1 /* 2 * validator/val_nsec.c - validator NSEC denial of existence functions. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * The functions help with NSEC checking, the different NSEC proofs 41 * for denial of existence, and proofs for presence of types. 42 */ 43 #include "config.h" 44 #include "validator/val_nsec.h" 45 #include "validator/val_utils.h" 46 #include "util/data/msgreply.h" 47 #include "util/data/dname.h" 48 #include "util/net_help.h" 49 #include "util/module.h" 50 #include "services/cache/rrset.h" 51 52 /** get ttl of rrset */ 53 static uint32_t 54 rrset_get_ttl(struct ub_packed_rrset_key* k) 55 { 56 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 57 return d->ttl; 58 } 59 60 int 61 nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type) 62 { 63 /* Check type present in NSEC typemap with bitmap arg */ 64 /* bitmasks for determining type-lowerbits presence */ 65 uint8_t masks[8] = {0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01}; 66 uint8_t type_window = type>>8; 67 uint8_t type_low = type&0xff; 68 uint8_t win, winlen; 69 /* read each of the type bitmap windows and see if the searched 70 * type is amongst it */ 71 while(len > 0) { 72 if(len < 3) /* bad window, at least window# winlen bitmap */ 73 return 0; 74 win = *bitmap++; 75 winlen = *bitmap++; 76 len -= 2; 77 if(len < winlen || winlen < 1 || winlen > 32) 78 return 0; /* bad window length */ 79 if(win == type_window) { 80 /* search window bitmap for the correct byte */ 81 /* mybyte is 0 if we need the first byte */ 82 size_t mybyte = type_low>>3; 83 if(winlen <= mybyte) 84 return 0; /* window too short */ 85 return (int)(bitmap[mybyte] & masks[type_low&0x7]); 86 } else { 87 /* not the window we are looking for */ 88 bitmap += winlen; 89 len -= winlen; 90 } 91 } 92 /* end of bitmap reached, no type found */ 93 return 0; 94 } 95 96 int 97 nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type) 98 { 99 struct packed_rrset_data* d = (struct packed_rrset_data*)nsec-> 100 entry.data; 101 size_t len; 102 if(!d || d->count == 0 || d->rr_len[0] < 2+1) 103 return 0; 104 len = dname_valid(d->rr_data[0]+2, d->rr_len[0]-2); 105 if(!len) 106 return 0; 107 return nsecbitmap_has_type_rdata(d->rr_data[0]+2+len, 108 d->rr_len[0]-2-len, type); 109 } 110 111 /** 112 * Get next owner name from nsec record 113 * @param nsec: the nsec RRset. 114 * If there are multiple RRs, then this will only return one of them. 115 * @param nm: the next name is returned. 116 * @param ln: length of nm is returned. 117 * @return false on a bad NSEC RR (too short, malformed dname). 118 */ 119 static int 120 nsec_get_next(struct ub_packed_rrset_key* nsec, uint8_t** nm, size_t* ln) 121 { 122 struct packed_rrset_data* d = (struct packed_rrset_data*)nsec-> 123 entry.data; 124 if(!d || d->count == 0 || d->rr_len[0] < 2+1) { 125 *nm = 0; 126 *ln = 0; 127 return 0; 128 } 129 *nm = d->rr_data[0]+2; 130 *ln = dname_valid(*nm, d->rr_len[0]-2); 131 if(!*ln) { 132 *nm = 0; 133 *ln = 0; 134 return 0; 135 } 136 return 1; 137 } 138 139 /** 140 * For an NSEC that matches the DS queried for, check absence of DS type. 141 * 142 * @param nsec: NSEC for proof, must be trusted. 143 * @param qinfo: what is queried for. 144 * @return if secure the nsec proves that no DS is present, or 145 * insecure if it proves it is not a delegation point. 146 * or bogus if something was wrong. 147 */ 148 static enum sec_status 149 val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec, 150 struct query_info* qinfo) 151 { 152 log_assert(qinfo->qtype == LDNS_RR_TYPE_DS); 153 log_assert(ntohs(nsec->rk.type) == LDNS_RR_TYPE_NSEC); 154 155 if(nsec_has_type(nsec, LDNS_RR_TYPE_SOA) && qinfo->qname_len != 1) { 156 /* SOA present means that this is the NSEC from the child, 157 * not the parent (so it is the wrong one). */ 158 return sec_status_bogus; 159 } 160 if(nsec_has_type(nsec, LDNS_RR_TYPE_DS)) { 161 /* DS present means that there should have been a positive 162 * response to the DS query, so there is something wrong. */ 163 return sec_status_bogus; 164 } 165 166 if(!nsec_has_type(nsec, LDNS_RR_TYPE_NS)) { 167 /* If there is no NS at this point at all, then this 168 * doesn't prove