1 /* 2 * validator/val_utils.c - validator utility functions. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 */ 41 #include "config.h" 42 #include "validator/val_utils.h" 43 #include "validator/validator.h" 44 #include "validator/val_kentry.h" 45 #include "validator/val_sigcrypt.h" 46 #include "validator/val_anchor.h" 47 #include "validator/val_nsec.h" 48 #include "validator/val_neg.h" 49 #include "services/cache/rrset.h" 50 #include "services/cache/dns.h" 51 #include "util/data/msgreply.h" 52 #include "util/data/packed_rrset.h" 53 #include "util/data/dname.h" 54 #include "util/net_help.h" 55 #include "util/module.h" 56 #include "util/regional.h" 57 #include "util/config_file.h" 58 #include "sldns/wire2str.h" 59 #include "sldns/parseutil.h" 60 61 /** Maximum allowed digest match failures per DS, for DNSKEYs with the same 62 * properties */ 63 #define MAX_DS_MATCH_FAILURES 4 64 65 enum val_classification 66 val_classify_response(uint16_t query_flags, struct query_info* origqinf, 67 struct query_info* qinf, struct reply_info* rep, size_t skip) 68 { 69 int rcode = (int)FLAGS_GET_RCODE(rep->flags); 70 size_t i; 71 72 /* Normal Name Error's are easy to detect -- but don't mistake a CNAME 73 * chain ending in NXDOMAIN. */ 74 if(rcode == LDNS_RCODE_NXDOMAIN && rep->an_numrrsets == 0) 75 return VAL_CLASS_NAMEERROR; 76 77 /* check for referral: nonRD query and it looks like a nodata */ 78 if(!(query_flags&BIT_RD) && rep->an_numrrsets == 0 && 79 rcode == LDNS_RCODE_NOERROR) { 80 /* SOA record in auth indicates it is NODATA instead. 81 * All validation requiring NODATA messages have SOA in 82 * authority section. */ 83 /* uses fact that answer section is empty */ 84 int saw_ns = 0; 85 for(i=0; i<rep->ns_numrrsets; i++) { 86 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA) 87 return VAL_CLASS_NODATA; 88 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DS) 89 return VAL_CLASS_REFERRAL; 90 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS) 91 saw_ns = 1; 92 } 93 return saw_ns?VAL_CLASS_REFERRAL:VAL_CLASS_NODATA; 94 } 95 /* root referral where NS set is in the answer section */ 96 if(!(query_flags&BIT_RD) && rep->ns_numrrsets == 0 && 97 rep->an_numrrsets == 1 && rcode == LDNS_RCODE_NOERROR && 98 ntohs(rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_NS && 99 query_dname_compare(rep->rrsets[0]->rk.dname, 100 origqinf->qname) != 0) 101 return VAL_CLASS_REFERRAL; 102 103 /* dump bad messages */ 104 if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN) 105 return VAL_CLASS_UNKNOWN; 106 /* next check if the skip into the answer section shows no answer */ 107 if(skip>0 && rep->an_numrrsets <= skip) 108 return VAL_CLASS_CNAMENOANSWER; 109 110 /* Next is NODATA */ 111 if(rcode == LDNS_RCODE_NOERROR && rep->an_numrrsets == 0) 112 return VAL_CLASS_NODATA; 113 114 /* We distinguish between CNAME response and other positive/negative 115 * responses because CNAME answers require extra processing. */ 116 117 /* We distinguish between ANY and CNAME or POSITIVE because 118 * ANY responses are validated differently. */ 119 if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY) 120 return VAL_CLASS_ANY; 121 122 /* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless 123 * qtype=CNAME, this will yield a CNAME response. */ 124 for(i=skip; i<rep->an_numrrsets; i++) { 125 if(rcode == LDNS_RCODE_NOERROR && 126 ntohs(rep->rrsets[i]->rk.type) == qinf->qtype) 127 return VAL_CLASS_POSITIVE; 128 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME) 129 return VAL_CLASS_CNAME; 130 } 131 log_dns_msg("validator: error. failed to classify response message: ", 132 qinf, rep); 133 return VAL_CLASS_UNKNOWN; 134 } 135 136 /** Get signer name from RRSIG */ 137 static void 138 rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen) 139 { 140 /* RRSIG rdata is not allowed to be compressed, it is stored 141 * uncompressed in memory as well, so return a ptr to the name */ 142 if(len < 21) { 143 /* too short RRSig: 144 * short, byte, byte, long, long, long, short, "." is 145 * 2 1 1 4 4 4 2 1 = 19 146 * and a skip of 18 bytes to the name. 147 * +2 for the rdatalen is 21 bytes len for root label */ 148 *sname = NULL; 149 *slen = 0; 150 return; 151 } 152 data += 20; /* skip the fixed size bits */ 153 len -= 20; 154 *slen = dname_valid(data, len); 155 if(!*slen) { 156 /* bad dname in this rrsig. */ 157 *sname = NULL; 158 return; 159 } 160 *sname = data; 161 } 162 163 void 164 val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname, 165 size_t* slen) 166 { 167 struct packed_rrset_data* d = (struct packed_rrset_data*) 168 rrset->entry.data; 169 /* return signer for first signature, or NULL */ 170 if(d->rrsig_count == 0) { 171 *sname = NULL; 172 *slen = 0; 173 return; 174 } 175 /* get rrsig signer name out of the signature */ 176 rrsig_get_signer(d->rr_data[d->count], d->rr_len[d->count], 177 sname, slen); 178 } 179 180 /** 181 * Find best signer name in this set of rrsigs. 182 * @param rrset: which rrsigs to look through. 