xref: /freebsd/contrib/ldns/drill/securetrace.c (revision 7661de35d15f582ab33e3bd6b8d909601557e436)
1 /*
2  * securechasetrace.c
3  * Where all the hard work concerning secure tracing is done
4  *
5  * (c) 2005, 2006 NLnet Labs
6  *
7  * See the file LICENSE for the license
8  *
9  */
10 
11 #include "drill.h"
12 #include <ldns/ldns.h>
13 
14 #define SELF "[S]"  /* self sig ok */
15 #define TRUST "[T]" /* chain from parent */
16 #define BOGUS "[B]" /* bogus */
17 #define UNSIGNED "[U]" /* no relevant dnssec data found */
18 
19 #if 0
20 /* See if there is a key/ds in trusted that matches
21  * a ds in *ds.
22  */
23 static ldns_rr_list *
24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
25 {
26 	size_t i, j;
27 	bool match;
28 	ldns_rr *rr_i, *rr_j;
29 	ldns_rr_list *keys;
30 
31 	if (!trusted || !ds) {
32 		return NULL;
33 	}
34 
35 	match = false;
36 	keys = ldns_rr_list_new();
37 	if (!keys) {
38 		return NULL;
39 	}
40 
41 	if (!ds || !trusted) {
42 		return NULL;
43 	}
44 
45 	for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) {
46 		rr_i = ldns_rr_list_rr(trusted, i);
47 		for (j = 0; j < ldns_rr_list_rr_count(ds); j++) {
48 
49 			rr_j = ldns_rr_list_rr(ds, j);
50 			if (ldns_rr_compare_ds(rr_i, rr_j)) {
51 				match = true;
52 				/* only allow unique RRs to match */
53 				ldns_rr_set_push_rr(keys, rr_i);
54 			}
55 		}
56 	}
57 	if (match) {
58 		return keys;
59 	} else {
60 		return NULL;
61 	}
62 }
63 #endif
64 
65 ldns_pkt *
66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t)
67 {
68 	ldns_pkt *p = NULL;
69 	p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0);
70 	if (!p) {
71 		return NULL;
72 	} else {
73 		if (verbosity >= 5) {
74 			ldns_pkt_print(stdout, p);
75 		}
76 		return p;
77 	}
78 }
79 
80 #ifdef HAVE_SSL
81 /*
82  * retrieve keys for this zone
83  */
84 static ldns_pkt_type
85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
86 {
87 	return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig);
88 }
89 
90 /*
91  * check to see if we can find a DS rrset here which we can then follow
92  */
93 static ldns_pkt_type
94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
95 {
96 	return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig);
97 }
98 #endif /* HAVE_SSL */
99 
100 void
101 remove_resolver_nameservers(ldns_resolver *res)
102 {
103 	ldns_rdf *pop;
104 
105 	/* remove the old nameserver from the resolver */
106 	while((pop = ldns_resolver_pop_nameserver(res))) {
107 		ldns_rdf_deep_free(pop);
108 	}
109 
110 }
111 
112 void
113 show_current_nameservers(FILE *out, ldns_resolver *res)
114 {
115 	size_t i;
116 	fprintf(out, "Current nameservers for resolver object:\n");
117 	for (i = 0; i < ldns_resolver_nameserver_count(res); i++) {
118 		ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]);
119 		fprintf(out, "\n");
120 	}
121 }
122 
123 /*ldns_pkt **/
124 #ifdef HAVE_SSL
125 int
126 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
127                 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name
128                )
129 {
130 	ldns_resolver *res;
131 	ldns_pkt *p, *local_p;
132 	ldns_rr_list *new_nss;
133 	ldns_rr_list *ns_addr;
134 	ldns_rdf *pop;
135 	ldns_rdf **labels = NULL;
136 	ldns_status status, st;
137 	ssize_t i;
138 	size_t j;
139 	size_t k;
140 	size_t l;
141 	uint8_t labels_count;
142 
143 	/* dnssec */
144 	ldns_rr_list *key_list;
145 	ldns_rr_list *key_sig_list;
146 	ldns_rr_list *ds_list;
147 	ldns_rr_list *ds_sig_list;
148 	ldns_rr_list *correct_key_list;
149 	ldns_rr_list *trusted_ds_rrs;
150 	bool new_keys_trusted = false;
151 	ldns_rr_list *current_correct_keys;
152 	ldns_rr_list *dataset;
153 
154 	ldns_rr_list *nsec_rrs = NULL;
155 	ldns_rr_list *nsec_rr_sigs = NULL;
156 
157 	/* empty non-terminal check */
158 	bool ent;
159 
160 	/* glue handling */
161 	ldns_rr_list *new_ns_addr;
162 	ldns_rr_list *old_ns_addr;
163 	ldns_rr *ns_rr;
164 
165 	int result = 0;
166 
167 	/* printing niceness */
168 	const ldns_rr_descriptor *descriptor;
169 
170 	descriptor = ldns_rr_descript(t);
