1 /* 2 * securechasetrace.c 3 * Where all the hard work concerning secure tracing is done 4 * 5 * (c) 2005, 2006 NLnet Labs 6 * 7 * See the file LICENSE for the license 8 * 9 */ 10 11 #include "drill.h" 12 #include <ldns/ldns.h> 13 14 #define SELF "[S]" /* self sig ok */ 15 #define TRUST "[T]" /* chain from parent */ 16 #define BOGUS "[B]" /* bogus */ 17 #define UNSIGNED "[U]" /* no relevant dnssec data found */ 18 19 #if 0 20 /* See if there is a key/ds in trusted that matches 21 * a ds in *ds. 22 */ 23 static ldns_rr_list * 24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted) 25 { 26 size_t i, j; 27 bool match; 28 ldns_rr *rr_i, *rr_j; 29 ldns_rr_list *keys; 30 31 if (!trusted || !ds) { 32 return NULL; 33 } 34 35 match = false; 36 keys = ldns_rr_list_new(); 37 if (!keys) { 38 return NULL; 39 } 40 41 if (!ds || !trusted) { 42 return NULL; 43 } 44 45 for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) { 46 rr_i = ldns_rr_list_rr(trusted, i); 47 for (j = 0; j < ldns_rr_list_rr_count(ds); j++) { 48 49 rr_j = ldns_rr_list_rr(ds, j); 50 if (ldns_rr_compare_ds(rr_i, rr_j)) { 51 match = true; 52 /* only allow unique RRs to match */ 53 ldns_rr_set_push_rr(keys, rr_i); 54 } 55 } 56 } 57 if (match) { 58 return keys; 59 } else { 60 return NULL; 61 } 62 } 63 #endif 64 65 static ldns_pkt * 66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t) 67 { 68 ldns_pkt *p = NULL; 69 p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0); 70 if (!p) { 71 return NULL; 72 } else { 73 if (verbosity >= 5) { 74 ldns_pkt_print(stdout, p); 75 } 76 return p; 77 } 78 } 79 80 #ifdef HAVE_SSL 81 /* 82 * retrieve keys for this zone 83 */ 84 static ldns_pkt_type 85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig) 86 { 87 return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig); 88 } 89 90 /* 91 * check to see if we can find a DS rrset here which we can then follow 92 */ 93 static ldns_pkt_type 94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig) 95 { 96 return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig); 97 } 98 #endif /* HAVE_SSL */ 99 100 static void 101 remove_resolver_nameservers(ldns_resolver *res) 102 { 103 ldns_rdf *pop; 104 105 /* remove the old nameserver from the resolver */ 106 while((pop = ldns_resolver_pop_nameserver(res))) { 107 ldns_rdf_deep_free(pop); 108 } 109 110 } 111 112 /*ldns_pkt **/ 113 #ifdef HAVE_SSL 114 int 115 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t, 116 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name 117 ) 118 { 119 ldns_resolver *res; 120 ldns_pkt *p, *local_p; 121 ldns_rr_list *new_nss; 122 ldns_rr_list *ns_addr; 123 ldns_rdf *pop; 124 ldns_rdf **labels = NULL; 125 ldns_status status, st; 126 ssize_t i; 127 size_t j; 128 size_t k; 129 size_t l; 130 uint8_t labels_count = 0; 131 132 /* dnssec */ 133 ldns_rr_list *key_list; 134 ldns_rr_list *key_sig_list; 135 ldns_rr_list *ds_list; 136 ldns_rr_list *ds_sig_list; 137 ldns_rr_list *correct_key_list; 138 ldns_rr_list *trusted_ds_rrs; 139 bool new_keys_trusted = false; 140 ldns_rr_list *current_correct_keys = NULL; 141 ldns_rr_list *dataset; 142 143 ldns_rr_list *nsec_rrs = NULL; 144 ldns_rr_list *nsec_rr_sigs = NULL; 145 146 /* empty non-terminal check */ 147 bool ent; 148 ldns_rr *nsecrr; /* The nsec that proofs the non-terminal */ 149 ldns_rdf *hashed_name; /* The query hashed with nsec3 params */ 150 ldns_rdf *label0; /* The first label of an nsec3 owner name */ 151 152 /* glue handling */ 153 ldns_rr_list *new_ns_addr; 154 ldns_rr_list *old_ns_addr; 155 ldns_rr *ns_rr; 156 157 int result = 0; 158 159 /* printing niceness */ 160 const ldns_rr_descriptor *descriptor; 161 162 descriptor = ldns_rr_descript(t); 163 164 new_nss = NULL; 165 ns_addr = NULL; 166 key_list = NULL; 167 ds_list = NULL; 168 169 p = NULL; 170 local_p = NULL; 171 res = ldns_resolver_new(); 172 