1 /* 2 * validator/val_utils.c - validator utility functions. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 */ 41 #include "config.h" 42 #include "validator/val_utils.h" 43 #include "validator/validator.h" 44 #include "validator/val_kentry.h" 45 #include "validator/val_sigcrypt.h" 46 #include "validator/val_anchor.h" 47 #include "validator/val_nsec.h" 48 #include "validator/val_neg.h" 49 #include "services/cache/rrset.h" 50 #include "services/cache/dns.h" 51 #include "util/data/msgreply.h" 52 #include "util/data/packed_rrset.h" 53 #include "util/data/dname.h" 54 #include "util/net_help.h" 55 #include "util/module.h" 56 #include "util/regional.h" 57 #include "util/config_file.h" 58 #include "sldns/wire2str.h" 59 #include "sldns/parseutil.h" 60 61 enum val_classification 62 val_classify_response(uint16_t query_flags, struct query_info* origqinf, 63 struct query_info* qinf, struct reply_info* rep, size_t skip) 64 { 65 int rcode = (int)FLAGS_GET_RCODE(rep->flags); 66 size_t i; 67 68 /* Normal Name Error's are easy to detect -- but don't mistake a CNAME 69 * chain ending in NXDOMAIN. */ 70 if(rcode == LDNS_RCODE_NXDOMAIN && rep->an_numrrsets == 0) 71 return VAL_CLASS_NAMEERROR; 72 73 /* check for referral: nonRD query and it looks like a nodata */ 74 if(!(query_flags&BIT_RD) && rep->an_numrrsets == 0 && 75 rcode == LDNS_RCODE_NOERROR) { 76 /* SOA record in auth indicates it is NODATA instead. 77 * All validation requiring NODATA messages have SOA in 78 * authority section. */ 79 /* uses fact that answer section is empty */ 80 int saw_ns = 0; 81 for(i=0; i<rep->ns_numrrsets; i++) { 82 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA) 83 return VAL_CLASS_NODATA; 84 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DS) 85 return VAL_CLASS_REFERRAL; 86 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS) 87 saw_ns = 1; 88 } 89 return saw_ns?VAL_CLASS_REFERRAL:VAL_CLASS_NODATA; 90 } 91 /* root referral where NS set is in the answer section */ 92 if(!(query_flags&BIT_RD) && rep->ns_numrrsets == 0 && 93 rep->an_numrrsets == 1 && rcode == LDNS_RCODE_NOERROR && 94 ntohs(rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_NS && 95 query_dname_compare(rep->rrsets[0]->rk.dname, 96 origqinf->qname) != 0) 97 return VAL_CLASS_REFERRAL; 98 99 /* dump bad messages */ 100 if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN) 101 return VAL_CLASS_UNKNOWN; 102 /* next check if the skip into the answer section shows no answer */ 103 if(skip>0 && rep->an_numrrsets <= skip) 104 return VAL_CLASS_CNAMENOANSWER; 105 106 /* Next is NODATA */ 107 if(rcode == LDNS_RCODE_NOERROR && rep->an_numrrsets == 0) 108 return VAL_CLASS_NODATA; 109 110 /* We distinguish between CNAME response and other positive/negative 111 * responses because CNAME answers require extra processing. */ 112 113 /* We distinguish between ANY and CNAME or POSITIVE because 114 * ANY responses are validated differently. */ 115 if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY) 116 return VAL_CLASS_ANY; 117 118 /* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless 119 * qtype=CNAME, this will yield a CNAME response. */ 120 for(i=skip; i<rep->an_numrrsets; i++) { 121 if(rcode == LDNS_RCODE_NOERROR && 122 ntohs(rep->rrsets[i]->rk.type) == qinf->qtype) 123 return VAL_CLASS_POSITIVE; 124 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME) 125 return VAL_CLASS_CNAME; 126 } 127 log_dns_msg("validator: error. failed to classify response message: ", 128 qinf, rep); 129 return VAL_CLASS_UNKNOWN; 130 } 131 132 /** Get signer name from RRSIG */ 133 static void 134 rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen) 135 { 136 /* RRSIG rdata is not allowed to be compressed, it is stored 137 * uncompressed in memory as well, so return a ptr to the name */ 138 if(len < 21) { 139 /* too short RRSig: 140 * short, byte, byte, long, long, long, short, "." is 141 * 2 1 1 4 4 4 2 1 = 19 142 * and a skip of 18 bytes to the name. 143 * +2 for the rdatalen is 21 bytes len for root label */ 144 *sname = NULL; 145 *slen = 0; 146 return; 147 } 148 data += 20; /* skip the fixed size bits */ 149 len -= 20; 150 *slen = dname_valid(data, len); 151 if(!*slen) { 152 /* bad dname in this rrsig. */ 153 *sname = NULL; 154 return; 155 } 156 *sname = data; 157 } 158 159 void 160 val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname, 161 size_t* slen) 162 { 163 struct packed_rrset_data* d = (struct packed_rrset_data*) 164 rrset->entry.data; 165 /* return signer for first signature, or NULL */ 166 if(d->rrsig_count == 0) { 167 *sname = NULL; 168 *slen = 0; 169 return; 170 } 171 /* get rrsig signer name out of the signature */ 172 rrsig_get_signer(d->rr_data[d->count], d->rr_len[d->count], 173 sname, slen); 174 } 175 176 /** 177 * Find best signer name in this set of rrsigs. 178 * @param rrset: which rrsigs to look through. 179 * @param qinf: the query name that needs validation. 