anything one way or the other. */ 169 return sec_status_insecure; 170 } 171 /* Otherwise, this proves no DS. */ 172 return sec_status_secure; 173 } 174 175 /** check security status from cache or verify rrset, returns true if secure */ 176 static int 177 nsec_verify_rrset(struct module_env* env, struct val_env* ve, 178 struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey, 179 char** reason, sldns_ede_code* reason_bogus, 180 struct module_qstate* qstate, char* reasonbuf, size_t reasonlen) 181 { 182 struct packed_rrset_data* d = (struct packed_rrset_data*) 183 nsec->entry.data; 184 int verified = 0; 185 if(!d) return 0; 186 if(d->security == sec_status_secure) 187 return 1; 188 rrset_check_sec_status(env->rrset_cache, nsec, *env->now); 189 if(d->security == sec_status_secure) 190 return 1; 191 d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason, 192 reason_bogus, LDNS_SECTION_AUTHORITY, qstate, &verified, 193 reasonbuf, reasonlen); 194 if(d->security == sec_status_secure) { 195 rrset_update_sec_status(env->rrset_cache, nsec, *env->now); 196 return 1; 197 } 198 return 0; 199 } 200 201 enum sec_status 202 val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve, 203 struct query_info* qinfo, struct reply_info* rep, 204 struct key_entry_key* kkey, time_t* proof_ttl, char** reason, 205 sldns_ede_code* reason_bogus, struct module_qstate* qstate, 206 char* reasonbuf, size_t reasonlen) 207 { 208 struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns( 209 rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC, 210 qinfo->qclass); 211 enum sec_status sec; 212 size_t i; 213 uint8_t* wc = NULL, *ce = NULL; 214 int valid_nsec = 0; 215 struct ub_packed_rrset_key* wc_nsec = NULL; 216 217 /* If we have a NSEC at the same name, it must prove one 218 * of two things 219 * -- 220 * 1) this is a delegation point and there is no DS 221 * 2) this is not a delegation point */ 222 if(nsec) { 223 if(!nsec_verify_rrset(env, ve, nsec, kkey, reason, 224 reason_bogus, qstate, reasonbuf, reasonlen)) { 225 verbose(VERB_ALGO, "NSEC RRset for the " 226 "referral did not verify."); 227 return sec_status_bogus; 228 } 229 sec = val_nsec_proves_no_ds(nsec, qinfo); 230 if(sec == sec_status_bogus) { 231 /* something was wrong. */ 232 *reason = "NSEC does not prove absence of DS"; 233 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 234 return sec; 235 } else if(sec == sec_status_insecure) { 236 /* this wasn't a delegation point. */ 237 return sec; 238 } else if(sec == sec_status_secure) { 239 /* this proved no DS. */ 240 *proof_ttl = ub_packed_rrset_ttl(nsec); 241 return sec; 242 } 243 /* if unchecked, fall through to next proof */ 244 } 245 246 /* Otherwise, there is no NSEC at qname. This could be an ENT. 247 * (ENT=empty non terminal). If not, this is broken. */ 248 249 /* verify NSEC rrsets in auth section */ 250 for(i=rep->an_numrrsets; i < rep->an_numrrsets+rep->ns_numrrsets; 251 i++) { 252 if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC)) 253 continue; 254 if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason, 255 reason_bogus, qstate, reasonbuf, reasonlen)) { 256 verbose(VERB_ALGO, "NSEC for empty non-terminal " 257 "did not verify."); 258 *reason = "NSEC for empty non-terminal " 259 "did not verify."; 260 return sec_status_bogus; 261 } 262 if(nsec_proves_nodata(rep->rrsets[i], qinfo, &wc)) { 263 verbose(VERB_ALGO, "NSEC for empty non-terminal " 264 "proved no DS."); 265 *proof_ttl = rrset_get_ttl(rep->rrsets[i]); 266 if(wc && dname_is_wild(rep->rrsets[i]->rk.dname)) 267 wc_nsec = rep->rrsets[i]; 268 valid_nsec = 1; 269 } 270 if(val_nsec_proves_name_error(rep->rrsets[i], qinfo->qname)) { 271 ce = nsec_closest_encloser(qinfo->qname, 272 rep->rrsets[i]); 273 } 274 } 275 if(wc && !ce) 276 valid_nsec = 0; 277 else if(wc && ce) { 278 /* ce and wc must match */ 279 if(query_dname_compare(wc, ce) != 0) 280 valid_nsec = 0; 281 else if(!wc_nsec) 282 valid_nsec = 0; 283 } 284 if(valid_nsec) { 285 if(wc) { 286 /* check if this is a delegation */ 287 *reason = "NSEC for wildcard does not prove absence of DS"; 288 return val_nsec_proves_no_ds(wc_nsec, qinfo); 289 } 290 /* valid nsec proves empty nonterminal */ 291 return sec_status_insecure; 292 } 293 294 /* NSEC proof did not conclusively point to DS or no DS */ 295 return sec_status_unchecked; 296 } 297 298 int nsec_proves_nodata(struct ub_packed_rrset_key* nsec, 299 struct query_info* qinfo, uint8_t** wc) 300 { 301 log_assert(wc); 302 if(query_dname_compare(nsec->rk.dname, qinfo->qname) != 0) { 303 uint8_t* nm; 304 size_t ln; 305 306 /* empty-non-terminal checking. 