed_rrset_key* wc_nsec = NULL;
211 /* If we have a NSEC at the same name, it must prove one
214 * 1) this is a delegation point and there is no DS
215 * 2) this is not a delegation point */
217 if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) {
218 verbose(VERB_ALGO, "NSEC RRset for the "
219 "referral did not verify.");
220 return sec_status_bogus;
222 sec = val_nsec_proves_no_ds(nsec, qinfo);
223 if(sec == sec_status_bogus) {
224 /* something was wrong. */
225 *reason = "NSEC does not prove absence of DS";
227 } else if(sec == sec_status_insecure) {
228 /* this wasn't a delegation point. */
230 } else if(sec == sec_status_secure) {
231 /* this proved no DS. */
232 *proof_ttl = ub_packed_rrset_ttl(nsec);
235 /* if unchecked, fall through to next proof */
238 /* Otherwise, there is no NSEC at qname. This could be an ENT.
239 * (ENT=empty non terminal). If not, this is broken. */
241 /* verify NSEC rrsets in auth section */
242 for(i=rep->an_numrrsets; i < rep->an_numrrsets+rep->ns_numrrsets;
244 if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
246 if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) {
247 verbose(VERB_ALGO, "NSEC for empty non-terminal "
249 return sec_status_bogus;
251 if(nsec_proves_nodata(rep->rrsets[i], qinfo, &wc)) {
252 verbose(VERB_ALGO, "NSEC for empty non-terminal "
254 *proof_ttl = rrset_get_ttl(rep->rrsets[i]);
255 if(wc && dname_is_wild(rep->rrsets[i]->rk.dname))
256 wc_nsec = rep->rrsets[i];
259 if(val_nsec_proves_name_error(rep->rrsets[i], qinfo->qname)) {
260 ce = nsec_closest_encloser(qinfo->qname,
267 /* ce and wc must match */
268 if(query_dname_compare(wc, ce) != 0)
275 /* check if this is a delegation */
276 *reason = "NSEC for wildcard does not prove absence of DS";
277 return val_nsec_proves_no_ds(wc_nsec, qinfo);
279 /* valid nsec proves empty nonterminal */
280 return sec_status_insecure;
283 /* NSEC proof did not conlusively point to DS or no DS */
284 return sec_status_unchecked;
287 int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
288 struct query_info* qinfo, uint8_t** wc)
291 if(query_dname_compare(nsec->rk.dname, qinfo->qname) != 0) {
295 /* empty-non-terminal checking.
296 * Done before wildcard, because this is an exact match,
297 * and would prevent a wildcard from matching. */
299 /* If the nsec is proving that qname is an ENT, the nsec owner
300 * will be less than qname, and the next name will be a child
301 * domain of the qname. */
302 if(!nsec_get_next(nsec, &nm, &ln))
303 return 0; /* bad nsec */
304 if(dname_strict_subdomain_c(nm, qinfo->qname) &&
305 dname_canonical_compare(nsec->rk.dname,
307 return 1; /* proves ENT */
310 /* wildcard checking. */
312 /* If this is a wildcard NSEC, make sure that a) it was
313 * possible to have generated qname from the wildcard and
314 * b) the type map does not contain qtype. Note that this
315 * does NOT prove that this wildcard was the applicable
317 if(dname_is_wild(nsec->rk.dname)) {
318 /* the purported closest encloser. */
319 uint8_t* ce = nsec->rk.dname;
320 size_t ce_len = nsec->rk.dname_len;
321 dname_remove_label(&ce, &ce_len);
323 /* The qname must be a strict subdomain of the
324 * closest encloser, for the wildcard to apply
326 if(dname_strict_subdomain_c(qinfo->qname, ce)) {
327 /* here we have a matching NSEC for the qname,
328 * perform matching NSEC checks */
329 if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) {
330 /* should have gotten the wildcard CNAME */
333 if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
334 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
335 /* wrong parentside (wildcard) NSEC used */
338 if(nsec_has_type(nsec, qinfo->qtype)) {
346 /* Otherwise, this NSEC does not prove ENT and is not a
347 * wildcard, so it does not prove NODATA. */
351 /* If the qtype exists, then we should have gotten it. */
352 if(nsec_has_type(nsec, qinfo->qtype)) {
356 /* if the name is a CNAME node, then we should have gotten the CNAME*/
357 if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) {
361 /* If an NS set exists at this name, and NOT a SOA (so this is a
362 * zone cut, not a zone apex), then we should have gotten a
363 * referral (or we just got the wrong NSEC).
