1 /* 2 * validator/validator.h - secure validator DNS query response module 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains a module that performs validation of DNS queries. 40 * According to RFC 4034. 41 */ 42 43 #ifndef VALIDATOR_VALIDATOR_H 44 #define VALIDATOR_VALIDATOR_H 45 #include "util/module.h" 46 #include "util/data/msgreply.h" 47 #include "validator/val_utils.h" 48 struct val_anchors; 49 struct key_cache; 50 struct key_entry_key; 51 struct val_neg_cache; 52 struct config_strlist; 53 54 /** 55 * This is the TTL to use when a trust anchor fails to prime. A trust anchor 56 * will be primed no more often than this interval. Used when harden- 57 * dnssec-stripped is off and the trust anchor fails. 58 */ 59 #define NULL_KEY_TTL 60 /* seconds */ 60 61 /** 62 * TTL for bogus key entries. When a DS or DNSKEY fails in the chain of 63 * trust the entire zone for that name is blacked out for this TTL. 64 */ 65 #define BOGUS_KEY_TTL 60 /* seconds */ 66 67 /** max number of query restarts, number of IPs to probe */ 68 #define VAL_MAX_RESTART_COUNT 5 69 70 /** 71 * Global state for the validator. 72 */ 73 struct val_env { 74 /** key cache; these are validated keys. trusted keys only 75 * end up here after being primed. */ 76 struct key_cache* kcache; 77 78 /** aggressive negative cache. index into NSECs in rrset cache. */ 79 struct val_neg_cache* neg_cache; 80 81 /** for debug testing a fixed validation date can be entered. 82 * if 0, current time is used for rrsig validation */ 83 int32_t date_override; 84 85 /** clock skew min for signatures */ 86 int32_t skew_min; 87 88 /** clock skew max for signatures */ 89 int32_t skew_max; 90 91 /** TTL for bogus data; used instead of untrusted TTL from data. 92 * Bogus data will not be verified more often than this interval. 93 * seconds. */ 94 uint32_t bogus_ttl; 95 96 /** If set, the validator should clean the additional section of 97 * secure messages. 98 */ 99 int clean_additional; 100 101 /** 102 * If set, the validator will not make messages bogus, instead 103 * indeterminate is issued, so that no clients receive SERVFAIL. 104 * This allows an operator to run validation 'shadow' without 105 * hurting responses to clients. 106 */ 107 int permissive_mode; 108 109 /** 110 * Number of entries in the NSEC3 maximum iteration count table. 111 * Keep this table short, and sorted by size 112 */ 113 int nsec3_keyiter_count; 114 115 /** 116 * NSEC3 maximum iteration count per signing key size. 117 * This array contains key size values (in increasing order) 118 */ 119 size_t* nsec3_keysize; 120 121 /** 122 * NSEC3 maximum iteration count per signing key size. 123 * This array contains the maximum iteration count for the keysize 124 * in the keysize array. 125 */ 126 size_t* nsec3_maxiter; 127 128 /** lock on bogus counter */ 129 lock_basic_t bogus_lock; 130 /** number of times rrsets marked bogus */ 131 size_t num_rrset_bogus; 132 }; 133 134 /** 135 * State of the validator for a query. 136 */ 137 enum val_state { 138 /** initial state for validation */ 139 VAL_INIT_STATE = 0, 140 /** find the proper keys for validation, follow trust chain */ 141 VAL_FINDKEY_STATE, 142 /** validate the answer, using found key entry */ 143 VAL_VALIDATE_STATE, 144 /** finish up */ 145 VAL_FINISHED_STATE, 146 /** DLV lookup state, processing DLV queries */ 147 VAL_DLVLOOKUP_STATE 148 }; 149 150 /** 151 * Per query state for the validator module. 152 */ 153 struct val_qstate { 154 /** 155 * State of the validator module. 156 */ 157 enum val_state state; 158 159 /** 160 * The original message we have been given to validate. 