3 * Where all the hard work concerning secure tracing is done
5 * (c) 2005, 2006 NLnet Labs
7 * See the file LICENSE for the license
12 #include <ldns/ldns.h>
14 #define SELF "[S]" /* self sig ok */
15 #define TRUST "[T]" /* chain from parent */
16 #define BOGUS "[B]" /* bogus */
17 #define UNSIGNED "[U]" /* no relevant dnssec data found */
20 /* See if there is a key/ds in trusted that matches
24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
31 if (!trusted || !ds) {
36 keys = ldns_rr_list_new();
41 if (!ds || !trusted) {
45 for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) {
46 rr_i = ldns_rr_list_rr(trusted, i);
47 for (j = 0; j < ldns_rr_list_rr_count(ds); j++) {
49 rr_j = ldns_rr_list_rr(ds, j);
50 if (ldns_rr_compare_ds(rr_i, rr_j)) {
52 /* only allow unique RRs to match */
53 ldns_rr_set_push_rr(keys, rr_i);
66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t)
69 p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0);
74 ldns_pkt_print(stdout, p);
82 * retrieve keys for this zone
85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
87 return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig);
91 * check to see if we can find a DS rrset here which we can then follow
94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
96 return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig);
101 remove_resolver_nameservers(ldns_resolver *res)
105 /* remove the old nameserver from the resolver */
106 while((pop = ldns_resolver_pop_nameserver(res))) {
107 ldns_rdf_deep_free(pop);
113 show_current_nameservers(FILE *out, ldns_resolver *res)
116 fprintf(out, "Current nameservers for resolver object:\n");
117 for (i = 0; i < ldns_resolver_nameserver_count(res); i++) {
118 ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]);
126 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
127 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name
131 ldns_pkt *p, *local_p;
132 ldns_rr_list *new_nss_a;
133 ldns_rr_list *new_nss_aaaa;
134 ldns_rr_list *new_nss;
135 ldns_rr_list *ns_addr;
138 ldns_rdf **labels = NULL;
139 ldns_status status, st;
144 uint8_t labels_count;
148 ldns_rr_list *key_list;
149 ldns_rr_list *key_sig_list;
150 ldns_rr_list *ds_list;
151 ldns_rr_list *ds_sig_list;
152 ldns_rr_list *correct_key_list;
153 ldns_rr_list *trusted_ds_rrs;
154 bool new_keys_trusted = false;
155 ldns_rr_list *current_correct_keys;
156 ldns_rr_list *dataset;
158 ldns_rr_list *nsec_rrs = NULL;
159 ldns_rr_list *nsec_rr_sigs = NULL;
161 /* empty non-terminal check */
165 ldns_rr_list *new_ns_addr;
166 ldns_rr_list *old_ns_addr;
171 /* printing niceness */
172 const ldns_rr_descriptor *descriptor;
174 descriptor = ldns_rr_descript(t);
183 pt = LDNS_PACKET_UNKNOWN;
187 res = ldns_resolver_new();
192 error("Memory allocation failed");
197 correct_key_list = ldns_rr_list_new();
198 if (!correct_key_list) {
199 error("Memory allocation failed");
204 trusted_ds_rrs = ldns_rr_list_new();
205 if (!trusted_ds_rrs) {
206 error("Memory allocation failed");
210 /* Add all preset trusted DS signatures to the list of trusted DS RRs. */
211 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
212 ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j);
213 if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) {
214 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr));
218 /* transfer some properties of local_res to res */
219 ldns_resolver_set_ip6(res,
220 ldns_resolver_ip6(local_res));
221 ldns_resolver_set_port(res,
222 ldns_resolver_port(local_res));
223 ldns_resolver_set_debug(res,
224 ldns_resolver_debug(local_res));
225 ldns_resolver_set_fail(res,
226 ldns_resolver_fail(local_res));
227 ldns_resolver_set_usevc(res,
228 ldns_resolver_usevc(local_res));
229 ldns_resolver_set_random(res,
230 ldns_resolver_random(local_res));
231 ldns_resolver_set_recursive(local_res, true);
233 ldns_resolver_set_recursive(res, false);
234 ldns_resolver_set_dnssec_cd(res, false);
235 ldns_resolver_set_dnssec(res, true);
237 /* setup the root nameserver in the new resolver */
238 status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root);
239 if (status != LDNS_STATUS_OK) {
240 printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status));
241 ldns_rr_list_print(stdout, global_dns_root);
244 labels_count = ldns_dname_label_count(name);
246 if (ldns_dname_is_subdomain(name, start_name)) {
247 labels_count -= ldns_dname_label_count(start_name);
