xref: /freebsd/contrib/ldns/drill/securetrace.c (revision cfd6422a5217410fbd66f7a7a8a64d9d85e61229)
1 /*
2  * securechasetrace.c
3  * Where all the hard work concerning secure tracing is done
4  *
5  * (c) 2005, 2006 NLnet Labs
6  *
7  * See the file LICENSE for the license
8  *
9  */
10 
11 #include "drill.h"
12 #include <ldns/ldns.h>
13 
14 #define SELF "[S]"  /* self sig ok */
15 #define TRUST "[T]" /* chain from parent */
16 #define BOGUS "[B]" /* bogus */
17 #define UNSIGNED "[U]" /* no relevant dnssec data found */
18 
19 #if 0
20 /* See if there is a key/ds in trusted that matches
21  * a ds in *ds.
22  */
23 static ldns_rr_list *
24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
25 {
26 	size_t i, j;
27 	bool match;
28 	ldns_rr *rr_i, *rr_j;
29 	ldns_rr_list *keys;
30 
31 	if (!trusted || !ds) {
32 		return NULL;
33 	}
34 
35 	match = false;
36 	keys = ldns_rr_list_new();
37 	if (!keys) {
38 		return NULL;
39 	}
40 
41 	if (!ds || !trusted) {
42 		return NULL;
43 	}
44 
45 	for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) {
46 		rr_i = ldns_rr_list_rr(trusted, i);
47 		for (j = 0; j < ldns_rr_list_rr_count(ds); j++) {
48 
49 			rr_j = ldns_rr_list_rr(ds, j);
50 			if (ldns_rr_compare_ds(rr_i, rr_j)) {
51 				match = true;
52 				/* only allow unique RRs to match */
53 				ldns_rr_set_push_rr(keys, rr_i);
54 			}
55 		}
56 	}
57 	if (match) {
58 		return keys;
59 	} else {
60 		return NULL;
61 	}
62 }
63 #endif
64 
65 static ldns_pkt *
66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t)
67 {
68 	ldns_pkt *p = NULL;
69 	p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0);
70 	if (!p) {
71 		return NULL;
72 	} else {
73 		if (verbosity >= 5) {
74 			ldns_pkt_print(stdout, p);
75 		}
76 		return p;
77 	}
78 }
79 
80 #ifdef HAVE_SSL
81 /*
82  * retrieve keys for this zone
83  */
84 static ldns_pkt_type
85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
86 {
87 	return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig);
88 }
89 
90 /*
91  * check to see if we can find a DS rrset here which we can then follow
92  */
93 static ldns_pkt_type
94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
95 {
96 	return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig);
97 }
98 #endif /* HAVE_SSL */
99 
100 static void
101 remove_resolver_nameservers(ldns_resolver *res)
102 {
103 	ldns_rdf *pop;
104 
105 	/* remove the old nameserver from the resolver */
106 	while((pop = ldns_resolver_pop_nameserver(res))) {
107 		ldns_rdf_deep_free(pop);
108 	}
109 
110 }
111 
112 /*ldns_pkt **/
113 #ifdef HAVE_SSL
114 int
115 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
116                 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name
117                )
118 {
119 	ldns_resolver *res;
120 	ldns_pkt *p, *local_p;
121 	ldns_rr_list *new_nss;
122 	ldns_rr_list *ns_addr;
123 	ldns_rdf *pop;
124 	ldns_rdf **labels = NULL;
125 	ldns_status status, st;
126 	ssize_t i;
127 	size_t j;
128 	size_t k;
129 	size_t l;
130 	uint8_t labels_count = 0;
131 
132 	/* dnssec */
133 	ldns_rr_list *key_list;
134 	ldns_rr_list *key_sig_list;
135 	ldns_rr_list *ds_list;
136 	ldns_rr_list *ds_sig_list;
137 	ldns_rr_list *correct_key_list;
138 	ldns_rr_list *trusted_ds_rrs;
139 	bool new_keys_trusted = false;
140 	ldns_rr_list *current_correct_keys;
141 	ldns_rr_list *dataset;
142 
143 	ldns_rr_list *nsec_rrs = NULL;
144 	ldns_rr_list *nsec_rr_sigs = NULL;
145 
146 	/* empty non-terminal check */
147 	bool ent;
148 	ldns_rr  *nsecrr;      /* The nsec that proofs the non-terminal */
149 	ldns_rdf *hashed_name; /* The query hashed with nsec3 params */
150 	ldns_rdf *label0;      /* The first label of an nsec3 owner name */
151 
152 	/* glue handling */
153 	ldns_rr_list *new_ns_addr;
154 	ldns_rr_list *old_ns_addr;
155 	ldns_rr *ns_rr;
156 
157 	int result = 0;
158 
159 	/* printing niceness */
160 	const ldns_rr_descriptor *descriptor;
161 
162 	descriptor = ldns_rr_descript(t);
163 
164 	new_nss = NULL;
165 	ns_addr = NULL;
166 	key_list = NULL;
167 	ds_list = NULL;
168 
169 	p = NULL;
170 	local_p = NULL;
171 	res = ldns_resolver_new();
172 	key_sig_list = NULL;
173 	ds_sig_list = NULL;
