2 * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000-2002 Internet Software Consortium.
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: validator.c,v 1.91.2.8 2004/04/15 02:16:28 marka Exp $ */
23 #include <isc/print.h>
28 #include <dns/dnssec.h>
29 #include <dns/events.h>
30 #include <dns/keytable.h>
32 #include <dns/message.h>
34 #include <dns/rdata.h>
35 #include <dns/rdatastruct.h>
36 #include <dns/rdataset.h>
37 #include <dns/rdatatype.h>
38 #include <dns/resolver.h>
39 #include <dns/result.h>
40 #include <dns/validator.h>
43 #define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?')
44 #define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
46 #define VALATTR_SHUTDOWN 0x01
47 #define VALATTR_FOUNDNONEXISTENCE 0x02
48 #define VALATTR_TRIEDVERIFY 0x04
49 #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
52 nullkeyvalidated(isc_task_t *task, isc_event_t *event);
54 static inline isc_boolean_t
55 containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset);
57 static inline isc_result_t
58 get_dst_key(dns_validator_t *val, dns_rdata_sig_t *siginfo,
59 dns_rdataset_t *rdataset);
61 static inline isc_result_t
62 validate(dns_validator_t *val, isc_boolean_t resume);
64 static inline isc_result_t
65 nxtvalidate(dns_validator_t *val, isc_boolean_t resume);
67 static inline isc_result_t
68 proveunsecure(dns_validator_t *val, isc_boolean_t resume);
71 validator_log(dns_validator_t *val, int level, const char *fmt, ...)
72 ISC_FORMAT_PRINTF(3, 4);
75 validator_done(dns_validator_t *val, isc_result_t result) {
78 if (val->event == NULL)
82 * Caller must be holding the lock.
85 val->event->result = result;
86 task = val->event->ev_sender;
87 val->event->ev_sender = val;
88 val->event->ev_type = DNS_EVENT_VALIDATORDONE;
89 val->event->ev_action = val->action;
90 val->event->ev_arg = val->arg;
91 isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
96 auth_nonpending(dns_message_t *message) {
99 dns_rdataset_t *rdataset;
101 for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
102 result == ISC_R_SUCCESS;
103 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
106 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
107 for (rdataset = ISC_LIST_HEAD(name->list);
109 rdataset = ISC_LIST_NEXT(rdataset, link))
111 if (rdataset->trust == dns_trust_pending)
112 rdataset->trust = dns_trust_authauthority;
118 fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
119 dns_fetchevent_t *devent;
120 dns_validator_t *val;
121 dns_rdataset_t *rdataset;
123 isc_result_t eresult;
126 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
127 devent = (dns_fetchevent_t *)event;
128 val = devent->ev_arg;
129 rdataset = &val->frdataset;
130 eresult = devent->result;
132 isc_event_free(&event);
133 dns_resolver_destroyfetch(&val->fetch);
136 dns_validator_destroy(&val);
140 if (val->event == NULL) {
141 validator_log(val, ISC_LOG_DEBUG(3),
142 "fetch_callback_validator: event == NULL");
146 validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
148 if (eresult == ISC_R_SUCCESS) {
149 validator_log(val, ISC_LOG_DEBUG(3),
150 "keyset with trust %d", rdataset->trust);
152 * Only extract the dst key if the keyset is secure.
154 if (rdataset->trust >= dns_trust_secure) {
155 result = get_dst_key(val, val->siginfo, rdataset);
156 if (result == ISC_R_SUCCESS)
157 val->keyset = &val->frdataset;
159 result = validate(val, ISC_TRUE);
160 if (result != DNS_R_WAIT) {
161 validator_done(val, result);
165 validator_log(val, ISC_LOG_DEBUG(3),
166 "fetch_callback_validator: got %s",
167 dns_result_totext(eresult));
168 validator_done(val, DNS_R_NOVALIDKEY);
174 * Free stuff from the event.
176 if (dns_rdataset_isassociated(&val->frdataset) &&
177 val->keyset != &val->frdataset)
178 dns_rdataset_disassociate(&val->frdataset);
179 if (dns_rdataset_isassociated(&val->fsigrdataset))
180 dns_rdataset_disassociate(&val->fsigrdataset);
184 fetch_callback_nullkey(isc_task_t *task, isc_event_t *event) {
185 dns_fetchevent_t *devent;
186 dns_validator_t *val;
187 dns_rdataset_t *rdataset, *sigrdataset;
189 isc_result_t eresult;
192 INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
193 devent = (dns_fetchevent_t *)event;
194 val = devent->ev_arg;
195 rdataset = &val->frdataset;
196 sigrdataset = &val->fsigrdataset;
197 eresult = devent->result;
199 dns_resolver_destroyfetch(&val->fetch);
202 dns_validator_destroy(&val);
203 isc_event_free(&event);
207 if (val->event == NULL) {
208 validator_log(val, ISC_LOG_DEBUG(3),
209 "fetch_callback_nullkey: event == NULL");
210 isc_event_free(&event);
214 validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_nullkey");
217 if (eresult == ISC_R_SUCCESS) {
218 if (!containsnullkey(val, rdataset)) {
222 validator_log(val, ISC_LOG_DEBUG(3),
223 "found a keyset, no null key");
224 result = proveunsecure(val, ISC_TRUE);
225 if (result != DNS_R_WAIT)
226 validator_done(val, result);
229 * Don't free rdataset & sigrdataset, since
230 * they'll be freed in nullkeyvalidated.