171 
172 	new_nss = NULL;
173 	ns_addr = NULL;
174 	key_list = NULL;
175 	ds_list = NULL;
176 
177 	p = NULL;
178 	local_p = NULL;
179 	res = ldns_resolver_new();
180 	key_sig_list = NULL;
181 	ds_sig_list = NULL;
182 
183 	if (!res) {
184 		error("Memory allocation failed");
185 		result = -1;
186 		return result;
187 	}
188 
189 	correct_key_list = ldns_rr_list_new();
190 	if (!correct_key_list) {
191 		error("Memory allocation failed");
192 		result = -1;
193 		return result;
194 	}
195 
196 	trusted_ds_rrs = ldns_rr_list_new();
197 	if (!trusted_ds_rrs) {
198 		error("Memory allocation failed");
199 		result = -1;
200 		return result;
201 	}
202         /* Add all preset trusted DS signatures to the list of trusted DS RRs. */
203         for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
204             ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j);
205             if (ldns_rr_get_type(one_rr)  == LDNS_RR_TYPE_DS) {
206                 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr));
207             }
208         }
209 
210 	/* transfer some properties of local_res to res */
211 	ldns_resolver_set_ip6(res,
212 			ldns_resolver_ip6(local_res));
213 	ldns_resolver_set_port(res,
214 			ldns_resolver_port(local_res));
215 	ldns_resolver_set_debug(res,
216 			ldns_resolver_debug(local_res));
217 	ldns_resolver_set_fail(res,
218 			ldns_resolver_fail(local_res));
219 	ldns_resolver_set_usevc(res,
220 			ldns_resolver_usevc(local_res));
221 	ldns_resolver_set_random(res,
222 			ldns_resolver_random(local_res));
223 	ldns_resolver_set_recursive(local_res, true);
224 
225 	ldns_resolver_set_recursive(res, false);
226 	ldns_resolver_set_dnssec_cd(res, false);
227 	ldns_resolver_set_dnssec(res, true);
228 
229 	/* setup the root nameserver in the new resolver */
230 	status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root);
231 	if (status != LDNS_STATUS_OK) {
232 		printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status));
233 		ldns_rr_list_print(stdout, global_dns_root);
234 		result = status;
235 		goto done;
236 	}
237 	labels_count = ldns_dname_label_count(name);
238 	if (start_name) {
239 		if (ldns_dname_is_subdomain(name, start_name)) {
240 			labels_count -= ldns_dname_label_count(start_name);
241 		} else {
242 			fprintf(stderr, "Error; ");
243 			ldns_rdf_print(stderr, name);
244 			fprintf(stderr, " is not a subdomain of ");
245 			ldns_rdf_print(stderr, start_name);
246 			fprintf(stderr, "\n");
247 			goto done;
248 		}
249 	}
250 	labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2);
251 	if (!labels) {
252 		goto done;
253 	}
254 	labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);
255 	labels[1] = ldns_rdf_clone(name);
256 	for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {
257 		labels[i] = ldns_dname_left_chop(labels[i - 1]);
258 	}
259 
260 	/* get the nameserver for the label
261 	 * ask: dnskey and ds for the label
262 	 */
263 	for(i = (ssize_t)labels_count + 1; i > 0; i--) {
264 		status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);
265 
266 		if (verbosity >= 5) {
267 			ldns_pkt_print(stdout, local_p);
268 		}
269 
270 		new_nss = ldns_pkt_rr_list_by_type(local_p,
271 					LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
272  		if (!new_nss) {
273 			/* if it's a delegation, servers put them in the auth section */
274 			new_nss = ldns_pkt_rr_list_by_type(local_p,
275 					LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
276 		}
277 
278 		/* if this is the final step there might not be nameserver records
279 		   of course if the data is in the apex, there are, so cover both
280 		   cases */
281 		if (new_nss || i > 1) {
282 			for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) {
283 				ns_rr = ldns_rr_list_rr(new_nss, j);
284 				pop = ldns_rr_rdf(ns_rr, 0);
285 				if (!pop) {
286 					printf("nopo\n");
287 					break;
288 				}
289 				/* retrieve it's addresses */
290 				/* trust glue? */
291 				new_ns_addr = NULL;
