3 * Where all the hard work concerning secure tracing is done
5 * (c) 2005, 2006 NLnet Labs
7 * See the file LICENSE for the license
12 #include <ldns/ldns.h>
14 #define SELF "[S]" /* self sig ok */
15 #define TRUST "[T]" /* chain from parent */
16 #define BOGUS "[B]" /* bogus */
17 #define UNSIGNED "[U]" /* no relevant dnssec data found */
20 /* See if there is a key/ds in trusted that matches
24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
31 if (!trusted || !ds) {
36 keys = ldns_rr_list_new();
41 if (!ds || !trusted) {
45 for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) {
46 rr_i = ldns_rr_list_rr(trusted, i);
47 for (j = 0; j < ldns_rr_list_rr_count(ds); j++) {
49 rr_j = ldns_rr_list_rr(ds, j);
50 if (ldns_rr_compare_ds(rr_i, rr_j)) {
52 /* only allow unique RRs to match */
53 ldns_rr_set_push_rr(keys, rr_i);
66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t)
69 p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0);
74 ldns_pkt_print(stdout, p);
82 * retrieve keys for this zone
85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
87 return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig);
91 * check to see if we can find a DS rrset here which we can then follow
94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
96 return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig);
101 remove_resolver_nameservers(ldns_resolver *res)
105 /* remove the old nameserver from the resolver */
106 while((pop = ldns_resolver_pop_nameserver(res))) {
107 ldns_rdf_deep_free(pop);
113 show_current_nameservers(FILE *out, ldns_resolver *res)
116 fprintf(out, "Current nameservers for resolver object:\n");
117 for (i = 0; i < ldns_resolver_nameserver_count(res); i++) {
118 ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]);
126 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
127 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name
131 ldns_pkt *p, *local_p;
132 ldns_rr_list *new_nss_a;
133 ldns_rr_list *new_nss_aaaa;
134 ldns_rr_list *new_nss;
135 ldns_rr_list *ns_addr;
138 ldns_rdf **labels = NULL;
139 ldns_status status, st;
144 uint8_t labels_count;
148 ldns_rr_list *key_list;
149 ldns_rr_list *key_sig_list;
150 ldns_rr_list *ds_list;
151 ldns_rr_list *ds_sig_list;
152 ldns_rr_list *correct_key_list;
153 ldns_rr_list *trusted_ds_rrs;
154 bool new_keys_trusted = false;
155 ldns_rr_list *current_correct_keys;
156 ldns_rr_list *dataset;
158 ldns_rr_list *nsec_rrs = NULL;
159 ldns_rr_list *nsec_rr_sigs = NULL;
161 /* empty non-terminal check */
165 ldns_rr_list *new_ns_addr;
166 ldns_rr_list *old_ns_addr;
171 /* printing niceness */
172 const ldns_rr_descriptor *descriptor;
174 descriptor = ldns_rr_descript(t);
183 pt = LDNS_PACKET_UNKNOWN;
187 res = ldns_resolver_new();
192 error("Memory allocation failed");
197 correct_key_list = ldns_rr_list_new();
198 if (!correct_key_list) {
199 error("Memory allocation failed");
204 trusted_ds_rrs = ldns_rr_list_new();
206 if (!trusted_ds_rrs) {
207 error("Memory allocation failed");
212 /* transfer some properties of local_res to res */
213 ldns_resolver_set_ip6(res,
214 ldns_resolver_ip6(local_res));
215 ldns_resolver_set_port(res,
216 ldns_resolver_port(local_res));
217 ldns_resolver_set_debug(res,
218 ldns_resolver_debug(local_res));
219 ldns_resolver_set_fail(res,
220 ldns_resolver_fail(local_res));
221 ldns_resolver_set_usevc(res,
222 ldns_resolver_usevc(local_res));
223 ldns_resolver_set_random(res,
224 ldns_resolver_random(local_res));
225 ldns_resolver_set_recursive(local_res, true);
227 ldns_resolver_set_recursive(res, false);
228 ldns_resolver_set_dnssec_cd(res, false);
229 ldns_resolver_set_dnssec(res, true);
231 /* setup the root nameserver in the new resolver */
232 status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root);
233 if (status != LDNS_STATUS_OK) {
234 printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status));
235 ldns_rr_list_print(stdout, global_dns_root);
238 labels_count = ldns_dname_label_count(name);
240 if (ldns_dname_is_subdomain(name, start_name)) {
241 labels_count -= ldns_dname_label_count(start_name);
243 fprintf(stderr, "Error; ");
244 ldns_rdf_print(stderr, name);
245 fprintf(stderr, " is not a subdomain of ");
246 ldns_rdf_print(stderr, start_name);
247 fprintf(stderr, "\n");
251 labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2);
