2 * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: validator.c,v 1.164.12.11.10.6 2010/09/03 02:55:18 marka Exp $ */
22 #include <isc/base32.h>
24 #include <isc/print.h>
26 #include <isc/string.h>
32 #include <dns/dnssec.h>
33 #include <dns/events.h>
34 #include <dns/keytable.h>
36 #include <dns/message.h>
37 #include <dns/ncache.h>
39 #include <dns/nsec3.h>
40 #include <dns/rdata.h>
41 #include <dns/rdatastruct.h>
42 #include <dns/rdataset.h>
43 #include <dns/rdatatype.h>
44 #include <dns/resolver.h>
45 #include <dns/result.h>
46 #include <dns/validator.h>
51 * Basic processing sequences.
53 * \li When called with rdataset and sigrdataset:
54 * validator_start -> validate -> proveunsecure -> startfinddlvsep ->
55 * dlv_validator_start -> validator_start -> validate -> proveunsecure
57 * validator_start -> validate -> nsecvalidate (secure wildcard answer)
59 * \li When called with rdataset, sigrdataset and with DNS_VALIDATOR_DLV:
60 * validator_start -> startfinddlvsep -> dlv_validator_start ->
61 * validator_start -> validate -> proveunsecure
63 * \li When called with rdataset:
64 * validator_start -> proveunsecure -> startfinddlvsep ->
65 * dlv_validator_start -> validator_start -> proveunsecure
67 * \li When called with rdataset and with DNS_VALIDATOR_DLV:
68 * validator_start -> startfinddlvsep -> dlv_validator_start ->
69 * validator_start -> proveunsecure
71 * \li When called without a rdataset:
72 * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
73 * dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
75 * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate()
76 * to always validate the authority section even when it does not contain
79 * validator_start: determines what type of validation to do.
80 * validate: attempts to perform a positive validation.
81 * proveunsecure: attempts to prove the answer comes from a unsecure zone.
82 * nsecvalidate: attempts to prove a negative response.
83 * startfinddlvsep: starts the DLV record lookup.
84 * dlv_validator_start: resets state and restarts the lookup using the
85 * DLV RRset found by startfinddlvsep.
88 #define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?')
89 #define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
91 #define VALATTR_SHUTDOWN 0x0001 /*%< Shutting down. */
92 #define VALATTR_CANCELED 0x0002 /*%< Canceled. */
93 #define VALATTR_TRIEDVERIFY 0x0004 /*%< We have found a key and
94 * have attempted a verify. */
95 #define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */
96 #define VALATTR_DLVTRIED 0x0020 /*%< Looked for a DLV record. */
99 * NSEC proofs to be looked for.
101 #define VALATTR_NEEDNOQNAME 0x00000100
102 #define VALATTR_NEEDNOWILDCARD 0x00000200
103 #define VALATTR_NEEDNODATA 0x00000400
106 * NSEC proofs that have been found.
108 #define VALATTR_FOUNDNOQNAME 0x00001000
109 #define VALATTR_FOUNDNOWILDCARD 0x00002000
110 #define VALATTR_FOUNDNODATA 0x00004000
111 #define VALATTR_FOUNDCLOSEST 0x00008000
116 #define VALATTR_FOUNDOPTOUT 0x00010000
117 #define VALATTR_FOUNDUNKNOWN 0x00020000
119 #define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
120 #define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
121 #define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
122 #define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
123 #define FOUNDNODATA(val) ((val->attributes & VALATTR_FOUNDNODATA) != 0)
124 #define FOUNDNOQNAME(val) ((val->attributes & VALATTR_FOUNDNOQNAME) != 0)
125 #define FOUNDNOWILDCARD(val) ((val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)
126 #define FOUNDCLOSEST(val) ((val->attributes & VALATTR_FOUNDCLOSEST) != 0)
127 #define FOUNDOPTOUT(val) ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
129 #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
130 #define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0)
133 destroy(dns_validator_t *val);
136 get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
137 dns_rdataset_t *rdataset);
140 validate(dns_validator_t *val, isc_boolean_t resume);
143 validatezonekey(dns_validator_t *val);
146 nsecvalidate(dns_validator_t *val, isc_boolean_t resume);
149 proveunsecure(dns_validator_t *val, isc_boolean_t have_ds,
150 isc_boolean_t resume);
153 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
154 isc_logmodule_t *module, int level, const char *fmt, va_list ap)
155 ISC_FORMAT_PRINTF(5, 0);
158 validator_log(dns_validator_t *val, int level, const char *fmt, ...)
159 ISC_FORMAT_PRINTF(3, 4);
162 validator_logcreate(dns_validator_t *val,
163 dns_name_t *name, dns_rdatatype_t type,
164 const char *caller, const char *operation);
167 dlv_validatezonekey(dns_validator_t *val);
170 dlv_validator_start(dns_validator_t *val);
173 finddlvsep(dns_validator_t *val, isc_boolean_t resume);
176 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
179 * Mark the RRsets as a answer.
182 markanswer(dns_validator_t *val, const char *where) {
183 validator_log(val, ISC_LOG_DEBUG(3), "marking as answer (%s)", where);
184 if (val->event->rdataset != NULL)
185 dns_rdataset_settrust(val->event->rdataset, dns_trust_answer);
186 if (val->event->sigrdataset != NULL)
187 dns_rdataset_settrust(val->event->sigrdataset,
192 marksecure(dns_validatorevent_t *event) {
193 dns_rdataset_settrust(event->rdataset, dns_trust_secure);
194 if (event->sigrdataset != NULL)
195 dns_rdataset_settrust(event->sigrdataset, dns_trust_secure);
199 validator_done(dns_validator_t *val, isc_result_t result) {
202 if (val->event == NULL)
206 * Caller must be holding the lock.
209 val->event->result = result;
210 task = val->event->ev_sender;
211 val->event->ev_sender = val;
212 val->event->ev_type = DNS_EVENT_VALIDATORDONE;
213 val->event->ev_action = val->action;
214 val->event->ev_arg = val->arg;
215 isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
218 static inline isc_boolean_t
219 exit_check(dns_validator_t *val) {
221 * Caller must be holding the lock.
226 INSIST(val->event == NULL);
228 if (val->fetch != NULL || val->subvalidator != NULL)
235 * Check that we have atleast one supported algorithm in the DLV RRset.
237 static inline isc_boolean_t
238 dlv_algorithm_supported(dns_validator_t *val) {
239 dns_rdata_t rdata = DNS_RDATA_INIT;
243 for (result = dns_rdataset_first(&val->dlv);
244 result == ISC_R_SUCCESS;
245 result = dns_rdataset_next(&val->dlv)) {
246 dns_rdata_reset(&rdata);
247 dns_rdataset_current(&val->dlv, &rdata);
248 result = dns_rdata_tostruct(&rdata, &dlv, NULL);
249 RUNTIME_CHECK(result == ISC_R_SUCCESS);
251 if (!dns_resolver_algorithm_supported(val->view->resolver,
256 if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
257 dlv.digest_type != DNS_DSDIGEST_SHA1)
266 * Look in the NSEC record returned from a DS query to see if there is
267 * a NS RRset at this name. If it is found we are at a delegation point.
270 isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
271 isc_result_t dbresult)
273 dns_fixedname_t fixed;
274 dns_label_t hashlabel;
275 dns_name_t nsec3name;
276 dns_rdata_nsec3_t nsec3;
277 dns_rdata_t rdata = DNS_RDATA_INIT;
284 unsigned char hash[NSEC3_MAX_HASH_LENGTH];
285 unsigned char owner[NSEC3_MAX_HASH_LENGTH];
288 REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
290 dns_rdataset_init(&set);
291 if (dbresult == DNS_R_NXRRSET)
292 dns_rdataset_clone(rdataset, &set);
294 result = dns_ncache_getrdataset(rdataset, name,
295 dns_rdatatype_nsec, &set);
296 if (result == ISC_R_NOTFOUND)
298 if (result != ISC_R_SUCCESS)
302 INSIST(set.type == dns_rdatatype_nsec);
305 result = dns_rdataset_first(&set);
306 if (result == ISC_R_SUCCESS) {
307 dns_rdataset_current(&set, &rdata);
308 found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
309 dns_rdata_reset(&rdata);
311 dns_rdataset_disassociate(&set);
316 * Iterate over the ncache entry.
319 dns_name_init(&nsec3name, NULL);
320 dns_fixedname_init(&fixed);
321 dns_name_downcase(name, dns_fixedname_name(&fixed), NULL);
322 name = dns_fixedname_name(&fixed);
323 result = dns_rdataset_first(rdataset);
324 for (result = dns_rdataset_first(rdataset);
325 result == ISC_R_SUCCESS;
326 result = dns_rdataset_next(rdataset))
328 dns_ncache_current(rdataset, &nsec3name, &set);
329 if (set.type != dns_rdatatype_nsec3) {
330 dns_rdataset_disassociate(&set);
333 dns_name_getlabel(&nsec3name, 0, &hashlabel);
334 isc_region_consume(&hashlabel, 1);
335 isc_buffer_init(&buffer, owner, sizeof(owner));
336 result = isc_base32hex_decoderegion(&hashlabel, &buffer);
337 if (result != ISC_R_SUCCESS) {
338 dns_rdataset_disassociate(&set);
341 for (result = dns_rdataset_first(&set);
342 result == ISC_R_SUCCESS;
343 result = dns_rdataset_next(&set))
345 dns_rdata_reset(&rdata);
346 dns_rdataset_current(&set, &rdata);
347 (void)dns_rdata_tostruct(&rdata, &nsec3, NULL);
350 length = isc_iterated_hash(hash, nsec3.hash,
351 nsec3.iterations, nsec3.salt,
353 name->ndata, name->length);
354 if (length != isc_buffer_usedlength(&buffer))
356 order = memcmp(hash, owner, length);
358 found = dns_nsec3_typepresent(&rdata,
360 dns_rdataset_disassociate(&set);
363 if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0)
366 * Does this optout span cover the name?
368 scope = memcmp(owner, nsec3.next, nsec3.next_length);
369 if ((scope < 0 && order > 0 &&
370 memcmp(hash, nsec3.next, length) < 0) ||
371 (scope >= 0 && (order > 0 ||
372 memcmp(hash, nsec3.next, length) < 0)))
374 dns_rdataset_disassociate(&set);
378 dns_rdataset_disassociate(&set);
384 * We have been asked to to look for a key.
385 * If found resume the validation process.
386 * If not found fail the validation process.
389 fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
390 dns_fetchevent_t *devent;
391 dns_validator_t *val;
392 dns_rdataset_t *rdataset;
393 isc_boolean_t want_destroy;
395 isc_result_t eresult;
398 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
399 devent = (dns_fetchevent_t *)event;
400 val = devent->ev_arg;
401 rdataset = &val->frdataset;
402 eresult = devent->result;
404 /* Free resources which are not of interest. */
405 if (devent->node != NULL)
406 dns_db_detachnode(devent->db, &devent->node);
407 if (devent->db != NULL)
408 dns_db_detach(&devent->db);
409 if (dns_rdataset_isassociated(&val->fsigrdataset))
410 dns_rdataset_disassociate(&val->fsigrdataset);
411 isc_event_free(&event);
412 dns_resolver_destroyfetch(&val->fetch);
414 INSIST(val->event != NULL);
416 validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
419 validator_done(val, ISC_R_CANCELED);
420 } else if (eresult == ISC_R_SUCCESS) {
421 validator_log(val, ISC_LOG_DEBUG(3),
422 "keyset with trust %d", rdataset->trust);
424 * Only extract the dst key if the keyset is secure.
426 if (rdataset->trust >= dns_trust_secure) {
427 result = get_dst_key(val, val->siginfo, rdataset);
428 if (result == ISC_R_SUCCESS)
429 val->keyset = &val->frdataset;
431 result = validate(val, ISC_TRUE);
432 if (result != DNS_R_WAIT)
433 validator_done(val, result);
435 validator_log(val, ISC_LOG_DEBUG(3),
436 "fetch_callback_validator: got %s",
437 isc_result_totext(eresult));
438 if (eresult == ISC_R_CANCELED)
439 validator_done(val, eresult);
441 validator_done(val, DNS_R_BROKENCHAIN);
443 want_destroy = exit_check(val);
450 * We were asked to look for a DS record as part of following a key chain
451 * upwards. If found resume the validation process. If not found fail the
452 * validation process.
455 dsfetched(isc_task_t *task, isc_event_t *event) {
456 dns_fetchevent_t *devent;
457 dns_validator_t *val;
458 dns_rdataset_t *rdataset;
459 isc_boolean_t want_destroy;
461 isc_result_t eresult;
464 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
465 devent = (dns_fetchevent_t *)event;
466 val = devent->ev_arg;
467 rdataset = &val->frdataset;
468 eresult = devent->result;
470 /* Free resources which are not of interest. */
471 if (devent->node != NULL)
472 dns_db_detachnode(devent->db, &devent->node);
473 if (devent->db != NULL)
474 dns_db_detach(&devent->db);
475 if (dns_rdataset_isassociated(&val->fsigrdataset))
476 dns_rdataset_disassociate(&val->fsigrdataset);
477 isc_event_free(&event);
478 dns_resolver_destroyfetch(&val->fetch);
480 INSIST(val->event != NULL);
482 validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched");
485 validator_done(val, ISC_R_CANCELED);
486 } else if (eresult == ISC_R_SUCCESS) {
487 validator_log(val, ISC_LOG_DEBUG(3),
488 "dsset with trust %d", rdataset->trust);
489 val->dsset = &val->frdataset;
490 result = validatezonekey(val);
491 if (result != DNS_R_WAIT)
492 validator_done(val, result);
493 } else if (eresult == DNS_R_NXRRSET ||
494 eresult == DNS_R_NCACHENXRRSET ||
495 eresult == DNS_R_SERVFAIL) /* RFC 1034 parent? */
497 validator_log(val, ISC_LOG_DEBUG(3),
498 "falling back to insecurity proof (%s)",
499 dns_result_totext(eresult));
500 val->attributes |= VALATTR_INSECURITY;
501 result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
502 if (result != DNS_R_WAIT)
503 validator_done(val, result);
505 validator_log(val, ISC_LOG_DEBUG(3),
507 isc_result_totext(eresult));
508 if (eresult == ISC_R_CANCELED)
509 validator_done(val, eresult);
511 validator_done(val, DNS_R_BROKENCHAIN);
513 want_destroy = exit_check(val);
520 * We were asked to look for the DS record as part of proving that a
523 * If the DS record doesn't exist and the query name corresponds to
524 * a delegation point we are transitioning from a secure zone to a
527 * If the DS record exists it will be secure. We can continue looking
528 * for the break point in the chain of trust.
531 dsfetched2(isc_task_t *task, isc_event_t *event) {
532 dns_fetchevent_t *devent;
533 dns_validator_t *val;
535 isc_boolean_t want_destroy;
537 isc_result_t eresult;
540 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
541 devent = (dns_fetchevent_t *)event;
542 val = devent->ev_arg;
543 eresult = devent->result;
545 /* Free resources which are not of interest. */
546 if (devent->node != NULL)
547 dns_db_detachnode(devent->db, &devent->node);
548 if (devent->db != NULL)
549 dns_db_detach(&devent->db);
550 if (dns_rdataset_isassociated(&val->fsigrdataset))
551 dns_rdataset_disassociate(&val->fsigrdataset);
552 dns_resolver_destroyfetch(&val->fetch);
554 INSIST(val->event != NULL);
556 validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2: %s",
557 dns_result_totext(eresult));
560 validator_done(val, ISC_R_CANCELED);
561 } else if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) {
563 * There is no DS. If this is a delegation, we're done.
