contrib/ldns/drill/securetrace.c

   1 /*
   2  * securechasetrace.c
   3  * Where all the hard work concerning secure tracing is done
   4  *
   5  * (c) 2005, 2006 NLnet Labs
   6  *
   7  * See the file LICENSE for the license
   8  *
   9  */
  10
  11 #include "drill.h"
  12 #include <ldns/ldns.h>
  13
  14 #define SELF "[S]"  /* self sig ok */
  15 #define TRUST "[T]" /* chain from parent */
  16 #define BOGUS "[B]" /* bogus */
  17 #define UNSIGNED "[U]" /* no relevant dnssec data found */
  18
  19 #if 0
  20 /* See if there is a key/ds in trusted that matches
  21  * a ds in *ds.
  22  */
  23 static ldns_rr_list *
  24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
  25 {
  26         size_t i, j;
  27         bool match;
  28         ldns_rr *rr_i, *rr_j;
  29         ldns_rr_list *keys;
  30
  31         if (!trusted || !ds) {
  32                 return NULL;
  33         }
  34
  35         match = false;
  36         keys = ldns_rr_list_new();
  37         if (!keys) {
  38                 return NULL;
  39         }
  40
  41         if (!ds || !trusted) {
  42                 return NULL;
  43         }
  44
  45         for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) {
  46                 rr_i = ldns_rr_list_rr(trusted, i);
  47                 for (j = 0; j < ldns_rr_list_rr_count(ds); j++) {
  48
  49                         rr_j = ldns_rr_list_rr(ds, j);
  50                         if (ldns_rr_compare_ds(rr_i, rr_j)) {
  51                                 match = true;
  52                                 /* only allow unique RRs to match */
  53                                 ldns_rr_set_push_rr(keys, rr_i);
  54                         }
  55                 }
  56         }
  57         if (match) {
  58                 return keys;
  59         } else {
  60                 return NULL;
  61         }
  62 }
  63 #endif
  64
  65 ldns_pkt *
  66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t)
  67 {
  68         ldns_pkt *p = NULL;
  69         p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0);
  70         if (!p) {
  71                 return NULL;
  72         } else {
  73                 if (verbosity >= 5) {
  74                         ldns_pkt_print(stdout, p);
  75                 }
  76                 return p;
  77         }
  78 }
  79
  80 #ifdef HAVE_SSL
  81 /*
  82  * retrieve keys for this zone
  83  */
  84 static ldns_pkt_type
  85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
  86 {
  87         return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig);
  88 }
  89
  90 /*
  91  * check to see if we can find a DS rrset here which we can then follow
  92  */
  93 static ldns_pkt_type
  94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
  95 {
  96         return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig);
  97 }
  98 #endif /* HAVE_SSL */
  99
 100 void
 101 remove_resolver_nameservers(ldns_resolver *res)
 102 {
 103         ldns_rdf *pop;
 104
 105         /* remove the old nameserver from the resolver */
 106         while((pop = ldns_resolver_pop_nameserver(res))) {
 107                 ldns_rdf_deep_free(pop);
 108         }
 109
 110 }
 111
 112 void
 113 show_current_nameservers(FILE *out, ldns_resolver *res)
 114 {
 115         size_t i;
 116         fprintf(out, "Current nameservers for resolver object:\n");
 117         for (i = 0; i < ldns_resolver_nameserver_count(res); i++) {
 118                 ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]);
 119                 fprintf(out, "\n");
 120         }
 121 }
 122
 123 /*ldns_pkt **/
 124 #ifdef HAVE_SSL
 125 int
 126 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 127                 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name
 128                )
 129 {
 130         ldns_resolver *res;
 131         ldns_pkt *p, *local_p;
 132         ldns_rr_list *new_nss;
 133         ldns_rr_list *ns_addr;
 134         ldns_rdf *pop;
 135         ldns_rdf **labels = NULL;
 136         ldns_status status, st;
 137         ssize_t i;
 138         size_t j;
 139         size_t k;
 140         size_t l;
 141         uint8_t labels_count;
 142
 143         /* dnssec */
 144         ldns_rr_list *key_list;
 145         ldns_rr_list *key_sig_list;
 146         ldns_rr_list *ds_list;
 147         ldns_rr_list *ds_sig_list;
 148         ldns_rr_list *correct_key_list;
 149         ldns_rr_list *trusted_ds_rrs;
 150         bool new_keys_trusted = false;
 151         ldns_rr_list *current_correct_keys;
 152         ldns_rr_list *dataset;
 153
 154         ldns_rr_list *nsec_rrs = NULL;
 155         ldns_rr_list *nsec_rr_sigs = NULL;
 156
 157         /* empty non-terminal check */
 158         bool ent;
 159
 160         /* glue handling */
 161         ldns_rr_list *new_ns_addr;
 162         ldns_rr_list *old_ns_addr;
 163         ldns_rr *ns_rr;
 164
 165         int result = 0;
 166
 167         /* printing niceness */
 168         const ldns_rr_descriptor *descriptor;
 169
 170         descriptor = ldns_rr_descript(t);
 171
 172         new_nss = NULL;
 173         ns_addr = NULL;
 174         key_list = NULL;
 175         ds_list = NULL;
 176
 177         p = NULL;
 178         local_p = NULL;
 179         res = ldns_resolver_new();
 180         key_sig_list = NULL;
 181         ds_sig_list = NULL;
 182
 183         if (!res) {
 184                 error("Memory allocation failed");
 185                 result = -1;
 186                 return result;
 187         }
 188
 189         correct_key_list = ldns_rr_list_new();
 190         if (!correct_key_list) {
 191                 error("Memory allocation failed");
 192                 result = -1;
 193                 return result;
 194         }
 195
 196         trusted_ds_rrs = ldns_rr_list_new();
 197         if (!trusted_ds_rrs) {
 198                 error("Memory allocation failed");
 199                 result = -1;
 200                 return result;
