/*
 * validator/validator.h - secure validator DNS query response module
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file contains a module that performs validation of DNS queries.
 * According to RFC 4034.
 *
 * It declares the validator's global environment (struct val_env, shared
 * by all queries), the per-query validation state (struct val_qstate) and
 * the module entry points that the module framework calls (init, deinit,
 * operate, inform_super, clear, get_mem). Validation walks a chain of
 * trust from a configured trust anchor down to the signer of the answer;
 * results that fail are marked bogus and cached for BOGUS_KEY_TTL /
 * bogus_ttl so that the same bad data is not re-verified continuously.
 */

#ifndef VALIDATOR_VALIDATOR_H
#define VALIDATOR_VALIDATOR_H
#include "util/module.h"
#include "util/data/msgreply.h"
#include "validator/val_utils.h"
#include "validator/val_nsec3.h"
struct val_anchors;
struct key_cache;
struct key_entry_key;
struct val_neg_cache;
struct config_strlist;
struct comm_timer;
struct config_file;

/**
 * This is the TTL to use when a trust anchor fails to prime. A trust anchor
 * will be primed no more often than this interval. Used when harden-
 * dnssec-stripped is off and the trust anchor fails.
 * Bounds how often a failing anchor triggers new priming queries.
 */
#define NULL_KEY_TTL 60 /* seconds */

/**
 * TTL for bogus key entries. When a DS or DNSKEY fails in the chain of
 * trust the entire zone for that name is blacked out for this TTL.
 * Bounds the rate at which a broken chain of trust is re-examined.
 */
#define BOGUS_KEY_TTL 60 /* seconds */

/** Root key sentinel is ta preamble (root key trust anchor sentinel,
 * RFC 8509); matched as a label prefix on the query name. */
#define SENTINEL_IS "root-key-sentinel-is-ta-"
/** Root key sentinel is not ta preamble (RFC 8509). */
#define SENTINEL_NOT "root-key-sentinel-not-ta-"
/** Root key sentinel keytag length: the decimal key tag that follows the
 * preamble; five digits covers the full 16-bit key tag range. */
#define SENTINEL_KEYTAG_LEN 5

/**
 * Global state for the validator.
 * One instance per module environment; shared across all queries, so
 * mutable counters in here need the lock provided for them.
 */
struct val_env {
	/** key cache; these are validated keys. trusted keys only
	 * end up here after being primed. */
	struct key_cache* kcache;

	/** aggressive negative cache. index into NSECs in rrset cache. */
	struct val_neg_cache* neg_cache;

	/** for debug testing a fixed validation date can be entered.
	 * if 0, current time is used for rrsig validation.
	 * A nonzero value pins the signature validity check to that time
	 * and therefore disables real expiration checking; it exists for
	 * test setups only. */
	int32_t date_override;

	/** clock skew min for signatures (seconds).
	 * NOTE(review): presumably the tolerance applied on the inception
	 * side of an RRSIG validity window - confirm in the signature
	 * checking code. */
	int32_t skew_min;

	/** clock skew max for signatures (seconds).
	 * NOTE(review): presumably the tolerance applied on the expiration
	 * side of an RRSIG validity window - confirm in the signature
	 * checking code. */
	int32_t skew_max;

	/** max number of query restarts, number of IPs to probe.
	 * Compared against val_qstate.restart_count to stop a query that
	 * keeps restarting. */
	int max_restart;

	/** TTL for bogus data; used instead of untrusted TTL from data.
	 * Bogus data will not be verified more often than this interval.
	 * seconds.
	 * The untrusted TTL is not used because it is attacker-controlled. */
	uint32_t bogus_ttl;

	/**
	 * Number of entries in the NSEC3 maximum iteration count table.
	 * Keep this table short, and sorted by size.
	 * This is the length of both nsec3_keysize and nsec3_maxiter.
	 */
	int nsec3_keyiter_count;

	/**
	 * NSEC3 maximum iteration count per signing key size.
	 * This array contains key size values (in increasing order).
	 * Parallel to nsec3_maxiter; nsec3_keyiter_count entries.
	 * The increasing order is relied upon for lookups, so the parser
	 * that fills it (val_env_parse_key_iter) must produce it sorted.
	 */
	size_t* nsec3_keysize;

	/**
	 * NSEC3 maximum iteration count per signing key size.
	 * This array contains the maximum iteration count for the keysize
	 * in the keysize array.
	 * Capping the iteration count bounds the hashing work the validator
	 * is willing to do for NSEC3 proofs.
	 */
	size_t* nsec3_maxiter;

	/** lock on bogus counter; protects num_rrset_bogus, which is
	 * updated from every query that marks data bogus. */
	lock_basic_type bogus_lock;
	/** number of times rrsets marked bogus (statistics; take
	 * bogus_lock to read or write). */
	size_t num_rrset_bogus;
};

/**
 * State of the validator for a query.
 * The states are visited in this order; val_state_to_string() gives a
 * printable name for each.
 */
enum val_state {
	/** initial state for validation */
	VAL_INIT_STATE = 0,
	/** find the proper keys for validation, follow trust chain */
	VAL_FINDKEY_STATE,
	/** validate the answer, using found key entry */
	VAL_VALIDATE_STATE,
	/** finish up */
	VAL_FINISHED_STATE,
};

/**
 * Per query state for the validator module.
 * Allocated per query and released by val_clear().
 */
struct val_qstate {
	/**
	 * State of the validator module.
	 */
	enum val_state state;

	/**
	 * The original message we have been given to validate.
	 */
	struct dns_msg* orig_msg;

	/**
	 * The query restart count; bounded by val_env.max_restart.
	 */
	int restart_count;
	/** The blacklist saved for chain of trust elements */
	struct sock_list* chain_blacklist;