183 * @param qinf: the query name that needs validation. 184 * @param signer_name: the best signer_name. Updated if a better one is found. 185 * @param signer_len: length of signer name. 186 * @param matchcount: count of current best name (starts at 0 for no match). 187 * Updated if match is improved. 188 */ 189 static void 190 val_find_best_signer(struct ub_packed_rrset_key* rrset, 191 struct query_info* qinf, uint8_t** signer_name, size_t* signer_len, 192 int* matchcount) 193 { 194 struct packed_rrset_data* d = (struct packed_rrset_data*) 195 rrset->entry.data; 196 uint8_t* sign; 197 size_t i; 198 int m; 199 for(i=d->count; i<d->count+d->rrsig_count; i++) { 200 sign = d->rr_data[i]+2+18; 201 /* look at signatures that are valid (long enough), 202 * and have a signer name that is a superdomain of qname, 203 * and then check the number of labels in the shared topdomain 204 * improve the match if possible */ 205 if(d->rr_len[i] > 2+19 && /* rdata, sig + root label*/ 206 dname_subdomain_c(qinf->qname, sign)) { 207 (void)dname_lab_cmp(qinf->qname, 208 dname_count_labels(qinf->qname), 209 sign, dname_count_labels(sign), &m); 210 if(m > *matchcount) { 211 *matchcount = m; 212 *signer_name = sign; 213 (void)dname_count_size_labels(*signer_name, 214 signer_len); 215 } 216 } 217 } 218 } 219 220 void 221 val_find_signer(enum val_classification subtype, struct query_info* qinf, 222 struct reply_info* rep, size_t skip, uint8_t** signer_name, 223 size_t* signer_len) 224 { 225 size_t i; 226 227 if(subtype == VAL_CLASS_POSITIVE) { 228 /* check for the answer rrset */ 229 for(i=skip; i<rep->an_numrrsets; i++) { 230 if(query_dname_compare(qinf->qname, 231 rep->rrsets[i]->rk.dname) == 0) { 232 val_find_rrset_signer(rep->rrsets[i], 233 signer_name, signer_len); 234 return; 235 } 236 } 237 *signer_name = NULL; 238 *signer_len = 0; 239 } else if(subtype == VAL_CLASS_CNAME) { 240 /* check for the first signed cname/dname rrset */ 241 for(i=skip; i<rep->an_numrrsets; i++) { 242 val_find_rrset_signer(rep->rrsets[i], 243 signer_name, signer_len); 244 if(*signer_name) 245 return; 246 if(ntohs(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_DNAME) 247 break; /* only check CNAME after a DNAME */ 248 } 249 *signer_name = NULL; 250 *signer_len = 0; 251 } else if(subtype == VAL_CLASS_NAMEERROR 252 || subtype == VAL_CLASS_NODATA) { 253 /*Check to see if the AUTH section NSEC record(s) have rrsigs*/ 254 for(i=rep->an_numrrsets; i< 255 rep->an_numrrsets+rep->ns_numrrsets; i++) { 256 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC 257 || ntohs(rep->rrsets[i]->rk.type) == 258 LDNS_RR_TYPE_NSEC3) { 259 val_find_rrset_signer(rep->rrsets[i], 260 signer_name, signer_len); 261 return; 262 } 263 } 264 } else if(subtype == VAL_CLASS_CNAMENOANSWER) { 265 /* find closest superdomain signer name in authority section 266 * NSEC and NSEC3s */ 267 int matchcount = 0; 268 *signer_name = NULL; 269 *signer_len = 0; 270 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep-> 271 ns_numrrsets; i++) { 272 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC 273 || ntohs(rep->rrsets[i]->rk.type) == 274 LDNS_RR_TYPE_NSEC3) { 275 val_find_best_signer(rep->rrsets[i], qinf, 276 signer_name, signer_len, &matchcount); 277 } 278 } 279 } else if(subtype == VAL_CLASS_ANY) { 280 /* check for one of the answer rrset that has signatures, 281 * or potentially a DNAME is in use with a different qname */ 282 for(i=skip; i<rep->an_numrrsets; i++) { 283 if(query_dname_compare(qinf->qname, 284 rep->rrsets[i]->rk.dname) == 0) { 285 val_find_rrset_signer(rep->rrsets[i], 286 signer_name, signer_len); 287 if(*signer_name) 288 return; 289 } 290 } 291 /* no answer RRSIGs with qname, try a DNAME */ 292 if(skip < rep->an_numrrsets && 293 ntohs(rep->rrsets[skip]->rk.type) == 294 LDNS_RR_TYPE_DNAME) { 295 val_find_rrset_signer(rep->rrsets[skip], 296 signer_name, signer_len); 297 if(*signer_name) 298 return; 299 } 300 *signer_name = NULL; 301 *signer_len = 0; 302 } else if(subtype == VAL_CLASS_REFERRAL) { 303 /* find keys for the item at skip */ 304 if(skip < rep->rrset_count) { 305 val_find_rrset_signer(rep->rrsets[skip], 306 signer_name, signer_len); 307 return; 308 } 309 *signer_name = NULL; 310 *signer_len = 0; 311 } else { 312 verbose(VERB_QUERY, "find_signer: could not find signer name" 313 " for unknown type response"); 314 *signer_name = NULL; 315 *signer_len = 0; 316 } 317 } 318 319 /** return number of rrs in an rrset */ 320 static size_t 321 rrset_get_count(struct ub_packed_rrset_key* rrset) 322 { 323 struct packed_rrset_data* d = (struct packed_rrset_data*) 324 rrset->entry.data; 325 if(!d) return 0; 326 return d->count; 327 } 328 329 /** return TTL of rrset */ 330 static uint32_t 331 rrset_get_ttl(struct ub_packed_rrset_key* rrset) 332 { 333 struct packed_rrset_data* d = (struct packed_rrset_data*) 334 rrset->entry.data; 335 if(!d) return 0; 336 return d->ttl; 337 } 338 339 static enum sec_status 340 val_verify_rrset(struct module_env* env, struct val_env* ve, 