565 tname = dns_fixedname_name(&devent->foundname);
566 if (isdelegation(tname, &val->frdataset, eresult)) {
567 if (val->mustbesecure) {
568 validator_log(val, ISC_LOG_WARNING,
569 "must be secure failure");
570 validator_done(val, DNS_R_MUSTBESECURE);
571 } else if (val->view->dlv == NULL || DLVTRIED(val)) {
572 markanswer(val, "dsfetched2");
573 validator_done(val, ISC_R_SUCCESS);
575 result = startfinddlvsep(val, tname);
576 if (result != DNS_R_WAIT)
577 validator_done(val, result);
580 result = proveunsecure(val, ISC_FALSE, ISC_TRUE);
581 if (result != DNS_R_WAIT)
582 validator_done(val, result);
584 } else if (eresult == ISC_R_SUCCESS ||
585 eresult == DNS_R_NXDOMAIN ||
586 eresult == DNS_R_NCACHENXDOMAIN)
589 * There is a DS which may or may not be a zone cut.
590 * In either case we are still in a secure zone resume
593 result = proveunsecure(val, ISC_TF(eresult == ISC_R_SUCCESS),
595 if (result != DNS_R_WAIT)
596 validator_done(val, result);
598 if (eresult == ISC_R_CANCELED)
599 validator_done(val, eresult);
601 validator_done(val, DNS_R_NOVALIDDS);
603 isc_event_free(&event);
604 want_destroy = exit_check(val);
611 * Callback from when a DNSKEY RRset has been validated.
613 * Resumes the stalled validation process.
616 keyvalidated(isc_task_t *task, isc_event_t *event) {
617 dns_validatorevent_t *devent;
618 dns_validator_t *val;
619 isc_boolean_t want_destroy;
621 isc_result_t eresult;
624 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
626 devent = (dns_validatorevent_t *)event;
627 val = devent->ev_arg;
628 eresult = devent->result;
630 isc_event_free(&event);
631 dns_validator_destroy(&val->subvalidator);
633 INSIST(val->event != NULL);
635 validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
638 validator_done(val, ISC_R_CANCELED);
639 } else if (eresult == ISC_R_SUCCESS) {
640 validator_log(val, ISC_LOG_DEBUG(3),
641 "keyset with trust %d", val->frdataset.trust);
643 * Only extract the dst key if the keyset is secure.
645 if (val->frdataset.trust >= dns_trust_secure)
646 (void) get_dst_key(val, val->siginfo, &val->frdataset);
647 result = validate(val, ISC_TRUE);
648 if (result != DNS_R_WAIT)
649 validator_done(val, result);
651 if (eresult != DNS_R_BROKENCHAIN) {
652 if (dns_rdataset_isassociated(&val->frdataset))
653 dns_rdataset_expire(&val->frdataset);
654 if (dns_rdataset_isassociated(&val->fsigrdataset))
655 dns_rdataset_expire(&val->fsigrdataset);
657 validator_log(val, ISC_LOG_DEBUG(3),
658 "keyvalidated: got %s",
659 isc_result_totext(eresult));
660 validator_done(val, DNS_R_BROKENCHAIN);
662 want_destroy = exit_check(val);
669 * Callback when the DS record has been validated.
671 * Resumes validation of the zone key or the unsecure zone proof.
674 dsvalidated(isc_task_t *task, isc_event_t *event) {
675 dns_validatorevent_t *devent;
676 dns_validator_t *val;
677 isc_boolean_t want_destroy;
679 isc_result_t eresult;
682 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
684 devent = (dns_validatorevent_t *)event;
685 val = devent->ev_arg;
686 eresult = devent->result;
688 isc_event_free(&event);
689 dns_validator_destroy(&val->subvalidator);
691 INSIST(val->event != NULL);
693 validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
696 validator_done(val, ISC_R_CANCELED);
697 } else if (eresult == ISC_R_SUCCESS) {
698 isc_boolean_t have_dsset;
700 validator_log(val, ISC_LOG_DEBUG(3),
702 val->frdataset.type == dns_rdatatype_ds ?
703 "dsset" : "ds non-existance",
704 val->frdataset.trust);
705 have_dsset = ISC_TF(val->frdataset.type == dns_rdatatype_ds);
706 name = dns_fixedname_name(&val->fname);
707 if ((val->attributes & VALATTR_INSECURITY) != 0 &&
708 val->frdataset.covers == dns_rdatatype_ds &&
709 val->frdataset.type == 0 &&
710 isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) {
711 if (val->mustbesecure) {
712 validator_log(val, ISC_LOG_WARNING,
713 "must be secure failure, no DS "
714 "and this is a delegation");
715 result = DNS_R_MUSTBESECURE;
716 } else if (val->view->dlv == NULL || DLVTRIED(val)) {
717 markanswer(val, "dsvalidated");
718 result = ISC_R_SUCCESS;;
720 result = startfinddlvsep(val, name);
721 } else if ((val->attributes & VALATTR_INSECURITY) != 0) {
722 result = proveunsecure(val, have_dsset, ISC_TRUE);
724 result = validatezonekey(val);
725 if (result != DNS_R_WAIT)
726 validator_done(val, result);
728 if (eresult != DNS_R_BROKENCHAIN) {
729 if (dns_rdataset_isassociated(&val->frdataset))
730 dns_rdataset_expire(&val->frdataset);
731 if (dns_rdataset_isassociated(&val->fsigrdataset))
732 dns_rdataset_expire(&val->fsigrdataset);
734 validator_log(val, ISC_LOG_DEBUG(3),
735 "dsvalidated: got %s",
736 isc_result_totext(eresult));
737 validator_done(val, DNS_R_BROKENCHAIN);
739 want_destroy = exit_check(val);
746 * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
747 * or we can determine whether there is data or not at the name.
748 * If the name does not exist return the wildcard name.
750 * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
753 nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
754 dns_rdataset_t *nsecset, isc_boolean_t *exists,
755 isc_boolean_t *data, dns_name_t *wild)
758 dns_rdata_t rdata = DNS_RDATA_INIT;
760 dns_namereln_t relation;
761 unsigned int olabels, nlabels, labels;
762 dns_rdata_nsec_t nsec;
763 isc_boolean_t atparent;
767 REQUIRE(exists != NULL);
768 REQUIRE(data != NULL);
769 REQUIRE(nsecset != NULL &&
770 nsecset->type == dns_rdatatype_nsec);
772 result = dns_rdataset_first(nsecset);
773 if (result != ISC_R_SUCCESS) {
774 validator_log(val, ISC_LOG_DEBUG(3),
775 "failure processing NSEC set");
778 dns_rdataset_current(nsecset, &rdata);
780 validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant nsec");
781 relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
785 * The name is not within the NSEC range.
787 validator_log(val, ISC_LOG_DEBUG(3),
788 "NSEC does not cover name, before NSEC");
789 return (ISC_R_IGNORE);
794 * The names are the same.
796 atparent = dns_rdatatype_atparent(val->event->type);
797 ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
798 soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
802 * This NSEC record is from somewhere higher in
803 * the DNS, and at the parent of a delegation.
804 * It can not be legitimately used here.
806 validator_log(val, ISC_LOG_DEBUG(3),
807 "ignoring parent nsec");
808 return (ISC_R_IGNORE);
810 } else if (atparent && ns && soa) {
812 * This NSEC record is from the child.
813 * It can not be legitimately used here.
815 validator_log(val, ISC_LOG_DEBUG(3),
816 "ignoring child nsec");
817 return (ISC_R_IGNORE);
819 if (val->event->type == dns_rdatatype_cname ||
820 val->event->type == dns_rdatatype_nxt ||
821 val->event->type == dns_rdatatype_nsec ||
822 val->event->type == dns_rdatatype_key ||
823 !dns_nsec_typepresent(&rdata, dns_rdatatype_cname)) {
825 *data = dns_nsec_typepresent(&rdata, val->event->type);
826 validator_log(val, ISC_LOG_DEBUG(3),
827 "nsec proves name exists (owner) data=%d",
829 return (ISC_R_SUCCESS);
831 validator_log(val, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
832 return (ISC_R_IGNORE);
835 if (relation == dns_namereln_subdomain &&
836 dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
837 !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
840 * This NSEC record is from somewhere higher in
841 * the DNS, and at the parent of a delegation.
842 * It can not be legitimately used here.
844 validator_log(val, ISC_LOG_DEBUG(3), "ignoring parent nsec");
845 return (ISC_R_IGNORE);
848 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
849 if (result != ISC_R_SUCCESS)
851 relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
853 dns_rdata_freestruct(&nsec);
854 validator_log(val, ISC_LOG_DEBUG(3),
855 "ignoring nsec matches next name");
856 return (ISC_R_IGNORE);
859 if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
861 * The name is not within the NSEC range.
863 dns_rdata_freestruct(&nsec);
864 validator_log(val, ISC_LOG_DEBUG(3),
865 "ignoring nsec because name is past end of range");
866 return (ISC_R_IGNORE);
869 if (order > 0 && relation == dns_namereln_subdomain) {
870 validator_log(val, ISC_LOG_DEBUG(3),
871 "nsec proves name exist (empty)");
872 dns_rdata_freestruct(&nsec);
875 return (ISC_R_SUCCESS);
879 dns_name_init(&common, NULL);
880 if (olabels > nlabels) {
881 labels = dns_name_countlabels(nsecname);
882 dns_name_getlabelsequence(nsecname, labels - olabels,
885 labels = dns_name_countlabels(&nsec.next);
886 dns_name_getlabelsequence(&nsec.next, labels - nlabels,
889 result = dns_name_concatenate(dns_wildcardname, &common,
891 if (result != ISC_R_SUCCESS) {
892 dns_rdata_freestruct(&nsec);
893 validator_log(val, ISC_LOG_DEBUG(3),
894 "failure generating wildcard name");
898 dns_rdata_freestruct(&nsec);
899 validator_log(val, ISC_LOG_DEBUG(3), "nsec range ok");
901 return (ISC_R_SUCCESS);
905 nsec3noexistnodata(dns_validator_t *val, dns_name_t* name,
906 dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
907 dns_name_t *zonename, isc_boolean_t *exists,
908 isc_boolean_t *data, isc_boolean_t *optout,
909 isc_boolean_t *unknown, isc_boolean_t *setclosest,
910 isc_boolean_t *setnearest, dns_name_t *closest,
913 char namebuf[DNS_NAME_FORMATSIZE];
914 dns_fixedname_t fzone;
915 dns_fixedname_t qfixed;
916 dns_label_t hashlabel;
919 dns_rdata_nsec3_t nsec3;
920 dns_rdata_t rdata = DNS_RDATA_INIT;
923 isc_boolean_t atparent;
928 isc_result_t answer = ISC_R_IGNORE;
930 unsigned char hash[NSEC3_MAX_HASH_LENGTH];
931 unsigned char owner[NSEC3_MAX_HASH_LENGTH];
933 unsigned int qlabels;
934 unsigned int zlabels;
936 REQUIRE((exists == NULL && data == NULL) ||
937 (exists != NULL && data != NULL));
938 REQUIRE(nsec3set != NULL && nsec3set->type == dns_rdatatype_nsec3);
939 REQUIRE((setclosest == NULL && closest == NULL) ||
940 (setclosest != NULL && closest != NULL));
941 REQUIRE((setnearest == NULL && nearest == NULL) ||
942 (setnearest != NULL && nearest != NULL));
944 result = dns_rdataset_first(nsec3set);
945 if (result != ISC_R_SUCCESS) {
946 validator_log(val, ISC_LOG_DEBUG(3),
947 "failure processing NSEC3 set");
951 dns_rdataset_current(nsec3set, &rdata);
953 result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
954 if (result != ISC_R_SUCCESS)
957 validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant NSEC3");
959 dns_fixedname_init(&fzone);
960 zone = dns_fixedname_name(&fzone);
961 zlabels = dns_name_countlabels(nsec3name);
964 * NSEC3 records must have two or more labels to be valid.
967 return (ISC_R_IGNORE);
970 * Strip off the NSEC3 hash to get the zone.
973 dns_name_split(nsec3name, zlabels, NULL, zone);
976 * If not below the zone name we can ignore this record.
978 if (!dns_name_issubdomain(name, zone))
979 return (ISC_R_IGNORE);
982 * Is this zone the same or deeper than the current zone?
984 if (dns_name_countlabels(zonename) == 0 ||
985 dns_name_issubdomain(zone, zonename))
986 dns_name_copy(zone, zonename, NULL);
988 if (!dns_name_equal(zone, zonename))
989 return (ISC_R_IGNORE);
992 * Are we only looking for the most enclosing zone?
994 if (exists == NULL || data == NULL)
995 return (ISC_R_SUCCESS);
998 * Only set unknown once we are sure that this NSEC3 is from
999 * the deepest covering zone.
1001 if (!dns_nsec3_supportedhash(nsec3.hash)) {
1002 if (unknown != NULL)
1003 *unknown = ISC_TRUE;
1004 return (ISC_R_IGNORE);
1008 * Recover the hash from the first label.
1010 dns_name_getlabel(nsec3name, 0, &hashlabel);
1011 isc_region_consume(&hashlabel, 1);
1012 isc_buffer_init(&buffer, owner, sizeof(owner));
1013 result = isc_base32hex_decoderegion(&hashlabel, &buffer);
1014 if (result != ISC_R_SUCCESS)
1018 * The hash lengths should match. If not ignore the record.
1020 if (isc_buffer_usedlength(&buffer) != nsec3.next_length)
1021 return (ISC_R_IGNORE);
1024 * Work out what this NSEC3 covers.
1025 * Inside (<0) or outside (>=0).
1027 scope = memcmp(owner, nsec3.next, nsec3.next_length);
1030 * Prepare to compute all the hashes.
1032 dns_fixedname_init(&qfixed);
1033 qname = dns_fixedname_name(&qfixed);
1034 dns_name_downcase(name, qname, NULL);
1035 qlabels = dns_name_countlabels(qname);
1038 while (qlabels >= zlabels) {
1039 length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations,
1040 nsec3.salt, nsec3.salt_length,
1041 qname->ndata, qname->length);
1043 * The computed hash length should match.
1045 if (length != nsec3.next_length) {
1046 validator_log(val, ISC_LOG_DEBUG(3),
1047 "ignoring NSEC bad length %u vs %u",
1048 length, nsec3.next_length);
1049 return (ISC_R_IGNORE);
1052 order = memcmp(hash, owner, length);
1053 if (first && order == 0) {
1055 * The hashes are the same.
1057 atparent = dns_rdatatype_atparent(val->event->type);
1058 ns = dns_nsec3_typepresent(&rdata, dns_rdatatype_ns);
1059 soa = dns_nsec3_typepresent(&rdata, dns_rdatatype_soa);
1063 * This NSEC record is from somewhere
1064 * higher in the DNS, and at the
1065 * parent of a delegation. It can not
1066 * be legitimately used here.
1068 validator_log(val, ISC_LOG_DEBUG(3),
1069 "ignoring parent NSEC3");
1070 return (ISC_R_IGNORE);
1072 } else if (atparent && ns && soa) {
1074 * This NSEC record is from the child.
1075 * It can not be legitimately used here.
