xref: /freebsd/contrib/unbound/validator/val_utils.c (revision b197d4b893974c9eb4d7b38704c6d5c486235d6f)
1 /*
2  * validator/val_utils.c - validator utility functions.
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  */
41 #include "config.h"
42 #include "validator/val_utils.h"
43 #include "validator/validator.h"
44 #include "validator/val_kentry.h"
45 #include "validator/val_sigcrypt.h"
46 #include "validator/val_anchor.h"
47 #include "validator/val_nsec.h"
48 #include "validator/val_neg.h"
49 #include "services/cache/rrset.h"
50 #include "services/cache/dns.h"
51 #include "util/data/msgreply.h"
52 #include "util/data/packed_rrset.h"
53 #include "util/data/dname.h"
54 #include "util/net_help.h"
55 #include "util/module.h"
56 #include "util/regional.h"
57 #include "util/config_file.h"
58 #include "sldns/wire2str.h"
59 #include "sldns/parseutil.h"
60 
61 enum val_classification
62 val_classify_response(uint16_t query_flags, struct query_info* origqinf,
63 	struct query_info* qinf, struct reply_info* rep, size_t skip)
64 {
65 	int rcode = (int)FLAGS_GET_RCODE(rep->flags);
66 	size_t i;
67 
68 	/* Normal Name Error's are easy to detect -- but don't mistake a CNAME
69 	 * chain ending in NXDOMAIN. */
70 	if(rcode == LDNS_RCODE_NXDOMAIN && rep->an_numrrsets == 0)
71 		return VAL_CLASS_NAMEERROR;
72 
73 	/* check for referral: nonRD query and it looks like a nodata */
74 	if(!(query_flags&BIT_RD) && rep->an_numrrsets == 0 &&
75 		rcode == LDNS_RCODE_NOERROR) {
76 		/* SOA record in auth indicates it is NODATA instead.
77 		 * All validation requiring NODATA messages have SOA in
78 		 * authority section. */
79 		/* uses fact that answer section is empty */
80 		int saw_ns = 0;
81 		for(i=0; i<rep->ns_numrrsets; i++) {
82 			if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA)
83 				return VAL_CLASS_NODATA;
84 			if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DS)
85 				return VAL_CLASS_REFERRAL;
86 			if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS)
87 				saw_ns = 1;
88 		}
89 		return saw_ns?VAL_CLASS_REFERRAL:VAL_CLASS_NODATA;
90 	}
91 	/* root referral where NS set is in the answer section */
92 	if(!(query_flags&BIT_RD) && rep->ns_numrrsets == 0 &&
93 		rep->an_numrrsets == 1 && rcode == LDNS_RCODE_NOERROR &&
94 		ntohs(rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_NS &&
95 		query_dname_compare(rep->rrsets[0]->rk.dname,
96 			origqinf->qname) != 0)
97 		return VAL_CLASS_REFERRAL;
98 
99 	/* dump bad messages */
100 	if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN)
101 		return VAL_CLASS_UNKNOWN;
102 	/* next check if the skip into the answer section shows no answer */
103 	if(skip>0 && rep->an_numrrsets <= skip)
104 		return VAL_CLASS_CNAMENOANSWER;
105 
106 	/* Next is NODATA */
107 	if(rcode == LDNS_RCODE_NOERROR && rep->an_numrrsets == 0)
108 		return VAL_CLASS_NODATA;
109 
110 	/* We distinguish between CNAME response and other positive/negative
111 	 * responses because CNAME answers require extra processing. */
112 
113 	/* We distinguish between ANY and CNAME or POSITIVE because
114 	 * ANY responses are validated differently. */
115 	if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY)
116 		return VAL_CLASS_ANY;
117 
118 	/* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
119 	 * qtype=CNAME, this will yield a CNAME response. */
120 	for(i=skip; i<rep->an_numrrsets; i++) {
121 		if(rcode == LDNS_RCODE_NOERROR &&
122 			ntohs(rep->rrsets[i]->rk.type) == qinf->qtype)
123 			return VAL_CLASS_POSITIVE;
124 		if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME)
125 			return VAL_CLASS_CNAME;
126 	}
127 	log_dns_msg("validator: error. failed to classify response message: ",
128 		qinf, rep);
129 	return VAL_CLASS_UNKNOWN;
130 }
131 
132 /** Get signer name from RRSIG */
133 static void
134 rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen)
135 {
136 	/* RRSIG rdata is not allowed to be compressed, it is stored
137 	 * uncompressed in memory as well, so return a ptr to the name */
138 	if(len < 21) {
139 		/* too short RRSig:
140 		 * short, byte, byte, long, long, long, short, "." is
141 		 * 2	1	1	4	4  4	2	1 = 19
142 		 * 			and a skip of 18 bytes to the name.
143 		 * +2 for the rdatalen is 21 bytes len for root label */
144 		*sname = NULL;
145 		*slen = 0;
146 		return;
147 	}
148 	data += 20; /* skip the fixed size bits */
149 	len -= 20;
150 	*slen = dname_valid(data, len);
151 	if(!*slen) {
152 		/* bad dname in this rrsig. */
153 		*sname = NULL;
154 		return;
155 	}
156 	*sname = data;
157 }
158 
159 void
160 val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
161 	size_t* slen)
162 {
163 	struct packed_rrset_data* d = (struct packed_rrset_data*)
164 		rrset->entry.data;
165 	/* return signer for first signature, or NULL */
166 	if(d->rrsig_count == 0) {
167 		*sname = NULL;
168 		*slen = 0;
169 		return;
170 	}
171 	/* get rrsig signer name out of the signature */
172 	rrsig_get_signer(d->rr_data[d->count], d->rr_len[d->count],
173 		sname, slen);
174 }
175 
176 /**
177  * Find best signer name in this set of rrsigs.
178  * @param rrset: which rrsigs to look through.
179  * @param qinf: the query name that needs validation.
180  * @param signer_name: the best signer_name. Updated if a better one is found.