341 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys, 342 uint8_t* sigalg, char** reason, sldns_ede_code *reason_bogus, 343 sldns_pkt_section section, struct module_qstate* qstate, 344 int *verified) 345 { 346 enum sec_status sec; 347 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> 348 entry.data; 349 if(d->security == sec_status_secure) { 350 /* re-verify all other statuses, because keyset may change*/ 351 log_nametypeclass(VERB_ALGO, "verify rrset cached", 352 rrset->rk.dname, ntohs(rrset->rk.type), 353 ntohs(rrset->rk.rrset_class)); 354 *verified = 0; 355 return d->security; 356 } 357 /* check in the cache if verification has already been done */ 358 rrset_check_sec_status(env->rrset_cache, rrset, *env->now); 359 if(d->security == sec_status_secure) { 360 log_nametypeclass(VERB_ALGO, "verify rrset from cache", 361 rrset->rk.dname, ntohs(rrset->rk.type), 362 ntohs(rrset->rk.rrset_class)); 363 *verified = 0; 364 return d->security; 365 } 366 log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname, 367 ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class)); 368 sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason, 369 reason_bogus, section, qstate, verified); 370 verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec)); 371 regional_free_all(env->scratch); 372 373 /* update rrset security status 374 * only improves security status 375 * and bogus is set only once, even if we rechecked the status */ 376 if(sec > d->security) { 377 d->security = sec; 378 if(sec == sec_status_secure) 379 d->trust = rrset_trust_validated; 380 else if(sec == sec_status_bogus) { 381 size_t i; 382 /* update ttl for rrset to fixed value. */ 383 d->ttl = ve->bogus_ttl; 384 for(i=0; i<d->count+d->rrsig_count; i++) 385 d->rr_ttl[i] = ve->bogus_ttl; 386 /* leave RR specific TTL: not used for determine 387 * if RRset timed out and clients see proper value. */ 388 lock_basic_lock(&ve->bogus_lock); 389 ve->num_rrset_bogus++; 390 lock_basic_unlock(&ve->bogus_lock); 391 } 392 /* if status updated - store in cache for reuse */ 393 rrset_update_sec_status(env->rrset_cache, rrset, *env->now); 394 } 395 396 return sec; 397 } 398 399 enum sec_status 400 val_verify_rrset_entry(struct module_env* env, struct val_env* ve, 401 struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey, 402 char** reason, sldns_ede_code *reason_bogus, 403 sldns_pkt_section section, struct module_qstate* qstate, 404 int* verified) 405 { 406 /* temporary dnskey rrset-key */ 407 struct ub_packed_rrset_key dnskey; 408 struct key_entry_data* kd = (struct key_entry_data*)kkey->entry.data; 409 enum sec_status sec; 410 dnskey.rk.type = htons(kd->rrset_type); 411 dnskey.rk.rrset_class = htons(kkey->key_class); 412 dnskey.rk.flags = 0; 413 dnskey.rk.dname = kkey->name; 414 dnskey.rk.dname_len = kkey->namelen; 415 dnskey.entry.key = &dnskey; 416 dnskey.entry.data = kd->rrset_data; 417 sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason, 418 reason_bogus, section, qstate, verified); 419 return sec; 420 } 421 422 /** verify that a DS RR hashes to a key and that key signs the set */ 423 static enum sec_status 424 verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve, 425 struct ub_packed_rrset_key* dnskey_rrset, 426 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason, 427 sldns_ede_code *reason_bogus, struct module_qstate* qstate) 428 { 429 enum sec_status sec = sec_status_bogus; 430 size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0; 431 num = rrset_get_count(dnskey_rrset); 432 for(i=0; i<num; i++) { 433 /* Skip DNSKEYs that don't match the basic criteria. */ 434 if(ds_get_key_algo(ds_rrset, ds_idx) 435 != dnskey_get_algo(dnskey_rrset, i) 436 || dnskey_calc_keytag(dnskey_rrset, i) 437 != ds_get_keytag(ds_rrset, ds_idx)) { 438 continue; 439 } 440 numchecked++; 441 verbose(VERB_ALGO, "attempt DS match algo %d keytag %d", 442 ds_get_key_algo(ds_rrset, ds_idx), 443 ds_get_keytag(ds_rrset, ds_idx)); 444 445 /* Convert the candidate DNSKEY into a hash using the 446 * same DS hash algorithm. */ 447 if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset, 448 ds_idx)) { 449 verbose(VERB_ALGO, "DS match attempt failed"); 450 if(numchecked > numhashok + MAX_DS_MATCH_FAILURES) { 451 verbose(VERB_ALGO, "DS match attempt reached " 452 "MAX_DS_MATCH_FAILURES (%d); bogus", 453 MAX_DS_MATCH_FAILURES); 454 return sec_status_bogus; 455 } 456 continue; 457 } 458 numhashok++; 459 if(!dnskey_size_is_supported(dnskey_rrset, i)) { 460 verbose(VERB_ALGO, "DS okay but that DNSKEY size is not supported"); 461 numsizesupp++; 462 continue; 463 } 464 verbose(VERB_ALGO, "DS match digest ok, trying signature"); 465 466 /* Otherwise, we have a match! Make sure that the DNSKEY 467 * verifies *with this key* */ 468 sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, 469 i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate); 470 if(sec == sec_status_secure) { 471 return sec; 472 } 473 /* If it didn't validate with the DNSKEY, try the next one! */ 474 } 475 if(numsizesupp != 0 || sec == sec_status_indeterminate) { 476 /* there is a working DS, but that DNSKEY is not supported */ 477 return sec_status_insecure; 478 } 479 if(numchecked == 0) 480 algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx), 481 reason, "no keys have a DS"); 482 else if(numhashok == 0) 483 *reason = "DS hash mismatches key"; 484 else if(!