xref: /freebsd/contrib/unbound/validator/val_utils.c (revision 8ef24a0d4b28fe230e20637f56869cc4148cd2ca)
1 /*
2  * validator/val_utils.c - validator utility functions.
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  */
41 #include "config.h"
42 #include "validator/val_utils.h"
43 #include "validator/validator.h"
44 #include "validator/val_kentry.h"
45 #include "validator/val_sigcrypt.h"
46 #include "validator/val_anchor.h"
47 #include "validator/val_nsec.h"
48 #include "validator/val_neg.h"
49 #include "services/cache/rrset.h"
50 #include "services/cache/dns.h"
51 #include "util/data/msgreply.h"
52 #include "util/data/packed_rrset.h"
53 #include "util/data/dname.h"
54 #include "util/net_help.h"
55 #include "util/module.h"
56 #include "util/regional.h"
57 #include "sldns/wire2str.h"
58 #include "sldns/parseutil.h"
59 
60 enum val_classification
61 val_classify_response(uint16_t query_flags, struct query_info* origqinf,
62 	struct query_info* qinf, struct reply_info* rep, size_t skip)
63 {
64 	int rcode = (int)FLAGS_GET_RCODE(rep->flags);
65 	size_t i;
66 
67 	/* Normal Name Error's are easy to detect -- but don't mistake a CNAME
68 	 * chain ending in NXDOMAIN. */
69 	if(rcode == LDNS_RCODE_NXDOMAIN && rep->an_numrrsets == 0)
70 		return VAL_CLASS_NAMEERROR;
71 
72 	/* check for referral: nonRD query and it looks like a nodata */
73 	if(!(query_flags&BIT_RD) && rep->an_numrrsets == 0 &&
74 		rcode == LDNS_RCODE_NOERROR) {
75 		/* SOA record in auth indicates it is NODATA instead.
76 		 * All validation requiring NODATA messages have SOA in
77 		 * authority section. */
78 		/* uses fact that answer section is empty */
79 		int saw_ns = 0;
80 		for(i=0; i<rep->ns_numrrsets; i++) {
81 			if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA)
82 				return VAL_CLASS_NODATA;
83 			if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DS)
84 				return VAL_CLASS_REFERRAL;
85 			if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS)
86 				saw_ns = 1;
87 		}
88 		return saw_ns?VAL_CLASS_REFERRAL:VAL_CLASS_NODATA;
89 	}
90 	/* root referral where NS set is in the answer section */
91 	if(!(query_flags&BIT_RD) && rep->ns_numrrsets == 0 &&
92 		rep->an_numrrsets == 1 && rcode == LDNS_RCODE_NOERROR &&
93 		ntohs(rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_NS &&
94 		query_dname_compare(rep->rrsets[0]->rk.dname,
95 			origqinf->qname) != 0)
96 		return VAL_CLASS_REFERRAL;
97 
98 	/* dump bad messages */
99 	if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN)
100 		return VAL_CLASS_UNKNOWN;
101 	/* next check if the skip into the answer section shows no answer */
102 	if(skip>0 && rep->an_numrrsets <= skip)
103 		return VAL_CLASS_CNAMENOANSWER;
104 
105 	/* Next is NODATA */
106 	if(rcode == LDNS_RCODE_NOERROR && rep->an_numrrsets == 0)
107 		return VAL_CLASS_NODATA;
108 
109 	/* We distinguish between CNAME response and other positive/negative
110 	 * responses because CNAME answers require extra processing. */
111 
112 	/* We distinguish between ANY and CNAME or POSITIVE because
113 	 * ANY responses are validated differently. */
114 	if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY)
115 		return VAL_CLASS_ANY;
116 
117 	/* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
118 	 * qtype=CNAME, this will yield a CNAME response. */
119 	for(i=skip; i<rep->an_numrrsets; i++) {
120 		if(rcode == LDNS_RCODE_NOERROR &&
121 			ntohs(rep->rrsets[i]->rk.type) == qinf->qtype)
122 			return VAL_CLASS_POSITIVE;
123 		if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME)
124 			return VAL_CLASS_CNAME;
125 	}
126 	log_dns_msg("validator: error. failed to classify response message: ",
127 		qinf, rep);
128 	return VAL_CLASS_UNKNOWN;
129 }
130 
131 /** Get signer name from RRSIG */
132 static void
133 rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen)
134 {
135 	/* RRSIG rdata is not allowed to be compressed, it is stored
136 	 * uncompressed in memory as well, so return a ptr to the name */
137 	if(len < 21) {
138 		/* too short RRSig:
139 		 * short, byte, byte, long, long, long, short, "." is
140 		 * 2	1	1	4	4  4	2	1 = 19
141 		 * 			and a skip of 18 bytes to the name.
142 		 * +2 for the rdatalen is 21 bytes len for root label */
143 		*sname = NULL;
144 		*slen = 0;
145 		return;
146 	}
147 	data += 20; /* skip the fixed size bits */
148 	len -= 20;
149 	*slen = dname_valid(data, len);
150 	if(!*slen) {
151 		/* bad dname in this rrsig. */
152 		*sname = NULL;
153 		return;
154 	}
155 	*sname = data;
156 }
157 
158 void
159 val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
160 	size_t* slen)
161 {
162 	struct packed_rrset_data* d = (struct packed_rrset_data*)
163 		rrset->entry.data;
164 	/* return signer for first signature, or NULL */
165 	if(d->rrsig_count == 0) {
166 		*sname = NULL;
167 		*slen = 0;
168 		return;
169 	}
170 	/* get rrsig signer name out of the signature */
171 	rrsig_get_signer(d->rr_data[d->count], d->rr_len[d->count],
172 		sname, slen);
173 }
174 
175 /**
176  * Find best signer name in this set of rrsigs.