292 				if (ldns_dname_is_subdomain(pop, labels[i])) {
293 					new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
294 				}
295 				if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
296 					new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0);
297 				}
298 				if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
299 					new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0);
300 				}
301 
302 				if (new_ns_addr) {
303 					old_ns_addr = ns_addr;
304 					ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr);
305 					ldns_rr_list_deep_free(old_ns_addr);
306 				}
307 				ldns_rr_list_deep_free(new_ns_addr);
308 			}
309 			ldns_rr_list_deep_free(new_nss);
310 
311 			if (ns_addr) {
312 				remove_resolver_nameservers(res);
313 
314 				if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) !=
315 						LDNS_STATUS_OK) {
316 					error("Error adding new nameservers");
317 					ldns_pkt_free(local_p);
318 					goto done;
319 				}
320 				ldns_rr_list_deep_free(ns_addr);
321 			} else {
322 				status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs);
323 
324 				/* verify the nsec3 themselves*/
325 				if (verbosity >= 4) {
326 					printf("NSEC(3) Records to verify:\n");
327 					ldns_rr_list_print(stdout, nsec_rrs);
328 					printf("With signatures:\n");
329 					ldns_rr_list_print(stdout, nsec_rr_sigs);
330 					printf("correct keys:\n");
331 					ldns_rr_list_print(stdout, correct_key_list);
332 				}
333 
334 				if (status == LDNS_STATUS_OK) {
335 					if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
336 						fprintf(stdout, "%s ", TRUST);
337 						fprintf(stdout, "Existence denied: ");
338 						ldns_rdf_print(stdout, labels[i]);
339 	/*
340 						if (descriptor && descriptor->_name) {
341 							printf(" %s", descriptor->_name);
342 						} else {
343 							printf(" TYPE%u", t);
344 						}
345 	*/					fprintf(stdout, " NS\n");
346 					} else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
347 						fprintf(stdout, "%s ", SELF);
348 						fprintf(stdout, "Existence denied: ");
349 						ldns_rdf_print(stdout, labels[i]);
350 	/*
351 						if (descriptor && descriptor->_name) {
352 							printf(" %s", descriptor->_name);
353 						} else {
354 							printf(" TYPE%u", t);
355 						}
356 	*/
357 						fprintf(stdout, " NS\n");
358 					} else {
359 						fprintf(stdout, "%s ", BOGUS);
360 						result = 1;
361 						printf(";; Error verifying denial of existence for name ");
362 						ldns_rdf_print(stdout, labels[i]);
363 	/*
364 						printf(" type ");
365 						if (descriptor && descriptor->_name) {
366 							printf("%s", descriptor->_name);
367 						} else {
368 							printf("TYPE%u", t);
369 						}
370 	*/					printf("NS: %s\n", ldns_get_errorstr_by_id(st));
371 					}
372 				} else {
373 					fprintf(stdout, "%s ", BOGUS);
374 					result = 1;
375 					printf(";; Error verifying denial of existence for name ");
376 					ldns_rdf_print(stdout, labels[i]);
377 					printf("NS: %s\n", ldns_get_errorstr_by_id(status));
378 				}
379 
380 				/* there might be an empty non-terminal, in which case we need to continue */
381 				ent = false;
382 				for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) {
383 					if (ldns_dname_is_subdomain(ldns_rr_rdf(ldns_rr_list_rr(nsec_rrs, j), 0), labels[i])) {
384 						ent = true;
385 					}
386 				}
387 				if (!ent) {
388 					ldns_rr_list_deep_free(nsec_rrs);
389 					ldns_rr_list_deep_free(nsec_rr_sigs);
390 					ldns_pkt_free(local_p);
391 					goto done;
392 				} else {
393 					printf(";; There is an empty non-terminal here, continue\n");
394 					continue;
395 				}
396 			}
397 
398 			if (ldns_resolver_nameserver_count(res) == 0) {
399 				error("No nameservers found for this node");
400 				goto done;
401 			}
402 		}
403 		ldns_pkt_free(local_p);
404 
405 		fprintf(stdout, ";; Domain: ");
406 		ldns_rdf_print(stdout, labels[i]);
407 		fprintf(stdout, "\n");
408 
409 		/* retrieve keys for current domain, and verify them
410 		   if they match an already trusted DS, or if one of the