1077 validator_log(val, ISC_LOG_DEBUG(3),
1078 "ignoring child NSEC3");
1079 return (ISC_R_IGNORE);
1081 if (val->event->type == dns_rdatatype_cname ||
1082 val->event->type == dns_rdatatype_nxt ||
1083 val->event->type == dns_rdatatype_nsec ||
1084 val->event->type == dns_rdatatype_key ||
1085 !dns_nsec3_typepresent(&rdata, dns_rdatatype_cname)) {
1087 *data = dns_nsec3_typepresent(&rdata,
1089 validator_log(val, ISC_LOG_DEBUG(3),
1090 "NSEC3 proves name exists (owner) "
1092 return (ISC_R_SUCCESS);
1094 validator_log(val, ISC_LOG_DEBUG(3),
1095 "NSEC3 proves CNAME exists");
1096 return (ISC_R_IGNORE);
1100 dns_nsec3_typepresent(&rdata, dns_rdatatype_ns) &&
1101 !dns_nsec3_typepresent(&rdata, dns_rdatatype_soa))
1104 * This NSEC3 record is from somewhere higher in
1105 * the DNS, and at the parent of a delegation.
1106 * It can not be legitimately used here.
1108 validator_log(val, ISC_LOG_DEBUG(3),
1109 "ignoring parent NSEC3");
1110 return (ISC_R_IGNORE);
1114 * Potential closest encloser.
1117 if (closest != NULL &&
1118 (dns_name_countlabels(closest) == 0 ||
1119 dns_name_issubdomain(qname, closest)) &&
1120 !dns_nsec3_typepresent(&rdata, dns_rdatatype_ds) &&
1121 !dns_nsec3_typepresent(&rdata, dns_rdatatype_dname) &&
1122 (dns_nsec3_typepresent(&rdata, dns_rdatatype_soa) ||
1123 !dns_nsec3_typepresent(&rdata, dns_rdatatype_ns)))
1126 dns_name_format(qname, namebuf,
1128 validator_log(val, ISC_LOG_DEBUG(3),
1129 "NSEC3 indicates potential "
1130 "closest encloser: '%s'",
1132 dns_name_copy(qname, closest, NULL);
1133 *setclosest = ISC_TRUE;
1135 dns_name_format(qname, namebuf, sizeof(namebuf));
1136 validator_log(val, ISC_LOG_DEBUG(3),
1137 "NSEC3 at super-domain %s", namebuf);
1142 * Find if the name does not exist.
1144 * We continue as we need to find the name closest to the
1145 * closest encloser that doesn't exist.
1147 * We also need to continue to ensure that we are not
1148 * proving the non-existence of a record in a sub-zone.
1149 * If that would be the case we will return ISC_R_IGNORE
1152 if ((scope < 0 && order > 0 &&
1153 memcmp(hash, nsec3.next, length) < 0) ||
1154 (scope >= 0 && (order > 0 ||
1155 memcmp(hash, nsec3.next, length) < 0)))
1157 char namebuf[DNS_NAME_FORMATSIZE];
1159 dns_name_format(qname, namebuf, sizeof(namebuf));
1160 validator_log(val, ISC_LOG_DEBUG(3), "NSEC3 proves "
1161 "name does not exist: '%s'", namebuf);
1162 if (nearest != NULL &&
1163 (dns_name_countlabels(nearest) == 0 ||
1164 dns_name_issubdomain(nearest, qname))) {
1165 dns_name_copy(qname, nearest, NULL);
1166 *setnearest = ISC_TRUE;
1169 *exists = ISC_FALSE;
1171 if (optout != NULL) {
1172 if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0)
1173 validator_log(val, ISC_LOG_DEBUG(3),
1174 "NSEC3 indicates optout");
1176 ISC_TF(nsec3.flags & DNS_NSEC3FLAG_OPTOUT);
1178 answer = ISC_R_SUCCESS;
1183 dns_name_split(qname, qlabels, NULL, qname);
1190 * Callback for when NSEC records have been validated.
1192 * Looks for NOQNAME, NODATA and OPTOUT proofs.
1194 * Resumes nsecvalidate.
1197 authvalidated(isc_task_t *task, isc_event_t *event) {
1198 dns_validatorevent_t *devent;
1199 dns_validator_t *val;
1200 dns_rdataset_t *rdataset;
1201 dns_rdataset_t *sigrdataset;
1202 isc_boolean_t want_destroy;
1203 isc_result_t result;
1204 isc_boolean_t exists, data;
1207 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
1209 devent = (dns_validatorevent_t *)event;
1210 rdataset = devent->rdataset;
1211 sigrdataset = devent->sigrdataset;
1212 val = devent->ev_arg;
1213 result = devent->result;
1214 dns_validator_destroy(&val->subvalidator);
1216 INSIST(val->event != NULL);
1218 validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
1220 if (CANCELED(val)) {
1221 validator_done(val, ISC_R_CANCELED);
1222 } else if (result != ISC_R_SUCCESS) {
1223 validator_log(val, ISC_LOG_DEBUG(3),
1224 "authvalidated: got %s",
1225 isc_result_totext(result));
1226 if (result == DNS_R_BROKENCHAIN)
1228 if (result == ISC_R_CANCELED)
1229 validator_done(val, result);
1231 result = nsecvalidate(val, ISC_TRUE);
1232 if (result != DNS_R_WAIT)
1233 validator_done(val, result);
1236 dns_name_t **proofs = val->event->proofs;
1237 dns_name_t *wild = dns_fixedname_name(&val->wild);
1239 if (rdataset->trust == dns_trust_secure)
1240 val->seensig = ISC_TRUE;
1242 if (rdataset->type == dns_rdatatype_nsec &&
1243 rdataset->trust == dns_trust_secure &&
1244 (NEEDNODATA(val) || NEEDNOQNAME(val)) &&
1245 !FOUNDNODATA(val) && !FOUNDNOQNAME(val) &&
1246 nsecnoexistnodata(val, val->event->name, devent->name,
1247 rdataset, &exists, &data, wild)
1250 if (exists && !data) {
1251 val->attributes |= VALATTR_FOUNDNODATA;
1252 if (NEEDNODATA(val))
1253 proofs[DNS_VALIDATOR_NODATAPROOF] =
1257 val->attributes |= VALATTR_FOUNDNOQNAME;
1258 val->attributes |= VALATTR_FOUNDCLOSEST;
1260 * The NSEC noqname proof also contains
1261 * the closest encloser.
1264 if (NEEDNOQNAME(val))
1265 proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
1270 result = nsecvalidate(val, ISC_TRUE);
1271 if (result != DNS_R_WAIT)
1272 validator_done(val, result);
1274 want_destroy = exit_check(val);
1280 * Free stuff from the event.
1282 isc_event_free(&event);
1286 * Looks for the requested name and type in the view (zones and cache).
1288 * When looking for a DLV record also checks to make sure the NSEC record
1289 * returns covers the query name as part of aggressive negative caching.
1293 * \li ISC_R_NOTFOUND
1294 * \li DNS_R_NCACHENXDOMAIN
1295 * \li DNS_R_NCACHENXRRSET
1297 * \li DNS_R_NXDOMAIN
1298 * \li DNS_R_BROKENCHAIN
1300 static inline isc_result_t
1301 view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
1302 dns_fixedname_t fixedname;
1303 dns_name_t *foundname;
1304 dns_rdata_nsec_t nsec;
1305 dns_rdata_t rdata = DNS_RDATA_INIT;
1306 isc_result_t result;
1307 unsigned int options;
1309 char buf1[DNS_NAME_FORMATSIZE];
1310 char buf2[DNS_NAME_FORMATSIZE];
1311 char buf3[DNS_NAME_FORMATSIZE];
1312 char namebuf[DNS_NAME_FORMATSIZE];
1313 char typebuf[DNS_RDATATYPE_FORMATSIZE];
1315 if (dns_rdataset_isassociated(&val->frdataset))
1316 dns_rdataset_disassociate(&val->frdataset);
1317 if (dns_rdataset_isassociated(&val->fsigrdataset))
1318 dns_rdataset_disassociate(&val->fsigrdataset);
1320 if (val->view->zonetable == NULL)
1321 return (ISC_R_CANCELED);
1323 if (isc_time_now(&now) == ISC_R_SUCCESS &&
1324 dns_resolver_getbadcache(val->view->resolver, name, type, &now)) {
1326 dns_name_format(name, namebuf, sizeof(namebuf));
1327 dns_rdatatype_format(type, typebuf, sizeof(typebuf));
1328 validator_log(val, ISC_LOG_INFO, "bad cache hit (%s/%s)",
1330 return (DNS_R_BROKENCHAIN);
1333 options = DNS_DBFIND_PENDINGOK;
1334 if (type == dns_rdatatype_dlv)
1335 options |= DNS_DBFIND_COVERINGNSEC;
1336 dns_fixedname_init(&fixedname);
1337 foundname = dns_fixedname_name(&fixedname);
1338 result = dns_view_find(val->view, name, type, 0, options,
1339 ISC_FALSE, NULL, NULL, foundname,
1340 &val->frdataset, &val->fsigrdataset);
1342 if (result == DNS_R_NXDOMAIN) {
1343 if (dns_rdataset_isassociated(&val->frdataset))
1344 dns_rdataset_disassociate(&val->frdataset);
1345 if (dns_rdataset_isassociated(&val->fsigrdataset))
1346 dns_rdataset_disassociate(&val->fsigrdataset);
1347 } else if (result == DNS_R_COVERINGNSEC) {
1348 validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC");
1350 * Check if the returned NSEC covers the name.
1352 INSIST(type == dns_rdatatype_dlv);
1353 if (val->frdataset.trust != dns_trust_secure) {
1354 validator_log(val, ISC_LOG_DEBUG(3),
1355 "covering nsec: trust %u",
1356 val->frdataset.trust);
1359 result = dns_rdataset_first(&val->frdataset);
1360 if (result != ISC_R_SUCCESS)
1362 dns_rdataset_current(&val->frdataset, &rdata);
1363 if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
1364 !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) {
1365 /* Parent NSEC record. */
1366 if (dns_name_issubdomain(name, foundname)) {
1367 validator_log(val, ISC_LOG_DEBUG(3),
1368 "covering nsec: for parent");
1372 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
1373 if (result != ISC_R_SUCCESS)
1375 if (dns_name_compare(foundname, &nsec.next) >= 0) {
1376 /* End of zone chain. */
1377 if (!dns_name_issubdomain(name, &nsec.next)) {
1379 * XXXMPA We could look for a parent NSEC
1380 * at nsec.next and if found retest with
1383 dns_rdata_freestruct(&nsec);
1384 validator_log(val, ISC_LOG_DEBUG(3),
1385 "covering nsec: not in zone");
1388 } else if (dns_name_compare(name, &nsec.next) >= 0) {
1390 * XXXMPA We could check if this NSEC is at a zone
1391 * apex and if the qname is not below it and look for
1392 * a parent NSEC with the same name. This requires
1393 * that we can cache both NSEC records which we
1394 * currently don't support.
1396 dns_rdata_freestruct(&nsec);
1397 validator_log(val, ISC_LOG_DEBUG(3),
1398 "covering nsec: not in range");
1401 if (isc_log_wouldlog(dns_lctx,ISC_LOG_DEBUG(3))) {
1402 dns_name_format(name, buf1, sizeof buf1);
1403 dns_name_format(foundname, buf2, sizeof buf2);
1404 dns_name_format(&nsec.next, buf3, sizeof buf3);
1405 validator_log(val, ISC_LOG_DEBUG(3),
1406 "covering nsec found: '%s' '%s' '%s'",
1409 if (dns_rdataset_isassociated(&val->frdataset))
1410 dns_rdataset_disassociate(&val->frdataset);
1411 if (dns_rdataset_isassociated(&val->fsigrdataset))
1412 dns_rdataset_disassociate(&val->fsigrdataset);
1413 dns_rdata_freestruct(&nsec);
1414 result = DNS_R_NCACHENXDOMAIN;
1415 } else if (result != ISC_R_SUCCESS &&
1416 result != DNS_R_NCACHENXDOMAIN &&
1417 result != DNS_R_NCACHENXRRSET &&
1418 result != DNS_R_EMPTYNAME &&
1419 result != DNS_R_NXRRSET &&
1420 result != ISC_R_NOTFOUND) {
1426 if (dns_rdataset_isassociated(&val->frdataset))
1427 dns_rdataset_disassociate(&val->frdataset);
1428 if (dns_rdataset_isassociated(&val->fsigrdataset))
1429 dns_rdataset_disassociate(&val->fsigrdataset);
1430 return (ISC_R_NOTFOUND);
1434 * Checks to make sure we are not going to loop. As we use a SHARED fetch
1435 * the validation process will stall if looping was to occur.
1437 static inline isc_boolean_t
1438 check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
1439 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
1441 dns_validator_t *parent;
1443 for (parent = val; parent != NULL; parent = parent->parent) {
1444 if (parent->event != NULL &&
1445 parent->event->type == type &&
1446 dns_name_equal(parent->event->name, name) &&
1448 * As NSEC3 records are meta data you sometimes
1449 * need to prove a NSEC3 record which says that
1450 * itself doesn't exist.
1452 (parent->event->type != dns_rdatatype_nsec3 ||
1453 rdataset == NULL || sigrdataset == NULL ||
1454 parent->event->message == NULL ||
1455 parent->event->rdataset != NULL ||
1456 parent->event->sigrdataset != NULL))
1458 validator_log(val, ISC_LOG_DEBUG(3),
1459 "continuing validation would lead to "
1460 "deadlock: aborting validation");
1468 * Start a fetch for the requested name and type.
1470 static inline isc_result_t
1471 create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
1472 isc_taskaction_t callback, const char *caller)
1474 if (dns_rdataset_isassociated(&val->frdataset))
1475 dns_rdataset_disassociate(&val->frdataset);
1476 if (dns_rdataset_isassociated(&val->fsigrdataset))
1477 dns_rdataset_disassociate(&val->fsigrdataset);
1479 if (check_deadlock(val, name, type, NULL, NULL))
1480 return (DNS_R_NOVALIDSIG);
1482 validator_logcreate(val, name, type, caller, "fetch");
1483 return (dns_resolver_createfetch(val->view->resolver, name, type,
1484 NULL, NULL, NULL, 0,
1485 val->event->ev_sender,
1493 * Start a subvalidation process.
1495 static inline isc_result_t
1496 create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
1497 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
1498 isc_taskaction_t action, const char *caller)
1500 isc_result_t result;
1502 if (check_deadlock(val, name, type, rdataset, sigrdataset))
1503 return (DNS_R_NOVALIDSIG);
1505 validator_logcreate(val, name, type, caller, "validator");
1506 result = dns_validator_create(val->view, name, type,
1507 rdataset, sigrdataset, NULL, 0,
1508 val->task, action, val,
1509 &val->subvalidator);
1510 if (result == ISC_R_SUCCESS) {
1511 val->subvalidator->parent = val;
1512 val->subvalidator->depth = val->depth + 1;
1518 * Try to find a key that could have signed 'siginfo' among those
1519 * in 'rdataset'. If found, build a dst_key_t for it and point
1522 * If val->key is non-NULL, this returns the next matching key.
1525 get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
1526 dns_rdataset_t *rdataset)
1528 isc_result_t result;
1530 dns_rdata_t rdata = DNS_RDATA_INIT;
1531 dst_key_t *oldkey = val->key;
1532 isc_boolean_t foundold;
1535 foundold = ISC_TRUE;
1537 foundold = ISC_FALSE;
1541 result = dns_rdataset_first(rdataset);
1542 if (result != ISC_R_SUCCESS)
1545 dns_rdataset_current(rdataset, &rdata);
1547 isc_buffer_init(&b, rdata.data, rdata.length);
1548 isc_buffer_add(&b, rdata.length);
1549 INSIST(val->key == NULL);
1550 result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
1551 val->view->mctx, &val->key);
1552 if (result != ISC_R_SUCCESS)
1554 if (siginfo->algorithm ==
1555 (dns_secalg_t)dst_key_alg(val->key) &&
1557 (dns_keytag_t)dst_key_id(val->key) &&
1558 dst_key_iszonekey(val->key))
1562 * This is the key we're looking for.
