Lines Matching +full:positive +full:- +full:phase
2 * validator/validator.c - secure validator DNS query response module
86 && rep->reason_bogus != LDNS_EDE_NONE
87 && rep->reason_bogus != LDNS_EDE_DNSSEC_BOGUS) return;
88 rep->reason_bogus = reason_bogus;
98 free(ve->nsec3_keysize);
99 free(ve->nsec3_maxiter);
100 ve->nsec3_keysize = (size_t*)calloc((size_t)c, sizeof(size_t));
101 ve->nsec3_maxiter = (size_t*)calloc((size_t)c, sizeof(size_t));
102 if(!ve->nsec3_keysize || !ve->nsec3_maxiter) {
107 ve->nsec3_keysize[i] = (size_t)strtol(s, &e, 10);
113 ve->nsec3_maxiter[i] = (size_t)strtol(s, &e, 10);
119 if(i>0 && ve->nsec3_keysize[i-1] >= ve->nsec3_keysize[i]) {
121 (int)ve->nsec3_keysize[i-1],
122 (int)ve->nsec3_keysize[i]);
126 (int)ve->nsec3_keysize[i], (int)ve->nsec3_maxiter[i]);
137 val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl;
138 if(!env->anchors)
139 env->anchors = anchors_create();
140 if(!env->anchors) {
144 if (env->key_cache)
145 val_env->kcache = env->key_cache;
146 if(!val_env->kcache)
147 val_env->kcache = key_cache_create(cfg);
148 if(!val_env->kcache) {
152 env->key_cache = val_env->kcache;
153 if(!anchors_apply_cfg(env->anchors, cfg)) {
157 val_env->date_override = cfg->val_date_override;
158 val_env->skew_min = cfg->val_sig_skew_min;
159 val_env->skew_max = cfg->val_sig_skew_max;
160 val_env->max_restart = cfg->val_max_restart;
161 c = cfg_count_numbers(cfg->val_nsec3_key_iterations);
164 "iterations: %s", cfg->val_nsec3_key_iterations);
167 val_env->nsec3_keyiter_count = c/2;
168 if(!fill_nsec3_iter(val_env, cfg->val_nsec3_key_iterations, c/2)) {
172 if (env->neg_cache)
173 val_env->neg_cache = env->neg_cache;
174 if(!val_env->neg_cache)
175 val_env->neg_cache = val_neg_create(cfg,
176 val_env->nsec3_maxiter[val_env->nsec3_keyiter_count-1]);
177 if(!val_env->neg_cache) {
181 env->neg_cache = val_env->neg_cache;
197 env->modinfo[id] = (void*)val_env;
198 env->need_to_validate = 1;
199 lock_basic_init(&val_env->bogus_lock);
200 lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus,
201 sizeof(val_env->num_rrset_bogus));
205 if(!val_apply_cfg(env, val_env, env->cfg)) {
209 if(env->cfg->disable_edns_do) {
211 env->anchors);
214 dname_str(anchor->name, b);
215 log_warn("validator: disable-edns-do is enabled, but there is a trust anchor for '%s'. Since DNSSEC could not work, the disable-edns-do setting is turned off. Continuing without it.", b);
216 lock_basic_unlock(&anchor->lock);
217 env->cfg->disable_edns_do = 0;
228 if(!env || !env->modinfo[id])
230 val_env = (struct val_env*)env->modinfo[id];
231 lock_basic_destroy(&val_env->bogus_lock);
232 anchors_delete(env->anchors);
233 env->anchors = NULL;
234 key_cache_delete(val_env->kcache);
235 env->key_cache = NULL;
236 neg_cache_delete(val_env->neg_cache);
237 env->neg_cache = NULL;
238 free(val_env->nsec3_keysize);
239 free(val_env->nsec3_maxiter);
241 env->modinfo[id] = NULL;
248 if(!qstate->return_msg || qstate->return_rcode != LDNS_RCODE_NOERROR) {
251 vq->orig_msg = (struct dns_msg*)regional_alloc(qstate->region,
253 if(!vq->orig_msg)
255 vq->orig_msg->qinfo = qstate->qinfo;
256 vq->orig_msg->rep = (struct reply_info*)regional_alloc(
257 qstate->region, sizeof(struct reply_info));
258 if(!vq->orig_msg->rep)
260 memset(vq->orig_msg->rep, 0, sizeof(struct reply_info));
261 vq->orig_msg->rep->flags = (uint16_t)(qstate->return_rcode&0xf)
262 |BIT_QR|BIT_RA|(qstate->query_flags|(BIT_CD|BIT_RD));
263 vq->orig_msg->rep->qdcount = 1;
264 vq->orig_msg->rep->reason_bogus = LDNS_EDE_NONE;
266 vq->orig_msg = qstate->return_msg;
268 vq->qchase = qstate->qinfo;
270 vq->chase_reply = regional_alloc_init(qstate->region,
271 vq->orig_msg->rep,
272 sizeof(struct reply_info) - sizeof(struct rrset_ref));
273 if(!vq->chase_reply)
275 if(vq->orig_msg->rep->rrset_count > RR_COUNT_MAX)
279 vq->chase_reply->rrsets = regional_alloc(qstate->region,
281 (vq->orig_msg->rep->rrset_count
282 + vq->orig_msg->rep->an_numrrsets));
283 if(!vq->chase_reply->rrsets)
285 memmove(vq->chase_reply->rrsets, vq->orig_msg->rep->rrsets,
287 vq->orig_msg->rep->rrset_count);
288 vq->rrset_skip = 0;
297 qstate->region, sizeof(*vq));
298 log_assert(!qstate->minfo[id]);
302 qstate->minfo[id] = vq;
303 vq->state = VAL_INIT_STATE;
314 temp_timer = vq->suspend_timer;
315 restart_count = vq->restart_count+1;
317 vq->suspend_timer = temp_timer;
318 vq->restart_count = restart_count;
319 vq->state = VAL_INIT_STATE;
332 qstate->ext_state[id] = module_error;
333 qstate->return_rcode = LDNS_RCODE_SERVFAIL;
344 * @param ret_rc: rcode for this message (if noerror - examine ret_msg).