180 * @param signer_name: the best signer_name. Updated if a better one is found. 181 * @param signer_len: length of signer name. 182 * @param matchcount: count of current best name (starts at 0 for no match). 183 * Updated if match is improved. 184 */ 185 static void 186 val_find_best_signer(struct ub_packed_rrset_key* rrset, 187 struct query_info* qinf, uint8_t** signer_name, size_t* signer_len, 188 int* matchcount) 189 { 190 struct packed_rrset_data* d = (struct packed_rrset_data*) 191 rrset->entry.data; 192 uint8_t* sign; 193 size_t i; 194 int m; 195 for(i=d->count; i<d->count+d->rrsig_count; i++) { 196 sign = d->rr_data[i]+2+18; 197 /* look at signatures that are valid (long enough), 198 * and have a signer name that is a superdomain of qname, 199 * and then check the number of labels in the shared topdomain 200 * improve the match if possible */ 201 if(d->rr_len[i] > 2+19 && /* rdata, sig + root label*/ 202 dname_subdomain_c(qinf->qname, sign)) { 203 (void)dname_lab_cmp(qinf->qname, 204 dname_count_labels(qinf->qname), 205 sign, dname_count_labels(sign), &m); 206 if(m > *matchcount) { 207 *matchcount = m; 208 *signer_name = sign; 209 (void)dname_count_size_labels(*signer_name, 210 signer_len); 211 } 212 } 213 } 214 } 215 216 void 217 val_find_signer(enum val_classification subtype, struct query_info* qinf, 218 struct reply_info* rep, size_t skip, uint8_t** signer_name, 219 size_t* signer_len) 220 { 221 size_t i; 222 223 if(subtype == VAL_CLASS_POSITIVE) { 224 /* check for the answer rrset */ 225 for(i=skip; i<rep->an_numrrsets; i++) { 226 if(query_dname_compare(qinf->qname, 227 rep->rrsets[i]->rk.dname) == 0) { 228 val_find_rrset_signer(rep->rrsets[i], 229 signer_name, signer_len); 230 return; 231 } 232 } 233 *signer_name = NULL; 234 *signer_len = 0; 235 } else if(subtype == VAL_CLASS_CNAME) { 236 /* check for the first signed cname/dname rrset */ 237 for(i=skip; i<rep->an_numrrsets; i++) { 238 val_find_rrset_signer(rep->rrsets[i], 239 signer_name, signer_len); 240 if(*signer_name) 241 return; 242 if(ntohs(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_DNAME) 243 break; /* only check CNAME after a DNAME */ 244 } 245 *signer_name = NULL; 246 *signer_len = 0; 247 } else if(subtype == VAL_CLASS_NAMEERROR 248 || subtype == VAL_CLASS_NODATA) { 249 /*Check to see if the AUTH section NSEC record(s) have rrsigs*/ 250 for(i=rep->an_numrrsets; i< 251 rep->an_numrrsets+rep->ns_numrrsets; i++) { 252 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC 253 || ntohs(rep->rrsets[i]->rk.type) == 254 LDNS_RR_TYPE_NSEC3) { 255 val_find_rrset_signer(rep->rrsets[i], 256 signer_name, signer_len); 257 return; 258 } 259 } 260 } else if(subtype == VAL_CLASS_CNAMENOANSWER) { 261 /* find closest superdomain signer name in authority section 262 * NSEC and NSEC3s */ 263 int matchcount = 0; 264 *signer_name = NULL; 265 *signer_len = 0; 266 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep-> 267 ns_numrrsets; i++) { 268 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC 269 || ntohs(rep->rrsets[i]->rk.type) == 270 LDNS_RR_TYPE_NSEC3) { 271 val_find_best_signer(rep->rrsets[i], qinf, 272 signer_name, signer_len, &matchcount); 273 } 274 } 275 } else if(subtype == VAL_CLASS_ANY) { 276 /* check for one of the answer rrset that has signatures, 277 * or potentially a DNAME is in use with a different qname */ 278 for(i=skip; i<rep->an_numrrsets; i++) { 279 if(query_dname_compare(qinf->qname, 280 rep->rrsets[i]->rk.dname) == 0) { 281 val_find_rrset_signer(rep->rrsets[i], 282 signer_name, signer_len); 283 if(*signer_name) 284 return; 285 } 286 } 287 /* no answer RRSIGs with qname, try a DNAME */ 288 if(skip < rep->an_numrrsets && 289 ntohs(rep->rrsets[skip]->rk.type) == 290 LDNS_RR_TYPE_DNAME) { 291 val_find_rrset_signer(rep->rrsets[skip], 292 signer_name, signer_len); 293 if(*signer_name) 294 return; 295 } 296 *signer_name = NULL; 297 *signer_len = 0; 298 } else if(subtype == VAL_CLASS_REFERRAL) { 299 /* find keys for the item at skip */ 300 if(skip < rep->rrset_count) { 301 val_find_rrset_signer(rep->rrsets[skip], 302 signer_name, signer_len); 303 return; 304 } 305 *signer_name = NULL; 306 *signer_len = 0; 307 } else { 308 verbose(VERB_QUERY, "find_signer: could not find signer name" 309 " for unknown type response"); 310 *signer_name = NULL; 311 *signer_len = 0; 312 } 313 } 314 315 /** return number of rrs in an rrset */ 316 static size_t 317 rrset_get_count(struct ub_packed_rrset_key* rrset) 318 { 319 struct packed_rrset_data* d = (struct packed_rrset_data*) 320 rrset->entry.data; 321 if(!d) return 0; 322 return d->count; 323 } 324 325 /** return TTL of rrset */ 326 static uint32_t 327 rrset_get_ttl(struct ub_packed_rrset_key* rrset) 328 { 329 struct packed_rrset_data* d = (struct packed_rrset_data*) 330 rrset->entry.data; 331 if(!d) return 0; 332 return d->ttl; 333 } 334 335 static enum sec_status 336 val_verify_rrset(struct module_env* env, struct val_env* ve, 337 