1 /* 2 * validator/validator.c - secure validator DNS query response module 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains a module that performs validation of DNS queries. 40 * According to RFC 4034. 41 */ 42 #include "config.h" 43 #include <ctype.h> 44 #include "validator/validator.h" 45 #include "validator/val_anchor.h" 46 #include "validator/val_kcache.h" 47 #include "validator/val_kentry.h" 48 #include "validator/val_utils.h" 49 #include "validator/val_nsec.h" 50 #include "validator/val_nsec3.h" 51 #include "validator/val_neg.h" 52 #include "validator/val_sigcrypt.h" 53 #include "validator/autotrust.h" 54 #include "services/cache/dns.h" 55 #include "services/cache/rrset.h" 56 #include "util/data/dname.h" 57 #include "util/module.h" 58 #include "util/log.h" 59 #include "util/net_help.h" 60 #include "util/regional.h" 61 #include "util/config_file.h" 62 #include "util/fptr_wlist.h" 63 #include "sldns/rrdef.h" 64 #include "sldns/wire2str.h" 65 #include "sldns/str2wire.h" 66 67 /* forward decl for cache response and normal super inform calls of a DS */ 68 static void process_ds_response(struct module_qstate* qstate, 69 struct val_qstate* vq, int id, int rcode, struct dns_msg* msg, 70 struct query_info* qinfo, struct sock_list* origin); 71 72 73 /* Updates the suplied EDE (RFC8914) code selectively so we don't lose 74 * a more specific code */ 75 static void 76 update_reason_bogus(struct reply_info* rep, sldns_ede_code reason_bogus) 77 { 78 if(reason_bogus == LDNS_EDE_NONE) return; 79 if(reason_bogus == LDNS_EDE_DNSSEC_BOGUS 80 && rep->reason_bogus != LDNS_EDE_NONE 81 && rep->reason_bogus != LDNS_EDE_DNSSEC_BOGUS) return; 82 rep->reason_bogus = reason_bogus; 83 } 84 85 86 /** fill up nsec3 key iterations config entry */ 87 static int 88 fill_nsec3_iter(struct val_env* ve, char* s, int c) 89 { 90 char* e; 91 int i; 92 free(ve->nsec3_keysize); 93 free(ve->nsec3_maxiter); 94 ve->nsec3_keysize = (size_t*)calloc(sizeof(size_t), (size_t)c); 95 ve->nsec3_maxiter = (size_t*)calloc(sizeof(size_t), (size_t)c); 96 if(!ve->nsec3_keysize || !ve->nsec3_maxiter) { 97 log_err("out of memory"); 98 return 0; 99 } 100 for(i=0; i<c; i++) { 101 ve->nsec3_keysize[i] = (size_t)strtol(s, &e, 10); 102 if(s == e) { 103 log_err("cannot parse: %s", s); 104 return 0; 105 } 106 s = e; 107 ve->nsec3_maxiter[i] = (size_t)strtol(s, &e, 10); 108 if(s == e) { 109 log_err("cannot parse: %s", s); 110 return 0; 111 } 112 s = e; 113 if(i>0 && ve->nsec3_keysize[i-1] >= ve->nsec3_keysize[i]) { 114 log_err("nsec3 key iterations not ascending: %d %d", 115 (int)ve->nsec3_keysize[i-1], 116 (int)ve->nsec3_keysize[i]); 117 return 0; 118 } 119 verbose(VERB_ALGO, "validator nsec3cfg keysz %d mxiter %d", 120 (int)ve->nsec3_keysize[i], (int)ve->nsec3_maxiter[i]); 121 } 122 return 1; 123 } 124 125 /** apply config settings to validator */ 126 static int 127 val_apply_cfg(struct module_env* env, struct val_env* val_env, 128 struct config_file* cfg) 129 { 130 int c; 131 val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl; 132 if(!env->anchors) 133 env->anchors = anchors_create(); 134 if(!env->anchors) { 135 log_err("out of memory"); 136 return 0; 137 } 138 if (env->key_cache) 139 val_env->kcache = env->key_cache; 140 if(!val_env->kcache) 141 val_env->kcache = key_cache_create(cfg); 142 if(!val_env->kcache) { 143 log_err("out of memory"); 144 return 0; 145 } 146 env->key_cache = val_env->kcache; 147 if(!anchors_apply_cfg(env->anchors, cfg)) { 148 log_err("validator: error in trustanchors config"); 149 return 0; 150 } 151 val_env->date_override = cfg->val_date_override; 152 val_env->skew_min = cfg->val_sig_skew_min; 153 val_env->skew_max = cfg->val_sig_skew_max; 154 val_env->max_restart = cfg->val_max_restart; 155 c = cfg_count_numbers(cfg->val_nsec3_key_iterations); 156 if(c < 1 || (c&1)) { 157 log_err("validator: unparsable or odd nsec3 key " 158 "iterations: %s", cfg->val_nsec3_key_iterations); 159 return 0; 160 } 161 val_env->nsec3_keyiter_count = c/2; 162 if(!fill_nsec3_iter(val_env, cfg->val_nsec3_key_iterations, c/2)) { 163 log_err("validator: cannot apply nsec3 key iterations"); 164 return 0; 165 } 166 if (env->neg_cache) 167 val_env->neg_cache = env->neg_cache; 168 if(!val_env->neg_cache) 169 val_env->neg_cache = val_neg_create(cfg, 170 val_env->nsec3_maxiter[val_env->nsec3_keyiter_count-1]); 171 if(!val_env->neg_cache) { 172 log_err("out of memory"); 173 return 0; 174 } 175 env->neg_cache = val_env->neg_cache; 176 return 1; 177 } 178 179 #ifdef USE_ECDSA_EVP_WORKAROUND 180 void ecdsa_evp_workaround_init(void); 181 #endif 182 int 183 val_init(struct module_env* env, int id) 184 { 185 struct val_env* val_env = (struct val_env*)calloc(1, 186 sizeof(struct val_env)); 187 if(!val_env) { 188 log_err("malloc failure"); 189 return 0; 190 } 191 env->modinfo[id] = (void*)val_env; 192 env->need_to_validate = 1; 193 lock_basic_init(&val_env->bogus_lock); 194 lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus, 195 sizeof(val_env->num_rrset_bogus)); 196 #ifdef USE_ECDSA_EVP_WORKAROUND 197 ecdsa_evp_workaround_init(); 198 #endif 199 if(!val_apply_cfg(env, val_env, env->cfg)) { 200 log_err("validator: could not apply configuration settings."); 201 return 0; 202 } 203 if(env->cfg->disable_edns_do) { 204 struct trust_anchor* anchor = anchors_find_any_noninsecure( 205 env->anchors); 206 if(anchor) { 207 char b[LDNS_MAX_DOMAINLEN+2]; 208 dname_str(anchor->name, b); 209 log_warn("validator: disable-edns-do is enabled, but there is a trust anchor for '%s'. Since DNSSEC could not work, the disable-edns-do setting is turned off. Continuing without it.", b); 210 lock_basic_unlock(&anchor->lock); 211 env->cfg->disable_edns_do = 0; 212 } 213 } 214 215 return 1; 216 } 217 218 void 219 val_deinit(struct module_env* env, int id) 220 { 221 struct val_env* val_env; 222 if(!env || !env->modinfo[id]) 223 return; 224 val_env = (struct val_env*)env->modinfo[id]; 225 lock_basic_destroy(&val_env->bogus_lock); 226 anchors_delete(env->anchors); 227 env->anchors = NULL; 228 key_cache_delete(val_env->kcache); 229 env->key_cache = NULL; 230 neg_cache_delete(val_env->neg_cache); 231 env->neg_cache = NULL; 232 free(val_env->nsec3_keysize); 233 free(val_env->nsec3_maxiter); 234 free(val_env); 235 env->modinfo[id] = NULL; 236 } 237 238 /** fill in message structure */ 239 static struct val_qstate* 240 val_new_getmsg(struct module_qstate* qstate, struct val_qstate* vq) 241 { 242 if(!qstate->return_msg || qstate->return_rcode != LDNS_RCODE_NOERROR) { 243 /* create a message to verify */ 244 verbose(VERB_ALGO, "constructing reply for validation"); 245 vq->orig_msg = (struct dns_msg*)regional_alloc(qstate->region, 246 sizeof(struct dns_msg)); 247 if(!vq->orig_msg) 248 return NULL; 249 vq->orig_msg->qinfo = qstate->qinfo; 250 vq->orig_msg->rep = (struct reply_info*)regional_alloc( 251 qstate->region, sizeof(struct reply_info)); 252 if(!vq->orig_msg->rep) 253 return NULL; 254 memset(vq->orig_msg->rep, 0, sizeof(struct reply_info)); 255 vq->orig_msg->rep->flags = (uint16_t)(qstate->return_rcode&0xf) 256 |BIT_QR|BIT_RA|(qstate->query_flags|(BIT_CD|BIT_RD)); 257 vq->orig_msg->rep->qdcount = 1; 258 vq->orig_msg->rep->reason_bogus = LDNS_EDE_NONE; 259 } else { 260 vq->orig_msg = qstate->return_msg; 261 } 262 vq->qchase = qstate->qinfo; 263 /* chase reply will be an edited (sub)set of the orig msg rrset ptrs */ 264 vq->chase_reply = regional_alloc_init(qstate->region, 265 vq->orig_msg->rep, 266 sizeof(struct reply_info) - sizeof(struct rrset_ref)); 267 if(!vq->chase_reply) 268 return NULL; 269 if(vq->orig_msg->rep->rrset_count > RR_COUNT_MAX) 270 return NULL; /* protect against integer overflow */ 271 vq->chase_reply->rrsets = regional_alloc_init(qstate->region, 272 vq->orig_msg->rep->rrsets, sizeof(struct ub_packed_rrset_key*) 273 * vq->orig_msg->rep->rrset_count); 274 if(!vq->chase_reply->rrsets) 275 return NULL; 276 vq->rrset_skip = 0; 277 return vq; 278 } 279 280 /** allocate new validator query state */ 281 static struct val_qstate* 282 val_new(struct module_qstate* qstate, int id) 283 { 284 struct val_qstate* vq = (struct val_qstate*)regional_alloc( 285 qstate->region, sizeof(*vq)); 286 log_assert(!qstate->minfo[id]); 287 if(!vq) 288 return NULL; 289 memset(vq, 0, sizeof(*vq)); 290 qstate->minfo[id] = vq; 291 vq->state = VAL_INIT_STATE; 292 return val_new_getmsg(qstate, vq); 293 } 294 295 /** 296 * Exit validation with an error status 297 * 298 * @param qstate: query state 299 * @param id: validator id. 300 * @return false, for use by caller to return to stop processing. 301 */ 302 static int 303 val_error(struct module_qstate* qstate, int id) 304 { 305 qstate->ext_state[id] = module_error; 306 qstate->return_rcode = LDNS_RCODE_SERVFAIL; 307 return 0; 308 } 309 310 /** 311 * Check to see if a given response needs to go through the validation 312 * process. Typical reasons for this routine to return false are: CD bit was 313 * on in the original request, or the response is a kind of message that 314 * is unvalidatable (i.e., SERVFAIL, REFUSED, etc.) 315 * 316 * @param qstate: query state. 317 * @param ret_rc: rcode for this message (if noerror - examine ret_msg). 318 * @param ret_msg: return msg, can be NULL; look at rcode instead. 319 * @return true if the response could use validation (although this does not 320 * mean we can actually validate this response). 321 */ 322 static int 323 needs_validation(struct module_qstate* qstate, int ret_rc, 324 struct dns_msg* ret_msg) 325 { 326 int rcode; 327 328 /* If the CD bit is on in the original request, then you could think 329 * that we don't bother to validate anything. 330 * But this is signalled internally with the valrec flag. 331 * User queries are validated with BIT_CD to make our cache clean 332 * so that bogus messages get retried by the upstream also for 333 * downstream validators that set BIT_CD. 334 * For DNS64 bit_cd signals no dns64 processing, but we want to 335 * provide validation there too */ 336 /* 337 if(qstate->query_flags & BIT_CD) { 338 verbose(VERB_ALGO, "not validating response due to CD bit"); 339 return 0; 340 } 341 */ 342 if(qstate->is_valrec) { 343 verbose(VERB_ALGO, "not validating response, is valrec" 344 "(validation recursion lookup)"); 345 return 0; 346 } 347 348 if(ret_rc != LDNS_RCODE_NOERROR || !ret_msg) 349 rcode = ret_rc; 350 else rcode = (int)FLAGS_GET_RCODE(ret_msg->rep->flags); 351 352 if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN) { 353 if(verbosity >= VERB_ALGO) { 354 char rc[16]; 355 rc[0]=0; 356 (void)sldns_wire2str_rcode_buf(rcode, rc, sizeof(rc)); 357 verbose(VERB_ALGO, "cannot validate non-answer, rcode %s", rc); 358 } 359 return 0; 360 } 361 362 /* cannot validate positive RRSIG response. (negatives can) */ 363 if(qstate->qinfo.qtype == LDNS_RR_TYPE_RRSIG && 364 rcode == LDNS_RCODE_NOERROR && ret_msg && 365 ret_msg->rep->an_numrrsets > 0) { 366 verbose(VERB_ALGO, "cannot validate RRSIG, no sigs on sigs."); 367 return 0; 368 } 369 return 1; 370 } 371 372 /** 373 * Check to see if the response has already been validated. 374 * @param ret_msg: return msg, can be NULL 375 * @return true if the response has already been validated 376 */ 377 static int 378 already_validated(struct dns_msg* ret_msg) 379 { 380 /* validate unchecked, and re-validate bogus messages */ 381 if (ret_msg && ret_msg->rep->security > sec_status_bogus) 382 { 383 verbose(VERB_ALGO, "response has already been validated: %s", 384 sec_status_to_string(ret_msg->rep->security)); 385 return 1; 386 } 387 return 0; 388 } 389 390 /** 391 * Generate a request for DNS data. 392 * 393 * @param qstate: query state that is the parent. 394 * @param id: module id. 395 * @param name: what name to query for. 396 * @param namelen: length of name. 397 * @param qtype: query type. 398 * @param qclass: query class. 399 * @param flags: additional flags, such as the CD bit (BIT_CD), or 0. 400 * @param newq: If the subquery is newly created, it is returned, 401 * otherwise NULL is returned 402 * @param detached: true if this qstate should not attach to the subquery 403 * @return false on alloc failure. 404 */ 405 static int 406 generate_request(struct module_qstate* qstate, int id, uint8_t* name, 407 size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags, 408 struct module_qstate** newq, int detached) 409 { 410 struct val_qstate* vq = (struct val_qstate*)qstate->minfo[id]; 411 struct query_info ask; 412 int valrec; 413 ask.qname = name; 414 ask.qname_len = namelen; 415 ask.qtype = qtype; 416 ask.qclass = qclass; 417 ask.local_alias = NULL; 418 log_query_info(VERB_ALGO, "generate request", &ask); 419 /* enable valrec flag to avoid recursion to the same validation 420 * routine, this lookup is simply a lookup. */ 421 valrec = 1; 422 423 fptr_ok(fptr_whitelist_modenv_detect_cycle(qstate->env->detect_cycle)); 424 if((*qstate->env->detect_cycle)(qstate, &ask, 425 (uint16_t)(BIT_RD|flags), 0, valrec)) { 426 verbose(VERB_ALGO, "Could not generate request: cycle detected"); 427 return 0; 428 } 429 430 if(detached) { 431 struct mesh_state* sub = NULL; 432 fptr_ok(fptr_whitelist_modenv_add_sub( 433 qstate->env->add_sub)); 434 if(!(*qstate->env->add_sub)(qstate, &ask, 435 (uint16_t)(BIT_RD|flags), 0, valrec, newq, &sub)){ 436 log_err("Could not generate request: out of memory"); 437 return 0; 438 } 439 } 440 else { 441 fptr_ok(fptr_whitelist_modenv_attach_sub( 442 qstate->env->attach_sub)); 443 if(!(*qstate->env->attach_sub)(qstate, &ask, 444 (uint16_t)(BIT_RD|flags), 0, valrec, newq)){ 445 log_err("Could not generate request: out of memory"); 446 return 0; 447 } 448 } 449 /* newq; validator does not need state created for that 450 * query, and its a 'normal' for iterator as well */ 451 if(*newq) { 452 /* add our blacklist to the query blacklist */ 453 sock_list_merge(&(*newq)->blacklist, (*newq)->region, 454 vq->chain_blacklist); 455 } 456 qstate->ext_state[id] = module_wait_subquery; 457 return 1; 458 } 459 460 /** 461 * Generate, send and detach key tag signaling query. 