232 isc_event_free(&event);
237 validator_log(val, ISC_LOG_DEBUG(3),
238 "found a keyset with a null key");
239 if (rdataset->trust >= dns_trust_secure) {
240 validator_log(val, ISC_LOG_DEBUG(3),
241 "insecurity proof succeeded");
242 val->event->rdataset->trust = dns_trust_answer;
243 validator_done(val, ISC_R_SUCCESS);
244 } else if (!dns_rdataset_isassociated(sigrdataset)) {
245 validator_log(val, ISC_LOG_DEBUG(3),
246 "insecurity proof failed");
247 validator_done(val, DNS_R_NOTINSECURE);
250 tname = dns_fixedname_name(&devent->foundname);
251 result = dns_validator_create(val->view, tname,
259 if (result != ISC_R_SUCCESS)
260 validator_done(val, result);
262 * Don't free rdataset & sigrdataset, since
263 * they'll be freed in nullkeyvalidated.
265 isc_event_free(&event);
270 } else if (eresult == DNS_R_NCACHENXDOMAIN ||
271 eresult == DNS_R_NCACHENXRRSET ||
272 eresult == DNS_R_NXDOMAIN ||
273 eresult == DNS_R_NXRRSET)
278 validator_log(val, ISC_LOG_DEBUG(3),
280 result = proveunsecure(val, ISC_TRUE);
281 if (result != DNS_R_WAIT)
282 validator_done(val, result);
284 validator_log(val, ISC_LOG_DEBUG(3),
285 "fetch_callback_nullkey: got %s",
286 dns_result_totext(eresult));
287 validator_done(val, DNS_R_NOVALIDKEY);
292 * Free stuff from the event.
294 if (dns_rdataset_isassociated(&val->frdataset))
295 dns_rdataset_disassociate(&val->frdataset);
296 if (dns_rdataset_isassociated(&val->fsigrdataset))
297 dns_rdataset_disassociate(&val->fsigrdataset);
298 isc_event_free(&event);
302 keyvalidated(isc_task_t *task, isc_event_t *event) {
303 dns_validatorevent_t *devent;
304 dns_validator_t *val;
306 isc_result_t eresult;
309 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
311 devent = (dns_validatorevent_t *)event;
312 val = devent->ev_arg;
313 eresult = devent->result;
315 isc_event_free(&event);
318 dns_validator_destroy(&val);
322 if (val->event == NULL)
325 validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
327 if (eresult == ISC_R_SUCCESS) {
328 validator_log(val, ISC_LOG_DEBUG(3),
329 "keyset with trust %d", val->frdataset.trust);
331 * Only extract the dst key if the keyset is secure.
333 if (val->frdataset.trust >= dns_trust_secure)
334 (void) get_dst_key(val, val->siginfo, &val->frdataset);
335 result = validate(val, ISC_TRUE);
336 if (result != DNS_R_WAIT) {
337 validator_done(val, result);
341 validator_log(val, ISC_LOG_DEBUG(3),
342 "keyvalidated: got %s",
343 dns_result_totext(eresult));
344 validator_done(val, eresult);
349 dns_validator_destroy(&val->keyvalidator);
351 * Free stuff from the event.
353 if (dns_rdataset_isassociated(&val->frdataset))
354 dns_rdataset_disassociate(&val->frdataset);
355 if (dns_rdataset_isassociated(&val->fsigrdataset))
356 dns_rdataset_disassociate(&val->fsigrdataset);
360 nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
361 dns_rdataset_t *nxtset, dns_rdataset_t *signxtset)
364 dns_rdata_t rdata = DNS_RDATA_INIT;
365 isc_boolean_t isnxdomain;
368 INSIST(DNS_MESSAGE_VALID(val->event->message));
370 if (val->event->message->rcode == dns_rcode_nxdomain)
371 isnxdomain = ISC_TRUE;
373 isnxdomain = ISC_FALSE;
375 result = dns_rdataset_first(nxtset);
376 if (result != ISC_R_SUCCESS) {
377 validator_log(val, ISC_LOG_DEBUG(3),
378 "failure processing NXT set");
381 dns_rdataset_current(nxtset, &rdata);
383 validator_log(val, ISC_LOG_DEBUG(3),
384 "looking for relevant nxt");
385 order = dns_name_compare(val->event->name, nxtname);
388 * The names are the same. Look for the type present bit.
391 validator_log(val, ISC_LOG_DEBUG(3),
392 "NXT record seen at nonexistent name");
395 if (val->event->type >= 128) {
396 validator_log(val, ISC_LOG_DEBUG(3), "invalid type %d",
401 if (dns_nxt_typepresent(&rdata, val->event->type)) {
402 validator_log(val, ISC_LOG_DEBUG(3),
403 "type should not be present");
406 validator_log(val, ISC_LOG_DEBUG(3), "nxt bitmask ok");
407 } else if (order > 0) {
411 * The NXT owner name is less than the nonexistent name.
414 validator_log(val, ISC_LOG_DEBUG(3),
415 "missing NXT record at name");
418 if (dns_name_issubdomain(val->event->name, nxtname) &&
419 dns_nxt_typepresent(&rdata, dns_rdatatype_ns) &&
420 !dns_nxt_typepresent(&rdata, dns_rdatatype_soa))
423 * This NXT record is from somewhere higher in
424 * the DNS, and at the parent of a delegation.
425 * It can not be legitimately used here.