411 		   keys used to sign these is trusted, add the keys to
412 		   the trusted list */
413 		p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY);
414 		(void) get_key(p, labels[i], &key_list, &key_sig_list);
415 		if (key_sig_list) {
416 			if (key_list) {
417 				current_correct_keys = ldns_rr_list_new();
418 				if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) ==
419 						LDNS_STATUS_OK) {
420 					/* add all signed keys (don't just add current_correct, you'd miss
421 					 * the zsk's then */
422 					for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) {
423 						ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j)));
424 					}
425 
426 					/* check whether these keys were signed
427 					 * by a trusted keys. if so, these
428 					 * keys are also trusted */
429 					new_keys_trusted = false;
430 					for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
431 						for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) {
432 							if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k),
433 								    ldns_rr_list_rr(trusted_ds_rrs, j))) {
434 								new_keys_trusted = true;
435 							}
436 						}
437 					}
438 
439 					/* also all keys are trusted if one of the current correct keys is trusted */
440 					for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
441 						for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
442 							if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k),
443 								            ldns_rr_list_rr(trusted_keys, j)) == 0) {
444 								            new_keys_trusted = true;
445 							}
446 						}
447 					}
448 
449 
450 					if (new_keys_trusted) {
451 						ldns_rr_list_push_rr_list(trusted_keys, key_list);
452 						print_rr_list_abbr(stdout, key_list, TRUST);
453 						ldns_rr_list_free(key_list);
454 						key_list = NULL;
455 					} else {
456 						if (verbosity >= 2) {
457 							printf(";; Signature ok but no chain to a trusted key or ds record\n");
458 						}
459 						print_rr_list_abbr(stdout, key_list, SELF);
460 						ldns_rr_list_deep_free(key_list);
461 						key_list = NULL;
462 					}
463 				} else {
464 					print_rr_list_abbr(stdout, key_list, BOGUS);
465 					result = 2;
466 					ldns_rr_list_deep_free(key_list);
467 					key_list = NULL;
468 				}
469 				ldns_rr_list_free(current_correct_keys);
470 				current_correct_keys = NULL;
471 			} else {
472 				printf(";; No DNSKEY record found for ");
473 				ldns_rdf_print(stdout, labels[i]);
474 				printf("\n");
475 			}
476 		}
477 
478 		ldns_pkt_free(p);
479 		ldns_rr_list_deep_free(key_sig_list);
480 		key_sig_list = NULL;
481 
482 		/* check the DS records for the next child domain */
483 		if (i > 1) {
484 			p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
485 			(void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
486 			if (!ds_list) {
487 				ldns_pkt_free(p);
488 				if (ds_sig_list) {
489 					ldns_rr_list_deep_free(ds_sig_list);
490 				}
491 				p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
492 				(void) get_ds(p, NULL, &ds_list, &ds_sig_list);
493 			}
494 			if (ds_sig_list) {
495 				if (ds_list) {
496 					if (verbosity >= 4) {
497 						printf("VERIFYING:\n");
498 						printf("DS LIST:\n");
499 						ldns_rr_list_print(stdout, ds_list);
500 						printf("SIGS:\n");
501 						ldns_rr_list_print(stdout, ds_sig_list);
502 						printf("KEYS:\n");
503 						ldns_rr_list_print(stdout, correct_key_list);
504 					}
505 
506 					current_correct_keys = ldns_rr_list_new();
507 
508 					if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) ==
509 							LDNS_STATUS_OK) {
510 						/* if the ds is signed by a trusted key and a key from correct keys
511 						   matches that ds, add that key to the trusted keys */
512 						new_keys_trusted = false;
513 						if (verbosity >= 2) {
514 							printf("Checking if signing key is trusted:\n");
515 						}
516 						for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) {
517 							if (verbosity >= 2) {