255 labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);
256 labels[1] = ldns_rdf_clone(name);
257 for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {
258 labels[i] = ldns_dname_left_chop(labels[i - 1]);
260 /* if no servers is given with @, start by asking local resolver */
261 /* first part todo :) */
262 for (i = 0; i < (ssize_t) ldns_resolver_nameserver_count(local_res); i++) {
263 (void) ldns_resolver_push_nameserver(res, ldns_resolver_nameservers(local_res)[i]);
266 /* get the nameserver for the label
267 * ask: dnskey and ds for the label
269 for(i = (ssize_t)labels_count + 1; i > 0; i--) {
270 status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);
272 if (verbosity >= 5) {
273 ldns_pkt_print(stdout, local_p);
276 new_nss = ldns_pkt_rr_list_by_type(local_p,
277 LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
279 /* if it's a delegation, servers put them in the auth section */
280 new_nss = ldns_pkt_rr_list_by_type(local_p,
281 LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
284 /* if this is the final step there might not be nameserver records
285 of course if the data is in the apex, there are, so cover both
287 if (new_nss || i > 1) {
288 for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) {
289 ns_rr = ldns_rr_list_rr(new_nss, j);
290 pop = ldns_rr_rdf(ns_rr, 0);
295 /* retrieve it's addresses */
298 if (ldns_dname_is_subdomain(pop, labels[i])) {
299 new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
301 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
302 new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0);
304 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
305 new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0);
309 old_ns_addr = ns_addr;
310 ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr);
311 ldns_rr_list_deep_free(old_ns_addr);
313 ldns_rr_list_deep_free(new_ns_addr);
315 ldns_rr_list_deep_free(new_nss);
318 remove_resolver_nameservers(res);
320 if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) !=
322 error("Error adding new nameservers");
323 ldns_pkt_free(local_p);
326 ldns_rr_list_deep_free(ns_addr);
328 status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs);
330 /* verify the nsec3 themselves*/
331 if (verbosity >= 4) {
332 printf("NSEC(3) Records to verify:\n");
333 ldns_rr_list_print(stdout, nsec_rrs);
334 printf("With signatures:\n");
335 ldns_rr_list_print(stdout, nsec_rr_sigs);
336 printf("correct keys:\n");
337 ldns_rr_list_print(stdout, correct_key_list);
340 if (status == LDNS_STATUS_OK) {
341 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
342 fprintf(stdout, "%s ", TRUST);
343 fprintf(stdout, "Existence denied: ");
344 ldns_rdf_print(stdout, labels[i]);
346 if (descriptor && descriptor->_name) {
347 printf(" %s", descriptor->_name);
349 printf(" TYPE%u", t);
351 */ fprintf(stdout, " NS\n");
352 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
353 fprintf(stdout, "%s ", SELF);
354 fprintf(stdout, "Existence denied: ");
355 ldns_rdf_print(stdout, labels[i]);
357 if (descriptor && descriptor->_name) {
358 printf(" %s", descriptor->_name);
360 printf(" TYPE%u", t);
363 fprintf(stdout, " NS\n");
365 fprintf(stdout, "%s ", BOGUS);
367 printf(";; Error verifying denial of existence for name ");
368 ldns_rdf_print(stdout, labels[i]);
371 if (descriptor && descriptor->_name) {
372 printf("%s", descriptor->_name);
376 */ printf("NS: %s\n", ldns_get_errorstr_by_id(st));
379 fprintf(stdout, "%s ", BOGUS);
381 printf(";; Error verifying denial of existence for name ");
382 ldns_rdf_print(stdout, labels[i]);
383 printf("NS: %s\n", ldns_get_errorstr_by_id(status));
386 /* there might be an empty non-terminal, in which case we need to continue */
388 for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) {
389 if (ldns_dname_is_subdomain(ldns_rr_rdf(ldns_rr_list_rr(nsec_rrs, j), 0), labels[i])) {
394 ldns_rr_list_deep_free(nsec_rrs);
395 ldns_rr_list_deep_free(nsec_rr_sigs);
396 ldns_pkt_free(local_p);
399 printf(";; There is an empty non-terminal here, continue\n");
404 if (ldns_resolver_nameserver_count(res) == 0) {
405 error("No nameservers found for this node");
409 ldns_pkt_free(local_p);
411 fprintf(stdout, ";; Domain: ");
412 ldns_rdf_print(stdout, labels[i]);
413 fprintf(stdout, "\n");
415 /* retrieve keys for current domain, and verify them