427 validator_log(val, ISC_LOG_DEBUG(3),
428 "ignoring parent nxt");
431 result = dns_rdata_tostruct(&rdata, &nxt, NULL);
432 if (result != ISC_R_SUCCESS)
434 dns_rdata_reset(&rdata);
435 order = dns_name_compare(val->event->name, &nxt.next);
438 * The NXT next name is less than the nonexistent
439 * name. This is only ok if the next name is the zone
442 dns_rdata_sig_t siginfo;
443 result = dns_rdataset_first(signxtset);
444 if (result != ISC_R_SUCCESS) {
445 validator_log(val, ISC_LOG_DEBUG(3),
446 "failure processing SIG NXT set");
447 dns_rdata_freestruct(&nxt);
450 dns_rdataset_current(signxtset, &rdata);
451 result = dns_rdata_tostruct(&rdata, &siginfo, NULL);
452 if (result != ISC_R_SUCCESS) {
453 validator_log(val, ISC_LOG_DEBUG(3),
454 "failure processing SIG NXT set");
455 dns_rdata_freestruct(&nxt);
458 if (!dns_name_equal(&siginfo.signer, &nxt.next)) {
459 validator_log(val, ISC_LOG_DEBUG(3),
460 "next name is not greater");
461 dns_rdata_freestruct(&nxt);
464 validator_log(val, ISC_LOG_DEBUG(3),
465 "nxt points to zone apex, ok");
467 dns_rdata_freestruct(&nxt);
468 validator_log(val, ISC_LOG_DEBUG(3),
471 validator_log(val, ISC_LOG_DEBUG(3),
472 "nxt owner name is not less");
474 * The NXT owner name is greater than the supposedly
475 * nonexistent name. This NXT is irrelevant.
483 authvalidated(isc_task_t *task, isc_event_t *event) {
484 dns_validatorevent_t *devent;
485 dns_validator_t *val;
486 dns_rdataset_t *rdataset, *sigrdataset;
488 isc_result_t eresult;
491 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
493 devent = (dns_validatorevent_t *)event;
494 rdataset = devent->rdataset;
495 sigrdataset = devent->sigrdataset;
496 val = devent->ev_arg;
497 eresult = devent->result;
498 dns_validator_destroy(&val->authvalidator);
501 dns_validator_destroy(&val);
505 if (val->event == NULL)
508 validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
510 if (eresult != ISC_R_SUCCESS) {
511 validator_log(val, ISC_LOG_DEBUG(3),
512 "authvalidated: got %s",
513 dns_result_totext(eresult));
514 result = nxtvalidate(val, ISC_TRUE);
515 if (result != DNS_R_WAIT)
516 validator_done(val, result);
518 if (rdataset->type == dns_rdatatype_nxt &&
519 nxtprovesnonexistence(val, devent->name, rdataset,
521 val->attributes |= VALATTR_FOUNDNONEXISTENCE;
523 result = nxtvalidate(val, ISC_TRUE);
524 if (result != DNS_R_WAIT)
525 validator_done(val, result);
530 * Free stuff from the event.
532 isc_event_free(&event);
536 negauthvalidated(isc_task_t *task, isc_event_t *event) {
537 dns_validatorevent_t *devent;
538 dns_validator_t *val;
539 isc_result_t eresult;
542 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
544 devent = (dns_validatorevent_t *)event;
545 val = devent->ev_arg;
546 eresult = devent->result;
547 isc_event_free(&event);
548 dns_validator_destroy(&val->authvalidator);
551 dns_validator_destroy(&val);
555 if (val->event == NULL)
558 validator_log(val, ISC_LOG_DEBUG(3), "in negauthvalidated");
560 if (eresult == ISC_R_SUCCESS) {
561 val->attributes |= VALATTR_FOUNDNONEXISTENCE;
562 validator_log(val, ISC_LOG_DEBUG(3),
563 "nonexistence proof found");
564 auth_nonpending(val->event->message);
565 validator_done(val, ISC_R_SUCCESS);
567 validator_log(val, ISC_LOG_DEBUG(3),
568 "negauthvalidated: got %s",
569 dns_result_totext(eresult));
570 validator_done(val, eresult);
575 * Free stuff from the event.
577 if (dns_rdataset_isassociated(&val->frdataset))
578 dns_rdataset_disassociate(&val->frdataset);
582 nullkeyvalidated(isc_task_t *task, isc_event_t *event) {
583 dns_validatorevent_t *devent;
584 dns_validator_t *val;
586 isc_result_t eresult;
589 INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
591 devent = (dns_validatorevent_t *)event;
592 val = devent->ev_arg;
593 eresult = devent->result;
595 dns_name_free(devent->name, val->view->mctx);
596 isc_mem_put(val->view->mctx, devent->name, sizeof(dns_name_t));
597 dns_validator_destroy(&val->keyvalidator);
598 isc_event_free(&event);
601 dns_validator_destroy(&val);
605 if (val->event == NULL)
608 validator_log(val, ISC_LOG_DEBUG(3), "in nullkeyvalidated");
610 if (eresult == ISC_R_SUCCESS) {
611 validator_log(val, ISC_LOG_DEBUG(3),
612 "proved that name is in an unsecure domain");
613 validator_log(val, ISC_LOG_DEBUG(3), "marking as answer");
614 val->event->rdataset->trust = dns_trust_answer;
615 validator_done(val, ISC_R_SUCCESS);
617 result = proveunsecure(val, ISC_TRUE);
618 if (result != DNS_R_WAIT)
619 validator_done(val, result);
624 * Free stuff from the event.
626 if (dns_rdataset_isassociated(&val->frdataset))
627 dns_rdataset_disassociate(&val->frdataset);
628 if (dns_rdataset_isassociated(&val->fsigrdataset))
629 dns_rdataset_disassociate(&val->fsigrdataset);
633 * Try to find a null zone key among those in 'rdataset'. If found, build
634 * a dst_key_t for it and point val->key at it.
