3 * Where all the hard work concerning secure tracing is done
5 * (c) 2005, 2006 NLnet Labs
7 * See the file LICENSE for the license
12 #include <ldns/ldns.h>
14 #define SELF "[S]" /* self sig ok */
15 #define TRUST "[T]" /* chain from parent */
16 #define BOGUS "[B]" /* bogus */
17 #define UNSIGNED "[U]" /* no relevant dnssec data found */
20 /* See if there is a key/ds in trusted that matches
24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
31 if (!trusted || !ds) {
36 keys = ldns_rr_list_new();
41 if (!ds || !trusted) {
45 for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) {
46 rr_i = ldns_rr_list_rr(trusted, i);
47 for (j = 0; j < ldns_rr_list_rr_count(ds); j++) {
49 rr_j = ldns_rr_list_rr(ds, j);
50 if (ldns_rr_compare_ds(rr_i, rr_j)) {
52 /* only allow unique RRs to match */
53 ldns_rr_set_push_rr(keys, rr_i);
66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t)
69 p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0);
74 ldns_pkt_print(stdout, p);
82 * retrieve keys for this zone
85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
87 return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig);
91 * check to see if we can find a DS rrset here which we can then follow
94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
96 return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig);
101 remove_resolver_nameservers(ldns_resolver *res)
105 /* remove the old nameserver from the resolver */
106 while((pop = ldns_resolver_pop_nameserver(res))) {
107 ldns_rdf_deep_free(pop);
113 show_current_nameservers(FILE *out, ldns_resolver *res)
116 fprintf(out, "Current nameservers for resolver object:\n");
117 for (i = 0; i < ldns_resolver_nameserver_count(res); i++) {
118 ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]);
126 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
127 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name
131 ldns_pkt *p, *local_p;
132 ldns_rr_list *new_nss;
133 ldns_rr_list *ns_addr;
135 ldns_rdf **labels = NULL;
136 ldns_status status, st;
141 uint8_t labels_count;
144 ldns_rr_list *key_list;
145 ldns_rr_list *key_sig_list;
146 ldns_rr_list *ds_list;
147 ldns_rr_list *ds_sig_list;
148 ldns_rr_list *correct_key_list;
149 ldns_rr_list *trusted_ds_rrs;
150 bool new_keys_trusted = false;
151 ldns_rr_list *current_correct_keys;
152 ldns_rr_list *dataset;
154 ldns_rr_list *nsec_rrs = NULL;
155 ldns_rr_list *nsec_rr_sigs = NULL;
157 /* empty non-terminal check */
161 ldns_rr_list *new_ns_addr;
162 ldns_rr_list *old_ns_addr;
167 /* printing niceness */
168 const ldns_rr_descriptor *descriptor;
170 descriptor = ldns_rr_descript(t);
179 res = ldns_resolver_new();
184 error("Memory allocation failed");
189 correct_key_list = ldns_rr_list_new();
190 if (!correct_key_list) {
191 error("Memory allocation failed");
196 trusted_ds_rrs = ldns_rr_list_new();
197 if (!trusted_ds_rrs) {
198 error("Memory allocation failed");
202 /* Add all preset trusted DS signatures to the list of trusted DS RRs. */
203 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
204 ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j);
205 if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) {
206 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr));
210 /* transfer some properties of local_res to res */
211 ldns_resolver_set_ip6(res,
212 ldns_resolver_ip6(local_res));
213 ldns_resolver_set_port(res,
214 ldns_resolver_port(local_res));
215 ldns_resolver_set_debug(res,
216 ldns_resolver_debug(local_res));
217 ldns_resolver_set_fail(res,
218 ldns_resolver_fail(local_res));
219 ldns_resolver_set_usevc(res,
220 ldns_resolver_usevc(local_res));
221 ldns_resolver_set_random(res,
222 ldns_resolver_random(local_res));
223 ldns_resolver_set_recursive(local_res, true);
225 ldns_resolver_set_recursive(res, false);
226 ldns_resolver_set_dnssec_cd(res, false);
227 ldns_resolver_set_dnssec(res, true);
229 /* setup the root nameserver in the new resolver */
230 status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root);
231 if (status != LDNS_STATUS_OK) {
232 printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status));
233 ldns_rr_list_print(stdout, global_dns_root);
237 labels_count = ldns_dname_label_count(name);
239 if (ldns_dname_is_subdomain(name, start_name)) {
240 labels_count -= ldns_dname_label_count(start_name);