181  * @param signer_len: length of signer name.
182  * @param matchcount: count of current best name (starts at 0 for no match).
183  * 	Updated if match is improved.
184  */
185 static void
186 val_find_best_signer(struct ub_packed_rrset_key* rrset,
187 	struct query_info* qinf, uint8_t** signer_name, size_t* signer_len,
188 	int* matchcount)
189 {
190 	struct packed_rrset_data* d = (struct packed_rrset_data*)
191 		rrset->entry.data;
192 	uint8_t* sign;
193 	size_t i;
194 	int m;
195 	for(i=d->count; i<d->count+d->rrsig_count; i++) {
196 		sign = d->rr_data[i]+2+18;
197 		/* look at signatures that are valid (long enough),
198 		 * and have a signer name that is a superdomain of qname,
199 		 * and then check the number of labels in the shared topdomain
200 		 * improve the match if possible */
201 		if(d->rr_len[i] > 2+19 && /* rdata, sig + root label*/
202 			dname_subdomain_c(qinf->qname, sign)) {
203 			(void)dname_lab_cmp(qinf->qname,
204 				dname_count_labels(qinf->qname),
205 				sign, dname_count_labels(sign), &m);
206 			if(m > *matchcount) {
207 				*matchcount = m;
208 				*signer_name = sign;
209 				(void)dname_count_size_labels(*signer_name,
210 					signer_len);
211 			}
212 		}
213 	}
214 }
215 
216 void
217 val_find_signer(enum val_classification subtype, struct query_info* qinf,
218 	struct reply_info* rep, size_t skip, uint8_t** signer_name,
219 	size_t* signer_len)
220 {
221 	size_t i;
222 
223 	if(subtype == VAL_CLASS_POSITIVE) {
224 		/* check for the answer rrset */
225 		for(i=skip; i<rep->an_numrrsets; i++) {
226 			if(query_dname_compare(qinf->qname,
227 				rep->rrsets[i]->rk.dname) == 0) {
228 				val_find_rrset_signer(rep->rrsets[i],
229 					signer_name, signer_len);
230 				return;
231 			}
232 		}
233 		*signer_name = NULL;
234 		*signer_len = 0;
235 	} else if(subtype == VAL_CLASS_CNAME) {
236 		/* check for the first signed cname/dname rrset */
237 		for(i=skip; i<rep->an_numrrsets; i++) {
238 			val_find_rrset_signer(rep->rrsets[i],
239 				signer_name, signer_len);
240 			if(*signer_name)
241 				return;
242 			if(ntohs(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_DNAME)
243 				break; /* only check CNAME after a DNAME */
244 		}
245 		*signer_name = NULL;
246 		*signer_len = 0;
247 	} else if(subtype == VAL_CLASS_NAMEERROR
248 		|| subtype == VAL_CLASS_NODATA) {
249 		/*Check to see if the AUTH section NSEC record(s) have rrsigs*/
250 		for(i=rep->an_numrrsets; i<
251 			rep->an_numrrsets+rep->ns_numrrsets; i++) {
252 			if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
253 				|| ntohs(rep->rrsets[i]->rk.type) ==
254 				LDNS_RR_TYPE_NSEC3) {
255 				val_find_rrset_signer(rep->rrsets[i],
256 					signer_name, signer_len);
257 				return;
258 			}
259 		}
260 	} else if(subtype == VAL_CLASS_CNAMENOANSWER) {
261 		/* find closest superdomain signer name in authority section
262 		 * NSEC and NSEC3s */
263 		int matchcount = 0;
264 		*signer_name = NULL;
265 		*signer_len = 0;
266 		for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->
267 			ns_numrrsets; i++) {
268 			if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
269 				|| ntohs(rep->rrsets[i]->rk.type) ==
270 				LDNS_RR_TYPE_NSEC3) {
271 				val_find_best_signer(rep->rrsets[i], qinf,
272 					signer_name, signer_len, &matchcount);
273 			}
274 		}
275 	} else if(subtype == VAL_CLASS_ANY) {
276 		/* check for one of the answer rrset that has signatures,
277 		 * or potentially a DNAME is in use with a different qname */
278 		for(i=skip; i<rep->an_numrrsets; i++) {
279 			if(query_dname_compare(qinf->qname,
280 				rep->rrsets[i]->rk.dname) == 0) {
281 				val_find_rrset_signer(rep->rrsets[i],
282 					signer_name, signer_len);
283 				if(*signer_name)
284 					return;
285 			}
286 		}
287 		/* no answer RRSIGs with qname, try a DNAME */
288 		if(skip < rep->an_numrrsets &&
289 			ntohs(rep->rrsets[skip]->rk.type) ==
290 			LDNS_RR_TYPE_DNAME) {
291 			val_find_rrset_signer(rep->rrsets[skip],
292 				signer_name, signer_len);
293 			if(*signer_name)
294 				return;
295 		}
296 		*signer_name = NULL;
297 		*signer_len = 0;
298 	} else if(subtype == VAL_CLASS_REFERRAL) {
299 		/* find keys for the item at skip */
300 		if(skip < rep->rrset_count) {
301 			val_find_rrset_signer(rep->rrsets[skip],
302 				signer_name, signer_len);
303 			return;
304 		}
305 		*signer_name = NULL;
306 		*signer_len = 0;
307 	} else {
308 		verbose(VERB_QUERY, "find_signer: could not find signer name"
309 			" for unknown type response");
310 		*signer_name = NULL;
311 		*signer_len = 0;
312 	}
313 }
314 
315 /** return number of rrs in an rrset */
316 static size_t
317 rrset_get_count(struct ub_packed_rrset_key* rrset)
318 {
319 	struct packed_rrset_data* d = (struct packed_rrset_data*)
320 		rrset->entry.data;
321 	if(!d) return 0;
322 	return d->count;
323 }
324 
325 /** return TTL of rrset */
326 static uint32_t
327 rrset_get_ttl(struct ub_packed_rrset_key* rrset)
328 {
329 	struct packed_rrset_data* d = (struct packed_rrset_data*)
330 		rrset->entry.data;
331 	if(!d) return 0;
332 	return d->ttl;
333 }
334 
335 static enum sec_status
336 val_verify_rrset(struct module_env* env, struct val_env* ve,
337         struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
338 	uint8_t* sigalg, char** reason, sldns_ede_code *reason_bogus,
339 	sldns_pkt_section section, struct module_qstate* qstate)
340 {
341 	enum sec_status sec;
342 	struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
343 		entry.data;
344 	if(d->security == sec_status_secure) {
345 		/* re-verify all other statuses, because keyset may change*/
346 		log_nametypeclass(VERB_ALGO, "verify rrset cached",
347 			rrset->rk.dname, ntohs(rrset->rk.type),