636 static inline isc_boolean_t
637 containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset) {
639 dst_key_t *key = NULL;
641 dns_rdata_t rdata = DNS_RDATA_INIT;
642 isc_boolean_t found = ISC_FALSE;
644 result = dns_rdataset_first(rdataset);
645 if (result != ISC_R_SUCCESS)
647 while (result == ISC_R_SUCCESS && !found) {
648 dns_rdataset_current(rdataset, &rdata);
649 isc_buffer_init(&b, rdata.data, rdata.length);
650 isc_buffer_add(&b, rdata.length);
653 * The key name is unimportant, so we can avoid any name/text
656 result = dst_key_fromdns(dns_rootname, rdata.rdclass, &b,
657 val->view->mctx, &key);
658 if (result != ISC_R_SUCCESS)
660 if (dst_key_isnullkey(key))
663 dns_rdata_reset(&rdata);
664 result = dns_rdataset_next(rdataset);
670 * Try to find a key that could have signed 'siginfo' among those
671 * in 'rdataset'. If found, build a dst_key_t for it and point
674 * If val->key is non-NULL, this returns the next matching key.
676 static inline isc_result_t
677 get_dst_key(dns_validator_t *val, dns_rdata_sig_t *siginfo,
678 dns_rdataset_t *rdataset)
682 dns_rdata_t rdata = DNS_RDATA_INIT;
683 dst_key_t *oldkey = val->key;
684 isc_boolean_t foundold;
689 foundold = ISC_FALSE;
693 result = dns_rdataset_first(rdataset);
694 if (result != ISC_R_SUCCESS)
697 dns_rdataset_current(rdataset, &rdata);
699 isc_buffer_init(&b, rdata.data, rdata.length);
700 isc_buffer_add(&b, rdata.length);
701 INSIST(val->key == NULL);
702 result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
703 val->view->mctx, &val->key);
704 if (result != ISC_R_SUCCESS)
706 if (siginfo->algorithm ==
707 (dns_secalg_t)dst_key_alg(val->key) &&
709 (dns_keytag_t)dst_key_id(val->key) &&
710 dst_key_iszonekey(val->key))
714 * This is the key we're looking for.
716 return (ISC_R_SUCCESS);
717 else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
720 dst_key_free(&oldkey);
723 dst_key_free(&val->key);
724 dns_rdata_reset(&rdata);
725 result = dns_rdataset_next(rdataset);
726 } while (result == ISC_R_SUCCESS);
727 if (result == ISC_R_NOMORE)
728 result = ISC_R_NOTFOUND;
732 dst_key_free(&oldkey);
737 static inline isc_result_t
738 get_key(dns_validator_t *val, dns_rdata_sig_t *siginfo) {
740 dns_validatorevent_t *event;
741 unsigned int nbits, nlabels;
743 dns_namereln_t namereln;
748 * Is the key name appropriate for this signature?
749 * This previously checked for self-signed keys. Now, if the key
750 * is self signed with a preconfigured key, it's ok.
752 namereln = dns_name_fullcompare(event->name, &siginfo->signer,
753 &order, &nlabels, &nbits);
754 if (namereln != dns_namereln_subdomain &&
755 namereln != dns_namereln_equal) {
757 * The key name is not at the same level
758 * as 'rdataset', nor is it closer to the
761 return (DNS_R_CONTINUE);
765 * Is the key used for the signature a security root?
767 INSIST(val->keynode == NULL);
768 val->keytable = val->view->secroots;
769 result = dns_keytable_findkeynode(val->view->secroots,
771 siginfo->algorithm, siginfo->keyid,
773 if (result == ISC_R_SUCCESS) {
775 * The key is a security root.
777 val->key = dns_keynode_key(val->keynode);
778 return (ISC_R_SUCCESS);
782 * A key set may not be self-signed unless the signing key is a
783 * security root. We don't want a KEY RR to authenticate
784 * itself, so we ignore the signature if it was not made by
785 * an ancestor of the KEY or a preconfigured key.
787 if (event->rdataset->type == dns_rdatatype_key &&
788 namereln == dns_namereln_equal)
790 validator_log(val, ISC_LOG_DEBUG(3),
791 "keyset was self-signed but not preconfigured");
792 return (DNS_R_CONTINUE);
796 * Do we know about this key?
798 if (dns_rdataset_isassociated(&val->frdataset))
799 dns_rdataset_disassociate(&val->frdataset);
800 if (dns_rdataset_isassociated(&val->fsigrdataset))
801 dns_rdataset_disassociate(&val->fsigrdataset);
802 result = dns_view_simplefind(val->view, &siginfo->signer,
803 dns_rdatatype_key, 0,
804 DNS_DBFIND_PENDINGOK, ISC_FALSE,
805 &val->frdataset, &val->fsigrdataset);
806 if (result == ISC_R_SUCCESS) {
808 * We have an rrset for the given keyname.
810 val->keyset = &val->frdataset;
811 if (val->frdataset.trust == dns_trust_pending &&
812 dns_rdataset_isassociated(&val->fsigrdataset))
815 * We know the key but haven't validated it yet.
817 result = dns_validator_create(val->view,
828 if (result != ISC_R_SUCCESS)
831 } else if (val->frdataset.trust == dns_trust_pending) {
833 * Having a pending key with no signature means that
834 * something is broken.
836 result = DNS_R_CONTINUE;
837 } else if (val->frdataset.trust < dns_trust_secure) {
839 * The key is legitimately insecure. There's no
840 * point in even attempting verification.
843 result = ISC_R_SUCCESS;
846 * See if we've got the key used in the signature.