*reason) 485 *reason = "keyset not secured by DNSKEY that matches DS"; 486 return sec_status_bogus; 487 } 488 489 int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset) 490 { 491 size_t i, num = rrset_get_count(ds_rrset); 492 int d, digest_algo = 0; /* DS digest algo 0 is not used. */ 493 /* find favorite algo, for now, highest number supported */ 494 for(i=0; i<num; i++) { 495 if(!ds_digest_algo_is_supported(ds_rrset, i) || 496 !ds_key_algo_is_supported(ds_rrset, i)) { 497 continue; 498 } 499 d = ds_get_digest_algo(ds_rrset, i); 500 if(d > digest_algo) 501 digest_algo = d; 502 } 503 return digest_algo; 504 } 505 506 enum sec_status 507 val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve, 508 struct ub_packed_rrset_key* dnskey_rrset, 509 struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason, 510 sldns_ede_code *reason_bogus, struct module_qstate* qstate) 511 { 512 /* as long as this is false, we can consider this DS rrset to be 513 * equivalent to no DS rrset. */ 514 int has_useful_ds = 0, digest_algo, alg; 515 struct algo_needs needs; 516 size_t i, num; 517 enum sec_status sec; 518 519 if(dnskey_rrset->rk.dname_len != ds_rrset->rk.dname_len || 520 query_dname_compare(dnskey_rrset->rk.dname, ds_rrset->rk.dname) 521 != 0) { 522 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset " 523 "by name"); 524 *reason = "DNSKEY RRset did not match DS RRset by name"; 525 return sec_status_bogus; 526 } 527 528 if(sigalg) { 529 /* harden against algo downgrade is enabled */ 530 digest_algo = val_favorite_ds_algo(ds_rrset); 531 algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg); 532 } else { 533 /* accept any key algo, any digest algo */ 534 digest_algo = -1; 535 } 536 num = rrset_get_count(ds_rrset); 537 for(i=0; i<num; i++) { 538 /* Check to see if we can understand this DS. 539 * And check it is the strongest digest */ 540 if(!ds_digest_algo_is_supported(ds_rrset, i) || 541 !ds_key_algo_is_supported(ds_rrset, i) || 542 (sigalg && (ds_get_digest_algo(ds_rrset, i) != digest_algo))) { 543 continue; 544 } 545 546 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, 547 ds_rrset, i, reason, reason_bogus, qstate); 548 if(sec == sec_status_insecure) 549 continue; 550 551 /* Once we see a single DS with a known digestID and 552 * algorithm, we cannot return INSECURE (with a 553 * "null" KeyEntry). */ 554 has_useful_ds = 1; 555 556 if(sec == sec_status_secure) { 557 if(!sigalg || algo_needs_set_secure(&needs, 558 (uint8_t)ds_get_key_algo(ds_rrset, i))) { 559 verbose(VERB_ALGO, "DS matched DNSKEY."); 560 if(!dnskeyset_size_is_supported(dnskey_rrset)) { 561 verbose(VERB_ALGO, "DS works, but dnskeyset contain keys that are unsupported, treat as insecure"); 562 return sec_status_insecure; 563 } 564 return sec_status_secure; 565 } 566 } else if(sigalg && sec == sec_status_bogus) { 567 algo_needs_set_bogus(&needs, 568 (uint8_t)ds_get_key_algo(ds_rrset, i)); 569 } 570 } 571 572 /* None of the DS's worked out. */ 573 574 /* If no DSs were understandable, then this is OK. */ 575 if(!has_useful_ds) { 576 verbose(VERB_ALGO, "No usable DS records were found -- " 577 "treating as insecure."); 578 return sec_status_insecure; 579 } 580 /* If any were understandable, then it is bad. */ 581 verbose(VERB_QUERY, "Failed to match any usable DS to a DNSKEY."); 582 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) { 583 algo_needs_reason(env, alg, reason, "missing verification of " 584 "DNSKEY signature"); 585 } 586 return sec_status_bogus; 587 } 588 589 struct key_entry_key* 590 val_verify_new_DNSKEYs(struct regional* region, struct module_env* env, 591 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 592 struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason, 593 sldns_ede_code *reason_bogus, struct module_qstate* qstate) 594 { 595 uint8_t sigalg[ALGO_NEEDS_MAX+1]; 596 enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve, 597 dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason, 598 reason_bogus, qstate); 599 600 if(sec == sec_status_secure) { 601 return key_entry_create_rrset(region, 602 ds_rrset->rk.dname, ds_rrset->rk.dname_len, 603 ntohs(ds_rrset->rk.rrset_class), dnskey_rrset, 604 downprot?sigalg:NULL, LDNS_EDE_NONE, NULL, 605 *env->now); 606 } else if(sec == sec_status_insecure) { 607 return key_entry_create_null(region, ds_rrset->rk.dname, 608 ds_rrset->rk.dname_len, 609 ntohs(ds_rrset->rk.rrset_class), 610 rrset_get_ttl(ds_rrset), *reason_bogus, *reason, 611 *env->now); 612 } 613 return key_entry_create_bad(region, ds_rrset->rk.dname, 614 ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class), 615 BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now); 616 } 617 618 enum sec_status 619 val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve, 620 struct ub_packed_rrset_key* dnskey_rrset, 621 struct ub_packed_rrset_key* ta_ds, 622 struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason, 623 sldns_ede_code *reason_bogus, struct module_qstate* qstate) 624 { 625 /* as long as this is false, we can consider this anchor to be 626 * equivalent to no anchor. */ 627 int has_useful_ta = 0, digest_algo = 0, alg; 628 struct algo_needs needs; 629 size_t i, num; 630 enum sec_status sec; 631 632 if(ta_ds && (dnskey_rrset->rk.dname_len != ta_ds->rk.dname_len || 633 query_dname_compare(dnskey_rrset->rk.dname, ta_ds->rk.dname) 634 != 0)) { 635 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset " 636 "by name"); 637 *reason = "DNSKEY RRset did not match DS RRset by name"; 638 if(reason_bogus) 639 *reason_bogus = LDNS_EDE_DNSKEY_MISSING; 640 return sec_status_bogus; 641 } 642 if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len 643 || query_dname_compare(dnskey_rrset->rk.dname, ta_dnskey->rk.dname) 644 != 0)) { 645 verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset " 646 "by name"); 647 *reason = "DNSKEY RRset did not match anchor RRset by name"; 648 if(reason_bogus) 649 *reason_bogus = LDNS_EDE_DNSKEY_MISSING; 650 return sec_status_bogus; 651 } 652 653 if(ta_ds) 654 digest_algo = val_favorite_ds_algo(ta_ds); 655 if(sigalg) { 656 if(ta_ds) 657 algo_needs_init_ds(&needs, ta_ds, digest_algo, sigalg); 658 else memset(&needs, 0, sizeof(needs)); 659 if(ta_dnskey) 660 algo_needs_init_dnskey_add(&needs, ta_dnskey, sigalg); 661 } 662 if(ta_ds) { 663 num = rrset_get_count(ta_ds); 664 for(i=0; i<num; i++) { 665 /* Check to see if we can understand this DS. 666 * And check it is the strongest digest */ 667 if(!ds_digest_algo_is_supported(ta_ds, i) || 668 !ds_key_algo_is_supported(ta_ds, i) || 669 ds_get_digest_algo(ta_ds, i) != digest_algo) 670 continue; 671 672 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, 673 ta_ds, i, reason, reason_bogus, qstate); 674 if(sec == sec_status_insecure) 675 continue; 676 677 /* Once we see a single DS with a known digestID and 678 * algorithm, we cannot return INSECURE (with a 679 * "null" KeyEntry). */ 680 has_useful_ta = 1; 681 682 if(sec == sec_status_secure) { 683 if(!sigalg || algo_needs_set_secure(&needs, 684 (uint8_t)ds_get_key_algo(ta_ds, i))) { 685 verbose(VERB_ALGO, "DS matched DNSKEY."); 686 if(!dnskeyset_size_is_supported(dnskey_rrset)) { 687 verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure"); 688 return sec_status_insecure; 689 } 690 return sec_status_secure; 691 } 692 } else if(sigalg && sec == sec_status_bogus) { 693 algo_needs_set_bogus(&needs, 694 (uint8_t)ds_get_key_algo(ta_ds, i)); 695 } 696 } 697 } 698 699 /* None of the DS's worked out: check the DNSKEYs. */ 700 if(ta_dnskey) { 701 num = rrset_get_count(ta_dnskey); 702 for(i=0; i<num; i++) { 703 /* Check to see if we can understand this DNSKEY */ 704 if(!dnskey_algo_is_supported(ta_dnskey, i)) 705 continue; 706 if(!dnskey_size_is_supported(ta_dnskey, i)) 707 continue; 708 709 /* we saw a useful TA */ 710 has_useful_ta = 1; 711 712 sec = dnskey_verify_rrset(env, ve, dnskey_rrset, 713 ta_dnskey, i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate); 714 if(sec == sec_status_secure) { 715 if(!sigalg || algo_needs_set_secure(&needs, 716 (uint8_t)dnskey_get_algo(ta_dnskey, i))) { 717 verbose(VERB_ALGO, "anchor matched DNSKEY."); 718 if(!dnskeyset_size_is_supported(dnskey_rrset)) { 719 verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure"); 720 return sec_status_insecure; 721 } 722 return sec_status_secure; 723 } 724 } else if(sigalg && sec == sec_status_bogus) { 725 algo_needs_set_bogus(&needs, 726 (uint8_t)dnskey_get_algo(ta_dnskey, i)); 727 } 728 } 729 } 730 731 /* If no DSs were understandable, then this is OK. */ 732 if(!has_useful_ta) { 733 verbose(VERB_ALGO, "No usable trust anchors were found -- " 734 "treating as insecure."); 735 return sec_status_insecure; 736 } 737 /* If any were understandable, then it is bad. */ 738 verbose(VERB_QUERY, "Failed to match any usable anchor to a DNSKEY."); 739 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) { 740 algo_needs_reason(env, alg, reason, "missing verification of " 741 "DNSKEY signature"); 742 } 743 return sec_status_bogus; 744 } 745 746 struct key_entry_key* 747 val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env, 748 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 749 struct ub_packed_rrset_key* ta_ds_rrset, 750 struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot, 751 char** reason, sldns_ede_code *reason_bogus, struct module_qstate* qstate) 752 { 753 uint8_t sigalg[ALGO_NEEDS_MAX+1]; 754 enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, 755 dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset, 756 downprot?sigalg:NULL, reason, reason_bogus, qstate); 757 758 if(sec == sec_status_secure) { 