364 if(qstate->query_flags & BIT_CD) {
369 if(qstate->is_valrec) {
377 else rcode = (int)FLAGS_GET_RCODE(ret_msg->rep->flags);
384 verbose(VERB_ALGO, "cannot validate non-answer, rcode %s", rc);
389 /* cannot validate positive RRSIG response. (negatives can) */
390 if(qstate->qinfo.qtype == LDNS_RR_TYPE_RRSIG &&
392 ret_msg->rep->an_numrrsets > 0) {
407 /* validate unchecked, and re-validate bogus messages */
408 if (ret_msg && ret_msg->rep->security > sec_status_bogus)
411 sec_status_to_string(ret_msg->rep->security));
437 struct val_qstate* vq = (struct val_qstate*)qstate->minfo[id];
450 fptr_ok(fptr_whitelist_modenv_detect_cycle(qstate->env->detect_cycle));
451 if((*qstate->env->detect_cycle)(qstate, &ask,
460 qstate->env->add_sub));
461 if(!(*qstate->env->add_sub)(qstate, &ask,
469 qstate->env->attach_sub));
470 if(!(*qstate->env->attach_sub)(qstate, &ask,
480 sock_list_merge(&(*newq)->blacklist, (*newq)->region,
481 vq->chain_blacklist);
483 qstate->ext_state[id] = module_wait_subquery;
499 /* 3 bytes for "_ta", 5 bytes per tag (4 bytes + "-") */
500 #define MAX_LABEL_TAGS (LDNS_MAX_LABELLEN-3)/5
504 size_t tagstr_left = sizeof(tagstr) - strlen(tagstr);
510 enum module_ext_state ext_state = qstate->ext_state[id];
519 snprintf(tagstr_pos, tagstr_left, "-%04x", (unsigned)tags[i]);
520 tagstr_left -= strlen(tagstr_pos);
525 ta->name, ta->namelen);
526 if(!(keytagdname = (uint8_t*)regional_alloc_init(qstate->region,
533 LDNS_RR_TYPE_NULL, ta->dclass);
535 LDNS_RR_TYPE_NULL, ta->dclass, 0, &newq, 1)) {
542 qstate->ext_state[id] = ext_state;
588 int ret = generate_request(qstate, id, toprime->name, toprime->namelen,
589 LDNS_RR_TYPE_DNSKEY, toprime->dclass, BIT_CD, &newq, 0);
591 if(newq && qstate->env->cfg->trust_anchor_signaling &&
603 vq->wait_prime_ta = 1; /* to elicit PRIME_RESP_STATE processing
606 vq->trust_anchor_name = regional_alloc_init(qstate->region,
607 toprime->name, toprime->namelen);
608 vq->trust_anchor_len = toprime->namelen;
609 vq->trust_anchor_labs = toprime->namelabs;
610 if(!vq->trust_anchor_name) {
654 if(vq->msg_signatures_state) {
656 vq->msg_signatures_state = 0;
661 for(i=0; i<chase_reply->an_numrrsets; i++) {
662 if(have_state && i <= vq->msg_signatures_index)
664 s = chase_reply->rrsets[i];
669 if(i>0 && ntohs(chase_reply->rrsets[i-1]->rk.type) ==
671 ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME &&
672 ((struct packed_rrset_data*)chase_reply->rrsets[i-1]->entry.data)->security == sec_status_secure &&
673 dname_strict_subdomain_c(s->rk.dname, chase_reply->rrsets[i-1]->rk.dname)
677 ((struct packed_rrset_data*)s->entry.data)->security =
679 ((struct packed_rrset_data*)s->entry.data)->trust =
692 "has failed ANSWER rrset:", s->rk.dname,
693 ntohs(s->rk.type), ntohs(s->rk.rrset_class));
695 if(ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME)
697 else if(ntohs(s->rk.type) == LDNS_RR_TYPE_DNAME)
699 errinf_origin(qstate, qstate->reply_origin);
700 chase_reply->security = sec_status_bogus;
708 i+1 < (env->cfg->val_clean_additional?
709 chase_reply->an_numrrsets+chase_reply->ns_numrrsets:
710 chase_reply->rrset_count)) {
716 vq->msg_signatures_state = 1;
717 vq->msg_signatures_index = i;
725 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+
726 chase_reply->ns_numrrsets; i++) {
727 if(have_state && i <= vq->msg_signatures_index)
729 s = chase_reply->rrsets[i];
737 "has failed AUTHORITY rrset:", s->rk.dname,
738 ntohs(s->rk.type), ntohs(s->rk.rrset_class));
740 errinf_origin(qstate, qstate->reply_origin);
742 chase_reply->security = sec_status_bogus;
748 i+1 < (env->cfg->val_clean_additional?
749 chase_reply->an_numrrsets+chase_reply->ns_numrrsets:
750 chase_reply->rrset_count)) {
752 vq->msg_signatures_state = 1;
753 vq->msg_signatures_index = i;
762 if(!env->cfg->val_clean_additional)
765 for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets;
766 i<chase_reply->rrset_count; i++) {
767 if(have_state && i <= vq->msg_signatures_index)
769 s = chase_reply->rrsets[i];
775 if(sname && query_dname_compare(sname, key_entry->name)==0)
784 i+1 < chase_reply->rrset_count) {
786 vq->msg_signatures_state = 1;
787 vq->msg_signatures_index = i;
802 mesh_run(qstate->env->mesh, qstate->mesh_info, module_event_pass,
813 if(vq->suspend_count >= MAX_VALIDATION_SUSPENDS) {
822 vq->state = resume_state;
823 qstate->ext_state[id] = module_wait_reply;
824 if(!vq->suspend_timer) {
825 vq->suspend_timer = comm_timer_create(
826 qstate->env->worker_base,
828 if(!vq->suspend_timer) {
841 if(qstate->env->mesh->all.count >= qstate->env->mesh->max_reply_states)
843 else if(qstate->env->mesh->all.count >= qstate->env->mesh->max_reply_states/2)
845 else if(qstate->env->mesh->all.count >= qstate->env->mesh->max_reply_states/4)
847 if(vq->suspend_count > 3)
849 else if(vq->suspend_count > 0)
850 slack += vq->suspend_count;
854 /* Spread such timeouts within 90%-100% of the original timer. */
856 usec = base + ub_random_max(qstate->env->rnd, usec-base);
859 vq->suspend_count ++;
860 comm_timer_set(vq->suspend_timer, &tv);
867 * The positive response has a mangled authority section.