	/**
	 * The query name we have chased to; qname after following CNAMEs
	 */
	struct query_info qchase;

	/**
	 * The chased reply, extract from original message. Can be:
	 *	o CNAME
	 *	o DNAME + CNAME
	 *	o answer
	 * plus authority, additional (nsecs) that have same signature.
	 */
	struct reply_info* chase_reply;

	/**
	 * The cname skip value; the number of rrsets that have been skipped
	 * due to chasing cnames. This is the offset into the
	 * orig_msg->rep->rrsets array, into the answer section.
	 * starts at 0 - for the full original message.
	 * if it is >0 - qchase followed the cname, chase_reply setup to be
	 * that message and relevant authority rrsets.
	 *
	 * The skip is also used for referral messages, where it will
	 * range from 0, over the answer, authority and additional sections.
	 */
	size_t rrset_skip;

	/** trust anchor name (wire format dname) */
	uint8_t* trust_anchor_name;
	/** trust anchor labels */
	int trust_anchor_labs;
	/** trust anchor length (bytes of trust_anchor_name) */
	size_t trust_anchor_len;

	/** the DS rrset */
	struct ub_packed_rrset_key* ds_rrset;

	/** domain name for empty nonterminal detection */
	uint8_t* empty_DS_name;
	/** length of empty_DS_name */
	size_t empty_DS_len;

	/** the current key entry */
	struct key_entry_key* key_entry;

	/** subtype */
	enum val_classification subtype;

	/** signer name (wire format dname) */
	uint8_t* signer_name;
	/** length of signer_name */
	size_t signer_len;

	/** true if this state is waiting to prime a trust anchor */
	int wait_prime_ta;

	/** State to continue with RRSIG validation in a message later.
	 * Together with msg_signatures_index this lets signature checking
	 * of a message be suspended and resumed instead of done in one go. */
	int msg_signatures_state;
	/** The rrset index for the msg signatures to continue from */
	size_t msg_signatures_index;
	/** Cache table for NSEC3 hashes */
	struct nsec3_cache_table nsec3_cache_table;
	/** DS message from sub if it got suspended from NSEC3 calculations */
	struct dns_msg* sub_ds_msg;
	/** The timer to resume processing msg signatures; fires
	 * validate_suspend_timer_cb(). */
	struct comm_timer* suspend_timer;
	/** Number of suspends */
	int suspend_count;
};

/**
 * Get the validator function block.
 * @return: function block with function pointers to validator methods.
 */
struct module_func_block* val_get_funcblock(void);

/**
 * Get validator state as a string
 * @param state: to convert
 * @return constant string that is printable.
 */
const char* val_state_to_string(enum val_state state);

/** validator init
 * @param env: module environment.
 * @param id: module id.
 * @return false on failure. */
int val_init(struct module_env* env, int id);

/** validator deinit
 * @param env: module environment.
 * @param id: module id. */
void val_deinit(struct module_env* env, int id);

/** validator operate on a query
 * @param qstate: query state.
 * @param event: module event that caused this call.
 * @param id: module id.
 * @param outbound: outbound entry, for reply events. */
void val_operate(struct module_qstate* qstate, enum module_ev event, int id,
	struct outbound_entry* outbound);

/**
 * inform validator super.
 *
 * @param qstate: query state that finished.
 * @param id: module id.
 * @param super: the qstate to inform.
 */
void val_inform_super(struct module_qstate* qstate, int id,
	struct module_qstate* super);

/** validator cleanup query state
 * @param qstate: query state.
 * @param id: module id. */
void val_clear(struct module_qstate* qstate, int id);

/**
 * Debug helper routine that assists worker in determining memory in
 * use.
 * @param env: module environment
 * @param id: module id.
 * @return memory in use in bytes.
 */
size_t val_get_mem(struct module_env* env, int id);

/** Timer callback for msg signatures continue timer
 * @param arg: callback argument set when the timer was armed.
 * NOTE(review): presumably the suspended module_qstate - confirm. */
void validate_suspend_timer_cb(void* arg);

/**
 * Parse the val_nsec3_key_iterations string.
 * @param val_nsec3_key_iterations: the string with nsec3 iterations config.
 * @param keysize: returns malloced key size array on success.
 * @param maxiter: returns malloced max iterations array on success.
 * @param keyiter_count: returns size of keysize and maxiter arrays.
 * @return false if it does not parse correctly.
 * On success the caller owns the two arrays (both keyiter_count entries
 * long) and must free them. They are the values stored in
 * val_env.nsec3_keysize and val_env.nsec3_maxiter, so the key sizes are
 * expected in increasing order.
 * NOTE(review): whether *keysize and *maxiter are left untouched on
 * failure cannot be told from this header - confirm before freeing them
 * on the error path.
 */
int val_env_parse_key_iter(char* val_nsec3_key_iterations, size_t** keysize,
	size_t** maxiter, int* keyiter_count);

/**
 * Apply config to validator env
 * @param val_env: validator env.
 * @param cfg: config
 * @param keysize: nsec3 key size array.
 * @param maxiter: nsec3 max iterations array.
 * @param keyiter_count: size of keysize and maxiter arrays.
 * NOTE(review): keysize and maxiter are presumably stored in val_env
 * (nsec3_keysize, nsec3_maxiter), i.e. ownership passes to the env -
 * confirm who frees them (val_deinit?) before reusing them elsewhere.
 */
void val_env_apply_cfg(struct val_env* val_env, struct config_file* cfg,
	size_t* keysize, size_t* maxiter, int keyiter_count);

#endif /* VALIDATOR_VALIDATOR_H */