364 * The reverse of this check is used when qtype is DS, since that
365 * must use the NSEC from above the zone cut. */
366 if(qinfo->qtype != LDNS_RR_TYPE_DS &&
367 nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
368 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
370 } else if(qinfo->qtype == LDNS_RR_TYPE_DS &&
371 nsec_has_type(nsec, LDNS_RR_TYPE_SOA) &&
372 !dname_is_root(qinfo->qname)) {
380 val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, uint8_t* qname)
382 uint8_t* owner = nsec->rk.dname;
385 if(!nsec_get_next(nsec, &next, &nlen))
388 /* If NSEC owner == qname, then this NSEC proves that qname exists. */
389 if(query_dname_compare(qname, owner) == 0) {
393 /* If NSEC is a parent of qname, we need to check the type map
394 * If the parent name has a DNAME or is a delegation point, then
395 * this NSEC is being misused. */
396 if(dname_subdomain_c(qname, owner) &&
397 (nsec_has_type(nsec, LDNS_RR_TYPE_DNAME) ||
398 (nsec_has_type(nsec, LDNS_RR_TYPE_NS)
399 && !nsec_has_type(nsec, LDNS_RR_TYPE_SOA))
404 if(query_dname_compare(owner, next) == 0) {
405 /* this nsec is the only nsec */
406 /* zone.name NSEC zone.name, disproves everything else */
407 /* but only for subdomains of that zone */
408 if(dname_strict_subdomain_c(qname, next))
411 else if(dname_canonical_compare(owner, next) > 0) {
412 /* this is the last nsec, ....(bigger) NSEC zonename(smaller) */
413 /* the names after the last (owner) name do not exist
414 * there are no names before the zone name in the zone
415 * but the qname must be a subdomain of the zone name(next). */
416 if(dname_canonical_compare(owner, qname) < 0 &&
417 dname_strict_subdomain_c(qname, next))
420 /* regular NSEC, (smaller) NSEC (larger) */
421 if(dname_canonical_compare(owner, qname) < 0 &&
422 dname_canonical_compare(qname, next) < 0) {
429 int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec,
430 struct query_info* qinfo)
432 if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
433 !nsec_has_type(nsec, LDNS_RR_TYPE_DS) &&
434 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
435 /* see if nsec signals an insecure delegation */
436 if(qinfo->qtype == LDNS_RR_TYPE_DS) {
437 /* if type is DS and qname is equal to nsec, then it
438 * is an exact match nsec, result not insecure */
439 if(dname_strict_subdomain_c(qinfo->qname,
443 if(dname_subdomain_c(qinfo->qname, nsec->rk.dname))
451 nsec_closest_encloser(uint8_t* qname, struct ub_packed_rrset_key* nsec)
455 uint8_t* common1, *common2;
456 if(!nsec_get_next(nsec, &next, &nlen))
458 /* longest common with owner or next name */
459 common1 = dname_get_shared_topdomain(nsec->rk.dname, qname);
460 common2 = dname_get_shared_topdomain(next, qname);
461 if(dname_count_labels(common1) > dname_count_labels(common2))
466 int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec,
467 struct query_info* qinf, uint8_t* wc)
470 /* 1) prove that qname doesn't exist and
471 * 2) that the correct wildcard was used
472 * nsec has been verified already. */
473 if(!val_nsec_proves_name_error(nsec, qinf->qname))
475 /* check wildcard name */
476 ce = nsec_closest_encloser(qinf->qname, nsec);
479 if(query_dname_compare(wc, ce) != 0) {
486 val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
489 /* Determine if a NSEC record proves the non-existence of a
490 * wildcard that could have produced qname. */
493 uint8_t* ce = nsec_closest_encloser(qname, nsec);
496 uint8_t buf[LDNS_MAX_DOMAINLEN+3];
499 /* we can subtract the closest encloser count - since that is the
500 * largest shared topdomain with owner and next NSEC name,
501 * because the NSEC is no proof for names shorter than the owner
503 labs = dname_count_labels(qname) - dname_count_labels(ce);
505 for(i=labs; i>0; i--) {
506 /* i is number of labels to strip off qname, prepend * wild */
509 dname_remove_labels(&strip, &striplen, i);
510 if(striplen > LDNS_MAX_DOMAINLEN-2)
511 continue; /* too long to prepend wildcard */
513 buf[1] = (uint8_t)'*';
514 memmove(buf+2, strip, striplen);
515 if(val_nsec_proves_name_error(nsec, buf)) {
523 * Find shared topdomain that exists
526 dlv_topdomain(struct ub_packed_rrset_key* nsec, uint8_t* qname,
527 uint8_t** nm, size_t* nm_len)
529 /* make sure reply is part of nm */
530 /* take shared topdomain with left of NSEC. */
532 /* because, if empty nonterminal, then right is subdomain of qname.
533 * and any shared topdomain would be empty nonterminals.
535 * If nxdomain, then the right is bigger, and could have an
536 * interesting shared topdomain, but if it does have one, it is
537 * an empty nonterminal. An empty nonterminal shared with the left
540 uint8_t* common = dname_get_shared_topdomain(qname, nsec->rk.dname);
541 n = dname_count_labels(*nm) - dname_count_labels(common);
542 dname_remove_labels(nm, nm_len, n);
545 int val_nsec_check_dlv(struct query_info* qinfo,
546 struct reply_info* rep, uint8_t** nm, size_t* nm_len)
551 /* we should now have a NOERROR/NODATA or NXDOMAIN message */
552 if(rep->an_numrrsets != 0) {
555 /* is this NOERROR ? */
556 if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
557 /* it can be a plain NSEC match - go up one more level. */
558 /* or its an empty nonterminal - go up to nonempty level */
559 for(i=0; i<rep->ns_numrrsets; i++) {
560 if(htons(rep->rrsets[i]->rk.type)!=LDNS_RR_TYPE_NSEC ||
561 !nsec_get_next(rep->rrsets[i], &next, &nlen))
563 c = dname_canonical_compare(
564 rep->rrsets[i]->rk.dname, qinfo->qname);
567 if(nsec_has_type(rep->rrsets[i],
570 dname_remove_label(nm, nm_len);
573 dname_strict_subdomain_c(next, qinfo->qname)) {
575 dlv_topdomain(rep->rrsets[i], qinfo->qname,
583 /* is this NXDOMAIN ? */
584 if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN) {
585 /* find the qname denial NSEC record. It can tell us
586 * a closest encloser name; or that we not need bother */
587 for(i=0; i<rep->ns_numrrsets; i++) {
588 if(htons(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_NSEC)
590 if(val_nsec_proves_name_error(rep->rrsets[i],
592 log_nametypeclass(VERB_ALGO, "topdomain on",
593 rep->rrsets[i]->rk.dname,
594 ntohs(rep->rrsets[i]->rk.type), 0);
595 dlv_topdomain(rep->rrsets[i], qinfo->qname,