 201         }
 202         /* Add all preset trusted DS signatures to the list of trusted DS RRs. */
 203         for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
 204             ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j);
 205             if (ldns_rr_get_type(one_rr)  == LDNS_RR_TYPE_DS) {
 206                 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr));
 207             }
 208         }
 209
 210         /* transfer some properties of local_res to res */
 211         ldns_resolver_set_ip6(res,
 212                         ldns_resolver_ip6(local_res));
 213         ldns_resolver_set_port(res,
 214                         ldns_resolver_port(local_res));
 215         ldns_resolver_set_debug(res,
 216                         ldns_resolver_debug(local_res));
 217         ldns_resolver_set_fail(res,
 218                         ldns_resolver_fail(local_res));
 219         ldns_resolver_set_usevc(res,
 220                         ldns_resolver_usevc(local_res));
 221         ldns_resolver_set_random(res,
 222                         ldns_resolver_random(local_res));
 223         ldns_resolver_set_recursive(local_res, true);
 224
 225         ldns_resolver_set_recursive(res, false);
 226         ldns_resolver_set_dnssec_cd(res, false);
 227         ldns_resolver_set_dnssec(res, true);
 228
 229         /* setup the root nameserver in the new resolver */
 230         status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root);
 231         if (status != LDNS_STATUS_OK) {
 232                 printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status));
 233                 ldns_rr_list_print(stdout, global_dns_root);
 234                 result = status;
 235                 goto done;
 236         }
 237         labels_count = ldns_dname_label_count(name);
 238         if (start_name) {
 239                 if (ldns_dname_is_subdomain(name, start_name)) {
 240                         labels_count -= ldns_dname_label_count(start_name);
 241                 } else {
 242                         fprintf(stderr, "Error; ");
 243                         ldns_rdf_print(stderr, name);
 244                         fprintf(stderr, " is not a subdomain of ");
 245                         ldns_rdf_print(stderr, start_name);
 246                         fprintf(stderr, "\n");
 247                         goto done;
 248                 }
 249         }
 250         labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2);
 251         if (!labels) {
 252                 goto done;
 253         }
 254         labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);
 255         labels[1] = ldns_rdf_clone(name);
 256         for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {
 257                 labels[i] = ldns_dname_left_chop(labels[i - 1]);
 258         }
 259
 260         /* get the nameserver for the label
 261          * ask: dnskey and ds for the label
 262          */
 263         for(i = (ssize_t)labels_count + 1; i > 0; i--) {
 264                 status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);
 265
 266                 if (verbosity >= 5) {
 267                         ldns_pkt_print(stdout, local_p);
 268                 }
 269
 270                 new_nss = ldns_pkt_rr_list_by_type(local_p,
 271                                         LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
 272                 if (!new_nss) {
 273                         /* if it's a delegation, servers put them in the auth section */
 274                         new_nss = ldns_pkt_rr_list_by_type(local_p,
 275                                         LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
 276                 }
 277
 278                 /* if this is the final step there might not be nameserver records
 279                    of course if the data is in the apex, there are, so cover both
 280                    cases */
 281                 if (new_nss || i > 1) {
 282                         for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) {
 283                                 ns_rr = ldns_rr_list_rr(new_nss, j);
 284                                 pop = ldns_rr_rdf(ns_rr, 0);
 285                                 if (!pop) {
 286                                         printf("nopo\n");
 287                                         break;
 288                                 }
 289                                 /* retrieve it's addresses */
 290                                 /* trust glue? */
 291                                 new_ns_addr = NULL;
 292                                 if (ldns_dname_is_subdomain(pop, labels[i])) {
 293                                         new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
 294                                 }
 295                                 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
 296                                         new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0);
 297                                 }
 298                                 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
 299                                         new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0);
 300                                 }
 301
 302                                 if (new_ns_addr) {
 303                                         old_ns_addr = ns_addr;
 304                                         ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr);
 305                                         ldns_rr_list_deep_free(old_ns_addr);
 306                                 }
 307                                 ldns_rr_list_deep_free(new_ns_addr);
 308                         }
 309                         ldns_rr_list_deep_free(new_nss);
 310
 311                         if (ns_addr) {
 312                                 remove_resolver_nameservers(res);
 313
 314                                 if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) !=