877 if(rep->ns_numrrsets != 1 || rep->an_numrrsets == 0)
879 if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS)
881 if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ]
882 ->entry.data)->security == sec_status_secure)
885 for(i=0; i<rep->an_numrrsets; i++) {
886 if(((struct packed_rrset_data*)rep->rrsets[ i ]
887 ->entry.data)->security != sec_status_secure)
916 if(chase_reply->an_numrrsets == 0 && chase_reply->ns_numrrsets == 1)
919 for(i = chase_reply->an_numrrsets;
920 i < chase_reply->an_numrrsets+chase_reply->ns_numrrsets; i++) {
922 chase_reply->rrsets[i]->entry.data;
923 if(ntohs(chase_reply->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS
924 && d->rrsig_count == 0) {
933 "(likely inserted by forwarder)", chase_reply->rrsets[found]);
936 for(i = orig_reply->an_numrrsets;
937 i < orig_reply->an_numrrsets+orig_reply->ns_numrrsets; i++) {
938 if(ntohs(orig_reply->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS
939 && query_dname_compare(orig_reply->rrsets[i]->rk.dname,
940 chase_reply->rrsets[found]->rk.dname) == 0) {
951 * Given a "positive" response -- a response that contains an answer to the
983 /* validate the ANSWER section - this will be the answer itself */
984 for(i=0; i<chase_reply->an_numrrsets; i++) {
985 s = chase_reply->rrsets[i];
991 log_nametypeclass(VERB_QUERY, "Positive response has "
992 "inconsistent wildcard sigs:", s->rk.dname,
993 ntohs(s->rk.type), ntohs(s->rk.rrset_class));
994 chase_reply->security = sec_status_bogus;
998 if(wc && !wc_cached && env->cfg->aggressive_nsec) {
999 rrset_cache_update_wildcard(env->rrset_cache, s, wc, wl,
1000 env->alloc, *env->now);
1006 /* validate the AUTHORITY section as well - this will generally be
1008 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+
1009 chase_reply->ns_numrrsets; i++) {
1010 s = chase_reply->rrsets[i];
1012 /* If this is a positive wildcard response, and we have a
1016 if(wc != NULL && ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) {
1023 /* Otherwise, if this is a positive wildcard response and
1025 if(wc != NULL && ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) {
1030 /* If this was a positive wildcard response that we haven't already
1034 nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
1036 chase_reply->rrsets+chase_reply->an_numrrsets,
1037 chase_reply->ns_numrrsets, qchase, kkey, wc,
1038 &vq->nsec3_cache_table, nsec3_calculations);
1040 verbose(VERB_ALGO, "Positive wildcard response is "
1042 chase_reply->security = sec_status_insecure;
1052 /* If after all this, we still haven't proven the positive wildcard
1055 verbose(VERB_QUERY, "positive response was wildcard "
1058 chase_reply->security = sec_status_bogus;
1063 verbose(VERB_ALGO, "Successfully validated positive response");
1064 chase_reply->security = sec_status_secure;
1068 * Validate a NOERROR/NODATA signed response -- a response that has a
1095 /* (Note: CNAME/DNAME responses will not directly get here --
1097 * and at the end of the cname chain a POSITIVE, or CNAME_NOANSWER
1110 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+
1111 chase_reply->ns_numrrsets; i++) {
1112 s = chase_reply->rrsets[i];
1116 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) {
1119 /* sets wc-encloser if wildcard applicable */
1121 if(val_nsec_proves_name_error(s, qchase->qname)) {
1122 ce = nsec_closest_encloser(qchase->qname, s);
1126 chase_reply->security = sec_status_insecure;
1129 } else if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) {
1148 nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
1150 chase_reply->rrsets+chase_reply->an_numrrsets,
1151 chase_reply->ns_numrrsets, qchase, kkey,
1152 &vq->nsec3_cache_table, nsec3_calculations);
1155 chase_reply->security = sec_status_insecure;
1171 chase_reply->security = sec_status_bogus;
1177 chase_reply->security = sec_status_secure;
1181 * Validate a NAMEERROR signed response -- a response that has a NXDOMAIN
1218 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+
1219 chase_reply->ns_numrrsets; i++) {
1220 s = chase_reply->rrsets[i];
1221 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) {
1222 if(val_nsec_proves_name_error(s, qchase->qname))
1224 ce = nsec_closest_encloser(qchase->qname, s);
1230 if(val_nsec_proves_no_wc(s, qchase->qname,
1231 qchase->qname_len))
1239 chase_reply->security = sec_status_insecure;
1242 } else if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3)
1247 nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
1250 chase_reply->security = nsec3_prove_nameerror(env, ve,
1251 chase_reply->rrsets, chase_reply->an_numrrsets+
1252 chase_reply->ns_numrrsets, qchase, kkey,
1253 &vq->nsec3_cache_table, nsec3_calculations);
1254 if(chase_reply->security == sec_status_unchecked) {
1257 } else if(chase_reply->security != sec_status_secure) {
1260 chase_reply->security));
1275 if(chase_reply->security == sec_status_secure) {
1278 chase_reply->security = sec_status_bogus;
1291 if (chase_reply->security == sec_status_secure) {
1294 chase_reply->security = sec_status_bogus;
1302 chase_reply->security = sec_status_secure;
1321 chase_reply->security = sec_status_secure;
1322 for(i=0; i<chase_reply->rrset_count; i++) {
1323 s = ((struct packed_rrset_data*)chase_reply->rrsets[i]
1324 ->entry.data)->security;