242 fprintf(stderr, "Error; ");
243 ldns_rdf_print(stderr, name);
244 fprintf(stderr, " is not a subdomain of ");
245 ldns_rdf_print(stderr, start_name);
246 fprintf(stderr, "\n");
250 labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2);
254 labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);
255 labels[1] = ldns_rdf_clone(name);
256 for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {
257 labels[i] = ldns_dname_left_chop(labels[i - 1]);
260 /* get the nameserver for the label
261 * ask: dnskey and ds for the label
263 for(i = (ssize_t)labels_count + 1; i > 0; i--) {
264 status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);
266 if (verbosity >= 5) {
267 ldns_pkt_print(stdout, local_p);
270 new_nss = ldns_pkt_rr_list_by_type(local_p,
271 LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
273 /* if it's a delegation, servers put them in the auth section */
274 new_nss = ldns_pkt_rr_list_by_type(local_p,
275 LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
278 /* if this is the final step there might not be nameserver records
279 of course if the data is in the apex, there are, so cover both
281 if (new_nss || i > 1) {
282 for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) {
283 ns_rr = ldns_rr_list_rr(new_nss, j);
284 pop = ldns_rr_rdf(ns_rr, 0);
289 /* retrieve it's addresses */
292 if (ldns_dname_is_subdomain(pop, labels[i])) {
293 new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
295 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
296 new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0);
298 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
299 new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0);
303 old_ns_addr = ns_addr;
304 ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr);
305 ldns_rr_list_deep_free(old_ns_addr);
307 ldns_rr_list_deep_free(new_ns_addr);
309 ldns_rr_list_deep_free(new_nss);
312 remove_resolver_nameservers(res);
314 if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) !=
316 error("Error adding new nameservers");
317 ldns_pkt_free(local_p);
320 ldns_rr_list_deep_free(ns_addr);
322 status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs);
324 /* verify the nsec3 themselves*/
325 if (verbosity >= 4) {
326 printf("NSEC(3) Records to verify:\n");
327 ldns_rr_list_print(stdout, nsec_rrs);
328 printf("With signatures:\n");
329 ldns_rr_list_print(stdout, nsec_rr_sigs);
330 printf("correct keys:\n");
331 ldns_rr_list_print(stdout, correct_key_list);
334 if (status == LDNS_STATUS_OK) {
335 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
336 fprintf(stdout, "%s ", TRUST);
337 fprintf(stdout, "Existence denied: ");
338 ldns_rdf_print(stdout, labels[i]);
340 if (descriptor && descriptor->_name) {
341 printf(" %s", descriptor->_name);
343 printf(" TYPE%u", t);
345 */ fprintf(stdout, " NS\n");
346 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
347 fprintf(stdout, "%s ", SELF);
348 fprintf(stdout, "Existence denied: ");
349 ldns_rdf_print(stdout, labels[i]);
351 if (descriptor && descriptor->_name) {
352 printf(" %s", descriptor->_name);
354 printf(" TYPE%u", t);
357 fprintf(stdout, " NS\n");
359 fprintf(stdout, "%s ", BOGUS);
361 printf(";; Error verifying denial of existence for name ");
362 ldns_rdf_print(stdout, labels[i]);
365 if (descriptor && descriptor->_name) {
366 printf("%s", descriptor->_name);
370 */ printf("NS: %s\n", ldns_get_errorstr_by_id(st));
373 fprintf(stdout, "%s ", BOGUS);
375 printf(";; Error verifying denial of existence for name ");
376 ldns_rdf_print(stdout, labels[i]);
377 printf("NS: %s\n", ldns_get_errorstr_by_id(status));
380 /* there might be an empty non-terminal, in which case we need to continue */
382 for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) {
383 if (ldns_dname_is_subdomain(ldns_rr_rdf(ldns_rr_list_rr(nsec_rrs, j), 0), labels[i])) {
388 ldns_rr_list_deep_free(nsec_rrs);
389 ldns_rr_list_deep_free(nsec_rr_sigs);
390 ldns_pkt_free(local_p);
393 printf(";; There is an empty non-terminal here, continue\n");
398 if (ldns_resolver_nameserver_count(res) == 0) {
399 error("No nameservers found for this node");
403 ldns_pkt_free(local_p);
405 fprintf(stdout, ";; Domain: ");
406 ldns_rdf_print(stdout, labels[i]);
407 fprintf(stdout, "\n");
409 /* retrieve keys for current domain, and verify them
