3 * Where all the hard work concerning secure tracing is done
5 * (c) 2005, 2006 NLnet Labs
7 * See the file LICENSE for the license
12 #include <ldns/ldns.h>
14 #define SELF "[S]" /* self sig ok */
15 #define TRUST "[T]" /* chain from parent */
16 #define BOGUS "[B]" /* bogus */
17 #define UNSIGNED "[U]" /* no relevant dnssec data found */
20 /* See if there is a key/ds in trusted that matches
24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
31 if (!trusted || !ds) {
36 keys = ldns_rr_list_new();
41 if (!ds || !trusted) {
45 for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) {
46 rr_i = ldns_rr_list_rr(trusted, i);
47 for (j = 0; j < ldns_rr_list_rr_count(ds); j++) {
49 rr_j = ldns_rr_list_rr(ds, j);
50 if (ldns_rr_compare_ds(rr_i, rr_j)) {
52 /* only allow unique RRs to match */
53 ldns_rr_set_push_rr(keys, rr_i);
66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t)
69 p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0);
74 ldns_pkt_print(stdout, p);
82 * retrieve keys for this zone
85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
87 return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig);
91 * check to see if we can find a DS rrset here which we can then follow
94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
96 return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig);
101 remove_resolver_nameservers(ldns_resolver *res)
105 /* remove the old nameserver from the resolver */
106 while((pop = ldns_resolver_pop_nameserver(res))) {
107 ldns_rdf_deep_free(pop);
113 show_current_nameservers(FILE *out, ldns_resolver *res)
116 fprintf(out, "Current nameservers for resolver object:\n");
117 for (i = 0; i < ldns_resolver_nameserver_count(res); i++) {
118 ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]);
126 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
127 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name
131 ldns_pkt *p, *local_p;
132 ldns_rr_list *new_nss_a;
133 ldns_rr_list *new_nss_aaaa;
134 ldns_rr_list *new_nss;
135 ldns_rr_list *ns_addr;
138 ldns_rdf **labels = NULL;
139 ldns_status status, st;
144 uint8_t labels_count;
148 ldns_rr_list *key_list;
149 ldns_rr_list *key_sig_list;
150 ldns_rr_list *ds_list;
151 ldns_rr_list *ds_sig_list;
152 ldns_rr_list *correct_key_list;
153 ldns_rr_list *trusted_ds_rrs;
154 bool new_keys_trusted = false;
155 ldns_rr_list *current_correct_keys;
156 ldns_rr_list *dataset;
158 ldns_rr_list *nsec_rrs = NULL;
159 ldns_rr_list *nsec_rr_sigs = NULL;
161 /* empty non-terminal check */
165 ldns_rr_list *new_ns_addr;
166 ldns_rr_list *old_ns_addr;
171 /* printing niceness */
172 const ldns_rr_descriptor *descriptor;
174 descriptor = ldns_rr_descript(t);
183 pt = LDNS_PACKET_UNKNOWN;
187 res = ldns_resolver_new();
192 error("Memory allocation failed");
197 correct_key_list = ldns_rr_list_new();
198 if (!correct_key_list) {
199 error("Memory allocation failed");
204 trusted_ds_rrs = ldns_rr_list_new();
205 if (!trusted_ds_rrs) {
206 error("Memory allocation failed");
210 /* Add all preset trusted DS signatures to the list of trusted DS RRs. */
211 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
212 ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j);
213 if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) {
214 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr));
218 /* transfer some properties of local_res to res */
219 ldns_resolver_set_ip6(res,
220 ldns_resolver_ip6(local_res));
221 ldns_resolver_set_port(res,
222 ldns_resolver_port(local_res));
223 ldns_resolver_set_debug(res,
224 ldns_resolver_debug(local_res));
225 ldns_resolver_set_fail(res,
226 ldns_resolver_fail(local_res));
227 ldns_resolver_set_usevc(res,
228 ldns_resolver_usevc(local_res));
229 ldns_resolver_set_random(res,
230 ldns_resolver_random(local_res));
231 ldns_resolver_set_recursive(local_res, true);
233 ldns_resolver_set_recursive(res, false);
234 ldns_resolver_set_dnssec_cd(res, false);
235 ldns_resolver_set_dnssec(res, true);
237 /* setup the root nameserver in the new resolver */
238 status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root);
239 if (status != LDNS_STATUS_OK) {
240 printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status));
241 ldns_rr_list_print(stdout, global_dns_root);
244 labels_count = ldns_dname_label_count(name);
246 if (ldns_dname_is_subdomain(name, start_name)) {