key_sig_list = NULL; 173 ds_sig_list = NULL; 174 175 if (!res) { 176 error("Memory allocation failed"); 177 result = -1; 178 return result; 179 } 180 181 correct_key_list = ldns_rr_list_new(); 182 if (!correct_key_list) { 183 error("Memory allocation failed"); 184 result = -1; 185 return result; 186 } 187 188 trusted_ds_rrs = ldns_rr_list_new(); 189 if (!trusted_ds_rrs) { 190 error("Memory allocation failed"); 191 result = -1; 192 return result; 193 } 194 /* Add all preset trusted DS signatures to the list of trusted DS RRs. */ 195 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) { 196 ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j); 197 if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) { 198 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr)); 199 } 200 } 201 202 /* transfer some properties of local_res to res */ 203 ldns_resolver_set_ip6(res, 204 ldns_resolver_ip6(local_res)); 205 ldns_resolver_set_port(res, 206 ldns_resolver_port(local_res)); 207 ldns_resolver_set_debug(res, 208 ldns_resolver_debug(local_res)); 209 ldns_resolver_set_fail(res, 210 ldns_resolver_fail(local_res)); 211 ldns_resolver_set_usevc(res, 212 ldns_resolver_usevc(local_res)); 213 ldns_resolver_set_random(res, 214 ldns_resolver_random(local_res)); 215 ldns_resolver_set_source(res, 216 ldns_resolver_source(local_res)); 217 ldns_resolver_set_recursive(local_res, true); 218 219 ldns_resolver_set_recursive(res, false); 220 ldns_resolver_set_dnssec_cd(res, false); 221 ldns_resolver_set_dnssec(res, true); 222 223 /* setup the root nameserver in the new resolver */ 224 status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root); 225 if (status != LDNS_STATUS_OK) { 226 printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status)); 227 ldns_rr_list_print(stdout, global_dns_root); 228 result = status; 229 goto done; 230 } 231 labels_count = ldns_dname_label_count(name); 232 if (start_name) { 233 if (ldns_dname_is_subdomain(name, start_name)) { 234 labels_count -= ldns_dname_label_count(start_name); 235 } else { 236 fprintf(stderr, "Error; "); 237 ldns_rdf_print(stderr, name); 238 fprintf(stderr, " is not a subdomain of "); 239 ldns_rdf_print(stderr, start_name); 240 fprintf(stderr, "\n"); 241 goto done; 242 } 243 } 244 labels = LDNS_CALLOC(ldns_rdf*, labels_count + 2); 245 if (!labels) { 246 goto done; 247 } 248 labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR); 249 labels[1] = ldns_rdf_clone(name); 250 for(i = 2 ; i < (ssize_t)labels_count + 2; i++) { 251 labels[i] = ldns_dname_left_chop(labels[i - 1]); 252 } 253 254 /* get the nameserver for the label 255 * ask: dnskey and ds for the label 256 */ 257 for(i = (ssize_t)labels_count + 1; i > 0; i--) { 258 status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0); 259 if (status != LDNS_STATUS_OK) { 260 fprintf(stderr, "Error sending query: %s\n", ldns_get_errorstr_by_id(status)); 261 result = status; 262 goto done; 263 } 264 265 /* TODO: handle status */ 266 267 if (verbosity >= 5) { 268 ldns_pkt_print(stdout, local_p); 269 } 270 271 new_nss = ldns_pkt_rr_list_by_type(local_p, 272 LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER); 273 if (!new_nss) { 274 /* if it's a delegation, servers put them in the auth section */ 275 new_nss = ldns_pkt_rr_list_by_type(local_p, 276 LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY); 277 } 278 279 /* if this is the final step there might not be nameserver records 280 of course if the data is in the apex, there are, so cover both 281 cases */ 282 if (new_nss || i > 1) { 283 for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) { 284 ns_rr = ldns_rr_list_rr(new_nss, j); 285 pop = ldns_rr_rdf(ns_rr, 0); 286 if (!pop) { 287 printf("nopo\n"); 288 break; 289 } 290 /* retrieve it's addresses */ 291 /* trust glue? */ 292 new_ns_addr = NULL; 293 if (ldns_dname_is_subdomain(pop, labels[i])) { 