nant's projects / dragonfly.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Initial vendor import of ldns-1.6.4 into contrib.
[dragonfly.git] / contrib / ldns / drill / securetrace.c
1 /*
2  * securechasetrace.c
3  * Where all the hard work concerning secure tracing is done
4  *
5  * (c) 2005, 2006 NLnet Labs
6  *
7  * See the file LICENSE for the license
8  *
9  */
10
11 #include "drill.h"
12 #include <ldns/ldns.h>
13
14 #define SELF "[S]"  /* self sig ok */
15 #define TRUST "[T]" /* chain from parent */
16 #define BOGUS "[B]" /* bogus */
17 #define UNSIGNED "[U]" /* no relevant dnssec data found */
18
19 #if 0
20 /* See if there is a key/ds in trusted that matches
21  * a ds in *ds. 
22  */
23 static ldns_rr_list *
24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
25 {
26         size_t i, j;
27         bool match;
28         ldns_rr *rr_i, *rr_j;
29         ldns_rr_list *keys;
30
31         if (!trusted || !ds) {
32                 return NULL;
33         }
34
35         match = false;
36         keys = ldns_rr_list_new();
37         if (!keys) {
38                 return NULL;
39         }
40
41         if (!ds || !trusted) {
42                 return NULL;
43         }
44
45         for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) {
46                 rr_i = ldns_rr_list_rr(trusted, i);
47                 for (j = 0; j < ldns_rr_list_rr_count(ds); j++) {
48
49                         rr_j = ldns_rr_list_rr(ds, j);
50                         if (ldns_rr_compare_ds(rr_i, rr_j)) {
51                                 match = true;
52                                 /* only allow unique RRs to match */
53                                 ldns_rr_set_push_rr(keys, rr_i); 
54                         }
55                 }
56         }
57         if (match) {
58                 return keys;
59         } else {
60                 return NULL;
61         }
62 }
63 #endif
64
65 ldns_pkt *
66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t) 
67 {
68         ldns_pkt *p = NULL;
69         p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0); 
70         if (!p) {
71                 return NULL;
72         } else {
73                 if (verbosity >= 5) {
74                         ldns_pkt_print(stdout, p);
75                 }
76                 return p;
77         }
78 }
79
80 #ifdef HAVE_SSL
81 /* 
82  * retrieve keys for this zone
83  */
84 static ldns_pkt_type
85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
86 {
87         return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig);
88 }
89
90 /*
91  * check to see if we can find a DS rrset here which we can then follow
92  */
93 static ldns_pkt_type
94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
95 {
96         return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig);
97 }
98 #endif /* HAVE_SSL */
99
100 void
101 remove_resolver_nameservers(ldns_resolver *res)
102 {
103         ldns_rdf *pop;
104         
105         /* remove the old nameserver from the resolver */
106         while((pop = ldns_resolver_pop_nameserver(res))) {
107                 ldns_rdf_deep_free(pop);
108         }
109
110 }
111
112 void
113 show_current_nameservers(FILE *out, ldns_resolver *res)
114 {
115         size_t i;
116         fprintf(out, "Current nameservers for resolver object:\n");
117         for (i = 0; i < ldns_resolver_nameserver_count(res); i++) {
118                 ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]);
119                 fprintf(out, "\n");
120         }
121 }
122         
123 /*ldns_pkt **/
124 #ifdef HAVE_SSL
125 int
126 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
127                 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name
128                )
129 {
130         ldns_resolver *res;
131         ldns_pkt *p, *local_p;
132         ldns_rr_list *new_nss_a;
133         ldns_rr_list *new_nss_aaaa;
134         ldns_rr_list *new_nss;
135         ldns_rr_list *ns_addr;
136         uint16_t loop_count;
137         ldns_rdf *pop; 
138         ldns_rdf **labels = NULL;
139         ldns_status status, st;
140         ssize_t i;
141         size_t j;
142         size_t k;
143         size_t l;
144         uint8_t labels_count;
145         ldns_pkt_type pt;
146
147         /* dnssec */
148         ldns_rr_list *key_list;
149         ldns_rr_list *key_sig_list;
150         ldns_rr_list *ds_list;
151         ldns_rr_list *ds_sig_list;
152         ldns_rr_list *correct_key_list;
153         ldns_rr_list *trusted_ds_rrs;
154         bool new_keys_trusted = false;
155         ldns_rr_list *current_correct_keys;
156         ldns_rr_list *dataset;
157
158         ldns_rr_list *nsec_rrs = NULL;
159         ldns_rr_list *nsec_rr_sigs = NULL;
160         
161         /* empty non-terminal check */
162         bool ent;
163
164         /* glue handling */
165         ldns_rr_list *new_ns_addr;
166         ldns_rr_list *old_ns_addr;
167         ldns_rr *ns_rr;
168         
169         int result = 0;
170         
171         /* printing niceness */
172         const ldns_rr_descriptor *descriptor;
173
174         descriptor = ldns_rr_descript(t);
175
176         loop_count = 0;
177         new_nss_a = NULL;
178         new_nss_aaaa = NULL;
179         new_nss = NULL;
180         ns_addr = NULL;
181         key_list = NULL;
182         ds_list = NULL;
183         pt = LDNS_PACKET_UNKNOWN;
184
185         p = NULL;
186         local_p = NULL;
187         res = ldns_resolver_new();
188         key_sig_list = NULL;
189         ds_sig_list = NULL;
190         
191         if (!res) {
192                 error("Memory allocation failed");
193                 result = -1;
194                 return result;
195         }
196         
197         correct_key_list = ldns_rr_list_new();
198         if (!correct_key_list) {
199                 error("Memory allocation failed");
200                 result = -1;
201                 return result;
202         }
203
204         trusted_ds_rrs = ldns_rr_list_new();