848 validator_log(val, ISC_LOG_DEBUG(3),
849 "keyset with trust %d",
850 val->frdataset.trust);
851 result = get_dst_key(val, siginfo, val->keyset);
852 if (result != ISC_R_SUCCESS) {
854 * Either the key we're looking for is not
855 * in the rrset, or something bad happened.
858 result = DNS_R_CONTINUE;
861 } else if (result == ISC_R_NOTFOUND) {
863 * We don't know anything about this key.
866 result = dns_resolver_createfetch(val->view->resolver,
870 val->event->ev_sender,
871 fetch_callback_validator,
876 if (result != ISC_R_SUCCESS)
879 } else if (result == DNS_R_NCACHENXDOMAIN ||
880 result == DNS_R_NCACHENXRRSET ||
881 result == DNS_R_NXDOMAIN ||
882 result == DNS_R_NXRRSET)
885 * This key doesn't exist.
887 result = DNS_R_CONTINUE;
890 if (dns_rdataset_isassociated(&val->frdataset) &&
891 val->keyset != &val->frdataset)
892 dns_rdataset_disassociate(&val->frdataset);
893 if (dns_rdataset_isassociated(&val->fsigrdataset))
894 dns_rdataset_disassociate(&val->fsigrdataset);
900 * If the rdataset being validated is a key set, is each key a security root?
903 issecurityroot(dns_validator_t *val) {
905 dns_rdataset_t *rdataset;
907 dns_keytable_t *secroots;
908 dns_rdata_t rdata = DNS_RDATA_INIT;
910 dns_keynode_t *keynode, *nextnode;
911 dst_key_t *key, *secrootkey;
912 isc_boolean_t match = ISC_FALSE;
914 name = val->event->name;
915 rdataset = val->event->rdataset;
916 mctx = val->view->mctx;
917 secroots = val->view->secroots;
919 for (result = dns_rdataset_first(rdataset);
920 result == ISC_R_SUCCESS;
921 result = dns_rdataset_next(rdataset))
923 dns_rdataset_current(rdataset, &rdata);
925 result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &key);
926 dns_rdata_reset(&rdata);
927 if (result != ISC_R_SUCCESS)
930 result = dns_keytable_findkeynode(
932 (dns_secalg_t)dst_key_alg(key),
937 while (result == ISC_R_SUCCESS) {
938 secrootkey = dns_keynode_key(keynode);
939 if (dst_key_compare(key, secrootkey)) {
941 dns_keytable_detachkeynode(secroots, &keynode);
945 result = dns_keytable_findnextkeynode(secroots,
948 dns_keytable_detachkeynode(secroots, &keynode);
959 * Attempts positive response validation.
962 * ISC_R_SUCCESS Validation completed successfully
963 * DNS_R_WAIT Validation has started but is waiting
965 * Other return codes are possible and all indicate failure.
967 static inline isc_result_t
968 validate(dns_validator_t *val, isc_boolean_t resume) {
970 dns_validatorevent_t *event;
971 dns_rdata_t rdata = DNS_RDATA_INIT;
974 * Caller must be holding the validator lock.
980 * If this is a security root, it's ok.
983 dns_fixedname_t fsecroot;
986 dns_fixedname_init(&fsecroot);
987 secroot = dns_fixedname_name(&fsecroot);
988 result = dns_keytable_finddeepestmatch(val->view->secroots,
991 if (result == ISC_R_SUCCESS &&
992 val->event->type == dns_rdatatype_key &&
993 dns_name_equal(val->event->name, secroot) &&
996 val->event->rdataset->trust = dns_trust_secure;
997 return (ISC_R_SUCCESS);
1003 * We already have a sigrdataset.
1005 result = ISC_R_SUCCESS;
1006 validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
1008 result = dns_rdataset_first(event->sigrdataset);
1012 result == ISC_R_SUCCESS;
1013 result = dns_rdataset_next(event->sigrdataset))
1015 dns_rdata_reset(&rdata);
1016 dns_rdataset_current(event->sigrdataset, &rdata);
1017 if (val->siginfo != NULL)
1018 isc_mem_put(val->view->mctx, val->siginfo,
1019 sizeof *val->siginfo);
1020 val->siginfo = isc_mem_get(val->view->mctx,
1021 sizeof *val->siginfo);
1022 if (val->siginfo == NULL)
1023 return (ISC_R_NOMEMORY);
1024 dns_rdata_tostruct(&rdata, val->siginfo, NULL);
1027 * At this point we could check that the signature algorithm
1028 * was known and "sufficiently good". For now, any algorithm
1033 result = get_key(val, val->siginfo);
1034 if (result == DNS_R_CONTINUE)
1035 continue; /* Try the next SIG RR. */
1036 if (result != ISC_R_SUCCESS)
1040 if (val->key == NULL) {
1041 event->rdataset->trust = dns_trust_answer;
1042 event->sigrdataset->trust = dns_trust_answer;
1043 validator_log(val, ISC_LOG_DEBUG(3),
1044 "marking as answer");
1045 return (ISC_R_SUCCESS);
1050 val->attributes |= VALATTR_TRIEDVERIFY;
1051 result = dns_dnssec_verify(event->name,
1053 val->key, ISC_FALSE,
1054 val->view->mctx, &rdata);
1055 validator_log(val, ISC_LOG_DEBUG(3),
1056 "verify rdataset: %s",
1057 isc_result_totext(result));
1058 if (result == ISC_R_SUCCESS)
1060 if (val->keynode != NULL) {
1061 dns_keynode_t *nextnode = NULL;
1062 result = dns_keytable_findnextkeynode(