348 			ntohs(rrset->rk.rrset_class));
349 		return d->security;
350 	}
351 	/* check in the cache if verification has already been done */
352 	rrset_check_sec_status(env->rrset_cache, rrset, *env->now);
353 	if(d->security == sec_status_secure) {
354 		log_nametypeclass(VERB_ALGO, "verify rrset from cache",
355 			rrset->rk.dname, ntohs(rrset->rk.type),
356 			ntohs(rrset->rk.rrset_class));
357 		return d->security;
358 	}
359 	log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname,
360 		ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class));
361 	sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason,
362 		reason_bogus, section, qstate);
363 	verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec));
364 	regional_free_all(env->scratch);
365 
366 	/* update rrset security status
367 	 * only improves security status
368 	 * and bogus is set only once, even if we rechecked the status */
369 	if(sec > d->security) {
370 		d->security = sec;
371 		if(sec == sec_status_secure)
372 			d->trust = rrset_trust_validated;
373 		else if(sec == sec_status_bogus) {
374 			size_t i;
375 			/* update ttl for rrset to fixed value. */
376 			d->ttl = ve->bogus_ttl;
377 			for(i=0; i<d->count+d->rrsig_count; i++)
378 				d->rr_ttl[i] = ve->bogus_ttl;
379 			/* leave RR specific TTL: not used for determine
380 			 * if RRset timed out and clients see proper value. */
381 			lock_basic_lock(&ve->bogus_lock);
382 			ve->num_rrset_bogus++;
383 			lock_basic_unlock(&ve->bogus_lock);
384 		}
385 		/* if status updated - store in cache for reuse */
386 		rrset_update_sec_status(env->rrset_cache, rrset, *env->now);
387 	}
388 
389 	return sec;
390 }
391 
392 enum sec_status
393 val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
394         struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey,
395 	char** reason, sldns_ede_code *reason_bogus,
396 	sldns_pkt_section section, struct module_qstate* qstate)
397 {
398 	/* temporary dnskey rrset-key */
399 	struct ub_packed_rrset_key dnskey;
400 	struct key_entry_data* kd = (struct key_entry_data*)kkey->entry.data;
401 	enum sec_status sec;
402 	dnskey.rk.type = htons(kd->rrset_type);
403 	dnskey.rk.rrset_class = htons(kkey->key_class);
404 	dnskey.rk.flags = 0;
405 	dnskey.rk.dname = kkey->name;
406 	dnskey.rk.dname_len = kkey->namelen;
407 	dnskey.entry.key = &dnskey;
408 	dnskey.entry.data = kd->rrset_data;
409 	sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason,
410 		reason_bogus, section, qstate);
411 	return sec;
412 }
413 
414 /** verify that a DS RR hashes to a key and that key signs the set */
415 static enum sec_status
416 verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
417 	struct ub_packed_rrset_key* dnskey_rrset,
418         struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason,
419 	sldns_ede_code *reason_bogus, struct module_qstate* qstate)
420 {
421 	enum sec_status sec = sec_status_bogus;
422 	size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0;
423 	num = rrset_get_count(dnskey_rrset);
424 	for(i=0; i<num; i++) {
425 		/* Skip DNSKEYs that don't match the basic criteria. */
426 		if(ds_get_key_algo(ds_rrset, ds_idx)
427 		   != dnskey_get_algo(dnskey_rrset, i)
428 		   || dnskey_calc_keytag(dnskey_rrset, i)
429 		   != ds_get_keytag(ds_rrset, ds_idx)) {
430 			continue;
431 		}
432 		numchecked++;
433 		verbose(VERB_ALGO, "attempt DS match algo %d keytag %d",
434 			ds_get_key_algo(ds_rrset, ds_idx),
435 			ds_get_keytag(ds_rrset, ds_idx));
436 
437 		/* Convert the candidate DNSKEY into a hash using the
438 		 * same DS hash algorithm. */
439 		if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset,
440 			ds_idx)) {
441 			verbose(VERB_ALGO, "DS match attempt failed");
442 			continue;
443 		}
444 		numhashok++;
445 		if(!dnskey_size_is_supported(dnskey_rrset, i)) {
446 			verbose(VERB_ALGO, "DS okay but that DNSKEY size is not supported");
447 			numsizesupp++;
448 			continue;
449 		}
450 		verbose(VERB_ALGO, "DS match digest ok, trying signature");
451 
452 		/* Otherwise, we have a match! Make sure that the DNSKEY
453 		 * verifies *with this key*  */
454 		sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset,
455 			i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate);
456 		if(sec == sec_status_secure) {
457 			return sec;
458 		}
459 		/* If it didn't validate with the DNSKEY, try the next one! */
460 	}
461 	if(numsizesupp != 0 || sec == sec_status_indeterminate) {
462 		/* there is a working DS, but that DNSKEY is not supported */
463 		return sec_status_insecure;
464 	}
465 	if(numchecked == 0)
466 		algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx),
467 			reason, "no keys have a DS");
468 	else if(numhashok == 0)
469 		*reason = "DS hash mismatches key";
470 	else if(!*reason)
471 		*reason = "keyset not secured by DNSKEY that matches DS";
472 	return sec_status_bogus;
473 }
474 
475 int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset)
476 {
477 	size_t i, num = rrset_get_count(ds_rrset);
478 	int d, digest_algo = 0; /* DS digest algo 0 is not used. */
479 	/* find favorite algo, for now, highest number supported */
480 	for(i=0; i<num; i++) {
481 		if(!ds_digest_algo_is_supported(ds_rrset, i) ||
482 			!ds_key_algo_is_supported(ds_rrset, i)) {
483 			continue;
484 		}
485 		d = ds_get_digest_algo(ds_rrset, i);
486 		if(d > digest_algo)
487 			digest_algo = d;
488 	}
489 	return digest_algo;
490 }
491 
492 enum sec_status
493 val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
494 	struct ub_packed_rrset_key* dnskey_rrset,
495 	struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
496 	sldns_ede_code *reason_bogus, struct module_qstate* qstate)