416 if they match an already trusted DS, or if one of the
417 keys used to sign these is trusted, add the keys to
419 p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY);
420 pt = get_key(p, labels[i], &key_list, &key_sig_list);
423 current_correct_keys = ldns_rr_list_new();
424 if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) ==
426 /* add all signed keys (don't just add current_correct, you'd miss
428 for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) {
429 ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j)));
432 /* check whether these keys were signed
433 * by a trusted keys. if so, these
434 * keys are also trusted */
435 new_keys_trusted = false;
436 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
437 for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) {
438 if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k),
439 ldns_rr_list_rr(trusted_ds_rrs, j))) {
440 new_keys_trusted = true;
445 /* also all keys are trusted if one of the current correct keys is trusted */
446 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
447 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
448 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k),
449 ldns_rr_list_rr(trusted_keys, j)) == 0) {
450 new_keys_trusted = true;
456 if (new_keys_trusted) {
457 ldns_rr_list_push_rr_list(trusted_keys, key_list);
458 print_rr_list_abbr(stdout, key_list, TRUST);
459 ldns_rr_list_free(key_list);
462 if (verbosity >= 2) {
463 printf(";; Signature ok but no chain to a trusted key or ds record\n");
465 print_rr_list_abbr(stdout, key_list, SELF);
466 ldns_rr_list_deep_free(key_list);
470 print_rr_list_abbr(stdout, key_list, BOGUS);
472 ldns_rr_list_deep_free(key_list);
475 ldns_rr_list_free(current_correct_keys);
476 current_correct_keys = NULL;
478 printf(";; No DNSKEY record found for ");
479 ldns_rdf_print(stdout, labels[i]);
485 ldns_rr_list_deep_free(key_sig_list);
488 /* check the DS records for the next child domain */
490 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
491 pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
495 ldns_rr_list_deep_free(ds_sig_list);
497 p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
498 pt = get_ds(p, NULL, &ds_list, &ds_sig_list);
502 if (verbosity >= 4) {
503 printf("VERIFYING:\n");
504 printf("DS LIST:\n");
505 ldns_rr_list_print(stdout, ds_list);
507 ldns_rr_list_print(stdout, ds_sig_list);
509 ldns_rr_list_print(stdout, correct_key_list);
512 current_correct_keys = ldns_rr_list_new();
514 if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) ==
516 /* if the ds is signed by a trusted key and a key from correct keys
517 matches that ds, add that key to the trusted keys */
518 new_keys_trusted = false;
519 if (verbosity >= 2) {
520 printf("Checking if signing key is trusted:\n");
522 for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) {
523 if (verbosity >= 2) {
525 ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j));
527 for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) {
528 if (verbosity >= 2) {
529 printf("\tTrusted key: ");
530 ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k));
532 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j),
533 ldns_rr_list_rr(trusted_keys, k)) == 0) {
534 if (verbosity >= 2) {
535 printf("Key is now trusted!\n");
537 for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) {
538 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l)));
539 new_keys_trusted = true;
544 if (new_keys_trusted) {
545 print_rr_list_abbr(stdout, ds_list, TRUST);
547 print_rr_list_abbr(stdout, ds_list, SELF);
551 print_rr_list_abbr(stdout, ds_list, BOGUS);
554 ldns_rr_list_free(current_correct_keys);
555 current_correct_keys = NULL;
557 /* wait apparently there were no keys either, go back to the ds packet */
559 ldns_rr_list_deep_free(ds_sig_list);
560 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
561 pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
563 status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs);
565 if (verbosity >= 4) {
566 printf("NSEC(3) Records to verify:\n");
567 ldns_rr_list_print(stdout, nsec_rrs);
568 printf("With signatures:\n");
569 ldns_rr_list_print(stdout, nsec_rr_sigs);
570 printf("correct keys:\n");
571 ldns_rr_list_print(stdout, correct_key_list);
574 if (status == LDNS_STATUS_OK) {