1564 return (ISC_R_SUCCESS);
1565 else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
1567 foundold = ISC_TRUE;
1568 dst_key_free(&oldkey);
1571 dst_key_free(&val->key);
1572 dns_rdata_reset(&rdata);
1573 result = dns_rdataset_next(rdataset);
1574 } while (result == ISC_R_SUCCESS);
1575 if (result == ISC_R_NOMORE)
1576 result = ISC_R_NOTFOUND;
1580 dst_key_free(&oldkey);
1586 * Get the key that generated this signature.
1589 get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
1590 isc_result_t result;
1591 unsigned int nlabels;
1593 dns_namereln_t namereln;
1596 * Is the signer name appropriate for this signature?
1598 * The signer name must be at the same level as the owner name
1599 * or closer to the DNS root.
1601 namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
1603 if (namereln != dns_namereln_subdomain &&
1604 namereln != dns_namereln_equal)
1605 return (DNS_R_CONTINUE);
1607 if (namereln == dns_namereln_equal) {
1609 * If this is a self-signed keyset, it must not be a zone key
1610 * (since get_key is not called from validatezonekey).
1612 if (val->event->rdataset->type == dns_rdatatype_dnskey)
1613 return (DNS_R_CONTINUE);
1616 * Records appearing in the parent zone at delegation
1617 * points cannot be self-signed.
1619 if (dns_rdatatype_atparent(val->event->rdataset->type))
1620 return (DNS_R_CONTINUE);
1623 * SOA and NS RRsets can only be signed by a key with
1626 if (val->event->rdataset->type == dns_rdatatype_soa ||
1627 val->event->rdataset->type == dns_rdatatype_ns) {
1628 const char *typename;
1630 if (val->event->rdataset->type == dns_rdatatype_soa)
1634 validator_log(val, ISC_LOG_DEBUG(3),
1635 "%s signer mismatch", typename);
1636 return (DNS_R_CONTINUE);
1641 * Do we know about this key?
1643 result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
1644 if (result == ISC_R_SUCCESS) {
1646 * We have an rrset for the given keyname.
1648 val->keyset = &val->frdataset;
1649 if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
1650 DNS_TRUST_ANSWER(val->frdataset.trust)) &&
1651 dns_rdataset_isassociated(&val->fsigrdataset))
1654 * We know the key but haven't validated it yet or
1655 * we have a key of trust answer but a DS/DLV
1656 * record for the zone may have been added.
1658 result = create_validator(val, &siginfo->signer,
1659 dns_rdatatype_dnskey,
1664 if (result != ISC_R_SUCCESS)
1666 return (DNS_R_WAIT);
1667 } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
1669 * Having a pending key with no signature means that
1670 * something is broken.
1672 result = DNS_R_CONTINUE;
1673 } else if (val->frdataset.trust < dns_trust_secure) {
1675 * The key is legitimately insecure. There's no
1676 * point in even attempting verification.
1679 result = ISC_R_SUCCESS;
1682 * See if we've got the key used in the signature.
1684 validator_log(val, ISC_LOG_DEBUG(3),
1685 "keyset with trust %d",
1686 val->frdataset.trust);
1687 result = get_dst_key(val, siginfo, val->keyset);
1688 if (result != ISC_R_SUCCESS) {
1690 * Either the key we're looking for is not
1691 * in the rrset, or something bad happened.
1694 result = DNS_R_CONTINUE;
1697 } else if (result == ISC_R_NOTFOUND) {
1699 * We don't know anything about this key.
1701 result = create_fetch(val, &siginfo->signer,
1702 dns_rdatatype_dnskey,
1703 fetch_callback_validator, "get_key");
1704 if (result != ISC_R_SUCCESS)
1706 return (DNS_R_WAIT);
1707 } else if (result == DNS_R_NCACHENXDOMAIN ||
1708 result == DNS_R_NCACHENXRRSET ||
1709 result == DNS_R_EMPTYNAME ||
1710 result == DNS_R_NXDOMAIN ||
1711 result == DNS_R_NXRRSET)
1714 * This key doesn't exist.
1716 result = DNS_R_CONTINUE;
1717 } else if (result == DNS_R_BROKENCHAIN)
1720 if (dns_rdataset_isassociated(&val->frdataset) &&
1721 val->keyset != &val->frdataset)
1722 dns_rdataset_disassociate(&val->frdataset);
1723 if (dns_rdataset_isassociated(&val->fsigrdataset))
1724 dns_rdataset_disassociate(&val->fsigrdataset);
1730 compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
1733 dns_rdata_toregion(rdata, &r);
1734 return (dst_region_computeid(&r, key->algorithm));
1738 * Is this keyset self-signed?
1740 static isc_boolean_t
1741 isselfsigned(dns_validator_t *val) {
1742 dns_rdataset_t *rdataset, *sigrdataset;
1743 dns_rdata_t rdata = DNS_RDATA_INIT;
1744 dns_rdata_t sigrdata = DNS_RDATA_INIT;
1745 dns_rdata_dnskey_t key;
1746 dns_rdata_rrsig_t sig;
1747 dns_keytag_t keytag;
1748 isc_result_t result;
1750 rdataset = val->event->rdataset;
1751 sigrdataset = val->event->sigrdataset;
1753 INSIST(rdataset->type == dns_rdatatype_dnskey);
1755 for (result = dns_rdataset_first(rdataset);
1756 result == ISC_R_SUCCESS;
1757 result = dns_rdataset_next(rdataset))
1759 dns_rdata_reset(&rdata);
1760 dns_rdataset_current(rdataset, &rdata);
1761 result = dns_rdata_tostruct(&rdata, &key, NULL);
1762 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1763 keytag = compute_keytag(&rdata, &key);
1764 for (result = dns_rdataset_first(sigrdataset);
1765 result == ISC_R_SUCCESS;
1766 result = dns_rdataset_next(sigrdataset))
1768 dns_rdata_reset(&sigrdata);
1769 dns_rdataset_current(sigrdataset, &sigrdata);
1770 result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
1771 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1773 if (sig.algorithm == key.algorithm &&
1774 sig.keyid == keytag)
1782 * Attempt to verify the rdataset using the given key and rdata (RRSIG).
1783 * The signature was good and from a wildcard record and the QNAME does
1784 * not match the wildcard we need to look for a NOQNAME proof.
1787 * \li ISC_R_SUCCESS if the verification succeeds.
1788 * \li Others if the verification fails.
1791 verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
1794 isc_result_t result;
1795 dns_fixedname_t fixed;
1796 isc_boolean_t ignore = ISC_FALSE;
1798 val->attributes |= VALATTR_TRIEDVERIFY;
1799 dns_fixedname_init(&fixed);
1801 result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
1802 key, ignore, val->view->mctx, rdata,
1803 dns_fixedname_name(&fixed));
1804 if (result == DNS_R_SIGEXPIRED && val->view->acceptexpired) {
1808 if (ignore && (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD))
1809 validator_log(val, ISC_LOG_INFO,
1810 "accepted expired %sRRSIG (keyid=%u)",
1811 (result == DNS_R_FROMWILDCARD) ?
1812 "wildcard " : "", keyid);
1814 validator_log(val, ISC_LOG_DEBUG(3),
1815 "verify rdataset (keyid=%u): %s",
1816 keyid, isc_result_totext(result));
1817 if (result == DNS_R_FROMWILDCARD) {
1818 if (!dns_name_equal(val->event->name,
1819 dns_fixedname_name(&fixed)))
1820 val->attributes |= VALATTR_NEEDNOQNAME;
1821 result = ISC_R_SUCCESS;
1827 * Attempts positive response validation of a normal RRset.
1830 * \li ISC_R_SUCCESS Validation completed successfully
1831 * \li DNS_R_WAIT Validation has started but is waiting
1833 * \li Other return codes are possible and all indicate failure.
1836 validate(dns_validator_t *val, isc_boolean_t resume) {
1837 isc_result_t result;
1838 dns_validatorevent_t *event;
1839 dns_rdata_t rdata = DNS_RDATA_INIT;
1842 * Caller must be holding the validator lock.
1849 * We already have a sigrdataset.
1851 result = ISC_R_SUCCESS;
1852 validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
1854 result = dns_rdataset_first(event->sigrdataset);
1858 result == ISC_R_SUCCESS;
1859 result = dns_rdataset_next(event->sigrdataset))
1861 dns_rdata_reset(&rdata);
1862 dns_rdataset_current(event->sigrdataset, &rdata);
1863 if (val->siginfo == NULL) {
1864 val->siginfo = isc_mem_get(val->view->mctx,
1865 sizeof(*val->siginfo));
1866 if (val->siginfo == NULL)
1867 return (ISC_R_NOMEMORY);
1869 result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
1870 if (result != ISC_R_SUCCESS)
1874 * At this point we could check that the signature algorithm
1875 * was known and "sufficiently good".
1877 if (!dns_resolver_algorithm_supported(val->view->resolver,
1879 val->siginfo->algorithm))
1883 result = get_key(val, val->siginfo);
1884 if (result == DNS_R_CONTINUE)
1885 continue; /* Try the next SIG RR. */
1886 if (result != ISC_R_SUCCESS)
1891 * The key is insecure, so mark the data as insecure also.
1893 if (val->key == NULL) {
1894 if (val->mustbesecure) {
1895 validator_log(val, ISC_LOG_WARNING,
1896 "must be secure failure");
1897 return (DNS_R_MUSTBESECURE);
1899 markanswer(val, "validate");
1900 return (ISC_R_SUCCESS);
1904 result = verify(val, val->key, &rdata,
1905 val->siginfo->keyid);
1906 if (result == ISC_R_SUCCESS)
1908 if (val->keynode != NULL) {
1909 dns_keynode_t *nextnode = NULL;
1910 result = dns_keytable_findnextkeynode(
1914 dns_keytable_detachkeynode(val->keytable,
1916 val->keynode = nextnode;
1917 if (result != ISC_R_SUCCESS) {
1921 val->key = dns_keynode_key(val->keynode);
1923 if (get_dst_key(val, val->siginfo, val->keyset)
1928 if (result != ISC_R_SUCCESS)
1929 validator_log(val, ISC_LOG_DEBUG(3),
1930 "failed to verify rdataset");
1935 isc_stdtime_get(&now);
1936 ttl = ISC_MIN(event->rdataset->ttl,
1937 val->siginfo->timeexpire - now);
1938 if (val->keyset != NULL)
1939 ttl = ISC_MIN(ttl, val->keyset->ttl);
1940 event->rdataset->ttl = ttl;
1941 event->sigrdataset->ttl = ttl;
1944 if (val->keynode != NULL)
1945 dns_keytable_detachkeynode(val->keytable,
1948 if (val->key != NULL)
1949 dst_key_free(&val->key);
1950 if (val->keyset != NULL) {
1951 dns_rdataset_disassociate(val->keyset);
1956 if (NEEDNOQNAME(val)) {
1957 if (val->event->message == NULL) {
1958 validator_log(val, ISC_LOG_DEBUG(3),
1959 "no message available for noqname proof");
1960 return (DNS_R_NOVALIDSIG);
1962 validator_log(val, ISC_LOG_DEBUG(3),
1963 "looking for noqname proof");
1964 return (nsecvalidate(val, ISC_FALSE));
1965 } else if (result == ISC_R_SUCCESS) {
1967 validator_log(val, ISC_LOG_DEBUG(3),
1968 "marking as secure");
1971 validator_log(val, ISC_LOG_DEBUG(3),
1972 "verify failure: %s",
1973 isc_result_totext(result));
1977 if (result != ISC_R_NOMORE) {
1978 validator_log(val, ISC_LOG_DEBUG(3),
1979 "failed to iterate signatures: %s",
1980 isc_result_totext(result));
1984 validator_log(val, ISC_LOG_INFO, "no valid signature found");
1985 return (DNS_R_NOVALIDSIG);
1989 * Validate the DNSKEY RRset by looking for a DNSKEY that matches a
1990 * DLV record and that also verifies the DNSKEY RRset.
1993 dlv_validatezonekey(dns_validator_t *val) {
1994 dns_keytag_t keytag;
1995 dns_rdata_dlv_t dlv;
1996 dns_rdata_dnskey_t key;
1997 dns_rdata_rrsig_t sig;
1998 dns_rdata_t dlvrdata = DNS_RDATA_INIT;
1999 dns_rdata_t keyrdata = DNS_RDATA_INIT;
2000 dns_rdata_t newdsrdata = DNS_RDATA_INIT;
2001 dns_rdata_t sigrdata = DNS_RDATA_INIT;
2002 dns_rdataset_t trdataset;
2004 isc_boolean_t supported_algorithm;
2005 isc_result_t result;
2006 unsigned char dsbuf[DNS_DS_BUFFERSIZE];
2007 isc_uint8_t digest_type;
2009 validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
2012 * Look through the DLV record and find the keys that can sign the
2013 * key set and the matching signature. For each such key, attempt
2016 supported_algorithm = ISC_FALSE;
2019 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
2020 * it over DNS_DSDIGEST_SHA1. This in practice means that we
2021 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
2024 digest_type = DNS_DSDIGEST_SHA1;
2025 for (result = dns_rdataset_first(&val->dlv);
2026 result == ISC_R_SUCCESS;
2027 result = dns_rdataset_next(&val->dlv)) {
2028 dns_rdata_reset(&dlvrdata);
2029 dns_rdataset_current(&val->dlv, &dlvrdata);
2030 result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
2031 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2033 if (!dns_resolver_algorithm_supported(val->view->resolver,
2038 if (dlv.digest_type == DNS_DSDIGEST_SHA256 &&
2039 dlv.length == ISC_SHA256_DIGESTLENGTH) {
2040 digest_type = DNS_DSDIGEST_SHA256;
2045 for (result = dns_rdataset_first(&val->dlv);
2046 result == ISC_R_SUCCESS;
2047 result = dns_rdataset_next(&val->dlv))
2049 dns_rdata_reset(&dlvrdata);
2050 dns_rdataset_current(&val->dlv, &dlvrdata);
2051 result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
2052 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2054 if (!dns_resolver_digest_supported(val->view->resolver,
2058 if (dlv.digest_type != digest_type)
2061 if (!dns_resolver_algorithm_supported(val->view->resolver,
2066 supported_algorithm = ISC_TRUE;
2068 dns_rdataset_init(&trdataset);
2069 dns_rdataset_clone(val->event->rdataset, &trdataset);
2071 for (result = dns_rdataset_first(&trdataset);
2072 result == ISC_R_SUCCESS;
2073 result = dns_rdataset_next(&trdataset))
2075 dns_rdata_reset(&keyrdata);
2076 dns_rdataset_current(&trdataset, &keyrdata);
2077 result = dns_rdata_tostruct(&keyrdata, &key, NULL);
2078 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2079 keytag = compute_keytag(&keyrdata, &key);
2080 if (dlv.key_tag != keytag ||
2081 dlv.algorithm != key.algorithm)
2083 dns_rdata_reset(&newdsrdata);
2084 result = dns_ds_buildrdata(val->event->name,
2085 &keyrdata, dlv.digest_type,
2086 dsbuf, &newdsrdata);
2087 if (result != ISC_R_SUCCESS) {
2088 validator_log(val, ISC_LOG_DEBUG(3),
2089 "dns_ds_buildrdata() -> %s",
2090 dns_result_totext(result));
2094 newdsrdata.type = dns_rdatatype_dlv;
2095 if (dns_rdata_compare(&dlvrdata, &newdsrdata) == 0)
2098 if (result != ISC_R_SUCCESS) {
2099 dns_rdataset_disassociate(&trdataset);
2100 validator_log(val, ISC_LOG_DEBUG(3),
2101 "no DNSKEY matching DLV");
2104 validator_log(val, ISC_LOG_DEBUG(3),
2105 "Found matching DLV record: checking for signature");
2107 for (result = dns_rdataset_first(val->event->sigrdataset);
2108 result == ISC_R_SUCCESS;
2109 result = dns_rdataset_next(val->event->sigrdataset))
2111 dns_rdata_reset(&sigrdata);
2112 dns_rdataset_current(val->event->sigrdataset,
2114 result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
2115 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2116 if (dlv.key_tag != sig.keyid &&
2117 dlv.algorithm != sig.algorithm)
2120 result = dns_dnssec_keyfromrdata(val->event->name,
2124 if (result != ISC_R_SUCCESS)
2126 * This really shouldn't happen, but...