 315                                                 LDNS_STATUS_OK) {
 316                                         error("Error adding new nameservers");
 317                                         ldns_pkt_free(local_p);
 318                                         goto done;
 319                                 }
 320                                 ldns_rr_list_deep_free(ns_addr);
 321                         } else {
 322                                 status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs);
 323
 324                                 /* verify the nsec3 themselves*/
 325                                 if (verbosity >= 4) {
 326                                         printf("NSEC(3) Records to verify:\n");
 327                                         ldns_rr_list_print(stdout, nsec_rrs);
 328                                         printf("With signatures:\n");
 329                                         ldns_rr_list_print(stdout, nsec_rr_sigs);
 330                                         printf("correct keys:\n");
 331                                         ldns_rr_list_print(stdout, correct_key_list);
 332                                 }
 333
 334                                 if (status == LDNS_STATUS_OK) {
 335                                         if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
 336                                                 fprintf(stdout, "%s ", TRUST);
 337                                                 fprintf(stdout, "Existence denied: ");
 338                                                 ldns_rdf_print(stdout, labels[i]);
 339         /*
 340                                                 if (descriptor && descriptor->_name) {
 341                                                         printf(" %s", descriptor->_name);
 342                                                 } else {
 343                                                         printf(" TYPE%u", t);
 344                                                 }
 345         */                                      fprintf(stdout, " NS\n");
 346                                         } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
 347                                                 fprintf(stdout, "%s ", SELF);
 348                                                 fprintf(stdout, "Existence denied: ");
 349                                                 ldns_rdf_print(stdout, labels[i]);
 350         /*
 351                                                 if (descriptor && descriptor->_name) {
 352                                                         printf(" %s", descriptor->_name);
 353                                                 } else {
 354                                                         printf(" TYPE%u", t);
 355                                                 }
 356         */
 357                                                 fprintf(stdout, " NS\n");
 358                                         } else {
 359                                                 fprintf(stdout, "%s ", BOGUS);
 360                                                 result = 1;
 361                                                 printf(";; Error verifying denial of existence for name ");
 362                                                 ldns_rdf_print(stdout, labels[i]);
 363         /*
 364                                                 printf(" type ");
 365                                                 if (descriptor && descriptor->_name) {
 366                                                         printf("%s", descriptor->_name);
 367                                                 } else {
 368                                                         printf("TYPE%u", t);
 369                                                 }
 370         */                                      printf("NS: %s\n", ldns_get_errorstr_by_id(st));
 371                                         }
 372                                 } else {
 373                                         fprintf(stdout, "%s ", BOGUS);
 374                                         result = 1;
 375                                         printf(";; Error verifying denial of existence for name ");
 376                                         ldns_rdf_print(stdout, labels[i]);
 377                                         printf("NS: %s\n", ldns_get_errorstr_by_id(status));
 378                                 }
 379
 380                                 /* there might be an empty non-terminal, in which case we need to continue */
 381                                 ent = false;
 382                                 for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) {
 383                                         if (ldns_dname_is_subdomain(ldns_rr_rdf(ldns_rr_list_rr(nsec_rrs, j), 0), labels[i])) {
 384                                                 ent = true;
 385                                         }
 386                                 }
 387                                 if (!ent) {
 388                                         ldns_rr_list_deep_free(nsec_rrs);
 389                                         ldns_rr_list_deep_free(nsec_rr_sigs);
 390                                         ldns_pkt_free(local_p);
 391                                         goto done;
 392                                 } else {
 393                                         printf(";; There is an empty non-terminal here, continue\n");
 394                                         continue;
 395                                 }
 396                         }
 397
 398                         if (ldns_resolver_nameserver_count(res) == 0) {
 399                                 error("No nameservers found for this node");
 400                                 goto done;
 401                         }
 402                 }
 403                 ldns_pkt_free(local_p);
