1 /* 2 * validator/val_nsec.h - validator NSEC denial of existence functions. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * The functions help with NSEC checking, the different NSEC proofs 41 * for denial of existence, and proofs for presence of types. 42 */ 43 44 #ifndef VALIDATOR_VAL_NSEC_H 45 #define VALIDATOR_VAL_NSEC_H 46 #include "util/data/packed_rrset.h" 47 struct val_env; 48 struct module_env; 49 struct ub_packed_rrset_key; 50 struct reply_info; 51 struct query_info; 52 struct key_entry_key; 53 54 /** 55 * Check DS absence. 56 * There is a NODATA reply to a DS that needs checking. 57 * NSECs can prove this is not a delegation point, or successfully prove 58 * that there is no DS. Or this fails. 59 * 60 * @param env: module env for rrsig verification routines. 61 * @param ve: validator env for rrsig verification routines. 62 * @param qinfo: the DS queried for. 63 * @param rep: reply received. 64 * @param kkey: key entry to use for verification of signatures. 65 * @param proof_ttl: if secure, the TTL of how long this proof lasts. 66 * @param reason: string explaining why bogus. 67 * @return security status. 68 * SECURE: proved absence of DS. 69 * INSECURE: proved that this was not a delegation point. 70 * BOGUS: crypto bad, or no absence of DS proven. 71 * UNCHECKED: there was no way to prove anything (no NSECs, unknown algo). 72 */ 73 enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env, 74 struct val_env* ve, struct query_info* qinfo, 75 struct reply_info* rep, struct key_entry_key* kkey, 76 time_t* proof_ttl, char** reason); 77 78 /** 79 * nsec typemap check, takes an NSEC-type bitmap as argument, checks for type. 80 * @param bitmap: pointer to the bitmap part of wireformat rdata. 81 * @param len: length of the bitmap, in bytes. 82 * @param type: the type (in host order) to check for. 83 * @return true if the type bit was set in the bitmap. false if not, or 84 * if the bitmap was malformed in some way. 85 */ 86 int nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type); 87 88 /** 89 * Check if type is present in the NSEC typemap 90 * @param nsec: the nsec RRset. 91 * If there are multiple RRs, then each must have the same typemap, 92 * since the typemap represents the types at this domain node. 93 * @param type: type to check for, host order. 94 * @return true if present 95 */ 96 int nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type); 97 98 /** 99 * Determine if a NSEC proves the NOERROR/NODATA conditions. This will also 100 * handle the empty non-terminal (ENT) case and partially handle the 101 * wildcard case. If the ownername of 'nsec' is a wildcard, the validator 102 * must still be provided proof that qname did not directly exist and that 103 * the wildcard is, in fact, *.closest_encloser. 104 * 105 * @param nsec: the nsec record to check against. 106 * @param qinfo: the query info. 107 * @param wc: if the nodata is proven for a wildcard match, the wildcard 108 * closest encloser is returned, else NULL (wc is unchanged). 109 * This closest encloser must then match the nameerror given for the 110 * nextcloser of qname. 111 * @return true if NSEC proves this. 112 */ 113 int nsec_proves_nodata(struct ub_packed_rrset_key* nsec, 114 struct query_info* qinfo, uint8_t** wc); 115 116 /** 117 * Determine if the given NSEC proves a NameError (NXDOMAIN) for a given 118 * qname. 119 * 120 * @param nsec: the nsec to check 121 * @param qname: what was queried. 122 * @return true if proven. 123 */ 124 int val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, 125 uint8_t* qname); 126 127 /** 128 * Determine if the given NSEC proves a positive wildcard response. 129 * @param nsec: the nsec to check 130 * @param qinf: what was queried. 131 * @param wc: wildcard (without *. label) 132 * @return true if proven. 133 */ 134 int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec, 135 struct query_info* qinf, uint8_t* wc); 136 137 /** 138 * Determine closest encloser of a query name and the NSEC that covers it 139 * (and thus disproved it). 140 * A name error must have been proven already, otherwise this will be invalid. 141 * @param qname: the name queried for. 142 * @param nsec: the nsec RRset. 143 * @return closest encloser dname or NULL on error (bad nsec RRset). 144 */ 145 uint8_t* nsec_closest_encloser(uint8_t* qname, 146 struct ub_packed_rrset_key* nsec); 147 148 /** 149 * Determine if the given NSEC proves that a wildcard match does not exist. 150 * 151 * @param nsec: the nsec RRset. 152 * @param qname: the name queried for. 153 * @param qnamelen: length of qname. 154 * @return true if proven. 155 */ 156 int val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname, 157 size_t qnamelen); 158 159 /** 160 * Determine the DLV result, what to do with NSEC DLV reply. 161 * @param qinfo: what was queried for. 162 * @param rep: the nonpositive reply. 163 * @param nm: dlv lookup name, to adjust for new lookup name (if needed). 164 * @param nm_len: length of lookup name. 165 * @return 0 on error, 1 if a higher point is found. 166 * If the higher point is above the dlv repo anchor, the qname does 167 * not exist. 168 */ 169 int val_nsec_check_dlv(struct query_info* qinfo, 170 struct reply_info* rep, uint8_t** nm, size_t* nm_len); 171 172 /** 173 * Determine if an nsec proves an insecure delegation towards the qname. 174 * @param nsec: nsec rrset. 175 * @param qinfo: what was queries for. 176 * @return 0 if not, 1 if an NSEC that signals an insecure delegation to 177 * the qname. 178 */ 179 int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec, 180 struct query_info* qinfo); 181 182 #endif /* VALIDATOR_VAL_NSEC_H */ 183