759 return key_entry_create_rrset(region, 760 dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len, 761 ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset, 762 downprot?sigalg:NULL, LDNS_EDE_NONE, NULL, *env->now); 763 } else if(sec == sec_status_insecure) { 764 return key_entry_create_null(region, dnskey_rrset->rk.dname, 765 dnskey_rrset->rk.dname_len, 766 ntohs(dnskey_rrset->rk.rrset_class), 767 rrset_get_ttl(dnskey_rrset), *reason_bogus, *reason, 768 *env->now); 769 } 770 return key_entry_create_bad(region, dnskey_rrset->rk.dname, 771 dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class), 772 BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now); 773 } 774 775 int 776 val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset) 777 { 778 size_t i; 779 for(i=0; i<rrset_get_count(ds_rrset); i++) { 780 if(ds_digest_algo_is_supported(ds_rrset, i) && 781 ds_key_algo_is_supported(ds_rrset, i)) 782 return 1; 783 } 784 if(verbosity < VERB_ALGO) 785 return 0; 786 if(rrset_get_count(ds_rrset) == 0) 787 verbose(VERB_ALGO, "DS is not usable"); 788 else { 789 /* report usability for the first DS RR */ 790 sldns_lookup_table *lt; 791 char herr[64], aerr[64]; 792 lt = sldns_lookup_by_id(sldns_hashes, 793 (int)ds_get_digest_algo(ds_rrset, 0)); 794 if(lt) snprintf(herr, sizeof(herr), "%s", lt->name); 795 else snprintf(herr, sizeof(herr), "%d", 796 (int)ds_get_digest_algo(ds_rrset, 0)); 797 lt = sldns_lookup_by_id(sldns_algorithms, 798 (int)ds_get_key_algo(ds_rrset, 0)); 799 if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name); 800 else snprintf(aerr, sizeof(aerr), "%d", 801 (int)ds_get_key_algo(ds_rrset, 0)); 802 803 verbose(VERB_ALGO, "DS unsupported, hash %s %s, " 804 "key algorithm %s %s", herr, 805 (ds_digest_algo_is_supported(ds_rrset, 0)? 806 "(supported)":"(unsupported)"), aerr, 807 (ds_key_algo_is_supported(ds_rrset, 0)? 808 "(supported)":"(unsupported)")); 809 } 810 return 0; 811 } 812 813 /** get label count for a signature */ 814 static uint8_t 815 rrsig_get_labcount(struct packed_rrset_data* d, size_t sig) 816 { 817 if(d->rr_len[sig] < 2+4) 818 return 0; /* bad sig length */ 819 return d->rr_data[sig][2+3]; 820 } 821 822 int 823 val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc, 824 size_t* wc_len) 825 { 826 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> 827 entry.data; 828 uint8_t labcount; 829 int labdiff; 830 uint8_t* wn; 831 size_t i, wl; 832 if(d->rrsig_count == 0) { 833 return 1; 834 } 835 labcount = rrsig_get_labcount(d, d->count + 0); 836 /* check rest of signatures identical */ 837 for(i=1; i<d->rrsig_count; i++) { 838 if(labcount != rrsig_get_labcount(d, d->count + i)) { 839 return 0; 840 } 841 } 842 /* OK the rrsigs check out */ 843 /* if the RRSIG label count is shorter than the number of actual 844 * labels, then this rrset was synthesized from a wildcard. 845 * Note that the RRSIG label count doesn't count the root label. */ 846 wn = rrset->rk.dname; 847 wl = rrset->rk.dname_len; 848 /* skip a leading wildcard label in the dname (RFC4035 2.2) */ 849 if(dname_is_wild(wn)) { 850 wn += 2; 851 wl -= 2; 852 } 853 labdiff = (dname_count_labels(wn) - 1) - (int)labcount; 854 if(labdiff > 0) { 855 *wc = wn; 856 dname_remove_labels(wc, &wl, labdiff); 857 *wc_len = wl; 858 return 1; 859 } 860 return 1; 861 } 862 863 int 864 val_chase_cname(struct query_info* qchase, struct reply_info* rep, 865 size_t* cname_skip) { 866 size_t i; 867 /* skip any DNAMEs, go to the CNAME for next part */ 868 for(i = *cname_skip; i < rep->an_numrrsets; i++) { 869 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME && 870 query_dname_compare(qchase->qname, rep->rrsets[i]-> 871 rk.dname) == 0) { 872 qchase->qname = NULL; 873 get_cname_target(rep->rrsets[i], &qchase->qname, 874 &qchase->qname_len); 875 if(!qchase->qname) 876 return 0; /* bad CNAME rdata */ 877 (*cname_skip) = i+1; 878 return 1; 879 } 880 } 881 return 0; /* CNAME classified but no matching CNAME ?! */ 882 } 883 884 /** see if rrset has signer name as one of the rrsig signers */ 885 static int 886 rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len) 887 { 888 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> 889 entry.data; 890 size_t i; 891 for(i = d->count; i< d->count+d->rrsig_count; i++) { 892 if(d->rr_len[i] > 2+18+len) { 893 /* at least rdatalen + signature + signame (+1 sig)*/ 894 if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18)) 895 continue; 896 if(query_dname_compare(name, d->rr_data[i]+2+18) == 0) 897 { 898 return 1; 899 } 900 } 901 } 902 return 0; 903 } 904 905 void 906 val_fill_reply(struct reply_info* chase, struct reply_info* orig, 907 size_t skip, uint8_t* name, size_t len, uint8_t* signer) 908 { 909 size_t i; 910 int seen_dname = 0; 911 chase->rrset_count = 0; 912 chase->an_numrrsets = 0; 913 chase->ns_numrrsets = 0; 914 chase->ar_numrrsets = 0; 915 /* ANSWER section */ 916 for(i=skip; i<orig->an_numrrsets; i++) { 917 if(!signer) { 918 if(query_dname_compare(name, 919 