249 fprintf(stderr, "Error; ");
250 ldns_rdf_print(stderr, name);
251 fprintf(stderr, " is not a subdomain of ");
252 ldns_rdf_print(stderr, start_name);
253 fprintf(stderr, "\n");
257 labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2);
261 labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);
262 labels[1] = ldns_rdf_clone(name);
263 for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {
264 labels[i] = ldns_dname_left_chop(labels[i - 1]);
266 /* if no servers is given with @, start by asking local resolver */
267 /* first part todo :) */
268 for (i = 0; i < (ssize_t) ldns_resolver_nameserver_count(local_res); i++) {
269 (void) ldns_resolver_push_nameserver(res, ldns_resolver_nameservers(local_res)[i]);
272 /* get the nameserver for the label
273 * ask: dnskey and ds for the label
275 for(i = (ssize_t)labels_count + 1; i > 0; i--) {
276 status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);
278 if (verbosity >= 5) {
279 ldns_pkt_print(stdout, local_p);
282 new_nss = ldns_pkt_rr_list_by_type(local_p,
283 LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
285 /* if it's a delegation, servers put them in the auth section */
286 new_nss = ldns_pkt_rr_list_by_type(local_p,
287 LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
290 /* if this is the final step there might not be nameserver records
291 of course if the data is in the apex, there are, so cover both
293 if (new_nss || i > 1) {
294 for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) {
295 ns_rr = ldns_rr_list_rr(new_nss, j);
296 pop = ldns_rr_rdf(ns_rr, 0);
301 /* retrieve it's addresses */
304 if (ldns_dname_is_subdomain(pop, labels[i])) {
305 new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
307 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
308 new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0);
310 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
311 new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0);
315 old_ns_addr = ns_addr;
316 ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr);
317 ldns_rr_list_deep_free(old_ns_addr);
319 ldns_rr_list_deep_free(new_ns_addr);
321 ldns_rr_list_deep_free(new_nss);
324 remove_resolver_nameservers(res);
326 if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) !=
328 error("Error adding new nameservers");
329 ldns_pkt_free(local_p);
332 ldns_rr_list_deep_free(ns_addr);
334 status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs);
336 /* verify the nsec3 themselves*/
337 if (verbosity >= 4) {
338 printf("NSEC(3) Records to verify:\n");
339 ldns_rr_list_print(stdout, nsec_rrs);
340 printf("With signatures:\n");
341 ldns_rr_list_print(stdout, nsec_rr_sigs);
342 printf("correct keys:\n");
343 ldns_rr_list_print(stdout, correct_key_list);
346 if (status == LDNS_STATUS_OK) {
347 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
348 fprintf(stdout, "%s ", TRUST);
349 fprintf(stdout, "Existence denied: ");
350 ldns_rdf_print(stdout, labels[i]);
352 if (descriptor && descriptor->_name) {
353 printf(" %s", descriptor->_name);
355 printf(" TYPE%u", t);
357 */ fprintf(stdout, " NS\n");
358 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
359 fprintf(stdout, "%s ", SELF);
360 fprintf(stdout, "Existence denied: ");
361 ldns_rdf_print(stdout, labels[i]);
363 if (descriptor && descriptor->_name) {
364 printf(" %s", descriptor->_name);
366 printf(" TYPE%u", t);
369 fprintf(stdout, " NS\n");
371 fprintf(stdout, "%s ", BOGUS);
373 printf(";; Error verifying denial of existence for name ");
374 ldns_rdf_print(stdout, labels[i]);
377 if (descriptor && descriptor->_name) {
378 printf("%s", descriptor->_name);
382 */ printf("NS: %s\n", ldns_get_errorstr_by_id(st));
385 fprintf(stdout, "%s ", BOGUS);
387 printf(";; Error verifying denial of existence for name ");
388 ldns_rdf_print(stdout, labels[i]);
389 printf("NS: %s\n", ldns_get_errorstr_by_id(status));
392 /* there might be an empty non-terminal, in which case we need to continue */
394 for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) {
395 if (ldns_dname_is_subdomain(ldns_rr_rdf(ldns_rr_list_rr(nsec_rrs, j), 0), labels[i])) {
400 ldns_rr_list_deep_free(nsec_rrs);
401 ldns_rr_list_deep_free(nsec_rr_sigs);
402 ldns_pkt_free(local_p);
405 printf(";; There is an empty non-terminal here, continue\n");
411 if (ldns_resolver_nameserver_count(res) == 0) {
412 error("No nameservers found for this node");