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys, 338 uint8_t* sigalg, char** reason, sldns_ede_code *reason_bogus, 339 sldns_pkt_section section, struct module_qstate* qstate) 340 { 341 enum sec_status sec; 342 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> 343 entry.data; 344 if(d->security == sec_status_secure) { 345 /* re-verify all other statuses, because keyset may change*/ 346 log_nametypeclass(VERB_ALGO, "verify rrset cached", 347 rrset->rk.dname, ntohs(rrset->rk.type), 348 ntohs(rrset->rk.rrset_class)); 349 return d->security; 350 } 351 /* check in the cache if verification has already been done */ 352 rrset_check_sec_status(env->rrset_cache, rrset, *env->now); 353 if(d->security == sec_status_secure) { 354 log_nametypeclass(VERB_ALGO, "verify rrset from cache", 355 rrset->rk.dname, ntohs(rrset->rk.type), 356 ntohs(rrset->rk.rrset_class)); 357 return d->security; 358 } 359 log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname, 360 ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class)); 361 sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason, 362 reason_bogus, section, qstate); 363 verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec)); 364 regional_free_all(env->scratch); 365 366 /* update rrset security status 367 * only improves security status 368 * and bogus is set only once, even if we rechecked the status */ 369 if(sec > d->security) { 370 d->security = sec; 371 if(sec == sec_status_secure) 372 d->trust = rrset_trust_validated; 373 else if(sec == sec_status_bogus) { 374 size_t i; 375 /* update ttl for rrset to fixed value. */ 376 d->ttl = ve->bogus_ttl; 377 for(i=0; i<d->count+d->rrsig_count; i++) 378 d->rr_ttl[i] = ve->bogus_ttl; 379 /* leave RR specific TTL: not used for determine 380 * if RRset timed out and clients see proper value. */ 381 lock_basic_lock(&ve->bogus_lock); 382 ve->num_rrset_bogus++; 383 lock_basic_unlock(&ve->bogus_lock); 384 } 385 /* if status updated - store in cache for reuse */ 386 rrset_update_sec_status(env->rrset_cache, rrset, *env->now); 387 } 388 389 return sec; 390 } 391 392 enum sec_status 393 val_verify_rrset_entry(struct module_env* env, struct val_env* ve, 394 struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey, 395 char** reason, sldns_ede_code *reason_bogus, 396 sldns_pkt_section section, struct module_qstate* qstate) 397 { 398 /* temporary dnskey rrset-key */ 399 struct ub_packed_rrset_key dnskey; 400 struct key_entry_data* kd = (struct key_entry_data*)kkey->entry.data; 401 enum sec_status sec; 402 dnskey.rk.type = htons(kd->rrset_type); 403 dnskey.rk.rrset_class = htons(kkey->key_class); 404 dnskey.rk.flags = 0; 405 dnskey.rk.dname = kkey->name; 406 dnskey.rk.dname_len = kkey->namelen; 407 dnskey.entry.key = &dnskey; 408 dnskey.entry.data = kd->rrset_data; 409 sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason, 410 reason_bogus, section, qstate); 411 return sec; 412 } 413 414 /** verify that a DS RR hashes to a key and that key signs the set */ 415 static enum sec_status 416 verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve, 417 struct ub_packed_rrset_key* dnskey_rrset, 418 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason, 419 sldns_ede_code *reason_bogus, struct module_qstate* qstate) 420 { 421 enum sec_status sec = sec_status_bogus; 422 size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0; 423 num = rrset_get_count(dnskey_rrset); 424 for(i=0; i<num; i++) { 425 /* Skip DNSKEYs that don't match the basic criteria. */ 426 if(ds_get_key_algo(ds_rrset, ds_idx) 427 != dnskey_get_algo(dnskey_rrset, i) 428 || dnskey_calc_keytag(dnskey_rrset, i) 429 != ds_get_keytag(ds_rrset, ds_idx)) { 430 continue; 431 } 432 numchecked++; 433 verbose(VERB_ALGO, "attempt DS match algo %d keytag %d", 434 ds_get_key_algo(ds_rrset, ds_idx), 435 ds_get_keytag(ds_rrset, ds_idx)); 436 437 /* Convert the candidate DNSKEY into a hash using the 438 * same DS hash algorithm. */ 439 if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset, 440 ds_idx)) { 441 verbose(VERB_ALGO, "DS match attempt failed"); 442 continue; 443 } 444 numhashok++; 445 if(!dnskey_size_is_supported(dnskey_rrset, i)) { 446 verbose(VERB_ALGO, "DS okay but that DNSKEY size is not supported"); 447 numsizesupp++; 448 continue; 449 } 450 verbose(VERB_ALGO, "DS match digest ok, trying signature"); 451 452 /* Otherwise, we have a match! Make sure that the DNSKEY 453 * verifies *with this key* */ 454 sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, 455 i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate); 456 if(sec == sec_status_secure) { 457 return sec; 458 } 459 /* If it didn't validate with the DNSKEY, try the next one! */ 460 } 461 if(numsizesupp != 0 || sec == sec_status_indeterminate) { 462 /* there is a working DS, but that DNSKEY is not supported */ 463 return sec_status_insecure; 464 } 465 if(numchecked == 0) 466 algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx), 467 reason, "no keys have a DS"); 468 else if(numhashok == 0) 469 *reason = "DS hash mismatches key"; 470 else if(!