410 if they match an already trusted DS, or if one of the
411 keys used to sign these is trusted, add the keys to
413 p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY);
414 (void) get_key(p, labels[i], &key_list, &key_sig_list);
417 current_correct_keys = ldns_rr_list_new();
418 if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) ==
420 /* add all signed keys (don't just add current_correct, you'd miss
422 for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) {
423 ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j)));
426 /* check whether these keys were signed
427 * by a trusted keys. if so, these
428 * keys are also trusted */
429 new_keys_trusted = false;
430 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
431 for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) {
432 if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k),
433 ldns_rr_list_rr(trusted_ds_rrs, j))) {
434 new_keys_trusted = true;
439 /* also all keys are trusted if one of the current correct keys is trusted */
440 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
441 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
442 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k),
443 ldns_rr_list_rr(trusted_keys, j)) == 0) {
444 new_keys_trusted = true;
450 if (new_keys_trusted) {
451 ldns_rr_list_push_rr_list(trusted_keys, key_list);
452 print_rr_list_abbr(stdout, key_list, TRUST);
453 ldns_rr_list_free(key_list);
456 if (verbosity >= 2) {
457 printf(";; Signature ok but no chain to a trusted key or ds record\n");
459 print_rr_list_abbr(stdout, key_list, SELF);
460 ldns_rr_list_deep_free(key_list);
464 print_rr_list_abbr(stdout, key_list, BOGUS);
466 ldns_rr_list_deep_free(key_list);
469 ldns_rr_list_free(current_correct_keys);
470 current_correct_keys = NULL;
472 printf(";; No DNSKEY record found for ");
473 ldns_rdf_print(stdout, labels[i]);
479 ldns_rr_list_deep_free(key_sig_list);
482 /* check the DS records for the next child domain */
484 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
485 (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
489 ldns_rr_list_deep_free(ds_sig_list);
491 p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
492 (void) get_ds(p, NULL, &ds_list, &ds_sig_list);
496 if (verbosity >= 4) {
497 printf("VERIFYING:\n");
498 printf("DS LIST:\n");
499 ldns_rr_list_print(stdout, ds_list);
501 ldns_rr_list_print(stdout, ds_sig_list);
503 ldns_rr_list_print(stdout, correct_key_list);
506 current_correct_keys = ldns_rr_list_new();
508 if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) ==
510 /* if the ds is signed by a trusted key and a key from correct keys
511 matches that ds, add that key to the trusted keys */
512 new_keys_trusted = false;
513 if (verbosity >= 2) {
514 printf("Checking if signing key is trusted:\n");
516 for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) {
517 if (verbosity >= 2) {
519 ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j));
521 for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) {
522 if (verbosity >= 2) {
523 printf("\tTrusted key: ");
524 ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k));
526 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j),
527 ldns_rr_list_rr(trusted_keys, k)) == 0) {
528 if (verbosity >= 2) {
529 printf("Key is now trusted!\n");
531 for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) {
532 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l)));
533 new_keys_trusted = true;
538 if (new_keys_trusted) {
539 print_rr_list_abbr(stdout, ds_list, TRUST);
541 print_rr_list_abbr(stdout, ds_list, SELF);
545 print_rr_list_abbr(stdout, ds_list, BOGUS);
548 ldns_rr_list_free(current_correct_keys);
549 current_correct_keys = NULL;
551 /* wait apparently there were no keys either, go back to the ds packet */
553 ldns_rr_list_deep_free(ds_sig_list);
554 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
555 (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
557 status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs);
559 if (verbosity >= 4) {
560 printf("NSEC(3) Records to verify:\n");
561 ldns_rr_list_print(stdout, nsec_rrs);
562 printf("With signatures:\n");
563 ldns_rr_list_print(stdout, nsec_rr_sigs);
564 printf("correct keys:\n");
565 ldns_rr_list_print(stdout, correct_key_list);
568 if (status == LDNS_STATUS_OK) {