orig->rrsets[i]->rk.dname) == 0) 920 chase->rrsets[chase->an_numrrsets++] = 921 orig->rrsets[i]; 922 } else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) == 923 LDNS_RR_TYPE_CNAME) { 924 chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i]; 925 seen_dname = 0; 926 } else if(rrset_has_signer(orig->rrsets[i], name, len)) { 927 chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i]; 928 if(ntohs(orig->rrsets[i]->rk.type) == 929 LDNS_RR_TYPE_DNAME) { 930 seen_dname = 1; 931 } 932 } 933 } 934 /* AUTHORITY section */ 935 for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets; 936 i<orig->an_numrrsets+orig->ns_numrrsets; 937 i++) { 938 if(!signer) { 939 if(query_dname_compare(name, 940 orig->rrsets[i]->rk.dname) == 0) 941 chase->rrsets[chase->an_numrrsets+ 942 chase->ns_numrrsets++] = orig->rrsets[i]; 943 } else if(rrset_has_signer(orig->rrsets[i], name, len)) { 944 chase->rrsets[chase->an_numrrsets+ 945 chase->ns_numrrsets++] = orig->rrsets[i]; 946 } 947 } 948 /* ADDITIONAL section */ 949 for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)? 950 skip:orig->an_numrrsets+orig->ns_numrrsets; 951 i<orig->rrset_count; i++) { 952 if(!signer) { 953 if(query_dname_compare(name, 954 orig->rrsets[i]->rk.dname) == 0) 955 chase->rrsets[chase->an_numrrsets 956 +orig->ns_numrrsets+chase->ar_numrrsets++] 957 = orig->rrsets[i]; 958 } else if(rrset_has_signer(orig->rrsets[i], name, len)) { 959 chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+ 960 chase->ar_numrrsets++] = orig->rrsets[i]; 961 } 962 } 963 chase->rrset_count = chase->an_numrrsets + chase->ns_numrrsets + 964 chase->ar_numrrsets; 965 } 966 967 void val_reply_remove_auth(struct reply_info* rep, size_t index) 968 { 969 log_assert(index < rep->rrset_count); 970 log_assert(index >= rep->an_numrrsets); 971 log_assert(index < rep->an_numrrsets+rep->ns_numrrsets); 972 memmove(rep->rrsets+index, rep->rrsets+index+1, 973 sizeof(struct ub_packed_rrset_key*)* 974 (rep->rrset_count - index - 1)); 975 rep->ns_numrrsets--; 976 rep->rrset_count--; 977 } 978 979 void 980 val_check_nonsecure(struct module_env* env, struct reply_info* rep) 981 { 982 size_t i; 983 /* authority */ 984 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) { 985 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data) 986 ->security != sec_status_secure) { 987 /* because we want to return the authentic original 988 * message when presented with CD-flagged queries, 989 * we need to preserve AUTHORITY section data. 990 * However, this rrset is not signed or signed 991 * with the wrong keys. Validation has tried to 992 * verify this rrset with the keysets of import. 993 * But this rrset did not verify. 994 * Therefore the message is bogus. 995 */ 996 997 /* check if authority has an NS record 998 * which is bad, and there is an answer section with 999 * data. In that case, delete NS and additional to 1000 * be lenient and make a minimal response */ 1001 if(rep->an_numrrsets != 0 && 1002 ntohs(rep->rrsets[i]->rk.type) 1003 == LDNS_RR_TYPE_NS) { 1004 verbose(VERB_ALGO, "truncate to minimal"); 1005 rep->ar_numrrsets = 0; 1006 rep->rrset_count = rep->an_numrrsets + 1007 rep->ns_numrrsets; 1008 /* remove this unneeded authority rrset */ 1009 memmove(rep->rrsets+i, rep->rrsets+i+1, 1010 sizeof(struct ub_packed_rrset_key*)* 1011 (rep->rrset_count - i - 1)); 1012 rep->ns_numrrsets--; 1013 rep->rrset_count--; 1014 i--; 1015 return; 1016 } 1017 1018 log_nametypeclass(VERB_QUERY, "message is bogus, " 1019 "non secure rrset", 1020 rep->rrsets[i]->rk.dname, 1021 ntohs(rep->rrsets[i]->rk.type), 1022 ntohs(rep->rrsets[i]->rk.rrset_class)); 1023 rep->security = sec_status_bogus; 1024 return; 1025 } 1026 } 1027 /* additional */ 1028 if(!env->cfg->val_clean_additional) 1029 return; 1030 for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) { 1031 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data) 1032 ->security != sec_status_secure) { 1033 /* This does not cause message invalidation. It was 1034 * simply unsigned data in the additional. The 1035 * RRSIG must have been truncated off the message. 1036 * 1037 * However, we do not want to return possible bogus 1038 * data to clients that rely on this service for 1039 * their authentication. 1040 */ 1041 /* remove this unneeded additional rrset */ 1042 memmove(rep->rrsets+i, rep->rrsets+i+1, 1043 sizeof(struct ub_packed_rrset_key*)* 1044 (rep->rrset_count - i - 1)); 1045 rep->ar_numrrsets--; 1046 rep->rrset_count--; 1047 i--; 1048 } 1049 } 1050 } 1051 1052 /** check no anchor and unlock */ 1053 static int 1054 check_no_anchor(struct val_anchors* anchors, uint8_t* nm, size_t l, uint16_t c) 1055 { 1056 struct trust_anchor* ta; 1057 if((ta=anchors_lookup(anchors, nm, l, c))) { 1058 lock_basic_unlock(&ta->lock); 1059 } 1060 return !ta; 1061 } 1062 1063 void 1064 val_mark_indeterminate(struct reply_info* rep, struct val_anchors* anchors, 1065 struct rrset_cache* r, struct module_env* env) 1066 { 1067 size_t i; 1068 struct packed_rrset_data* d; 1069 