462 * 463 * @param qstate: query state. 464 * @param id: module id. 465 * @param ta: trust anchor, locked. 466 * @return false on a processing error. 467 */ 468 static int 469 generate_keytag_query(struct module_qstate* qstate, int id, 470 struct trust_anchor* ta) 471 { 472 /* 3 bytes for "_ta", 5 bytes per tag (4 bytes + "-") */ 473 #define MAX_LABEL_TAGS (LDNS_MAX_LABELLEN-3)/5 474 size_t i, numtag; 475 uint16_t tags[MAX_LABEL_TAGS]; 476 char tagstr[LDNS_MAX_LABELLEN+1] = "_ta"; /* +1 for NULL byte */ 477 size_t tagstr_left = sizeof(tagstr) - strlen(tagstr); 478 char* tagstr_pos = tagstr + strlen(tagstr); 479 uint8_t dnamebuf[LDNS_MAX_DOMAINLEN+1]; /* +1 for label length byte */ 480 size_t dnamebuf_len = sizeof(dnamebuf); 481 uint8_t* keytagdname; 482 struct module_qstate* newq = NULL; 483 enum module_ext_state ext_state = qstate->ext_state[id]; 484 485 numtag = anchor_list_keytags(ta, tags, MAX_LABEL_TAGS); 486 if(numtag == 0) 487 return 0; 488 489 for(i=0; i<numtag; i++) { 490 /* Buffer can't overflow; numtag is limited to tags that fit in 491 * the buffer. */ 492 snprintf(tagstr_pos, tagstr_left, "-%04x", (unsigned)tags[i]); 493 tagstr_left -= strlen(tagstr_pos); 494 tagstr_pos += strlen(tagstr_pos); 495 } 496 497 sldns_str2wire_dname_buf_origin(tagstr, dnamebuf, &dnamebuf_len, 498 ta->name, ta->namelen); 499 if(!(keytagdname = (uint8_t*)regional_alloc_init(qstate->region, 500 dnamebuf, dnamebuf_len))) { 501 log_err("could not generate key tag query: out of memory"); 502 return 0; 503 } 504 505 log_nametypeclass(VERB_OPS, "generate keytag query", keytagdname, 506 LDNS_RR_TYPE_NULL, ta->dclass); 507 if(!generate_request(qstate, id, keytagdname, dnamebuf_len, 508 LDNS_RR_TYPE_NULL, ta->dclass, 0, &newq, 1)) { 509 verbose(VERB_ALGO, "failed to generate key tag signaling request"); 510 return 0; 511 } 512 513 /* Not interested in subquery response. Restore the ext_state, 514 * that might be changed by generate_request() */ 515 qstate->ext_state[id] = ext_state; 516 517 return 1; 518 } 519 520 /** 521 * Get keytag as uint16_t from string 522 * 523 * @param start: start of string containing keytag 524 * @param keytag: pointer where to store the extracted keytag 525 * @return: 1 if keytag was extracted, else 0. 526 */ 527 static int 528 sentinel_get_keytag(char* start, uint16_t* keytag) { 529 char* keytag_str; 530 char* e = NULL; 531 keytag_str = calloc(1, SENTINEL_KEYTAG_LEN + 1 /* null byte */); 532 if(!keytag_str) 533 return 0; 534 memmove(keytag_str, start, SENTINEL_KEYTAG_LEN); 535 keytag_str[SENTINEL_KEYTAG_LEN] = '\0'; 536 *keytag = (uint16_t)strtol(keytag_str, &e, 10); 537 if(!e || *e != '\0') { 538 free(keytag_str); 539 return 0; 540 } 541 free(keytag_str); 542 return 1; 543 } 544 545 /** 546 * Prime trust anchor for use. 547 * Generate and dispatch a priming query for the given trust anchor. 548 * The trust anchor can be DNSKEY or DS and does not have to be signed. 549 * 550 * @param qstate: query state. 551 * @param vq: validator query state. 552 * @param id: module id. 553 * @param toprime: what to prime. 554 * @return false on a processing error. 555 */ 556 static int 557 prime_trust_anchor(struct module_qstate* qstate, struct val_qstate* vq, 558 int id, struct trust_anchor* toprime) 559 { 560 struct module_qstate* newq = NULL; 561 int ret = generate_request(qstate, id, toprime->name, toprime->namelen, 562 LDNS_RR_TYPE_DNSKEY, toprime->dclass, BIT_CD, &newq, 0); 563 564 if(newq && qstate->env->cfg->trust_anchor_signaling && 565 !generate_keytag_query(qstate, id, toprime)) { 566 verbose(VERB_ALGO, "keytag signaling query failed"); 567 return 0; 568 } 569 570 if(!ret) { 571 verbose(VERB_ALGO, "Could not prime trust anchor"); 572 return 0; 573 } 574 /* ignore newq; validator does not need state created for that 575 * query, and its a 'normal' for iterator as well */ 576 vq->wait_prime_ta = 1; /* to elicit PRIME_RESP_STATE processing 577 from the validator inform_super() routine */ 578 /* store trust anchor name for later lookup when prime returns */ 579 vq->trust_anchor_name = regional_alloc_init(qstate->region, 580 toprime->name, toprime->namelen); 581 vq->trust_anchor_len = toprime->namelen; 582 vq->trust_anchor_labs = toprime->namelabs; 583 if(!vq->trust_anchor_name) { 584 log_err("Could not prime trust anchor: out of memory"); 585 return 0; 586 } 587 return 1; 588 } 589 590 /** 591 * Validate if the ANSWER and AUTHORITY sections contain valid rrsets. 592 * They must be validly signed with the given key. 593 * Tries to validate ADDITIONAL rrsets as well, but only to check them. 594 * Allows unsigned CNAME after a DNAME that expands the DNAME. 595 * 596 * Note that by the time this method is called, the process of finding the 597 * trusted DNSKEY rrset that signs this response must already have been 598 * completed. 599 * 600 * @param qstate: query state. 601 * @param env: module env for verify. 602 * @param ve: validator env for verify. 603 * @param qchase: query that was made. 604 * @param chase_reply: answer to validate. 605 * @param key_entry: the key entry, which is trusted, and which matches 606 * the signer of the answer. The key entry isgood(). 607 * @return false if any of the rrsets in the an or ns sections of the message 608 * fail to verify. The message is then set to bogus. 609 */ 610 static int 611 validate_msg_signatures(struct module_qstate* qstate, struct module_env* env, 612 struct val_env* ve, struct query_info* qchase, 613 struct reply_info* chase_reply, struct key_entry_key* key_entry) 614 { 615 uint8_t* sname; 616 size_t i, slen; 617 struct ub_packed_rrset_key* s; 618 enum sec_status sec; 619 int dname_seen = 0; 620 char* reason = NULL; 621 sldns_ede_code reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 622 623 /* validate the ANSWER section */ 624 for(i=0; i<chase_reply->an_numrrsets; i++) { 625 s = chase_reply->rrsets[i]; 626 /* Skip the CNAME following a (validated) DNAME. 627 * Because of the normalization routines in the iterator, 628 * there will always be an unsigned CNAME following a DNAME 629 * (unless qtype=DNAME). */ 630 if(dname_seen && ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME) { 631 dname_seen = 0; 632 /* CNAME was synthesized by our own iterator */ 633 /* since the DNAME verified, mark the CNAME as secure */ 634 ((struct packed_rrset_data*)s->entry.data)->security = 635 sec_status_secure; 636 ((struct packed_rrset_data*)s->entry.data)->trust = 637 rrset_trust_validated; 638 continue; 639 } 640 641 /* Verify the answer rrset */ 642 sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason, 643 &reason_bogus, LDNS_SECTION_ANSWER, qstate); 644 /* If the (answer) rrset failed to validate, then this 645 * message is BAD. */ 646 if(sec != sec_status_secure) { 647 log_nametypeclass(VERB_QUERY, "validator: response " 648 "has failed ANSWER rrset:", s->rk.dname, 649 ntohs(s->rk.type), ntohs(s->rk.rrset_class)); 650 errinf_ede(qstate, reason, reason_bogus); 651 if(ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME) 652 errinf(qstate, "for CNAME"); 653 else if(ntohs(s->rk.type) == LDNS_RR_TYPE_DNAME) 654 errinf(qstate, "for DNAME"); 655 errinf_origin(qstate, qstate->reply_origin); 656 chase_reply->security = sec_status_bogus; 657 update_reason_bogus(chase_reply, reason_bogus); 658 659 return 0; 660 } 661 662 /* Notice a DNAME that should be followed by an unsigned 663 * CNAME. */ 664 if(qchase->qtype != LDNS_RR_TYPE_DNAME && 665 ntohs(s->rk.type) == LDNS_RR_TYPE_DNAME) { 666 dname_seen = 1; 667 } 668 } 669 670 /* validate the AUTHORITY section */ 671 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+ 672 chase_reply->ns_numrrsets; i++) { 673 s = chase_reply->rrsets[i]; 674 sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason, 675 &reason_bogus, LDNS_SECTION_AUTHORITY, qstate); 676 /* If anything in the authority section fails to be secure, 677 * we have a bad message. */ 678 if(sec != sec_status_secure) { 679 log_nametypeclass(VERB_QUERY, "validator: response " 680 "has failed AUTHORITY rrset:", s->rk.dname, 681 ntohs(s->rk.type), ntohs(s->rk.rrset_class)); 682 errinf_ede(qstate, reason, reason_bogus); 683 errinf_origin(qstate, qstate->reply_origin); 684 errinf_rrset(qstate, s); 685 chase_reply->security = sec_status_bogus; 686 update_reason_bogus(chase_reply, reason_bogus); 687 return 0; 688 } 689 } 690 691 /* If set, the validator should clean the additional section of 692 * secure messages. */ 693 if(!env->cfg->val_clean_additional) 694 return 1; 695 /* attempt to validate the ADDITIONAL section rrsets */ 696 for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets; 697 i<chase_reply->rrset_count; i++) { 698 s = chase_reply->rrsets[i]; 699 /* only validate rrs that have signatures with the key */ 700 /* leave others unchecked, those get removed later on too */ 701 val_find_rrset_signer(s, &sname, &slen); 702 703 if(sname && query_dname_compare(sname, key_entry->name)==0) 704 (void)val_verify_rrset_entry(env, ve, s, key_entry, 705 &reason, NULL, LDNS_SECTION_ADDITIONAL, qstate); 706 /* the additional section can fail to be secure, 707 * it is optional, check signature in case we need 708 * to clean the additional section later. */ 709 } 710 711 return 1; 712 } 713 714 /** 715 * Detect wrong truncated response (say from BIND 9.6.1 that is forwarding 716 * and saw the NS record without signatures from a referral). 717 * The positive response has a mangled authority section. 718 * Remove that authority section and the additional section. 719 * @param rep: reply 720 * @return true if a wrongly truncated response. 721 */ 722 static int 723 detect_wrongly_truncated(struct reply_info* rep) 724 { 725 size_t i; 726 /* only NS in authority, and it is bogus */ 727 if(rep->ns_numrrsets != 1 || rep->an_numrrsets == 0) 728 return 0; 729 if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS) 730 return 0; 731 if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ] 732 ->entry.data)->security == sec_status_secure) 733 return 0; 734 /* answer section is present and secure */ 735 for(i=0; i<rep->an_numrrsets; i++) { 736 if(((struct packed_rrset_data*)rep->rrsets[ i ] 737 ->entry.data)->security != sec_status_secure) 738 return 0; 739 } 740 verbose(VERB_ALGO, "truncating to minimal response"); 741 return 1; 742 } 743 744 /** 745 * For messages that are not referrals, if the chase reply contains an 746 * unsigned NS record in the authority section it could have been 747 * inserted by a (BIND) forwarder that thinks the zone is insecure, and 748 * that has an NS record without signatures in cache. Remove the NS 749 * record since the reply does not hinge on that record (in the authority 750 * section), but do not remove it if it removes the last record from the 751 * answer+authority sections. 752 * @param chase_reply: the chased reply, we have a key for this contents, 753 * so we should have signatures for these rrsets and not having 754 * signatures means it will be bogus. 755 * @param orig_reply: original reply, remove NS from there as well because 756 * we cannot mark the NS record as DNSSEC valid because it is not 757 * validated by signatures. 758 */ 759 static void 760 remove_spurious_authority(struct reply_info* chase_reply, 761 struct reply_info* orig_reply) 762 { 763 size_t i, found = 0; 764 int remove = 0; 765 /* if no answer and only 1 auth RRset, do not remove that one */ 766 if(chase_reply->an_numrrsets == 0 && chase_reply->ns_numrrsets == 1) 767 return; 768 /* search authority section for unsigned NS records */ 769 for(i = chase_reply->an_numrrsets; 770 i < chase_reply->an_numrrsets+chase_reply->ns_numrrsets; i++) { 771 struct packed_rrset_data* d = (struct packed_rrset_data*) 772 chase_reply->rrsets[i]->entry.data; 773 if(ntohs(chase_reply->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS 774 && d->rrsig_count == 0) { 775 found = i; 776 remove = 1; 777 break; 778 } 779 } 780 /* see if we found the entry */ 781 if(!remove) return; 782 log_rrset_key(VERB_ALGO, "Removing spurious unsigned NS record " 783 "(likely inserted by forwarder)", chase_reply->rrsets[found]); 784 785 /* find rrset in orig_reply */ 786 for(i = orig_reply->an_numrrsets; 787 i < orig_reply->an_numrrsets+orig_reply->ns_numrrsets; i++) { 788 if(ntohs(orig_reply->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS 789 && query_dname_compare(orig_reply->rrsets[i]->rk.dname, 790 chase_reply->rrsets[found]->rk.dname) == 0) { 791 /* remove from orig_msg */ 792 val_reply_remove_auth(orig_reply, i); 793 break; 794 } 795 } 796 /* remove rrset from chase_reply */ 797 val_reply_remove_auth(chase_reply, found); 798 } 799 800 /** 801 * Given a "positive" response -- a response that contains an answer to the 802 * question, and no CNAME chain, validate this response. 803 * 804 * The answer and authority RRsets must already be verified as secure. 805 * 806 * @param env: module env for verify. 807 * @param ve: validator env for verify. 808 * @param qchase: query that was made. 809 * @param chase_reply: answer to that query to validate. 810 * @param kkey: the key entry, which is trusted, and which matches 811 * the signer of the answer. The key entry isgood(). 