247 labels_count -= ldns_dname_label_count(start_name);
249 fprintf(stderr, "Error; ");
250 ldns_rdf_print(stderr, name);
251 fprintf(stderr, " is not a subdomain of ");
252 ldns_rdf_print(stderr, start_name);
253 fprintf(stderr, "\n");
257 labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2);
261 labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);
262 labels[1] = ldns_rdf_clone(name);
263 for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {
264 labels[i] = ldns_dname_left_chop(labels[i - 1]);
267 /* get the nameserver for the label
268 * ask: dnskey and ds for the label
270 for(i = (ssize_t)labels_count + 1; i > 0; i--) {
271 status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);
273 if (verbosity >= 5) {
274 ldns_pkt_print(stdout, local_p);
277 new_nss = ldns_pkt_rr_list_by_type(local_p,
278 LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
280 /* if it's a delegation, servers put them in the auth section */
281 new_nss = ldns_pkt_rr_list_by_type(local_p,
282 LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
285 /* if this is the final step there might not be nameserver records
286 of course if the data is in the apex, there are, so cover both
288 if (new_nss || i > 1) {
289 for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) {
290 ns_rr = ldns_rr_list_rr(new_nss, j);
291 pop = ldns_rr_rdf(ns_rr, 0);
296 /* retrieve it's addresses */
299 if (ldns_dname_is_subdomain(pop, labels[i])) {
300 new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
302 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
303 new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0);
305 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
306 new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0);
310 old_ns_addr = ns_addr;
311 ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr);
312 ldns_rr_list_deep_free(old_ns_addr);
314 ldns_rr_list_deep_free(new_ns_addr);
316 ldns_rr_list_deep_free(new_nss);
319 remove_resolver_nameservers(res);
321 if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) !=
323 error("Error adding new nameservers");
324 ldns_pkt_free(local_p);
327 ldns_rr_list_deep_free(ns_addr);
329 status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs);
331 /* verify the nsec3 themselves*/
332 if (verbosity >= 4) {
333 printf("NSEC(3) Records to verify:\n");
334 ldns_rr_list_print(stdout, nsec_rrs);
335 printf("With signatures:\n");
336 ldns_rr_list_print(stdout, nsec_rr_sigs);
337 printf("correct keys:\n");
338 ldns_rr_list_print(stdout, correct_key_list);
341 if (status == LDNS_STATUS_OK) {
342 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
343 fprintf(stdout, "%s ", TRUST);
344 fprintf(stdout, "Existence denied: ");
345 ldns_rdf_print(stdout, labels[i]);
347 if (descriptor && descriptor->_name) {
348 printf(" %s", descriptor->_name);
350 printf(" TYPE%u", t);
352 */ fprintf(stdout, " NS\n");
353 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
354 fprintf(stdout, "%s ", SELF);
355 fprintf(stdout, "Existence denied: ");
356 ldns_rdf_print(stdout, labels[i]);
358 if (descriptor && descriptor->_name) {
359 printf(" %s", descriptor->_name);
361 printf(" TYPE%u", t);
364 fprintf(stdout, " NS\n");
366 fprintf(stdout, "%s ", BOGUS);
368 printf(";; Error verifying denial of existence for name ");
369 ldns_rdf_print(stdout, labels[i]);
372 if (descriptor && descriptor->_name) {
373 printf("%s", descriptor->_name);
377 */ printf("NS: %s\n", ldns_get_errorstr_by_id(st));
380 fprintf(stdout, "%s ", BOGUS);
382 printf(";; Error verifying denial of existence for name ");
383 ldns_rdf_print(stdout, labels[i]);
384 printf("NS: %s\n", ldns_get_errorstr_by_id(status));
387 /* there might be an empty non-terminal, in which case we need to continue */
389 for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) {
390 if (ldns_dname_is_subdomain(ldns_rr_rdf(ldns_rr_list_rr(nsec_rrs, j), 0), labels[i])) {
395 ldns_rr_list_deep_free(nsec_rrs);
396 ldns_rr_list_deep_free(nsec_rr_sigs);
397 ldns_pkt_free(local_p);
400 printf(";; There is an empty non-terminal here, continue\n");
406 if (ldns_resolver_nameserver_count(res) == 0) {
407 error("No nameservers found for this node");
411 ldns_pkt_free(local_p);
413 fprintf(stdout, ";; Domain: ");
414 ldns_rdf_print(stdout, labels[i]);
415 fprintf(stdout, "\n");