1066 dns_keytable_detachkeynode(val->keytable,
1068 val->keynode = nextnode;
1069 if (result != ISC_R_SUCCESS) {
1073 val->key = dns_keynode_key(val->keynode);
1075 if (get_dst_key(val, val->siginfo, val->keyset)
1080 if (result != ISC_R_SUCCESS)
1081 validator_log(val, ISC_LOG_DEBUG(3),
1082 "failed to verify rdataset");
1087 isc_stdtime_get(&now);
1088 ttl = ISC_MIN(event->rdataset->ttl,
1089 val->siginfo->timeexpire - now);
1090 if (val->keyset != NULL)
1091 ttl = ISC_MIN(ttl, val->keyset->ttl);
1092 event->rdataset->ttl = ttl;
1093 event->sigrdataset->ttl = ttl;
1096 if (val->keynode != NULL)
1097 dns_keytable_detachkeynode(val->keytable,
1100 if (val->key != NULL)
1101 dst_key_free(&val->key);
1102 if (val->keyset != NULL) {
1103 dns_rdataset_disassociate(val->keyset);
1108 if (result == ISC_R_SUCCESS) {
1109 event->rdataset->trust = dns_trust_secure;
1110 event->sigrdataset->trust = dns_trust_secure;
1111 validator_log(val, ISC_LOG_DEBUG(3),
1112 "marking as secure");
1115 validator_log(val, ISC_LOG_DEBUG(3),
1116 "verify failure: %s",
1117 isc_result_totext(result));
1121 if (result != ISC_R_NOMORE) {
1122 validator_log(val, ISC_LOG_DEBUG(3),
1123 "failed to iterate signatures: %s",
1124 isc_result_totext(result));
1128 validator_log(val, ISC_LOG_INFO, "no valid signature found");
1129 return (DNS_R_NOVALIDSIG);
1133 static inline isc_result_t
1134 nxtvalidate(dns_validator_t *val, isc_boolean_t resume) {
1136 dns_message_t *message = val->event->message;
1137 isc_result_t result;
1140 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
1141 if (result != ISC_R_SUCCESS)
1142 validator_done(val, ISC_R_NOTFOUND);
1144 result = ISC_R_SUCCESS;
1145 validator_log(val, ISC_LOG_DEBUG(3), "resuming nxtvalidate");
1149 result == ISC_R_SUCCESS;
1150 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
1152 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
1155 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
1157 rdataset = ISC_LIST_NEXT(val->currentset, link);
1158 val->currentset = NULL;
1162 rdataset = ISC_LIST_HEAD(name->list);
1166 rdataset = ISC_LIST_NEXT(rdataset, link))
1168 if (rdataset->type == dns_rdatatype_sig)
1171 for (sigrdataset = ISC_LIST_HEAD(name->list);
1172 sigrdataset != NULL;
1173 sigrdataset = ISC_LIST_NEXT(sigrdataset,
1176 if (sigrdataset->type == dns_rdatatype_sig &&
1177 sigrdataset->covers == rdataset->type)
1180 if (sigrdataset == NULL)
1182 val->seensig = ISC_TRUE;
1184 * If a signed zone is missing the zone key, bad
1185 * things could happen. A query for data in the zone
1186 * would lead to a query for the zone key, which
1187 * would return a negative answer, which would contain
1188 * an SOA and an NXT signed by the missing key, which
1189 * would trigger another query for the KEY (since the
1190 * first one is still in progress), and go into an
1191 * infinite loop. Avoid that.
1193 if (val->event->type == dns_rdatatype_key &&
1194 dns_name_equal(name, val->event->name))
1196 dns_rdata_t nxt = DNS_RDATA_INIT;
1198 if (rdataset->type != dns_rdatatype_nxt)
1201 result = dns_rdataset_first(rdataset);
1202 if (result != ISC_R_SUCCESS)
1204 dns_rdataset_current(rdataset, &nxt);
1205 if (dns_nxt_typepresent(&nxt,
1209 val->authvalidator = NULL;
1210 val->currentset = rdataset;
1211 result = dns_validator_create(val->view, name,
1219 &val->authvalidator);
1220 if (result != ISC_R_SUCCESS)
1222 return (DNS_R_WAIT);
1226 if (result == ISC_R_NOMORE)
1227 result = ISC_R_SUCCESS;
1228 if (result != ISC_R_SUCCESS)
1229 validator_done(val, result);
1231 if ((val->attributes & VALATTR_FOUNDNONEXISTENCE) == 0) {
1232 if (!val->seensig) {
1233 result = dns_validator_create(val->view, name,
1240 &val->authvalidator);
1241 if (result != ISC_R_SUCCESS)
1243 return (DNS_R_WAIT);
1245 validator_log(val, ISC_LOG_DEBUG(3),
1246 "nonexistence proof not found");
1247 return (DNS_R_NOVALIDNXT);
1249 validator_log(val, ISC_LOG_DEBUG(3),
1250 "nonexistence proof found");
1251 return (ISC_R_SUCCESS);
1255 static inline isc_result_t
1256 proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
1257 isc_result_t result;
1258 dns_fixedname_t secroot, tfname;
1261 dns_fixedname_init(&secroot);
1262 dns_fixedname_init(&tfname);
1263 result = dns_keytable_finddeepestmatch(val->view->secroots,
1265 dns_fixedname_name(&secroot));
1267 * If the name is not under a security root, it must be insecure.
1269 if (result == ISC_R_NOTFOUND)
1270 return (ISC_R_SUCCESS);
1272 else if (result != ISC_R_SUCCESS)
1276 * If this is a security root, it's ok.