174 
175 	if (!res) {
176 		error("Memory allocation failed");
177 		result = -1;
178 		return result;
179 	}
180 
181 	correct_key_list = ldns_rr_list_new();
182 	if (!correct_key_list) {
183 		error("Memory allocation failed");
184 		result = -1;
185 		return result;
186 	}
187 
188 	trusted_ds_rrs = ldns_rr_list_new();
189 	if (!trusted_ds_rrs) {
190 		error("Memory allocation failed");
191 		result = -1;
192 		return result;
193 	}
194         /* Add all preset trusted DS signatures to the list of trusted DS RRs. */
195         for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
196             ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j);
197             if (ldns_rr_get_type(one_rr)  == LDNS_RR_TYPE_DS) {
198                 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr));
199             }
200         }
201 
202 	/* transfer some properties of local_res to res */
203 	ldns_resolver_set_ip6(res,
204 			ldns_resolver_ip6(local_res));
205 	ldns_resolver_set_port(res,
206 			ldns_resolver_port(local_res));
207 	ldns_resolver_set_debug(res,
208 			ldns_resolver_debug(local_res));
209 	ldns_resolver_set_fail(res,
210 			ldns_resolver_fail(local_res));
211 	ldns_resolver_set_usevc(res,
212 			ldns_resolver_usevc(local_res));
213 	ldns_resolver_set_random(res,
214 			ldns_resolver_random(local_res));
215 	ldns_resolver_set_source(res,
216 			ldns_resolver_source(local_res));
217 	ldns_resolver_set_recursive(local_res, true);
218 
219 	ldns_resolver_set_recursive(res, false);
220 	ldns_resolver_set_dnssec_cd(res, false);
221 	ldns_resolver_set_dnssec(res, true);
222 
223 	/* setup the root nameserver in the new resolver */
224 	status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root);
225 	if (status != LDNS_STATUS_OK) {
226 		printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status));
227 		ldns_rr_list_print(stdout, global_dns_root);
228 		result = status;
229 		goto done;
230 	}
231 	labels_count = ldns_dname_label_count(name);
232 	if (start_name) {
233 		if (ldns_dname_is_subdomain(name, start_name)) {
234 			labels_count -= ldns_dname_label_count(start_name);
235 		} else {
236 			fprintf(stderr, "Error; ");
237 			ldns_rdf_print(stderr, name);
238 			fprintf(stderr, " is not a subdomain of ");
239 			ldns_rdf_print(stderr, start_name);
240 			fprintf(stderr, "\n");
241 			goto done;
242 		}
243 	}
244 	labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2);
245 	if (!labels) {
246 		goto done;
247 	}
248 	labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);
249 	labels[1] = ldns_rdf_clone(name);
250 	for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {
251 		labels[i] = ldns_dname_left_chop(labels[i - 1]);
252 	}
253 
254 	/* get the nameserver for the label
255 	 * ask: dnskey and ds for the label
256 	 */
257 	for(i = (ssize_t)labels_count + 1; i > 0; i--) {
258 		status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);
259 
260 		if (verbosity >= 5) {
261 			ldns_pkt_print(stdout, local_p);
262 		}
263 
264 		new_nss = ldns_pkt_rr_list_by_type(local_p,
265 					LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
266  		if (!new_nss) {
267 			/* if it's a delegation, servers put them in the auth section */
268 			new_nss = ldns_pkt_rr_list_by_type(local_p,
269 					LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
270 		}
271 
272 		/* if this is the final step there might not be nameserver records
273 		   of course if the data is in the apex, there are, so cover both
274 		   cases */
275 		if (new_nss || i > 1) {
276 			for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) {
277 				ns_rr = ldns_rr_list_rr(new_nss, j);
278 				pop = ldns_rr_rdf(ns_rr, 0);
279 				if (!pop) {
280 					printf("nopo\n");
281 					break;
282 				}
283 				/* retrieve it's addresses */
284 				/* trust glue? */
285 				new_ns_addr = NULL;
286 				if (ldns_dname_is_subdomain(pop, labels[i])) {
287 					new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
288 				}
289 				if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
290 					new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0);
291 				}