1325 if(s < chase_reply->security)
1326 chase_reply->security = s;
1329 sec_status_to_string(chase_reply->security));
1333 * Given an "ANY" response -- a response that contains an answer to a
1337 * NOTE: it may be possible to get parent-side delegation point records
1339 * upstream iterative resolver to not return these responses -- instead
1343 * clarification. Clarification draft -05 says to not check all types are
1379 if(qchase->qtype != LDNS_RR_TYPE_ANY) {
1380 log_err("internal error: ANY validation called for non-ANY");
1381 chase_reply->security = sec_status_bogus;
1386 /* validate the ANSWER section - this will be the answer itself */
1387 for(i=0; i<chase_reply->an_numrrsets; i++) {
1388 s = chase_reply->rrsets[i];
1394 log_nametypeclass(VERB_QUERY, "Positive ANY response"
1396 s->rk.dname, ntohs(s->rk.type),
1397 ntohs(s->rk.rrset_class));
1398 chase_reply->security = sec_status_bogus;
1407 for(i=0; i<chase_reply->an_numrrsets+chase_reply->ns_numrrsets;
1409 s = chase_reply->rrsets[i];
1411 /* If this is a positive wildcard response, and we have a
1415 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) {
1422 /* Otherwise, if this is a positive wildcard response and
1424 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) {
1429 /* If this was a positive wildcard response that we haven't already
1433 nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
1436 chase_reply->rrsets,
1437 chase_reply->an_numrrsets+chase_reply->ns_numrrsets,
1438 qchase, kkey, wc, &vq->nsec3_cache_table,
1441 verbose(VERB_ALGO, "Positive ANY wildcard response is "
1443 chase_reply->security = sec_status_insecure;
1453 /* If after all this, we still haven't proven the positive wildcard
1456 verbose(VERB_QUERY, "positive ANY response was wildcard "
1459 chase_reply->security = sec_status_bogus;
1464 verbose(VERB_ALGO, "Successfully validated positive ANY response");
1465 chase_reply->security = sec_status_secure;
1470 * This is just like a positive proof, except that this is about a
1472 * Difference with positive proof is that this routine refuses
1503 /* validate the ANSWER section - this will be the CNAME (+DNAME) */
1504 for(i=0; i<chase_reply->an_numrrsets; i++) {
1505 s = chase_reply->rrsets[i];
1512 "inconsistent wildcard sigs:", s->rk.dname,
1513 ntohs(s->rk.type), ntohs(s->rk.rrset_class));
1514 chase_reply->security = sec_status_bogus;
1522 if(qchase->qtype != LDNS_RR_TYPE_DNAME &&
1523 ntohs(s->rk.type) == LDNS_RR_TYPE_DNAME && wc) {
1525 "wildcarded DNAME:", s->rk.dname,
1526 ntohs(s->rk.type), ntohs(s->rk.rrset_class));
1527 chase_reply->security = sec_status_bogus;
1535 if (ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME) {
1541 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+
1542 chase_reply->ns_numrrsets; i++) {
1543 s = chase_reply->rrsets[i];
1545 /* If this is a positive wildcard response, and we have a
1549 if(wc != NULL && ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) {
1556 /* Otherwise, if this is a positive wildcard response and
1558 if(wc != NULL && ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) {
1563 /* If this was a positive wildcard response that we haven't already
1567 nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
1569 chase_reply->rrsets+chase_reply->an_numrrsets,
1570 chase_reply->ns_numrrsets, qchase, kkey, wc,
1571 &vq->nsec3_cache_table, nsec3_calculations);
1575 chase_reply->security = sec_status_insecure;
1585 /* If after all this, we still haven't proven the positive wildcard
1591 chase_reply->security = sec_status_bogus;
1597 chase_reply->security = sec_status_secure;
1640 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+
1641 chase_reply->ns_numrrsets; i++) {
1642 s = chase_reply->rrsets[i];
1647 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) {
1652 if(val_nsec_proves_name_error(s, qchase->qname)) {
1653 ce = nsec_closest_encloser(qchase->qname, s);
1656 nsec_ce = nsec_closest_encloser(qchase->qname, s);
1662 if(val_nsec_proves_no_wc(s, qchase->qname,
1663 qchase->qname_len))
1671 chase_reply->security = sec_status_insecure;
1674 } else if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) {
1699 chase_reply->security = sec_status_bogus;
1704 nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
1707 chase_reply->rrsets+chase_reply->an_numrrsets,
1708 chase_reply->ns_numrrsets, qchase, kkey, &nodata,
1709 &vq->nsec3_cache_table, nsec3_calculations);
1713 chase_reply->security = sec_status_insecure;
1730 chase_reply->security = sec_status_bogus;
1740 chase_reply->security = sec_status_secure;
1769 qstate->query_flags, &qstate->qinfo, &vq->qchase,
1770 vq->orig_msg->rep, vq->rrset_skip);
1771 if(vq->restart_count > ve->max_restart) {
1777 update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSSEC_BOGUS);
1782 vq->rrset_skip < vq->orig_msg->rep->rrset_count) {
1785 vq->qchase.qname = vq->orig_msg->rep->
1786 rrsets[vq->rrset_skip]->rk.dname;
1787 vq->qchase.qname_len = vq->orig_msg->rep->
1788 rrsets[vq->rrset_skip]->rk.dname_len;
1789 vq->qchase.qtype = ntohs(vq->orig_msg->rep->
1790 rrsets[vq->rrset_skip]->rk.type);
1791 vq->qchase.qclass = ntohs(vq->orig_msg->rep->
1792 rrsets[vq->rrset_skip]->rk.rrset_class);
1794 lookup_name = vq->qchase.qname;
1795 lookup_len = vq->qchase.qname_len;