812 */ 813 static void 814 validate_positive_response(struct module_env* env, struct val_env* ve, 815 struct query_info* qchase, struct reply_info* chase_reply, 816 struct key_entry_key* kkey) 817 { 818 uint8_t* wc = NULL; 819 size_t wl; 820 int wc_cached = 0; 821 int wc_NSEC_ok = 0; 822 int nsec3s_seen = 0; 823 size_t i; 824 struct ub_packed_rrset_key* s; 825 826 /* validate the ANSWER section - this will be the answer itself */ 827 for(i=0; i<chase_reply->an_numrrsets; i++) { 828 s = chase_reply->rrsets[i]; 829 830 /* Check to see if the rrset is the result of a wildcard 831 * expansion. If so, an additional check will need to be 832 * made in the authority section. */ 833 if(!val_rrset_wildcard(s, &wc, &wl)) { 834 log_nametypeclass(VERB_QUERY, "Positive response has " 835 "inconsistent wildcard sigs:", s->rk.dname, 836 ntohs(s->rk.type), ntohs(s->rk.rrset_class)); 837 chase_reply->security = sec_status_bogus; 838 update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); 839 return; 840 } 841 if(wc && !wc_cached && env->cfg->aggressive_nsec) { 842 rrset_cache_update_wildcard(env->rrset_cache, s, wc, wl, 843 env->alloc, *env->now); 844 wc_cached = 1; 845 } 846 847 } 848 849 /* validate the AUTHORITY section as well - this will generally be 850 * the NS rrset (which could be missing, no problem) */ 851 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+ 852 chase_reply->ns_numrrsets; i++) { 853 s = chase_reply->rrsets[i]; 854 855 /* If this is a positive wildcard response, and we have a 856 * (just verified) NSEC record, try to use it to 1) prove 857 * that qname doesn't exist and 2) that the correct wildcard 858 * was used. */ 859 if(wc != NULL && ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) { 860 if(val_nsec_proves_positive_wildcard(s, qchase, wc)) { 861 wc_NSEC_ok = 1; 862 } 863 /* if not, continue looking for proof */ 864 } 865 866 /* Otherwise, if this is a positive wildcard response and 867 * we have NSEC3 records */ 868 if(wc != NULL && ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) { 869 nsec3s_seen = 1; 870 } 871 } 872 873 /* If this was a positive wildcard response that we haven't already 874 * proven, and we have NSEC3 records, try to prove it using the NSEC3 875 * records. */ 876 if(wc != NULL && !wc_NSEC_ok && nsec3s_seen) { 877 enum sec_status sec = nsec3_prove_wildcard(env, ve, 878 chase_reply->rrsets+chase_reply->an_numrrsets, 879 chase_reply->ns_numrrsets, qchase, kkey, wc); 880 if(sec == sec_status_insecure) { 881 verbose(VERB_ALGO, "Positive wildcard response is " 882 "insecure"); 883 chase_reply->security = sec_status_insecure; 884 return; 885 } else if(sec == sec_status_secure) 886 wc_NSEC_ok = 1; 887 } 888 889 /* If after all this, we still haven't proven the positive wildcard 890 * response, fail. */ 891 if(wc != NULL && !wc_NSEC_ok) { 892 verbose(VERB_QUERY, "positive response was wildcard " 893 "expansion and did not prove original data " 894 "did not exist"); 895 chase_reply->security = sec_status_bogus; 896 update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); 897 return; 898 } 899 900 verbose(VERB_ALGO, "Successfully validated positive response"); 901 chase_reply->security = sec_status_secure; 902 } 903 904 /** 905 * Validate a NOERROR/NODATA signed response -- a response that has a 906 * NOERROR Rcode but no ANSWER section RRsets. This consists of making 907 * certain that the authority section NSEC/NSEC3s proves that the qname 908 * does exist and the qtype doesn't. 909 * 910 * The answer and authority RRsets must already be verified as secure. 911 * 912 * @param env: module env for verify. 913 * @param ve: validator env for verify. 914 * @param qchase: query that was made. 915 * @param chase_reply: answer to that query to validate. 916 * @param kkey: the key entry, which is trusted, and which matches 917 * the signer of the answer. The key entry isgood(). 918 */ 919 static void 920 validate_nodata_response(struct module_env* env, struct val_env* ve, 921 struct query_info* qchase, struct reply_info* chase_reply, 922 struct key_entry_key* kkey) 923 { 924 /* Since we are here, there must be nothing in the ANSWER section to 925 * validate. */ 926 /* (Note: CNAME/DNAME responses will not directly get here -- 927 * instead, they are chased down into individual CNAME validations, 928 * and at the end of the cname chain a POSITIVE, or CNAME_NOANSWER 929 * validation.) */ 930 931 /* validate the AUTHORITY section */ 932 int has_valid_nsec = 0; /* If true, then the NODATA has been proven.*/ 933 uint8_t* ce = NULL; /* for wildcard nodata responses. This is the 934 proven closest encloser. */ 935 uint8_t* wc = NULL; /* for wildcard nodata responses. wildcard nsec */ 936 int nsec3s_seen = 0; /* nsec3s seen */ 937 struct ub_packed_rrset_key* s; 938 size_t i; 939 940 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+ 941 chase_reply->ns_numrrsets; i++) { 942 s = chase_reply->rrsets[i]; 943 /* If we encounter an NSEC record, try to use it to prove 944 * NODATA. 945 * This needs to handle the ENT NODATA case. */ 946 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) { 947 if(nsec_proves_nodata(s, qchase, &wc)) { 948 has_valid_nsec = 1; 949 /* sets wc-encloser if wildcard applicable */ 950 } 951 if(val_nsec_proves_name_error(s, qchase->qname)) { 952 ce = nsec_closest_encloser(qchase->qname, s); 953 } 954 if(val_nsec_proves_insecuredelegation(s, qchase)) { 955 verbose(VERB_ALGO, "delegation is insecure"); 956 chase_reply->security = sec_status_insecure; 957 return; 958 } 959 } else if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) { 960 nsec3s_seen = 1; 961 } 962 } 963 964 /* check to see if we have a wildcard NODATA proof. */ 965 966 /* The wildcard NODATA is 1 NSEC proving that qname does not exist 967 * (and also proving what the closest encloser is), and 1 NSEC 968 * showing the matching wildcard, which must be *.closest_encloser. */ 969 if(wc && !ce) 970 has_valid_nsec = 0; 971 else if(wc && ce) { 972 if(query_dname_compare(wc, ce) != 0) { 973 has_valid_nsec = 0; 974 } 975 } 976 977 if(!has_valid_nsec && nsec3s_seen) { 978 enum sec_status sec = nsec3_prove_nodata(env, ve, 979 chase_reply->rrsets+chase_reply->an_numrrsets, 980 chase_reply->ns_numrrsets, qchase, kkey); 981 if(sec == sec_status_insecure) { 982 verbose(VERB_ALGO, "NODATA response is insecure"); 983 chase_reply->security = sec_status_insecure; 984 return; 985 } else if(sec == sec_status_secure) 986 has_valid_nsec = 1; 987 } 988 989 if(!has_valid_nsec) { 990 verbose(VERB_QUERY, "NODATA response failed to prove NODATA " 991 "status with NSEC/NSEC3"); 992 if(verbosity >= VERB_ALGO) 993 log_dns_msg("Failed NODATA", qchase, chase_reply); 994 chase_reply->security = sec_status_bogus; 995 update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); 996 return; 997 } 998 999 verbose(VERB_ALGO, "successfully validated NODATA response."); 1000 chase_reply->security = sec_status_secure; 1001 } 1002 1003 /** 1004 * Validate a NAMEERROR signed response -- a response that has a NXDOMAIN 1005 * Rcode. 1006 * This consists of making certain that the authority section NSEC proves 1007 * that the qname doesn't exist and the covering wildcard also doesn't exist.. 1008 * 1009 * The answer and authority RRsets must have already been verified as secure. 1010 * 1011 * @param env: module env for verify. 1012 * @param ve: validator env for verify. 1013 * @param qchase: query that was made. 1014 * @param chase_reply: answer to that query to validate. 1015 * @param kkey: the key entry, which is trusted, and which matches 1016 * the signer of the answer. The key entry isgood(). 1017 * @param rcode: adjusted RCODE, in case of RCODE/proof mismatch leniency. 1018 */ 1019 static void 1020 validate_nameerror_response(struct module_env* env, struct val_env* ve, 1021 struct query_info* qchase, struct reply_info* chase_reply, 1022 struct key_entry_key* kkey, int* rcode) 1023 { 1024 int has_valid_nsec = 0; 1025 int has_valid_wnsec = 0; 1026 int nsec3s_seen = 0; 1027 struct ub_packed_rrset_key* s; 1028 size_t i; 1029 uint8_t* ce; 1030 int ce_labs = 0; 1031 int prev_ce_labs = 0; 1032 1033 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+ 1034 chase_reply->ns_numrrsets; i++) { 1035 s = chase_reply->rrsets[i]; 1036 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) { 1037 if(val_nsec_proves_name_error(s, qchase->qname)) 1038 has_valid_nsec = 1; 1039 ce = nsec_closest_encloser(qchase->qname, s); 1040 ce_labs = dname_count_labels(ce); 1041 /* Use longest closest encloser to prove wildcard. */ 1042 if(ce_labs > prev_ce_labs || 1043 (ce_labs == prev_ce_labs && 1044 has_valid_wnsec == 0)) { 1045 if(val_nsec_proves_no_wc(s, qchase->qname, 1046 qchase->qname_len)) 1047 has_valid_wnsec = 1; 1048 else 1049 has_valid_wnsec = 0; 1050 } 1051 prev_ce_labs = ce_labs; 1052 if(val_nsec_proves_insecuredelegation(s, qchase)) { 1053 verbose(VERB_ALGO, "delegation is insecure"); 1054 chase_reply->security = sec_status_insecure; 1055 return; 1056 } 1057 } else if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) 1058 nsec3s_seen = 1; 1059 } 1060 1061 if((!has_valid_nsec || !has_valid_wnsec) && nsec3s_seen) { 1062 /* use NSEC3 proof, both answer and auth rrsets, in case 1063 * NSEC3s end up in the answer (due to qtype=NSEC3 or so) */ 1064 chase_reply->security = nsec3_prove_nameerror(env, ve, 1065 chase_reply->rrsets, chase_reply->an_numrrsets+ 1066 chase_reply->ns_numrrsets, qchase, kkey); 1067 if(chase_reply->security != sec_status_secure) { 1068 verbose(VERB_QUERY, "NameError response failed nsec, " 1069 "nsec3 proof was %s", sec_status_to_string( 1070 chase_reply->security)); 1071 return; 1072 } 1073 has_valid_nsec = 1; 1074 has_valid_wnsec = 1; 1075 } 1076 1077 /* If the message fails to prove either condition, it is bogus. */ 1078 if(!has_valid_nsec) { 1079 verbose(VERB_QUERY, "NameError response has failed to prove: " 1080 "qname does not exist"); 1081 chase_reply->security = sec_status_bogus; 1082 update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); 1083 /* Be lenient with RCODE in NSEC NameError responses */ 1084 validate_nodata_response(env, ve, qchase, chase_reply, kkey); 1085 if (chase_reply->security == sec_status_secure) 1086 *rcode = LDNS_RCODE_NOERROR; 1087 return; 1088 } 1089 1090 if(!has_valid_wnsec) { 1091 verbose(VERB_QUERY, "NameError response has failed to prove: " 1092 "covering wildcard does not exist"); 1093 chase_reply->security = sec_status_bogus; 1094 update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); 1095 /* Be lenient with RCODE in NSEC NameError responses */ 1096 validate_nodata_response(env, ve, qchase, chase_reply, kkey); 1097 if (chase_reply->security == sec_status_secure) 1098 *rcode = LDNS_RCODE_NOERROR; 1099 return; 1100 } 1101 1102 /* Otherwise, we consider the message secure. */ 1103 verbose(VERB_ALGO, "successfully validated NAME ERROR response."); 1104 chase_reply->security = sec_status_secure; 1105 } 1106 1107 /** 1108 * Given a referral response, validate rrsets and take least trusted rrset 1109 * as the current validation status. 1110 * 1111 * Note that by the time this method is called, the process of finding the 1112 * trusted DNSKEY rrset that signs this response must already have been 1113 * completed. 1114 * 1115 * @param chase_reply: answer to validate. 1116 */ 1117 static void 1118 validate_referral_response(struct reply_info* chase_reply) 1119 { 1120 size_t i; 1121 enum sec_status s; 1122 /* message security equals lowest rrset security */ 1123 chase_reply->security = sec_status_secure; 1124 for(i=0; i<chase_reply->rrset_count; i++) { 1125 s = ((struct packed_rrset_data*)chase_reply->rrsets[i] 1126 ->entry.data)->security; 1127 if(s < chase_reply->security) 1128 chase_reply->security = s; 1129 } 1130 verbose(VERB_ALGO, "validated part of referral response as %s", 1131 sec_status_to_string(chase_reply->security)); 1132 } 1133 1134 /** 1135 * Given an "ANY" response -- a response that contains an answer to a 1136 * qtype==ANY question, with answers. This does no checking that all 1137 * types are present. 1138 * 1139 * NOTE: it may be possible to get parent-side delegation point records 1140 * here, which won't all be signed. Right now, this routine relies on the 1141 * upstream iterative resolver to not return these responses -- instead 1142 * treating them as referrals. 1143 * 1144 * NOTE: RFC 4035 is silent on this issue, so this may change upon 1145 * clarification. Clarification draft -05 says to not check all types are 1146 * present. 1147 * 1148 * Note that by the time this method is called, the process of finding the 1149 * trusted DNSKEY rrset that signs this response must already have been 1150 * completed. 1151 * 1152 * @param env: module env for verify. 1153 * @param ve: validator env for verify. 1154 * @param qchase: query that was made. 1155 * @param chase_reply: answer to that query to validate. 1156 * @param kkey: the key entry, which is trusted, and which matches 1157 * the signer of the answer. The key entry isgood(). 