3 * Some DNSSEC helper function are defined here
7 * See the file LICENSE for the license
12 #include <ldns/ldns.h>
14 /* get rr_type from a server from a server */
16 get_rr(ldns_resolver *res, ldns_rdf *zname, ldns_rr_type t, ldns_rr_class c)
18 /* query, retrieve, extract and return */
25 if (ldns_resolver_send(&p, res, zname, t, c, 0) != LDNS_STATUS_OK) {
29 found = ldns_pkt_rr_list_by_type(p, t, LDNS_SECTION_ANY_NOQUESTION);
35 drill_pkt_print(FILE *fd, ldns_resolver *r, ldns_pkt *p)
37 ldns_rr_list *new_nss;
38 ldns_rr_list *hostnames;
44 hostnames = ldns_get_rr_list_name_by_addr(r, ldns_pkt_answerfrom(p), 0, 0);
46 new_nss = ldns_pkt_rr_list_by_type(p,
47 LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
48 ldns_rr_list_print(fd, new_nss);
50 /* new_nss can be empty.... */
52 fprintf(fd, ";; Received %d bytes from %s#%d(",
53 (int) ldns_pkt_size(p),
54 ldns_rdf2str(ldns_pkt_answerfrom(p)),
55 (int) ldns_resolver_port(r));
56 /* if we can resolve this print it, other print the ip again */
59 ldns_rr_rdf(ldns_rr_list_rr(hostnames, 0), 0));
60 ldns_rr_list_deep_free(hostnames);
62 fprintf(fd, "%s", ldns_rdf2str(ldns_pkt_answerfrom(p)));
64 fprintf(fd, ") in %u ms\n\n", (unsigned int)ldns_pkt_querytime(p));
68 drill_pkt_print_footer(FILE *fd, ldns_resolver *r, ldns_pkt *p)
70 ldns_rr_list *hostnames;
76 hostnames = ldns_get_rr_list_name_by_addr(r, ldns_pkt_answerfrom(p), 0, 0);
78 fprintf(fd, ";; Received %d bytes from %s#%d(",
79 (int) ldns_pkt_size(p),
80 ldns_rdf2str(ldns_pkt_answerfrom(p)),
81 (int) ldns_resolver_port(r));
82 /* if we can resolve this print it, other print the ip again */
85 ldns_rr_rdf(ldns_rr_list_rr(hostnames, 0), 0));
86 ldns_rr_list_deep_free(hostnames);
88 fprintf(fd, "%s", ldns_rdf2str(ldns_pkt_answerfrom(p)));
90 fprintf(fd, ") in %u ms\n\n", (unsigned int)ldns_pkt_querytime(p));
93 * generic function to get some RRset from a nameserver
94 * and possible some signatures too (that would be the day...)