177  * @param rrset: which rrsigs to look through.
178  * @param qinf: the query name that needs validation.
179  * @param signer_name: the best signer_name. Updated if a better one is found.
180  * @param signer_len: length of signer name.
181  * @param matchcount: count of current best name (starts at 0 for no match).
182  * 	Updated if match is improved.
183  */
184 static void
185 val_find_best_signer(struct ub_packed_rrset_key* rrset,
186 	struct query_info* qinf, uint8_t** signer_name, size_t* signer_len,
187 	int* matchcount)
188 {
189 	struct packed_rrset_data* d = (struct packed_rrset_data*)
190 		rrset->entry.data;
191 	uint8_t* sign;
192 	size_t i;
193 	int m;
194 	for(i=d->count; i<d->count+d->rrsig_count; i++) {
195 		sign = d->rr_data[i]+2+18;
196 		/* look at signatures that are valid (long enough),
197 		 * and have a signer name that is a superdomain of qname,
198 		 * and then check the number of labels in the shared topdomain
199 		 * improve the match if possible */
200 		if(d->rr_len[i] > 2+19 && /* rdata, sig + root label*/
201 			dname_subdomain_c(qinf->qname, sign)) {
202 			(void)dname_lab_cmp(qinf->qname,
203 				dname_count_labels(qinf->qname),
204 				sign, dname_count_labels(sign), &m);
205 			if(m > *matchcount) {
206 				*matchcount = m;
207 				*signer_name = sign;
208 				(void)dname_count_size_labels(*signer_name,
209 					signer_len);
210 			}
211 		}
212 	}
213 }
214 
215 void
216 val_find_signer(enum val_classification subtype, struct query_info* qinf,
217 	struct reply_info* rep, size_t skip, uint8_t** signer_name,
218 	size_t* signer_len)
219 {
220 	size_t i;
221 
222 	if(subtype == VAL_CLASS_POSITIVE || subtype == VAL_CLASS_ANY) {
223 		/* check for the answer rrset */
224 		for(i=skip; i<rep->an_numrrsets; i++) {
225 			if(query_dname_compare(qinf->qname,
226 				rep->rrsets[i]->rk.dname) == 0) {
227 				val_find_rrset_signer(rep->rrsets[i],
228 					signer_name, signer_len);
229 				return;
230 			}
231 		}
232 		*signer_name = NULL;
233 		*signer_len = 0;
234 	} else if(subtype == VAL_CLASS_CNAME) {
235 		/* check for the first signed cname/dname rrset */
236 		for(i=skip; i<rep->an_numrrsets; i++) {
237 			val_find_rrset_signer(rep->rrsets[i],
238 				signer_name, signer_len);
239 			if(*signer_name)
240 				return;
241 			if(ntohs(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_DNAME)
242 				break; /* only check CNAME after a DNAME */
243 		}
244 		*signer_name = NULL;
245 		*signer_len = 0;
246 	} else if(subtype == VAL_CLASS_NAMEERROR
247 		|| subtype == VAL_CLASS_NODATA) {
248 		/*Check to see if the AUTH section NSEC record(s) have rrsigs*/
249 		for(i=rep->an_numrrsets; i<
250 			rep->an_numrrsets+rep->ns_numrrsets; i++) {
251 			if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
252 				|| ntohs(rep->rrsets[i]->rk.type) ==
253 				LDNS_RR_TYPE_NSEC3) {
254 				val_find_rrset_signer(rep->rrsets[i],
255 					signer_name, signer_len);
256 				return;
257 			}
258 		}
259 	} else if(subtype == VAL_CLASS_CNAMENOANSWER) {
260 		/* find closest superdomain signer name in authority section
261 		 * NSEC and NSEC3s */
262 		int matchcount = 0;
263 		*signer_name = NULL;
264 		*signer_len = 0;
265 		for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->
266 			ns_numrrsets; i++) {
267 			if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
268 				|| ntohs(rep->rrsets[i]->rk.type) ==
269 				LDNS_RR_TYPE_NSEC3) {
270 				val_find_best_signer(rep->rrsets[i], qinf,
271 					signer_name, signer_len, &matchcount);
272 			}
273 		}
274 	} else if(subtype == VAL_CLASS_REFERRAL) {
275 		/* find keys for the item at skip */
276 		if(skip < rep->rrset_count) {
277 			val_find_rrset_signer(rep->rrsets[skip],
278 				signer_name, signer_len);
279 			return;
280 		}
281 		*signer_name = NULL;
282 		*signer_len = 0;
283 	} else {
284 		verbose(VERB_QUERY, "find_signer: could not find signer name"
285 			" for unknown type response");
286 		*signer_name = NULL;
287 		*signer_len = 0;
288 	}
289 }
290 
291 /** return number of rrs in an rrset */
292 static size_t
293 rrset_get_count(struct ub_packed_rrset_key* rrset)
294 {
295 	struct packed_rrset_data* d = (struct packed_rrset_data*)
296 		rrset->entry.data;
297 	if(!d) return 0;
298 	return d->count;
299 }
300 
301 /** return TTL of rrset */
302 static uint32_t
303 rrset_get_ttl(struct ub_packed_rrset_key* rrset)
304 {
305 	struct packed_rrset_data* d = (struct packed_rrset_data*)
306 		rrset->entry.data;
307 	if(!d) return 0;
308 	return d->ttl;
309 }
310 
311 enum sec_status
312 val_verify_rrset(struct module_env* env, struct val_env* ve,
313         struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
314 	uint8_t* sigalg, char** reason)
315 {
316 	enum sec_status sec;
317 	struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
318 		entry.data;
319 	if(d->security == sec_status_secure) {
320 		/* re-verify all other statuses, because keyset may change*/
321 		log_nametypeclass(VERB_ALGO, "verify rrset cached",
322 			rrset->rk.dname, ntohs(rrset->rk.type),
323 			ntohs(rrset->rk.rrset_class));
324 		return d->security;
325 	}
326 	/* check in the cache if verification has already been done */
327 	rrset_check_sec_status(env->rrset_cache, rrset, *env->now);
328 	if(d->security == sec_status_secure) {
329 		log_nametypeclass(VERB_ALGO, "verify rrset from cache",
330 			rrset->rk.dname, ntohs(rrset->rk.type),
331 			ntohs(rrset->rk.rrset_class));