1158 */ 1159 static void 1160 validate_any_response(struct module_env* env, struct val_env* ve, 1161 struct query_info* qchase, struct reply_info* chase_reply, 1162 struct key_entry_key* kkey) 1163 { 1164 /* all answer and auth rrsets already verified */ 1165 /* but check if a wildcard response is given, then check NSEC/NSEC3 1166 * for qname denial to see if wildcard is applicable */ 1167 uint8_t* wc = NULL; 1168 size_t wl; 1169 int wc_NSEC_ok = 0; 1170 int nsec3s_seen = 0; 1171 size_t i; 1172 struct ub_packed_rrset_key* s; 1173 1174 if(qchase->qtype != LDNS_RR_TYPE_ANY) { 1175 log_err("internal error: ANY validation called for non-ANY"); 1176 chase_reply->security = sec_status_bogus; 1177 update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); 1178 return; 1179 } 1180 1181 /* validate the ANSWER section - this will be the answer itself */ 1182 for(i=0; i<chase_reply->an_numrrsets; i++) { 1183 s = chase_reply->rrsets[i]; 1184 1185 /* Check to see if the rrset is the result of a wildcard 1186 * expansion. If so, an additional check will need to be 1187 * made in the authority section. */ 1188 if(!val_rrset_wildcard(s, &wc, &wl)) { 1189 log_nametypeclass(VERB_QUERY, "Positive ANY response" 1190 " has inconsistent wildcard sigs:", 1191 s->rk.dname, ntohs(s->rk.type), 1192 ntohs(s->rk.rrset_class)); 1193 chase_reply->security = sec_status_bogus; 1194 update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); 1195 return; 1196 } 1197 } 1198 1199 /* if it was a wildcard, check for NSEC/NSEC3s in both answer 1200 * and authority sections (NSEC may be moved to the ANSWER section) */ 1201 if(wc != NULL) 1202 for(i=0; i<chase_reply->an_numrrsets+chase_reply->ns_numrrsets; 1203 i++) { 1204 s = chase_reply->rrsets[i]; 1205 1206 /* If this is a positive wildcard response, and we have a 1207 * (just verified) NSEC record, try to use it to 1) prove 1208 * that qname doesn't exist and 2) that the correct wildcard 1209 * was used. */ 1210 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) { 1211 if(val_nsec_proves_positive_wildcard(s, qchase, wc)) { 1212 wc_NSEC_ok = 1; 1213 } 1214 /* if not, continue looking for proof */ 1215 } 1216 1217 /* Otherwise, if this is a positive wildcard response and 1218 * we have NSEC3 records */ 1219 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) { 1220 nsec3s_seen = 1; 1221 } 1222 } 1223 1224 /* If this was a positive wildcard response that we haven't already 1225 * proven, and we have NSEC3 records, try to prove it using the NSEC3 1226 * records. */ 1227 if(wc != NULL && !wc_NSEC_ok && nsec3s_seen) { 1228 /* look both in answer and auth section for NSEC3s */ 1229 enum sec_status sec = nsec3_prove_wildcard(env, ve, 1230 chase_reply->rrsets, 1231 chase_reply->an_numrrsets+chase_reply->ns_numrrsets, 1232 qchase, kkey, wc); 1233 if(sec == sec_status_insecure) { 1234 verbose(VERB_ALGO, "Positive ANY wildcard response is " 1235 "insecure"); 1236 chase_reply->security = sec_status_insecure; 1237 return; 1238 } else if(sec == sec_status_secure) 1239 wc_NSEC_ok = 1; 1240 } 1241 1242 /* If after all this, we still haven't proven the positive wildcard 1243 * response, fail. */ 1244 if(wc != NULL && !wc_NSEC_ok) { 1245 verbose(VERB_QUERY, "positive ANY response was wildcard " 1246 "expansion and did not prove original data " 1247 "did not exist"); 1248 chase_reply->security = sec_status_bogus; 1249 update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); 1250 return; 1251 } 1252 1253 verbose(VERB_ALGO, "Successfully validated positive ANY response"); 1254 chase_reply->security = sec_status_secure; 1255 } 1256 1257 /** 1258 * Validate CNAME response, or DNAME+CNAME. 1259 * This is just like a positive proof, except that this is about a 1260 * DNAME+CNAME. Possible wildcard proof. 1261 * Difference with positive proof is that this routine refuses 1262 * wildcarded DNAMEs. 1263 * 1264 * The answer and authority rrsets must already be verified as secure. 1265 * 1266 * @param env: module env for verify. 1267 * @param ve: validator env for verify. 1268 * @param qchase: query that was made. 1269 * @param chase_reply: answer to that query to validate. 1270 * @param kkey: the key entry, which is trusted, and which matches 1271 * the signer of the answer. The key entry isgood(). 1272 */ 1273 static void 1274 validate_cname_response(struct module_env* env, struct val_env* ve, 1275 struct query_info* qchase, struct reply_info* chase_reply, 1276 struct key_entry_key* kkey) 1277 { 1278 uint8_t* wc = NULL; 1279 size_t wl; 1280 int wc_NSEC_ok = 0; 1281 int nsec3s_seen = 0; 1282 size_t i; 1283 struct ub_packed_rrset_key* s; 1284 1285 /* validate the ANSWER section - this will be the CNAME (+DNAME) */ 1286 for(i=0; i<chase_reply->an_numrrsets; i++) { 1287 s = chase_reply->rrsets[i]; 1288 1289 /* Check to see if the rrset is the result of a wildcard 1290 * expansion. If so, an additional check will need to be 1291 * made in the authority section. */ 1292 if(!val_rrset_wildcard(s, &wc, &wl)) { 1293 log_nametypeclass(VERB_QUERY, "Cname response has " 1294 "inconsistent wildcard sigs:", s->rk.dname, 1295 ntohs(s->rk.type), ntohs(s->rk.rrset_class)); 1296 chase_reply->security = sec_status_bogus; 1297 update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); 1298 return; 1299 } 1300 1301 /* Refuse wildcarded DNAMEs rfc 4597. 1302 * Do not follow a wildcarded DNAME because 1303 * its synthesized CNAME expansion is underdefined */ 1304 if(qchase->qtype != LDNS_RR_TYPE_DNAME && 1305 ntohs(s->rk.type) == LDNS_RR_TYPE_DNAME && wc) { 1306 log_nametypeclass(VERB_QUERY, "cannot validate a " 1307 "wildcarded DNAME:", s->rk.dname, 1308 ntohs(s->rk.type), ntohs(s->rk.rrset_class)); 1309 chase_reply->security = sec_status_bogus; 1310 update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); 1311 return; 1312 } 1313 1314 /* If we have found a CNAME, stop looking for one. 1315 * The iterator has placed the CNAME chain in correct 1316 * order. */ 1317 if (ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME) { 1318 break; 1319 } 1320 } 1321 1322 /* AUTHORITY section */ 1323 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+ 1324 chase_reply->ns_numrrsets; i++) { 1325 s = chase_reply->rrsets[i]; 1326 1327 /* If this is a positive wildcard response, and we have a 1328 * (just verified) NSEC record, try to use it to 1) prove 1329 * that qname doesn't exist and 2) that the correct wildcard 1330 * was used. */ 1331 if(wc != NULL && ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) { 1332 if(val_nsec_proves_positive_wildcard(s, qchase, wc)) { 1333 wc_NSEC_ok = 1; 1334 } 1335 /* if not, continue looking for proof */ 1336 } 1337 1338 /* Otherwise, if this is a positive wildcard response and 1339 * we have NSEC3 records */ 1340 if(wc != NULL && ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) { 1341 nsec3s_seen = 1; 1342 } 1343 } 1344 1345 /* If this was a positive wildcard response that we haven't already 1346 * proven, and we have NSEC3 records, try to prove it using the NSEC3 1347 * records. */ 1348 if(wc != NULL && !wc_NSEC_ok && nsec3s_seen) { 1349 enum sec_status sec = nsec3_prove_wildcard(env, ve, 1350 chase_reply->rrsets+chase_reply->an_numrrsets, 1351 chase_reply->ns_numrrsets, qchase, kkey, wc); 1352 if(sec == sec_status_insecure) { 1353 verbose(VERB_ALGO, "wildcard CNAME response is " 1354 "insecure"); 1355 chase_reply->security = sec_status_insecure; 1356 return; 1357 } else if(sec == sec_status_secure) 1358 wc_NSEC_ok = 1; 1359 } 1360 1361 /* If after all this, we still haven't proven the positive wildcard 1362 * response, fail. */ 1363 if(wc != NULL && !wc_NSEC_ok) { 1364 verbose(VERB_QUERY, "CNAME response was wildcard " 1365 "expansion and did not prove original data " 1366 "did not exist"); 1367 chase_reply->security = sec_status_bogus; 1368 update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); 1369 return; 1370 } 1371 1372 verbose(VERB_ALGO, "Successfully validated CNAME response"); 1373 chase_reply->security = sec_status_secure; 1374 } 1375 1376 /** 1377 * Validate CNAME NOANSWER response, no more data after a CNAME chain. 1378 * This can be a NODATA or a NAME ERROR case, but not both at the same time. 1379 * We don't know because the rcode has been set to NOERROR by the CNAME. 1380 * 1381 * The answer and authority rrsets must already be verified as secure. 1382 * 1383 * @param env: module env for verify. 1384 * @param ve: validator env for verify. 1385 * @param qchase: query that was made. 1386 * @param chase_reply: answer to that query to validate. 1387 * @param kkey: the key entry, which is trusted, and which matches 1388 * the signer of the answer. The key entry isgood(). 1389 */ 1390 static void 1391 validate_cname_noanswer_response(struct module_env* env, struct val_env* ve, 1392 struct query_info* qchase, struct reply_info* chase_reply, 1393 struct key_entry_key* kkey) 1394 { 1395 int nodata_valid_nsec = 0; /* If true, then NODATA has been proven.*/ 1396 uint8_t* ce = NULL; /* for wildcard nodata responses. This is the 1397 proven closest encloser. */ 1398 uint8_t* wc = NULL; /* for wildcard nodata responses. wildcard nsec */ 1399 int nxdomain_valid_nsec = 0; /* if true, nameerror has been proven */ 1400 int nxdomain_valid_wnsec = 0; 1401 int nsec3s_seen = 0; /* nsec3s seen */ 1402 struct ub_packed_rrset_key* s; 1403 size_t i; 1404 uint8_t* nsec_ce; /* Used to find the NSEC with the longest ce */ 1405 int ce_labs = 0; 1406 int prev_ce_labs = 0; 1407 1408 /* the AUTHORITY section */ 1409 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+ 1410 chase_reply->ns_numrrsets; i++) { 1411 s = chase_reply->rrsets[i]; 1412 1413 /* If we encounter an NSEC record, try to use it to prove 1414 * NODATA. This needs to handle the ENT NODATA case. 1415 * Also try to prove NAMEERROR, and absence of a wildcard */ 1416 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) { 1417 if(nsec_proves_nodata(s, qchase, &wc)) { 1418 nodata_valid_nsec = 1; 1419 /* set wc encloser if wildcard applicable */ 1420 } 1421 if(val_nsec_proves_name_error(s, qchase->qname)) { 1422 ce = nsec_closest_encloser(qchase->qname, s); 1423 nxdomain_valid_nsec = 1; 1424 } 1425 nsec_ce = nsec_closest_encloser(qchase->qname, s); 1426 ce_labs = dname_count_labels(nsec_ce); 1427 /* Use longest closest encloser to prove wildcard. */ 1428 if(ce_labs > prev_ce_labs || 1429 (ce_labs == prev_ce_labs && 1430 nxdomain_valid_wnsec == 0)) { 1431 if(val_nsec_proves_no_wc(s, qchase->qname, 1432 qchase->qname_len)) 1433 nxdomain_valid_wnsec = 1; 1434 else 1435 nxdomain_valid_wnsec = 0; 1436 } 1437 prev_ce_labs = ce_labs; 1438 if(val_nsec_proves_insecuredelegation(s, qchase)) { 1439 verbose(VERB_ALGO, "delegation is insecure"); 1440 chase_reply->security = sec_status_insecure; 1441 return; 1442 } 1443 } else if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) { 1444 nsec3s_seen = 1; 1445 } 1446 } 1447 1448 /* check to see if we have a wildcard NODATA proof. */ 1449 1450 /* The wildcard NODATA is 1 NSEC proving that qname does not exists 1451 * (and also proving what the closest encloser is), and 1 NSEC 1452 * showing the matching wildcard, which must be *.closest_encloser. */ 1453 if(wc && !ce) 1454 nodata_valid_nsec = 0; 1455 else if(wc && ce) { 1456 if(query_dname_compare(wc, ce) != 0) { 1457 nodata_valid_nsec = 0; 1458 } 1459 } 1460 if(nxdomain_valid_nsec && !nxdomain_valid_wnsec) { 1461 /* name error is missing wildcard denial proof */ 1462 nxdomain_valid_nsec = 0; 1463 } 1464 1465 if(nodata_valid_nsec && nxdomain_valid_nsec) { 1466 verbose(VERB_QUERY, "CNAMEchain to noanswer proves that name " 1467 "exists and not exists, bogus"); 1468 chase_reply->security = sec_status_bogus; 1469 update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); 1470 return; 1471 } 1472 if(!nodata_valid_nsec && !nxdomain_valid_nsec && nsec3s_seen) { 1473 int nodata; 1474 enum sec_status sec = nsec3_prove_nxornodata(env, ve, 1475 chase_reply->rrsets+chase_reply->an_numrrsets, 1476 chase_reply->ns_numrrsets, qchase, kkey, &nodata); 1477 if(sec == sec_status_insecure) { 1478 verbose(VERB_ALGO, "CNAMEchain to noanswer response " 1479 "is insecure"); 1480 chase_reply->security = sec_status_insecure; 1481 return; 1482 } else if(sec == sec_status_secure) { 1483 if(nodata) 1484 nodata_valid_nsec = 1; 1485 else nxdomain_valid_nsec = 1; 1486 } 1487 } 1488 1489 if(!nodata_valid_nsec && !nxdomain_valid_nsec) { 1490 verbose(VERB_QUERY, "CNAMEchain to noanswer response failed " 1491 "to prove status with NSEC/NSEC3"); 1492 if(verbosity >= VERB_ALGO) 1493 log_dns_msg("Failed CNAMEnoanswer", qchase, chase_reply); 1494 chase_reply->security = sec_status_bogus; 1495 update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); 1496 return; 1497 } 1498 1499 if(nodata_valid_nsec) 1500 verbose(VERB_ALGO, "successfully validated CNAME chain to a " 1501 "NODATA response."); 1502 else verbose(VERB_ALGO, "successfully validated CNAME chain to a " 1503 "NAMEERROR response."); 1504 chase_reply->security = sec_status_secure; 1505 } 1506 1507 /** 1508 * Process init state for validator. 1509 * Process the INIT state. First tier responses start in the INIT state. 1510 * This is where they are vetted for validation suitability, and the initial 1511 * key search is done. 1512 * 1513 * Currently, events the come through this routine will be either promoted 1514 * to FINISHED/CNAME_RESP (no validation needed), FINDKEY (next step to 1515 * validation), or will be (temporarily) retired and a new priming request 1516 * event will be generated. 1517 * 1518 * @param qstate: query state. 1519 * @param vq: validator query state. 1520 * @param ve: validator shared global environment. 1521 * @param id: module id. 1522 * @return true if the event should be processed further on return, false if 1523 * not. 1524 */ 1525 static int 1526 processInit(struct module_qstate* qstate, struct val_qstate* vq, 1527 struct val_env* ve, int id) 1528 { 1529 uint8_t* lookup_name; 1530 size_t lookup_len; 1531 struct trust_anchor* anchor; 1532 enum val_classification subtype = val_classify_response( 1533 qstate->query_flags, &qstate->qinfo, &vq->qchase, 1534 vq->orig_msg->rep, vq->rrset_skip); 1535 if(vq->restart_count > ve->max_restart) { 1536 verbose(VERB_ALGO, "restart count exceeded"); 1537 return val_error(qstate, id); 1538 } 1539 1540 /* correctly initialize reason_bogus */ 1541 update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSSEC_BOGUS); 1542 1543 verbose(VERB_ALGO, "validator classification %s", 1544 val_classification_to_string(subtype)); 1545 if(subtype == VAL_CLASS_REFERRAL && 1546 vq->rrset_skip < vq->orig_msg->rep->rrset_count) { 1547 /* referral uses the rrset name as qchase, to find keys for 1548 * that rrset */ 1549 vq->qchase.qname = vq->orig_msg->rep-> 1550 rrsets[vq->rrset_skip]->rk.dname; 1551 vq->qchase.qname_len = vq->orig_msg->rep-> 1552 rrsets[vq->rrset_skip]->rk.dname_len; 1553 vq->qchase.qtype = ntohs(vq->orig_msg->rep-> 1554 rrsets[vq->rrset_skip]->rk.type); 1555 vq->qchase.qclass = ntohs(vq->orig_msg->rep-> 1556 rrsets[vq->rrset_skip]->rk.rrset_class); 1557 } 1558 lookup_name = vq->qchase.qname; 1559 lookup_len = vq->qchase.qname_len; 1560 /* for type DS look at the parent side for keys/trustanchor */ 1561 /* also for NSEC not at apex */ 1562 if(vq->qchase.qtype == LDNS_RR_TYPE_DS || 1563 (vq->qchase.qtype == LDNS_RR_TYPE_NSEC && 1564 vq->orig_msg->rep->rrset_count > vq->rrset_skip && 1565 ntohs(vq->orig_msg->rep->rrsets[vq->rrset_skip]->rk.type) == 1566 LDNS_RR_TYPE_NSEC && 1567 !