97 get_dnssec_rr(ldns_pkt *p, ldns_rdf *name, ldns_rr_type t,
98 ldns_rr_list **rrlist, ldns_rr_list **sig)
100 ldns_pkt_type pt = LDNS_PACKET_UNKNOWN;
101 ldns_rr_list *rr = NULL;
102 ldns_rr_list *sigs = NULL;
109 return LDNS_PACKET_UNKNOWN;
112 pt = ldns_pkt_reply_type(p);
114 rr = ldns_pkt_rr_list_by_name_and_type(p, name, t, LDNS_SECTION_ANSWER);
116 rr = ldns_pkt_rr_list_by_name_and_type(p, name, t, LDNS_SECTION_AUTHORITY);
118 sigs = ldns_pkt_rr_list_by_name_and_type(p, name, LDNS_RR_TYPE_RRSIG,
119 LDNS_SECTION_ANSWER);
121 sigs = ldns_pkt_rr_list_by_name_and_type(p, name, LDNS_RR_TYPE_RRSIG,
122 LDNS_SECTION_AUTHORITY);
125 /* A DS-referral - get the DS records if they are there */
126 rr = ldns_pkt_rr_list_by_type(p, t, LDNS_SECTION_AUTHORITY);
127 sigs = ldns_pkt_rr_list_by_type(p, LDNS_RR_TYPE_RRSIG,
128 LDNS_SECTION_AUTHORITY);
131 *sig = ldns_rr_list_new();
132 for (i = 0; i < ldns_rr_list_rr_count(sigs); i++) {
133 /* only add the sigs that cover this type */
134 if (ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(ldns_rr_list_rr(sigs, i))) ==
136 ldns_rr_list_push_rr(*sig, ldns_rr_clone(ldns_rr_list_rr(sigs, i)));
140 ldns_rr_list_deep_free(sigs);
145 if (pt == LDNS_PACKET_NXDOMAIN || pt == LDNS_PACKET_NODATA) {
148 return LDNS_PACKET_ANSWER;
154 ldns_verify_denial(ldns_pkt *pkt, ldns_rdf *name, ldns_rr_type type, ldns_rr_list **nsec_rrs, ldns_rr_list **nsec_rr_sigs)
161 if (verbosity >= 5) {
162 printf("VERIFY DENIAL FROM:\n");
163 ldns_pkt_print(stdout, pkt);
166 result = LDNS_STATUS_CRYPTO_NO_RRSIG;
167 /* Try to see if there are NSECS in the packet */
168 nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC, LDNS_SECTION_ANY_NOQUESTION);
170 for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsecs); nsec_i++) {
171 /* there are four options:
172 * - name equals ownername and is covered by the type bitmap
173 * - name equals ownername but is not covered by the type bitmap
174 * - name falls within nsec coverage but is not equal to the owner name
175 * - name falls outside of nsec coverage
177 if (ldns_dname_compare(ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), name) == 0) {
179 printf("CHECKING NSEC:\n");
180 ldns_rr_print(stdout, ldns_rr_list_rr(nsecs, nsec_i));
183 if (ldns_nsec_bitmap_covers_type(
184 ldns_nsec_get_bitmap(ldns_rr_list_rr(nsecs,
187 /* Error, according to the nsec this rrset is signed */
188 result = LDNS_STATUS_CRYPTO_NO_RRSIG;
190 /* ok nsec denies existence */
191 if (verbosity >= 3) {
192 printf(";; Existence of data set with this type denied by NSEC\n");
194 /*printf(";; Verifiably insecure.\n");*/
195 if (nsec_rrs && nsec_rr_sigs) {
196 (void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), LDNS_RR_TYPE_NSEC, nsec_rrs, nsec_rr_sigs);
198 ldns_rr_list_deep_free(nsecs);
199 return LDNS_STATUS_OK;
201 } else if (ldns_nsec_covers_name(ldns_rr_list_rr(nsecs, nsec_i), name)) {
202 if (verbosity >= 3) {
203 printf(";; Existence of data set with this name denied by NSEC\n");
205 if (nsec_rrs && nsec_rr_sigs) {
206 (void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), LDNS_RR_TYPE_NSEC, nsec_rrs, nsec_rr_sigs);
208 ldns_rr_list_deep_free(nsecs);
209 return LDNS_STATUS_OK;
211 /* nsec has nothing to do with this data */
214 ldns_rr_list_deep_free(nsecs);
215 } else if( (nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC3, LDNS_SECTION_ANY_NOQUESTION)) ) {