1798 if(vq->qchase.qtype == LDNS_RR_TYPE_DS ||
1799 (vq->qchase.qtype == LDNS_RR_TYPE_NSEC &&
1800 vq->orig_msg->rep->rrset_count > vq->rrset_skip &&
1801 ntohs(vq->orig_msg->rep->rrsets[vq->rrset_skip]->rk.type) ==
1803 !(vq->orig_msg->rep->rrsets[vq->rrset_skip]->
1808 val_mark_indeterminate(vq->chase_reply, qstate->env->anchors,
1809 qstate->env->rrset_cache, qstate->env);
1810 vq->key_entry = NULL;
1811 vq->empty_DS_name = NULL;
1812 vq->ds_rrset = 0;
1813 anchor = anchors_lookup(qstate->env->anchors,
1814 lookup_name, lookup_len, vq->qchase.qclass);
1817 val_find_signer(subtype, &vq->qchase, vq->orig_msg->rep,
1818 vq->rrset_skip, &vq->signer_name, &vq->signer_len);
1819 if(vq->signer_name != NULL &&
1820 !dname_subdomain_c(lookup_name, vq->signer_name)) {
1822 "of lookupname, omitted", vq->signer_name, 0, 0);
1823 vq->signer_name = NULL;
1825 if(vq->signer_name == NULL) {
1829 lookup_name = vq->signer_name;
1830 lookup_len = vq->signer_len;
1835 if(subtype == VAL_CLASS_NAMEERROR && vq->signer_name &&
1836 anchor && dname_strict_subdomain_c(anchor->name, lookup_name)){
1837 lock_basic_unlock(&anchor->lock);
1838 anchor = anchors_lookup(qstate->env->anchors,
1839 lookup_name, lookup_len, vq->qchase.qclass);
1843 vq->chase_reply->security = sec_status_indeterminate;
1844 update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSSEC_INDETERMINATE);
1845 vq->state = VAL_FINISHED_STATE;
1850 qstate->qinfo.qtype == LDNS_RR_TYPE_DNSKEY &&
1851 query_dname_compare(lookup_name, qstate->qinfo.qname) == 0) {
1857 if(vq->rrset_skip > 0 || subtype == VAL_CLASS_CNAME ||
1861 val_fill_reply(vq->chase_reply, vq->orig_msg->rep,
1862 vq->rrset_skip, lookup_name, lookup_len,
1863 vq->signer_name);
1865 log_dns_msg("chased extract", &vq->qchase,
1866 vq->chase_reply);
1869 vq->key_entry = key_cache_obtain(ve->kcache, lookup_name, lookup_len,
1870 vq->qchase.qclass, qstate->region, *qstate->env->now);
1873 if(vq->key_entry == NULL && anchor == NULL) {
1875 vq->chase_reply->security = sec_status_indeterminate;
1876 update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSSEC_INDETERMINATE);
1878 vq->state = VAL_FINISHED_STATE;
1883 else if(vq->key_entry == NULL || (anchor &&
1884 dname_strict_subdomain_c(anchor->name, vq->key_entry->name))) {
1886 if(anchor && anchor->numDS == 0 && anchor->numDNSKEY == 0) {
1887 vq->chase_reply->security = sec_status_insecure;
1888 val_mark_insecure(vq->chase_reply, anchor->name,
1889 qstate->env->rrset_cache, qstate->env);
1890 lock_basic_unlock(&anchor->lock);
1892 vq->state = VAL_FINISHED_STATE;
1898 lock_basic_unlock(&anchor->lock);
1901 lock_basic_unlock(&anchor->lock);
1904 vq->state = VAL_FINDKEY_STATE;
1908 lock_basic_unlock(&anchor->lock);
1911 if(key_entry_isnull(vq->key_entry)) {
1915 vq->chase_reply->security = sec_status_insecure;
1916 val_mark_insecure(vq->chase_reply, vq->key_entry->name,
1917 qstate->env->rrset_cache, qstate->env);
1919 vq->state = VAL_FINISHED_STATE;
1921 } else if(key_entry_isbad(vq->key_entry)) {
1923 sldns_ede_code ede = key_entry_get_reason_bogus(vq->key_entry);
1925 errinf_dname(qstate, "key for validation", vq->key_entry->name);
1928 errinf(qstate, key_entry_get_reason(vq->key_entry));
1931 vq->restart_count = ve->max_restart;
1932 vq->chase_reply->security = sec_status_bogus;
1933 update_reason_bogus(vq->chase_reply, ede);
1934 vq->state = VAL_FINISHED_STATE;
1938 /* otherwise, we have our "closest" cached key -- continue
1940 vq->state = VAL_FINDKEY_STATE;
1964 log_query_info(VERB_ALGO, "validator: FindKey", &vq->qchase);
1965 /* We know that state.key_entry is not 0 or bad key -- if it were,
1970 log_assert(vq->key_entry && !key_entry_isbad(vq->key_entry));
1971 if(key_entry_isnull(vq->key_entry)) {
1972 if(!generate_request(qstate, id, vq->ds_rrset->rk.dname,
1973 vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY,
1974 vq->qchase.qclass, BIT_CD, &newq, 0)) {
1981 target_key_name = vq->signer_name;
1982 target_key_len = vq->signer_len;
1984 target_key_name = vq->qchase.qname;
1985 target_key_len = vq->qchase.qname_len;
1988 current_key_name = vq->key_entry->name;
1992 vq->state = VAL_VALIDATE_STATE;
1996 if(vq->empty_DS_name) {
2001 vq->empty_DS_name) == 0) {
2005 errinf_origin(qstate, qstate->reply_origin);
2006 vq->chase_reply->security = sec_status_bogus;
2007 update_reason_bogus(vq->chase_reply, LDNS_EDE_RRSIGS_MISSING);
2008 vq->state = VAL_FINISHED_STATE;
2011 current_key_name = vq->empty_DS_name;
2021 vq->chase_reply->security = sec_status_bogus;
2022 vq->state = VAL_FINISHED_STATE;
2025 /* so this value is >= -1 */
2026 strip_lab = dname_count_labels(target_key_name) -
2027 dname_count_labels(current_key_name) - 1;
2028 log_assert(strip_lab >= -1);
2039 if(vq->ds_rrset)
2040 log_nametypeclass(VERB_ALGO, "DS RRset", vq->ds_rrset->rk.dname, LDNS_RR_TYPE_DS, LDNS_RR_CLASS_IN);
2043 if(vq->ds_rrset && query_dname_compare(vq->ds_rrset->rk.dname,
2044 vq->key_entry->name) != 0) {
2045 if(!generate_request(qstate, id, vq->ds_rrset->rk.dname,
2046 vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY,
2047 vq->qchase.qclass, BIT_CD, &newq, 0)) {
2054 if(!vq->ds_rrset || query_dname_compare(vq->ds_rrset->rk.dname,
2057 * there is no DS, check if that NSEC has DS-bit unset, and
2061 * a completely protocol-correct response.