161 */ 162 struct dns_msg* orig_msg; 163 164 /** 165 * The query restart count 166 */ 167 int restart_count; 168 /** The blacklist saved for chainoftrust elements */ 169 struct sock_list* chain_blacklist; 170 171 /** 172 * The query name we have chased to; qname after following CNAMEs 173 */ 174 struct query_info qchase; 175 176 /** 177 * The chased reply, extract from original message. Can be: 178 * o CNAME 179 * o DNAME + CNAME 180 * o answer 181 * plus authority, additional (nsecs) that have same signature. 182 */ 183 struct reply_info* chase_reply; 184 185 /** 186 * The cname skip value; the number of rrsets that have been skipped 187 * due to chasing cnames. This is the offset into the 188 * orig_msg->rep->rrsets array, into the answer section. 189 * starts at 0 - for the full original message. 190 * if it is >0 - qchase followed the cname, chase_reply setup to be 191 * that message and relevant authority rrsets. 192 * 193 * The skip is also used for referral messages, where it will 194 * range from 0, over the answer, authority and additional sections. 195 */ 196 size_t rrset_skip; 197 198 /** trust anchor name */ 199 uint8_t* trust_anchor_name; 200 /** trust anchor labels */ 201 int trust_anchor_labs; 202 /** trust anchor length */ 203 size_t trust_anchor_len; 204 205 /** the DS rrset */ 206 struct ub_packed_rrset_key* ds_rrset; 207 208 /** domain name for empty nonterminal detection */ 209 uint8_t* empty_DS_name; 210 /** length of empty_DS_name */ 211 size_t empty_DS_len; 212 213 /** the current key entry */ 214 struct key_entry_key* key_entry; 215 216 /** subtype */ 217 enum val_classification subtype; 218 219 /** signer name */ 220 uint8_t* signer_name; 221 /** length of signer_name */ 222 size_t signer_len; 223 224 /** true if this state is waiting to prime a trust anchor */ 225 int wait_prime_ta; 226 227 /** have we already checked the DLV? */ 228 int dlv_checked; 229 /** The name for which the DLV is looked up. For the current message 230 * or for the current RRset (for CNAME, REFERRAL types). 231 * If there is signer name, that may be it, else a domain name */ 232 uint8_t* dlv_lookup_name; 233 /** length of dlv lookup name */ 234 size_t dlv_lookup_name_len; 235 /** Name at which chain of trust stopped with insecure, starting DLV 236 * DLV must result in chain going further down */ 237 uint8_t* dlv_insecure_at; 238 /** length of dlv insecure point name */ 239 size_t dlv_insecure_at_len; 240 /** status of DLV lookup. Indication to VAL_DLV_STATE what to do */ 241 enum dlv_status { 242 dlv_error, /* server failure */ 243 dlv_success, /* got a DLV */ 244 dlv_ask_higher, /* ask again */ 245 dlv_there_is_no_dlv /* got no DLV, sure of it */ 246 } dlv_status; 247 }; 248 249 /** 250 * Get the validator function block. 251 * @return: function block with function pointers to validator methods. 252 */ 253 struct module_func_block* val_get_funcblock(void); 254 255 /** 256 * Get validator state as a string 257 * @param state: to convert 258 * @return constant string that is printable. 259 */ 260 const char* val_state_to_string(enum val_state state); 261 262 /** validator init */ 263 int val_init(struct module_env* env, int id); 264 265 /** validator deinit */ 266 void val_deinit(struct module_env* env, int id); 267 268 /** validator operate on a query */ 269 void val_operate(struct module_qstate* qstate, enum module_ev event, int id, 270 struct outbound_entry* outbound); 271 272 /** 273 * inform validator super. 274 * 275 * @param qstate: query state that finished. 276 * @param id: module id. 277 * @param super: the qstate to inform. 278 */ 279 void val_inform_super(struct module_qstate* qstate, int id, 280 struct module_qstate* super); 281 282 /** validator cleanup query state */ 283 void val_clear(struct module_qstate* qstate, int id); 284 285 /** 286 * Debug helper routine that assists worker in determining memory in 287 * use. 288 * @param env: module environment 289 * @param id: module id. 290 * @return memory in use in bytes. 291 */ 292 size_t val_get_mem(struct module_env* env, int id); 293 294 #endif /* VALIDATOR_VALIDATOR_H */ 295