(vq->orig_msg->rep->rrsets[vq->rrset_skip]-> 1568 rk.flags&PACKED_RRSET_NSEC_AT_APEX))) { 1569 dname_remove_label(&lookup_name, &lookup_len); 1570 } 1571 1572 val_mark_indeterminate(vq->chase_reply, qstate->env->anchors, 1573 qstate->env->rrset_cache, qstate->env); 1574 vq->key_entry = NULL; 1575 vq->empty_DS_name = NULL; 1576 vq->ds_rrset = 0; 1577 anchor = anchors_lookup(qstate->env->anchors, 1578 lookup_name, lookup_len, vq->qchase.qclass); 1579 1580 /* Determine the signer/lookup name */ 1581 val_find_signer(subtype, &vq->qchase, vq->orig_msg->rep, 1582 vq->rrset_skip, &vq->signer_name, &vq->signer_len); 1583 if(vq->signer_name != NULL && 1584 !dname_subdomain_c(lookup_name, vq->signer_name)) { 1585 log_nametypeclass(VERB_ALGO, "this signer name is not a parent " 1586 "of lookupname, omitted", vq->signer_name, 0, 0); 1587 vq->signer_name = NULL; 1588 } 1589 if(vq->signer_name == NULL) { 1590 log_nametypeclass(VERB_ALGO, "no signer, using", lookup_name, 1591 0, 0); 1592 } else { 1593 lookup_name = vq->signer_name; 1594 lookup_len = vq->signer_len; 1595 log_nametypeclass(VERB_ALGO, "signer is", lookup_name, 0, 0); 1596 } 1597 1598 /* for NXDOMAIN it could be signed by a parent of the trust anchor */ 1599 if(subtype == VAL_CLASS_NAMEERROR && vq->signer_name && 1600 anchor && dname_strict_subdomain_c(anchor->name, lookup_name)){ 1601 lock_basic_unlock(&anchor->lock); 1602 anchor = anchors_lookup(qstate->env->anchors, 1603 lookup_name, lookup_len, vq->qchase.qclass); 1604 if(!anchor) { /* unsigned parent denies anchor*/ 1605 verbose(VERB_QUERY, "unsigned parent zone denies" 1606 " trust anchor, indeterminate"); 1607 vq->chase_reply->security = sec_status_indeterminate; 1608 update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSSEC_INDETERMINATE); 1609 vq->state = VAL_FINISHED_STATE; 1610 return 1; 1611 } 1612 verbose(VERB_ALGO, "trust anchor NXDOMAIN by signed parent"); 1613 } else if(subtype == VAL_CLASS_POSITIVE && 1614 qstate->qinfo.qtype == LDNS_RR_TYPE_DNSKEY && 1615 query_dname_compare(lookup_name, qstate->qinfo.qname) == 0) { 1616 /* is a DNSKEY so lookup a bit higher since we want to 1617 * get it from a parent or from trustanchor */ 1618 dname_remove_label(&lookup_name, &lookup_len); 1619 } 1620 1621 if(vq->rrset_skip > 0 || subtype == VAL_CLASS_CNAME || 1622 subtype == VAL_CLASS_REFERRAL) { 1623 /* extract this part of orig_msg into chase_reply for 1624 * the eventual VALIDATE stage */ 1625 val_fill_reply(vq->chase_reply, vq->orig_msg->rep, 1626 vq->rrset_skip, lookup_name, lookup_len, 1627 vq->signer_name); 1628 if(verbosity >= VERB_ALGO) 1629 log_dns_msg("chased extract", &vq->qchase, 1630 vq->chase_reply); 1631 } 1632 1633 vq->key_entry = key_cache_obtain(ve->kcache, lookup_name, lookup_len, 1634 vq->qchase.qclass, qstate->region, *qstate->env->now); 1635 1636 /* there is no key and no trust anchor */ 1637 if(vq->key_entry == NULL && anchor == NULL) { 1638 /*response isn't under a trust anchor, so we cannot validate.*/ 1639 vq->chase_reply->security = sec_status_indeterminate; 1640 update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSSEC_INDETERMINATE); 1641 /* go to finished state to cache this result */ 1642 vq->state = VAL_FINISHED_STATE; 1643 return 1; 1644 } 1645 /* if not key, or if keyentry is *above* the trustanchor, i.e. 1646 * the keyentry is based on another (higher) trustanchor */ 1647 else if(vq->key_entry == NULL || (anchor && 1648 dname_strict_subdomain_c(anchor->name, vq->key_entry->name))) { 1649 /* trust anchor is an 'unsigned' trust anchor */ 1650 if(anchor && anchor->numDS == 0 && anchor->numDNSKEY == 0) { 1651 vq->chase_reply->security = sec_status_insecure; 1652 val_mark_insecure(vq->chase_reply, anchor->name, 1653 qstate->env->rrset_cache, qstate->env); 1654 lock_basic_unlock(&anchor->lock); 1655 /* go to finished state to cache this result */ 1656 vq->state = VAL_FINISHED_STATE; 1657 return 1; 1658 } 1659 /* fire off a trust anchor priming query. */ 1660 verbose(VERB_DETAIL, "prime trust anchor"); 1661 if(!prime_trust_anchor(qstate, vq, id, anchor)) { 1662 lock_basic_unlock(&anchor->lock); 1663 return val_error(qstate, id); 1664 } 1665 lock_basic_unlock(&anchor->lock); 1666 /* and otherwise, don't continue processing this event. 1667 * (it will be reactivated when the priming query returns). */ 1668 vq->state = VAL_FINDKEY_STATE; 1669 return 0; 1670 } 1671 if(anchor) { 1672 lock_basic_unlock(&anchor->lock); 1673 } 1674 1675 if(key_entry_isnull(vq->key_entry)) { 1676 /* response is under a null key, so we cannot validate 1677 * However, we do set the status to INSECURE, since it is 1678 * essentially proven insecure. */ 1679 vq->chase_reply->security = sec_status_insecure; 1680 val_mark_insecure(vq->chase_reply, vq->key_entry->name, 1681 qstate->env->rrset_cache, qstate->env); 1682 /* go to finished state to cache this result */ 1683 vq->state = VAL_FINISHED_STATE; 1684 return 1; 1685 } else if(key_entry_isbad(vq->key_entry)) { 1686 /* Bad keys should have the relevant EDE code and text */ 1687 sldns_ede_code ede = key_entry_get_reason_bogus(vq->key_entry); 1688 /* key is bad, chain is bad, reply is bogus */ 1689 errinf_dname(qstate, "key for validation", vq->key_entry->name); 1690 errinf_ede(qstate, "is marked as invalid", ede); 1691 errinf(qstate, "because of a previous"); 1692 errinf(qstate, key_entry_get_reason(vq->key_entry)); 1693 1694 /* no retries, stop bothering the authority until timeout */ 1695 vq->restart_count = ve->max_restart; 1696 vq->chase_reply->security = sec_status_bogus; 1697 update_reason_bogus(vq->chase_reply, ede); 1698 vq->state = VAL_FINISHED_STATE; 1699 return 1; 1700 } 1701 1702 /* otherwise, we have our "closest" cached key -- continue 1703 * processing in the next state. */ 1704 vq->state = VAL_FINDKEY_STATE; 1705 return 1; 1706 } 1707 1708 /** 1709 * Process the FINDKEY state. Generally this just calculates the next name 1710 * to query and either issues a DS or a DNSKEY query. It will check to see 1711 * if the correct key has already been reached, in which case it will 1712 * advance the event to the next state. 1713 * 1714 * @param qstate: query state. 1715 * @param vq: validator query state. 1716 * @param id: module id. 1717 * @return true if the event should be processed further on return, false if 1718 * not. 1719 */ 1720 static int 1721 processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id) 1722 { 1723 uint8_t* target_key_name, *current_key_name; 1724 size_t target_key_len; 1725 int strip_lab; 1726 struct module_qstate* newq = NULL; 1727 1728 log_query_info(VERB_ALGO, "validator: FindKey", &vq->qchase); 1729 /* We know that state.key_entry is not 0 or bad key -- if it were, 1730 * then previous processing should have directed this event to 1731 * a different state. 1732 * It could be an isnull key, which signals the DNSKEY failed 1733 * with retry and has to be looked up again. */ 1734 log_assert(vq->key_entry && !key_entry_isbad(vq->key_entry)); 1735 if(key_entry_isnull(vq->key_entry)) { 1736 if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 1737 vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY, 1738 vq->qchase.qclass, BIT_CD, &newq, 0)) { 1739 verbose(VERB_ALGO, "error generating DNSKEY request"); 1740 return val_error(qstate, id); 1741 } 1742 return 0; 1743 } 1744 1745 target_key_name = vq->signer_name; 1746 target_key_len = vq->signer_len; 1747 if(!target_key_name) { 1748 target_key_name = vq->qchase.qname; 1749 target_key_len = vq->qchase.qname_len; 1750 } 1751 1752 current_key_name = vq->key_entry->name; 1753 1754 /* If our current key entry matches our target, then we are done. */ 1755 if(query_dname_compare(target_key_name, current_key_name) == 0) { 1756 vq->state = VAL_VALIDATE_STATE; 1757 return 1; 1758 } 1759 1760 if(vq->empty_DS_name) { 1761 /* if the last empty nonterminal/emptyDS name we detected is 1762 * below the current key, use that name to make progress 1763 * along the chain of trust */ 1764 if(query_dname_compare(target_key_name, 1765 vq->empty_DS_name) == 0) { 1766 /* do not query for empty_DS_name again */ 1767 verbose(VERB_ALGO, "Cannot retrieve DS for signature"); 1768 errinf_ede(qstate, "no signatures", LDNS_EDE_RRSIGS_MISSING); 1769 errinf_origin(qstate, qstate->reply_origin); 1770 vq->chase_reply->security = sec_status_bogus; 1771 update_reason_bogus(vq->chase_reply, LDNS_EDE_RRSIGS_MISSING); 1772 vq->state = VAL_FINISHED_STATE; 1773 return 1; 1774 } 1775 current_key_name = vq->empty_DS_name; 1776 } 1777 1778 log_nametypeclass(VERB_ALGO, "current keyname", current_key_name, 1779 LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN); 1780 log_nametypeclass(VERB_ALGO, "target keyname", target_key_name, 1781 LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN); 1782 /* assert we are walking down the DNS tree */ 1783 if(!dname_subdomain_c(target_key_name, current_key_name)) { 1784 verbose(VERB_ALGO, "bad signer name"); 1785 vq->chase_reply->security = sec_status_bogus; 1786 vq->state = VAL_FINISHED_STATE; 1787 return 1; 1788 } 1789 /* so this value is >= -1 */ 1790 strip_lab = dname_count_labels(target_key_name) - 1791 dname_count_labels(current_key_name) - 1; 1792 log_assert(strip_lab >= -1); 1793 verbose(VERB_ALGO, "striplab %d", strip_lab); 1794 if(strip_lab > 0) { 1795 dname_remove_labels(&target_key_name, &target_key_len, 1796 strip_lab); 1797 } 1798 log_nametypeclass(VERB_ALGO, "next keyname", target_key_name, 1799 LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN); 1800 1801 /* The next step is either to query for the next DS, or to query 1802 * for the next DNSKEY. */ 1803 if(vq->ds_rrset) 1804 log_nametypeclass(VERB_ALGO, "DS RRset", vq->ds_rrset->rk.dname, LDNS_RR_TYPE_DS, LDNS_RR_CLASS_IN); 1805 else verbose(VERB_ALGO, "No DS RRset"); 1806 1807 if(vq->ds_rrset && query_dname_compare(vq->ds_rrset->rk.dname, 1808 vq->key_entry->name) != 0) { 1809 if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 1810 vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY, 1811 vq->qchase.qclass, BIT_CD, &newq, 0)) { 1812 verbose(VERB_ALGO, "error generating DNSKEY request"); 1813 return val_error(qstate, id); 1814 } 1815 return 0; 1816 } 1817 1818 if(!vq->ds_rrset || query_dname_compare(vq->ds_rrset->rk.dname, 1819 target_key_name) != 0) { 1820 /* check if there is a cache entry : pick up an NSEC if 1821 * there is no DS, check if that NSEC has DS-bit unset, and 1822 * thus can disprove the secure delegation we seek. 1823 * We can then use that NSEC even in the absence of a SOA 1824 * record that would be required by the iterator to supply 1825 * a completely protocol-correct response. 1826 * Uses negative cache for NSEC3 lookup of DS responses. */ 1827 /* only if cache not blacklisted, of course */ 1828 struct dns_msg* msg; 1829 if(!qstate->blacklist && !vq->chain_blacklist && 1830 (msg=val_find_DS(qstate->env, target_key_name, 1831 target_key_len, vq->qchase.qclass, qstate->region, 1832 vq->key_entry->name)) ) { 1833 verbose(VERB_ALGO, "Process cached DS response"); 1834 process_ds_response(qstate, vq, id, LDNS_RCODE_NOERROR, 1835 msg, &msg->qinfo, NULL); 1836 return 1; /* continue processing ds-response results */ 1837 } 1838 if(!generate_request(qstate, id, target_key_name, 1839 target_key_len, LDNS_RR_TYPE_DS, vq->qchase.qclass, 1840 BIT_CD, &newq, 0)) { 1841 verbose(VERB_ALGO, "error generating DS request"); 1842 return val_error(qstate, id); 1843 } 1844 return 0; 1845 } 1846 1847 /* Otherwise, it is time to query for the DNSKEY */ 1848 if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 1849 vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY, 1850 vq->qchase.qclass, BIT_CD, &newq, 0)) { 1851 verbose(VERB_ALGO, "error generating DNSKEY request"); 1852 return val_error(qstate, id); 1853 } 1854 1855 return 0; 1856 } 1857 1858 /** 1859 * Process the VALIDATE stage, the init and findkey stages are finished, 1860 * and the right keys are available to validate the response. 1861 * Or, there are no keys available, in order to invalidate the response. 1862 * 1863 * After validation, the status is recorded in the message and rrsets, 1864 * and finished state is started. 1865 * 1866 * @param qstate: query state. 1867 * @param vq: validator query state. 1868 * @param ve: validator shared global environment. 1869 * @param id: module id. 1870 * @return true if the event should be processed further on return, false if 1871 * not. 1872 */ 1873 static int 1874 processValidate(struct module_qstate* qstate, struct val_qstate* vq, 1875 struct val_env* ve, int id) 1876 { 1877 enum val_classification subtype; 1878 int rcode; 1879 1880 if(!vq->key_entry) { 1881 verbose(VERB_ALGO, "validate: no key entry, failed"); 1882 return val_error(qstate, id); 1883 } 1884 1885 /* This is the default next state. */ 1886 vq->state = VAL_FINISHED_STATE; 1887 1888 /* Unsigned responses must be underneath a "null" key entry.