497 {
498 	/* as long as this is false, we can consider this DS rrset to be
499 	 * equivalent to no DS rrset. */
500 	int has_useful_ds = 0, digest_algo, alg;
501 	struct algo_needs needs;
502 	size_t i, num;
503 	enum sec_status sec;
504 
505 	if(dnskey_rrset->rk.dname_len != ds_rrset->rk.dname_len ||
506 		query_dname_compare(dnskey_rrset->rk.dname, ds_rrset->rk.dname)
507 		!= 0) {
508 		verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
509 			"by name");
510 		*reason = "DNSKEY RRset did not match DS RRset by name";
511 		return sec_status_bogus;
512 	}
513 
514 	if(sigalg) {
515 		/* harden against algo downgrade is enabled */
516 		digest_algo = val_favorite_ds_algo(ds_rrset);
517 		algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg);
518 	} else {
519 		/* accept any key algo, any digest algo */
520 		digest_algo = -1;
521 	}
522 	num = rrset_get_count(ds_rrset);
523 	for(i=0; i<num; i++) {
524 		/* Check to see if we can understand this DS.
525 		 * And check it is the strongest digest */
526 		if(!ds_digest_algo_is_supported(ds_rrset, i) ||
527 			!ds_key_algo_is_supported(ds_rrset, i) ||
528 			(sigalg && (ds_get_digest_algo(ds_rrset, i) != digest_algo))) {
529 			continue;
530 		}
531 
532 		sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
533 			ds_rrset, i, reason, reason_bogus, qstate);
534 		if(sec == sec_status_insecure)
535 			continue;
536 
537 		/* Once we see a single DS with a known digestID and
538 		 * algorithm, we cannot return INSECURE (with a
539 		 * "null" KeyEntry). */
540 		has_useful_ds = 1;
541 
542 		if(sec == sec_status_secure) {
543 			if(!sigalg || algo_needs_set_secure(&needs,
544 				(uint8_t)ds_get_key_algo(ds_rrset, i))) {
545 				verbose(VERB_ALGO, "DS matched DNSKEY.");
546 				if(!dnskeyset_size_is_supported(dnskey_rrset)) {
547 					verbose(VERB_ALGO, "DS works, but dnskeyset contain keys that are unsupported, treat as insecure");
548 					return sec_status_insecure;
549 				}
550 				return sec_status_secure;
551 			}
552 		} else if(sigalg && sec == sec_status_bogus) {
553 			algo_needs_set_bogus(&needs,
554 				(uint8_t)ds_get_key_algo(ds_rrset, i));
555 		}
556 	}
557 
558 	/* None of the DS's worked out. */
559 
560 	/* If no DSs were understandable, then this is OK. */
561 	if(!has_useful_ds) {
562 		verbose(VERB_ALGO, "No usable DS records were found -- "
563 			"treating as insecure.");
564 		return sec_status_insecure;
565 	}
566 	/* If any were understandable, then it is bad. */
567 	verbose(VERB_QUERY, "Failed to match any usable DS to a DNSKEY.");
568 	if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
569 		algo_needs_reason(env, alg, reason, "missing verification of "
570 			"DNSKEY signature");
571 	}
572 	return sec_status_bogus;
573 }
574 
575 struct key_entry_key*
576 val_verify_new_DNSKEYs(struct regional* region, struct module_env* env,
577 	struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
578 	struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
579 	sldns_ede_code *reason_bogus, struct module_qstate* qstate)
580 {
581 	uint8_t sigalg[ALGO_NEEDS_MAX+1];
582 	enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve,
583 		dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason,
584 		reason_bogus, qstate);
585 
586 	if(sec == sec_status_secure) {
587 		return key_entry_create_rrset(region,
588 			ds_rrset->rk.dname, ds_rrset->rk.dname_len,
589 			ntohs(ds_rrset->rk.rrset_class), dnskey_rrset,
590 			downprot?sigalg:NULL, *env->now);
591 	} else if(sec == sec_status_insecure) {
592 		return key_entry_create_null(region, ds_rrset->rk.dname,
593 			ds_rrset->rk.dname_len,
594 			ntohs(ds_rrset->rk.rrset_class),
595 			rrset_get_ttl(ds_rrset), *env->now);
596 	}
597 	return key_entry_create_bad(region, ds_rrset->rk.dname,
598 		ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class),
599 		BOGUS_KEY_TTL, *env->now);
600 }
601 
602 enum sec_status
603 val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
604 	struct ub_packed_rrset_key* dnskey_rrset,
605 	struct ub_packed_rrset_key* ta_ds,
606 	struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
607 	sldns_ede_code *reason_bogus, struct module_qstate* qstate)
608 {
609 	/* as long as this is false, we can consider this anchor to be
610 	 * equivalent to no anchor. */
611 	int has_useful_ta = 0, digest_algo = 0, alg;
612 	struct algo_needs needs;
613 	size_t i, num;
614 	enum sec_status sec;
615 
616 	if(ta_ds && (dnskey_rrset->rk.dname_len != ta_ds->rk.dname_len ||
617 		query_dname_compare(dnskey_rrset->rk.dname, ta_ds->rk.dname)
618 		!= 0)) {
619 		verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
620 			"by name");
621 		*reason = "DNSKEY RRset did not match DS RRset by name";
622 		if(reason_bogus)
623 			*reason_bogus = LDNS_EDE_DNSKEY_MISSING;
624 		return sec_status_bogus;
625 	}
626 	if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len
627 	     || query_dname_compare(dnskey_rrset->rk.dname, ta_dnskey->rk.dname)
628 		!= 0)) {
629 		verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset "
630 			"by name");
631 		*reason = "DNSKEY RRset did not match anchor RRset by name";
632 		if(reason_bogus)
633 			*reason_bogus = LDNS_EDE_DNSKEY_MISSING;
634 		return sec_status_bogus;
635 	}
636 
637 	if(ta_ds)
638 		digest_algo = val_favorite_ds_algo(ta_ds);
639 	if(sigalg) {
640 		if(ta_ds)
641 			algo_needs_init_ds(&needs, ta_ds, digest_algo, sigalg);
642 		else	memset(&needs, 0, sizeof(needs));
643 		if(ta_dnskey)
644 			algo_needs_init_dnskey_add(&needs, ta_dnskey, sigalg);
645 	}
646 	if(ta_ds) {
647 	    num = rrset_get_count(ta_ds);
648 	    for(i=0; i<num; i++) {
649 		/* Check to see if we can understand this DS.