205
206         if (!trusted_ds_rrs) {
207                 error("Memory allocation failed");
208                 result = -1;
209                 return result;
210         }
211
212         /* transfer some properties of local_res to res */
213         ldns_resolver_set_ip6(res, 
214                         ldns_resolver_ip6(local_res));
215         ldns_resolver_set_port(res, 
216                         ldns_resolver_port(local_res));
217         ldns_resolver_set_debug(res, 
218                         ldns_resolver_debug(local_res));
219         ldns_resolver_set_fail(res, 
220                         ldns_resolver_fail(local_res));
221         ldns_resolver_set_usevc(res, 
222                         ldns_resolver_usevc(local_res));
223         ldns_resolver_set_random(res, 
224                         ldns_resolver_random(local_res));
225         ldns_resolver_set_recursive(local_res, true);
226
227         ldns_resolver_set_recursive(res, false);
228         ldns_resolver_set_dnssec_cd(res, false);
229         ldns_resolver_set_dnssec(res, true);
230
231         /* setup the root nameserver in the new resolver */
232         status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root);
233         if (status != LDNS_STATUS_OK) {
234                 printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status));
235                 ldns_rr_list_print(stdout, global_dns_root);
236                 return status;
237         }
238         labels_count = ldns_dname_label_count(name);
239         if (start_name) {
240                 if (ldns_dname_is_subdomain(name, start_name)) {
241                         labels_count -= ldns_dname_label_count(start_name);
242                 } else {
243                         fprintf(stderr, "Error; ");
244                         ldns_rdf_print(stderr, name);
245                         fprintf(stderr, " is not a subdomain of ");
246                         ldns_rdf_print(stderr, start_name);
247                         fprintf(stderr, "\n");
248                         goto done;
249                 }
250         }
251         labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2);
252         if (!labels) {
253                 goto done;
254         }
255         labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);
256         labels[1] = ldns_rdf_clone(name);
257         for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {
258                 labels[i] = ldns_dname_left_chop(labels[i - 1]);
259         }
260         /* if no servers is given with @, start by asking local resolver */
261         /* first part todo :) */
262         for (i = 0; i < (ssize_t) ldns_resolver_nameserver_count(local_res); i++) {
263                 (void) ldns_resolver_push_nameserver(res, ldns_resolver_nameservers(local_res)[i]);
264         }
265
266         /* get the nameserver for the label
267          * ask: dnskey and ds for the label 
268          */
269         for(i = (ssize_t)labels_count + 1; i > 0; i--) {
270                 status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);
271
272                 if (verbosity >= 5) {
273                         ldns_pkt_print(stdout, local_p);
274                 }
275
276                 new_nss = ldns_pkt_rr_list_by_type(local_p,
277                                         LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
278                 if (!new_nss) {
279                         /* if it's a delegation, servers put them in the auth section */
280                         new_nss = ldns_pkt_rr_list_by_type(local_p,
281                                         LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
282                 }
283
284                 /* if this is the final step there might not be nameserver records
285                    of course if the data is in the apex, there are, so cover both
286                    cases */
287                 if (new_nss || i > 1) {
288                         for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) {
289                                 ns_rr = ldns_rr_list_rr(new_nss, j);
290                                 pop = ldns_rr_rdf(ns_rr, 0);
291                                 if (!pop) {
292                                         printf("nopo\n");
293                                         break;
294                                 }
295                                 /* retrieve it's addresses */
296                                 /* trust glue? */
297                                 new_ns_addr = NULL;
298                                 if (ldns_dname_is_subdomain(pop, labels[i])) {
299                                         new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
300                                 }
301                                 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
302                                         new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0);
303                                 }
304                                 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
305                                         new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0);
306                                 }
307
308                                 if (new_ns_addr) {
309                                         old_ns_addr = ns_addr;
310                                         ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr);
311                                         ldns_rr_list_deep_free(old_ns_addr);
312                                 }
313                                 ldns_rr_list_deep_free(new_ns_addr);
314                         }
315                         ldns_rr_list_deep_free(new_nss);
316                         
317                         if (ns_addr) {
318                                 remove_resolver_nameservers(res);
319
320                                 if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) != 