332 		return d->security;
333 	}
334 	log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname,
335 		ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class));
336 	sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason);
337 	verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec));
338 	regional_free_all(env->scratch);
339 
340 	/* update rrset security status
341 	 * only improves security status
342 	 * and bogus is set only once, even if we rechecked the status */
343 	if(sec > d->security) {
344 		d->security = sec;
345 		if(sec == sec_status_secure)
346 			d->trust = rrset_trust_validated;
347 		else if(sec == sec_status_bogus) {
348 			size_t i;
349 			/* update ttl for rrset to fixed value. */
350 			d->ttl = ve->bogus_ttl;
351 			for(i=0; i<d->count+d->rrsig_count; i++)
352 				d->rr_ttl[i] = ve->bogus_ttl;
353 			/* leave RR specific TTL: not used for determine
354 			 * if RRset timed out and clients see proper value. */
355 			lock_basic_lock(&ve->bogus_lock);
356 			ve->num_rrset_bogus++;
357 			lock_basic_unlock(&ve->bogus_lock);
358 		}
359 		/* if status updated - store in cache for reuse */
360 		rrset_update_sec_status(env->rrset_cache, rrset, *env->now);
361 	}
362 
363 	return sec;
364 }
365 
366 enum sec_status
367 val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
368         struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey,
369 	char** reason)
370 {
371 	/* temporary dnskey rrset-key */
372 	struct ub_packed_rrset_key dnskey;
373 	struct key_entry_data* kd = (struct key_entry_data*)kkey->entry.data;
374 	enum sec_status sec;
375 	dnskey.rk.type = htons(kd->rrset_type);
376 	dnskey.rk.rrset_class = htons(kkey->key_class);
377 	dnskey.rk.flags = 0;
378 	dnskey.rk.dname = kkey->name;
379 	dnskey.rk.dname_len = kkey->namelen;
380 	dnskey.entry.key = &dnskey;
381 	dnskey.entry.data = kd->rrset_data;
382 	sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason);
383 	return sec;
384 }
385 
386 /** verify that a DS RR hashes to a key and that key signs the set */
387 static enum sec_status
388 verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
389 	struct ub_packed_rrset_key* dnskey_rrset,
390         struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason)
391 {
392 	enum sec_status sec = sec_status_bogus;
393 	size_t i, num, numchecked = 0, numhashok = 0;
394 	num = rrset_get_count(dnskey_rrset);
395 	for(i=0; i<num; i++) {
396 		/* Skip DNSKEYs that don't match the basic criteria. */
397 		if(ds_get_key_algo(ds_rrset, ds_idx)
398 		   != dnskey_get_algo(dnskey_rrset, i)
399 		   || dnskey_calc_keytag(dnskey_rrset, i)
400 		   != ds_get_keytag(ds_rrset, ds_idx)) {
401 			continue;
402 		}
403 		numchecked++;
404 		verbose(VERB_ALGO, "attempt DS match algo %d keytag %d",
405 			ds_get_key_algo(ds_rrset, ds_idx),
406 			ds_get_keytag(ds_rrset, ds_idx));
407 
408 		/* Convert the candidate DNSKEY into a hash using the
409 		 * same DS hash algorithm. */
410 		if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset,
411 			ds_idx)) {
412 			verbose(VERB_ALGO, "DS match attempt failed");
413 			continue;
414 		}
415 		numhashok++;
416 		verbose(VERB_ALGO, "DS match digest ok, trying signature");
417 
418 		/* Otherwise, we have a match! Make sure that the DNSKEY
419 		 * verifies *with this key*  */
420 		sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
421 			dnskey_rrset, i, reason);
422 		if(sec == sec_status_secure) {
423 			return sec;
424 		}
425 		/* If it didn't validate with the DNSKEY, try the next one! */
426 	}
427 	if(numchecked == 0)
428 		algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx),
429 			reason, "no keys have a DS");
430 	else if(numhashok == 0)
431 		*reason = "DS hash mismatches key";
432 	else if(!*reason)
433 		*reason = "keyset not secured by DNSKEY that matches DS";
434 	return sec_status_bogus;
435 }
436 
437 int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset)
438 {
439 	size_t i, num = rrset_get_count(ds_rrset);
440 	int d, digest_algo = 0; /* DS digest algo 0 is not used. */
441 	/* find favorite algo, for now, highest number supported */
442 	for(i=0; i<num; i++) {
443 		if(!ds_digest_algo_is_supported(ds_rrset, i) ||
444 			!ds_key_algo_is_supported(ds_rrset, i)) {
445 			continue;
446 		}
447 		d = ds_get_digest_algo(ds_rrset, i);
448 		if(d > digest_algo)
449 			digest_algo = d;
450 	}
451 	return digest_algo;
452 }
453 
454 enum sec_status
455 val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
456 	struct ub_packed_rrset_key* dnskey_rrset,
457 	struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason)
458 {
459 	/* as long as this is false, we can consider this DS rrset to be
460 	 * equivalent to no DS rrset. */
461 	int has_useful_ds = 0, digest_algo, alg;
462 	struct algo_needs needs;
463 	size_t i, num;
464 	enum sec_status sec;
465 
466 	if(dnskey_rrset->rk.dname_len != ds_rrset->rk.dname_len ||
467 		query_dname_compare(dnskey_rrset->rk.dname, ds_rrset->rk.dname)
468 		!= 0) {
469 		verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
470 			"by name");
471 		*reason = "DNSKEY RRset did not match DS RRset by name";
472 		return sec_status_bogus;
473 	}
474 
475 	digest_algo = val_favorite_ds_algo(ds_rrset);
476 	if(sigalg)
477 		algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg);
478 	num = rrset_get_count(ds_rrset);
479 	for(i=0; i<num; i++) {
480 		/* Check to see if we can understand this DS.