292 				if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
293 					new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0);
294 				}
295 
296 				if (new_ns_addr) {
297 					old_ns_addr = ns_addr;
298 					ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr);
299 					ldns_rr_list_deep_free(old_ns_addr);
300 				}
301 				ldns_rr_list_deep_free(new_ns_addr);
302 			}
303 			ldns_rr_list_deep_free(new_nss);
304 
305 			if (ns_addr) {
306 				remove_resolver_nameservers(res);
307 
308 				if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) !=
309 						LDNS_STATUS_OK) {
310 					error("Error adding new nameservers");
311 					ldns_pkt_free(local_p);
312 					goto done;
313 				}
314 				ldns_rr_list_deep_free(ns_addr);
315 			} else {
316 				status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs);
317 
318 				/* verify the nsec3 themselves*/
319 				if (verbosity >= 4) {
320 					printf("NSEC(3) Records to verify:\n");
321 					ldns_rr_list_print(stdout, nsec_rrs);
322 					printf("With signatures:\n");
323 					ldns_rr_list_print(stdout, nsec_rr_sigs);
324 					printf("correct keys:\n");
325 					ldns_rr_list_print(stdout, correct_key_list);
326 				}
327 
328 				if (status == LDNS_STATUS_OK) {
329 					if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
330 						fprintf(stdout, "%s ", TRUST);
331 						fprintf(stdout, "Existence denied: ");
332 						ldns_rdf_print(stdout, labels[i]);
333 	/*
334 						if (descriptor && descriptor->_name) {
335 							printf(" %s", descriptor->_name);
336 						} else {
337 							printf(" TYPE%u", t);
338 						}
339 	*/					fprintf(stdout, " NS\n");
340 					} else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
341 						fprintf(stdout, "%s ", SELF);
342 						fprintf(stdout, "Existence denied: ");
343 						ldns_rdf_print(stdout, labels[i]);
344 	/*
345 						if (descriptor && descriptor->_name) {
346 							printf(" %s", descriptor->_name);
347 						} else {
348 							printf(" TYPE%u", t);
349 						}
350 	*/
351 						fprintf(stdout, " NS\n");
352 					} else {
353 						fprintf(stdout, "%s ", BOGUS);
354 						result = 1;
355 						printf(";; Error verifying denial of existence for name ");
356 						ldns_rdf_print(stdout, labels[i]);
357 	/*
358 						printf(" type ");
359 						if (descriptor && descriptor->_name) {
360 							printf("%s", descriptor->_name);
361 						} else {
362 							printf("TYPE%u", t);
363 						}
364 	*/					printf("NS: %s\n", ldns_get_errorstr_by_id(st));
365 					}
366 				} else {
367 					fprintf(stdout, "%s ", BOGUS);
368 					result = 1;
369 					printf(";; Error verifying denial of existence for name ");
370 					ldns_rdf_print(stdout, labels[i]);
371 					printf("NS: %s\n", ldns_get_errorstr_by_id(status));
372 				}
373 
374 				/* there might be an empty non-terminal, in which case we need to continue */
375 				ent = false;
376 				for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) {
377 					nsecrr = ldns_rr_list_rr(nsec_rrs, j);
378 					/* For NSEC when the next name is a subdomain of the question */
379 					if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC &&
380 							ldns_dname_is_subdomain(ldns_rr_rdf(nsecrr, 0), labels[i])) {
381 						ent = true;
382 
383 					/* For NSEC3, the hash matches the name and the type bitmap is empty*/
384 					} else if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC3) {
385 						hashed_name = ldns_nsec3_hash_name_frm_nsec3(nsecrr, labels[i]);
386 						label0 = ldns_dname_label(ldns_rr_owner(nsecrr), 0);
387 						if (hashed_name && label0 &&
388 								ldns_dname_compare(hashed_name, label0) == 0 &&
389 								ldns_nsec3_bitmap(nsecrr) == NULL) {
390 							ent = true;
391 						}
392 						if (label0) {
393 							LDNS_FREE(label0);
394 						}
395 						if (hashed_name) {
396 							LDNS_FREE(hashed_name);
397 						}
398 					}
399 				}
400 				if (!ent) {
401 					ldns_rr_list_deep_free(nsec_rrs);
402 					ldns_rr_list_deep_free(nsec_rr_sigs);
403 					ldns_pkt_free(local_p);
404 					goto done;
405 				} else {
406 					printf(";; There is an empty non-terminal here, continue\n");
407 					continue;
408 				}
409 			}
410 