 404
 405                 fprintf(stdout, ";; Domain: ");
 406                 ldns_rdf_print(stdout, labels[i]);
 407                 fprintf(stdout, "\n");
 408
 409                 /* retrieve keys for current domain, and verify them
 410                    if they match an already trusted DS, or if one of the
 411                    keys used to sign these is trusted, add the keys to
 412                    the trusted list */
 413                 p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY);
 414                 (void) get_key(p, labels[i], &key_list, &key_sig_list);
 415                 if (key_sig_list) {
 416                         if (key_list) {
 417                                 current_correct_keys = ldns_rr_list_new();
 418                                 if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) ==
 419                                                 LDNS_STATUS_OK) {
 420                                         /* add all signed keys (don't just add current_correct, you'd miss
 421                                          * the zsk's then */
 422                                         for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) {
 423                                                 ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j)));
 424                                         }
 425
 426                                         /* check whether these keys were signed
 427                                          * by a trusted keys. if so, these
 428                                          * keys are also trusted */
 429                                         new_keys_trusted = false;
 430                                         for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
 431                                                 for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) {
 432                                                         if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k),
 433                                                                     ldns_rr_list_rr(trusted_ds_rrs, j))) {
 434                                                                 new_keys_trusted = true;
 435                                                         }
 436                                                 }
 437                                         }
 438
 439                                         /* also all keys are trusted if one of the current correct keys is trusted */
 440                                         for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
 441                                                 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
 442                                                         if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k),
 443                                                                             ldns_rr_list_rr(trusted_keys, j)) == 0) {
 444                                                                             new_keys_trusted = true;
 445                                                         }
 446                                                 }
 447                                         }
 448
 449
 450                                         if (new_keys_trusted) {
 451                                                 ldns_rr_list_push_rr_list(trusted_keys, key_list);
 452                                                 print_rr_list_abbr(stdout, key_list, TRUST);
 453                                                 ldns_rr_list_free(key_list);
 454                                                 key_list = NULL;
 455                                         } else {
 456                                                 if (verbosity >= 2) {
 457                                                         printf(";; Signature ok but no chain to a trusted key or ds record\n");
 458                                                 }
 459                                                 print_rr_list_abbr(stdout, key_list, SELF);
 460                                                 ldns_rr_list_deep_free(key_list);
 461                                                 key_list = NULL;
 462                                         }
 463                                 } else {
 464                                         print_rr_list_abbr(stdout, key_list, BOGUS);
 465                                         result = 2;
 466                                         ldns_rr_list_deep_free(key_list);
 467                                         key_list = NULL;
 468                                 }
 469                                 ldns_rr_list_free(current_correct_keys);
 470                                 current_correct_keys = NULL;
 471                         } else {
 472                                 printf(";; No DNSKEY record found for ");
 473                                 ldns_rdf_print(stdout, labels[i]);
 474                                 printf("\n");
 475                         }
 476                 }
 477
 478                 ldns_pkt_free(p);
 479                 ldns_rr_list_deep_free(key_sig_list);
 480                 key_sig_list = NULL;
 481
 482                 /* check the DS records for the next child domain */
 483                 if (i > 1) {
 484                         p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
 485                         (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
 486                         if (!ds_list) {
 487                                 ldns_pkt_free(p);
 488                                 if (ds_sig_list) {
 489                                         ldns_rr_list_deep_free(ds_sig_list);
 490                                 }
 491                                 p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
 492                                 (void) get_ds(p, NULL, &ds_list, &ds_sig_list);
 493                         }