2066 if(vq->sub_ds_msg) {
2067 /* We have a suspended DS reply from a sub-query;
2070 msg = vq->sub_ds_msg;
2072 msg, &msg->qinfo, NULL, &suspend, NULL);
2080 vq->sub_ds_msg = NULL;
2081 return 1; /* continue processing ds-response results */
2082 } else if(!qstate->blacklist && !vq->chain_blacklist &&
2083 (msg=val_find_DS(qstate->env, target_key_name,
2084 target_key_len, vq->qchase.qclass, qstate->region,
2085 vq->key_entry->name)) ) {
2088 msg, &msg->qinfo, NULL, &suspend, NULL);
2096 return 1; /* continue processing ds-response results */
2099 target_key_len, LDNS_RR_TYPE_DS, vq->qchase.qclass,
2108 if(!generate_request(qstate, id, vq->ds_rrset->rk.dname,
2109 vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY,
2110 vq->qchase.qclass, BIT_CD, &newq, 0)) {
2140 if(!vq->key_entry) {
2146 vq->state = VAL_FINISHED_STATE;
2149 if(key_entry_isnull(vq->key_entry)) {
2151 vq->signer_name?"":"unsigned ");
2152 vq->chase_reply->security = sec_status_insecure;
2153 val_mark_insecure(vq->chase_reply, vq->key_entry->name,
2154 qstate->env->rrset_cache, qstate->env);
2155 key_cache_insert(ve->kcache, vq->key_entry,
2156 qstate->env->cfg->val_log_level >= 2);
2160 if(key_entry_isbad(vq->key_entry)) {
2162 "of trust to keys for", vq->key_entry->name,
2163 LDNS_RR_TYPE_DNSKEY, vq->key_entry->key_class);
2164 vq->chase_reply->security = sec_status_bogus;
2165 update_reason_bogus(vq->chase_reply,
2166 key_entry_get_reason_bogus(vq->key_entry));
2168 key_entry_get_reason_bogus(vq->key_entry));
2169 if(vq->restart_count >= ve->max_restart)
2170 key_cache_insert(ve->kcache, vq->key_entry,
2171 qstate->env->cfg->val_log_level >= 2);
2177 if(vq->signer_name == NULL) {
2179 "signer name", &vq->qchase);
2183 errinf_origin(qstate, qstate->reply_origin);
2184 vq->chase_reply->security = sec_status_bogus;
2185 update_reason_bogus(vq->chase_reply, LDNS_EDE_RRSIGS_MISSING);
2188 subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
2189 &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
2191 remove_spurious_authority(vq->chase_reply, vq->orig_msg->rep);
2195 if(!validate_msg_signatures(qstate, vq, qstate->env, ve,
2196 vq->chase_reply, vq->key_entry, &suspend)) {
2205 * for positive replies*/
2208 detect_wrongly_truncated(vq->orig_msg->rep)) {
2210 vq->orig_msg->rep->ns_numrrsets = 0;
2211 vq->orig_msg->rep->ar_numrrsets = 0;
2212 vq->orig_msg->rep->rrset_count =
2213 vq->orig_msg->rep->an_numrrsets;
2214 vq->chase_reply->ns_numrrsets = 0;
2215 vq->chase_reply->ar_numrrsets = 0;
2216 vq->chase_reply->rrset_count =
2217 vq->chase_reply->an_numrrsets;
2218 qstate->errinf = NULL;
2229 verbose(VERB_ALGO, "Validating a positive response");
2230 validate_positive_response(qstate->env, ve,
2231 &vq->qchase, vq->chase_reply, vq->key_entry,
2239 verbose(VERB_DETAIL, "validate(positive): %s",
2241 vq->chase_reply->security));
2246 validate_nodata_response(qstate->env, ve,
2247 &vq->qchase, vq->chase_reply, vq->key_entry,
2257 vq->chase_reply->security));
2261 rcode = (int)FLAGS_GET_RCODE(vq->orig_msg->rep->flags);
2263 validate_nameerror_response(qstate->env, ve,
2264 &vq->qchase, vq->chase_reply, vq->key_entry, &rcode,
2274 vq->chase_reply->security));
2275 FLAGS_SET_RCODE(vq->orig_msg->rep->flags, rcode);
2276 FLAGS_SET_RCODE(vq->chase_reply->flags, rcode);
2281 validate_cname_response(qstate->env, ve,
2282 &vq->qchase, vq->chase_reply, vq->key_entry,
2292 vq->chase_reply->security));
2298 validate_cname_noanswer_response(qstate->env, ve,
2299 &vq->qchase, vq->chase_reply, vq->key_entry,
2309 vq->chase_reply->security));
2314 validate_referral_response(vq->chase_reply);
2317 vq->chase_reply->security));
2321 verbose(VERB_ALGO, "Validating a positive ANY "
2323 validate_any_response(qstate->env, ve, &vq->qchase,
2324 vq->chase_reply, vq->key_entry, qstate, vq,
2334 vq->chase_reply->security));
2341 if(vq->chase_reply->security == sec_status_bogus) {
2346 errinf_origin(qstate, qstate->reply_origin);
2367 qstate->query_flags, &qstate->qinfo, &vq->qchase,
2368 vq->orig_msg->rep, vq->rrset_skip);
2371 if(vq->rrset_skip == 0) {
2372 vq->orig_msg->rep->security = vq->chase_reply->security;
2373 update_reason_bogus(vq->orig_msg->rep, vq->chase_reply->reason_bogus);
2375 vq->rrset_skip < vq->orig_msg->rep->an_numrrsets +
2376 vq->orig_msg->rep->ns_numrrsets) {
2380 if(vq->chase_reply->security < vq->orig_msg->rep->security) {
2381 vq->orig_msg->rep->security =
2382 vq->chase_reply->security;
2383 update_reason_bogus(vq->orig_msg->rep, vq->chase_reply->reason_bogus);
2389 vq->rrset_skip = val_next_unchecked(vq->orig_msg->rep,
2390 vq->rrset_skip);
2391 if(vq->rrset_skip < vq->orig_msg->rep->rrset_count) {
2394 vq->chase_reply->security = sec_status_unchecked;
2395 vq->state = VAL_INIT_STATE;
2400 if(vq->chase_reply->security != sec_status_bogus &&
2403 if(!val_chase_cname(&vq->qchase, vq->orig_msg->rep,
2404 &vq->rrset_skip)) {
2406 vq->orig_msg->rep->security = sec_status_bogus;
2407 update_reason_bogus(vq->orig_msg->rep, LDNS_EDE_DNSSEC_BOGUS);
2411 &vq->qchase);
2412 vq->chase_reply->security = sec_status_unchecked;
2413 vq->state = VAL_INIT_STATE;
2418 if(vq->orig_msg->rep->security == sec_status_secure) {