650 		 * And check it is the strongest digest */
651 		if(!ds_digest_algo_is_supported(ta_ds, i) ||
652 			!ds_key_algo_is_supported(ta_ds, i) ||
653 			ds_get_digest_algo(ta_ds, i) != digest_algo)
654 			continue;
655 
656 		sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
657 			ta_ds, i, reason, reason_bogus, qstate);
658 		if(sec == sec_status_insecure)
659 			continue;
660 
661 		/* Once we see a single DS with a known digestID and
662 		 * algorithm, we cannot return INSECURE (with a
663 		 * "null" KeyEntry). */
664 		has_useful_ta = 1;
665 
666 		if(sec == sec_status_secure) {
667 			if(!sigalg || algo_needs_set_secure(&needs,
668 				(uint8_t)ds_get_key_algo(ta_ds, i))) {
669 				verbose(VERB_ALGO, "DS matched DNSKEY.");
670 				if(!dnskeyset_size_is_supported(dnskey_rrset)) {
671 					verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure");
672 					return sec_status_insecure;
673 				}
674 				return sec_status_secure;
675 			}
676 		} else if(sigalg && sec == sec_status_bogus) {
677 			algo_needs_set_bogus(&needs,
678 				(uint8_t)ds_get_key_algo(ta_ds, i));
679 		}
680 	    }
681 	}
682 
683 	/* None of the DS's worked out: check the DNSKEYs. */
684 	if(ta_dnskey) {
685 	    num = rrset_get_count(ta_dnskey);
686 	    for(i=0; i<num; i++) {
687 		/* Check to see if we can understand this DNSKEY */
688 		if(!dnskey_algo_is_supported(ta_dnskey, i))
689 			continue;
690 		if(!dnskey_size_is_supported(ta_dnskey, i))
691 			continue;
692 
693 		/* we saw a useful TA */
694 		has_useful_ta = 1;
695 
696 		sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
697 			ta_dnskey, i, reason, NULL, LDNS_SECTION_ANSWER, qstate);
698 		if(sec == sec_status_secure) {
699 			if(!sigalg || algo_needs_set_secure(&needs,
700 				(uint8_t)dnskey_get_algo(ta_dnskey, i))) {
701 				verbose(VERB_ALGO, "anchor matched DNSKEY.");
702 				if(!dnskeyset_size_is_supported(dnskey_rrset)) {
703 					verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure");
704 					return sec_status_insecure;
705 				}
706 				return sec_status_secure;
707 			}
708 		} else if(sigalg && sec == sec_status_bogus) {
709 			algo_needs_set_bogus(&needs,
710 				(uint8_t)dnskey_get_algo(ta_dnskey, i));
711 		}
712 	    }
713 	}
714 
715 	/* If no DSs were understandable, then this is OK. */
716 	if(!has_useful_ta) {
717 		verbose(VERB_ALGO, "No usable trust anchors were found -- "
718 			"treating as insecure.");
719 		return sec_status_insecure;
720 	}
721 	/* If any were understandable, then it is bad. */
722 	verbose(VERB_QUERY, "Failed to match any usable anchor to a DNSKEY.");
723 	if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
724 		algo_needs_reason(env, alg, reason, "missing verification of "
725 			"DNSKEY signature");
726 	}
727 	return sec_status_bogus;
728 }
729 
730 struct key_entry_key*
731 val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env,
732 	struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
733 	struct ub_packed_rrset_key* ta_ds_rrset,
734 	struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
735 	char** reason, sldns_ede_code *reason_bogus, struct module_qstate* qstate)
736 {
737 	uint8_t sigalg[ALGO_NEEDS_MAX+1];
738 	enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve,
739 		dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset,
740 		downprot?sigalg:NULL, reason, reason_bogus, qstate);
741 
742 	if(sec == sec_status_secure) {
743 		return key_entry_create_rrset(region,
744 			dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len,
745 			ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset,
746 			downprot?sigalg:NULL, *env->now);
747 	} else if(sec == sec_status_insecure) {
748 		return key_entry_create_null(region, dnskey_rrset->rk.dname,
749 			dnskey_rrset->rk.dname_len,
750 			ntohs(dnskey_rrset->rk.rrset_class),
751 			rrset_get_ttl(dnskey_rrset), *env->now);
752 	}
753 	return key_entry_create_bad(region, dnskey_rrset->rk.dname,
754 		dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class),
755 		BOGUS_KEY_TTL, *env->now);
756 }
757 
758 int
759 val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset)
760 {
761 	size_t i;
762 	for(i=0; i<rrset_get_count(ds_rrset); i++) {
763 		if(ds_digest_algo_is_supported(ds_rrset, i) &&
764 			ds_key_algo_is_supported(ds_rrset, i))
765 			return 1;
766 	}
767 	if(verbosity < VERB_ALGO)
768 		return 0;
769 	if(rrset_get_count(ds_rrset) == 0)
770 		verbose(VERB_ALGO, "DS is not usable");
771 	else {
772 		/* report usability for the first DS RR */
773 		sldns_lookup_table *lt;
774 		char herr[64], aerr[64];
775 		lt = sldns_lookup_by_id(sldns_hashes,
776 			(int)ds_get_digest_algo(ds_rrset, 0));
777 		if(lt) snprintf(herr, sizeof(herr), "%s", lt->name);
778 		else snprintf(herr, sizeof(herr), "%d",
779 			(int)ds_get_digest_algo(ds_rrset, 0));
780 		lt = sldns_lookup_by_id(sldns_algorithms,
781 			(int)ds_get_key_algo(ds_rrset, 0));
782 		if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name);
783 		else snprintf(aerr, sizeof(aerr), "%d",
784 			(int)ds_get_key_algo(ds_rrset, 0));
785 
786 		verbose(VERB_ALGO, "DS unsupported, hash %s %s, "
787 			"key algorithm %s %s", herr,
788 			(ds_digest_algo_is_supported(ds_rrset, 0)?