 494                         if (ds_sig_list) {
 495                                 if (ds_list) {
 496                                         if (verbosity >= 4) {
 497                                                 printf("VERIFYING:\n");
 498                                                 printf("DS LIST:\n");
 499                                                 ldns_rr_list_print(stdout, ds_list);
 500                                                 printf("SIGS:\n");
 501                                                 ldns_rr_list_print(stdout, ds_sig_list);
 502                                                 printf("KEYS:\n");
 503                                                 ldns_rr_list_print(stdout, correct_key_list);
 504                                         }
 505
 506                                         current_correct_keys = ldns_rr_list_new();
 507
 508                                         if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) ==
 509                                                         LDNS_STATUS_OK) {
 510                                                 /* if the ds is signed by a trusted key and a key from correct keys
 511                                                    matches that ds, add that key to the trusted keys */
 512                                                 new_keys_trusted = false;
 513                                                 if (verbosity >= 2) {
 514                                                         printf("Checking if signing key is trusted:\n");
 515                                                 }
 516                                                 for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) {
 517                                                         if (verbosity >= 2) {
 518                                                                 printf("New key: ");
 519                                                                 ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j));
 520                                                         }
 521                                                         for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) {
 522                                                                 if (verbosity >= 2) {
 523                                                                         printf("\tTrusted key: ");
 524                                                                         ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k));
 525                                                                 }
 526                                                                 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j),
 527                                                                     ldns_rr_list_rr(trusted_keys, k)) == 0) {
 528                                                                         if (verbosity >= 2) {
 529                                                                                 printf("Key is now trusted!\n");
 530                                                                         }
 531                                                                         for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) {
 532                                                                                 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l)));
 533                                                                                 new_keys_trusted = true;
 534                                                                         }
 535                                                                 }
 536                                                         }
 537                                                 }
 538                                                 if (new_keys_trusted) {
 539                                                         print_rr_list_abbr(stdout, ds_list, TRUST);
 540                                                 } else {
 541                                                         print_rr_list_abbr(stdout, ds_list, SELF);
 542                                                 }
 543                                         } else {
 544                                                 result = 3;
 545                                                 print_rr_list_abbr(stdout, ds_list, BOGUS);
 546                                         }
 547
 548                                         ldns_rr_list_free(current_correct_keys);
 549                                         current_correct_keys = NULL;
 550                                 } else {
 551                                         /* wait apparently there were no keys either, go back to the ds packet */
 552                                         ldns_pkt_free(p);
 553                                         ldns_rr_list_deep_free(ds_sig_list);
 554                                         p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
 555                                         (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
 556
 557                                         status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs);
 558
 559                                         if (verbosity >= 4) {
 560                                                 printf("NSEC(3) Records to verify:\n");
 561                                                 ldns_rr_list_print(stdout, nsec_rrs);
 562                                                 printf("With signatures:\n");
 563                                                 ldns_rr_list_print(stdout, nsec_rr_sigs);
 564                                                 printf("correct keys:\n");
 565                                                 ldns_rr_list_print(stdout, correct_key_list);
 566                                         }
 567
 568                                         if (status == LDNS_STATUS_OK) {