518 								printf("New key: ");
519 								ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j));
520 							}
521 							for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) {
522 								if (verbosity >= 2) {
523 									printf("\tTrusted key: ");
524 									ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k));
525 								}
526 								if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j),
527 								    ldns_rr_list_rr(trusted_keys, k)) == 0) {
528 								    	if (verbosity >= 2) {
529 								    		printf("Key is now trusted!\n");
530 									}
531 									for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) {
532 										ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l)));
533 										new_keys_trusted = true;
534 									}
535 								}
536 							}
537 						}
538 						if (new_keys_trusted) {
539 							print_rr_list_abbr(stdout, ds_list, TRUST);
540 						} else {
541 							print_rr_list_abbr(stdout, ds_list, SELF);
542 						}
543 					} else {
544 						result = 3;
545 						print_rr_list_abbr(stdout, ds_list, BOGUS);
546 					}
547 
548 					ldns_rr_list_free(current_correct_keys);
549 					current_correct_keys = NULL;
550 				} else {
551 					/* wait apparently there were no keys either, go back to the ds packet */
552 					ldns_pkt_free(p);
553 					ldns_rr_list_deep_free(ds_sig_list);
554 					p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
555 					(void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
556 
557 					status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs);
558 
559 					if (verbosity >= 4) {
560 						printf("NSEC(3) Records to verify:\n");
561 						ldns_rr_list_print(stdout, nsec_rrs);
562 						printf("With signatures:\n");
563 						ldns_rr_list_print(stdout, nsec_rr_sigs);
564 						printf("correct keys:\n");
565 						ldns_rr_list_print(stdout, correct_key_list);
566 					}
567 
568 					if (status == LDNS_STATUS_OK) {
569 						if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
570 							fprintf(stdout, "%s ", TRUST);
571 							fprintf(stdout, "Existence denied: ");
572 							ldns_rdf_print(stdout, labels[i-1]);
573 							printf(" DS");
574 							fprintf(stdout, "\n");
575 						} else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
576 							fprintf(stdout, "%s ", SELF);
577 							fprintf(stdout, "Existence denied: ");
578 							ldns_rdf_print(stdout, labels[i-1]);
579 							printf(" DS");
580 							fprintf(stdout, "\n");
581 						} else {
582 							result = 4;
583 							fprintf(stdout, "%s ", BOGUS);
584 							printf("Error verifying denial of existence for ");
585 							ldns_rdf_print(stdout, labels[i-1]);
586 							printf(" DS");
587 							printf(": %s\n", ldns_get_errorstr_by_id(st));
588 						}
589 
590 
591 					} else {
592 						if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
593 							printf(";; No DS for ");
594 							ldns_rdf_print(stdout, labels[i - 1]);
595 						} else {
596 							printf("[B] Unable to verify denial of existence for ");
597 							ldns_rdf_print(stdout, labels[i - 1]);
598 							printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
599 						}
600 					}
601 					if (verbosity >= 2) {
602 						printf(";; No ds record for delegation\n");
603 					}
604 				}
605 			}
606 			ldns_rr_list_deep_free(ds_list);
607 			ldns_pkt_free(p);
608 		} else {
609 			/* if this is the last label, just verify the data and stop */
610 			p = get_dnssec_pkt(res, labels[i], t);
611 			(void) get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list);
612 			if (dataset && ldns_rr_list_rr_count(dataset) > 0) {
613 				if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) {
614 
615 					/* If this is a wildcard, you must be able to deny exact match */
616 					if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) {
617 						fprintf(stdout, "%s ", TRUST);
618 						ldns_rr_list_print(stdout, dataset);
619 					} else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) {
620 						fprintf(stdout, "%s ", SELF);