416 ldns_pkt_free(local_p);
418 fprintf(stdout, ";; Domain: ");
419 ldns_rdf_print(stdout, labels[i]);
420 fprintf(stdout, "\n");
422 /* retrieve keys for current domain, and verify them
423 if they match an already trusted DS, or if one of the
424 keys used to sign these is trusted, add the keys to
426 p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY);
427 pt = get_key(p, labels[i], &key_list, &key_sig_list);
430 current_correct_keys = ldns_rr_list_new();
431 if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) ==
433 /* add all signed keys (don't just add current_correct, you'd miss
435 for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) {
436 ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j)));
439 /* check whether these keys were signed
440 * by a trusted keys. if so, these
441 * keys are also trusted */
442 new_keys_trusted = false;
443 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
444 for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) {
445 if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k),
446 ldns_rr_list_rr(trusted_ds_rrs, j))) {
447 new_keys_trusted = true;
452 /* also all keys are trusted if one of the current correct keys is trusted */
453 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
454 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
455 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k),
456 ldns_rr_list_rr(trusted_keys, j)) == 0) {
457 new_keys_trusted = true;
463 if (new_keys_trusted) {
464 ldns_rr_list_push_rr_list(trusted_keys, key_list);
465 print_rr_list_abbr(stdout, key_list, TRUST);
466 ldns_rr_list_free(key_list);
469 if (verbosity >= 2) {
470 printf(";; Signature ok but no chain to a trusted key or ds record\n");
472 print_rr_list_abbr(stdout, key_list, SELF);
473 ldns_rr_list_deep_free(key_list);
477 print_rr_list_abbr(stdout, key_list, BOGUS);
479 ldns_rr_list_deep_free(key_list);
482 ldns_rr_list_free(current_correct_keys);
483 current_correct_keys = NULL;
485 printf(";; No DNSKEY record found for ");
486 ldns_rdf_print(stdout, labels[i]);
492 ldns_rr_list_deep_free(key_sig_list);
495 /* check the DS records for the next child domain */
497 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
498 pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
502 ldns_rr_list_deep_free(ds_sig_list);
504 p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
505 pt = get_ds(p, NULL, &ds_list, &ds_sig_list);
509 if (verbosity >= 4) {
510 printf("VERIFYING:\n");
511 printf("DS LIST:\n");
512 ldns_rr_list_print(stdout, ds_list);
514 ldns_rr_list_print(stdout, ds_sig_list);
516 ldns_rr_list_print(stdout, correct_key_list);
519 current_correct_keys = ldns_rr_list_new();
521 if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) ==
523 /* if the ds is signed by a trusted key and a key from correct keys
524 matches that ds, add that key to the trusted keys */
525 new_keys_trusted = false;
526 if (verbosity >= 2) {
527 printf("Checking if signing key is trusted:\n");
529 for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) {
530 if (verbosity >= 2) {
532 ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j));
534 for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) {
535 if (verbosity >= 2) {
536 printf("\tTrusted key: ");
537 ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k));
539 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j),
540 ldns_rr_list_rr(trusted_keys, k)) == 0) {
541 if (verbosity >= 2) {
542 printf("Key is now trusted!\n");
544 for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) {
545 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l)));
546 new_keys_trusted = true;
551 if (new_keys_trusted) {
552 print_rr_list_abbr(stdout, ds_list, TRUST);
554 print_rr_list_abbr(stdout, ds_list, SELF);
558 print_rr_list_abbr(stdout, ds_list, BOGUS);
561 ldns_rr_list_free(current_correct_keys);
562 current_correct_keys = NULL;
564 /* wait apparently there were no keys either, go back to the ds packet */
566 ldns_rr_list_deep_free(ds_sig_list);
567 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
568 pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
570 status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs);
572 if (verbosity >= 4) {
573 printf("NSEC(3) Records to verify:\n");
574 ldns_rr_list_print(stdout, nsec_rrs);
575 printf("With signatures:\n");
576 ldns_rr_list_print(stdout, nsec_rr_sigs);
577 printf("correct keys:\n");