*/ 1889 if(key_entry_isnull(vq->key_entry)) { 1890 verbose(VERB_DETAIL, "Verified that %sresponse is INSECURE", 1891 vq->signer_name?"":"unsigned "); 1892 vq->chase_reply->security = sec_status_insecure; 1893 val_mark_insecure(vq->chase_reply, vq->key_entry->name, 1894 qstate->env->rrset_cache, qstate->env); 1895 key_cache_insert(ve->kcache, vq->key_entry, 1896 qstate->env->cfg->val_log_level >= 2); 1897 return 1; 1898 } 1899 1900 if(key_entry_isbad(vq->key_entry)) { 1901 log_nametypeclass(VERB_DETAIL, "Could not establish a chain " 1902 "of trust to keys for", vq->key_entry->name, 1903 LDNS_RR_TYPE_DNSKEY, vq->key_entry->key_class); 1904 vq->chase_reply->security = sec_status_bogus; 1905 update_reason_bogus(vq->chase_reply, 1906 key_entry_get_reason_bogus(vq->key_entry)); 1907 errinf_ede(qstate, "while building chain of trust", 1908 key_entry_get_reason_bogus(vq->key_entry)); 1909 if(vq->restart_count >= ve->max_restart) 1910 key_cache_insert(ve->kcache, vq->key_entry, 1911 qstate->env->cfg->val_log_level >= 2); 1912 return 1; 1913 } 1914 1915 /* signerName being null is the indicator that this response was 1916 * unsigned */ 1917 if(vq->signer_name == NULL) { 1918 log_query_info(VERB_ALGO, "processValidate: state has no " 1919 "signer name", &vq->qchase); 1920 verbose(VERB_DETAIL, "Could not establish validation of " 1921 "INSECURE status of unsigned response."); 1922 errinf_ede(qstate, "no signatures", LDNS_EDE_RRSIGS_MISSING); 1923 errinf_origin(qstate, qstate->reply_origin); 1924 vq->chase_reply->security = sec_status_bogus; 1925 update_reason_bogus(vq->chase_reply, LDNS_EDE_RRSIGS_MISSING); 1926 return 1; 1927 } 1928 subtype = val_classify_response(qstate->query_flags, &qstate->qinfo, 1929 &vq->qchase, vq->orig_msg->rep, vq->rrset_skip); 1930 if(subtype != VAL_CLASS_REFERRAL) 1931 remove_spurious_authority(vq->chase_reply, vq->orig_msg->rep); 1932 1933 /* check signatures in the message; 1934 * answer and authority must be valid, additional is only checked. */ 1935 if(!validate_msg_signatures(qstate, qstate->env, ve, &vq->qchase, 1936 vq->chase_reply, vq->key_entry)) { 1937 /* workaround bad recursor out there that truncates (even 1938 * with EDNS4k) to 512 by removing RRSIG from auth section 1939 * for positive replies*/ 1940 if((subtype == VAL_CLASS_POSITIVE || subtype == VAL_CLASS_ANY 1941 || subtype == VAL_CLASS_CNAME) && 1942 detect_wrongly_truncated(vq->orig_msg->rep)) { 1943 /* truncate the message some more */ 1944 vq->orig_msg->rep->ns_numrrsets = 0; 1945 vq->orig_msg->rep->ar_numrrsets = 0; 1946 vq->orig_msg->rep->rrset_count = 1947 vq->orig_msg->rep->an_numrrsets; 1948 vq->chase_reply->ns_numrrsets = 0; 1949 vq->chase_reply->ar_numrrsets = 0; 1950 vq->chase_reply->rrset_count = 1951 vq->chase_reply->an_numrrsets; 1952 qstate->errinf = NULL; 1953 } 1954 else { 1955 verbose(VERB_DETAIL, "Validate: message contains " 1956 "bad rrsets"); 1957 return 1; 1958 } 1959 } 1960 1961 switch(subtype) { 1962 case VAL_CLASS_POSITIVE: 1963 verbose(VERB_ALGO, "Validating a positive response"); 1964 validate_positive_response(qstate->env, ve, 1965 &vq->qchase, vq->chase_reply, vq->key_entry); 1966 verbose(VERB_DETAIL, "validate(positive): %s", 1967 sec_status_to_string( 1968 vq->chase_reply->security)); 1969 break; 1970 1971 case VAL_CLASS_NODATA: 1972 verbose(VERB_ALGO, "Validating a nodata response"); 1973 validate_nodata_response(qstate->env, ve, 1974 &vq->qchase, vq->chase_reply, vq->key_entry); 1975 verbose(VERB_DETAIL, "validate(nodata): %s", 1976 sec_status_to_string( 1977 vq->chase_reply->security)); 1978 break; 1979 1980 case VAL_CLASS_NAMEERROR: 1981 rcode = (int)FLAGS_GET_RCODE(vq->orig_msg->rep->flags); 1982 verbose(VERB_ALGO, "Validating a nxdomain response"); 1983 validate_nameerror_response(qstate->env, ve, 1984 &vq->qchase, vq->chase_reply, vq->key_entry, &rcode); 1985 verbose(VERB_DETAIL, "validate(nxdomain): %s", 1986 sec_status_to_string( 1987 vq->chase_reply->security)); 1988 FLAGS_SET_RCODE(vq->orig_msg->rep->flags, rcode); 1989 FLAGS_SET_RCODE(vq->chase_reply->flags, rcode); 1990 break; 1991 1992 case VAL_CLASS_CNAME: 1993 verbose(VERB_ALGO, "Validating a cname response"); 1994 validate_cname_response(qstate->env, ve, 1995 &vq->qchase, vq->chase_reply, vq->key_entry); 1996 verbose(VERB_DETAIL, "validate(cname): %s", 1997 sec_status_to_string( 1998 vq->chase_reply->security)); 1999 break; 2000 2001 case VAL_CLASS_CNAMENOANSWER: 2002 verbose(VERB_ALGO, "Validating a cname noanswer " 2003 "response"); 2004 validate_cname_noanswer_response(qstate->env, ve, 2005 &vq->qchase, vq->chase_reply, vq->key_entry); 2006 verbose(VERB_DETAIL, "validate(cname_noanswer): %s", 2007 sec_status_to_string( 2008 vq->chase_reply->security)); 2009 break; 2010 2011 case VAL_CLASS_REFERRAL: 2012 verbose(VERB_ALGO, "Validating a referral response"); 2013 validate_referral_response(vq->chase_reply); 2014 verbose(VERB_DETAIL, "validate(referral): %s", 2015 sec_status_to_string( 2016 vq->chase_reply->security)); 2017 break; 2018 2019 case VAL_CLASS_ANY: 2020 verbose(VERB_ALGO, "Validating a positive ANY " 2021 "response"); 2022 validate_any_response(qstate->env, ve, &vq->qchase, 2023 vq->chase_reply, vq->key_entry); 2024 verbose(VERB_DETAIL, "validate(positive_any): %s", 2025 sec_status_to_string( 2026 vq->chase_reply->security)); 2027 break; 2028 2029 default: 2030 log_err("validate: unhandled response subtype: %d", 2031 subtype); 2032 } 2033 if(vq->chase_reply->security == sec_status_bogus) { 2034 if(subtype == VAL_CLASS_POSITIVE) 2035 errinf(qstate, "wildcard"); 2036 else errinf(qstate, val_classification_to_string(subtype)); 2037 errinf(qstate, "proof failed"); 2038 errinf_origin(qstate, qstate->reply_origin); 2039 } 2040 2041 return 1; 2042 } 2043 2044 /** 2045 * The Finished state. The validation status (good or bad) has been determined. 2046 * 2047 * @param qstate: query state. 2048 * @param vq: validator query state. 2049 * @param ve: validator shared global environment. 2050 * @param id: module id. 2051 * @return true if the event should be processed further on return, false if 2052 * not. 2053 */ 2054 static int 2055 processFinished(struct module_qstate* qstate, struct val_qstate* vq, 2056 struct val_env* ve, int id) 2057 { 2058 enum val_classification subtype = val_classify_response( 2059 qstate->query_flags, &qstate->qinfo, &vq->qchase, 2060 vq->orig_msg->rep, vq->rrset_skip); 2061 2062 /* store overall validation result in orig_msg */ 2063 if(vq->rrset_skip == 0) { 2064 vq->orig_msg->rep->security = vq->chase_reply->security; 2065 update_reason_bogus(vq->orig_msg->rep, vq->chase_reply->reason_bogus); 2066 } else if(subtype != VAL_CLASS_REFERRAL || 2067 vq->rrset_skip < vq->orig_msg->rep->an_numrrsets + 2068 vq->orig_msg->rep->ns_numrrsets) { 2069 /* ignore sec status of additional section if a referral 2070 * type message skips there and 2071 * use the lowest security status as end result. */ 2072 if(vq->chase_reply->security < vq->orig_msg->rep->security) { 2073 vq->orig_msg->rep->security = 2074 vq->chase_reply->security; 2075 update_reason_bogus(vq->orig_msg->rep, vq->chase_reply->reason_bogus); 2076 } 2077 } 2078 2079 if(subtype == VAL_CLASS_REFERRAL) { 2080 /* for a referral, move to next unchecked rrset and check it*/ 2081 vq->rrset_skip = val_next_unchecked(vq->orig_msg->rep, 2082 vq->rrset_skip); 2083 if(vq->rrset_skip < vq->orig_msg->rep->rrset_count) { 2084 /* and restart for this rrset */ 2085 verbose(VERB_ALGO, "validator: go to next rrset"); 2086 vq->chase_reply->security = sec_status_unchecked; 2087 vq->state = VAL_INIT_STATE; 2088 return 1; 2089 } 2090 /* referral chase is done */ 2091 } 2092 if(vq->chase_reply->security != sec_status_bogus && 2093 subtype == VAL_CLASS_CNAME) { 2094 /* chase the CNAME; process next part of the message */ 2095 if(!val_chase_cname(&vq->qchase, vq->orig_msg->rep, 2096 &vq->rrset_skip)) { 2097 verbose(VERB_ALGO, "validator: failed to chase CNAME"); 2098 vq->orig_msg->rep->security = sec_status_bogus; 2099 update_reason_bogus(vq->orig_msg->rep, LDNS_EDE_DNSSEC_BOGUS); 2100 } else { 2101 /* restart process for new qchase at rrset_skip */ 2102 log_query_info(VERB_ALGO, "validator: chased to", 2103 &vq->qchase); 2104 vq->chase_reply->security = sec_status_unchecked; 2105 vq->state = VAL_INIT_STATE; 2106 return 1; 2107 } 2108 } 2109 2110 if(vq->orig_msg->rep->security == sec_status_secure) { 2111 /* If the message is secure, check that all rrsets are 2112 * secure (i.e. some inserted RRset for CNAME chain with 2113 * a different signer name). And drop additional rrsets 2114 * that are not secure (if clean-additional option is set) */ 2115 /* this may cause the msg to be marked bogus */ 2116 val_check_nonsecure(qstate->env, vq->orig_msg->rep); 2117 if(vq->orig_msg->rep->security == sec_status_secure) { 2118 log_query_info(VERB_DETAIL, "validation success", 2119 &qstate->qinfo); 2120 if(!qstate->no_cache_store) { 2121 val_neg_addreply(qstate->env->neg_cache, 2122 vq->orig_msg->rep); 2123 } 2124 } 2125 } 2126 2127 /* if the result is bogus - set message ttl to bogus ttl to avoid 2128 * endless bogus revalidation */ 2129 if(vq->orig_msg->rep->security == sec_status_bogus) { 2130 /* see if we can try again to fetch data */ 2131 if(vq->restart_count < ve->max_restart) { 2132 int restart_count = vq->restart_count+1; 2133 verbose(VERB_ALGO, "validation failed, " 2134 "blacklist and retry to fetch data"); 2135 val_blacklist(&qstate->blacklist, qstate->region, 2136 qstate->reply_origin, 0); 2137 qstate->reply_origin = NULL; 2138 qstate->errinf = NULL; 2139 memset(vq, 0, sizeof(*vq)); 2140 vq->restart_count = restart_count; 2141 vq->state = VAL_INIT_STATE; 2142 verbose(VERB_ALGO, "pass back to next module"); 2143 qstate->ext_state[id] = module_restart_next; 2144 return 0; 2145 } 2146 2147 vq->orig_msg->rep->ttl = ve->bogus_ttl; 2148 vq->orig_msg->rep->prefetch_ttl = 2149 PREFETCH_TTL_CALC(vq->orig_msg->rep->ttl); 2150 vq->orig_msg->rep->serve_expired_ttl = 2151 vq->orig_msg->rep->ttl + qstate->env->cfg->serve_expired_ttl; 2152 if((qstate->env->cfg->val_log_level >= 1 || 2153 qstate->env->cfg->log_servfail) && 2154 !qstate->env->cfg->val_log_squelch) { 2155 if(qstate->env->cfg->val_log_level < 2 && 2156 !qstate->env->cfg->log_servfail) 2157 log_query_info(NO_VERBOSE, "validation failure", 2158 &qstate->qinfo); 2159 else { 2160 char* err_str = errinf_to_str_bogus(qstate); 2161 if(err_str) { 2162 size_t err_str_len = strlen(err_str); 2163 log_info("%s", err_str); 2164 /* allocate space and store the error 2165 * string */ 2166 vq->orig_msg->rep->reason_bogus_str = regional_alloc( 2167 qstate->region, 2168 sizeof(char) * (err_str_len+1)); 2169 memcpy(vq->orig_msg->rep->reason_bogus_str, 2170 err_str, err_str_len+1); 2171 } 2172 free(err_str); 2173 } 2174 } 2175 /* 2176 * If set, the validator will not make messages bogus, instead 2177 * indeterminate is issued, so that no clients receive SERVFAIL. 2178 * This allows an operator to run validation 'shadow' without 2179 * hurting responses to clients. 2180 */ 2181 /* If we are in permissive mode, bogus gets indeterminate */ 2182 if(qstate->env->cfg->val_permissive_mode) 2183 vq->orig_msg->rep->security = sec_status_indeterminate; 2184 } 2185 2186 if(vq->orig_msg->rep->security == sec_status_secure && 2187 qstate->env->cfg->root_key_sentinel && 2188 (qstate->qinfo.qtype == LDNS_RR_TYPE_A || 2189 qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA)) { 2190 char* keytag_start; 2191 uint16_t keytag; 2192 if(*qstate->qinfo.qname == strlen(SENTINEL_IS) + 2193 SENTINEL_KEYTAG_LEN && 2194 dname_lab_startswith(qstate->qinfo.qname, SENTINEL_IS, 2195 &keytag_start)) { 2196 if(sentinel_get_keytag(keytag_start, &keytag) && 2197 !anchor_has_keytag(qstate->env->anchors, 2198 (uint8_t*)"", 1, 0, vq->qchase.qclass, keytag)) { 2199 vq->orig_msg->rep->security = 2200 sec_status_secure_sentinel_fail; 2201 } 2202 } else if(*qstate->qinfo.qname == strlen(SENTINEL_NOT) + 2203 SENTINEL_KEYTAG_LEN && 2204 dname_lab_startswith(qstate->qinfo.qname, SENTINEL_NOT, 2205 &keytag_start)) { 2206 if(sentinel_get_keytag(keytag_start, &keytag) && 2207 anchor_has_keytag(qstate->env->anchors, 2208 (uint8_t*)"", 1, 0, vq->qchase.qclass, keytag)) { 2209 vq->orig_msg->rep->security = 2210 sec_status_secure_sentinel_fail; 2211 } 2212 } 2213 } 2214 2215 /* Update rep->reason_bogus as it is the one being cached */ 2216 update_reason_bogus(vq->orig_msg->rep, errinf_to_reason_bogus(qstate)); 2217 /* store results in cache */ 2218 if(qstate->query_flags&BIT_RD) { 2219 /* if secure, this will override cache anyway, no need 2220 * to check if from parentNS */ 2221 if(!qstate->no_cache_store) { 2222 if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo, 2223 vq->orig_msg->rep, 0, qstate->prefetch_leeway, 0, NULL, 2224 qstate->query_flags, qstate->qstarttime)) { 2225 log_err("out of memory caching validator results"); 2226 } 2227 } 2228 } else { 2229 /* for a referral, store the verified RRsets */ 2230 /* and this does not get prefetched, so no leeway */ 2231 if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo, 2232 vq->orig_msg->rep, 1, 0, 0, NULL, 2233 qstate->query_flags, qstate->qstarttime)) { 2234 log_err("out of memory caching validator results"); 2235 } 2236 } 2237 qstate->return_rcode = LDNS_RCODE_NOERROR; 2238 qstate->return_msg = vq->orig_msg; 2239 qstate->ext_state[id] = module_finished; 2240 return 0; 2241 } 2242 2243 /** 2244 * Handle validator state. 2245 * If a method returns true, the next state is started. If false, then 2246 * processing will stop. 2247 * @param qstate: query state. 2248 * @param vq: validator query state. 2249 * @param ve: validator shared global environment. 