 569                                                 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
 570                                                         fprintf(stdout, "%s ", TRUST);
 571                                                         fprintf(stdout, "Existence denied: ");
 572                                                         ldns_rdf_print(stdout, labels[i-1]);
 573                                                         printf(" DS");
 574                                                         fprintf(stdout, "\n");
 575                                                 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
 576                                                         fprintf(stdout, "%s ", SELF);
 577                                                         fprintf(stdout, "Existence denied: ");
 578                                                         ldns_rdf_print(stdout, labels[i-1]);
 579                                                         printf(" DS");
 580                                                         fprintf(stdout, "\n");
 581                                                 } else {
 582                                                         result = 4;
 583                                                         fprintf(stdout, "%s ", BOGUS);
 584                                                         printf("Error verifying denial of existence for ");
 585                                                         ldns_rdf_print(stdout, labels[i-1]);
 586                                                         printf(" DS");
 587                                                         printf(": %s\n", ldns_get_errorstr_by_id(st));
 588                                                 }
 589
 590
 591                                         } else {
 592                                                 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
 593                                                         printf(";; No DS for ");
 594                                                         ldns_rdf_print(stdout, labels[i - 1]);
 595                                                 } else {
 596                                                         printf("[B] Unable to verify denial of existence for ");
 597                                                         ldns_rdf_print(stdout, labels[i - 1]);
 598                                                         printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
 599                                                 }
 600                                         }
 601                                         if (verbosity >= 2) {
 602                                                 printf(";; No ds record for delegation\n");
 603                                         }
 604                                 }
 605                         }
 606                         ldns_rr_list_deep_free(ds_list);
 607                         ldns_pkt_free(p);
 608                 } else {
 609                         /* if this is the last label, just verify the data and stop */
 610                         p = get_dnssec_pkt(res, labels[i], t);
 611                         (void) get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list);
 612                         if (dataset && ldns_rr_list_rr_count(dataset) > 0) {
 613                                 if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) {
 614
 615                                         /* If this is a wildcard, you must be able to deny exact match */
 616                                         if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) {
 617                                                 fprintf(stdout, "%s ", TRUST);
 618                                                 ldns_rr_list_print(stdout, dataset);
 619                                         } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) {
 620                                                 fprintf(stdout, "%s ", SELF);
 621                                                 ldns_rr_list_print(stdout, dataset);
 622                                         } else {
 623                                                 result = 5;
 624                                                 fprintf(stdout, "%s ", BOGUS);
 625                                                 ldns_rr_list_print(stdout, dataset);
 626                                                 printf(";; Error: %s\n", ldns_get_errorstr_by_id(st));
 627                                         }
 628                                 } else {
 629                                         fprintf(stdout, "%s ", UNSIGNED);
 630                                         ldns_rr_list_print(stdout, dataset);
 631                                 }
 632                                 ldns_rr_list_deep_free(dataset);
 633                         } else {
 634                                 status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs);
 635                                 if (status == LDNS_STATUS_OK) {
 636                                         /* verify the nsec3 themselves*/
 637                                         if (verbosity >= 5) {
 638                                                 printf("NSEC(3) Records to verify:\n");
 639                                                 ldns_rr_list_print(stdout, nsec_rrs);
 640                                                 printf("With signatures:\n");
 641                                                 ldns_rr_list_print(stdout, nsec_rr_sigs);
 642                                                 printf("correct keys:\n");
 643                                                 ldns_rr_list_print(stdout, correct_key_list);
 644 /*
 645                                                 printf("trusted keys at %p:\n", trusted_keys);