578 ldns_rr_list_print(stdout, correct_key_list);
581 if (status == LDNS_STATUS_OK) {
582 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
583 fprintf(stdout, "%s ", TRUST);
584 fprintf(stdout, "Existence denied: ");
585 ldns_rdf_print(stdout, labels[i-1]);
587 fprintf(stdout, "\n");
588 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
589 fprintf(stdout, "%s ", SELF);
590 fprintf(stdout, "Existence denied: ");
591 ldns_rdf_print(stdout, labels[i-1]);
593 fprintf(stdout, "\n");
596 fprintf(stdout, "%s ", BOGUS);
597 printf("Error verifying denial of existence for ");
598 ldns_rdf_print(stdout, labels[i-1]);
600 printf(": %s\n", ldns_get_errorstr_by_id(st));
605 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
606 printf(";; No DS for ");
607 ldns_rdf_print(stdout, labels[i - 1]);
609 printf("[B] Unable to verify denial of existence for ");
610 ldns_rdf_print(stdout, labels[i - 1]);
611 printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
614 if (verbosity >= 2) {
615 printf(";; No ds record for delegation\n");
619 ldns_rr_list_deep_free(ds_list);
622 /* if this is the last label, just verify the data and stop */
623 p = get_dnssec_pkt(res, labels[i], t);
624 pt = get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list);
625 if (dataset && ldns_rr_list_rr_count(dataset) > 0) {
626 if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) {
628 /* If this is a wildcard, you must be able to deny exact match */
629 if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) {
630 fprintf(stdout, "%s ", TRUST);
631 ldns_rr_list_print(stdout, dataset);
632 } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) {
633 fprintf(stdout, "%s ", SELF);
634 ldns_rr_list_print(stdout, dataset);
637 fprintf(stdout, "%s ", BOGUS);
638 ldns_rr_list_print(stdout, dataset);
639 printf(";; Error: %s\n", ldns_get_errorstr_by_id(st));
642 fprintf(stdout, "%s ", UNSIGNED);
643 ldns_rr_list_print(stdout, dataset);
645 ldns_rr_list_deep_free(dataset);
647 status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs);
648 if (status == LDNS_STATUS_OK) {
649 /* verify the nsec3 themselves*/
650 if (verbosity >= 5) {
651 printf("NSEC(3) Records to verify:\n");
652 ldns_rr_list_print(stdout, nsec_rrs);
653 printf("With signatures:\n");
654 ldns_rr_list_print(stdout, nsec_rr_sigs);
655 printf("correct keys:\n");
656 ldns_rr_list_print(stdout, correct_key_list);
658 printf("trusted keys at %p:\n", trusted_keys);
659 ldns_rr_list_print(stdout, trusted_keys);
662 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
663 fprintf(stdout, "%s ", TRUST);
664 fprintf(stdout, "Existence denied: ");
665 ldns_rdf_print(stdout, name);
666 if (descriptor && descriptor->_name) {
667 printf(" %s", descriptor->_name);
669 printf(" TYPE%u", t);
671 fprintf(stdout, "\n");
672 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
673 fprintf(stdout, "%s ", SELF);
674 fprintf(stdout, "Existence denied: ");
675 ldns_rdf_print(stdout, name);
676 if (descriptor && descriptor->_name) {
677 printf(" %s", descriptor->_name);
679 printf(" TYPE%u", t);
681 fprintf(stdout, "\n");
684 fprintf(stdout, "%s ", BOGUS);
685 printf("Error verifying denial of existence for ");
686 ldns_rdf_print(stdout, name);
688 if (descriptor && descriptor->_name) {
689 printf("%s", descriptor->_name);
693 printf(": %s\n", ldns_get_errorstr_by_id(st));
696 ldns_rr_list_deep_free(nsec_rrs);
697 ldns_rr_list_deep_free(nsec_rr_sigs);
701 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
702 printf("%s ", UNSIGNED);
703 printf("No data found for: ");
704 ldns_rdf_print(stdout, name);
706 if (descriptor && descriptor->_name) {
707 printf("%s", descriptor->_name);
713 printf("[B] Unable to verify denial of existence for ");
714 ldns_rdf_print(stdout, name);
716 if (descriptor && descriptor->_name) {
717 printf("%s", descriptor->_name);
733 ldns_rr_list_deep_free(key_list);
735 ldns_rr_list_deep_free(key_sig_list);
738 ldns_rr_list_deep_free(ds_sig_list);
741 printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");
743 printf("Trusted keys:\n");
744 ldns_rr_list_print(stdout, trusted_keys);
745 printf("trusted dss:\n");
746 ldns_rr_list_print(stdout, trusted_ds_rrs);
750 ldns_rr_list_deep_free(trusted_ds_rrs);
751 ldns_rr_list_deep_free(correct_key_list);
752 ldns_resolver_deep_free(res);
754 for(i = 0 ; i < (ssize_t)labels_count + 2; i++) {
755 ldns_rdf_deep_free(labels[i]);
761 #endif /* HAVE_SSL */