481 		 * And check it is the strongest digest */
482 		if(!ds_digest_algo_is_supported(ds_rrset, i) ||
483 			!ds_key_algo_is_supported(ds_rrset, i) ||
484 			ds_get_digest_algo(ds_rrset, i) != digest_algo) {
485 			continue;
486 		}
487 
488 		/* Once we see a single DS with a known digestID and
489 		 * algorithm, we cannot return INSECURE (with a
490 		 * "null" KeyEntry). */
491 		has_useful_ds = 1;
492 
493 		sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
494 			ds_rrset, i, reason);
495 		if(sec == sec_status_secure) {
496 			if(!sigalg || algo_needs_set_secure(&needs,
497 				(uint8_t)ds_get_key_algo(ds_rrset, i))) {
498 				verbose(VERB_ALGO, "DS matched DNSKEY.");
499 				return sec_status_secure;
500 			}
501 		} else if(sigalg && sec == sec_status_bogus) {
502 			algo_needs_set_bogus(&needs,
503 				(uint8_t)ds_get_key_algo(ds_rrset, i));
504 		}
505 	}
506 
507 	/* None of the DS's worked out. */
508 
509 	/* If no DSs were understandable, then this is OK. */
510 	if(!has_useful_ds) {
511 		verbose(VERB_ALGO, "No usable DS records were found -- "
512 			"treating as insecure.");
513 		return sec_status_insecure;
514 	}
515 	/* If any were understandable, then it is bad. */
516 	verbose(VERB_QUERY, "Failed to match any usable DS to a DNSKEY.");
517 	if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
518 		algo_needs_reason(env, alg, reason, "missing verification of "
519 			"DNSKEY signature");
520 	}
521 	return sec_status_bogus;
522 }
523 
524 struct key_entry_key*
525 val_verify_new_DNSKEYs(struct regional* region, struct module_env* env,
526 	struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
527 	struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason)
528 {
529 	uint8_t sigalg[ALGO_NEEDS_MAX+1];
530 	enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve,
531 		dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason);
532 
533 	if(sec == sec_status_secure) {
534 		return key_entry_create_rrset(region,
535 			ds_rrset->rk.dname, ds_rrset->rk.dname_len,
536 			ntohs(ds_rrset->rk.rrset_class), dnskey_rrset,
537 			downprot?sigalg:NULL, *env->now);
538 	} else if(sec == sec_status_insecure) {
539 		return key_entry_create_null(region, ds_rrset->rk.dname,
540 			ds_rrset->rk.dname_len,
541 			ntohs(ds_rrset->rk.rrset_class),
542 			rrset_get_ttl(ds_rrset), *env->now);
543 	}
544 	return key_entry_create_bad(region, ds_rrset->rk.dname,
545 		ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class),
546 		BOGUS_KEY_TTL, *env->now);
547 }
548 
549 enum sec_status
550 val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
551 	struct ub_packed_rrset_key* dnskey_rrset,
552 	struct ub_packed_rrset_key* ta_ds,
553 	struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason)
554 {
555 	/* as long as this is false, we can consider this anchor to be
556 	 * equivalent to no anchor. */
557 	int has_useful_ta = 0, digest_algo = 0, alg;
558 	struct algo_needs needs;
559 	size_t i, num;
560 	enum sec_status sec;
561 
562 	if(ta_ds && (dnskey_rrset->rk.dname_len != ta_ds->rk.dname_len ||
563 		query_dname_compare(dnskey_rrset->rk.dname, ta_ds->rk.dname)
564 		!= 0)) {
565 		verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
566 			"by name");
567 		*reason = "DNSKEY RRset did not match DS RRset by name";
568 		return sec_status_bogus;
569 	}
570 	if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len
571 	     || query_dname_compare(dnskey_rrset->rk.dname, ta_dnskey->rk.dname)
572 		!= 0)) {
573 		verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset "
574 			"by name");
575 		*reason = "DNSKEY RRset did not match anchor RRset by name";
576 		return sec_status_bogus;
577 	}
578 
579 	if(ta_ds)
580 		digest_algo = val_favorite_ds_algo(ta_ds);
581 	if(sigalg) {
582 		if(ta_ds)
583 			algo_needs_init_ds(&needs, ta_ds, digest_algo, sigalg);
584 		else	memset(&needs, 0, sizeof(needs));
585 		if(ta_dnskey)
586 			algo_needs_init_dnskey_add(&needs, ta_dnskey, sigalg);
587 	}
588 	if(ta_ds) {
589 	    num = rrset_get_count(ta_ds);
590 	    for(i=0; i<num; i++) {
591 		/* Check to see if we can understand this DS.