621 						ldns_rr_list_print(stdout, dataset);
622 					} else {
623 						result = 5;
624 						fprintf(stdout, "%s ", BOGUS);
625 						ldns_rr_list_print(stdout, dataset);
626 						printf(";; Error: %s\n", ldns_get_errorstr_by_id(st));
627 					}
628 				} else {
629 					fprintf(stdout, "%s ", UNSIGNED);
630 					ldns_rr_list_print(stdout, dataset);
631 				}
632 				ldns_rr_list_deep_free(dataset);
633 			} else {
634 				status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs);
635 				if (status == LDNS_STATUS_OK) {
636 					/* verify the nsec3 themselves*/
637 					if (verbosity >= 5) {
638 						printf("NSEC(3) Records to verify:\n");
639 						ldns_rr_list_print(stdout, nsec_rrs);
640 						printf("With signatures:\n");
641 						ldns_rr_list_print(stdout, nsec_rr_sigs);
642 						printf("correct keys:\n");
643 						ldns_rr_list_print(stdout, correct_key_list);
644 /*
645 						printf("trusted keys at %p:\n", trusted_keys);
646 						ldns_rr_list_print(stdout, trusted_keys);
647 */					}
648 
649 					if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
650 						fprintf(stdout, "%s ", TRUST);
651 						fprintf(stdout, "Existence denied: ");
652 						ldns_rdf_print(stdout, name);
653 						if (descriptor && descriptor->_name) {
654 							printf(" %s", descriptor->_name);
655 						} else {
656 							printf(" TYPE%u", t);
657 						}
658 						fprintf(stdout, "\n");
659 					} else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
660 						fprintf(stdout, "%s ", SELF);
661 						fprintf(stdout, "Existence denied: ");
662 						ldns_rdf_print(stdout, name);
663 						if (descriptor && descriptor->_name) {
664 							printf(" %s", descriptor->_name);
665 						} else {
666 							printf(" TYPE%u", t);
667 						}
668 						fprintf(stdout, "\n");
669 					} else {
670 						result = 6;
671 						fprintf(stdout, "%s ", BOGUS);
672 						printf("Error verifying denial of existence for ");
673 						ldns_rdf_print(stdout, name);
674 						printf(" type ");
675 						if (descriptor && descriptor->_name) {
676 							printf("%s", descriptor->_name);
677 						} else {
678 							printf("TYPE%u", t);
679 						}
680 						printf(": %s\n", ldns_get_errorstr_by_id(st));
681 					}
682 
683 					ldns_rr_list_deep_free(nsec_rrs);
684 					ldns_rr_list_deep_free(nsec_rr_sigs);
685 				} else {
686 /*
687 */
688 					if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
689 						printf("%s ", UNSIGNED);
690 						printf("No data found for: ");
691 						ldns_rdf_print(stdout, name);
692 						printf(" type ");
693 						if (descriptor && descriptor->_name) {
694 							printf("%s", descriptor->_name);
695 						} else {
696 							printf("TYPE%u", t);
697 						}
698 						printf("\n");
699 					} else {
700 						printf("[B] Unable to verify denial of existence for ");
701 						ldns_rdf_print(stdout, name);
702 						printf(" type ");
703 						if (descriptor && descriptor->_name) {
704 							printf("%s", descriptor->_name);
705 						} else {
706 							printf("TYPE%u", t);
707 						}
708 						printf("\n");
709 					}
710 
711 				}
712 			}
713 			ldns_pkt_free(p);
714 		}
715 
716 		new_nss = NULL;
717 		ns_addr = NULL;
718 		ldns_rr_list_deep_free(key_list);
719 		key_list = NULL;
720 		ldns_rr_list_deep_free(key_sig_list);
721 		key_sig_list = NULL;
722 		ds_list = NULL;
723 		ldns_rr_list_deep_free(ds_sig_list);
724 		ds_sig_list = NULL;
725 	}
726 	printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");
727 	/* verbose mode?
728 	printf("Trusted keys:\n");
729 	ldns_rr_list_print(stdout, trusted_keys);
730 	printf("trusted dss:\n");
731 	ldns_rr_list_print(stdout, trusted_ds_rrs);
732 	*/
733 
734 	done:
735 	ldns_rr_list_deep_free(trusted_ds_rrs);
736 	ldns_rr_list_deep_free(correct_key_list);
737 	ldns_resolver_deep_free(res);
738 	if (labels) {
739 		for(i = 0 ; i < (ssize_t)labels_count + 2; i++) {
740 			ldns_rdf_deep_free(labels[i]);
741 		}
742 		LDNS_FREE(labels);
743 	}
744 	return result;
745 }
746 #endif /* HAVE_SSL */
747