321                                                 LDNS_STATUS_OK) {
322                                         error("Error adding new nameservers");
323                                         ldns_pkt_free(local_p); 
324                                         goto done;
325                                 }
326                                 ldns_rr_list_deep_free(ns_addr);
327                         } else {
328                                 status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs);
329
330                                 /* verify the nsec3 themselves*/
331                                 if (verbosity >= 4) {
332                                         printf("NSEC(3) Records to verify:\n");
333                                         ldns_rr_list_print(stdout, nsec_rrs);
334                                         printf("With signatures:\n");
335                                         ldns_rr_list_print(stdout, nsec_rr_sigs);
336                                         printf("correct keys:\n");
337                                         ldns_rr_list_print(stdout, correct_key_list);
338                                 }
339                                 
340                                 if (status == LDNS_STATUS_OK) {
341                                         if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
342                                                 fprintf(stdout, "%s ", TRUST);
343                                                 fprintf(stdout, "Existence denied: ");
344                                                 ldns_rdf_print(stdout, labels[i]);
345         /*
346                                                 if (descriptor && descriptor->_name) {
347                                                         printf(" %s", descriptor->_name);
348                                                 } else {
349                                                         printf(" TYPE%u", t);
350                                                 }
351         */                                      fprintf(stdout, " NS\n");
352                                         } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
353                                                 fprintf(stdout, "%s ", SELF);
354                                                 fprintf(stdout, "Existence denied: ");
355                                                 ldns_rdf_print(stdout, labels[i]);
356         /*
357                                                 if (descriptor && descriptor->_name) {
358                                                         printf(" %s", descriptor->_name);
359                                                 } else {
360                                                         printf(" TYPE%u", t);
361                                                 }
362         */
363                                                 fprintf(stdout, " NS\n");
364                                         } else {
365                                                 fprintf(stdout, "%s ", BOGUS);
366                                                 result = 1;
367                                                 printf(";; Error verifying denial of existence for name ");
368                                                 ldns_rdf_print(stdout, labels[i]);
369         /*
370                                                 printf(" type ");
371                                                 if (descriptor && descriptor->_name) {
372                                                         printf("%s", descriptor->_name);
373                                                 } else {
374                                                         printf("TYPE%u", t);
375                                                 }
376         */                                      printf("NS: %s\n", ldns_get_errorstr_by_id(st));
377                                         }
378                                 } else {
379                                         fprintf(stdout, "%s ", BOGUS);
380                                         result = 1;
381                                         printf(";; Error verifying denial of existence for name ");
382                                         ldns_rdf_print(stdout, labels[i]);
383                                         printf("NS: %s\n", ldns_get_errorstr_by_id(status));
384                                 }
385                                 
386                                 /* there might be an empty non-terminal, in which case we need to continue */
387                                 ent = false;
388                                 for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) {
389                                         if (ldns_dname_is_subdomain(ldns_rr_rdf(ldns_rr_list_rr(nsec_rrs, j), 0), labels[i])) {
390                                                 ent = true;
391                                         }
392                                 }
393                                 if (!ent) {
394                                         ldns_rr_list_deep_free(nsec_rrs);
395                                         ldns_rr_list_deep_free(nsec_rr_sigs);
396                                         ldns_pkt_free(local_p);
397                                         goto done;
398                                 } else {
399                                         printf(";; There is an empty non-terminal here, continue\n");
400                                 }
401                                 goto done;
402                         }
403                         
404                         if (ldns_resolver_nameserver_count(res) == 0) {
405                                 error("No nameservers found for this node");
406                                 goto done;
407                         }
408                 }
409                 ldns_pkt_free(local_p);
410