*reason) 471 *reason = "keyset not secured by DNSKEY that matches DS"; 472 return sec_status_bogus; 473 } 474 475 int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset) 476 { 477 size_t i, num = rrset_get_count(ds_rrset); 478 int d, digest_algo = 0; /* DS digest algo 0 is not used. */ 479 /* find favorite algo, for now, highest number supported */ 480 for(i=0; i<num; i++) { 481 if(!ds_digest_algo_is_supported(ds_rrset, i) || 482 !ds_key_algo_is_supported(ds_rrset, i)) { 483 continue; 484 } 485 d = ds_get_digest_algo(ds_rrset, i); 486 if(d > digest_algo) 487 digest_algo = d; 488 } 489 return digest_algo; 490 } 491 492 enum sec_status 493 val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve, 494 struct ub_packed_rrset_key* dnskey_rrset, 495 struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason, 496 sldns_ede_code *reason_bogus, struct module_qstate* qstate) 497 { 498 /* as long as this is false, we can consider this DS rrset to be 499 * equivalent to no DS rrset. */ 500 int has_useful_ds = 0, digest_algo, alg; 501 struct algo_needs needs; 502 size_t i, num; 503 enum sec_status sec; 504 505 if(dnskey_rrset->rk.dname_len != ds_rrset->rk.dname_len || 506 query_dname_compare(dnskey_rrset->rk.dname, ds_rrset->rk.dname) 507 != 0) { 508 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset " 509 "by name"); 510 *reason = "DNSKEY RRset did not match DS RRset by name"; 511 return sec_status_bogus; 512 } 513 514 if(sigalg) { 515 /* harden against algo downgrade is enabled */ 516 digest_algo = val_favorite_ds_algo(ds_rrset); 517 algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg); 518 } else { 519 /* accept any key algo, any digest algo */ 520 digest_algo = -1; 521 } 522 num = rrset_get_count(ds_rrset); 523 for(i=0; i<num; i++) { 524 /* Check to see if we can understand this DS. 525 * And check it is the strongest digest */ 526 if(!ds_digest_algo_is_supported(ds_rrset, i) || 527 !ds_key_algo_is_supported(ds_rrset, i) || 528 (sigalg && (ds_get_digest_algo(ds_rrset, i) != digest_algo))) { 529 continue; 530 } 531 532 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, 533 ds_rrset, i, reason, reason_bogus, qstate); 534 if(sec == sec_status_insecure) 535 continue; 536 537 /* Once we see a single DS with a known digestID and 538 * algorithm, we cannot return INSECURE (with a 539 * "null" KeyEntry). */ 540 has_useful_ds = 1; 541 542 if(sec == sec_status_secure) { 543 if(!sigalg || algo_needs_set_secure(&needs, 544 (uint8_t)ds_get_key_algo(ds_rrset, i))) { 545 verbose(VERB_ALGO, "DS matched DNSKEY."); 546 if(!dnskeyset_size_is_supported(dnskey_rrset)) { 547 verbose(VERB_ALGO, "DS works, but dnskeyset contain keys that are unsupported, treat as insecure"); 548 return sec_status_insecure; 549 } 550 return sec_status_secure; 551 } 552 } else if(sigalg && sec == sec_status_bogus) { 553 algo_needs_set_bogus(&needs, 554 (uint8_t)ds_get_key_algo(ds_rrset, i)); 555 } 556 } 557 558 /* None of the DS's worked out. */ 559 560 /* If no DSs were understandable, then this is OK. */ 561 if(!has_useful_ds) { 562 verbose(VERB_ALGO, "No usable DS records were found -- " 563 "treating as insecure."); 564 return sec_status_insecure; 565 } 566 /* If any were understandable, then it is bad. */ 567 verbose(VERB_QUERY, "Failed to match any usable DS to a DNSKEY."); 568 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) { 569 algo_needs_reason(env, alg, reason, "missing verification of " 570 "DNSKEY signature"); 571 } 572 return sec_status_bogus; 573 } 574 575 struct key_entry_key* 576 val_verify_new_DNSKEYs(struct regional* region, struct module_env* env, 577 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 578 struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason, 579 sldns_ede_code *reason_bogus, struct module_qstate* qstate) 580 { 581 uint8_t sigalg[ALGO_NEEDS_MAX+1]; 582 enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve, 583 dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason, 584 reason_bogus, qstate); 585 586 if(sec == sec_status_secure) { 587 return key_entry_create_rrset(region, 588 ds_rrset->rk.dname, ds_rrset->rk.dname_len, 589 ntohs(ds_rrset->rk.rrset_class), dnskey_rrset, 590 downprot?sigalg:NULL, LDNS_EDE_NONE, NULL, 591 *env->now); 592 } else if(sec == sec_status_insecure) { 593 return key_entry_create_null(region, ds_rrset->rk.dname, 594 ds_rrset->rk.dname_len, 595 ntohs(ds_rrset->rk.rrset_class), 596 rrset_get_ttl(ds_rrset), *reason_bogus, *reason, 597 *env->now); 598 } 599 return key_entry_create_bad(region, ds_rrset->rk.dname, 600 ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class), 601 BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now); 602 } 603 604 enum sec_status 605 val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve, 606 struct ub_packed_rrset_key* dnskey_rrset, 607 struct