2422 * that are not secure (if clean-additional option is set) */
2424 val_check_nonsecure(qstate->env, vq->orig_msg->rep);
2425 if(vq->orig_msg->rep->security == sec_status_secure) {
2427 &qstate->qinfo);
2428 if(!qstate->no_cache_store) {
2429 val_neg_addreply(qstate->env->neg_cache,
2430 vq->orig_msg->rep);
2435 /* if the result is bogus - set message ttl to bogus ttl to avoid
2437 if(vq->orig_msg->rep->security == sec_status_bogus) {
2441 if(vq->restart_count < ve->max_restart) {
2444 val_blacklist(&qstate->blacklist, qstate->region,
2445 qstate->reply_origin, 0);
2446 qstate->reply_origin = NULL;
2447 qstate->errinf = NULL;
2450 qstate->ext_state[id] = module_restart_next;
2454 if(qstate->env->cfg->serve_expired &&
2455 (e=msg_cache_lookup(qstate->env, qstate->qinfo.qname,
2456 qstate->qinfo.qname_len, qstate->qinfo.qtype,
2457 qstate->qinfo.qclass, qstate->query_flags,
2460 struct reply_info* rep = (struct reply_info*)e->entry.data;
2461 if(rep && rep->security > sec_status_bogus &&
2462 (!qstate->env->cfg->serve_expired_ttl ||
2463 qstate->env->cfg->serve_expired_ttl_reset ||
2464 *qstate->env->now <= rep->serve_expired_ttl)) {
2467 "exists; set serve-expired-norec-ttl "
2469 rep->serve_expired_norec_ttl = NORR_TTL +
2470 *qstate->env->now;
2471 if(qstate->env->cfg->serve_expired_ttl_reset &&
2472 *qstate->env->now + qstate->env->cfg->serve_expired_ttl
2473 > rep->serve_expired_ttl) {
2474 verbose(VERB_ALGO, "reset serve-expired-ttl for "
2476 rep->serve_expired_ttl = *qstate->env->now +
2477 qstate->env->cfg->serve_expired_ttl;
2480 * If serve-expired-client-timeout is enabled,
2481 * the client-timeout logic will try to find an
2486 qstate->return_rcode = LDNS_RCODE_SERVFAIL;
2487 qstate->return_msg = NULL;
2488 qstate->ext_state[id] = module_finished;
2489 lock_rw_unlock(&e->entry.lock);
2492 lock_rw_unlock(&e->entry.lock);
2495 vq->orig_msg->rep->ttl = ve->bogus_ttl;
2496 vq->orig_msg->rep->prefetch_ttl =
2497 PREFETCH_TTL_CALC(vq->orig_msg->rep->ttl);
2498 vq->orig_msg->rep->serve_expired_ttl =
2499 vq->orig_msg->rep->ttl + qstate->env->cfg->serve_expired_ttl;
2500 if((qstate->env->cfg->val_log_level >= 1 ||
2501 qstate->env->cfg->log_servfail) &&
2502 !qstate->env->cfg->val_log_squelch) {
2503 if(qstate->env->cfg->val_log_level < 2 &&
2504 !qstate->env->cfg->log_servfail)
2506 &qstate->qinfo);
2509 qstate->region);
2512 vq->orig_msg->rep->reason_bogus_str = err_str;
2523 if(qstate->env->cfg->val_permissive_mode)
2524 vq->orig_msg->rep->security = sec_status_indeterminate;
2527 if(vq->orig_msg->rep->security == sec_status_secure &&
2528 qstate->env->cfg->root_key_sentinel &&
2529 (qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
2530 qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA)) {
2533 if(*qstate->qinfo.qname == strlen(SENTINEL_IS) +
2535 dname_lab_startswith(qstate->qinfo.qname, SENTINEL_IS,
2538 !anchor_has_keytag(qstate->env->anchors,
2539 (uint8_t*)"", 1, 0, vq->qchase.qclass, keytag)) {
2540 vq->orig_msg->rep->security =
2543 } else if(*qstate->qinfo.qname == strlen(SENTINEL_NOT) +
2545 dname_lab_startswith(qstate->qinfo.qname, SENTINEL_NOT,
2548 anchor_has_keytag(qstate->env->anchors,
2549 (uint8_t*)"", 1, 0, vq->qchase.qclass, keytag)) {
2550 vq->orig_msg->rep->security =
2556 /* Update rep->reason_bogus as it is the one being cached */
2557 update_reason_bogus(vq->orig_msg->rep, errinf_to_reason_bogus(qstate));
2559 if(qstate->query_flags&BIT_RD) {
2562 if(!qstate->no_cache_store) {
2563 if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo,
2564 vq->orig_msg->rep, 0, qstate->prefetch_leeway,
2565 0, qstate->region, qstate->query_flags,
2566 qstate->qstarttime)) {
2573 if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo,
2574 vq->orig_msg->rep, 1, 0, 0, qstate->region,
2575 qstate->query_flags, qstate->qstarttime)) {
2579 qstate->return_rcode = LDNS_RCODE_NOERROR;
2580 qstate->return_msg = vq->orig_msg;
2581 qstate->ext_state[id] = module_finished;
2601 val_state_to_string(vq->state));
2602 switch(vq->state) {
2617 vq->state);
2628 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
2629 struct val_qstate* vq = (struct val_qstate*)qstate->minfo[id];
2631 "event:%s", id, strextstate(qstate->ext_state[id]),
2634 &qstate->qinfo);
2635 if(vq && qstate->qinfo.qname != vq->qchase.qname)
2637 &vq->qchase);
2644 qstate->ext_state[id] = module_wait_module;
2651 if(!needs_validation(qstate, qstate->return_rcode,
2652 qstate->return_msg)) {
2654 if(qstate->return_msg)
2655 qstate->return_msg->rep->security =
2657 qstate->ext_state[id] = module_finished;
2660 if(already_validated(qstate->return_msg)) {
2661 qstate->ext_state[id] = module_finished;
2664 if(qstate->rpz_applied) {
2666 if(qstate->return_msg)
2667 qstate->return_msg->rep->security =
2669 qstate->ext_state[id] = module_finished;
2674 if(qstate->qinfo.qclass == LDNS_RR_CLASS_ANY) {
2676 if(qstate->return_msg) {
2677 qstate->return_msg->rep->security =
2679 update_reason_bogus(qstate->return_msg->rep, LDNS_EDE_DNSSEC_BOGUS);
2681 qstate->ext_state[id] = module_finished;
2685 qstate->ext_state[id] = module_error; /* override this */
2690 qstate->ext_state[id] = module_error;