294 new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL); 295 } 296 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) { 297 new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0); 298 } 299 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) { 300 new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0); 301 } 302 303 if (new_ns_addr) { 304 old_ns_addr = ns_addr; 305 ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr); 306 ldns_rr_list_deep_free(old_ns_addr); 307 } 308 ldns_rr_list_deep_free(new_ns_addr); 309 } 310 ldns_rr_list_deep_free(new_nss); 311 312 if (ns_addr) { 313 remove_resolver_nameservers(res); 314 315 if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) != 316 LDNS_STATUS_OK) { 317 error("Error adding new nameservers"); 318 ldns_pkt_free(local_p); 319 goto done; 320 } 321 ldns_rr_list_deep_free(ns_addr); 322 } else { 323 status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs); 324 325 /* verify the nsec3 themselves*/ 326 if (verbosity >= 4) { 327 printf("NSEC(3) Records to verify:\n"); 328 ldns_rr_list_print(stdout, nsec_rrs); 329 printf("With signatures:\n"); 330 ldns_rr_list_print(stdout, nsec_rr_sigs); 331 printf("correct keys:\n"); 332 ldns_rr_list_print(stdout, correct_key_list); 333 } 334 335 if (status == LDNS_STATUS_OK) { 336 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 337 fprintf(stdout, "%s ", TRUST); 338 fprintf(stdout, "Existence denied: "); 339 ldns_rdf_print(stdout, labels[i]); 340 /* 341 if (descriptor && descriptor->_name) { 342 printf(" %s", descriptor->_name); 343 } else { 344 printf(" TYPE%u", t); 345 } 346 */ fprintf(stdout, " NS\n"); 347 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 348 fprintf(stdout, "%s ", SELF); 349 fprintf(stdout, "Existence denied: "); 350 ldns_rdf_print(stdout, labels[i]); 351 /* 352 if (descriptor && descriptor->_name) { 353 printf(" %s", descriptor->_name); 354 } else { 355 printf(" TYPE%u", t); 356 } 357 */ 358 fprintf(stdout, " NS\n"); 359 } else { 360 fprintf(stdout, "%s ", BOGUS); 361 result = 1; 362 printf(";; Error verifying denial of existence for name "); 363 ldns_rdf_print(stdout, labels[i]); 364 /* 365 printf(" type "); 366 if (descriptor && descriptor->_name) { 367 printf("%s", descriptor->_name); 368 } else { 369 printf("TYPE%u", t); 370 } 371 */ printf("NS: %s\n", ldns_get_errorstr_by_id(st)); 372 } 373 } else { 374 fprintf(stdout, "%s ", BOGUS); 375 result = 1; 376 printf(";; Error verifying denial of existence for name "); 377 ldns_rdf_print(stdout, labels[i]); 378 printf("NS: %s\n", ldns_get_errorstr_by_id(status)); 379 } 380 381 /* there might be an empty non-terminal, in which case we need to continue */ 382 ent = false; 383 for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) { 384 nsecrr = ldns_rr_list_rr(nsec_rrs, j); 385 /* For NSEC when the next name is a subdomain of the question */ 386 if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC && 387 ldns_dname_is_subdomain(ldns_rr_rdf(nsecrr, 0), labels[i])) { 388 ent = true; 389 390 /* For NSEC3, the hash matches the name and the type bitmap is empty*/ 391 } else if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC3) { 392 hashed_name = ldns_nsec3_hash_name_frm_nsec3(nsecrr, labels[i]); 393 label0 = ldns_dname_label(ldns_rr_owner(nsecrr), 0); 394 if (hashed_name && label0 && 395 ldns_dname_compare(hashed_name, label0) == 0 && 396 ldns_nsec3_bitmap(nsecrr) == NULL) { 397 ent = true; 398 } 399 if (label0) { 400 LDNS_FREE(label0); 401 } 402 if (hashed_name) { 403 LDNS_FREE(hashed_name); 404 } 405 } 406 } 407 if (!ent) { 408 ldns_rr_list_deep_free(nsec_rrs); 409 ldns_rr_list_deep_free(nsec_rr_sigs); 410 ldns_pkt_free(local_p); 411 goto done; 412 } else { 413 printf(";; There is an empty non-terminal here, continue\n"); 414 continue; 415 } 416 } 417 418 if (ldns_resolver_nameserver_count(res) == 0) { 419 error("No nameservers found for this node"); 420 goto done; 421 } 422 } 423 ldns_pkt_free(local_p); 424 425 fprintf(stdout, ";; Domain: "); 426 ldns_rdf_print(stdout, labels[i]); 427 fprintf(stdout, "\n"); 428 429 /* retrieve keys for current domain, and verify them 430 if they match an already trusted DS, or if one of the 431 keys used to sign these is trusted, add the keys to 432 the trusted list */ 433 p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY); 434 (void) get_key(p, labels[i], &key_list, &key_sig_list); 435 if (key_sig_list) { 436 if (key_list) { 437 current_correct_keys = ldns_rr_list_new(); 438 if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) == 439 LDNS_STATUS_OK) { 440 /* add all signed keys (don't just add current_correct, you'd miss 441 * the zsk's then */ 442 for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) { 443 ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j))); 444 } 445 446 /* check whether these keys were signed 447 * by a trusted keys. if so, these 448 * keys are also trusted */ 449 new_keys_trusted = false; 450 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) { 451 for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) { 452 if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k), 453 ldns_rr_list_rr(trusted_ds_rrs, j))) { 454 new_keys_trusted = true; 455 } 456 } 457 } 458 459 /* also all keys are trusted if one of the current correct keys is trusted */ 460 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) { 461 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) { 462 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k), 463 ldns_rr_list_rr(trusted_keys, j)) == 0) { 464 new_keys_trusted = true; 465 } 466 } 467 } 468 469 470 if (new_keys_trusted) { 471 ldns_rr_list_push_rr_list(trusted_keys, key_list); 472 print_rr_list_abbr(stdout, key_list, TRUST); 473 ldns_rr_list_free(key_list); 474 key_list = NULL; 475 } else { 476 if (verbosity >= 2) { 477 printf(";; Signature ok but no chain to a trusted key or ds record\n"); 478 } 479 print_rr_list_abbr(stdout, key_list, SELF); 480 ldns_rr_list_deep_free(key_list); 481 key_list = NULL; 482 } 483 } else { 484 print_rr_list_abbr(stdout, key_list, BOGUS); 485 result = 2; 486 ldns_rr_list_deep_free(key_list); 487 key_list = NULL; 488 } 489 ldns_rr_list_free(current_correct_keys); 490 current_correct_keys = NULL; 491 } else { 492 printf(";; No DNSKEY record found for "); 493 ldns_rdf_print(stdout, labels[i]); 494 printf("\n"); 495 } 496 } 497 498 ldns_pkt_free(p); 499 ldns_rr_list_deep_free(key_sig_list); 500 key_sig_list = NULL; 501 502 /* check the DS records for the next child domain */ 503 if (i > 1) { 504 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); 505 (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list); 506 if (!ds_list) { 507 ldns_rr_list_deep_free(ds_sig_list); 508 (void) get_dnssec_rr( p, labels[i-1] 509 , LDNS_RR_TYPE_CNAME 510 , &ds_list, &ds_sig_list); 511 if (ds_list) { 512 st = ldns_verify( ds_list, ds_sig_list 513 , correct_key_list 514 , current_correct_keys); 515 516 if (st == LDNS_STATUS_OK) { 517 printf(";; No DS record found " 518 "for "); 519 ldns_rdf_print(stdout, 520 labels[i-1]); 521 printf(", but valid CNAME"); 522 } else { 523 printf(BOGUS " Unable to verify " 524 "denial of existence for "); 525 ldns_rdf_print(stdout, 526 labels[i-1]); 527 printf(", because of BOGUS CNAME"); 528 } 529 printf("\n"); 530 ldns_rr_list_deep_free(ds_sig_list); 531 ldns_pkt_free(p); 532 ldns_rr_list_deep_free(ds_list); 533 ds_list = NULL; 534 ds_sig_list = NULL; 535 p = NULL; 536 } else { 537 ldns_rr_list_deep_free(ds_sig_list); 538 ldns_pkt_free(p); 539 p = get_dnssec_pkt(res, name, 540 LDNS_RR_TYPE_DNSKEY); 541 (void) get_ds(p, NULL 542 , &ds_list, &ds_sig_list); 543 } 544 } 545 if (ds_sig_list) { 546 