2130 result = verify(val, dstkey, &sigrdata, sig.keyid);
2131 dst_key_free(&dstkey);
2132 if (result == ISC_R_SUCCESS)
2135 dns_rdataset_disassociate(&trdataset);
2136 if (result == ISC_R_SUCCESS)
2138 validator_log(val, ISC_LOG_DEBUG(3),
2139 "no RRSIG matching DLV key");
2141 if (result == ISC_R_SUCCESS) {
2142 marksecure(val->event);
2143 validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
2145 } else if (result == ISC_R_NOMORE && !supported_algorithm) {
2146 if (val->mustbesecure) {
2147 validator_log(val, ISC_LOG_WARNING,
2148 "must be secure failure");
2149 return (DNS_R_MUSTBESECURE);
2151 validator_log(val, ISC_LOG_DEBUG(3),
2152 "no supported algorithm/digest (dlv)");
2153 markanswer(val, "dlv_validatezonekey (2)");
2154 return (ISC_R_SUCCESS);
2156 return (DNS_R_NOVALIDSIG);
2160 * Attempts positive response validation of an RRset containing zone keys.
2163 * \li ISC_R_SUCCESS Validation completed successfully
2164 * \li DNS_R_WAIT Validation has started but is waiting
2166 * \li Other return codes are possible and all indicate failure.
2169 validatezonekey(dns_validator_t *val) {
2170 isc_result_t result;
2171 dns_validatorevent_t *event;
2172 dns_rdataset_t trdataset;
2173 dns_rdata_t dsrdata = DNS_RDATA_INIT;
2174 dns_rdata_t newdsrdata = DNS_RDATA_INIT;
2175 dns_rdata_t keyrdata = DNS_RDATA_INIT;
2176 dns_rdata_t sigrdata = DNS_RDATA_INIT;
2177 unsigned char dsbuf[DNS_DS_BUFFERSIZE];
2178 char namebuf[DNS_NAME_FORMATSIZE];
2179 dns_keytag_t keytag;
2181 dns_rdata_dnskey_t key;
2182 dns_rdata_rrsig_t sig;
2184 isc_boolean_t supported_algorithm;
2185 isc_boolean_t atsep = ISC_FALSE;
2186 isc_uint8_t digest_type;
2189 * Caller must be holding the validator lock.
2194 if (val->havedlvsep && val->dlv.trust >= dns_trust_secure &&
2195 dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep)))
2196 return (dlv_validatezonekey(val));
2198 if (val->dsset == NULL) {
2200 * First, see if this key was signed by a trusted key.
2202 for (result = dns_rdataset_first(val->event->sigrdataset);
2203 result == ISC_R_SUCCESS;
2204 result = dns_rdataset_next(val->event->sigrdataset))
2206 dns_keynode_t *keynode = NULL;
2207 dns_fixedname_t fixed;
2210 dns_fixedname_init(&fixed);
2211 found = dns_fixedname_name(&fixed);
2212 dns_rdata_reset(&sigrdata);
2213 dns_rdataset_current(val->event->sigrdataset,
2215 result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
2216 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2218 if (!dns_name_equal(val->event->name, &sig.signer))
2221 result = dns_keytable_findkeynode(val->keytable,
2226 if (result == ISC_R_NOTFOUND &&
2227 dns_keytable_finddeepestmatch(val->keytable,
2228 val->event->name, found) != ISC_R_SUCCESS) {
2229 if (val->mustbesecure) {
2230 validator_log(val, ISC_LOG_WARNING,
2231 "must be secure failure, "
2232 "not beneath secure root");
2233 return (DNS_R_MUSTBESECURE);
2235 validator_log(val, ISC_LOG_DEBUG(3),
2236 "not beneath secure root");
2237 if (val->view->dlv == NULL || DLVTRIED(val)) {
2238 markanswer(val, "validatezonekey (1)");
2239 return (ISC_R_SUCCESS);
2241 return (startfinddlvsep(val, dns_rootname));
2243 if (result == DNS_R_PARTIALMATCH ||
2244 result == ISC_R_SUCCESS)
2246 while (result == ISC_R_SUCCESS) {
2247 dns_keynode_t *nextnode = NULL;
2248 dstkey = dns_keynode_key(keynode);
2249 result = verify(val, dstkey, &sigrdata,
2251 if (result == ISC_R_SUCCESS) {
2252 dns_keytable_detachkeynode(val->keytable,
2256 result = dns_keytable_findnextkeynode(
2260 dns_keytable_detachkeynode(val->keytable,
2264 if (result == ISC_R_SUCCESS) {
2266 validator_log(val, ISC_LOG_DEBUG(3),
2267 "signed by trusted key; "
2268 "marking as secure");
2274 * If this is the root name and there was no trusted key,
2275 * give up, since there's no DS at the root.
2277 if (dns_name_equal(event->name, dns_rootname)) {
2278 if ((val->attributes & VALATTR_TRIEDVERIFY) != 0)
2279 return (DNS_R_NOVALIDSIG);
2281 return (DNS_R_NOVALIDDS);
2286 * We have not found a key to verify this DNSKEY
2287 * RRset. As this is a SEP we have to assume that
2288 * the RRset is invalid.
2290 dns_name_format(val->event->name, namebuf,
2292 validator_log(val, ISC_LOG_NOTICE,
2293 "unable to find a DNSKEY which verifies "
2294 "the DNSKEY RRset and also matches one "
2295 "of specified trusted-keys for '%s'",
2297 validator_log(val, ISC_LOG_NOTICE,
2298 "please check the 'trusted-keys' for "
2299 "'%s' in named.conf.", namebuf);
2300 return (DNS_R_NOVALIDKEY);
2304 * Otherwise, try to find the DS record.
2306 result = view_find(val, val->event->name, dns_rdatatype_ds);
2307 if (result == ISC_R_SUCCESS) {
2309 * We have DS records.
2311 val->dsset = &val->frdataset;
2312 if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
2313 DNS_TRUST_ANSWER(val->frdataset.trust)) &&
2314 dns_rdataset_isassociated(&val->fsigrdataset))
2316 result = create_validator(val,
2323 if (result != ISC_R_SUCCESS)
2325 return (DNS_R_WAIT);
2326 } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
2328 * There should never be an unsigned DS.
2330 dns_rdataset_disassociate(&val->frdataset);
2331 validator_log(val, ISC_LOG_DEBUG(2),
2332 "unsigned DS record");
2333 return (DNS_R_NOVALIDSIG);
2335 result = ISC_R_SUCCESS;
2336 } else if (result == ISC_R_NOTFOUND) {
2338 * We don't have the DS. Find it.
2340 result = create_fetch(val, val->event->name,
2341 dns_rdatatype_ds, dsfetched,
2343 if (result != ISC_R_SUCCESS)
2345 return (DNS_R_WAIT);
2346 } else if (result == DNS_R_NCACHENXDOMAIN ||
2347 result == DNS_R_NCACHENXRRSET ||
2348 result == DNS_R_EMPTYNAME ||
2349 result == DNS_R_NXDOMAIN ||
2350 result == DNS_R_NXRRSET)
2353 * The DS does not exist.
2355 if (dns_rdataset_isassociated(&val->frdataset))
2356 dns_rdataset_disassociate(&val->frdataset);
2357 if (dns_rdataset_isassociated(&val->fsigrdataset))
2358 dns_rdataset_disassociate(&val->fsigrdataset);
2359 validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
2360 return (DNS_R_NOVALIDSIG);
2361 } else if (result == DNS_R_BROKENCHAIN)
2368 INSIST(val->dsset != NULL);
2370 if (val->dsset->trust < dns_trust_secure) {
2371 if (val->mustbesecure) {
2372 validator_log(val, ISC_LOG_WARNING,
2373 "must be secure failure");
2374 return (DNS_R_MUSTBESECURE);
2376 markanswer(val, "validatezonekey (2)");
2377 return (ISC_R_SUCCESS);
2381 * Look through the DS record and find the keys that can sign the
2382 * key set and the matching signature. For each such key, attempt
2386 supported_algorithm = ISC_FALSE;
2389 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
2390 * it over DNS_DSDIGEST_SHA1. This in practice means that we
2391 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
2394 digest_type = DNS_DSDIGEST_SHA1;
2395 for (result = dns_rdataset_first(val->dsset);
2396 result == ISC_R_SUCCESS;
2397 result = dns_rdataset_next(val->dsset)) {
2398 dns_rdata_reset(&dsrdata);
2399 dns_rdataset_current(val->dsset, &dsrdata);
2400 result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
2401 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2403 if (!dns_resolver_algorithm_supported(val->view->resolver,
2408 if (ds.digest_type == DNS_DSDIGEST_SHA256 &&
2409 ds.length == ISC_SHA256_DIGESTLENGTH) {
2410 digest_type = DNS_DSDIGEST_SHA256;
2415 for (result = dns_rdataset_first(val->dsset);
2416 result == ISC_R_SUCCESS;
2417 result = dns_rdataset_next(val->dsset))
2419 dns_rdata_reset(&dsrdata);
2420 dns_rdataset_current(val->dsset, &dsrdata);
2421 result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
2422 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2424 if (!dns_resolver_digest_supported(val->view->resolver,
2428 if (ds.digest_type != digest_type)
2431 if (!dns_resolver_algorithm_supported(val->view->resolver,
2436 supported_algorithm = ISC_TRUE;
2438 dns_rdataset_init(&trdataset);
2439 dns_rdataset_clone(val->event->rdataset, &trdataset);
2442 * Look for the KEY that matches the DS record.
2444 for (result = dns_rdataset_first(&trdataset);
2445 result == ISC_R_SUCCESS;
2446 result = dns_rdataset_next(&trdataset))
2448 dns_rdata_reset(&keyrdata);
2449 dns_rdataset_current(&trdataset, &keyrdata);
2450 result = dns_rdata_tostruct(&keyrdata, &key, NULL);
2451 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2452 keytag = compute_keytag(&keyrdata, &key);
2453 if (ds.key_tag != keytag ||
2454 ds.algorithm != key.algorithm)
2456 dns_rdata_reset(&newdsrdata);
2457 result = dns_ds_buildrdata(val->event->name,
2458 &keyrdata, ds.digest_type,
2459 dsbuf, &newdsrdata);
2460 if (result != ISC_R_SUCCESS)
2462 if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0)
2465 if (result != ISC_R_SUCCESS) {
2466 dns_rdataset_disassociate(&trdataset);
2467 validator_log(val, ISC_LOG_DEBUG(3),
2468 "no DNSKEY matching DS");
2472 for (result = dns_rdataset_first(val->event->sigrdataset);
2473 result == ISC_R_SUCCESS;
2474 result = dns_rdataset_next(val->event->sigrdataset))
2476 dns_rdata_reset(&sigrdata);
2477 dns_rdataset_current(val->event->sigrdataset,
2479 result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
2480 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2481 if (ds.key_tag != sig.keyid ||
2482 ds.algorithm != sig.algorithm)
2484 if (!dns_name_equal(val->event->name, &sig.signer)) {
2485 validator_log(val, ISC_LOG_DEBUG(3),
2486 "DNSKEY signer mismatch");
2490 result = dns_dnssec_keyfromrdata(val->event->name,
2494 if (result != ISC_R_SUCCESS)
2496 * This really shouldn't happen, but...
2499 result = verify(val, dstkey, &sigrdata, sig.keyid);
2500 dst_key_free(&dstkey);
2501 if (result == ISC_R_SUCCESS)
2504 dns_rdataset_disassociate(&trdataset);
2505 if (result == ISC_R_SUCCESS)
2507 validator_log(val, ISC_LOG_DEBUG(3),
2508 "no RRSIG matching DS key");
2510 if (result == ISC_R_SUCCESS) {
2512 validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
2514 } else if (result == ISC_R_NOMORE && !supported_algorithm) {
2515 if (val->mustbesecure) {
2516 validator_log(val, ISC_LOG_WARNING,
2517 "must be secure failure");
2518 return (DNS_R_MUSTBESECURE);
2520 validator_log(val, ISC_LOG_DEBUG(3),
2521 "no supported algorithm/digest (DS)");
2522 markanswer(val, "validatezonekey (3)");
2523 return (ISC_R_SUCCESS);
2525 return (DNS_R_NOVALIDSIG);
2529 * Starts a positive response validation.
2532 * \li ISC_R_SUCCESS Validation completed successfully
2533 * \li DNS_R_WAIT Validation has started but is waiting
2535 * \li Other return codes are possible and all indicate failure.
2538 start_positive_validation(dns_validator_t *val) {
2540 * If this is not a key, go straight into validate().
2542 if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
2543 return (validate(val, ISC_FALSE));
2545 return (validatezonekey(val));
2549 * val_rdataset_first and val_rdataset_next provide iteration methods
2550 * that hide whether we are iterating across a message or a negative
2554 val_rdataset_first(dns_validator_t *val, dns_name_t **namep,
2555 dns_rdataset_t **rdatasetp)
2557 dns_message_t *message = val->event->message;
2558 isc_result_t result;
2560 REQUIRE(rdatasetp != NULL);
2561 REQUIRE(namep != NULL);
2562 if (message == NULL) {
2563 REQUIRE(*rdatasetp != NULL);
2564 REQUIRE(*namep != NULL);
2566 REQUIRE(*rdatasetp == NULL);
2567 REQUIRE(*namep == NULL);
2570 if (message != NULL) {
2571 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
2572 if (result != ISC_R_SUCCESS)
2574 dns_message_currentname(message, DNS_SECTION_AUTHORITY, namep);
2575 *rdatasetp = ISC_LIST_HEAD((*namep)->list);
2576 INSIST(*rdatasetp != NULL);
2578 result = dns_rdataset_first(val->event->rdataset);
2579 if (result == ISC_R_SUCCESS)
2580 dns_ncache_current(val->event->rdataset, *namep,
2587 val_rdataset_next(dns_validator_t *val, dns_name_t **namep,
2588 dns_rdataset_t **rdatasetp)
2590 dns_message_t *message = val->event->message;
2591 isc_result_t result = ISC_R_SUCCESS;
2593 REQUIRE(rdatasetp != NULL && *rdatasetp != NULL);
2594 REQUIRE(namep != NULL && *namep != NULL);
2596 if (message != NULL) {
2597 dns_rdataset_t *rdataset = *rdatasetp;
2598 rdataset = ISC_LIST_NEXT(rdataset, link);
2599 if (rdataset == NULL) {
2601 result = dns_message_nextname(message,
2602 DNS_SECTION_AUTHORITY);
2603 if (result == ISC_R_SUCCESS) {
2604 dns_message_currentname(message,
2605 DNS_SECTION_AUTHORITY,
2607 rdataset = ISC_LIST_HEAD((*namep)->list);
2608 INSIST(rdataset != NULL);
2611 *rdatasetp = rdataset;
2613 dns_rdataset_disassociate(*rdatasetp);
2614 result = dns_rdataset_next(val->event->rdataset);
2615 if (result == ISC_R_SUCCESS)
2616 dns_ncache_current(val->event->rdataset, *namep,
2623 * Look for NODATA at the wildcard and NOWILDCARD proofs in the
2624 * previously validated NSEC records. As these proofs are mutually
2625 * exclusive we stop when one is found.