307 * Done before wildcard, because this is an exact match, 308 * and would prevent a wildcard from matching. */ 309 310 /* If the nsec is proving that qname is an ENT, the nsec owner 311 * will be less than qname, and the next name will be a child 312 * domain of the qname. */ 313 if(!nsec_get_next(nsec, &nm, &ln)) 314 return 0; /* bad nsec */ 315 if(dname_strict_subdomain_c(nm, qinfo->qname) && 316 dname_canonical_compare(nsec->rk.dname, 317 qinfo->qname) < 0) { 318 return 1; /* proves ENT */ 319 } 320 321 /* wildcard checking. */ 322 323 /* If this is a wildcard NSEC, make sure that a) it was 324 * possible to have generated qname from the wildcard and 325 * b) the type map does not contain qtype. Note that this 326 * does NOT prove that this wildcard was the applicable 327 * wildcard. */ 328 if(dname_is_wild(nsec->rk.dname)) { 329 /* the purported closest encloser. */ 330 uint8_t* ce = nsec->rk.dname; 331 size_t ce_len = nsec->rk.dname_len; 332 dname_remove_label(&ce, &ce_len); 333 334 /* The qname must be a strict subdomain of the 335 * closest encloser, for the wildcard to apply 336 */ 337 if(dname_strict_subdomain_c(qinfo->qname, ce)) { 338 /* here we have a matching NSEC for the qname, 339 * perform matching NSEC checks */ 340 if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) { 341 /* should have gotten the wildcard CNAME */ 342 return 0; 343 } 344 if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) && 345 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) { 346 /* wrong parentside (wildcard) NSEC used */ 347 return 0; 348 } 349 if(nsec_has_type(nsec, qinfo->qtype)) { 350 return 0; 351 } 352 *wc = ce; 353 return 1; 354 } 355 } else { 356 /* See if the next owner name covers a wildcard 357 * empty non-terminal. */ 358 while (dname_canonical_compare(nsec->rk.dname, nm) < 0) { 359 /* wildcard does not apply if qname below 360 * the name that exists under the '*' */ 361 if (dname_subdomain_c(qinfo->qname, nm)) 362 break; 363 /* but if it is a wildcard and qname is below 364 * it, then the wildcard applies. The wildcard 365 * is an empty nonterminal. nodata proven. */ 366 if (dname_is_wild(nm)) { 367 size_t ce_len = ln; 368 uint8_t* ce = nm; 369 dname_remove_label(&ce, &ce_len); 370 if(dname_strict_subdomain_c(qinfo->qname, ce)) { 371 *wc = ce; 372 return 1; 373 } 374 } 375 dname_remove_label(&nm, &ln); 376 } 377 } 378 379 /* Otherwise, this NSEC does not prove ENT and is not a 380 * wildcard, so it does not prove NODATA. */ 381 return 0; 382 } 383 384 /* If the qtype exists, then we should have gotten it. */ 385 if(nsec_has_type(nsec, qinfo->qtype)) { 386 return 0; 387 } 388 389 /* if the name is a CNAME node, then we should have gotten the CNAME*/ 390 if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) { 391 return 0; 392 } 393 394 /* If an NS set exists at this name, and NOT a SOA (so this is a 395 * zone cut, not a zone apex), then we should have gotten a 396 * referral (or we just got the wrong NSEC). 397 * The reverse of this check is used when qtype is DS, since that 398 * must use the NSEC from above the zone cut. */ 399 if(qinfo->qtype != LDNS_RR_TYPE_DS && 400 nsec_has_type(nsec, LDNS_RR_TYPE_NS) && 401 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) { 402 return 0; 403 } else if(qinfo->qtype == LDNS_RR_TYPE_DS && 404 nsec_has_type(nsec, LDNS_RR_TYPE_SOA) && 405 !dname_is_root(qinfo->qname)) { 406 return 0; 407 } 408 409 return 1; 410 } 411 412 int 413 val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, uint8_t* qname) 414 { 415 uint8_t* owner = nsec->rk.dname; 416 uint8_t* next; 417 size_t nlen; 418 if(!nsec_get_next(nsec, &next, &nlen)) 419 return 0; 420 421 /* If NSEC owner == qname, then this NSEC proves that qname exists. */ 422 if(query_dname_compare(qname, owner) == 0) { 423 return 0; 424 } 425 426 /* If NSEC is a parent of qname, we need to check the type map 427 * If the parent name has a DNAME or is a delegation point, then 428 * this NSEC is being misused. */ 429 if(dname_subdomain_c(qname, owner) && 430 (nsec_has_type(nsec, LDNS_RR_TYPE_DNAME) || 431 (nsec_has_type(nsec, LDNS_RR_TYPE_NS) 432 && !