if (ds_list) { 547 if (verbosity >= 4) { 548 printf("VERIFYING:\n"); 549 printf("DS LIST:\n"); 550 ldns_rr_list_print(stdout, ds_list); 551 printf("SIGS:\n"); 552 ldns_rr_list_print(stdout, ds_sig_list); 553 printf("KEYS:\n"); 554 ldns_rr_list_print(stdout, correct_key_list); 555 } 556 557 current_correct_keys = ldns_rr_list_new(); 558 559 if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) == 560 LDNS_STATUS_OK) { 561 /* if the ds is signed by a trusted key and a key from correct keys 562 matches that ds, add that key to the trusted keys */ 563 new_keys_trusted = false; 564 if (verbosity >= 2) { 565 printf("Checking if signing key is trusted:\n"); 566 } 567 for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) { 568 if (verbosity >= 2) { 569 printf("New key: "); 570 ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j)); 571 } 572 for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) { 573 if (verbosity >= 2) { 574 printf("\tTrusted key: "); 575 ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k)); 576 } 577 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j), 578 ldns_rr_list_rr(trusted_keys, k)) == 0) { 579 if (verbosity >= 2) { 580 printf("Key is now trusted!\n"); 581 } 582 for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) { 583 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l))); 584 new_keys_trusted = true; 585 } 586 } 587 } 588 } 589 if (new_keys_trusted) { 590 print_rr_list_abbr(stdout, ds_list, TRUST); 591 } else { 592 print_rr_list_abbr(stdout, ds_list, SELF); 593 } 594 } else { 595 result = 3; 596 print_rr_list_abbr(stdout, ds_list, BOGUS); 597 } 598 599 ldns_rr_list_free(current_correct_keys); 600 current_correct_keys = NULL; 601 } else { 602 /* wait apparently there were no keys either, go back to the ds packet */ 603 ldns_pkt_free(p); 604 ldns_rr_list_deep_free(ds_sig_list); 605 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); 606 (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list); 607 608 status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs); 609 610 if (verbosity >= 4) { 611 printf("NSEC(3) Records to verify:\n"); 612 ldns_rr_list_print(stdout, nsec_rrs); 613 printf("With signatures:\n"); 614 ldns_rr_list_print(stdout, nsec_rr_sigs); 615 printf("correct keys:\n"); 616 ldns_rr_list_print(stdout, correct_key_list); 617 } 618 619 if (status == LDNS_STATUS_OK) { 620 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 621 fprintf(stdout, "%s ", TRUST); 622 fprintf(stdout, "Existence denied: "); 623 ldns_rdf_print(stdout, labels[i-1]); 624 printf(" DS"); 625 fprintf(stdout, "\n"); 626 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 627 fprintf(stdout, "%s ", SELF); 628 fprintf(stdout, "Existence denied: "); 629 ldns_rdf_print(stdout, labels[i-1]); 630 printf(" DS"); 631 fprintf(stdout, "\n"); 632 } else { 633 result = 4; 634 fprintf(stdout, "%s ", BOGUS); 635 printf("Error verifying denial of existence for "); 636 ldns_rdf_print(stdout, labels[i-1]); 637 printf(" DS"); 638 printf(": %s\n", ldns_get_errorstr_by_id(st)); 639 } 640 641 642 } else { 643 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { 644 printf(";; No DS for "); 645 ldns_rdf_print(stdout, labels[i - 1]); 646 } else { 647 printf(BOGUS " Unable to verify denial of existence for "); 648 ldns_rdf_print(stdout, labels[i - 1]); 649 printf(" DS: %s\n", ldns_get_errorstr_by_id(status)); 650 } 651 } 652 if (verbosity >= 2) { 653 printf(";; No ds record for delegation\n"); 654 } 655 } 656 } 657 ldns_rr_list_deep_free(ds_list); 658 ldns_pkt_free(p); 659 } else { 660 /* if this is the last label, just verify the data and stop */ 661 p = get_dnssec_pkt(res, labels[i], t); 662 (void) get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list); 663 if (dataset && ldns_rr_list_rr_count(dataset) > 0) { 664 if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) { 