411 			if (ldns_resolver_nameserver_count(res) == 0) {
412 				error("No nameservers found for this node");
413 				goto done;
414 			}
415 		}
416 		ldns_pkt_free(local_p);
417 
418 		fprintf(stdout, ";; Domain: ");
419 		ldns_rdf_print(stdout, labels[i]);
420 		fprintf(stdout, "\n");
421 
422 		/* retrieve keys for current domain, and verify them
423 		   if they match an already trusted DS, or if one of the
424 		   keys used to sign these is trusted, add the keys to
425 		   the trusted list */
426 		p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY);
427 		(void) get_key(p, labels[i], &key_list, &key_sig_list);
428 		if (key_sig_list) {
429 			if (key_list) {
430 				current_correct_keys = ldns_rr_list_new();
431 				if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) ==
432 						LDNS_STATUS_OK) {
433 					/* add all signed keys (don't just add current_correct, you'd miss
434 					 * the zsk's then */
435 					for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) {
436 						ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j)));
437 					}
438 
439 					/* check whether these keys were signed
440 					 * by a trusted keys. if so, these
441 					 * keys are also trusted */
442 					new_keys_trusted = false;
443 					for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
444 						for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) {
445 							if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k),
446 								    ldns_rr_list_rr(trusted_ds_rrs, j))) {
447 								new_keys_trusted = true;
448 							}
449 						}
450 					}
451 
452 					/* also all keys are trusted if one of the current correct keys is trusted */
453 					for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
454 						for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
455 							if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k),
456 								            ldns_rr_list_rr(trusted_keys, j)) == 0) {
457 								            new_keys_trusted = true;
458 							}
459 						}
460 					}
461 
462 
463 					if (new_keys_trusted) {
464 						ldns_rr_list_push_rr_list(trusted_keys, key_list);
465 						print_rr_list_abbr(stdout, key_list, TRUST);
466 						ldns_rr_list_free(key_list);
467 						key_list = NULL;
468 					} else {
469 						if (verbosity >= 2) {
470 							printf(";; Signature ok but no chain to a trusted key or ds record\n");
471 						}
472 						print_rr_list_abbr(stdout, key_list, SELF);
473 						ldns_rr_list_deep_free(key_list);
474 						key_list = NULL;
475 					}
476 				} else {
477 					print_rr_list_abbr(stdout, key_list, BOGUS);
478 					result = 2;
479 					ldns_rr_list_deep_free(key_list);
480 					key_list = NULL;
481 				}
482 				ldns_rr_list_free(current_correct_keys);
483 				current_correct_keys = NULL;
484 			} else {
485 				printf(";; No DNSKEY record found for ");
486 				ldns_rdf_print(stdout, labels[i]);
487 				printf("\n");
488 			}
489 		}
490 
491 		ldns_pkt_free(p);
492 		ldns_rr_list_deep_free(key_sig_list);
493 		key_sig_list = NULL;
494 
495 		/* check the DS records for the next child domain */
496 		if (i > 1) {
497 			p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
498 			(void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
499 			if (!ds_list) {
500 				ldns_pkt_free(p);
501 				if (ds_sig_list) {
502 					ldns_rr_list_deep_free(ds_sig_list);
503 				}
504 				p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
505 				(void) get_ds(p, NULL, &ds_list, &ds_sig_list);
506 			}
507 			if (ds_sig_list) {
508 				if (ds_list) {
509 					if (verbosity >= 4) {
510 						printf("VERIFYING:\n");
511 						printf("DS LIST:\n");
512 						ldns_rr_list_print(stdout, ds_list);
513 						printf("SIGS:\n");
514 						ldns_rr_list_print(stdout, ds_sig_list);
515 						printf("KEYS:\n");
516 						ldns_rr_list_print(stdout, correct_key_list);
517 					}
518 
519 					current_correct_keys = ldns_rr_list_new();
520 
521 					if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) ==
522 							LDNS_STATUS_OK) {
523 						/* if the ds is signed by a trusted key and a key from correct keys
524 						   matches that ds, add that key to the trusted keys */