592 		 * And check it is the strongest digest */
593 		if(!ds_digest_algo_is_supported(ta_ds, i) ||
594 			!ds_key_algo_is_supported(ta_ds, i) ||
595 			ds_get_digest_algo(ta_ds, i) != digest_algo)
596 			continue;
597 
598 		/* Once we see a single DS with a known digestID and
599 		 * algorithm, we cannot return INSECURE (with a
600 		 * "null" KeyEntry). */
601 		has_useful_ta = 1;
602 
603 		sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
604 			ta_ds, i, reason);
605 		if(sec == sec_status_secure) {
606 			if(!sigalg || algo_needs_set_secure(&needs,
607 				(uint8_t)ds_get_key_algo(ta_ds, i))) {
608 				verbose(VERB_ALGO, "DS matched DNSKEY.");
609 				return sec_status_secure;
610 			}
611 		} else if(sigalg && sec == sec_status_bogus) {
612 			algo_needs_set_bogus(&needs,
613 				(uint8_t)ds_get_key_algo(ta_ds, i));
614 		}
615 	    }
616 	}
617 
618 	/* None of the DS's worked out: check the DNSKEYs. */
619 	if(ta_dnskey) {
620 	    num = rrset_get_count(ta_dnskey);
621 	    for(i=0; i<num; i++) {
622 		/* Check to see if we can understand this DNSKEY */
623 		if(!dnskey_algo_is_supported(ta_dnskey, i))
624 			continue;
625 
626 		/* we saw a useful TA */
627 		has_useful_ta = 1;
628 
629 		sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
630 			ta_dnskey, i, reason);
631 		if(sec == sec_status_secure) {
632 			if(!sigalg || algo_needs_set_secure(&needs,
633 				(uint8_t)dnskey_get_algo(ta_dnskey, i))) {
634 				verbose(VERB_ALGO, "anchor matched DNSKEY.");
635 				return sec_status_secure;
636 			}
637 		} else if(sigalg && sec == sec_status_bogus) {
638 			algo_needs_set_bogus(&needs,
639 				(uint8_t)dnskey_get_algo(ta_dnskey, i));
640 		}
641 	    }
642 	}
643 
644 	/* If no DSs were understandable, then this is OK. */
645 	if(!has_useful_ta) {
646 		verbose(VERB_ALGO, "No usable trust anchors were found -- "
647 			"treating as insecure.");
648 		return sec_status_insecure;
649 	}
650 	/* If any were understandable, then it is bad. */
651 	verbose(VERB_QUERY, "Failed to match any usable anchor to a DNSKEY.");
652 	if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
653 		algo_needs_reason(env, alg, reason, "missing verification of "
654 			"DNSKEY signature");
655 	}
656 	return sec_status_bogus;
657 }
658 
659 struct key_entry_key*
660 val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env,
661 	struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
662 	struct ub_packed_rrset_key* ta_ds_rrset,
663 	struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
664 	char** reason)
665 {
666 	uint8_t sigalg[ALGO_NEEDS_MAX+1];
667 	enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve,
668 		dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset,
669 		downprot?sigalg:NULL, reason);
670 
671 	if(sec == sec_status_secure) {
672 		return key_entry_create_rrset(region,
673 			dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len,
674 			ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset,
675 			downprot?sigalg:NULL, *env->now);
676 	} else if(sec == sec_status_insecure) {
677 		return key_entry_create_null(region, dnskey_rrset->rk.dname,
678 			dnskey_rrset->rk.dname_len,
679 			ntohs(dnskey_rrset->rk.rrset_class),
680 			rrset_get_ttl(dnskey_rrset), *env->now);
681 	}
682 	return key_entry_create_bad(region, dnskey_rrset->rk.dname,
683 		dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class),
684 		BOGUS_KEY_TTL, *env->now);
685 }
686 
687 int
688 val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset)
689 {
690 	size_t i;
691 	for(i=0; i<rrset_get_count(ds_rrset); i++) {
692 		if(ds_digest_algo_is_supported(ds_rrset, i) &&
693 			ds_key_algo_is_supported(ds_rrset, i))
694 			return 1;
695 	}
696 	if(verbosity < VERB_ALGO)
697 		return 0;
698 	if(rrset_get_count(ds_rrset) == 0)
699 		verbose(VERB_ALGO, "DS is not usable");
700 	else {
701 		/* report usability for the first DS RR */
702 		sldns_lookup_table *lt;
703 		char herr[64], aerr[64];
704 		lt = sldns_lookup_by_id(sldns_hashes,
705 			(int)ds_get_digest_algo(ds_rrset, i));
706 		if(lt) snprintf(herr, sizeof(herr), "%s", lt->name);
707 		else snprintf(herr, sizeof(herr), "%d",
708 			(int)ds_get_digest_algo(ds_rrset, i));
709 		lt = sldns_lookup_by_id(sldns_algorithms,
710 			(int)ds_get_key_algo(ds_rrset, i));
711 		if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name);
712 		else snprintf(aerr, sizeof(aerr), "%d",
713 			(int)ds_get_key_algo(ds_rrset, i));
714 		verbose(VERB_ALGO, "DS unsupported, hash %s %s, "
715 			"key algorithm %s %s", herr,
716 			(ds_digest_algo_is_supported(ds_rrset, 0)?