665 666 /* If this is a wildcard, you must be able to deny exact match */ 667 if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) { 668 fprintf(stdout, "%s ", TRUST); 669 ldns_rr_list_print(stdout, dataset); 670 } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) { 671 fprintf(stdout, "%s ", SELF); 672 ldns_rr_list_print(stdout, dataset); 673 } else { 674 result = 5; 675 fprintf(stdout, "%s ", BOGUS); 676 ldns_rr_list_print(stdout, dataset); 677 printf(";; Error: %s\n", ldns_get_errorstr_by_id(st)); 678 } 679 } else { 680 fprintf(stdout, "%s ", UNSIGNED); 681 ldns_rr_list_print(stdout, dataset); 682 } 683 ldns_rr_list_deep_free(dataset); 684 } else { 685 status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs); 686 if (status == LDNS_STATUS_OK) { 687 /* verify the nsec3 themselves*/ 688 if (verbosity >= 5) { 689 printf("NSEC(3) Records to verify:\n"); 690 ldns_rr_list_print(stdout, nsec_rrs); 691 printf("With signatures:\n"); 692 ldns_rr_list_print(stdout, nsec_rr_sigs); 693 printf("correct keys:\n"); 694 ldns_rr_list_print(stdout, correct_key_list); 695 /* 696 printf("trusted keys at %p:\n", trusted_keys); 697 ldns_rr_list_print(stdout, trusted_keys); 698 */ } 699 700 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 701 fprintf(stdout, "%s ", TRUST); 702 fprintf(stdout, "Existence denied: "); 703 ldns_rdf_print(stdout, name); 704 if (descriptor && descriptor->_name) { 705 printf(" %s", descriptor->_name); 706 } else { 707 printf(" TYPE%u", t); 708 } 709 fprintf(stdout, "\n"); 710 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 711 fprintf(stdout, "%s ", SELF); 712 fprintf(stdout, "Existence denied: "); 713 ldns_rdf_print(stdout, name); 714 if (descriptor && descriptor->_name) { 715 printf(" %s", descriptor->_name); 716 } else { 717 printf(" TYPE%u", t); 718 } 719 fprintf(stdout, "\n"); 720 } else { 721 result = 6; 722 fprintf(stdout, "%s ", BOGUS); 723 printf("Error verifying denial of existence for "); 724 ldns_rdf_print(stdout, name); 725 printf(" type "); 726 if (descriptor && descriptor->_name) { 727 printf("%s", descriptor->_name); 728 } else { 729 printf("TYPE%u", t); 730 } 731 printf(": %s\n", ldns_get_errorstr_by_id(st)); 732 } 733 734 ldns_rr_list_deep_free(nsec_rrs); 735 ldns_rr_list_deep_free(nsec_rr_sigs); 736 } else { 737 /* 738 */ 739 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { 740 printf("%s ", UNSIGNED); 741 printf("No data found for: "); 742 ldns_rdf_print(stdout, name); 743 printf(" type "); 744 if (descriptor && descriptor->_name) { 745 printf("%s", descriptor->_name); 746 } else { 747 printf("TYPE%u", t); 748 } 749 printf("\n"); 750 } else { 751 printf(BOGUS " Unable to verify denial of existence for "); 752 ldns_rdf_print(stdout, name); 753 printf(" type "); 754 if (descriptor && descriptor->_name) { 755 printf("%s", descriptor->_name); 756 } else { 757 printf("TYPE%u", t); 758 } 759 printf("\n"); 760 } 761 762 } 763 } 764 ldns_pkt_free(p); 765 } 766 767 new_nss = NULL; 768 ns_addr = NULL; 769 ldns_rr_list_deep_free(key_list); 770 key_list = NULL; 771 ldns_rr_list_deep_free(key_sig_list); 772 key_sig_list = NULL; 773 ds_list = NULL; 774 ldns_rr_list_deep_free(ds_sig_list); 775 ds_sig_list = NULL; 776 } 777 printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted; " UNSIGNED " unsigned\n"); 778 /* verbose mode? 779 printf("Trusted keys:\n"); 780 ldns_rr_list_print(stdout, trusted_keys); 781 printf("trusted dss:\n"); 782 ldns_rr_list_print(stdout, trusted_ds_rrs); 783 */ 784 785 done: 786 ldns_rr_list_deep_free(trusted_ds_rrs); 787 ldns_rr_list_deep_free(correct_key_list); 788 ldns_resolver_deep_free(res); 789 if (labels) { 790 for(i = 0 ; i < (ssize_t)labels_count + 2; i++) { 791 ldns_rdf_deep_free(labels[i]); 792 } 793 LDNS_FREE(labels); 794 } 795 return result; 796 } 797 #endif /* HAVE_SSL */ 798