525 						new_keys_trusted = false;
526 						if (verbosity >= 2) {
527 							printf("Checking if signing key is trusted:\n");
528 						}
529 						for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) {
530 							if (verbosity >= 2) {
531 								printf("New key: ");
532 								ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j));
533 							}
534 							for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) {
535 								if (verbosity >= 2) {
536 									printf("\tTrusted key: ");
537 									ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k));
538 								}
539 								if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j),
540 								    ldns_rr_list_rr(trusted_keys, k)) == 0) {
541 								    	if (verbosity >= 2) {
542 								    		printf("Key is now trusted!\n");
543 									}
544 									for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) {
545 										ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l)));
546 										new_keys_trusted = true;
547 									}
548 								}
549 							}
550 						}
551 						if (new_keys_trusted) {
552 							print_rr_list_abbr(stdout, ds_list, TRUST);
553 						} else {
554 							print_rr_list_abbr(stdout, ds_list, SELF);
555 						}
556 					} else {
557 						result = 3;
558 						print_rr_list_abbr(stdout, ds_list, BOGUS);
559 					}
560 
561 					ldns_rr_list_free(current_correct_keys);
562 					current_correct_keys = NULL;
563 				} else {
564 					/* wait apparently there were no keys either, go back to the ds packet */
565 					ldns_pkt_free(p);
566 					ldns_rr_list_deep_free(ds_sig_list);
567 					p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
568 					(void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
569 
570 					status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs);
571 
572 					if (verbosity >= 4) {
573 						printf("NSEC(3) Records to verify:\n");
574 						ldns_rr_list_print(stdout, nsec_rrs);
575 						printf("With signatures:\n");
576 						ldns_rr_list_print(stdout, nsec_rr_sigs);
577 						printf("correct keys:\n");
578 						ldns_rr_list_print(stdout, correct_key_list);
579 					}
580 
581 					if (status == LDNS_STATUS_OK) {
582 						if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
583 							fprintf(stdout, "%s ", TRUST);
584 							fprintf(stdout, "Existence denied: ");
585 							ldns_rdf_print(stdout, labels[i-1]);
586 							printf(" DS");
587 							fprintf(stdout, "\n");
588 						} else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
589 							fprintf(stdout, "%s ", SELF);
590 							fprintf(stdout, "Existence denied: ");
591 							ldns_rdf_print(stdout, labels[i-1]);
592 							printf(" DS");
593 							fprintf(stdout, "\n");
594 						} else {
595 							result = 4;
596 							fprintf(stdout, "%s ", BOGUS);
597 							printf("Error verifying denial of existence for ");
598 							ldns_rdf_print(stdout, labels[i-1]);
599 							printf(" DS");
600 							printf(": %s\n", ldns_get_errorstr_by_id(st));
601 						}
602 
603 
604 					} else {
605 						if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
606 							printf(";; No DS for ");
607 							ldns_rdf_print(stdout, labels[i - 1]);
608 						} else {
609 							printf("[B] Unable to verify denial of existence for ");
610 							ldns_rdf_print(stdout, labels[i - 1]);
611 							printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
612 						}
613 					}
614 					if (verbosity >= 2) {
615 						printf(";; No ds record for delegation\n");
616 					}
617 				}
618 			}
619 			ldns_rr_list_deep_free(ds_list);
620 			ldns_pkt_free(p);
621 		} else {
622 			/* if this is the last label, just verify the data and stop */
623 			p = get_dnssec_pkt(res, labels[i], t);
624 			(void) get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list);
625 			if (dataset && ldns_rr_list_rr_count(dataset) > 0) {
626 				if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) {
627 
628 					/* If this is a wildcard, you must be able to deny exact match */
629 					if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) {
630 						fprintf(stdout, "%s ", TRUST);
631 						ldns_rr_list_print(stdout, dataset);