ub_packed_rrset_key* ta_ds, 608 struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason, 609 sldns_ede_code *reason_bogus, struct module_qstate* qstate) 610 { 611 /* as long as this is false, we can consider this anchor to be 612 * equivalent to no anchor. */ 613 int has_useful_ta = 0, digest_algo = 0, alg; 614 struct algo_needs needs; 615 size_t i, num; 616 enum sec_status sec; 617 618 if(ta_ds && (dnskey_rrset->rk.dname_len != ta_ds->rk.dname_len || 619 query_dname_compare(dnskey_rrset->rk.dname, ta_ds->rk.dname) 620 != 0)) { 621 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset " 622 "by name"); 623 *reason = "DNSKEY RRset did not match DS RRset by name"; 624 if(reason_bogus) 625 *reason_bogus = LDNS_EDE_DNSKEY_MISSING; 626 return sec_status_bogus; 627 } 628 if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len 629 || query_dname_compare(dnskey_rrset->rk.dname, ta_dnskey->rk.dname) 630 != 0)) { 631 verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset " 632 "by name"); 633 *reason = "DNSKEY RRset did not match anchor RRset by name"; 634 if(reason_bogus) 635 *reason_bogus = LDNS_EDE_DNSKEY_MISSING; 636 return sec_status_bogus; 637 } 638 639 if(ta_ds) 640 digest_algo = val_favorite_ds_algo(ta_ds); 641 if(sigalg) { 642 if(ta_ds) 643 algo_needs_init_ds(&needs, ta_ds, digest_algo, sigalg); 644 else memset(&needs, 0, sizeof(needs)); 645 if(ta_dnskey) 646 algo_needs_init_dnskey_add(&needs, ta_dnskey, sigalg); 647 } 648 if(ta_ds) { 649 num = rrset_get_count(ta_ds); 650 for(i=0; i<num; i++) { 651 /* Check to see if we can understand this DS. 652 * And check it is the strongest digest */ 653 if(!ds_digest_algo_is_supported(ta_ds, i) || 654 !ds_key_algo_is_supported(ta_ds, i) || 655 ds_get_digest_algo(ta_ds, i) != digest_algo) 656 continue; 657 658 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, 659 ta_ds, i, reason, reason_bogus, qstate); 660 if(sec == sec_status_insecure) 661 continue; 662 663 /* Once we see a single DS with a known digestID and 664 * algorithm, we cannot return INSECURE (with a 665 * "null" KeyEntry). */ 666 has_useful_ta = 1; 667 668 if(sec == sec_status_secure) { 669 if(!sigalg || algo_needs_set_secure(&needs, 670 (uint8_t)ds_get_key_algo(ta_ds, i))) { 671 verbose(VERB_ALGO, "DS matched DNSKEY."); 672 if(!dnskeyset_size_is_supported(dnskey_rrset)) { 673 verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure"); 674 return sec_status_insecure; 675 } 676 return sec_status_secure; 677 } 678 } else if(sigalg && sec == sec_status_bogus) { 679 algo_needs_set_bogus(&needs, 680 (uint8_t)ds_get_key_algo(ta_ds, i)); 681 } 682 } 683 } 684 685 /* None of the DS's worked out: check the DNSKEYs. */ 686 if(ta_dnskey) { 687 num = rrset_get_count(ta_dnskey); 688 for(i=0; i<num; i++) { 689 /* Check to see if we can understand this DNSKEY */ 690 if(!dnskey_algo_is_supported(ta_dnskey, i)) 691 continue; 692 if(!dnskey_size_is_supported(ta_dnskey, i)) 693 continue; 694 695 /* we saw a useful TA */ 696 has_useful_ta = 1; 697 698 sec = dnskey_verify_rrset(env, ve, dnskey_rrset, 699 ta_dnskey, i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate); 700 if(sec == sec_status_secure) { 701 if(!sigalg || algo_needs_set_secure(&needs, 702 (uint8_t)dnskey_get_algo(ta_dnskey, i))) { 703 verbose(VERB_ALGO, "anchor matched DNSKEY."); 704 if(!dnskeyset_size_is_supported(dnskey_rrset)) { 705 verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure"); 706 return sec_status_insecure; 707 } 708 return sec_status_secure; 709 } 710 } else if(sigalg && sec == sec_status_bogus) { 711 algo_needs_set_bogus(&needs, 712 (uint8_t)dnskey_get_algo(ta_dnskey, i)); 713 } 714 } 715 } 716 717 /* If no DSs were understandable, then this is OK. */ 718 if(!has_useful_ta) { 719 verbose(VERB_ALGO, "No usable trust anchors were found -- " 720 "treating as insecure."); 721 return sec_status_insecure; 722 } 723 /* If any were understandable, then it is bad. */ 724 verbose(VERB_QUERY, "Failed to match any usable anchor to a DNSKEY."); 725 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) { 726 algo_needs_reason(env, alg, reason, "missing verification of " 727 "DNSKEY signature"); 728 } 729 return sec_status_bogus; 730 } 731 732 struct key_entry_key* 733 val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env, 734 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 735 struct ub_packed_rrset_key* ta_ds_rrset, 736 struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot, 737 char** reason, sldns_ede_code *reason_bogus, struct module_qstate* qstate) 738 { 739 uint8_t sigalg[ALGO_NEEDS_MAX+1]; 740 enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, 741 dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset, 742 downprot?sigalg:NULL, reason, reason_bogus, qstate); 743 744 if(sec == sec_status_secure) { 745 return key_entry_create_rrset(region, 746 dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len, 747 ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset, 