2250 * @param id: module id. 2251 */ 2252 static void 2253 val_handle(struct module_qstate* qstate, struct val_qstate* vq, 2254 struct val_env* ve, int id) 2255 { 2256 int cont = 1; 2257 while(cont) { 2258 verbose(VERB_ALGO, "val handle processing q with state %s", 2259 val_state_to_string(vq->state)); 2260 switch(vq->state) { 2261 case VAL_INIT_STATE: 2262 cont = processInit(qstate, vq, ve, id); 2263 break; 2264 case VAL_FINDKEY_STATE: 2265 cont = processFindKey(qstate, vq, id); 2266 break; 2267 case VAL_VALIDATE_STATE: 2268 cont = processValidate(qstate, vq, ve, id); 2269 break; 2270 case VAL_FINISHED_STATE: 2271 cont = processFinished(qstate, vq, ve, id); 2272 break; 2273 default: 2274 log_warn("validator: invalid state %d", 2275 vq->state); 2276 cont = 0; 2277 break; 2278 } 2279 } 2280 } 2281 2282 void 2283 val_operate(struct module_qstate* qstate, enum module_ev event, int id, 2284 struct outbound_entry* outbound) 2285 { 2286 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id]; 2287 struct val_qstate* vq = (struct val_qstate*)qstate->minfo[id]; 2288 verbose(VERB_QUERY, "validator[module %d] operate: extstate:%s " 2289 "event:%s", id, strextstate(qstate->ext_state[id]), 2290 strmodulevent(event)); 2291 log_query_info(VERB_QUERY, "validator operate: query", 2292 &qstate->qinfo); 2293 if(vq && qstate->qinfo.qname != vq->qchase.qname) 2294 log_query_info(VERB_QUERY, "validator operate: chased to", 2295 &vq->qchase); 2296 (void)outbound; 2297 if(event == module_event_new || 2298 (event == module_event_pass && vq == NULL)) { 2299 2300 /* pass request to next module, to get it */ 2301 verbose(VERB_ALGO, "validator: pass to next module"); 2302 qstate->ext_state[id] = module_wait_module; 2303 return; 2304 } 2305 if(event == module_event_moddone) { 2306 /* check if validation is needed */ 2307 verbose(VERB_ALGO, "validator: nextmodule returned"); 2308 2309 if(!needs_validation(qstate, qstate->return_rcode, 2310 qstate->return_msg)) { 2311 /* no need to validate this */ 2312 if(qstate->return_msg) 2313 qstate->return_msg->rep->security = 2314 sec_status_indeterminate; 2315 qstate->ext_state[id] = module_finished; 2316 return; 2317 } 2318 if(already_validated(qstate->return_msg)) { 2319 qstate->ext_state[id] = module_finished; 2320 return; 2321 } 2322 /* qclass ANY should have validation result from spawned 2323 * queries. If we get here, it is bogus or an internal error */ 2324 if(qstate->qinfo.qclass == LDNS_RR_CLASS_ANY) { 2325 verbose(VERB_ALGO, "cannot validate classANY: bogus"); 2326 if(qstate->return_msg) { 2327 qstate->return_msg->rep->security = 2328 sec_status_bogus; 2329 update_reason_bogus(qstate->return_msg->rep, LDNS_EDE_DNSSEC_BOGUS); 2330 } 2331 qstate->ext_state[id] = module_finished; 2332 return; 2333 } 2334 /* create state to start validation */ 2335 qstate->ext_state[id] = module_error; /* override this */ 2336 if(!vq) { 2337 vq = val_new(qstate, id); 2338 if(!vq) { 2339 log_err("validator: malloc failure"); 2340 qstate->ext_state[id] = module_error; 2341 return; 2342 } 2343 } else if(!vq->orig_msg) { 2344 if(!val_new_getmsg(qstate, vq)) { 2345 log_err("validator: malloc failure"); 2346 qstate->ext_state[id] = module_error; 2347 return; 2348 } 2349 } 2350 val_handle(qstate, vq, ve, id); 2351 return; 2352 } 2353 if(event == module_event_pass) { 2354 qstate->ext_state[id] = module_error; /* override this */ 2355 /* continue processing, since val_env exists */ 2356 val_handle(qstate, vq, ve, id); 2357 return; 2358 } 2359 log_err("validator: bad event %s", strmodulevent(event)); 2360 qstate->ext_state[id] = module_error; 2361 return; 2362 } 2363 2364 /** 2365 * Evaluate the response to a priming request. 2366 * 2367 * @param dnskey_rrset: DNSKEY rrset (can be NULL if none) in prime reply. 2368 * (this rrset is allocated in the wrong region, not the qstate). 2369 * @param ta: trust anchor. 2370 * @param qstate: qstate that needs key. 2371 * @param id: module id. 2372 * @return new key entry or NULL on allocation failure. 2373 * The key entry will either contain a validated DNSKEY rrset, or 2374 * represent a Null key (query failed, but validation did not), or a 2375 * Bad key (validation failed). 2376 */ 2377 static struct key_entry_key* 2378 primeResponseToKE(struct ub_packed_rrset_key* dnskey_rrset, 2379 struct trust_anchor* ta, struct module_qstate* qstate, int id) 2380 { 2381 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id]; 2382 struct key_entry_key* kkey = NULL; 2383 enum sec_status sec = sec_status_unchecked; 2384 char* reason = NULL; 2385 sldns_ede_code reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 2386 int downprot = qstate->env->cfg->harden_algo_downgrade; 2387 2388 if(!dnskey_rrset) { 2389 log_nametypeclass(VERB_OPS, "failed to prime trust anchor -- " 2390 "could not fetch DNSKEY rrset", 2391 ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass); 2392 reason_bogus = LDNS_EDE_DNSKEY_MISSING; 2393 reason = "no DNSKEY rrset"; 2394 if(qstate->env->cfg->harden_dnssec_stripped) { 2395 errinf_ede(qstate, reason, reason_bogus); 2396 kkey = key_entry_create_bad(qstate->region, ta->name, 2397 ta->namelen, ta->dclass, BOGUS_KEY_TTL, 2398 reason_bogus, reason, 2399 *qstate->env->now); 2400 } else kkey = key_entry_create_null(qstate->region, ta->name, 2401 ta->namelen, ta->dclass, NULL_KEY_TTL, 2402 reason_bogus, reason, 2403 *qstate->env->now); 2404 if(!kkey) { 2405 log_err("out of memory: allocate fail prime key"); 2406 return NULL; 2407 } 2408 return kkey; 2409 } 2410 /* attempt to verify with trust anchor DS and DNSKEY */ 2411 kkey = val_verify_new_DNSKEYs_with_ta(qstate->region, qstate->env, ve, 2412 dnskey_rrset, ta->ds_rrset, ta->dnskey_rrset, downprot, 2413 &reason, &reason_bogus, qstate); 2414 if(!kkey) { 2415 log_err("out of memory: verifying prime TA"); 2416 return NULL; 2417 } 2418 if(key_entry_isgood(kkey)) 2419 sec = sec_status_secure; 2420 else 2421 sec = sec_status_bogus; 2422 verbose(VERB_DETAIL, "validate keys with anchor(DS): %s", 2423 sec_status_to_string(sec)); 2424 2425 if(sec != sec_status_secure) { 2426 log_nametypeclass(VERB_OPS, "failed to prime trust anchor -- " 2427 "DNSKEY rrset is not secure", 2428 ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass); 2429 /* NOTE: in this case, we should probably reject the trust 2430 * anchor for longer, perhaps forever. */ 2431 if(qstate->env->cfg->harden_dnssec_stripped) { 2432 errinf_ede(qstate, reason, reason_bogus); 2433 kkey = key_entry_create_bad(qstate->region, ta->name, 2434 ta->namelen, ta->dclass, BOGUS_KEY_TTL, 2435 reason_bogus, reason, 2436 *qstate->env->now); 2437 } else kkey = key_entry_create_null(qstate->region, ta->name, 2438 ta->namelen, ta->dclass, NULL_KEY_TTL, 2439 reason_bogus, reason, 2440 *qstate->env->now); 2441 if(!kkey) { 2442 log_err("out of memory: allocate null prime key"); 2443 return NULL; 2444 } 2445 return kkey; 2446 } 2447 2448 log_nametypeclass(VERB_DETAIL, "Successfully primed trust anchor", 2449 ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass); 2450 return kkey; 2451 } 2452 2453 /** 2454 * In inform supers, with the resulting message and rcode and the current 2455 * keyset in the super state, validate the DS response, returning a KeyEntry. 2456 * 2457 * @param qstate: query state that is validating and asked for a DS. 2458 * @param vq: validator query state 2459 * @param id: module id. 2460 * @param rcode: rcode result value. 2461 * @param msg: result message (if rcode is OK). 2462 * @param qinfo: from the sub query state, query info. 2463 * @param ke: the key entry to return. It returns 2464 * is_bad if the DS response fails to validate, is_null if the 2465 * DS response indicated an end to secure space, is_good if the DS 2466 * validated. It returns ke=NULL if the DS response indicated that the 2467 * request wasn't a delegation point. 2468 * @return 0 on servfail error (malloc failure). 2469 */ 2470 static int 2471 ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq, 2472 int id, int rcode, struct dns_msg* msg, struct query_info* qinfo, 2473 struct key_entry_key** ke) 2474 { 2475 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id]; 2476 char* reason = NULL; 2477 sldns_ede_code reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 2478 enum val_classification subtype; 2479 if(rcode != LDNS_RCODE_NOERROR) { 2480 char rc[16]; 2481 rc[0]=0; 2482 (void)sldns_wire2str_rcode_buf(rcode, rc, sizeof(rc)); 2483 /* errors here pretty much break validation */ 2484 verbose(VERB_DETAIL, "DS response was error, thus bogus"); 2485 errinf(qstate, rc); 2486 reason = "no DS"; 2487 reason_bogus = LDNS_EDE_NETWORK_ERROR; 2488 errinf_ede(qstate, reason, reason_bogus); 2489 goto return_bogus; 2490 } 2491 2492 subtype = val_classify_response(BIT_RD, qinfo, qinfo, msg->rep, 0); 2493 if(subtype == VAL_CLASS_POSITIVE) { 2494 struct ub_packed_rrset_key* ds; 2495 enum sec_status sec; 2496 ds = reply_find_answer_rrset(qinfo, msg->rep); 2497 /* If there was no DS rrset, then we have mis-classified 2498 * this message. */ 2499 if(!ds) { 2500 log_warn("internal error: POSITIVE DS response was " 2501 "missing DS."); 2502 reason = "no DS record"; 2503 errinf_ede(qstate, reason, reason_bogus); 2504 goto return_bogus; 2505 } 2506 /* Verify only returns BOGUS or SECURE. If the rrset is 2507 * bogus, then we are done. */ 2508 sec = val_verify_rrset_entry(qstate->env, ve, ds, 2509 vq->key_entry, &reason, &reason_bogus, LDNS_SECTION_ANSWER, qstate); 2510 if(sec != sec_status_secure) { 2511 verbose(VERB_DETAIL, "DS rrset in DS response did " 2512 "not verify"); 2513 errinf_ede(qstate, reason, reason_bogus); 2514 goto return_bogus; 2515 } 2516 2517 /* If the DS rrset validates, we still have to make sure 2518 * that they are usable. */ 2519 if(!val_dsset_isusable(ds)) { 2520 /* If they aren't usable, then we treat it like 2521 * there was no DS. */ 2522 *ke = key_entry_create_null(qstate->region, 2523 qinfo->qname, qinfo->qname_len, qinfo->qclass, 2524 ub_packed_rrset_ttl(ds), 2525 LDNS_EDE_UNSUPPORTED_DS_DIGEST, NULL, 2526 *qstate->env->now); 2527 return (*ke) != NULL; 2528 } 2529 2530 /* Otherwise, we return the positive response. */ 2531 log_query_info(VERB_DETAIL, "validated DS", qinfo); 2532 *ke = key_entry_create_rrset(qstate->region, 2533 qinfo->qname, qinfo->qname_len, qinfo->qclass, ds, 2534 NULL, LDNS_EDE_NONE, NULL, *qstate->env->now); 2535 return (*ke) != NULL; 2536 } else if(subtype == VAL_CLASS_NODATA || 2537 subtype == VAL_CLASS_NAMEERROR) { 2538 /* NODATA means that the qname exists, but that there was 2539 * no DS. This is a pretty normal case. */ 2540 time_t proof_ttl = 0; 2541 enum sec_status sec; 2542 2543 /* make sure there are NSECs or NSEC3s with signatures */ 2544 if(!val_has_signed_nsecs(msg->rep, &reason)) { 2545 verbose(VERB_ALGO, "no NSECs: %s", reason); 2546 reason_bogus = LDNS_EDE_NSEC_MISSING; 2547 errinf_ede(qstate, reason, reason_bogus); 2548 goto return_bogus; 2549 } 2550 2551 /* For subtype Name Error. 2552 * attempt ANS 2.8.1.0 compatibility where it sets rcode 2553 * to nxdomain, but really this is an Nodata/Noerror response. 2554 * Find and prove the empty nonterminal in that case */ 2555 2556 /* Try to prove absence of the DS with NSEC */ 2557 sec = val_nsec_prove_nodata_dsreply( 2558 qstate->env, ve, qinfo, msg->rep, vq->key_entry, 2559 &proof_ttl, &reason, &reason_bogus, qstate); 2560 switch(sec) { 2561 case sec_status_secure: 2562 verbose(VERB_DETAIL, "NSEC RRset for the " 2563 "referral proved no DS."); 2564 *ke = key_entry_create_null(qstate->region, 2565 qinfo->qname, qinfo->qname_len, 2566 qinfo->qclass, proof_ttl, 2567 LDNS_EDE_NONE, NULL, 2568 *qstate->env->now); 2569 return (*ke) != NULL; 2570 case sec_status_insecure: 2571 verbose(VERB_DETAIL, "NSEC RRset for the " 2572 "referral proved not a delegation point"); 2573 *ke = NULL; 2574 return 1; 2575 case sec_status_bogus: 2576 verbose(VERB_DETAIL, "NSEC RRset for the " 2577 "referral did not prove no DS."); 2578 errinf(qstate, reason); 2579 goto return_bogus; 2580 case sec_status_unchecked: 2581 default: 2582 /* NSEC proof did not work, try next */ 2583 break; 2584 } 2585 2586 sec = nsec3_prove_nods(qstate->env, ve, 2587 msg->rep->rrsets + msg->rep->an_numrrsets, 2588 msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason, 2589 &reason_bogus, qstate); 2590 switch(sec) { 2591 case sec_status_insecure: 2592 /* case insecure also continues to unsigned 2593 * space. If nsec3-iter-count too high or 2594 * optout, then treat below as unsigned */ 2595 case sec_status_secure: 2596 verbose(VERB_DETAIL, "NSEC3s for the " 2597 "referral proved no DS."); 2598 *ke = key_entry_create_null(qstate->region, 2599 qinfo->qname, qinfo->qname_len, 2600 qinfo->qclass, proof_ttl, 2601 LDNS_EDE_NONE, NULL, 2602 *qstate->env->now); 2603 return (*ke) != NULL; 2604 case sec_status_indeterminate: 2605 verbose(VERB_DETAIL, "NSEC3s for the " 2606 "referral proved no delegation"); 2607 *ke = NULL; 2608 return 1; 2609 case sec_status_bogus: 2610 verbose(VERB_DETAIL, "NSEC3s for the " 2611 "referral did not prove no DS."); 2612 errinf_ede(qstate, reason, reason_bogus); 2613 goto return_bogus; 2614 case sec_status_unchecked: 2615 default: 2616 /* NSEC3 proof did not work */ 2617 break; 2618 } 2619 2620 /* Apparently, no available NSEC/NSEC3 proved NODATA, so 2621 * this is BOGUS. */ 2622 verbose(VERB_DETAIL, "DS %s ran out of options, so return " 2623 "bogus", val_classification_to_string(subtype)); 2624 reason = "no DS but also no proof of that"; 2625 errinf_ede(qstate, reason, reason_bogus); 2626 goto return_bogus; 2627 } else if(subtype == VAL_CLASS_CNAME || 2628 subtype == VAL_CLASS_CNAMENOANSWER) { 2629 /* if the CNAME matches the exact name we want and is signed 2630 * properly, then also, we are sure that no DS exists there, 2631 * much like a NODATA proof */ 2632 enum sec_status sec; 2633 struct ub_packed_rrset_key* cname; 2634 cname = reply_find_rrset_section_an(msg->rep, qinfo->qname, 2635 qinfo->qname_len, LDNS_RR_TYPE_CNAME, qinfo->qclass); 2636 if(!cname) { 2637 reason = "validator classified CNAME but no " 2638 "CNAME of the queried name for DS"; 2639 errinf_ede(qstate, reason, reason_bogus); 2640 goto return_bogus; 2641 } 2642 if(((struct packed_rrset_data*)cname->entry.data)->rrsig_count 2643 == 0) { 2644 if(msg->rep->an_numrrsets != 0 && ntohs(msg->rep-> 2645 rrsets[0]->rk.type)==LDNS_RR_TYPE_DNAME) { 2646 reason = "DS got DNAME answer"; 2647 } else { 2648 reason = "DS got unsigned CNAME answer"; 2649 } 2650 errinf_ede(qstate, reason, reason_bogus); 2651 goto return_bogus; 2652 } 2653 sec = val_verify_rrset_entry(qstate->env, ve, cname, 2654 vq->key_entry, &reason, &reason_bogus, 2655 LDNS_SECTION_ANSWER, qstate); 2656 if(sec == sec_status_secure) { 2657 verbose(VERB_ALGO, "CNAME validated, " 2658 "proof that DS does not exist"); 2659 /* and that it is not a referral point */ 2660 *ke = NULL; 2661 return 1; 2662 } 2663 errinf(qstate, "CNAME in DS response was not secure."); 2664 errinf_ede(qstate, reason, reason_bogus); 2665 goto return_bogus; 2666 } else { 2667 verbose(VERB_QUERY, "Encountered an unhandled type of " 2668 "DS response, thus bogus."); 2669 errinf(qstate, "no DS and"); 2670 reason = "no DS"; 2671 if(FLAGS_GET_RCODE(msg->rep->flags) != LDNS_RCODE_NOERROR) { 2672 char rc[16]; 2673 rc[0]=0; 2674 (void)sldns_wire2str_rcode_buf((int)FLAGS_GET_RCODE( 2675 msg->rep->flags), rc, sizeof(rc)); 2676 errinf(qstate, rc); 2677 } else errinf(qstate, val_classification_to_string(subtype)); 2678 errinf(qstate, "message fails to prove that"); 2679 goto return_bogus; 2680 } 2681 return_bogus: 2682 *ke = key_entry_create_bad(qstate->region, qinfo->qname, 2683 qinfo->qname_len, qinfo->qclass, BOGUS_KEY_TTL, 2684 reason_bogus, reason, *qstate->env->now); 2685 return (*ke) != NULL; 2686 } 2687 2688 /** 2689 * Process DS response. Called from inform_supers. 