717 			"(supported)":"(unsupported)"), aerr,
718 			(ds_key_algo_is_supported(ds_rrset, 0)?
719 			"(supported)":"(unsupported)"));
720 	}
721 	return 0;
722 }
723 
724 /** get label count for a signature */
725 static uint8_t
726 rrsig_get_labcount(struct packed_rrset_data* d, size_t sig)
727 {
728 	if(d->rr_len[sig] < 2+4)
729 		return 0; /* bad sig length */
730 	return d->rr_data[sig][2+3];
731 }
732 
733 int
734 val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc)
735 {
736 	struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
737 		entry.data;
738 	uint8_t labcount;
739 	int labdiff;
740 	uint8_t* wn;
741 	size_t i, wl;
742 	if(d->rrsig_count == 0) {
743 		return 1;
744 	}
745 	labcount = rrsig_get_labcount(d, d->count + 0);
746 	/* check rest of signatures identical */
747 	for(i=1; i<d->rrsig_count; i++) {
748 		if(labcount != rrsig_get_labcount(d, d->count + i)) {
749 			return 0;
750 		}
751 	}
752 	/* OK the rrsigs check out */
753 	/* if the RRSIG label count is shorter than the number of actual
754 	 * labels, then this rrset was synthesized from a wildcard.
755 	 * Note that the RRSIG label count doesn't count the root label. */
756 	wn = rrset->rk.dname;
757 	wl = rrset->rk.dname_len;
758 	/* skip a leading wildcard label in the dname (RFC4035 2.2) */
759 	if(dname_is_wild(wn)) {
760 		wn += 2;
761 		wl -= 2;
762 	}
763 	labdiff = (dname_count_labels(wn) - 1) - (int)labcount;
764 	if(labdiff > 0) {
765 		*wc = wn;
766 		dname_remove_labels(wc, &wl, labdiff);
767 		return 1;
768 	}
769 	return 1;
770 }
771 
772 int
773 val_chase_cname(struct query_info* qchase, struct reply_info* rep,
774 	size_t* cname_skip) {
775 	size_t i;
776 	/* skip any DNAMEs, go to the CNAME for next part */
777 	for(i = *cname_skip; i < rep->an_numrrsets; i++) {
778 		if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME &&
779 			query_dname_compare(qchase->qname, rep->rrsets[i]->
780 				rk.dname) == 0) {
781 			qchase->qname = NULL;
782 			get_cname_target(rep->rrsets[i], &qchase->qname,
783 				&qchase->qname_len);
784 			if(!qchase->qname)
785 				return 0; /* bad CNAME rdata */
786 			(*cname_skip) = i+1;
787 			return 1;
788 		}
789 	}
790 	return 0; /* CNAME classified but no matching CNAME ?! */
791 }
792 
793 /** see if rrset has signer name as one of the rrsig signers */
794 static int
795 rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len)
796 {
797 	struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
798 		entry.data;
799 	size_t i;
800 	for(i = d->count; i< d->count+d->rrsig_count; i++) {
801 		if(d->rr_len[i] > 2+18+len) {
802 			/* at least rdatalen + signature + signame (+1 sig)*/
803 			if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18))
804 				continue;
805 			if(query_dname_compare(name, d->rr_data[i]+2+18) == 0)
806 			{
807 				return 1;
808 			}
809 		}
810 	}
811 	return 0;
812 }
813 
814 void
815 val_fill_reply(struct reply_info* chase, struct reply_info* orig,
816 	size_t skip, uint8_t* name, size_t len, uint8_t* signer)
817 {
818 	size_t i;
819 	int seen_dname = 0;
820 	chase->rrset_count = 0;
821 	chase->an_numrrsets = 0;
822 	chase->ns_numrrsets = 0;
823 	chase->ar_numrrsets = 0;
824 	/* ANSWER section */
825 	for(i=skip; i<orig->an_numrrsets; i++) {
826 		if(!signer) {
827 			if(query_dname_compare(name,
828 				orig->rrsets[i]->rk.dname) == 0)
829 				chase->rrsets[chase->an_numrrsets++] =
830 					orig->rrsets[i];
831 		} else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) ==
832 			LDNS_RR_TYPE_CNAME) {
833 			chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
834 			seen_dname = 0;
835 		} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
836 			chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
837 			if(ntohs(orig->rrsets[i]->rk.type) ==
838 				LDNS_RR_TYPE_DNAME) {
839 					seen_dname = 1;
840 			}
841 		}
842 	}
843 	/* AUTHORITY section */
844 	for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets;
845 		i<orig->an_numrrsets+orig->ns_numrrsets;
846 		i++) {
847 		if(!signer) {
848 			if(query_dname_compare(name,
849 				orig->rrsets[i]->rk.dname) == 0)
850 				chase->rrsets[chase->an_numrrsets+
851 				    chase->ns_numrrsets++] = orig->rrsets[i];
852 		} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
853 			chase->rrsets[chase->an_numrrsets+
854 				chase->ns_numrrsets++] = orig->rrsets[i];
855 		}
856 	}
857 	/* ADDITIONAL section */
858 	for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)?