748 downprot?sigalg:NULL, LDNS_EDE_NONE, NULL, *env->now); 749 } else if(sec == sec_status_insecure) { 750 return key_entry_create_null(region, dnskey_rrset->rk.dname, 751 dnskey_rrset->rk.dname_len, 752 ntohs(dnskey_rrset->rk.rrset_class), 753 rrset_get_ttl(dnskey_rrset), *reason_bogus, *reason, 754 *env->now); 755 } 756 return key_entry_create_bad(region, dnskey_rrset->rk.dname, 757 dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class), 758 BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now); 759 } 760 761 int 762 val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset) 763 { 764 size_t i; 765 for(i=0; i<rrset_get_count(ds_rrset); i++) { 766 if(ds_digest_algo_is_supported(ds_rrset, i) && 767 ds_key_algo_is_supported(ds_rrset, i)) 768 return 1; 769 } 770 if(verbosity < VERB_ALGO) 771 return 0; 772 if(rrset_get_count(ds_rrset) == 0) 773 verbose(VERB_ALGO, "DS is not usable"); 774 else { 775 /* report usability for the first DS RR */ 776 sldns_lookup_table *lt; 777 char herr[64], aerr[64]; 778 lt = sldns_lookup_by_id(sldns_hashes, 779 (int)ds_get_digest_algo(ds_rrset, 0)); 780 if(lt) snprintf(herr, sizeof(herr), "%s", lt->name); 781 else snprintf(herr, sizeof(herr), "%d", 782 (int)ds_get_digest_algo(ds_rrset, 0)); 783 lt = sldns_lookup_by_id(sldns_algorithms, 784 (int)ds_get_key_algo(ds_rrset, 0)); 785 if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name); 786 else snprintf(aerr, sizeof(aerr), "%d", 787 (int)ds_get_key_algo(ds_rrset, 0)); 788 789 verbose(VERB_ALGO, "DS unsupported, hash %s %s, " 790 "key algorithm %s %s", herr, 791 (ds_digest_algo_is_supported(ds_rrset, 0)? 792 "(supported)":"(unsupported)"), aerr, 793 (ds_key_algo_is_supported(ds_rrset, 0)? 794 "(supported)":"(unsupported)")); 795 } 796 return 0; 797 } 798 799 /** get label count for a signature */ 800 static uint8_t 801 rrsig_get_labcount(struct packed_rrset_data* d, size_t sig) 802 { 803 if(d->rr_len[sig] < 2+4) 804 return 0; /* bad sig length */ 805 return d->rr_data[sig][2+3]; 806 } 807 808 int 809 val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc, 810 size_t* wc_len) 811 { 812 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> 813 entry.data; 814 uint8_t labcount; 815 int labdiff; 816 uint8_t* wn; 817 size_t i, wl; 818 if(d->rrsig_count == 0) { 819 return 1; 820 } 821 labcount = rrsig_get_labcount(d, d->count + 0); 822 /* check rest of signatures identical */ 823 for(i=1; i<d->rrsig_count; i++) { 824 if(labcount != rrsig_get_labcount(d, d->count + i)) { 825 return 0; 826 } 827 } 828 /* OK the rrsigs check out */ 829 /* if the RRSIG label count is shorter than the number of actual 830 * labels, then this rrset was synthesized from a wildcard. 831 * Note that the RRSIG label count doesn't count the root label. */ 832 wn = rrset->rk.dname; 833 wl = rrset->rk.dname_len; 834 /* skip a leading wildcard label in the dname (RFC4035 2.2) */ 835 if(dname_is_wild(wn)) { 836 wn += 2; 837 wl -= 2; 838 } 839 labdiff = (dname_count_labels(wn) - 1) - (int)labcount; 840 if(labdiff > 0) { 841 *wc = wn; 842 dname_remove_labels(wc, &wl, labdiff); 843 *wc_len = wl; 844 return 1; 845 } 846 return 1; 847 } 848 849 int 850 val_chase_cname(struct query_info* qchase, struct reply_info* rep, 851 size_t* cname_skip) { 852 size_t i; 853 /* skip any DNAMEs, go to the CNAME for next part */ 854 for(i = *cname_skip; i < rep->an_numrrsets; i++) { 855 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME && 856 query_dname_compare(qchase->qname, rep->rrsets[i]-> 857 rk.dname) == 0) { 858 qchase->qname = NULL; 859 get_cname_target(rep->rrsets[i], &qchase->qname, 860 &qchase->qname_len); 861 if(!qchase->qname) 862 return 0; /* bad CNAME rdata */ 863 (*cname_skip) = i+1; 864 return 1; 865 } 866 } 867 return 0; /* CNAME classified but no matching CNAME ?! */ 868 } 869 870 /** see if rrset has signer name as one of the rrsig signers */ 871 static int 872 rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len) 873 { 874 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> 875 entry.data; 876 size_t i; 877 for(i = d->count; i< d->count+d->rrsig_count; i++) { 878 if(d->rr_len[i] > 2+18+len) { 879 /* at least rdatalen + signature + signame (+1 sig)*/ 880 if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18)) 881 continue; 882 if(query_dname_compare(name, d->rr_data[i]+2+18) == 0) 883 { 884 return 1; 885 } 886 } 887 } 888 return 0; 889 } 890 891 void 892 val_fill_reply(struct reply_info* chase, struct reply_info* orig, 893 size_t skip, uint8_t* name, size_t len, uint8_t* signer) 894 { 895 size_t i; 896 int seen_dname = 0; 897 chase->rrset_count = 0; 898 chase->an_numrrsets = 0; 899 chase->ns_numrrsets = 0; 900 chase->ar_numrrsets = 0; 901 /* ANSWER section */ 902 for(i=skip; i<orig->an_numrrsets; i++) { 903 if(!signer) { 904 if(query_dname_compare(name, 905 orig->rrsets[i]->rk.dname) == 0) 906 chase->rrsets[chase->an_numrrsets++] = 907 orig->rrsets[i]; 908 } else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) == 909 LDNS_RR_TYPE_CNAME) { 910 chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i]; 911 seen_dname = 0; 912 } else if(rrset_has_signer(orig->rrsets[i], name, len)) { 913 chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i]; 914 if(ntohs(orig->rrsets[i]->rk.type) == 915 LDNS_RR_TYPE_DNAME) { 916 seen_dname = 1; 917 } 918 } 919 } 920 /* AUTHORITY section */ 921 for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets; 922 i<orig->an_numrrsets+orig->ns_numrrsets; 923 i++) { 924 if(!signer) { 925 if(query_dname_compare(name, 926 orig->rrsets[i]->rk.dname) == 0) 927 chase->rrsets[chase->an_numrrsets+ 928 chase->ns_numrrsets++] = orig->rrsets[i]; 929 } else if(rrset_has_signer(orig->rrsets[i], name, len)) { 930 chase->rrsets[chase->an_numrrsets+ 931 chase->ns_numrrsets++] = orig->rrsets[i]; 932 } 933 } 934 /* ADDITIONAL section */ 935 for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)? 936 skip:orig->an_numrrsets+orig->ns_numrrsets; 937 i<orig->rrset_count; i++) { 938 if(!signer) { 939 if(query_dname_compare(name, 940 orig->rrsets[i]->rk.dname) == 0) 941 chase->rrsets[chase->an_numrrsets 942 +orig->ns_numrrsets+chase->ar_numrrsets++] 943 = orig->rrsets[i]; 944 } else if(rrset_has_signer(orig->rrsets[i], name, len)) { 945 chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+ 946 chase->ar_numrrsets++] = orig->rrsets[i]; 947 } 948 } 949 chase->rrset_count = chase->an_numrrsets + chase->ns_numrrsets + 950 chase->ar_numrrsets; 951 } 952 953 void val_reply_remove_auth(struct reply_info* rep, size_t index) 954 { 955 log_assert(index < rep->rrset_count); 956 log_assert(index >= rep->an_numrrsets); 957 log_assert(index < rep->an_numrrsets+rep->ns_numrrsets); 958 memmove(rep->rrsets+index, rep->rrsets+index+1, 959 sizeof(struct ub_packed_rrset_key*)* 960 (rep->rrset_count - index - 1)); 961 rep->ns_numrrsets--; 962 rep->rrset_count--; 963 } 964 965 void 966 val_check_nonsecure(struct module_env* env, struct reply_info* rep) 967 { 968 size_t i; 969 /* authority */ 970 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) { 971 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data) 972 ->security != sec_status_secure) { 973 /* because we want to return the authentic original 974 * message when presented with CD-flagged queries, 975 * we need to preserve AUTHORITY section data. 976 * However, this rrset is not signed or signed 977 * with the wrong keys. Validation has tried to 978 * verify this rrset with the keysets of import. 979 * But this rrset did not verify. 980 * Therefore the message is bogus. 981 */ 982 983 /* check if authority has an NS record 984 * which is bad, and there is an answer section with 985 * data. In that case, delete NS and additional to 986 * be lenient and make a minimal response */ 987 if(rep->an_numrrsets != 0 && 988 ntohs(rep->rrsets[i]->rk.type) 989 == LDNS_RR_TYPE_NS) { 990 verbose(VERB_ALGO, "truncate to minimal"); 991 rep->ar_numrrsets = 0; 992 rep->rrset_count = rep->an_numrrsets + 993 rep->ns_numrrsets; 994 /* remove this unneeded authority rrset */ 995 memmove(rep->rrsets+i, rep->rrsets+i+1, 996 sizeof(struct ub_packed_rrset_key*)* 997 (rep->rrset_count - i - 1)); 998 rep->ns_numrrsets--; 999 rep->rrset_count--; 1000 i--; 1001 return; 1002 } 1003 1004 log_nametypeclass(VERB_QUERY, "message is bogus, " 1005 "non secure rrset", 1006 rep->rrsets[i]->rk.dname, 1007 ntohs(rep->rrsets[i]->rk.type), 1008 ntohs(rep->rrsets[i]->rk.rrset_class)); 1009 rep->security = sec_status_bogus; 1010 return; 1011 } 1012 } 1013 /* additional */ 1014 if(!env->cfg->val_clean_additional) 1015 return; 1016 for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) { 1017 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data) 1018 ->security != sec_status_secure) { 1019 /* This does not cause message invalidation. It was 1020 * simply unsigned data in the additional. The 1021 * RRSIG must have been truncated off the message. 1022 * 1023 * However, we do not want to return possible bogus 1024 * data to clients that rely on this service for 1025 * their authentication. 1026 */ 1027 /* remove this unneeded additional rrset */ 1028 memmove(rep->rrsets+i, rep->rrsets+i+1, 1029 sizeof(struct ub_packed_rrset_key*)* 1030 (rep->rrset_count - i - 1)); 1031 rep->ar_numrrsets--; 1032 rep->rrset_count--; 1033 i--; 1034 } 1035 } 1036 } 1037 1038 /** check no anchor and unlock */ 1039 static int 1040 check_no_anchor(struct val_anchors* anchors, uint8_t* nm, size_t l, uint16_t c) 1041 { 1042 struct trust_anchor* ta; 1043 if((ta=anchors_lookup(anchors, nm, l, c))) { 1044 lock_basic_unlock(&ta->lock); 1045 } 1046 return !ta; 1047 } 1048 1049 void 1050 val_mark_indeterminate(struct reply_info* rep, struct val_anchors* anchors, 1051 struct rrset_cache* r, struct module_env* env) 1052 { 1053 size_t i; 1054 struct packed_rrset_data* d; 1055 for(i=0; i<rep->rrset_count; i++) { 1056 