417 /* retrieve keys for current domain, and verify them
418 if they match an already trusted DS, or if one of the
419 keys used to sign these is trusted, add the keys to
421 p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY);
422 pt = get_key(p, labels[i], &key_list, &key_sig_list);
425 current_correct_keys = ldns_rr_list_new();
426 if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) ==
428 /* add all signed keys (don't just add current_correct, you'd miss
430 for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) {
431 ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j)));
434 /* check whether these keys were signed
435 * by a trusted keys. if so, these
436 * keys are also trusted */
437 new_keys_trusted = false;
438 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
439 for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) {
440 if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k),
441 ldns_rr_list_rr(trusted_ds_rrs, j))) {
442 new_keys_trusted = true;
447 /* also all keys are trusted if one of the current correct keys is trusted */
448 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
449 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
450 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k),
451 ldns_rr_list_rr(trusted_keys, j)) == 0) {
452 new_keys_trusted = true;
458 if (new_keys_trusted) {
459 ldns_rr_list_push_rr_list(trusted_keys, key_list);
460 print_rr_list_abbr(stdout, key_list, TRUST);
461 ldns_rr_list_free(key_list);
464 if (verbosity >= 2) {
465 printf(";; Signature ok but no chain to a trusted key or ds record\n");
467 print_rr_list_abbr(stdout, key_list, SELF);
468 ldns_rr_list_deep_free(key_list);
472 print_rr_list_abbr(stdout, key_list, BOGUS);
474 ldns_rr_list_deep_free(key_list);
477 ldns_rr_list_free(current_correct_keys);
478 current_correct_keys = NULL;
480 printf(";; No DNSKEY record found for ");
481 ldns_rdf_print(stdout, labels[i]);
487 ldns_rr_list_deep_free(key_sig_list);
490 /* check the DS records for the next child domain */
492 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
493 pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
497 ldns_rr_list_deep_free(ds_sig_list);
499 p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
500 pt = get_ds(p, NULL, &ds_list, &ds_sig_list);
504 if (verbosity >= 4) {
505 printf("VERIFYING:\n");
506 printf("DS LIST:\n");
507 ldns_rr_list_print(stdout, ds_list);
509 ldns_rr_list_print(stdout, ds_sig_list);
511 ldns_rr_list_print(stdout, correct_key_list);
514 current_correct_keys = ldns_rr_list_new();
516 if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) ==
518 /* if the ds is signed by a trusted key and a key from correct keys
519 matches that ds, add that key to the trusted keys */
520 new_keys_trusted = false;
521 if (verbosity >= 2) {
522 printf("Checking if signing key is trusted:\n");
524 for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) {
525 if (verbosity >= 2) {
527 ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j));
529 for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) {
530 if (verbosity >= 2) {
531 printf("\tTrusted key: ");
532 ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k));
534 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j),
535 ldns_rr_list_rr(trusted_keys, k)) == 0) {
536 if (verbosity >= 2) {
537 printf("Key is now trusted!\n");
539 for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) {
540 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l)));
541 new_keys_trusted = true;
546 if (new_keys_trusted) {
547 print_rr_list_abbr(stdout, ds_list, TRUST);
549 print_rr_list_abbr(stdout, ds_list, SELF);
553 print_rr_list_abbr(stdout, ds_list, BOGUS);
556 ldns_rr_list_free(current_correct_keys);
557 current_correct_keys = NULL;
559 /* wait apparently there were no keys either, go back to the ds packet */
561 ldns_rr_list_deep_free(ds_sig_list);
562 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
563 pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
565 status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs);
567 if (verbosity >= 4) {
568 printf("NSEC(3) Records to verify:\n");
569 ldns_rr_list_print(stdout, nsec_rrs);
570 printf("With signatures:\n");
571 ldns_rr_list_print(stdout, nsec_rr_sigs);
572 printf("correct keys:\n");
573 ldns_rr_list_print(stdout, correct_key_list);
576 if (status == LDNS_STATUS_OK) {