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) 433 )) { 434 return 0; 435 } 436 437 if(query_dname_compare(owner, next) == 0) { 438 /* this nsec is the only nsec */ 439 /* zone.name NSEC zone.name, disproves everything else */ 440 /* but only for subdomains of that zone */ 441 if(dname_strict_subdomain_c(qname, next)) 442 return 1; 443 } 444 else if(dname_canonical_compare(owner, next) > 0) { 445 /* this is the last nsec, ....(bigger) NSEC zonename(smaller) */ 446 /* the names after the last (owner) name do not exist 447 * there are no names before the zone name in the zone 448 * but the qname must be a subdomain of the zone name(next). */ 449 if(dname_canonical_compare(owner, qname) < 0 && 450 dname_strict_subdomain_c(qname, next)) 451 return 1; 452 } else { 453 /* regular NSEC, (smaller) NSEC (larger) */ 454 if(dname_canonical_compare(owner, qname) < 0 && 455 dname_canonical_compare(qname, next) < 0) { 456 return 1; 457 } 458 } 459 return 0; 460 } 461 462 int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec, 463 struct query_info* qinfo) 464 { 465 if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) && 466 !nsec_has_type(nsec, LDNS_RR_TYPE_DS) && 467 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) { 468 /* see if nsec signals an insecure delegation */ 469 if(qinfo->qtype == LDNS_RR_TYPE_DS) { 470 /* if type is DS and qname is equal to nsec, then it 471 * is an exact match nsec, result not insecure */ 472 if(dname_strict_subdomain_c(qinfo->qname, 473 nsec->rk.dname)) 474 return 1; 475 } else { 476 if(dname_subdomain_c(qinfo->qname, nsec->rk.dname)) 477 return 1; 478 } 479 } 480 return 0; 481 } 482 483 uint8_t* 484 nsec_closest_encloser(uint8_t* qname, struct ub_packed_rrset_key* nsec) 485 { 486 uint8_t* next; 487 size_t nlen; 488 uint8_t* common1, *common2; 489 if(!nsec_get_next(nsec, &next, &nlen)) 490 return NULL; 491 /* longest common with owner or next name */ 492 common1 = dname_get_shared_topdomain(nsec->rk.dname, qname); 493 common2 = dname_get_shared_topdomain(next, qname); 494 if(dname_count_labels(common1) > dname_count_labels(common2)) 495 return common1; 496 return common2; 497 } 498 499 int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec, 500 struct query_info* qinf, uint8_t* wc) 501 { 502 uint8_t* ce; 503 /* 1) prove that qname doesn't exist and 504 * 2) that the correct wildcard was used 505 * nsec has been verified already. */ 506 if(!val_nsec_proves_name_error(nsec, qinf->qname)) 507 return 0; 508 /* check wildcard name */ 509 ce = nsec_closest_encloser(qinf->qname, nsec); 510 if(!ce) 511 return 0; 512 if(query_dname_compare(wc, ce) != 0) { 513 return 0; 514 } 515 return 1; 516 } 517 518 int 519 val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname, 520 size_t qnamelen) 521 { 522 /* Determine if a NSEC record proves the non-existence of a 523 * wildcard that could have produced qname. */ 524 int labs; 525 uint8_t* ce = nsec_closest_encloser(qname, nsec); 526 uint8_t* strip; 527 size_t striplen; 528 uint8_t buf[LDNS_MAX_DOMAINLEN+3]; 529 if(!ce) 530 return 0; 531 /* we can subtract the closest encloser count - since that is the 532 * largest shared topdomain with owner and next NSEC name, 533 * because the NSEC is no proof for names shorter than the owner 534 * and next names. */ 535 labs = dname_count_labels(qname) - dname_count_labels(ce); 536 537 if(labs > 0) { 538 /* i is number of labels to strip off qname, prepend * wild */ 539 strip = qname; 540 striplen = qnamelen; 541 dname_remove_labels(&strip, &striplen, labs); 542 if(striplen > LDNS_MAX_DOMAINLEN-2) 543 return 0; /* too long to prepend wildcard */ 544 buf[0] = 1; 545 buf[1] = (uint8_t)'*'; 546 memmove(buf+2, strip, striplen); 547 if(val_nsec_proves_name_error(nsec, buf)) { 548 return 1; 549 } 550 } 551 return 0; 552 } 553