789 			"(supported)":"(unsupported)"), aerr,
790 			(ds_key_algo_is_supported(ds_rrset, 0)?
791 			"(supported)":"(unsupported)"));
792 	}
793 	return 0;
794 }
795 
796 /** get label count for a signature */
797 static uint8_t
798 rrsig_get_labcount(struct packed_rrset_data* d, size_t sig)
799 {
800 	if(d->rr_len[sig] < 2+4)
801 		return 0; /* bad sig length */
802 	return d->rr_data[sig][2+3];
803 }
804 
805 int
806 val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc,
807 	size_t* wc_len)
808 {
809 	struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
810 		entry.data;
811 	uint8_t labcount;
812 	int labdiff;
813 	uint8_t* wn;
814 	size_t i, wl;
815 	if(d->rrsig_count == 0) {
816 		return 1;
817 	}
818 	labcount = rrsig_get_labcount(d, d->count + 0);
819 	/* check rest of signatures identical */
820 	for(i=1; i<d->rrsig_count; i++) {
821 		if(labcount != rrsig_get_labcount(d, d->count + i)) {
822 			return 0;
823 		}
824 	}
825 	/* OK the rrsigs check out */
826 	/* if the RRSIG label count is shorter than the number of actual
827 	 * labels, then this rrset was synthesized from a wildcard.
828 	 * Note that the RRSIG label count doesn't count the root label. */
829 	wn = rrset->rk.dname;
830 	wl = rrset->rk.dname_len;
831 	/* skip a leading wildcard label in the dname (RFC4035 2.2) */
832 	if(dname_is_wild(wn)) {
833 		wn += 2;
834 		wl -= 2;
835 	}
836 	labdiff = (dname_count_labels(wn) - 1) - (int)labcount;
837 	if(labdiff > 0) {
838 		*wc = wn;
839 		dname_remove_labels(wc, &wl, labdiff);
840 		*wc_len = wl;
841 		return 1;
842 	}
843 	return 1;
844 }
845 
846 int
847 val_chase_cname(struct query_info* qchase, struct reply_info* rep,
848 	size_t* cname_skip) {
849 	size_t i;
850 	/* skip any DNAMEs, go to the CNAME for next part */
851 	for(i = *cname_skip; i < rep->an_numrrsets; i++) {
852 		if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME &&
853 			query_dname_compare(qchase->qname, rep->rrsets[i]->
854 				rk.dname) == 0) {
855 			qchase->qname = NULL;
856 			get_cname_target(rep->rrsets[i], &qchase->qname,
857 				&qchase->qname_len);
858 			if(!qchase->qname)
859 				return 0; /* bad CNAME rdata */
860 			(*cname_skip) = i+1;
861 			return 1;
862 		}
863 	}
864 	return 0; /* CNAME classified but no matching CNAME ?! */
865 }
866 
867 /** see if rrset has signer name as one of the rrsig signers */
868 static int
869 rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len)
870 {
871 	struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
872 		entry.data;
873 	size_t i;
874 	for(i = d->count; i< d->count+d->rrsig_count; i++) {
875 		if(d->rr_len[i] > 2+18+len) {
876 			/* at least rdatalen + signature + signame (+1 sig)*/
877 			if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18))
878 				continue;
879 			if(query_dname_compare(name, d->rr_data[i]+2+18) == 0)
880 			{
881 				return 1;
882 			}
883 		}
884 	}
885 	return 0;
886 }
887 
888 void
889 val_fill_reply(struct reply_info* chase, struct reply_info* orig,
890 	size_t skip, uint8_t* name, size_t len, uint8_t* signer)
891 {
892 	size_t i;
893 	int seen_dname = 0;
894 	chase->rrset_count = 0;
895 	chase->an_numrrsets = 0;
896 	chase->ns_numrrsets = 0;
897 	chase->ar_numrrsets = 0;
898 	/* ANSWER section */
899 	for(i=skip; i<orig->an_numrrsets; i++) {
900 		if(!signer) {
901 			if(query_dname_compare(name,
902 				orig->rrsets[i]->rk.dname) == 0)
903 				chase->rrsets[chase->an_numrrsets++] =
904 					orig->rrsets[i];
905 		} else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) ==
906 			LDNS_RR_TYPE_CNAME) {
907 			chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
908 			seen_dname = 0;
909 		} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
910 			chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
911 			if(ntohs(orig->rrsets[i]->rk.type) ==
912 				LDNS_RR_TYPE_DNAME) {
913 					seen_dname = 1;
914 			}
915 		}
916 	}
917 	/* AUTHORITY section */
918 	for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets;
919 		i<orig->an_numrrsets+orig->ns_numrrsets;
920 		i++) {
921 		if(!signer) {
922 			if(query_dname_compare(name,
923 				orig->rrsets[i]->rk.dname) == 0)
924 				chase->rrsets[chase->an_numrrsets+
925 				    chase->ns_numrrsets++] = orig->rrsets[i];
926 		} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
927 			chase->rrsets[chase->an_numrrsets+
928 				chase->ns_numrrsets++] = orig->rrsets[i];
929 		}
930 	}
931 	/* ADDITIONAL section */
932 	for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)?