411                 fprintf(stdout, ";; Domain: ");
412                 ldns_rdf_print(stdout, labels[i]);
413                 fprintf(stdout, "\n");
414
415                 /* retrieve keys for current domain, and verify them
416                    if they match an already trusted DS, or if one of the
417                    keys used to sign these is trusted, add the keys to 
418                    the trusted list */
419                 p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY);
420                 pt = get_key(p, labels[i], &key_list, &key_sig_list);
421                 if (key_sig_list) {
422                         if (key_list) {
423                                 current_correct_keys = ldns_rr_list_new();
424                                 if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) ==
425                                                 LDNS_STATUS_OK) {
426                                         /* add all signed keys (don't just add current_correct, you'd miss
427                                          * the zsk's then */
428                                         for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) {
429                                                 ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j)));
430                                         }
431                                         
432                                         /* check whether these keys were signed
433                                          * by a trusted keys. if so, these 
434                                          * keys are also trusted */
435                                         new_keys_trusted = false;
436                                         for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
437                                                 for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) {
438                                                         if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k),
439                                                                     ldns_rr_list_rr(trusted_ds_rrs, j))) {
440                                                                 new_keys_trusted = true;
441                                                         }
442                                                 }
443                                         }
444
445                                         /* also all keys are trusted if one of the current correct keys is trusted */
446                                         for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
447                                                 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
448                                                         if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k),
449                                                                             ldns_rr_list_rr(trusted_keys, j)) == 0) {
450                                                                             new_keys_trusted = true;
451                                                         }
452                                                 }
453                                         }
454
455
456                                         if (new_keys_trusted) {
457                                                 ldns_rr_list_push_rr_list(trusted_keys, key_list);
458                                                 print_rr_list_abbr(stdout, key_list, TRUST);
459                                                 ldns_rr_list_free(key_list);
460                                                 key_list = NULL;
461                                         } else {
462                                                 if (verbosity >= 2) {
463                                                         printf(";; Signature ok but no chain to a trusted key or ds record\n");
464                                                 }
465                                                 print_rr_list_abbr(stdout, key_list, SELF);
466                                                 ldns_rr_list_deep_free(key_list);
467                                                 key_list = NULL;
468                                         }
469                                 } else {
470                                         print_rr_list_abbr(stdout, key_list, BOGUS);
471                                         result = 2;
472                                         ldns_rr_list_deep_free(key_list);
473                                         key_list = NULL;
474                                 }
475                                 ldns_rr_list_free(current_correct_keys);
476                                 current_correct_keys = NULL;
477                         } else {
478                                 printf(";; No DNSKEY record found for ");
479                                 ldns_rdf_print(stdout, labels[i]);
480                                 printf("\n");
481                         }
482                 }
483
484                 ldns_pkt_free(p);
485                 ldns_rr_list_deep_free(key_sig_list);
486                 key_sig_list = NULL;
487
488                 /* check the DS records for the next child domain */
489                 if (i > 1) {
490                         p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
491                         pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
492                         if (!ds_list) {
493                                 ldns_pkt_free(p);
494                                 if (ds_sig_list) {
495                                         ldns_rr_list_deep_free(ds_sig_list);
496                                 }
497                                 p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
498                                 pt = get_ds(p, NULL, &ds_list, &ds_sig_list); 
499                         }
500                         if (ds_sig_list) {