216 ldns_rr_list* sigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANY_NOQUESTION);
217 ldns_rr* q = ldns_rr_new();
218 if(!sigs) return LDNS_STATUS_MEM_ERR;
219 if(!q) return LDNS_STATUS_MEM_ERR;
220 ldns_rr_set_question(q, 1);
221 ldns_rr_set_ttl(q, 0);
222 ldns_rr_set_owner(q, ldns_rdf_clone(name));
223 if(!ldns_rr_owner(q)) return LDNS_STATUS_MEM_ERR;
224 ldns_rr_set_type(q, type);
226 result = ldns_dnssec_verify_denial_nsec3(q, nsecs, sigs, ldns_pkt_get_rcode(pkt), type, ldns_pkt_ancount(pkt) == 0);
228 ldns_rr_list_deep_free(nsecs);
229 ldns_rr_list_deep_free(sigs);
234 /* NSEC3 draft -07 */
235 /*return hash name match*/
237 ldns_nsec3_exact_match(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s) {
243 ldns_rdf *sname, *hashed_sname;
247 ldns_rr *result = NULL;
251 const ldns_rr_descriptor *descriptor;
255 if (verbosity >= 4) {
256 printf(";; finding exact match for ");
257 descriptor = ldns_rr_descript(qtype);
258 if (descriptor && descriptor->_name) {
259 printf("%s ", descriptor->_name);
261 printf("TYPE%d ", qtype);
263 ldns_rdf_print(stdout, qname);
267 if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) {
268 if (verbosity >= 4) {
269 printf("no qname, nsec3s or list empty\n");
274 nsec = ldns_rr_list_rr(nsec3s, 0);
275 algorithm = ldns_nsec3_algorithm(nsec);
276 salt_length = ldns_nsec3_salt_length(nsec);
277 salt = ldns_nsec3_salt_data(nsec);
278 iterations = ldns_nsec3_iterations(nsec);
280 sname = ldns_rdf_clone(qname);
282 if (verbosity >= 4) {
283 printf(";; owner name hashes to: ");
285 hashed_sname = ldns_nsec3_hash_name(sname, algorithm, iterations, salt_length, salt);
287 zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
288 status = ldns_dname_cat(hashed_sname, zone_name);
290 if (verbosity >= 4) {
291 ldns_rdf_print(stdout, hashed_sname);
295 for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) {
296 nsec = ldns_rr_list_rr(nsec3s, nsec_i);
298 /* check values of iterations etc! */
301 if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) {
309 ldns_rdf_deep_free(zone_name);
310 ldns_rdf_deep_free(sname);
311 ldns_rdf_deep_free(hashed_sname);
314 if (verbosity >= 4) {
316 printf(";; Found.\n");
318 printf(";; Not foud.\n");
324 /*return the owner name of the closest encloser for name from the list of rrs */
325 /* this is NOT the hash, but the original name! */
327 ldns_nsec3_closest_encloser(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s)
329 /* remember parameters, they must match */
335 ldns_rdf *sname, *hashed_sname, *tmp;
339 bool exact_match_found;
347 ldns_rdf *result = NULL;
349 if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) {
353 if (verbosity >= 4) {
354 printf(";; finding closest encloser for type %d ", qtype);
355 ldns_rdf_print(stdout, qname);
359 nsec = ldns_rr_list_rr(nsec3s, 0);
360 algorithm = ldns_nsec3_algorithm(nsec);
361 salt_length = ldns_nsec3_salt_length(nsec);
362 salt = ldns_nsec3_salt_data(nsec);
363 iterations = ldns_nsec3_iterations(nsec);
365 sname = ldns_rdf_clone(qname);
370 zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
372 /* algorithm from nsec3-07 8.3 */
373 while (ldns_dname_label_count(sname) > 0) {
374 exact_match_found = false;
375 in_range_found = false;
377 if (verbosity >= 3) {
379 ldns_rdf_print(stdout, sname);
380 printf(" hashes to: ");
