3 * Some DNSSEC helper function are defined here
7 * See the file LICENSE for the license
12 #include <ldns/ldns.h>
14 /* get rr_type from a server from a server */
16 get_rr(ldns_resolver *res, ldns_rdf *zname, ldns_rr_type t, ldns_rr_class c)
18 /* query, retrieve, extract and return */
25 if (ldns_resolver_send(&p, res, zname, t, c, 0) != LDNS_STATUS_OK) {
29 found = ldns_pkt_rr_list_by_type(p, t, LDNS_SECTION_ANY_NOQUESTION);
35 drill_pkt_print(FILE *fd, ldns_resolver *r, ldns_pkt *p)
37 ldns_rr_list *new_nss;
38 ldns_rr_list *hostnames;
44 hostnames = ldns_get_rr_list_name_by_addr(r, ldns_pkt_answerfrom(p), 0, 0);
46 new_nss = ldns_pkt_rr_list_by_type(p,
47 LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
48 ldns_rr_list_print(fd, new_nss);
50 /* new_nss can be empty.... */
52 fprintf(fd, ";; Received %d bytes from %s#%d(",
53 (int) ldns_pkt_size(p),
54 ldns_rdf2str(ldns_pkt_answerfrom(p)),
55 (int) ldns_resolver_port(r));
56 /* if we can resolve this print it, other print the ip again */
59 ldns_rr_rdf(ldns_rr_list_rr(hostnames, 0), 0));
60 ldns_rr_list_deep_free(hostnames);
62 fprintf(fd, "%s", ldns_rdf2str(ldns_pkt_answerfrom(p)));
64 fprintf(fd, ") in %u ms\n\n", (unsigned int)ldns_pkt_querytime(p));
68 drill_pkt_print_footer(FILE *fd, ldns_resolver *r, ldns_pkt *p)
70 ldns_rr_list *hostnames;
76 hostnames = ldns_get_rr_list_name_by_addr(r, ldns_pkt_answerfrom(p), 0, 0);
78 fprintf(fd, ";; Received %d bytes from %s#%d(",
79 (int) ldns_pkt_size(p),
80 ldns_rdf2str(ldns_pkt_answerfrom(p)),
81 (int) ldns_resolver_port(r));
82 /* if we can resolve this print it, other print the ip again */
85 ldns_rr_rdf(ldns_rr_list_rr(hostnames, 0), 0));
86 ldns_rr_list_deep_free(hostnames);
88 fprintf(fd, "%s", ldns_rdf2str(ldns_pkt_answerfrom(p)));
90 fprintf(fd, ") in %u ms\n\n", (unsigned int)ldns_pkt_querytime(p));
93 * generic function to get some RRset from a nameserver
94 * and possible some signatures too (that would be the day...)
97 get_dnssec_rr(ldns_pkt *p, ldns_rdf *name, ldns_rr_type t,
98 ldns_rr_list **rrlist, ldns_rr_list **sig)
100 ldns_pkt_type pt = LDNS_PACKET_UNKNOWN;
101 ldns_rr_list *rr = NULL;
102 ldns_rr_list *sigs = NULL;
109 return LDNS_PACKET_UNKNOWN;
112 pt = ldns_pkt_reply_type(p);
114 rr = ldns_pkt_rr_list_by_name_and_type(p, name, t, LDNS_SECTION_ANSWER);
116 rr = ldns_pkt_rr_list_by_name_and_type(p, name, t, LDNS_SECTION_AUTHORITY);
118 sigs = ldns_pkt_rr_list_by_name_and_type(p, name, LDNS_RR_TYPE_RRSIG,
119 LDNS_SECTION_ANSWER);
121 sigs = ldns_pkt_rr_list_by_name_and_type(p, name, LDNS_RR_TYPE_RRSIG,
122 LDNS_SECTION_AUTHORITY);
125 /* A DS-referral - get the DS records if they are there */
126 rr = ldns_pkt_rr_list_by_type(p, t, LDNS_SECTION_AUTHORITY);
127 sigs = ldns_pkt_rr_list_by_type(p, LDNS_RR_TYPE_RRSIG,
128 LDNS_SECTION_AUTHORITY);
131 *sig = ldns_rr_list_new();
132 for (i = 0; i < ldns_rr_list_rr_count(sigs); i++) {
133 /* only add the sigs that cover this type */
134 if (ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(ldns_rr_list_rr(sigs, i))) ==
136 ldns_rr_list_push_rr(*sig, ldns_rr_clone(ldns_rr_list_rr(sigs, i)));
140 ldns_rr_list_deep_free(sigs);
145 if (pt == LDNS_PACKET_NXDOMAIN || pt == LDNS_PACKET_NODATA) {
148 return LDNS_PACKET_ANSWER;
154 ldns_verify_denial(ldns_pkt *pkt, ldns_rdf *name, ldns_rr_type type, ldns_rr_list **nsec_rrs, ldns_rr_list **nsec_rr_sigs)
161 if (verbosity >= 5) {
162 printf("VERIFY DENIAL FROM:\n");
163 ldns_pkt_print(stdout, pkt);
166 result = LDNS_STATUS_CRYPTO_NO_RRSIG;
167 /* Try to see if there are NSECS in the packet */
168 nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC, LDNS_SECTION_ANY_NOQUESTION);
170 for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsecs); nsec_i++) {
171 /* there are four options:
172 * - name equals ownername and is covered by the type bitmap
173 * - name equals ownername but is not covered by the type bitmap
174 * - name falls within nsec coverage but is not equal to the owner name
175 * - name falls outside of nsec coverage
177 if (ldns_dname_compare(ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), name) == 0) {
179 printf("CHECKING NSEC:\n");
180 ldns_rr_print(stdout, ldns_rr_list_rr(nsecs, nsec_i));
183 if (ldns_nsec_bitmap_covers_type(
184 ldns_nsec_get_bitmap(ldns_rr_list_rr(nsecs,
187 /* Error, according to the nsec this rrset is signed */
188 result = LDNS_STATUS_CRYPTO_NO_RRSIG;
190 /* ok nsec denies existence */
191 if (verbosity >= 3) {
192 printf(";; Existence of data set with this type denied by NSEC\n");
194 /*printf(";; Verifiably insecure.\n");*/
195 if (nsec_rrs && nsec_rr_sigs) {
196 (void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), LDNS_RR_TYPE_NSEC, nsec_rrs, nsec_rr_sigs);
198 ldns_rr_list_deep_free(nsecs);
199 return LDNS_STATUS_OK;
201 } else if (ldns_nsec_covers_name(ldns_rr_list_rr(nsecs, nsec_i), name)) {
202 if (verbosity >= 3) {
203 printf(";; Existence of data set with this name denied by NSEC\n");
205 if (nsec_rrs && nsec_rr_sigs) {
206 (void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), LDNS_RR_TYPE_NSEC, nsec_rrs, nsec_rr_sigs);
208 ldns_rr_list_deep_free(nsecs);
209 return LDNS_STATUS_OK;
211 /* nsec has nothing to do with this data */
214 ldns_rr_list_deep_free(nsecs);
219 /* NSEC3 draft -07 */
220 /*return hash name match*/
222 ldns_nsec3_exact_match(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s) {
228 ldns_rdf *sname, *hashed_sname;
232 ldns_rr *result = NULL;
236 const ldns_rr_descriptor *descriptor;
240 if (verbosity >= 4) {
241 printf(";; finding exact match for ");
242 descriptor = ldns_rr_descript(qtype);
243 if (descriptor && descriptor->_name) {
244 printf("%s ", descriptor->_name);
246 printf("TYPE%d ", qtype);
248 ldns_rdf_print(stdout, qname);
252 if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) {
253 if (verbosity >= 4) {
254 printf("no qname, nsec3s or list empty\n");
259 nsec = ldns_rr_list_rr(nsec3s, 0);
260 algorithm = ldns_nsec3_algorithm(nsec);
261 salt_length = ldns_nsec3_salt_length(nsec);
262 salt = ldns_nsec3_salt_data(nsec);
263 iterations = ldns_nsec3_iterations(nsec);
265 sname = ldns_rdf_clone(qname);
267 if (verbosity >= 4) {
268 printf(";; owner name hashes to: ");
270 hashed_sname = ldns_nsec3_hash_name(sname, algorithm, iterations, salt_length, salt);
272 zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
273 status = ldns_dname_cat(hashed_sname, zone_name);
275 if (verbosity >= 4) {
276 ldns_rdf_print(stdout, hashed_sname);
280 for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) {
281 nsec = ldns_rr_list_rr(nsec3s, nsec_i);
283 /* check values of iterations etc! */
286 if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) {
294 ldns_rdf_deep_free(zone_name);
295 ldns_rdf_deep_free(sname);
296 ldns_rdf_deep_free(hashed_sname);
299 if (verbosity >= 4) {
301 printf(";; Found.\n");
303 printf(";; Not foud.\n");
309 /*return the owner name of the closest encloser for name from the list of rrs */
310 /* this is NOT the hash, but the original name! */
312 ldns_nsec3_closest_encloser(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s)
314 /* remember parameters, they must match */
320 ldns_rdf *sname, *hashed_sname, *tmp;
324 bool exact_match_found;
332 ldns_rdf *result = NULL;
334 if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) {
338 if (verbosity >= 4) {
339 printf(";; finding closest encloser for type %d ", qtype);
340 ldns_rdf_print(stdout, qname);
344 nsec = ldns_rr_list_rr(nsec3s, 0);
345 algorithm = ldns_nsec3_algorithm(nsec);
346 salt_length = ldns_nsec3_salt_length(nsec);