569 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
570 fprintf(stdout, "%s ", TRUST);
571 fprintf(stdout, "Existence denied: ");
572 ldns_rdf_print(stdout, labels[i-1]);
574 fprintf(stdout, "\n");
575 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
576 fprintf(stdout, "%s ", SELF);
577 fprintf(stdout, "Existence denied: ");
578 ldns_rdf_print(stdout, labels[i-1]);
580 fprintf(stdout, "\n");
583 fprintf(stdout, "%s ", BOGUS);
584 printf("Error verifying denial of existence for ");
585 ldns_rdf_print(stdout, labels[i-1]);
587 printf(": %s\n", ldns_get_errorstr_by_id(st));
592 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
593 printf(";; No DS for ");
594 ldns_rdf_print(stdout, labels[i - 1]);
596 printf("[B] Unable to verify denial of existence for ");
597 ldns_rdf_print(stdout, labels[i - 1]);
598 printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
601 if (verbosity >= 2) {
602 printf(";; No ds record for delegation\n");
606 ldns_rr_list_deep_free(ds_list);
609 /* if this is the last label, just verify the data and stop */
610 p = get_dnssec_pkt(res, labels[i], t);
611 (void) get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list);
612 if (dataset && ldns_rr_list_rr_count(dataset) > 0) {
613 if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) {
615 /* If this is a wildcard, you must be able to deny exact match */
616 if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) {
617 fprintf(stdout, "%s ", TRUST);
618 ldns_rr_list_print(stdout, dataset);
619 } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) {
620 fprintf(stdout, "%s ", SELF);
621 ldns_rr_list_print(stdout, dataset);
624 fprintf(stdout, "%s ", BOGUS);
625 ldns_rr_list_print(stdout, dataset);
626 printf(";; Error: %s\n", ldns_get_errorstr_by_id(st));
629 fprintf(stdout, "%s ", UNSIGNED);
630 ldns_rr_list_print(stdout, dataset);
632 ldns_rr_list_deep_free(dataset);
634 status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs);
635 if (status == LDNS_STATUS_OK) {
636 /* verify the nsec3 themselves*/
637 if (verbosity >= 5) {
638 printf("NSEC(3) Records to verify:\n");
639 ldns_rr_list_print(stdout, nsec_rrs);
640 printf("With signatures:\n");
641 ldns_rr_list_print(stdout, nsec_rr_sigs);
642 printf("correct keys:\n");
643 ldns_rr_list_print(stdout, correct_key_list);
645 printf("trusted keys at %p:\n", trusted_keys);
646 ldns_rr_list_print(stdout, trusted_keys);
649 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
650 fprintf(stdout, "%s ", TRUST);
651 fprintf(stdout, "Existence denied: ");
652 ldns_rdf_print(stdout, name);
653 if (descriptor && descriptor->_name) {
654 printf(" %s", descriptor->_name);
656 printf(" TYPE%u", t);
658 fprintf(stdout, "\n");
659 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
660 fprintf(stdout, "%s ", SELF);
661 fprintf(stdout, "Existence denied: ");
662 ldns_rdf_print(stdout, name);
663 if (descriptor && descriptor->_name) {
664 printf(" %s", descriptor->_name);
666 printf(" TYPE%u", t);
668 fprintf(stdout, "\n");
671 fprintf(stdout, "%s ", BOGUS);
672 printf("Error verifying denial of existence for ");
673 ldns_rdf_print(stdout, name);
675 if (descriptor && descriptor->_name) {
676 printf("%s", descriptor->_name);
680 printf(": %s\n", ldns_get_errorstr_by_id(st));
683 ldns_rr_list_deep_free(nsec_rrs);
684 ldns_rr_list_deep_free(nsec_rr_sigs);
688 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
689 printf("%s ", UNSIGNED);
690 printf("No data found for: ");
691 ldns_rdf_print(stdout, name);
693 if (descriptor && descriptor->_name) {
694 printf("%s", descriptor->_name);
700 printf("[B] Unable to verify denial of existence for ");
701 ldns_rdf_print(stdout, name);
703 if (descriptor && descriptor->_name) {
704 printf("%s", descriptor->_name);
718 ldns_rr_list_deep_free(key_list);
720 ldns_rr_list_deep_free(key_sig_list);
723 ldns_rr_list_deep_free(ds_sig_list);
726 printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");
728 printf("Trusted keys:\n");
729 ldns_rr_list_print(stdout, trusted_keys);
730 printf("trusted dss:\n");
731 ldns_rr_list_print(stdout, trusted_ds_rrs);
735 ldns_rr_list_deep_free(trusted_ds_rrs);
736 ldns_rr_list_deep_free(correct_key_list);
737 ldns_resolver_deep_free(res);
739 for(i = 0 ; i < (ssize_t)labels_count + 2; i++) {
740 ldns_rdf_deep_free(labels[i]);
746 #endif /* HAVE_SSL */