 646                                                 ldns_rr_list_print(stdout, trusted_keys);
 647 */                                      }
 648
 649                                         if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
 650                                                 fprintf(stdout, "%s ", TRUST);
 651                                                 fprintf(stdout, "Existence denied: ");
 652                                                 ldns_rdf_print(stdout, name);
 653                                                 if (descriptor && descriptor->_name) {
 654                                                         printf(" %s", descriptor->_name);
 655                                                 } else {
 656                                                         printf(" TYPE%u", t);
 657                                                 }
 658                                                 fprintf(stdout, "\n");
 659                                         } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
 660                                                 fprintf(stdout, "%s ", SELF);
 661                                                 fprintf(stdout, "Existence denied: ");
 662                                                 ldns_rdf_print(stdout, name);
 663                                                 if (descriptor && descriptor->_name) {
 664                                                         printf(" %s", descriptor->_name);
 665                                                 } else {
 666                                                         printf(" TYPE%u", t);
 667                                                 }
 668                                                 fprintf(stdout, "\n");
 669                                         } else {
 670                                                 result = 6;
 671                                                 fprintf(stdout, "%s ", BOGUS);
 672                                                 printf("Error verifying denial of existence for ");
 673                                                 ldns_rdf_print(stdout, name);
 674                                                 printf(" type ");
 675                                                 if (descriptor && descriptor->_name) {
 676                                                         printf("%s", descriptor->_name);
 677                                                 } else {
 678                                                         printf("TYPE%u", t);
 679                                                 }
 680                                                 printf(": %s\n", ldns_get_errorstr_by_id(st));
 681                                         }
 682
 683                                         ldns_rr_list_deep_free(nsec_rrs);
 684                                         ldns_rr_list_deep_free(nsec_rr_sigs);
 685                                 } else {
 686 /*
 687 */
 688                                         if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
 689                                                 printf("%s ", UNSIGNED);
 690                                                 printf("No data found for: ");
 691                                                 ldns_rdf_print(stdout, name);
 692                                                 printf(" type ");
 693                                                 if (descriptor && descriptor->_name) {
 694                                                         printf("%s", descriptor->_name);
 695                                                 } else {
 696                                                         printf("TYPE%u", t);
 697                                                 }
 698                                                 printf("\n");
 699                                         } else {
 700                                                 printf("[B] Unable to verify denial of existence for ");
 701                                                 ldns_rdf_print(stdout, name);
 702                                                 printf(" type ");
 703                                                 if (descriptor && descriptor->_name) {
 704                                                         printf("%s", descriptor->_name);
 705                                                 } else {
 706                                                         printf("TYPE%u", t);
 707                                                 }
 708                                                 printf("\n");
 709                                         }
 710
 711                                 }
 712                         }
 713                         ldns_pkt_free(p);
 714                 }
 715
 716                 new_nss = NULL;
 717                 ns_addr = NULL;
 718                 ldns_rr_list_deep_free(key_list);
 719                 key_list = NULL;
 720                 ldns_rr_list_deep_free(key_sig_list);
 721                 key_sig_list = NULL;
 722                 ds_list = NULL;
 723                 ldns_rr_list_deep_free(ds_sig_list);
 724                 ds_sig_list = NULL;
 725         }
 726         printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");
 727         /* verbose mode?
 728         printf("Trusted keys:\n");
 729         ldns_rr_list_print(stdout, trusted_keys);
 730         printf("trusted dss:\n");
 731         ldns_rr_list_print(stdout, trusted_ds_rrs);
 732         */
 733
 734         done:
 735         ldns_rr_list_deep_free(trusted_ds_rrs);
 736         ldns_rr_list_deep_free(correct_key_list);
 737         ldns_resolver_deep_free(res);
 738         if (labels) {
 739                 for(i = 0 ; i < (ssize_t)labels_count + 2; i++) {
 740                         ldns_rdf_deep_free(labels[i]);
 741                 }
 742                 LDNS_FREE(labels);
 743         }
 744         return result;
 745 }
 746 #endif /* HAVE_SSL */