859 		skip:orig->an_numrrsets+orig->ns_numrrsets;
860 		i<orig->rrset_count; i++) {
861 		if(!signer) {
862 			if(query_dname_compare(name,
863 				orig->rrsets[i]->rk.dname) == 0)
864 			    chase->rrsets[chase->an_numrrsets
865 				+orig->ns_numrrsets+chase->ar_numrrsets++]
866 				= orig->rrsets[i];
867 		} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
868 			chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
869 				chase->ar_numrrsets++] = orig->rrsets[i];
870 		}
871 	}
872 	chase->rrset_count = chase->an_numrrsets + chase->ns_numrrsets +
873 		chase->ar_numrrsets;
874 }
875 
876 void val_reply_remove_auth(struct reply_info* rep, size_t index)
877 {
878 	log_assert(index < rep->rrset_count);
879 	log_assert(index >= rep->an_numrrsets);
880 	log_assert(index < rep->an_numrrsets+rep->ns_numrrsets);
881 	memmove(rep->rrsets+index, rep->rrsets+index+1,
882 		sizeof(struct ub_packed_rrset_key*)*
883 		(rep->rrset_count - index - 1));
884 	rep->ns_numrrsets--;
885 	rep->rrset_count--;
886 }
887 
888 void
889 val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
890 {
891 	size_t i;
892 	/* authority */
893 	for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
894 		if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
895 			->security != sec_status_secure) {
896 			/* because we want to return the authentic original
897 			 * message when presented with CD-flagged queries,
898 			 * we need to preserve AUTHORITY section data.
899 			 * However, this rrset is not signed or signed
900 			 * with the wrong keys. Validation has tried to
901 			 * verify this rrset with the keysets of import.
902 			 * But this rrset did not verify.
903 			 * Therefore the message is bogus.
904 			 */
905 
906 			/* check if authority consists of only an NS record
907 			 * which is bad, and there is an answer section with
908 			 * data.  In that case, delete NS and additional to
909 			 * be lenient and make a minimal response */
910 			if(rep->an_numrrsets != 0 && rep->ns_numrrsets == 1 &&
911 				ntohs(rep->rrsets[i]->rk.type)
912 				== LDNS_RR_TYPE_NS) {
913 				verbose(VERB_ALGO, "truncate to minimal");
914 				rep->ns_numrrsets = 0;
915 				rep->ar_numrrsets = 0;
916 				rep->rrset_count = rep->an_numrrsets;
917 				return;
918 			}
919 
920 			log_nametypeclass(VERB_QUERY, "message is bogus, "
921 				"non secure rrset",
922 				rep->rrsets[i]->rk.dname,
923 				ntohs(rep->rrsets[i]->rk.type),
924 				ntohs(rep->rrsets[i]->rk.rrset_class));
925 			rep->security = sec_status_bogus;
926 			return;
927 		}
928 	}
929 	/* additional */
930 	if(!ve->clean_additional)
931 		return;
932 	for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
933 		if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
934 			->security != sec_status_secure) {
935 			/* This does not cause message invalidation. It was
936 			 * simply unsigned data in the additional. The
937 			 * RRSIG must have been truncated off the message.
938 			 *
939 			 * However, we do not want to return possible bogus
940 			 * data to clients that rely on this service for
941 			 * their authentication.
942 			 */
943 			/* remove this unneeded additional rrset */
944 			memmove(rep->rrsets+i, rep->rrsets+i+1,
945 				sizeof(struct ub_packed_rrset_key*)*
946 				(rep->rrset_count - i - 1));
947 			rep->ar_numrrsets--;
948 			rep->rrset_count--;
949 			i--;
950 		}
951 	}
952 }
953 
954 /** check no anchor and unlock */
955 static int
956 check_no_anchor(struct val_anchors* anchors, uint8_t* nm, size_t l, uint16_t c)
957 {
958 	struct trust_anchor* ta;
959 	if((ta=anchors_lookup(anchors, nm, l, c))) {
960 		lock_basic_unlock(&ta->lock);
961 	}
962 	return !ta;
963 }
964 
965 void
966 val_mark_indeterminate(struct reply_info* rep, struct val_anchors* anchors,
967 	struct rrset_cache* r, struct module_env* env)
968 {
969 	size_t i;
970 	struct packed_rrset_data* d;
971 	for(i=0; i<rep->rrset_count; i++) {
972 		d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
973 		if(d->security == sec_status_unchecked &&
974 		   check_no_anchor(anchors, rep->rrsets[i]->rk.dname,
975 			rep->rrsets[i]->rk.dname_len,
976 			ntohs(rep->rrsets[i]->rk.rrset_class)))
977 		{
978 			/* mark as indeterminate */
979 			d->security = sec_status_indeterminate;
980 			rrset_update_sec_status(r, rep->rrsets[i], *env->now);
981 		}
982 	}
983 }
984 
985 void
986 val_mark_insecure(struct reply_info* rep, uint8_t* kname,
987 	struct rrset_cache* r, struct module_env* env)
988 {
989 	size_t i;
990 	struct packed_rrset_data* d;