1278 if (val->event->type == dns_rdatatype_key &&
1279 dns_name_equal(val->event->name, dns_fixedname_name(&secroot)) &&
1280 issecurityroot(val))
1282 val->event->rdataset->trust = dns_trust_secure;
1283 return (ISC_R_SUCCESS);
1287 val->labels = dns_name_depth(dns_fixedname_name(&secroot)) + 1;
1289 validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
1294 val->labels <= dns_name_depth(val->event->name);
1299 if (val->labels == dns_name_depth(val->event->name)) {
1300 if (val->event->type == dns_rdatatype_key)
1302 tname = val->event->name;
1304 tname = dns_fixedname_name(&tfname);
1305 result = dns_name_splitatdepth(val->event->name,
1308 if (result != ISC_R_SUCCESS)
1312 dns_name_format(tname, namebuf, sizeof(namebuf));
1313 validator_log(val, ISC_LOG_DEBUG(3),
1314 "looking for null keyset at '%s'",
1317 if (dns_rdataset_isassociated(&val->frdataset))
1318 dns_rdataset_disassociate(&val->frdataset);
1319 if (dns_rdataset_isassociated(&val->fsigrdataset))
1320 dns_rdataset_disassociate(&val->fsigrdataset);
1322 result = dns_view_simplefind(val->view, tname,
1323 dns_rdatatype_key, 0,
1324 DNS_DBFIND_PENDINGOK, ISC_FALSE,
1326 &val->fsigrdataset);
1327 if (result == ISC_R_SUCCESS) {
1328 dns_name_t *fname = NULL;
1330 if (!dns_rdataset_isassociated(&val->fsigrdataset)) {
1331 result = DNS_R_NOTINSECURE;
1334 validator_log(val, ISC_LOG_DEBUG(3),
1335 "found keyset, looking for null key");
1336 if (!containsnullkey(val, &val->frdataset))
1339 if (val->frdataset.trust >= dns_trust_secure) {
1340 validator_log(val, ISC_LOG_DEBUG(3),
1341 "insecurity proof succeeded");
1342 val->event->rdataset->trust = dns_trust_answer;
1343 result = ISC_R_SUCCESS;
1347 fname = isc_mem_get(val->view->mctx, sizeof *fname);
1349 return (ISC_R_NOMEMORY);
1350 dns_name_init(fname, NULL);
1351 result = dns_name_dup(tname, val->view->mctx, fname);
1352 if (result != ISC_R_SUCCESS) {
1353 isc_mem_put(val->view->mctx, fname,
1355 result = ISC_R_NOMEMORY;
1359 result = dns_validator_create(val->view,
1369 &val->keyvalidator);
1370 if (result != ISC_R_SUCCESS)
1372 return (DNS_R_WAIT);
1373 } else if (result == ISC_R_NOTFOUND) {
1375 result = dns_resolver_createfetch(val->view->resolver,
1378 NULL, NULL, NULL, 0,
1379 val->event->ev_sender,
1380 fetch_callback_nullkey,
1385 if (result != ISC_R_SUCCESS)
1387 return (DNS_R_WAIT);
1388 } else if (result == DNS_R_NCACHENXDOMAIN ||
1389 result == DNS_R_NCACHENXRRSET ||
1390 result == DNS_R_NXDOMAIN ||
1391 result == DNS_R_NXRRSET)
1397 validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
1398 return (DNS_R_NOTINSECURE); /* Didn't find a null key */
1401 if (dns_rdataset_isassociated(&val->frdataset))
1402 dns_rdataset_disassociate(&val->frdataset);
1403 if (dns_rdataset_isassociated(&val->fsigrdataset))
1404 dns_rdataset_disassociate(&val->fsigrdataset);
1409 validator_start(isc_task_t *task, isc_event_t *event) {
1410 dns_validator_t *val;
1411 dns_validatorevent_t *vevent;
1412 isc_result_t result = ISC_R_FAILURE;
1415 REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
1416 vevent = (dns_validatorevent_t *)event;
1417 val = vevent->validator;
1419 /* If the validator has been cancelled, val->event == NULL */
1420 if (val->event == NULL)
1423 validator_log(val, ISC_LOG_DEBUG(3), "starting");
1427 if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) {
1428 isc_result_t saved_result;
1431 * This looks like a simple validation. We say "looks like"
1432 * because we don't know if wildcards are involved yet so it
1433 * could still get complicated.
1435 validator_log(val, ISC_LOG_DEBUG(3),
1436 "attempting positive response validation");
1438 result = validate(val, ISC_FALSE);
1439 if (result == DNS_R_NOVALIDSIG &&
1440 (val->attributes & VALATTR_TRIEDVERIFY) == 0)
1442 saved_result = result;
1443 validator_log(val, ISC_LOG_DEBUG(3),
1444 "falling back to insecurity proof");
1445 result = proveunsecure(val, ISC_FALSE);
1446 if (result == DNS_R_NOTINSECURE)
1447 result = saved_result;
1449 } else if (val->event->rdataset != NULL) {
1451 * This is either an unsecure subdomain or a response from
1454 validator_log(val, ISC_LOG_DEBUG(3),
1455 "attempting insecurity proof");
1457 result = proveunsecure(val, ISC_FALSE);
1458 } else if (val->event->rdataset == NULL &&
1459 val->event->sigrdataset == NULL)
1462 * This is a nonexistence validation.
1464 validator_log(val, ISC_LOG_DEBUG(3),
1465 "attempting negative response validation");
1467 result = nxtvalidate(val, ISC_FALSE);
1470 * This shouldn't happen.