501                                 if (ds_list) {
502                                         if (verbosity >= 4) {
503                                                 printf("VERIFYING:\n");
504                                                 printf("DS LIST:\n");
505                                                 ldns_rr_list_print(stdout, ds_list);
506                                                 printf("SIGS:\n");
507                                                 ldns_rr_list_print(stdout, ds_sig_list);
508                                                 printf("KEYS:\n");
509                                                 ldns_rr_list_print(stdout, correct_key_list);
510                                         }
511
512                                         current_correct_keys = ldns_rr_list_new();
513
514                                         if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) ==
515                                                         LDNS_STATUS_OK) {
516                                                 /* if the ds is signed by a trusted key and a key from correct keys
517                                                    matches that ds, add that key to the trusted keys */
518                                                 new_keys_trusted = false;
519                                                 if (verbosity >= 2) {
520                                                         printf("Checking if signing key is trusted:\n");
521                                                 }
522                                                 for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) {
523                                                         if (verbosity >= 2) {
524                                                                 printf("New key: ");
525                                                                 ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j));
526                                                         }
527                                                         for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) {
528                                                                 if (verbosity >= 2) {
529                                                                         printf("\tTrusted key: ");
530                                                                         ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k));
531                                                                 }
532                                                                 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j),
533                                                                     ldns_rr_list_rr(trusted_keys, k)) == 0) {
534                                                                         if (verbosity >= 2) {
535                                                                                 printf("Key is now trusted!\n");
536                                                                         }
537                                                                         for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) {
538                                                                                 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l)));
539                                                                                 new_keys_trusted = true;
540                                                                         }
541                                                                 }
542                                                         }
543                                                 }
544                                                 if (new_keys_trusted) {
545                                                         print_rr_list_abbr(stdout, ds_list, TRUST);
546                                                 } else {
547                                                         print_rr_list_abbr(stdout, ds_list, SELF);
548                                                 }
549                                         } else {
550                                                 result = 3;
551                                                 print_rr_list_abbr(stdout, ds_list, BOGUS);
552                                         }
553
554                                         ldns_rr_list_free(current_correct_keys);
555                                         current_correct_keys = NULL;
556                                 } else {
557                                         /* wait apparently there were no keys either, go back to the ds packet */
558                                         ldns_pkt_free(p);
559                                         ldns_rr_list_deep_free(ds_sig_list);
560                                         p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
561                                         pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
562                                         
563                                         status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs);
564
565                                         if (verbosity >= 4) {
566                                                 printf("NSEC(3) Records to verify:\n");
567                                                 ldns_rr_list_print(stdout, nsec_rrs);
568                                                 printf("With signatures:\n");
569                                                 ldns_rr_list_print(stdout, nsec_rr_sigs);
570                                                 printf("correct keys:\n");
571                                                 ldns_rr_list_print(stdout, correct_key_list);
572                                         }
573
574                                         if (status == LDNS_STATUS_OK) {
575                                                 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