991 	for(i=0; i<rep->rrset_count; i++) {
992 		d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
993 		if(d->security == sec_status_unchecked &&
994 		   dname_subdomain_c(rep->rrsets[i]->rk.dname, kname)) {
995 			/* mark as insecure */
996 			d->security = sec_status_insecure;
997 			rrset_update_sec_status(r, rep->rrsets[i], *env->now);
998 		}
999 	}
1000 }
1001 
1002 size_t
1003 val_next_unchecked(struct reply_info* rep, size_t skip)
1004 {
1005 	size_t i;
1006 	struct packed_rrset_data* d;
1007 	for(i=skip+1; i<rep->rrset_count; i++) {
1008 		d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1009 		if(d->security == sec_status_unchecked) {
1010 			return i;
1011 		}
1012 	}
1013 	return rep->rrset_count;
1014 }
1015 
1016 const char*
1017 val_classification_to_string(enum val_classification subtype)
1018 {
1019 	switch(subtype) {
1020 		case VAL_CLASS_UNTYPED: 	return "untyped";
1021 		case VAL_CLASS_UNKNOWN: 	return "unknown";
1022 		case VAL_CLASS_POSITIVE: 	return "positive";
1023 		case VAL_CLASS_CNAME: 		return "cname";
1024 		case VAL_CLASS_NODATA: 		return "nodata";
1025 		case VAL_CLASS_NAMEERROR: 	return "nameerror";
1026 		case VAL_CLASS_CNAMENOANSWER: 	return "cnamenoanswer";
1027 		case VAL_CLASS_REFERRAL: 	return "referral";
1028 		case VAL_CLASS_ANY: 		return "qtype_any";
1029 		default:
1030 			return "bad_val_classification";
1031 	}
1032 }
1033 
1034 /** log a sock_list entry */
1035 static void
1036 sock_list_logentry(enum verbosity_value v, const char* s, struct sock_list* p)
1037 {
1038 	if(p->len)
1039 		log_addr(v, s, &p->addr, p->len);
1040 	else	verbose(v, "%s cache", s);
1041 }
1042 
1043 void val_blacklist(struct sock_list** blacklist, struct regional* region,
1044 	struct sock_list* origin, int cross)
1045 {
1046 	/* debug printout */
1047 	if(verbosity >= VERB_ALGO) {
1048 		struct sock_list* p;
1049 		for(p=*blacklist; p; p=p->next)
1050 			sock_list_logentry(VERB_ALGO, "blacklist", p);
1051 		if(!origin)
1052 			verbose(VERB_ALGO, "blacklist add: cache");
1053 		for(p=origin; p; p=p->next)
1054 			sock_list_logentry(VERB_ALGO, "blacklist add", p);
1055 	}
1056 	/* blacklist the IPs or the cache */
1057 	if(!origin) {
1058 		/* only add if nothing there. anything else also stops cache*/
1059 		if(!*blacklist)
1060 			sock_list_insert(blacklist, NULL, 0, region);
1061 	} else if(!cross)
1062 		sock_list_prepend(blacklist, origin);
1063 	else	sock_list_merge(blacklist, region, origin);
1064 }
1065 
1066 int val_has_signed_nsecs(struct reply_info* rep, char** reason)
1067 {
1068 	size_t i, num_nsec = 0, num_nsec3 = 0;
1069 	struct packed_rrset_data* d;
1070 	for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
1071 		if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC))
1072 			num_nsec++;
1073 		else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3))
1074 			num_nsec3++;
1075 		else continue;
1076 		d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1077 		if(d && d->rrsig_count != 0) {
1078 			return 1;
1079 		}
1080 	}
1081 	if(num_nsec == 0 && num_nsec3 == 0)
1082 		*reason = "no DNSSEC records";
1083 	else if(num_nsec != 0)
1084 		*reason = "no signatures over NSECs";
1085 	else	*reason = "no signatures over NSEC3s";
1086 	return 0;
1087 }
1088 
1089 struct dns_msg*
1090 val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c,
1091 	struct regional* region, uint8_t* topname)
1092 {
1093 	struct dns_msg* msg;
1094 	struct query_info qinfo;
1095 	struct ub_packed_rrset_key *rrset = rrset_cache_lookup(
1096 		env->rrset_cache, nm, nmlen, LDNS_RR_TYPE_DS, c, 0,
1097 		*env->now, 0);
1098 	if(rrset) {
1099 		/* DS rrset exists. Return it to the validator immediately*/
1100 		struct ub_packed_rrset_key* copy = packed_rrset_copy_region(
1101 			rrset, region, *env->now);
1102 		lock_rw_unlock(&rrset->entry.lock);
1103 		if(!copy)
1104 			return NULL;
1105 		msg = dns_msg_create(nm, nmlen, LDNS_RR_TYPE_DS, c, region, 1);
1106 		if(!msg)
1107 			return NULL;
1108 		msg->rep->rrsets[0] = copy;
1109 		msg->rep->rrset_count++;
1110 		msg->rep->an_numrrsets++;
1111 		return msg;
1112 	}
1113 	/* lookup in rrset and negative cache for NSEC/NSEC3 */
1114 	qinfo.qname = nm;
1115 	qinfo.qname_len = nmlen;
1116 	qinfo.qtype = LDNS_RR_TYPE_DS;
1117 	qinfo.qclass = c;
1118 	/* do not add SOA to reply message, it is going to be used internal */
1119 	msg = val_neg_getmsg(env->neg_cache, &qinfo, region, env->rrset_cache,
1120 		env->scratch_buffer, *env->now, 0, topname);
1121 	return msg;
1122 }
1123