2631 checkwildcard(dns_validator_t *val, dns_rdatatype_t type, dns_name_t *zonename)
2633 dns_name_t *name, *wild, tname;
2634 isc_result_t result;
2635 isc_boolean_t exists, data;
2636 char namebuf[DNS_NAME_FORMATSIZE];
2637 dns_rdataset_t *rdataset, trdataset;
2639 dns_name_init(&tname, NULL);
2640 dns_rdataset_init(&trdataset);
2641 wild = dns_fixedname_name(&val->wild);
2643 if (dns_name_countlabels(wild) == 0) {
2644 validator_log(val, ISC_LOG_DEBUG(3),
2645 "in checkwildcard: no wildcard to check");
2646 return (ISC_R_SUCCESS);
2649 dns_name_format(wild, namebuf, sizeof(namebuf));
2650 validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
2652 if (val->event->message == NULL) {
2654 rdataset = &trdataset;
2660 for (result = val_rdataset_first(val, &name, &rdataset);
2661 result == ISC_R_SUCCESS;
2662 result = val_rdataset_next(val, &name, &rdataset))
2664 if (rdataset->type != type ||
2665 rdataset->trust != dns_trust_secure)
2668 if (rdataset->type == dns_rdatatype_nsec &&
2669 (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
2670 !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
2671 nsecnoexistnodata(val, wild, name, rdataset,
2672 &exists, &data, NULL)
2675 dns_name_t **proofs = val->event->proofs;
2676 if (exists && !data)
2677 val->attributes |= VALATTR_FOUNDNODATA;
2678 if (exists && !data && NEEDNODATA(val))
2679 proofs[DNS_VALIDATOR_NODATAPROOF] =
2683 VALATTR_FOUNDNOWILDCARD;
2684 if (!exists && NEEDNOQNAME(val))
2685 proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
2687 if (dns_rdataset_isassociated(&trdataset))
2688 dns_rdataset_disassociate(&trdataset);
2689 return (ISC_R_SUCCESS);
2692 if (rdataset->type == dns_rdatatype_nsec3 &&
2693 (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
2694 !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
2695 nsec3noexistnodata(val, wild, name, rdataset,
2696 zonename, &exists, &data,
2697 NULL, NULL, NULL, NULL, NULL,
2698 NULL) == ISC_R_SUCCESS)
2700 dns_name_t **proofs = val->event->proofs;
2701 if (exists && !data)
2702 val->attributes |= VALATTR_FOUNDNODATA;
2703 if (exists && !data && NEEDNODATA(val))
2704 proofs[DNS_VALIDATOR_NODATAPROOF] =
2708 VALATTR_FOUNDNOWILDCARD;
2709 if (!exists && NEEDNOQNAME(val))
2710 proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
2712 if (dns_rdataset_isassociated(&trdataset))
2713 dns_rdataset_disassociate(&trdataset);
2714 return (ISC_R_SUCCESS);
2717 if (result == ISC_R_NOMORE)
2718 result = ISC_R_SUCCESS;
2719 if (dns_rdataset_isassociated(&trdataset))
2720 dns_rdataset_disassociate(&trdataset);
2725 findnsec3proofs(dns_validator_t *val) {
2726 dns_name_t *name, tname;
2727 isc_result_t result;
2728 isc_boolean_t exists, data, optout, unknown;
2729 isc_boolean_t setclosest, setnearest;
2730 dns_fixedname_t fclosest, fnearest, fzonename;
2731 dns_name_t *closest, *nearest, *zonename;
2732 dns_name_t **proofs = val->event->proofs;
2733 dns_rdataset_t *rdataset, trdataset;
2735 dns_name_init(&tname, NULL);
2736 dns_rdataset_init(&trdataset);
2737 dns_fixedname_init(&fclosest);
2738 dns_fixedname_init(&fnearest);
2739 dns_fixedname_init(&fzonename);
2740 closest = dns_fixedname_name(&fclosest);
2741 nearest = dns_fixedname_name(&fnearest);
2742 zonename = dns_fixedname_name(&fzonename);
2744 if (val->event->message == NULL) {
2746 rdataset = &trdataset;
2752 for (result = val_rdataset_first(val, &name, &rdataset);
2753 result == ISC_R_SUCCESS;
2754 result = val_rdataset_next(val, &name, &rdataset))
2756 if (rdataset->type != dns_rdatatype_nsec3 ||
2757 rdataset->trust != dns_trust_secure)
2760 result = nsec3noexistnodata(val, val->event->name,
2762 zonename, NULL, NULL, NULL,
2763 NULL, NULL, NULL, NULL,
2765 if (result != ISC_R_IGNORE && result != ISC_R_SUCCESS) {
2766 if (dns_rdataset_isassociated(&trdataset))
2767 dns_rdataset_disassociate(&trdataset);
2771 if (result != ISC_R_NOMORE)
2772 result = ISC_R_SUCCESS;
2774 if (dns_name_countlabels(zonename) == 0)
2775 return (ISC_R_SUCCESS);
2777 for (result = val_rdataset_first(val, &name, &rdataset);
2778 result == ISC_R_SUCCESS;
2779 result = val_rdataset_next(val, &name, &rdataset))
2781 if (rdataset->type != dns_rdatatype_nsec3 ||
2782 rdataset->trust != dns_trust_secure)
2786 * We process all NSEC3 records to find the closest
2787 * encloser and nearest name to the closest encloser.
2789 setclosest = setnearest = ISC_FALSE;
2791 unknown = ISC_FALSE;
2792 (void)nsec3noexistnodata(val, val->event->name, name, rdataset,
2793 zonename, &exists, &data, &optout,
2794 &unknown, &setclosest, &setnearest,
2797 proofs[DNS_VALIDATOR_CLOSESTENCLOSER] = name;
2799 val->attributes |= VALATTR_FOUNDUNKNOWN;
2800 if (result != ISC_R_SUCCESS)
2802 if (exists && !data && NEEDNODATA(val)) {
2803 val->attributes |= VALATTR_FOUNDNODATA;
2804 proofs[DNS_VALIDATOR_NODATAPROOF] = name;
2806 if (!exists && setnearest) {
2807 val->attributes |= VALATTR_FOUNDNOQNAME;
2808 proofs[DNS_VALIDATOR_NOQNAMEPROOF] = name;
2810 val->attributes |= VALATTR_FOUNDOPTOUT;
2813 if (result == ISC_R_NOMORE)
2814 result = ISC_R_SUCCESS;
2817 * To know we have a valid noqname and optout proofs we need to also
2818 * have a valid closest encloser. Otherwise we could still be looking
2819 * at proofs from the parent zone.
2821 if (dns_name_countlabels(closest) > 0 &&
2822 dns_name_countlabels(nearest) ==
2823 dns_name_countlabels(closest) + 1 &&
2824 dns_name_issubdomain(nearest, closest))
2826 val->attributes |= VALATTR_FOUNDCLOSEST;
2827 result = dns_name_concatenate(dns_wildcardname, closest,
2828 dns_fixedname_name(&val->wild),
2830 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2832 val->attributes &= ~VALATTR_FOUNDNOQNAME;
2833 val->attributes &= ~VALATTR_FOUNDOPTOUT;
2834 proofs[DNS_VALIDATOR_NOQNAMEPROOF] = NULL;
2838 * Do we need to check for the wildcard?
2840 if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
2841 ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) {
2842 result = checkwildcard(val, dns_rdatatype_nsec3, zonename);
2843 if (result != ISC_R_SUCCESS)
2850 * Validate the authority section records.
2853 validate_authority(dns_validator_t *val, isc_boolean_t resume) {
2855 dns_message_t *message = val->event->message;
2856 isc_result_t result;
2859 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
2861 result = ISC_R_SUCCESS;
2864 result == ISC_R_SUCCESS;
2865 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
2867 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
2870 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
2872 rdataset = ISC_LIST_NEXT(val->currentset, link);
2873 val->currentset = NULL;
2876 rdataset = ISC_LIST_HEAD(name->list);
2880 rdataset = ISC_LIST_NEXT(rdataset, link))
2882 if (rdataset->type == dns_rdatatype_rrsig)
2885 for (sigrdataset = ISC_LIST_HEAD(name->list);
2886 sigrdataset != NULL;
2887 sigrdataset = ISC_LIST_NEXT(sigrdataset,
2890 if (sigrdataset->type == dns_rdatatype_rrsig &&
2891 sigrdataset->covers == rdataset->type)
2895 * If a signed zone is missing the zone key, bad
2896 * things could happen. A query for data in the zone
2897 * would lead to a query for the zone key, which
2898 * would return a negative answer, which would contain
2899 * an SOA and an NSEC signed by the missing key, which
2900 * would trigger another query for the DNSKEY (since
2901 * the first one is still in progress), and go into an
2902 * infinite loop. Avoid that.
2904 if (val->event->type == dns_rdatatype_dnskey &&
2905 dns_name_equal(name, val->event->name))
2907 dns_rdata_t nsec = DNS_RDATA_INIT;
2909 if (rdataset->type != dns_rdatatype_nsec)
2912 result = dns_rdataset_first(rdataset);
2913 if (result != ISC_R_SUCCESS)
2915 dns_rdataset_current(rdataset, &nsec);
2916 if (dns_nsec_typepresent(&nsec,
2920 val->currentset = rdataset;
2921 result = create_validator(val, name, rdataset->type,
2922 rdataset, sigrdataset,
2924 "validate_authority");
2925 if (result != ISC_R_SUCCESS)
2928 return (DNS_R_WAIT);
2931 if (result == ISC_R_NOMORE)
2932 result = ISC_R_SUCCESS;
2937 * Validate the ncache elements.
2940 validate_ncache(dns_validator_t *val, isc_boolean_t resume) {
2942 isc_result_t result;
2945 result = dns_rdataset_first(val->event->rdataset);
2947 result = dns_rdataset_next(val->event->rdataset);
2950 result == ISC_R_SUCCESS;
2951 result = dns_rdataset_next(val->event->rdataset))
2953 dns_rdataset_t *rdataset, *sigrdataset = NULL;
2955 if (dns_rdataset_isassociated(&val->frdataset))
2956 dns_rdataset_disassociate(&val->frdataset);
2957 if (dns_rdataset_isassociated(&val->fsigrdataset))
2958 dns_rdataset_disassociate(&val->fsigrdataset);
2960 dns_fixedname_init(&val->fname);
2961 name = dns_fixedname_name(&val->fname);
2962 rdataset = &val->frdataset;
2963 dns_ncache_current(val->event->rdataset, name, rdataset);
2965 if (val->frdataset.type == dns_rdatatype_rrsig)
2968 result = dns_ncache_getsigrdataset(val->event->rdataset, name,
2970 &val->fsigrdataset);
2971 if (result == ISC_R_SUCCESS)
2972 sigrdataset = &val->fsigrdataset;
2975 * If a signed zone is missing the zone key, bad
2976 * things could happen. A query for data in the zone
2977 * would lead to a query for the zone key, which
2978 * would return a negative answer, which would contain
2979 * an SOA and an NSEC signed by the missing key, which
2980 * would trigger another query for the DNSKEY (since
2981 * the first one is still in progress), and go into an
2982 * infinite loop. Avoid that.
2984 if (val->event->type == dns_rdatatype_dnskey &&
2985 dns_name_equal(name, val->event->name))
2987 dns_rdata_t nsec = DNS_RDATA_INIT;
2989 if (rdataset->type != dns_rdatatype_nsec)
2992 result = dns_rdataset_first(rdataset);
2993 if (result != ISC_R_SUCCESS)
2995 dns_rdataset_current(rdataset, &nsec);
2996 if (dns_nsec_typepresent(&nsec,
3000 val->currentset = rdataset;
3001 result = create_validator(val, name, rdataset->type,
3002 rdataset, sigrdataset,
3005 if (result != ISC_R_SUCCESS)
3008 return (DNS_R_WAIT);
3010 if (result == ISC_R_NOMORE)
3011 result = ISC_R_SUCCESS;
3016 * Prove a negative answer is good or that there is a NOQNAME when the
3017 * answer is from a wildcard.
3019 * Loop through the authority section looking for NODATA, NOWILDCARD
3020 * and NOQNAME proofs in the NSEC records by calling authvalidated().
3022 * If the required proofs are found we are done.
3024 * If the proofs are not found attempt to prove this is a unsecure
3028 nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
3029 isc_result_t result;
3032 validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
3034 if (val->event->message == NULL)
3035 result = validate_ncache(val, resume);
3037 result = validate_authority(val, resume);
3039 if (result != ISC_R_SUCCESS)
3043 * Do we only need to check for NOQNAME? To get here we must have
3044 * had a secure wildcard answer.
3046 if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
3047 if (!FOUNDNOQNAME(val))
3048 findnsec3proofs(val);
3049 if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val)) {
3050 validator_log(val, ISC_LOG_DEBUG(3),
3051 "noqname proof found");
3052 validator_log(val, ISC_LOG_DEBUG(3),
3053 "marking as secure");
3054 marksecure(val->event);
3055 return (ISC_R_SUCCESS);
3056 } else if (FOUNDOPTOUT(val) &&
3057 dns_name_countlabels(dns_fixedname_name(&val->wild))
3059 validator_log(val, ISC_LOG_DEBUG(3),
3060 "optout proof found");
3061 val->event->optout = ISC_TRUE;
3062 markanswer(val, "nsecvalidate (1)");
3063 return (ISC_R_SUCCESS);
3064 } else if ((val->attributes & VALATTR_FOUNDUNKNOWN) != 0) {
3065 validator_log(val, ISC_LOG_DEBUG(3),
3066 "unknown NSEC3 hash algorithm found");
3067 markanswer(val, "nsecvalidate (2)");
3068 return (ISC_R_SUCCESS);
3070 validator_log(val, ISC_LOG_DEBUG(3),
3071 "noqname proof not found");
3072 return (DNS_R_NOVALIDNSEC);
3075 if (!FOUNDNOQNAME(val) && !FOUNDNODATA(val))
3076 findnsec3proofs(val);
3079 * Do we need to check for the wildcard?