382 hashed_sname = ldns_nsec3_hash_name(sname, algorithm, iterations, salt_length, salt);
384 status = ldns_dname_cat(hashed_sname, zone_name);
386 if (verbosity >= 3) {
387 ldns_rdf_print(stdout, hashed_sname);
391 for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) {
392 nsec = ldns_rr_list_rr(nsec3s, nsec_i);
394 /* check values of iterations etc! */
397 if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) {
398 if (verbosity >= 4) {
399 printf(";; exact match found\n");
401 exact_match_found = true;
402 } else if (ldns_nsec_covers_name(nsec, hashed_sname)) {
403 if (verbosity >= 4) {
404 printf(";; in range of an nsec\n");
406 in_range_found = true;
410 if (!exact_match_found && in_range_found) {
412 } else if (exact_match_found && flag) {
413 result = ldns_rdf_clone(sname);
414 } else if (exact_match_found && !flag) {
416 if (verbosity >= 4) {
417 printf(";; the closest encloser is the same name (ie. this is an exact match, ie there is no closest encloser)\n");
419 ldns_rdf_deep_free(hashed_sname);
425 ldns_rdf_deep_free(hashed_sname);
427 sname = ldns_dname_left_chop(sname);
428 ldns_rdf_deep_free(tmp);
433 ldns_rdf_deep_free(zone_name);
434 ldns_rdf_deep_free(sname);
437 if (verbosity >= 4) {
438 printf(";; no closest encloser found\n");
442 /* todo checks from end of 6.2. here or in caller? */
447 /* special case were there was a wildcard expansion match, the exact match must be disproven */
449 ldns_verify_denial_wildcard(ldns_pkt *pkt, ldns_rdf *name, ldns_rr_type type, ldns_rr_list **nsec_rrs, ldns_rr_list **nsec_rr_sigs)
451 ldns_rdf *nsec3_ce = NULL;
452 ldns_rr *nsec3_ex = NULL;
453 ldns_rdf *wildcard_name = NULL;
454 ldns_rdf *nsec3_wc_ce = NULL;
455 ldns_rr *nsec3_wc_ex = NULL;
456 ldns_rdf *chopped_dname = NULL;
458 ldns_status result = LDNS_STATUS_ERR;
460 nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC3, LDNS_SECTION_ANY_NOQUESTION);
462 wildcard_name = ldns_dname_new_frm_str("*");
463 chopped_dname = ldns_dname_left_chop(name);
464 result = ldns_dname_cat(wildcard_name, chopped_dname);
465 ldns_rdf_deep_free(chopped_dname);
467 nsec3_ex = ldns_nsec3_exact_match(name, type, nsecs);
468 nsec3_ce = ldns_nsec3_closest_encloser(name, type, nsecs);
469 nsec3_wc_ce = ldns_nsec3_closest_encloser(wildcard_name, type, nsecs);
470 nsec3_wc_ex = ldns_nsec3_exact_match(wildcard_name, type, nsecs);
473 if (verbosity >= 3) {
474 printf(";; Error, exact match for for name found, but should not exist (draft -07 section 8.8)\n");
476 result = LDNS_STATUS_NSEC3_ERR;
477 } else if (!nsec3_ce) {
478 if (verbosity >= 3) {
479 printf(";; Error, closest encloser for exact match missing in wildcard response (draft -07 section 8.8)\n");
481 result = LDNS_STATUS_NSEC3_ERR;
483 } else if (!nsec3_wc_ex) {
484 printf(";; Error, no wildcard nsec3 match: ");
485 ldns_rdf_print(stdout, wildcard_name);
486 printf(" (draft -07 section 8.8)\n");
487 result = LDNS_STATUS_NSEC3_ERR;
489 /* } else if (!nsec */
491 if (verbosity >= 3) {
492 printf(";; wilcard expansion proven\n");
494 result = LDNS_STATUS_OK;
497 if (verbosity >= 3) {
498 printf(";; Error: no NSEC or NSEC3 records in answer\n");
500 result = LDNS_STATUS_CRYPTO_NO_RRSIG;
503 if (nsecs && nsec_rrs && nsec_rr_sigs) {
504 (void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, 0)), LDNS_RR_TYPE_NSEC3, nsec_rrs, nsec_rr_sigs);
nant's projects / dragonfly.git / blob