347 salt = ldns_nsec3_salt_data(nsec);
348 iterations = ldns_nsec3_iterations(nsec);
350 sname = ldns_rdf_clone(qname);
355 zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
357 /* algorithm from nsec3-07 8.3 */
358 while (ldns_dname_label_count(sname) > 0) {
359 exact_match_found = false;
360 in_range_found = false;
362 if (verbosity >= 3) {
364 ldns_rdf_print(stdout, sname);
365 printf(" hashes to: ");
367 hashed_sname = ldns_nsec3_hash_name(sname, algorithm, iterations, salt_length, salt);
369 status = ldns_dname_cat(hashed_sname, zone_name);
371 if (verbosity >= 3) {
372 ldns_rdf_print(stdout, hashed_sname);
376 for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) {
377 nsec = ldns_rr_list_rr(nsec3s, nsec_i);
379 /* check values of iterations etc! */
382 if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) {
383 if (verbosity >= 4) {
384 printf(";; exact match found\n");
386 exact_match_found = true;
387 } else if (ldns_nsec_covers_name(nsec, hashed_sname)) {
388 if (verbosity >= 4) {
389 printf(";; in range of an nsec\n");
391 in_range_found = true;
395 if (!exact_match_found && in_range_found) {
397 } else if (exact_match_found && flag) {
398 result = ldns_rdf_clone(sname);
399 } else if (exact_match_found && !flag) {
401 if (verbosity >= 4) {
402 printf(";; the closest encloser is the same name (ie. this is an exact match, ie there is no closest encloser)\n");
404 ldns_rdf_deep_free(hashed_sname);
410 ldns_rdf_deep_free(hashed_sname);
412 sname = ldns_dname_left_chop(sname);
413 ldns_rdf_deep_free(tmp);
418 ldns_rdf_deep_free(zone_name);
419 ldns_rdf_deep_free(sname);
422 if (verbosity >= 4) {
423 printf(";; no closest encloser found\n");
427 /* todo checks from end of 6.2. here or in caller? */
432 /* special case were there was a wildcard expansion match, the exact match must be disproven */
434 ldns_verify_denial_wildcard(ldns_pkt *pkt, ldns_rdf *name, ldns_rr_type type, ldns_rr_list **nsec_rrs, ldns_rr_list **nsec_rr_sigs)
436 ldns_rdf *nsec3_ce = NULL;
437 ldns_rr *nsec3_ex = NULL;
438 ldns_rdf *wildcard_name = NULL;
439 ldns_rdf *nsec3_wc_ce = NULL;
440 ldns_rr *nsec3_wc_ex = NULL;
441 ldns_rdf *chopped_dname = NULL;
443 ldns_status result = LDNS_STATUS_ERR;
445 nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC3, LDNS_SECTION_ANY_NOQUESTION);
447 wildcard_name = ldns_dname_new_frm_str("*");
448 chopped_dname = ldns_dname_left_chop(name);
449 result = ldns_dname_cat(wildcard_name, chopped_dname);
450 ldns_rdf_deep_free(chopped_dname);
452 nsec3_ex = ldns_nsec3_exact_match(name, type, nsecs);
453 nsec3_ce = ldns_nsec3_closest_encloser(name, type, nsecs);
454 nsec3_wc_ce = ldns_nsec3_closest_encloser(wildcard_name, type, nsecs);
455 nsec3_wc_ex = ldns_nsec3_exact_match(wildcard_name, type, nsecs);
458 if (verbosity >= 3) {
459 printf(";; Error, exact match for for name found, but should not exist (draft -07 section 8.8)\n");
461 result = LDNS_STATUS_NSEC3_ERR;
462 } else if (!nsec3_ce) {
463 if (verbosity >= 3) {
464 printf(";; Error, closest encloser for exact match missing in wildcard response (draft -07 section 8.8)\n");
466 result = LDNS_STATUS_NSEC3_ERR;
468 } else if (!nsec3_wc_ex) {
469 printf(";; Error, no wildcard nsec3 match: ");
470 ldns_rdf_print(stdout, wildcard_name);
471 printf(" (draft -07 section 8.8)\n");
472 result = LDNS_STATUS_NSEC3_ERR;
474 /* } else if (!nsec */
476 if (verbosity >= 3) {
477 printf(";; wilcard expansion proven\n");
479 result = LDNS_STATUS_OK;
482 if (verbosity >= 3) {
483 printf(";; Error: no NSEC or NSEC3 records in answer\n");
485 result = LDNS_STATUS_CRYPTO_NO_RRSIG;
488 if (nsecs && nsec_rrs && nsec_rr_sigs) {
489 (void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, 0)), LDNS_RR_TYPE_NSEC3, nsec_rrs, nsec_rr_sigs);