for(i=0; i<rep->rrset_count; i++) { 1070 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1071 if(d->security == sec_status_unchecked && 1072 check_no_anchor(anchors, rep->rrsets[i]->rk.dname, 1073 rep->rrsets[i]->rk.dname_len, 1074 ntohs(rep->rrsets[i]->rk.rrset_class))) 1075 { 1076 /* mark as indeterminate */ 1077 d->security = sec_status_indeterminate; 1078 rrset_update_sec_status(r, rep->rrsets[i], *env->now); 1079 } 1080 } 1081 } 1082 1083 void 1084 val_mark_insecure(struct reply_info* rep, uint8_t* kname, 1085 struct rrset_cache* r, struct module_env* env) 1086 { 1087 size_t i; 1088 struct packed_rrset_data* d; 1089 for(i=0; i<rep->rrset_count; i++) { 1090 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1091 if(d->security == sec_status_unchecked && 1092 dname_subdomain_c(rep->rrsets[i]->rk.dname, kname)) { 1093 /* mark as insecure */ 1094 d->security = sec_status_insecure; 1095 rrset_update_sec_status(r, rep->rrsets[i], *env->now); 1096 } 1097 } 1098 } 1099 1100 size_t 1101 val_next_unchecked(struct reply_info* rep, size_t skip) 1102 { 1103 size_t i; 1104 struct packed_rrset_data* d; 1105 for(i=skip+1; i<rep->rrset_count; i++) { 1106 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1107 if(d->security == sec_status_unchecked) { 1108 return i; 1109 } 1110 } 1111 return rep->rrset_count; 1112 } 1113 1114 const char* 1115 val_classification_to_string(enum val_classification subtype) 1116 { 1117 switch(subtype) { 1118 case VAL_CLASS_UNTYPED: return "untyped"; 1119 case VAL_CLASS_UNKNOWN: return "unknown"; 1120 case VAL_CLASS_POSITIVE: return "positive"; 1121 case VAL_CLASS_CNAME: return "cname"; 1122 case VAL_CLASS_NODATA: return "nodata"; 1123 case VAL_CLASS_NAMEERROR: return "nameerror"; 1124 case VAL_CLASS_CNAMENOANSWER: return "cnamenoanswer"; 1125 case VAL_CLASS_REFERRAL: return "referral"; 1126 case VAL_CLASS_ANY: return "qtype_any"; 1127 default: 1128 return "bad_val_classification"; 1129 } 1130 } 1131 1132 /** log a sock_list entry */ 1133 static void 1134 sock_list_logentry(enum verbosity_value v, const char* s, struct sock_list* p) 1135 { 1136 if(p->len) 1137 log_addr(v, s, &p->addr, p->len); 1138 else verbose(v, "%s cache", s); 1139 } 1140 1141 void val_blacklist(struct sock_list** blacklist, struct regional* region, 1142 struct sock_list* origin, int cross) 1143 { 1144 /* debug printout */ 1145 if(verbosity >= VERB_ALGO) { 1146 struct sock_list* p; 1147 for(p=*blacklist; p; p=p->next) 1148 sock_list_logentry(VERB_ALGO, "blacklist", p); 1149 if(!origin) 1150 verbose(VERB_ALGO, "blacklist add: cache"); 1151 for(p=origin; p; p=p->next) 1152 sock_list_logentry(VERB_ALGO, "blacklist add", p); 1153 } 1154 /* blacklist the IPs or the cache */ 1155 if(!origin) { 1156 /* only add if nothing there. anything else also stops cache*/ 1157 if(!*blacklist) 1158 sock_list_insert(blacklist, NULL, 0, region); 1159 } else if(!cross) 1160 sock_list_prepend(blacklist, origin); 1161 else sock_list_merge(blacklist, region, origin); 1162 } 1163 1164 int val_has_signed_nsecs(struct reply_info* rep, char** reason) 1165 { 1166 size_t i, num_nsec = 0, num_nsec3 = 0; 1167 struct packed_rrset_data* d; 1168 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) { 1169 if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC)) 1170 num_nsec++; 1171 else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3)) 1172 num_nsec3++; 1173 else continue; 1174 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1175 if(d && d->rrsig_count != 0) { 1176 return 1; 1177 } 1178 } 1179 if(num_nsec == 0 && num_nsec3 == 0) 1180 *reason = "no DNSSEC records"; 1181 else if(num_nsec != 0) 1182 *reason = "no signatures over NSECs"; 1183 else *reason = "no signatures over NSEC3s"; 1184 return 0; 1185 } 1186 1187 struct dns_msg* 1188 val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c, 1189 struct regional* region, uint8_t* topname) 1190 { 1191 struct dns_msg* msg; 1192 struct query_info qinfo; 1193 struct ub_packed_rrset_key *rrset = rrset_cache_lookup( 1194 env->rrset_cache, nm, nmlen, LDNS_RR_TYPE_DS, c, 0, 1195 *env->now, 0); 1196 if(rrset) { 1197 /* DS rrset exists. Return it to the validator immediately*/ 1198 struct ub_packed_rrset_key* copy = packed_rrset_copy_region( 1199 rrset, region, *env->now); 1200 lock_rw_unlock(&rrset->entry.lock); 1201 if(!copy) 1202 return NULL; 1203 msg = dns_msg_create(nm, nmlen, LDNS_RR_TYPE_DS, c, region, 1); 1204 if(!msg) 1205 return NULL; 1206 msg->rep->rrsets[0] = copy; 1207 msg->rep->rrset_count++; 1208 msg->rep->an_numrrsets++; 1209 return msg; 1210 } 1211 /* lookup in rrset and negative cache for NSEC/NSEC3 */ 1212 qinfo.qname = nm; 1213 qinfo.qname_len = nmlen; 1214 qinfo.qtype = LDNS_RR_TYPE_DS; 1215 qinfo.qclass = c; 1216 qinfo.local_alias = NULL; 1217 /* do not add SOA to reply message, it is going to be used internal */ 1218 msg = val_neg_getmsg(env->neg_cache, &qinfo, region, env->rrset_cache, 1219 env->scratch_buffer, *env->now, 0, topname, env->cfg); 1220 return msg; 1221 } 1222