1475 if (result != DNS_R_WAIT)
1476 validator_done(val, result);
1482 dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
1483 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
1484 dns_message_t *message, unsigned int options,
1485 isc_task_t *task, isc_taskaction_t action, void *arg,
1486 dns_validator_t **validatorp)
1488 isc_result_t result;
1489 dns_validator_t *val;
1491 dns_validatorevent_t *event;
1493 REQUIRE(name != NULL);
1495 REQUIRE(rdataset != NULL ||
1496 (rdataset == NULL && sigrdataset == NULL && message != NULL));
1497 REQUIRE(options == 0);
1498 REQUIRE(validatorp != NULL && *validatorp == NULL);
1501 result = ISC_R_FAILURE;
1503 val = isc_mem_get(view->mctx, sizeof *val);
1505 return (ISC_R_NOMEMORY);
1507 dns_view_weakattach(view, &val->view);
1508 event = (dns_validatorevent_t *)
1509 isc_event_allocate(view->mctx, task,
1510 DNS_EVENT_VALIDATORSTART,
1511 validator_start, NULL,
1512 sizeof (dns_validatorevent_t));
1513 if (event == NULL) {
1514 result = ISC_R_NOMEMORY;
1517 isc_task_attach(task, &tclone);
1518 event->validator = val;
1519 event->result = ISC_R_FAILURE;
1522 event->rdataset = rdataset;
1523 event->sigrdataset = sigrdataset;
1524 event->message = message;
1525 result = isc_mutex_init(&val->lock);
1526 if (result != ISC_R_SUCCESS)
1529 val->options = options;
1530 val->attributes = 0;
1532 val->keyvalidator = NULL;
1533 val->authvalidator = NULL;
1534 val->keynode = NULL;
1536 val->siginfo = NULL;
1538 val->action = action;
1541 val->currentset = NULL;
1543 val->seensig = ISC_FALSE;
1544 dns_rdataset_init(&val->frdataset);
1545 dns_rdataset_init(&val->fsigrdataset);
1546 ISC_LINK_INIT(val, link);
1547 val->magic = VALIDATOR_MAGIC;
1549 isc_task_send(task, ISC_EVENT_PTR(&event));
1553 return (ISC_R_SUCCESS);
1556 isc_task_detach(&tclone);
1557 isc_event_free((isc_event_t **)&val->event);
1560 dns_view_weakdetach(&val->view);
1561 isc_mem_put(view->mctx, val, sizeof *val);
1567 dns_validator_cancel(dns_validator_t *validator) {
1568 REQUIRE(VALID_VALIDATOR(validator));
1570 LOCK(&validator->lock);
1572 validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
1574 if (validator->event != NULL) {
1575 validator_done(validator, ISC_R_CANCELED);
1577 if (validator->fetch != NULL)
1578 dns_resolver_cancelfetch(validator->fetch);
1580 if (validator->keyvalidator != NULL)
1581 dns_validator_cancel(validator->keyvalidator);
1583 if (validator->authvalidator != NULL)
1584 dns_validator_cancel(validator->authvalidator);
1586 UNLOCK(&validator->lock);
1590 destroy(dns_validator_t *val) {
1593 REQUIRE(SHUTDOWN(val));
1594 REQUIRE(val->event == NULL);
1595 REQUIRE(val->fetch == NULL);
1597 if (val->keynode != NULL)
1598 dns_keytable_detachkeynode(val->keytable, &val->keynode);
1599 else if (val->key != NULL)
1600 dst_key_free(&val->key);
1601 if (val->keyvalidator != NULL)
1602 dns_validator_destroy(&val->keyvalidator);
1603 if (val->authvalidator != NULL)
1604 dns_validator_destroy(&val->authvalidator);
1605 mctx = val->view->mctx;
1606 if (val->siginfo != NULL)
1607 isc_mem_put(mctx, val->siginfo, sizeof *val->siginfo);
1608 DESTROYLOCK(&val->lock);
1609 dns_view_weakdetach(&val->view);
1611 isc_mem_put(mctx, val, sizeof *val);
1615 dns_validator_destroy(dns_validator_t **validatorp) {
1616 dns_validator_t *val;
1617 isc_boolean_t want_destroy = ISC_FALSE;
1619 REQUIRE(validatorp != NULL);
1621 REQUIRE(VALID_VALIDATOR(val));
1625 REQUIRE(val->event == NULL);
1627 validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
1629 val->attributes |= VALATTR_SHUTDOWN;
1630 if (val->fetch == NULL && val->keyvalidator == NULL &&
1631 val->authvalidator == NULL)
1632 want_destroy = ISC_TRUE;
1644 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
1645 isc_logmodule_t *module, int level, const char *fmt, va_list ap)
1646 ISC_FORMAT_PRINTF(5, 0);
1649 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
1650 isc_logmodule_t *module, int level, const char *fmt, va_list ap)
1654 vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
1656 if (val->event != NULL && val->event->name != NULL) {
1662 dns_name_format(val->event->name, namebuf, sizeof(namebuf));
1664 isc_buffer_init(&b, (unsigned char *)typebuf, sizeof(typebuf));
1665 if (dns_rdatatype_totext(val->event->type, &b)
1668 isc_buffer_clear(&b);
1669 isc_buffer_putstr(&b, "<bad type>");
1671 isc_buffer_usedregion(&b, &r);
1672 isc_log_write(dns_lctx, category, module, level,
1673 "validating %s %.*s: %s", namebuf,
1674 (int)r.length, (char *)r.base, msgbuf);
1676 isc_log_write(dns_lctx, category, module, level,
1677 "validator @%p: %s", val, msgbuf);
1683 validator_log(dns_validator_t *val, int level, const char *fmt, ...)
1687 if (! isc_log_wouldlog(dns_lctx, level))
1691 validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
1692 DNS_LOGMODULE_VALIDATOR, level, fmt, ap);