933 		skip:orig->an_numrrsets+orig->ns_numrrsets;
934 		i<orig->rrset_count; i++) {
935 		if(!signer) {
936 			if(query_dname_compare(name,
937 				orig->rrsets[i]->rk.dname) == 0)
938 			    chase->rrsets[chase->an_numrrsets
939 				+orig->ns_numrrsets+chase->ar_numrrsets++]
940 				= orig->rrsets[i];
941 		} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
942 			chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
943 				chase->ar_numrrsets++] = orig->rrsets[i];
944 		}
945 	}
946 	chase->rrset_count = chase->an_numrrsets + chase->ns_numrrsets +
947 		chase->ar_numrrsets;
948 }
949 
950 void val_reply_remove_auth(struct reply_info* rep, size_t index)
951 {
952 	log_assert(index < rep->rrset_count);
953 	log_assert(index >= rep->an_numrrsets);
954 	log_assert(index < rep->an_numrrsets+rep->ns_numrrsets);
955 	memmove(rep->rrsets+index, rep->rrsets+index+1,
956 		sizeof(struct ub_packed_rrset_key*)*
957 		(rep->rrset_count - index - 1));
958 	rep->ns_numrrsets--;
959 	rep->rrset_count--;
960 }
961 
962 void
963 val_check_nonsecure(struct module_env* env, struct reply_info* rep)
964 {
965 	size_t i;
966 	/* authority */
967 	for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
968 		if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
969 			->security != sec_status_secure) {
970 			/* because we want to return the authentic original
971 			 * message when presented with CD-flagged queries,
972 			 * we need to preserve AUTHORITY section data.
973 			 * However, this rrset is not signed or signed
974 			 * with the wrong keys. Validation has tried to
975 			 * verify this rrset with the keysets of import.
976 			 * But this rrset did not verify.
977 			 * Therefore the message is bogus.
978 			 */
979 
980 			/* check if authority has an NS record
981 			 * which is bad, and there is an answer section with
982 			 * data.  In that case, delete NS and additional to
983 			 * be lenient and make a minimal response */
984 			if(rep->an_numrrsets != 0 &&
985 				ntohs(rep->rrsets[i]->rk.type)
986 				== LDNS_RR_TYPE_NS) {
987 				verbose(VERB_ALGO, "truncate to minimal");
988 				rep->ar_numrrsets = 0;
989 				rep->rrset_count = rep->an_numrrsets +
990 					rep->ns_numrrsets;
991 				/* remove this unneeded authority rrset */
992 				memmove(rep->rrsets+i, rep->rrsets+i+1,
993 					sizeof(struct ub_packed_rrset_key*)*
994 					(rep->rrset_count - i - 1));
995 				rep->ns_numrrsets--;
996 				rep->rrset_count--;
997 				i--;
998 				return;
999 			}
1000 
1001 			log_nametypeclass(VERB_QUERY, "message is bogus, "
1002 				"non secure rrset",
1003 				rep->rrsets[i]->rk.dname,
1004 				ntohs(rep->rrsets[i]->rk.type),
1005 				ntohs(rep->rrsets[i]->rk.rrset_class));
1006 			rep->security = sec_status_bogus;
1007 			return;
1008 		}
1009 	}
1010 	/* additional */
1011 	if(!env->cfg->val_clean_additional)
1012 		return;
1013 	for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
1014 		if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
1015 			->security != sec_status_secure) {
1016 			/* This does not cause message invalidation. It was
1017 			 * simply unsigned data in the additional. The
1018 			 * RRSIG must have been truncated off the message.
1019 			 *
1020 			 * However, we do not want to return possible bogus
1021 			 * data to clients that rely on this service for
1022 			 * their authentication.