632 					} else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) {
633 						fprintf(stdout, "%s ", SELF);
634 						ldns_rr_list_print(stdout, dataset);
635 					} else {
636 						result = 5;
637 						fprintf(stdout, "%s ", BOGUS);
638 						ldns_rr_list_print(stdout, dataset);
639 						printf(";; Error: %s\n", ldns_get_errorstr_by_id(st));
640 					}
641 				} else {
642 					fprintf(stdout, "%s ", UNSIGNED);
643 					ldns_rr_list_print(stdout, dataset);
644 				}
645 				ldns_rr_list_deep_free(dataset);
646 			} else {
647 				status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs);
648 				if (status == LDNS_STATUS_OK) {
649 					/* verify the nsec3 themselves*/
650 					if (verbosity >= 5) {
651 						printf("NSEC(3) Records to verify:\n");
652 						ldns_rr_list_print(stdout, nsec_rrs);
653 						printf("With signatures:\n");
654 						ldns_rr_list_print(stdout, nsec_rr_sigs);
655 						printf("correct keys:\n");
656 						ldns_rr_list_print(stdout, correct_key_list);
657 /*
658 						printf("trusted keys at %p:\n", trusted_keys);
659 						ldns_rr_list_print(stdout, trusted_keys);
660 */					}
661 
662 					if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
663 						fprintf(stdout, "%s ", TRUST);
664 						fprintf(stdout, "Existence denied: ");
665 						ldns_rdf_print(stdout, name);
666 						if (descriptor && descriptor->_name) {
667 							printf(" %s", descriptor->_name);
668 						} else {
669 							printf(" TYPE%u", t);
670 						}
671 						fprintf(stdout, "\n");
672 					} else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
673 						fprintf(stdout, "%s ", SELF);
674 						fprintf(stdout, "Existence denied: ");
675 						ldns_rdf_print(stdout, name);
676 						if (descriptor && descriptor->_name) {
677 							printf(" %s", descriptor->_name);
678 						} else {
679 							printf(" TYPE%u", t);
680 						}
681 						fprintf(stdout, "\n");
682 					} else {
683 						result = 6;
684 						fprintf(stdout, "%s ", BOGUS);
685 						printf("Error verifying denial of existence for ");
686 						ldns_rdf_print(stdout, name);
687 						printf(" type ");
688 						if (descriptor && descriptor->_name) {
689 							printf("%s", descriptor->_name);
690 						} else {
691 							printf("TYPE%u", t);
692 						}
693 						printf(": %s\n", ldns_get_errorstr_by_id(st));
694 					}
695 
696 					ldns_rr_list_deep_free(nsec_rrs);
697 					ldns_rr_list_deep_free(nsec_rr_sigs);
698 				} else {
699 /*
700 */
701 					if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
702 						printf("%s ", UNSIGNED);
703 						printf("No data found for: ");
704 						ldns_rdf_print(stdout, name);
705 						printf(" type ");
706 						if (descriptor && descriptor->_name) {
707 							printf("%s", descriptor->_name);
708 						} else {
709 							printf("TYPE%u", t);
710 						}
711 						printf("\n");
712 					} else {
713 						printf("[B] Unable to verify denial of existence for ");
714 						ldns_rdf_print(stdout, name);
715 						printf(" type ");
716 						if (descriptor && descriptor->_name) {
717 							printf("%s", descriptor->_name);
718 						} else {
719 							printf("TYPE%u", t);
720 						}
721 						printf("\n");
722 					}
723 
724 				}
725 			}
726 			ldns_pkt_free(p);
727 		}
728 
729 		new_nss = NULL;
730 		ns_addr = NULL;
731 		ldns_rr_list_deep_free(key_list);
732 		key_list = NULL;
733 		ldns_rr_list_deep_free(key_sig_list);
734 		key_sig_list = NULL;
735 		ds_list = NULL;
736 		ldns_rr_list_deep_free(ds_sig_list);
737 		ds_sig_list = NULL;
738 	}
739 	printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");
740 	/* verbose mode?
741 	printf("Trusted keys:\n");
742 	ldns_rr_list_print(stdout, trusted_keys);
743 	printf("trusted dss:\n");
744 	ldns_rr_list_print(stdout, trusted_ds_rrs);
745 	*/
746 
747 	done:
748 	ldns_rr_list_deep_free(trusted_ds_rrs);
749 	ldns_rr_list_deep_free(correct_key_list);
750 	ldns_resolver_deep_free(res);
751 	if (labels) {
752 		for(i = 0 ; i < (ssize_t)labels_count + 2; i++) {
753 			ldns_rdf_deep_free(labels[i]);
754 		}
755 		LDNS_FREE(labels);
756 	}
757 	return result;
758 }
759 #endif /* HAVE_SSL */
760