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1057 if(d->security == sec_status_unchecked && 1058 check_no_anchor(anchors, rep->rrsets[i]->rk.dname, 1059 rep->rrsets[i]->rk.dname_len, 1060 ntohs(rep->rrsets[i]->rk.rrset_class))) 1061 { 1062 /* mark as indeterminate */ 1063 d->security = sec_status_indeterminate; 1064 rrset_update_sec_status(r, rep->rrsets[i], *env->now); 1065 } 1066 } 1067 } 1068 1069 void 1070 val_mark_insecure(struct reply_info* rep, uint8_t* kname, 1071 struct rrset_cache* r, struct module_env* env) 1072 { 1073 size_t i; 1074 struct packed_rrset_data* d; 1075 for(i=0; i<rep->rrset_count; i++) { 1076 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1077 if(d->security == sec_status_unchecked && 1078 dname_subdomain_c(rep->rrsets[i]->rk.dname, kname)) { 1079 /* mark as insecure */ 1080 d->security = sec_status_insecure; 1081 rrset_update_sec_status(r, rep->rrsets[i], *env->now); 1082 } 1083 } 1084 } 1085 1086 size_t 1087 val_next_unchecked(struct reply_info* rep, size_t skip) 1088 { 1089 size_t i; 1090 struct packed_rrset_data* d; 1091 for(i=skip+1; i<rep->rrset_count; i++) { 1092 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1093 if(d->security == sec_status_unchecked) { 1094 return i; 1095 } 1096 } 1097 return rep->rrset_count; 1098 } 1099 1100 const char* 1101 val_classification_to_string(enum val_classification subtype) 1102 { 1103 switch(subtype) { 1104 case VAL_CLASS_UNTYPED: return "untyped"; 1105 case VAL_CLASS_UNKNOWN: return "unknown"; 1106 case VAL_CLASS_POSITIVE: return "positive"; 1107 case VAL_CLASS_CNAME: return "cname"; 1108 case VAL_CLASS_NODATA: return "nodata"; 1109 case VAL_CLASS_NAMEERROR: return "nameerror"; 1110 case VAL_CLASS_CNAMENOANSWER: return "cnamenoanswer"; 1111 case VAL_CLASS_REFERRAL: return "referral"; 1112 case VAL_CLASS_ANY: return "qtype_any"; 1113 default: 1114 return "bad_val_classification"; 1115 } 1116 } 1117 1118 /** log a sock_list entry */ 1119 static void 1120 sock_list_logentry(enum verbosity_value v, const char* s, struct sock_list* p) 1121 { 1122 if(p->len) 1123 log_addr(v, s, &p->addr, p->len); 1124 else verbose(v, "%s cache", s); 1125 } 1126 1127 void val_blacklist(struct sock_list** blacklist, struct regional* region, 1128 struct sock_list* origin, int cross) 1129 { 1130 /* debug printout */ 1131 if(verbosity >= VERB_ALGO) { 1132 struct sock_list* p; 1133 for(p=*blacklist; p; p=p->next) 1134 sock_list_logentry(VERB_ALGO, "blacklist", p); 1135 if(!origin) 1136 verbose(VERB_ALGO, "blacklist add: cache"); 1137 for(p=origin; p; p=p->next) 1138 sock_list_logentry(VERB_ALGO, "blacklist add", p); 1139 } 1140 /* blacklist the IPs or the cache */ 1141 if(!origin) { 1142 /* only add if nothing there. anything else also stops cache*/ 1143 if(!*blacklist) 1144 sock_list_insert(blacklist, NULL, 0, region); 1145 } else if(!cross) 1146 sock_list_prepend(blacklist, origin); 1147 else sock_list_merge(blacklist, region, origin); 1148 } 1149 1150 int val_has_signed_nsecs(struct reply_info* rep, char** reason) 1151 { 1152 size_t i, num_nsec = 0, num_nsec3 = 0; 1153 struct packed_rrset_data* d; 1154 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) { 1155 if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC)) 1156 num_nsec++; 1157 else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3)) 1158 num_nsec3++; 1159 else continue; 1160 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1161 if(d && d->rrsig_count != 0) { 1162 return 1; 1163 } 1164 } 1165 if(num_nsec == 0 && num_nsec3 == 0) 1166 *reason = "no DNSSEC records"; 1167 else if(num_nsec != 0) 1168 *reason = "no signatures over NSECs"; 1169 else *reason = "no signatures over NSEC3s"; 1170 return 0; 1171 } 1172 1173 struct dns_msg* 1174 val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c, 1175 struct regional* region, uint8_t* topname) 1176 { 1177 struct dns_msg* msg; 1178 struct query_info qinfo; 1179 struct ub_packed_rrset_key *rrset = rrset_cache_lookup( 1180 env->rrset_cache, nm, nmlen, LDNS_RR_TYPE_DS, c, 0, 1181 *env->now, 0); 1182 if(rrset) { 1183 /* DS rrset exists. Return it to the validator immediately*/ 1184 struct ub_packed_rrset_key* copy = packed_rrset_copy_region( 1185 rrset, region, *env->now); 1186 lock_rw_unlock(&rrset->entry.lock); 1187 if(!copy) 1188 return NULL; 1189 msg = dns_msg_create(nm, nmlen, LDNS_RR_TYPE_DS, c, region, 1); 1190 if(!msg) 1191 return NULL; 1192 msg->rep->rrsets[0] = copy; 1193 msg->rep->rrset_count++; 1194 msg->rep->an_numrrsets++; 1195 return msg; 1196 } 1197 /* lookup in rrset and negative cache for NSEC/NSEC3 */ 1198 qinfo.qname = nm; 1199 qinfo.qname_len = nmlen; 1200 qinfo.qtype = LDNS_RR_TYPE_DS; 1201 qinfo.qclass = c; 1202 qinfo.local_alias = NULL; 1203 /* do not add SOA to reply message, it is going to be used internal */ 1204 msg = val_neg_getmsg(env->neg_cache, &qinfo, region, env->rrset_cache, 1205 env->scratch_buffer, *env->now, 0, topname, env->cfg); 1206 return msg; 1207 } 1208