1023 			 */
1024 			/* remove this unneeded additional rrset */
1025 			memmove(rep->rrsets+i, rep->rrsets+i+1,
1026 				sizeof(struct ub_packed_rrset_key*)*
1027 				(rep->rrset_count - i - 1));
1028 			rep->ar_numrrsets--;
1029 			rep->rrset_count--;
1030 			i--;
1031 		}
1032 	}
1033 }
1034 
1035 /** check no anchor and unlock */
1036 static int
1037 check_no_anchor(struct val_anchors* anchors, uint8_t* nm, size_t l, uint16_t c)
1038 {
1039 	struct trust_anchor* ta;
1040 	if((ta=anchors_lookup(anchors, nm, l, c))) {
1041 		lock_basic_unlock(&ta->lock);
1042 	}
1043 	return !ta;
1044 }
1045 
1046 void
1047 val_mark_indeterminate(struct reply_info* rep, struct val_anchors* anchors,
1048 	struct rrset_cache* r, struct module_env* env)
1049 {
1050 	size_t i;
1051 	struct packed_rrset_data* d;
1052 	for(i=0; i<rep->rrset_count; i++) {
1053 		d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1054 		if(d->security == sec_status_unchecked &&
1055 		   check_no_anchor(anchors, rep->rrsets[i]->rk.dname,
1056 			rep->rrsets[i]->rk.dname_len,
1057 			ntohs(rep->rrsets[i]->rk.rrset_class)))
1058 		{
1059 			/* mark as indeterminate */
1060 			d->security = sec_status_indeterminate;
1061 			rrset_update_sec_status(r, rep->rrsets[i], *env->now);
1062 		}
1063 	}
1064 }
1065 
1066 void
1067 val_mark_insecure(struct reply_info* rep, uint8_t* kname,
1068 	struct rrset_cache* r, struct module_env* env)
1069 {
1070 	size_t i;
1071 	struct packed_rrset_data* d;
1072 	for(i=0; i<rep->rrset_count; i++) {
1073 		d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1074 		if(d->security == sec_status_unchecked &&
1075 		   dname_subdomain_c(rep->rrsets[i]->rk.dname, kname)) {
1076 			/* mark as insecure */
1077 			d->security = sec_status_insecure;
1078 			rrset_update_sec_status(r, rep->rrsets[i], *env->now);
1079 		}
1080 	}
1081 }
1082 
1083 size_t
1084 val_next_unchecked(struct reply_info* rep, size_t skip)
1085 {
1086 	size_t i;
1087 	struct packed_rrset_data* d;
1088 	for(i=skip+1; i<rep->rrset_count; i++) {
1089 		d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1090 		if(d->security == sec_status_unchecked) {
1091 			return i;
1092 		}
1093 	}
1094 	return rep->rrset_count;
1095 }
1096 
1097 const char*
1098 val_classification_to_string(enum val_classification subtype)
1099 {
1100 	switch(subtype) {
1101 		case VAL_CLASS_UNTYPED: 	return "untyped";
1102 		case VAL_CLASS_UNKNOWN: 	return "unknown";
1103 		case VAL_CLASS_POSITIVE: 	return "positive";
1104 		case VAL_CLASS_CNAME: 		return "cname";
1105 		case VAL_CLASS_NODATA: 		return "nodata";
1106 		case VAL_CLASS_NAMEERROR: 	return "nameerror";
1107 		case VAL_CLASS_CNAMENOANSWER: 	return "cnamenoanswer";
1108 		case VAL_CLASS_REFERRAL: 	return "referral";
1109 		case VAL_CLASS_ANY: 		return "qtype_any";
1110 		default:
1111 			return "bad_val_classification";
1112 	}
1113 }
1114 
1115 /** log a sock_list entry */
1116 static void
1117 sock_list_logentry(enum verbosity_value v, const char* s, struct sock_list* p)
1118 {
1119 	if(p->len)
1120 		log_addr(v, s, &p->addr, p->len);
1121 	else	verbose(v, "%s cache", s);
1122 }
1123 
1124 void val_blacklist(struct sock_list** blacklist, struct regional* region,
1125 	struct sock_list* origin, int cross)
1126 {
1127 	/* debug printout */
1128 	if(verbosity >= VERB_ALGO) {
1129 		struct sock_list* p;
1130 		for(p=*blacklist; p; p=p->next)
1131 			sock_list_logentry(VERB_ALGO, "blacklist", p);
1132 		if(!origin)
1133 			verbose(VERB_ALGO, "blacklist add: cache");
1134 		for(p=origin; p; p=p->next)
1135 			sock_list_logentry(VERB_ALGO, "blacklist add", p);
1136 	}
1137 	/* blacklist the IPs or the cache */
1138 	if(!origin) {
1139 		/* only add if nothing there. anything else also stops cache*/
1140 		if(!*blacklist)
1141 			sock_list_insert(blacklist, NULL, 0, region);
1142 	} else if(!cross)
1143 		sock_list_prepend(blacklist, origin);
1144 	else	sock_list_merge(blacklist, region, origin);
1145 }
1146 
1147 int val_has_signed_nsecs(struct reply_info* rep, char** reason)
1148 {
1149 	size_t i, num_nsec = 0, num_nsec3 = 0;
1150 	struct packed_rrset_data* d;
1151 	for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
1152 		if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC))
1153 			num_nsec++;
1154 		else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3))
1155 			num_nsec3++;
1156 		else continue;
1157 		d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1158 		if(d && d->rrsig_count != 0) {
1159 			return 1;
1160 		}
1161 	}
1162 	if(num_nsec == 0 && num_nsec3 == 0)
1163 		*reason = "no DNSSEC records";
1164 	else if(num_nsec != 0)
1165 		*reason = "no signatures over NSECs";
1166 	else	*reason = "no signatures over NSEC3s";
1167 	return 0;
1168 }
1169 
1170 struct dns_msg*
1171 val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c,
1172 	struct regional* region, uint8_t* topname)
1173 {
1174 	struct dns_msg* msg;
1175 	struct query_info qinfo;
1176 	struct ub_packed_rrset_key *rrset = rrset_cache_lookup(
1177 		env->rrset_cache, nm, nmlen, LDNS_RR_TYPE_DS, c, 0,
1178 		*env->now, 0);
1179 	if(rrset) {
1180 		/* DS rrset exists. Return it to the validator immediately*/
1181 		struct ub_packed_rrset_key* copy = packed_rrset_copy_region(
1182 			rrset, region, *env->now);
1183 		lock_rw_unlock(&rrset->entry.lock);
1184 		if(!copy)
1185 			return NULL;
1186 		msg = dns_msg_create(nm, nmlen, LDNS_RR_TYPE_DS, c, region, 1);
1187 		if(!msg)
1188 			return NULL;
1189 		msg->rep->rrsets[0] = copy;
1190 		msg->rep->rrset_count++;
1191 		msg->rep->an_numrrsets++;
1192 		return msg;
1193 	}
1194 	/* lookup in rrset and negative cache for NSEC/NSEC3 */
1195 	qinfo.qname = nm;
1196 	qinfo.qname_len = nmlen;
1197 	qinfo.qtype = LDNS_RR_TYPE_DS;
1198 	qinfo.qclass = c;
1199 	qinfo.local_alias = NULL;
1200 	/* do not add SOA to reply message, it is going to be used internal */
1201 	msg = val_neg_getmsg(env->neg_cache, &qinfo, region, env->rrset_cache,
1202 		env->scratch_buffer, *env->now, 0, topname, env->cfg);
1203 	return msg;
1204 }
1205