576                                                         fprintf(stdout, "%s ", TRUST);
577                                                         fprintf(stdout, "Existence denied: ");
578                                                         ldns_rdf_print(stdout, labels[i-1]);
579                                                         printf(" DS");
580                                                         fprintf(stdout, "\n");
581                                                 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
582                                                         fprintf(stdout, "%s ", SELF);
583                                                         fprintf(stdout, "Existence denied: ");
584                                                         ldns_rdf_print(stdout, labels[i-1]);
585                                                         printf(" DS");
586                                                         fprintf(stdout, "\n");
587                                                 } else {
588                                                         result = 4;
589                                                         fprintf(stdout, "%s ", BOGUS);
590                                                         printf("Error verifying denial of existence for ");
591                                                         ldns_rdf_print(stdout, labels[i-1]);
592                                                         printf(" DS");
593                                                         printf(": %s\n", ldns_get_errorstr_by_id(st));
594                                                 }
595                                                 
596                                         
597                                         } else {
598                                                 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
599                                                         printf(";; No DS for ");
600                                                         ldns_rdf_print(stdout, labels[i - 1]);
601                                                 } else {
602                                                         printf("[B] Unable to verify denial of existence for ");
603                                                         ldns_rdf_print(stdout, labels[i - 1]);
604                                                         printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
605                                                 }
606                                         }
607                                         if (verbosity >= 2) {
608                                                 printf(";; No ds record for delegation\n");
609                                         }
610                                 }
611                         }
612                         ldns_rr_list_deep_free(ds_list);
613                         ldns_pkt_free(p);
614                 } else {
615                         /* if this is the last label, just verify the data and stop */
616                         p = get_dnssec_pkt(res, labels[i], t);
617                         pt = get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list);
618                         if (dataset && ldns_rr_list_rr_count(dataset) > 0) {
619                                 if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) {
620
621                                         /* If this is a wildcard, you must be able to deny exact match */
622                                         if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) {
623                                                 fprintf(stdout, "%s ", TRUST);
624                                                 ldns_rr_list_print(stdout, dataset);
625                                         } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) {
626                                                 fprintf(stdout, "%s ", SELF);
627                                                 ldns_rr_list_print(stdout, dataset);
628                                         } else {
629                                                 result = 5;
630                                                 fprintf(stdout, "%s ", BOGUS);
631                                                 ldns_rr_list_print(stdout, dataset);
632                                                 printf(";; Error: %s\n", ldns_get_errorstr_by_id(st));
633                                         }
634                                 } else {
635                                         fprintf(stdout, "%s ", UNSIGNED);
636                                         ldns_rr_list_print(stdout, dataset);
637                                 }
638                                 ldns_rr_list_deep_free(dataset);
639                         } else {
640                                 status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs);
641                                 if (status == LDNS_STATUS_OK) {
642                                         /* verify the nsec3 themselves*/
643                                         if (verbosity >= 5) {
644                                                 printf("NSEC(3) Records to verify:\n");
645                                                 ldns_rr_list_print(stdout, nsec_rrs);
646                                                 printf("With signatures:\n");
647                                                 ldns_rr_list_print(stdout, nsec_rr_sigs);
648                                                 printf("correct keys:\n");
649                                                 ldns_rr_list_print(stdout, correct_key_list);
650 /*
651                                                 printf("trusted keys at %p:\n", trusted_keys);
652                                                 ldns_rr_list_print(stdout, trusted_keys);
653 */                                      }