3081 if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
3082 ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) {
3083 result = checkwildcard(val, dns_rdatatype_nsec, NULL);
3084 if (result != ISC_R_SUCCESS)
3088 if ((NEEDNODATA(val) && (FOUNDNODATA(val) || FOUNDOPTOUT(val))) ||
3089 (NEEDNOQNAME(val) && FOUNDNOQNAME(val) &&
3090 NEEDNOWILDCARD(val) && FOUNDNOWILDCARD(val) &&
3091 FOUNDCLOSEST(val))) {
3092 if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
3093 val->event->optout = ISC_TRUE;
3094 validator_log(val, ISC_LOG_DEBUG(3),
3095 "nonexistence proof(s) found");
3096 if (val->event->message == NULL)
3097 marksecure(val->event);
3098 return (ISC_R_SUCCESS);
3100 findnsec3proofs(val);
3102 if (val->authfail != 0 && val->authcount == val->authfail)
3103 return (DNS_R_BROKENCHAIN);
3104 validator_log(val, ISC_LOG_DEBUG(3),
3105 "nonexistence proof(s) not found");
3106 val->attributes |= VALATTR_INSECURITY;
3107 return (proveunsecure(val, ISC_FALSE, ISC_FALSE));
3110 static isc_boolean_t
3111 check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) {
3112 dns_rdata_t dsrdata = DNS_RDATA_INIT;
3114 isc_result_t result;
3116 for (result = dns_rdataset_first(rdataset);
3117 result == ISC_R_SUCCESS;
3118 result = dns_rdataset_next(rdataset)) {
3119 dns_rdataset_current(rdataset, &dsrdata);
3120 result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
3121 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3123 if (dns_resolver_digest_supported(val->view->resolver,
3125 dns_resolver_algorithm_supported(val->view->resolver,
3126 name, ds.algorithm)) {
3127 dns_rdata_reset(&dsrdata);
3130 dns_rdata_reset(&dsrdata);
3136 dlvvalidated(isc_task_t *task, isc_event_t *event) {
3137 dns_validatorevent_t *devent;
3138 dns_validator_t *val;
3139 isc_result_t eresult;
3140 isc_boolean_t want_destroy;
3143 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
3145 devent = (dns_validatorevent_t *)event;
3146 val = devent->ev_arg;
3147 eresult = devent->result;
3149 isc_event_free(&event);
3150 dns_validator_destroy(&val->subvalidator);
3152 INSIST(val->event != NULL);
3154 validator_log(val, ISC_LOG_DEBUG(3), "in dlvvalidated");
3156 if (CANCELED(val)) {
3157 validator_done(val, ISC_R_CANCELED);
3158 } else if (eresult == ISC_R_SUCCESS) {
3159 validator_log(val, ISC_LOG_DEBUG(3),
3160 "dlvset with trust %d", val->frdataset.trust);
3161 dns_rdataset_clone(&val->frdataset, &val->dlv);
3162 val->havedlvsep = ISC_TRUE;
3163 if (dlv_algorithm_supported(val))
3164 dlv_validator_start(val);
3166 markanswer(val, "dlvvalidated");
3167 validator_done(val, ISC_R_SUCCESS);
3170 if (eresult != DNS_R_BROKENCHAIN) {
3171 if (dns_rdataset_isassociated(&val->frdataset))
3172 dns_rdataset_expire(&val->frdataset);
3173 if (dns_rdataset_isassociated(&val->fsigrdataset))
3174 dns_rdataset_expire(&val->fsigrdataset);
3176 validator_log(val, ISC_LOG_DEBUG(3),
3177 "dlvvalidated: got %s",
3178 isc_result_totext(eresult));
3179 validator_done(val, DNS_R_BROKENCHAIN);
3181 want_destroy = exit_check(val);
3188 * Callback from fetching a DLV record.
3190 * Resumes the DLV lookup process.
3193 dlvfetched(isc_task_t *task, isc_event_t *event) {
3194 char namebuf[DNS_NAME_FORMATSIZE];
3195 dns_fetchevent_t *devent;
3196 dns_validator_t *val;
3197 isc_boolean_t want_destroy;
3198 isc_result_t eresult;
3199 isc_result_t result;
3202 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
3203 devent = (dns_fetchevent_t *)event;
3204 val = devent->ev_arg;
3205 eresult = devent->result;
3207 /* Free resources which are not of interest. */
3208 if (devent->node != NULL)
3209 dns_db_detachnode(devent->db, &devent->node);
3210 if (devent->db != NULL)
3211 dns_db_detach(&devent->db);
3212 if (dns_rdataset_isassociated(&val->fsigrdataset))
3213 dns_rdataset_disassociate(&val->fsigrdataset);
3214 isc_event_free(&event);
3215 dns_resolver_destroyfetch(&val->fetch);
3217 INSIST(val->event != NULL);
3218 validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s",
3219 dns_result_totext(eresult));
3222 if (eresult == ISC_R_SUCCESS) {
3223 dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
3225 dns_rdataset_clone(&val->frdataset, &val->dlv);
3226 val->havedlvsep = ISC_TRUE;
3227 if (dlv_algorithm_supported(val)) {
3228 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
3230 dlv_validator_start(val);
3232 validator_log(val, ISC_LOG_DEBUG(3),
3233 "DLV %s found with no supported algorithms",
3235 markanswer(val, "dlvfetched (1)");
3236 validator_done(val, ISC_R_SUCCESS);
3238 } else if (eresult == DNS_R_NXRRSET ||
3239 eresult == DNS_R_NXDOMAIN ||
3240 eresult == DNS_R_NCACHENXRRSET ||
3241 eresult == DNS_R_NCACHENXDOMAIN) {
3242 result = finddlvsep(val, ISC_TRUE);
3243 if (result == ISC_R_SUCCESS) {
3244 if (dlv_algorithm_supported(val)) {
3245 dns_name_format(dns_fixedname_name(&val->dlvsep),
3246 namebuf, sizeof(namebuf));
3247 validator_log(val, ISC_LOG_DEBUG(3),
3248 "DLV %s found", namebuf);
3249 dlv_validator_start(val);
3251 validator_log(val, ISC_LOG_DEBUG(3),
3252 "DLV %s found with no supported "
3253 "algorithms", namebuf);
3254 markanswer(val, "dlvfetched (2)");
3255 validator_done(val, ISC_R_SUCCESS);
3257 } else if (result == ISC_R_NOTFOUND) {
3258 validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
3259 markanswer(val, "dlvfetched (3)");
3260 validator_done(val, ISC_R_SUCCESS);
3262 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
3263 dns_result_totext(result));
3264 if (result != DNS_R_WAIT)
3265 validator_done(val, result);
3268 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
3269 dns_result_totext(eresult));
3270 validator_done(val, eresult);
3272 want_destroy = exit_check(val);
3279 * Start the DLV lookup process.
3284 * \li Others on validation failures.
3287 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
3288 char namebuf[DNS_NAME_FORMATSIZE];
3289 isc_result_t result;
3291 INSIST(!DLVTRIED(val));
3293 val->attributes |= VALATTR_DLVTRIED;
3295 dns_name_format(unsecure, namebuf, sizeof(namebuf));
3296 validator_log(val, ISC_LOG_DEBUG(3),
3297 "plain DNSSEC returns unsecure (%s): looking for DLV",
3300 if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
3301 validator_log(val, ISC_LOG_WARNING, "must be secure failure");
3302 return (DNS_R_MUSTBESECURE);
3305 val->dlvlabels = dns_name_countlabels(unsecure) - 1;
3306 result = finddlvsep(val, ISC_FALSE);
3307 if (result == ISC_R_NOTFOUND) {
3308 validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
3309 markanswer(val, "startfinddlvsep (1)");
3310 return (ISC_R_SUCCESS);
3312 if (result != ISC_R_SUCCESS) {
3313 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
3314 dns_result_totext(result));
3317 dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
3319 if (dlv_algorithm_supported(val)) {
3320 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
3321 dlv_validator_start(val);
3322 return (DNS_R_WAIT);
3324 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
3325 "algorithms", namebuf);
3326 markanswer(val, "startfinddlvsep (2)");
3327 validator_done(val, ISC_R_SUCCESS);
3328 return (ISC_R_SUCCESS);
3332 * Continue the DLV lookup process.
3336 * \li ISC_R_NOTFOUND
3338 * \li Others on validation failure.
3341 finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
3342 char namebuf[DNS_NAME_FORMATSIZE];
3343 dns_fixedname_t dlvfixed;
3344 dns_name_t *dlvname;
3347 isc_result_t result;
3348 unsigned int labels;
3350 INSIST(val->view->dlv != NULL);
3354 if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
3355 validator_log(val, ISC_LOG_WARNING,
3356 "must be secure failure");
3357 return (DNS_R_MUSTBESECURE);
3360 dns_fixedname_init(&val->dlvsep);
3361 dlvsep = dns_fixedname_name(&val->dlvsep);
3362 dns_name_copy(val->event->name, dlvsep, NULL);
3364 * If this is a response to a DS query, we need to look in
3365 * the parent zone for the trust anchor.
3367 if (val->event->type == dns_rdatatype_ds) {
3368 labels = dns_name_countlabels(dlvsep);
3370 return (ISC_R_NOTFOUND);
3371 dns_name_getlabelsequence(dlvsep, 1, labels - 1,
3375 dlvsep = dns_fixedname_name(&val->dlvsep);
3376 labels = dns_name_countlabels(dlvsep);
3377 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
3379 dns_name_init(&noroot, NULL);
3380 dns_fixedname_init(&dlvfixed);
3381 dlvname = dns_fixedname_name(&dlvfixed);
3382 labels = dns_name_countlabels(dlvsep);
3384 return (ISC_R_NOTFOUND);
3385 dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot);
3386 result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL);
3387 while (result == ISC_R_NOSPACE) {
3388 labels = dns_name_countlabels(dlvsep);
3389 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
3390 dns_name_getlabelsequence(dlvsep, 0, labels - 2, &noroot);
3391 result = dns_name_concatenate(&noroot, val->view->dlv,
3394 if (result != ISC_R_SUCCESS) {
3395 validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed");
3396 return (DNS_R_NOVALIDSIG);
3399 while (dns_name_countlabels(dlvname) >=
3400 dns_name_countlabels(val->view->dlv) + val->dlvlabels) {
3401 dns_name_format(dlvname, namebuf, sizeof(namebuf));
3402 validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s",
3404 result = view_find(val, dlvname, dns_rdatatype_dlv);
3405 if (result == ISC_R_SUCCESS) {
3406 if (DNS_TRUST_PENDING(val->frdataset.trust) &&
3407 dns_rdataset_isassociated(&val->fsigrdataset))
3409 dns_fixedname_init(&val->fname);
3410 dns_name_copy(dlvname,
3411 dns_fixedname_name(&val->fname),
3413 result = create_validator(val,
3414 dns_fixedname_name(&val->fname),
3420 if (result != ISC_R_SUCCESS)
3422 return (DNS_R_WAIT);
3424 if (val->frdataset.trust < dns_trust_secure)
3425 return (DNS_R_NOVALIDSIG);
3426 val->havedlvsep = ISC_TRUE;
3427 dns_rdataset_clone(&val->frdataset, &val->dlv);
3428 return (ISC_R_SUCCESS);
3430 if (result == ISC_R_NOTFOUND) {
3431 result = create_fetch(val, dlvname, dns_rdatatype_dlv,
3432 dlvfetched, "finddlvsep");
3433 if (result != ISC_R_SUCCESS)
3435 return (DNS_R_WAIT);
3437 if (result != DNS_R_NXRRSET &&
3438 result != DNS_R_NXDOMAIN &&
3439 result != DNS_R_EMPTYNAME &&
3440 result != DNS_R_NCACHENXRRSET &&
3441 result != DNS_R_NCACHENXDOMAIN)
3444 * Strip first labels from both dlvsep and dlvname.
3446 labels = dns_name_countlabels(dlvsep);
3449 dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
3450 labels = dns_name_countlabels(dlvname);
3451 dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname);
3453 return (ISC_R_NOTFOUND);
3457 * proveunsecure walks down from the SEP looking for a break in the
3458 * chain of trust. That occurs when we can prove the DS record does
3459 * not exist at a delegation point or the DS exists at a delegation
3460 * but we don't support the algorithm/digest.
3462 * If DLV is active and we look for a DLV record at or below the
3463 * point we go insecure. If found we restart the validation process.
3464 * If not found or DLV isn't active we mark the response as a answer.
3467 * \li ISC_R_SUCCESS val->event->name is in a unsecure zone
3468 * \li DNS_R_WAIT validation is in progress.
3469 * \li DNS_R_MUSTBESECURE val->event->name is supposed to be secure
3470 * (policy) but we proved that it is unsecure.
3471 * \li DNS_R_NOVALIDSIG
3472 * \li DNS_R_NOVALIDNSEC
3473 * \li DNS_R_NOTINSECURE
3474 * \li DNS_R_BROKENCHAIN
3477 proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
3479 isc_result_t result;
3480 dns_fixedname_t fixedsecroot;
3481 dns_name_t *secroot;
3483 char namebuf[DNS_NAME_FORMATSIZE];
3485 dns_fixedname_t fixedfound;
3487 dns_fixedname_init(&fixedsecroot);
3488 secroot = dns_fixedname_name(&fixedsecroot);
3489 dns_fixedname_init(&fixedfound);
3490 found = dns_fixedname_name(&fixedfound);
3491 if (val->havedlvsep)
3492 dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
3494 unsigned int labels;
3495 dns_name_copy(val->event->name, secroot, NULL);
3497 * If this is a response to a DS query, we need to look in
3498 * the parent zone for the trust anchor.
3501 labels = dns_name_countlabels(secroot);
3502 if (val->event->type == dns_rdatatype_ds && labels > 1U)
3503 dns_name_getlabelsequence(secroot, 1, labels - 1,
3505 result = dns_keytable_finddeepestmatch(val->keytable,
3507 if (result == ISC_R_NOTFOUND) {
3508 if (val->mustbesecure) {
3509 validator_log(val, ISC_LOG_WARNING,
3510 "must be secure failure");
3511 result = DNS_R_MUSTBESECURE;
3514 if (val->view->dlv == NULL || DLVTRIED(val)) {
3515 markanswer(val, "proveunsecure (1)");
3516 return (ISC_R_SUCCESS);
3518 return (startfinddlvsep(val, dns_rootname));
3519 } else if (result != ISC_R_SUCCESS)
3525 * We are looking for breaks below the SEP so add a label.
3527 val->labels = dns_name_countlabels(secroot) + 1;
3529 validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
3531 * If we have a DS rdataset and it is secure then check if
3532 * the DS rdataset has a supported algorithm combination.
3533 * If not this is a insecure delegation as far as this
3534 * resolver is concerned. Fall back to DLV if available.
3536 if (have_ds && val->frdataset.trust >= dns_trust_secure &&
3537 !check_ds(val, dns_fixedname_name(&val->fname),
3539 dns_name_format(dns_fixedname_name(&val->fname),
3540 namebuf, sizeof(namebuf));
3541 if ((val->view->dlv == NULL || DLVTRIED(val)) &&
3542 val->mustbesecure) {
3543 validator_log(val, ISC_LOG_WARNING,
3544 "must be secure failure at '%s'",
3546 result = DNS_R_MUSTBESECURE;
3549 validator_log(val, ISC_LOG_DEBUG(3),
3550 "no supported algorithm/digest (%s/DS)",
3552 if (val->view->dlv == NULL || DLVTRIED(val)) {
3553 markanswer(val, "proveunsecure (2)");
3554 result = ISC_R_SUCCESS;
3557 result = startfinddlvsep(val,
3558 dns_fixedname_name(&val->fname));
3565 val->labels <= dns_name_countlabels(val->event->name);
3569 dns_fixedname_init(&val->fname);
3570 tname = dns_fixedname_name(&val->fname);
3571 if (val->labels == dns_name_countlabels(val->event->name))
3572 dns_name_copy(val->event->name, tname, NULL);
3574 dns_name_split(val->event->name, val->labels,
3577 dns_name_format(tname, namebuf, sizeof(namebuf));
3578 validator_log(val, ISC_LOG_DEBUG(3),
3579 "checking existence of DS at '%s'",
3582 result = view_find(val, tname, dns_rdatatype_ds);
3583 if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
3585 * There is no DS. If this is a delegation,
3589 * If we have "trust == answer" then this namespace
3590 * has switched from insecure to should be secure.