2690 * Because it is in inform_supers, the mesh itself is busy doing callbacks 2691 * for a state that is to be deleted soon; don't touch the mesh; instead 2692 * set a state in the super, as the super will be reactivated soon. 2693 * Perform processing to determine what state to set in the super. 2694 * 2695 * @param qstate: query state that is validating and asked for a DS. 2696 * @param vq: validator query state 2697 * @param id: module id. 2698 * @param rcode: rcode result value. 2699 * @param msg: result message (if rcode is OK). 2700 * @param qinfo: from the sub query state, query info. 2701 * @param origin: the origin of msg. 2702 */ 2703 static void 2704 process_ds_response(struct module_qstate* qstate, struct val_qstate* vq, 2705 int id, int rcode, struct dns_msg* msg, struct query_info* qinfo, 2706 struct sock_list* origin) 2707 { 2708 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id]; 2709 struct key_entry_key* dske = NULL; 2710 uint8_t* olds = vq->empty_DS_name; 2711 vq->empty_DS_name = NULL; 2712 if(!ds_response_to_ke(qstate, vq, id, rcode, msg, qinfo, &dske)) { 2713 log_err("malloc failure in process_ds_response"); 2714 vq->key_entry = NULL; /* make it error */ 2715 vq->state = VAL_VALIDATE_STATE; 2716 return; 2717 } 2718 if(dske == NULL) { 2719 vq->empty_DS_name = regional_alloc_init(qstate->region, 2720 qinfo->qname, qinfo->qname_len); 2721 if(!vq->empty_DS_name) { 2722 log_err("malloc failure in empty_DS_name"); 2723 vq->key_entry = NULL; /* make it error */ 2724 vq->state = VAL_VALIDATE_STATE; 2725 return; 2726 } 2727 vq->empty_DS_len = qinfo->qname_len; 2728 vq->chain_blacklist = NULL; 2729 /* ds response indicated that we aren't on a delegation point. 2730 * Keep the forState.state on FINDKEY. */ 2731 } else if(key_entry_isgood(dske)) { 2732 vq->ds_rrset = key_entry_get_rrset(dske, qstate->region); 2733 if(!vq->ds_rrset) { 2734 log_err("malloc failure in process DS"); 2735 vq->key_entry = NULL; /* make it error */ 2736 vq->state = VAL_VALIDATE_STATE; 2737 return; 2738 } 2739 vq->chain_blacklist = NULL; /* fresh blacklist for next part*/ 2740 /* Keep the forState.state on FINDKEY. */ 2741 } else if(key_entry_isbad(dske) 2742 && vq->restart_count < ve->max_restart) { 2743 vq->empty_DS_name = olds; 2744 val_blacklist(&vq->chain_blacklist, qstate->region, origin, 1); 2745 qstate->errinf = NULL; 2746 vq->restart_count++; 2747 } else { 2748 if(key_entry_isbad(dske)) { 2749 errinf_origin(qstate, origin); 2750 errinf_dname(qstate, "for DS", qinfo->qname); 2751 } 2752 /* NOTE: the reason for the DS to be not good (that is, 2753 * either bad or null) should have been logged by 2754 * dsResponseToKE. */ 2755 vq->key_entry = dske; 2756 /* The FINDKEY phase has ended, so move on. */ 2757 vq->state = VAL_VALIDATE_STATE; 2758 } 2759 } 2760 2761 /** 2762 * Process DNSKEY response. Called from inform_supers. 2763 * Sets the key entry in the state. 2764 * Because it is in inform_supers, the mesh itself is busy doing callbacks 2765 * for a state that is to be deleted soon; don't touch the mesh; instead 2766 * set a state in the super, as the super will be reactivated soon. 2767 * Perform processing to determine what state to set in the super. 2768 * 2769 * @param qstate: query state that is validating and asked for a DNSKEY. 2770 * @param vq: validator query state 2771 * @param id: module id. 2772 * @param rcode: rcode result value. 2773 * @param msg: result message (if rcode is OK). 2774 * @param qinfo: from the sub query state, query info. 2775 * @param origin: the origin of msg. 2776 */ 2777 static void 2778 process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq, 2779 int id, int rcode, struct dns_msg* msg, struct query_info* qinfo, 2780 struct sock_list* origin) 2781 { 2782 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id]; 2783 struct key_entry_key* old = vq->key_entry; 2784 struct ub_packed_rrset_key* dnskey = NULL; 2785 int downprot; 2786 char* reason = NULL; 2787 sldns_ede_code reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 2788 2789 if(rcode == LDNS_RCODE_NOERROR) 2790 dnskey = reply_find_answer_rrset(qinfo, msg->rep); 2791 2792 if(dnskey == NULL) { 2793 /* bad response */ 2794 verbose(VERB_DETAIL, "Missing DNSKEY RRset in response to " 2795 "DNSKEY query."); 2796 2797 if(vq->restart_count < ve->max_restart) { 2798 val_blacklist(&vq->chain_blacklist, qstate->region, 2799 origin, 1); 2800 qstate->errinf = NULL; 2801 vq->restart_count++; 2802 return; 2803 } 2804 reason = "No DNSKEY record"; 2805 reason_bogus = LDNS_EDE_DNSKEY_MISSING; 2806 vq->key_entry = key_entry_create_bad(qstate->region, 2807 qinfo->qname, qinfo->qname_len, qinfo->qclass, 2808 BOGUS_KEY_TTL, reason_bogus, reason, 2809 *qstate->env->now); 2810 if(!vq->key_entry) { 2811 log_err("alloc failure in missing dnskey response"); 2812 /* key_entry is NULL for failure in Validate */ 2813 } 2814 errinf_ede(qstate, reason, reason_bogus); 2815 errinf_origin(qstate, origin); 2816 errinf_dname(qstate, "for key", qinfo->qname); 2817 vq->state = VAL_VALIDATE_STATE; 2818 return; 2819 } 2820 if(!vq->ds_rrset) { 2821 log_err("internal error: no DS rrset for new DNSKEY response"); 2822 vq->key_entry = NULL; 2823 vq->state = VAL_VALIDATE_STATE; 2824 return; 2825 } 2826 downprot = qstate->env->cfg->harden_algo_downgrade; 2827 vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env, 2828 ve, dnskey, vq->ds_rrset, downprot, &reason, &reason_bogus, qstate); 2829 2830 if(!vq->key_entry) { 2831 log_err("out of memory in verify new DNSKEYs"); 2832 vq->state = VAL_VALIDATE_STATE; 2833 return; 2834 } 2835 /* If the key entry isBad or isNull, then we can move on to the next 2836 * state. */ 2837 if(!key_entry_isgood(vq->key_entry)) { 2838 if(key_entry_isbad(vq->key_entry)) { 2839 if(vq->restart_count < ve->max_restart) { 2840 val_blacklist(&vq->chain_blacklist, 2841 qstate->region, origin, 1); 2842 qstate->errinf = NULL; 2843 vq->restart_count++; 2844 vq->key_entry = old; 2845 return; 2846 } 2847 verbose(VERB_DETAIL, "Did not match a DS to a DNSKEY, " 2848 "thus bogus."); 2849 errinf_ede(qstate, reason, reason_bogus); 2850 errinf_origin(qstate, origin); 2851 errinf_dname(qstate, "for key", qinfo->qname); 2852 } 2853 vq->chain_blacklist = NULL; 2854 vq->state = VAL_VALIDATE_STATE; 2855 return; 2856 } 2857 vq->chain_blacklist = NULL; 2858 qstate->errinf = NULL; 2859 2860 /* The DNSKEY validated, so cache it as a trusted key rrset. */ 2861 key_cache_insert(ve->kcache, vq->key_entry, 2862 qstate->env->cfg->val_log_level >= 2); 2863 2864 /* If good, we stay in the FINDKEY state. */ 2865 log_query_info(VERB_DETAIL, "validated DNSKEY", qinfo); 2866 } 2867 2868 /** 2869 * Process prime response 2870 * Sets the key entry in the state. 2871 * 2872 * @param qstate: query state that is validating and primed a trust anchor. 2873 * @param vq: validator query state 2874 * @param id: module id. 2875 * @param rcode: rcode result value. 2876 * @param msg: result message (if rcode is OK). 2877 * @param origin: the origin of msg. 2878 */ 2879 static void 2880 process_prime_response(struct module_qstate* qstate, struct val_qstate* vq, 2881 int id, int rcode, struct dns_msg* msg, struct sock_list* origin) 2882 { 2883 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id]; 2884 struct ub_packed_rrset_key* dnskey_rrset = NULL; 2885 struct trust_anchor* ta = anchor_find(qstate->env->anchors, 2886 vq->trust_anchor_name, vq->trust_anchor_labs, 2887 vq->trust_anchor_len, vq->qchase.qclass); 2888 if(!ta) { 2889 /* trust anchor revoked, restart with less anchors */ 2890 vq->state = VAL_INIT_STATE; 2891 if(!vq->trust_anchor_name) 2892 vq->state = VAL_VALIDATE_STATE; /* break a loop */ 2893 vq->trust_anchor_name = NULL; 2894 return; 2895 } 2896 /* Fetch and validate the keyEntry that corresponds to the 2897 * current trust anchor. */ 2898 if(rcode == LDNS_RCODE_NOERROR) { 2899 dnskey_rrset = reply_find_rrset_section_an(msg->rep, 2900 ta->name, ta->namelen, LDNS_RR_TYPE_DNSKEY, 2901 ta->dclass); 2902 } 2903 2904 if(ta->autr) { 2905 if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset, 2906 qstate)) { 2907 /* trust anchor revoked, restart with less anchors */ 2908 vq->state = VAL_INIT_STATE; 2909 vq->trust_anchor_name = NULL; 2910 return; 2911 } 2912 } 2913 vq->key_entry = primeResponseToKE(dnskey_rrset, ta, qstate, id); 2914 lock_basic_unlock(&ta->lock); 2915 if(vq->key_entry) { 2916 if(key_entry_isbad(vq->key_entry) 2917 && vq->restart_count < ve->max_restart) { 2918 val_blacklist(&vq->chain_blacklist, qstate->region, 2919 origin, 1); 2920 qstate->errinf = NULL; 2921 vq->restart_count++; 2922 vq->key_entry = NULL; 2923 vq->state = VAL_INIT_STATE; 2924 return; 2925 } 2926 vq->chain_blacklist = NULL; 2927 errinf_origin(qstate, origin); 2928 errinf_dname(qstate, "for trust anchor", ta->name); 2929 /* store the freshly primed entry in the cache */ 2930 key_cache_insert(ve->kcache, vq->key_entry, 2931 qstate->env->cfg->val_log_level >= 2); 2932 } 2933 2934 /* If the result of the prime is a null key, skip the FINDKEY state.*/ 2935 if(!vq->key_entry || key_entry_isnull(vq->key_entry) || 2936 key_entry_isbad(vq->key_entry)) { 2937 vq->state = VAL_VALIDATE_STATE; 2938 } 2939 /* the qstate will be reactivated after inform_super is done */ 2940 } 2941 2942 /* 2943 * inform validator super. 2944 * 2945 * @param qstate: query state that finished. 2946 * @param id: module id. 2947 * @param super: the qstate to inform. 2948 */ 2949 void 2950 val_inform_super(struct module_qstate* qstate, int id, 2951 struct module_qstate* super) 2952 { 2953 struct val_qstate* vq = (struct val_qstate*)super->minfo[id]; 2954 log_query_info(VERB_ALGO, "validator: inform_super, sub is", 2955 &qstate->qinfo); 2956 log_query_info(VERB_ALGO, "super is", &super->qinfo); 2957 if(!vq) { 2958 verbose(VERB_ALGO, "super: has no validator state"); 2959 return; 2960 } 2961 if(vq->wait_prime_ta) { 2962 vq->wait_prime_ta = 0; 2963 process_prime_response(super, vq, id, qstate->return_rcode, 2964 qstate->return_msg, qstate->reply_origin); 2965 return; 2966 } 2967 if(qstate->qinfo.qtype == LDNS_RR_TYPE_DS) { 2968 process_ds_response(super, vq, id, qstate->return_rcode, 2969 qstate->return_msg, &qstate->qinfo, 2970 qstate->reply_origin); 2971 return; 2972 } else if(qstate->qinfo.qtype == LDNS_RR_TYPE_DNSKEY) { 2973 process_dnskey_response(super, vq, id, qstate->return_rcode, 2974 qstate->return_msg, &qstate->qinfo, 2975 qstate->reply_origin); 2976 return; 2977 } 2978 log_err("internal error in validator: no inform_supers possible"); 2979 } 2980 2981 void 2982 val_clear(struct module_qstate* qstate, int id) 2983 { 2984 if(!qstate) 2985 return; 2986 /* everything is allocated in the region, so assign NULL */ 2987 qstate->minfo[id] = NULL; 2988 } 2989 2990 size_t 2991 val_get_mem(struct module_env* env, int id) 2992 { 2993 struct val_env* ve = (struct val_env*)env->modinfo[id]; 2994 if(!ve) 2995 return 0; 2996 return sizeof(*ve) + key_cache_get_mem(ve->kcache) + 2997 val_neg_get_mem(ve->neg_cache) + 2998 sizeof(size_t)*2*ve->nsec3_keyiter_count; 2999 } 3000 3001 /** 3002 * The validator function block 3003 */ 3004 static struct module_func_block val_block = { 3005 "validator", 3006 &val_init, &val_deinit, &val_operate, &val_inform_super, &val_clear, 3007 &val_get_mem 3008 }; 3009 3010 struct module_func_block* 3011 val_get_funcblock(void) 3012 { 3013 return &val_block; 3014 } 3015 3016 const char* 3017 val_state_to_string(enum val_state state) 3018 { 3019 switch(state) { 3020 case VAL_INIT_STATE: return "VAL_INIT_STATE"; 3021 case VAL_FINDKEY_STATE: return "VAL_FINDKEY_STATE"; 3022 case VAL_VALIDATE_STATE: return "VAL_VALIDATE_STATE"; 3023 case VAL_FINISHED_STATE: return "VAL_FINISHED_STATE"; 3024 } 3025 return "UNKNOWN VALIDATOR STATE"; 3026 } 3027 3028