575 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
576 fprintf(stdout, "%s ", TRUST);
577 fprintf(stdout, "Existence denied: ");
578 ldns_rdf_print(stdout, labels[i-1]);
580 fprintf(stdout, "\n");
581 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
582 fprintf(stdout, "%s ", SELF);
583 fprintf(stdout, "Existence denied: ");
584 ldns_rdf_print(stdout, labels[i-1]);
586 fprintf(stdout, "\n");
589 fprintf(stdout, "%s ", BOGUS);
590 printf("Error verifying denial of existence for ");
591 ldns_rdf_print(stdout, labels[i-1]);
593 printf(": %s\n", ldns_get_errorstr_by_id(st));
598 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
599 printf(";; No DS for ");
600 ldns_rdf_print(stdout, labels[i - 1]);
602 printf("[B] Unable to verify denial of existence for ");
603 ldns_rdf_print(stdout, labels[i - 1]);
604 printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
607 if (verbosity >= 2) {
608 printf(";; No ds record for delegation\n");
612 ldns_rr_list_deep_free(ds_list);
615 /* if this is the last label, just verify the data and stop */
616 p = get_dnssec_pkt(res, labels[i], t);
617 pt = get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list);
618 if (dataset && ldns_rr_list_rr_count(dataset) > 0) {
619 if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) {
621 /* If this is a wildcard, you must be able to deny exact match */
622 if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) {
623 fprintf(stdout, "%s ", TRUST);
624 ldns_rr_list_print(stdout, dataset);
625 } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) {
626 fprintf(stdout, "%s ", SELF);
627 ldns_rr_list_print(stdout, dataset);
630 fprintf(stdout, "%s ", BOGUS);
631 ldns_rr_list_print(stdout, dataset);
632 printf(";; Error: %s\n", ldns_get_errorstr_by_id(st));
635 fprintf(stdout, "%s ", UNSIGNED);
636 ldns_rr_list_print(stdout, dataset);
638 ldns_rr_list_deep_free(dataset);
640 status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs);
641 if (status == LDNS_STATUS_OK) {
642 /* verify the nsec3 themselves*/
643 if (verbosity >= 5) {
644 printf("NSEC(3) Records to verify:\n");
645 ldns_rr_list_print(stdout, nsec_rrs);
646 printf("With signatures:\n");
647 ldns_rr_list_print(stdout, nsec_rr_sigs);
648 printf("correct keys:\n");
649 ldns_rr_list_print(stdout, correct_key_list);
651 printf("trusted keys at %p:\n", trusted_keys);
652 ldns_rr_list_print(stdout, trusted_keys);
655 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
656 fprintf(stdout, "%s ", TRUST);
657 fprintf(stdout, "Existence denied: ");
658 ldns_rdf_print(stdout, name);
659 if (descriptor && descriptor->_name) {
660 printf(" %s", descriptor->_name);
662 printf(" TYPE%u", t);
664 fprintf(stdout, "\n");
665 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
666 fprintf(stdout, "%s ", SELF);
667 fprintf(stdout, "Existence denied: ");
668 ldns_rdf_print(stdout, name);
669 if (descriptor && descriptor->_name) {
670 printf(" %s", descriptor->_name);
672 printf(" TYPE%u", t);
674 fprintf(stdout, "\n");
677 fprintf(stdout, "%s ", BOGUS);
678 printf("Error verifying denial of existence for ");
679 ldns_rdf_print(stdout, name);
681 if (descriptor && descriptor->_name) {
682 printf("%s", descriptor->_name);
686 printf(": %s\n", ldns_get_errorstr_by_id(st));
689 ldns_rr_list_deep_free(nsec_rrs);
690 ldns_rr_list_deep_free(nsec_rr_sigs);
694 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
695 printf("%s ", UNSIGNED);
696 printf("No data found for: ");
697 ldns_rdf_print(stdout, name);
699 if (descriptor && descriptor->_name) {
700 printf("%s", descriptor->_name);
706 printf("[B] Unable to verify denial of existence for ");
707 ldns_rdf_print(stdout, name);
709 if (descriptor && descriptor->_name) {
710 printf("%s", descriptor->_name);
726 ldns_rr_list_deep_free(key_list);
728 ldns_rr_list_deep_free(key_sig_list);
731 ldns_rr_list_deep_free(ds_sig_list);
734 printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");
736 printf("Trusted keys:\n");
737 ldns_rr_list_print(stdout, trusted_keys);
738 printf("trusted dss:\n");
739 ldns_rr_list_print(stdout, trusted_ds_rrs);
743 ldns_rr_list_deep_free(trusted_ds_rrs);
744 ldns_rr_list_deep_free(correct_key_list);
745 ldns_resolver_deep_free(res);
747 for(i = 0 ; i < (ssize_t)labels_count + 2; i++) {
748 ldns_rdf_deep_free(labels[i]);
754 #endif /* HAVE_SSL */