3592 if (DNS_TRUST_PENDING(val->frdataset.trust) ||
3593 DNS_TRUST_ANSWER(val->frdataset.trust)) {
3594 result = create_validator(val, tname,
3599 if (result != ISC_R_SUCCESS)
3601 return (DNS_R_WAIT);
3604 * Zones using NSEC3 don't return a NSEC RRset so
3605 * we need to use dns_view_findzonecut2 to find
3608 if (result == DNS_R_NXRRSET &&
3609 !dns_rdataset_isassociated(&val->frdataset) &&
3610 dns_view_findzonecut2(val->view, tname, found,
3611 0, 0, ISC_FALSE, ISC_FALSE,
3612 NULL, NULL) == ISC_R_SUCCESS &&
3613 dns_name_equal(tname, found)) {
3614 if (val->mustbesecure) {
3615 validator_log(val, ISC_LOG_WARNING,
3616 "must be secure failure");
3617 return (DNS_R_MUSTBESECURE);
3619 if (val->view->dlv == NULL || DLVTRIED(val)) {
3620 markanswer(val, "proveunsecure (3)");
3621 return (ISC_R_SUCCESS);
3623 return (startfinddlvsep(val, tname));
3625 if (val->frdataset.trust < dns_trust_secure) {
3627 * This shouldn't happen, since the negative
3628 * response should have been validated. Since
3629 * there's no way of validating existing
3630 * negative response blobs, give up.
3632 result = DNS_R_NOVALIDSIG;
3635 if (isdelegation(tname, &val->frdataset, result)) {
3636 if (val->mustbesecure) {
3637 validator_log(val, ISC_LOG_WARNING,
3638 "must be secure failure");
3639 return (DNS_R_MUSTBESECURE);
3641 if (val->view->dlv == NULL || DLVTRIED(val)) {
3642 markanswer(val, "proveunsecure (4)");
3643 return (ISC_R_SUCCESS);
3645 return (startfinddlvsep(val, tname));
3648 } else if (result == ISC_R_SUCCESS) {
3650 * There is a DS here. Verify that it's secure and
3653 if (val->frdataset.trust >= dns_trust_secure) {
3654 if (!check_ds(val, tname, &val->frdataset)) {
3655 validator_log(val, ISC_LOG_DEBUG(3),
3656 "no supported algorithm/"
3657 "digest (%s/DS)", namebuf);
3658 if (val->mustbesecure) {
3661 "must be secure failure");
3662 result = DNS_R_MUSTBESECURE;
3665 if (val->view->dlv == NULL ||
3668 "proveunsecure (5)");
3669 result = ISC_R_SUCCESS;
3672 result = startfinddlvsep(val, tname);
3677 else if (!dns_rdataset_isassociated(&val->fsigrdataset))
3679 result = DNS_R_NOVALIDSIG;
3683 * Validate / re-validate answer.
3685 result = create_validator(val, tname, dns_rdatatype_ds,
3690 if (result != ISC_R_SUCCESS)
3692 return (DNS_R_WAIT);
3693 } else if (result == DNS_R_NXDOMAIN ||
3694 result == DNS_R_NCACHENXDOMAIN) {
3696 * This is not a zone cut. Assuming things are
3697 * as expected, continue.
3699 if (!dns_rdataset_isassociated(&val->frdataset)) {
3701 * There should be an NSEC here, since we
3702 * are still in a secure zone.
3704 result = DNS_R_NOVALIDNSEC;
3706 } else if (val->frdataset.trust < dns_trust_secure) {
3708 * This shouldn't happen, since the negative
3709 * response should have been validated. Since
3710 * there's no way of validating existing
3711 * negative response blobs, give up.
3713 result = DNS_R_NOVALIDSIG;
3717 } else if (result == ISC_R_NOTFOUND) {
3719 * We don't know anything about the DS. Find it.
3721 result = create_fetch(val, tname, dns_rdatatype_ds,
3722 dsfetched2, "proveunsecure");
3723 if (result != ISC_R_SUCCESS)
3725 return (DNS_R_WAIT);
3726 } else if (result == DNS_R_BROKENCHAIN)
3730 /* Couldn't complete insecurity proof */
3731 validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
3732 return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
3735 if (dns_rdataset_isassociated(&val->frdataset))
3736 dns_rdataset_disassociate(&val->frdataset);
3737 if (dns_rdataset_isassociated(&val->fsigrdataset))
3738 dns_rdataset_disassociate(&val->fsigrdataset);
3743 * Reset state and revalidate the answer using DLV.
3746 dlv_validator_start(dns_validator_t *val) {
3749 validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start");
3752 * Reset state and try again.
3754 val->attributes &= VALATTR_DLVTRIED;
3755 val->options &= ~DNS_VALIDATOR_DLV;
3757 event = (isc_event_t *)val->event;
3758 isc_task_send(val->task, &event);
3762 * Start the validation process.
3764 * Attempt to validate the answer based on the category it appears to
3766 * \li 1. secure positive answer.
3767 * \li 2. unsecure positive answer.
3768 * \li 3. a negative answer (secure or unsecure).
3770 * Note a answer that appears to be a secure positive answer may actually
3771 * be a unsecure positive answer.
3774 validator_start(isc_task_t *task, isc_event_t *event) {
3775 dns_validator_t *val;
3776 dns_validatorevent_t *vevent;
3777 isc_boolean_t want_destroy = ISC_FALSE;
3778 isc_result_t result = ISC_R_FAILURE;
3781 REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
3782 vevent = (dns_validatorevent_t *)event;
3783 val = vevent->validator;
3785 /* If the validator has been canceled, val->event == NULL */
3786 if (val->event == NULL)
3790 validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV");
3792 validator_log(val, ISC_LOG_DEBUG(3), "starting");
3796 if ((val->options & DNS_VALIDATOR_DLV) != 0 &&
3797 val->event->rdataset != NULL) {
3798 validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
3799 result = startfinddlvsep(val, dns_rootname);
3800 } else if (val->event->rdataset != NULL &&
3801 val->event->sigrdataset != NULL) {
3802 isc_result_t saved_result;
3805 * This looks like a simple validation. We say "looks like"
3806 * because it might end up requiring an insecurity proof.
3808 validator_log(val, ISC_LOG_DEBUG(3),
3809 "attempting positive response validation");
3811 INSIST(dns_rdataset_isassociated(val->event->rdataset));
3812 INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
3813 result = start_positive_validation(val);
3814 if (result == DNS_R_NOVALIDSIG &&
3815 (val->attributes & VALATTR_TRIEDVERIFY) == 0)
3817 saved_result = result;
3818 validator_log(val, ISC_LOG_DEBUG(3),
3819 "falling back to insecurity proof");
3820 val->attributes |= VALATTR_INSECURITY;
3821 result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
3822 if (result == DNS_R_NOTINSECURE)
3823 result = saved_result;
3825 } else if (val->event->rdataset != NULL &&
3826 val->event->rdataset->type != 0) {
3828 * This is either an unsecure subdomain or a response from
3831 INSIST(dns_rdataset_isassociated(val->event->rdataset));
3832 validator_log(val, ISC_LOG_DEBUG(3),
3833 "attempting insecurity proof");
3835 val->attributes |= VALATTR_INSECURITY;
3836 result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
3837 } else if (val->event->rdataset == NULL &&
3838 val->event->sigrdataset == NULL)
3841 * This is a nonexistence validation.
3843 validator_log(val, ISC_LOG_DEBUG(3),
3844 "attempting negative response validation");
3846 if (val->event->message->rcode == dns_rcode_nxdomain) {
3847 val->attributes |= VALATTR_NEEDNOQNAME;
3848 val->attributes |= VALATTR_NEEDNOWILDCARD;
3850 val->attributes |= VALATTR_NEEDNODATA;
3851 result = nsecvalidate(val, ISC_FALSE);
3852 } else if (val->event->rdataset != NULL &&
3853 val->event->rdataset->type == 0)
3856 * This is a nonexistence validation.
3858 validator_log(val, ISC_LOG_DEBUG(3),
3859 "attempting negative response validation");
3861 if (val->event->rdataset->covers == dns_rdatatype_any) {
3862 val->attributes |= VALATTR_NEEDNOQNAME;
3863 val->attributes |= VALATTR_NEEDNOWILDCARD;
3865 val->attributes |= VALATTR_NEEDNODATA;
3866 result = nsecvalidate(val, ISC_FALSE);
3869 * This shouldn't happen.
3874 if (result != DNS_R_WAIT) {
3875 want_destroy = exit_check(val);
3876 validator_done(val, result);
3885 dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
3886 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
3887 dns_message_t *message, unsigned int options,
3888 isc_task_t *task, isc_taskaction_t action, void *arg,
3889 dns_validator_t **validatorp)
3891 isc_result_t result;
3892 dns_validator_t *val;
3894 dns_validatorevent_t *event;
3896 REQUIRE(name != NULL);
3897 REQUIRE(rdataset != NULL ||
3898 (rdataset == NULL && sigrdataset == NULL && message != NULL));
3899 REQUIRE(validatorp != NULL && *validatorp == NULL);
3902 result = ISC_R_FAILURE;
3904 val = isc_mem_get(view->mctx, sizeof(*val));
3906 return (ISC_R_NOMEMORY);
3908 dns_view_weakattach(view, &val->view);
3909 event = (dns_validatorevent_t *)
3910 isc_event_allocate(view->mctx, task,
3911 DNS_EVENT_VALIDATORSTART,
3912 validator_start, NULL,
3913 sizeof(dns_validatorevent_t));
3914 if (event == NULL) {
3915 result = ISC_R_NOMEMORY;
3918 isc_task_attach(task, &tclone);
3919 event->validator = val;
3920 event->result = ISC_R_FAILURE;
3923 event->rdataset = rdataset;
3924 event->sigrdataset = sigrdataset;
3925 event->message = message;
3926 memset(event->proofs, 0, sizeof(event->proofs));
3927 event->optout = ISC_FALSE;
3928 result = isc_mutex_init(&val->lock);
3929 if (result != ISC_R_SUCCESS)
3932 val->options = options;
3933 val->attributes = 0;
3935 val->subvalidator = NULL;
3937 val->keytable = NULL;
3938 dns_keytable_attach(val->view->secroots, &val->keytable);
3939 val->keynode = NULL;
3941 val->siginfo = NULL;
3943 val->action = action;
3946 val->currentset = NULL;
3949 dns_rdataset_init(&val->dlv);
3950 val->seensig = ISC_FALSE;
3951 val->havedlvsep = ISC_FALSE;
3955 val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
3956 dns_rdataset_init(&val->frdataset);
3957 dns_rdataset_init(&val->fsigrdataset);
3958 dns_fixedname_init(&val->wild);
3959 dns_fixedname_init(&val->nearest);
3960 dns_fixedname_init(&val->closest);
3961 ISC_LINK_INIT(val, link);
3962 val->magic = VALIDATOR_MAGIC;
3964 if ((options & DNS_VALIDATOR_DEFER) == 0)
3965 isc_task_send(task, ISC_EVENT_PTR(&event));
3969 return (ISC_R_SUCCESS);
3972 isc_task_detach(&tclone);
3973 isc_event_free(ISC_EVENT_PTR(&event));
3976 dns_view_weakdetach(&val->view);
3977 isc_mem_put(view->mctx, val, sizeof(*val));
3983 dns_validator_send(dns_validator_t *validator) {
3985 REQUIRE(VALID_VALIDATOR(validator));
3987 LOCK(&validator->lock);
3989 INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
3990 event = (isc_event_t *)validator->event;
3991 validator->options &= ~DNS_VALIDATOR_DEFER;
3992 UNLOCK(&validator->lock);
3994 isc_task_send(validator->task, ISC_EVENT_PTR(&event));
3998 dns_validator_cancel(dns_validator_t *validator) {
3999 REQUIRE(VALID_VALIDATOR(validator));
4001 LOCK(&validator->lock);
4003 validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
4005 if (validator->event != NULL) {
4006 if (validator->fetch != NULL)
4007 dns_resolver_cancelfetch(validator->fetch);
4009 if (validator->subvalidator != NULL)
4010 dns_validator_cancel(validator->subvalidator);
4011 if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
4012 isc_task_t *task = validator->event->ev_sender;
4013 validator->options &= ~DNS_VALIDATOR_DEFER;
4014 isc_event_free((isc_event_t **)&validator->event);
4015 isc_task_detach(&task);
4017 validator->attributes |= VALATTR_CANCELED;
4019 UNLOCK(&validator->lock);
4023 destroy(dns_validator_t *val) {
4026 REQUIRE(SHUTDOWN(val));
4027 REQUIRE(val->event == NULL);
4028 REQUIRE(val->fetch == NULL);
4030 if (val->keynode != NULL)
4031 dns_keytable_detachkeynode(val->keytable, &val->keynode);
4032 else if (val->key != NULL)
4033 dst_key_free(&val->key);
4034 if (val->keytable != NULL)
4035 dns_keytable_detach(&val->keytable);
4036 if (val->subvalidator != NULL)
4037 dns_validator_destroy(&val->subvalidator);
4038 if (val->havedlvsep)
4039 dns_rdataset_disassociate(&val->dlv);
4040 if (dns_rdataset_isassociated(&val->frdataset))
4041 dns_rdataset_disassociate(&val->frdataset);
4042 if (dns_rdataset_isassociated(&val->fsigrdataset))
4043 dns_rdataset_disassociate(&val->fsigrdataset);
4044 mctx = val->view->mctx;
4045 if (val->siginfo != NULL)
4046 isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
4047 DESTROYLOCK(&val->lock);
4048 dns_view_weakdetach(&val->view);
4050 isc_mem_put(mctx, val, sizeof(*val));
4054 dns_validator_destroy(dns_validator_t **validatorp) {
4055 dns_validator_t *val;
4056 isc_boolean_t want_destroy = ISC_FALSE;
4058 REQUIRE(validatorp != NULL);
4060 REQUIRE(VALID_VALIDATOR(val));
4064 val->attributes |= VALATTR_SHUTDOWN;
4065 validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
4067 want_destroy = exit_check(val);
4078 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
4079 isc_logmodule_t *module, int level, const char *fmt, va_list ap)
4082 static const char spaces[] = " *";
4083 int depth = val->depth * 2;
4085 vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
4087 if ((unsigned int) depth >= sizeof spaces)
4088 depth = sizeof spaces - 1;
4090 if (val->event != NULL && val->event->name != NULL) {
4091 char namebuf[DNS_NAME_FORMATSIZE];
4092 char typebuf[DNS_RDATATYPE_FORMATSIZE];
4094 dns_name_format(val->event->name, namebuf, sizeof(namebuf));
4095 dns_rdatatype_format(val->event->type, typebuf,
4097 isc_log_write(dns_lctx, category, module, level,
4098 "%.*svalidating @%p: %s %s: %s", depth, spaces,
4099 val, namebuf, typebuf, msgbuf);
4101 isc_log_write(dns_lctx, category, module, level,
4102 "%.*svalidator @%p: %s", depth, spaces,
4108 validator_log(dns_validator_t *val, int level, const char *fmt, ...) {
4111 if (! isc_log_wouldlog(dns_lctx, level))
4116 validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
4117 DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
4122 validator_logcreate(dns_validator_t *val,
4123 dns_name_t *name, dns_rdatatype_t type,
4124 const char *caller, const char *operation)
4126 char namestr[DNS_NAME_FORMATSIZE];
4127 char typestr[DNS_RDATATYPE_FORMATSIZE];
4129 dns_name_format(name, namestr, sizeof(namestr));
4130 dns_rdatatype_format(type, typestr, sizeof(typestr));
4131 validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",
4132 caller, operation, namestr, typestr);