577 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
578 fprintf(stdout, "%s ", TRUST);
579 fprintf(stdout, "Existence denied: ");
580 ldns_rdf_print(stdout, labels[i-1]);
582 fprintf(stdout, "\n");
583 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
584 fprintf(stdout, "%s ", SELF);
585 fprintf(stdout, "Existence denied: ");
586 ldns_rdf_print(stdout, labels[i-1]);
588 fprintf(stdout, "\n");
591 fprintf(stdout, "%s ", BOGUS);
592 printf("Error verifying denial of existence for ");
593 ldns_rdf_print(stdout, labels[i-1]);
595 printf(": %s\n", ldns_get_errorstr_by_id(st));
600 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
601 printf(";; No DS for ");
602 ldns_rdf_print(stdout, labels[i - 1]);
604 printf("[B] Unable to verify denial of existence for ");
605 ldns_rdf_print(stdout, labels[i - 1]);
606 printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
609 if (verbosity >= 2) {
610 printf(";; No ds record for delegation\n");
614 ldns_rr_list_deep_free(ds_list);
617 /* if this is the last label, just verify the data and stop */
618 p = get_dnssec_pkt(res, labels[i], t);
619 pt = get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list);
620 if (dataset && ldns_rr_list_rr_count(dataset) > 0) {
621 if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) {
623 /* If this is a wildcard, you must be able to deny exact match */
624 if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) {
625 fprintf(stdout, "%s ", TRUST);
626 ldns_rr_list_print(stdout, dataset);
627 } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) {
628 fprintf(stdout, "%s ", SELF);
629 ldns_rr_list_print(stdout, dataset);
632 fprintf(stdout, "%s ", BOGUS);
633 ldns_rr_list_print(stdout, dataset);
634 printf(";; Error: %s\n", ldns_get_errorstr_by_id(st));
637 fprintf(stdout, "%s ", UNSIGNED);
638 ldns_rr_list_print(stdout, dataset);
640 ldns_rr_list_deep_free(dataset);
642 status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs);
643 if (status == LDNS_STATUS_OK) {
644 /* verify the nsec3 themselves*/
645 if (verbosity >= 5) {
646 printf("NSEC(3) Records to verify:\n");
647 ldns_rr_list_print(stdout, nsec_rrs);
648 printf("With signatures:\n");
649 ldns_rr_list_print(stdout, nsec_rr_sigs);
650 printf("correct keys:\n");
651 ldns_rr_list_print(stdout, correct_key_list);
653 printf("trusted keys at %p:\n", trusted_keys);
654 ldns_rr_list_print(stdout, trusted_keys);
657 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
658 fprintf(stdout, "%s ", TRUST);
659 fprintf(stdout, "Existence denied: ");
660 ldns_rdf_print(stdout, name);
661 if (descriptor && descriptor->_name) {
662 printf(" %s", descriptor->_name);
664 printf(" TYPE%u", t);
666 fprintf(stdout, "\n");
667 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
668 fprintf(stdout, "%s ", SELF);
669 fprintf(stdout, "Existence denied: ");
670 ldns_rdf_print(stdout, name);
671 if (descriptor && descriptor->_name) {
672 printf(" %s", descriptor->_name);
674 printf(" TYPE%u", t);
676 fprintf(stdout, "\n");
679 fprintf(stdout, "%s ", BOGUS);
680 printf("Error verifying denial of existence for ");
681 ldns_rdf_print(stdout, name);
683 if (descriptor && descriptor->_name) {
684 printf("%s", descriptor->_name);
688 printf(": %s\n", ldns_get_errorstr_by_id(st));
691 ldns_rr_list_deep_free(nsec_rrs);
692 ldns_rr_list_deep_free(nsec_rr_sigs);
696 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
697 printf("%s ", UNSIGNED);
698 printf("No data found for: ");
699 ldns_rdf_print(stdout, name);
701 if (descriptor && descriptor->_name) {
702 printf("%s", descriptor->_name);
708 printf("[B] Unable to verify denial of existence for ");
709 ldns_rdf_print(stdout, name);
711 if (descriptor && descriptor->_name) {
712 printf("%s", descriptor->_name);
728 ldns_rr_list_deep_free(key_list);
730 ldns_rr_list_deep_free(key_sig_list);
733 ldns_rr_list_deep_free(ds_sig_list);
736 printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");
738 printf("Trusted keys:\n");
739 ldns_rr_list_print(stdout, trusted_keys);
740 printf("trusted dss:\n");
741 ldns_rr_list_print(stdout, trusted_ds_rrs);
745 ldns_rr_list_deep_free(trusted_ds_rrs);
746 ldns_rr_list_deep_free(correct_key_list);
747 ldns_resolver_deep_free(res);
749 for(i = 0 ; i < (ssize_t)labels_count + 2; i++) {
750 ldns_rdf_deep_free(labels[i]);
756 #endif /* HAVE_SSL */