654                                         
655                                         if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
656                                                 fprintf(stdout, "%s ", TRUST);
657                                                 fprintf(stdout, "Existence denied: ");
658                                                 ldns_rdf_print(stdout, name);
659                                                 if (descriptor && descriptor->_name) {
660                                                         printf(" %s", descriptor->_name);
661                                                 } else {
662                                                         printf(" TYPE%u", t);
663                                                 }
664                                                 fprintf(stdout, "\n");
665                                         } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
666                                                 fprintf(stdout, "%s ", SELF);
667                                                 fprintf(stdout, "Existence denied: ");
668                                                 ldns_rdf_print(stdout, name);
669                                                 if (descriptor && descriptor->_name) {
670                                                         printf(" %s", descriptor->_name);
671                                                 } else {
672                                                         printf(" TYPE%u", t);
673                                                 }
674                                                 fprintf(stdout, "\n");
675                                         } else {
676                                                 result = 6;
677                                                 fprintf(stdout, "%s ", BOGUS);
678                                                 printf("Error verifying denial of existence for ");
679                                                 ldns_rdf_print(stdout, name);
680                                                 printf(" type ");
681                                                 if (descriptor && descriptor->_name) {
682                                                         printf("%s", descriptor->_name);
683                                                 } else {
684                                                         printf("TYPE%u", t);
685                                                 }
686                                                 printf(": %s\n", ldns_get_errorstr_by_id(st));
687                                         }
688                                         
689                                         ldns_rr_list_deep_free(nsec_rrs);
690                                         ldns_rr_list_deep_free(nsec_rr_sigs);
691                                 } else {
692 /*
693 */
694                                         if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
695                                                 printf("%s ", UNSIGNED);
696                                                 printf("No data found for: ");
697                                                 ldns_rdf_print(stdout, name);
698                                                 printf(" type ");
699                                                 if (descriptor && descriptor->_name) {
700                                                         printf("%s", descriptor->_name);
701                                                 } else {
702                                                         printf("TYPE%u", t);
703                                                 }
704                                                 printf("\n");
705                                         } else {
706                                                 printf("[B] Unable to verify denial of existence for ");
707                                                 ldns_rdf_print(stdout, name);
708                                                 printf(" type ");
709                                                 if (descriptor && descriptor->_name) {
710                                                         printf("%s", descriptor->_name);
711                                                 } else {
712                                                         printf("TYPE%u", t);
713                                                 }
714                                                 printf("\n");
715                                         }
716                                 
717                                 }
718                         }
719                         ldns_pkt_free(p);
720                 }
721
722                 new_nss_aaaa = NULL;
723                 new_nss_a = NULL;
724                 new_nss = NULL;
725                 ns_addr = NULL;
726                 ldns_rr_list_deep_free(key_list);
727                 key_list = NULL;
728                 ldns_rr_list_deep_free(key_sig_list);
729                 key_sig_list = NULL;
730                 ds_list = NULL;
731                 ldns_rr_list_deep_free(ds_sig_list);
732                 ds_sig_list = NULL;
733         }
734         printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");
735         /* verbose mode?
736         printf("Trusted keys:\n");
737         ldns_rr_list_print(stdout, trusted_keys);
738         printf("trusted dss:\n");
739         ldns_rr_list_print(stdout, trusted_ds_rrs);
740         */
741
742         done:
743         ldns_rr_list_deep_free(trusted_ds_rrs);
744         ldns_rr_list_deep_free(correct_key_list);
745         ldns_resolver_deep_free(res);
746         if (labels) {
747                 for(i = 0 ; i < (ssize_t)labels_count + 2; i++) {
748                         ldns_rdf_deep_free(labels[i]);
749                 }
750                 LDNS_FREE(labels);
751         }
752         return result;
753 }
754 #endif /* HAVE_SSL */
Nuno's DragonFly repo.