2693 } else if(!vq->orig_msg) {
2696 qstate->ext_state[id] = module_error;
2704 qstate->ext_state[id] = module_error; /* override this */
2710 qstate->ext_state[id] = module_error;
2734 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
2740 int downprot = qstate->env->cfg->harden_algo_downgrade;
2745 log_nametypeclass(VERB_OPS, "failed to prime trust anchor -- "
2747 ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass);
2755 if(qstate->env->cfg->harden_dnssec_stripped) {
2757 kkey = key_entry_create_bad(qstate->region, ta->name,
2758 ta->namelen, ta->dclass, BOGUS_KEY_TTL,
2759 reason_bogus, rstr, *qstate->env->now);
2760 } else kkey = key_entry_create_null(qstate->region, ta->name,
2761 ta->namelen, ta->dclass, NULL_KEY_TTL,
2762 reason_bogus, rstr, *qstate->env->now);
2770 kkey = val_verify_new_DNSKEYs_with_ta(qstate->region, qstate->env, ve,
2771 dnskey_rrset, ta->ds_rrset, ta->dnskey_rrset, downprot,
2785 log_nametypeclass(VERB_OPS, "failed to prime trust anchor -- "
2787 ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass);
2790 if(qstate->env->cfg->harden_dnssec_stripped) {
2792 kkey = key_entry_create_bad(qstate->region, ta->name,
2793 ta->namelen, ta->dclass, BOGUS_KEY_TTL,
2795 *qstate->env->now);
2796 } else kkey = key_entry_create_null(qstate->region, ta->name,
2797 ta->namelen, ta->dclass, NULL_KEY_TTL,
2799 *qstate->env->now);
2808 ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass);
2840 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
2867 subtype = val_classify_response(BIT_RD, qinfo, qinfo, msg->rep, 0);
2871 ds = reply_find_answer_rrset(qinfo, msg->rep);
2872 /* If there was no DS rrset, then we have mis-classified
2875 log_warn("internal error: POSITIVE DS response was "
2883 sec = val_verify_rrset_entry(qstate->env, ve, ds,
2884 vq->key_entry, &reason, &reason_bogus,
2899 *ke = key_entry_create_null(qstate->region,
2900 qinfo->qname, qinfo->qname_len, qinfo->qclass,
2903 *qstate->env->now);
2907 /* Otherwise, we return the positive response. */
2909 *ke = key_entry_create_rrset(qstate->region,
2910 qinfo->qname, qinfo->qname_len, qinfo->qclass, ds,
2911 NULL, LDNS_EDE_NONE, NULL, *qstate->env->now);
2921 if(!val_has_signed_nsecs(msg->rep, &reason)) {
2935 qstate->env, ve, qinfo, msg->rep, vq->key_entry,
2942 *ke = key_entry_create_null(qstate->region,
2943 qinfo->qname, qinfo->qname_len,
2944 qinfo->qclass, proof_ttl,
2946 *qstate->env->now);
2964 if(!nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
2971 sec = nsec3_prove_nods(qstate->env, ve,
2972 msg->rep->rrsets + msg->rep->an_numrrsets,
2973 msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason,
2974 &reason_bogus, qstate, &vq->nsec3_cache_table,
2979 * space. If nsec3-iter-count too high or
2984 *ke = key_entry_create_null(qstate->region,
2985 qinfo->qname, qinfo->qname_len,
2986 qinfo->qclass, proof_ttl,
2988 *qstate->env->now);
3021 cname = reply_find_rrset_section_an(msg->rep, qinfo->qname,
3022 qinfo->qname_len, LDNS_RR_TYPE_CNAME, qinfo->qclass);
3029 if(((struct packed_rrset_data*)cname->entry.data)->rrsig_count
3031 if(msg->rep->an_numrrsets != 0 && ntohs(msg->rep->
3032 rrsets[0]->rk.type)==LDNS_RR_TYPE_DNAME) {
3040 sec = val_verify_rrset_entry(qstate->env, ve, cname,
3041 vq->key_entry, &reason, &reason_bogus,
3059 if(FLAGS_GET_RCODE(msg->rep->flags) != LDNS_RCODE_NOERROR) {
3063 msg->rep->flags), rc, sizeof(rc));
3070 *ke = key_entry_create_bad(qstate->region, qinfo->qname,
3071 qinfo->qname_len, qinfo->qclass, BOGUS_KEY_TTL,
3072 reason_bogus, reason, *qstate->env->now);
3102 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
3104 uint8_t* olds = vq->empty_DS_name;
3107 vq->empty_DS_name = NULL;
3108 if(sub_qstate && sub_qstate->rpz_applied) {
3111 vq->key_entry = NULL;
3112 vq->state = VAL_FINISHED_STATE;
3113 vq->chase_reply->security = sec_status_insecure;
3122 vq->key_entry = NULL; /* make it error */
3123 vq->state = VAL_VALIDATE_STATE;
3130 vq->key_entry = NULL; /* make it error */
3131 vq->state = VAL_VALIDATE_STATE;
3136 vq->empty_DS_name = regional_alloc_init(qstate->region,
3137 qinfo->qname, qinfo->qname_len);
3138 if(!vq->empty_DS_name) {
3140 vq->key_entry = NULL; /* make it error */
3141 vq->state = VAL_VALIDATE_STATE;
3144 vq->empty_DS_len = qinfo->qname_len;
3145 vq->chain_blacklist = NULL;
3149 vq->ds_rrset = key_entry_get_rrset(dske, qstate->region);
3150 if(!vq->ds_rrset) {
3152 vq->key_entry = NULL; /* make it error */
3153 vq->state = VAL_VALIDATE_STATE;
3156 vq->chain_blacklist = NULL; /* fresh blacklist for next part*/
3159 && vq->restart_count < ve->max_restart) {
3160 vq->empty_DS_name = olds;
3161 val_blacklist(&vq->chain_blacklist, qstate->region, origin, 1);
3162 qstate->errinf = NULL;
3163 vq->restart_count++;
3167 errinf_dname(qstate, "for DS", qinfo->qname);
3172 vq->key_entry = dske;
3173 /* The FINDKEY phase has ended, so move on. */
3174 vq->state = VAL_VALIDATE_STATE;
3201 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
3202 struct key_entry_key* old = vq->key_entry;
3209 if(sub_qstate && sub_qstate->rpz_applied) {
3212 vq->key_entry = NULL;
3213 vq->state = VAL_FINISHED_STATE;
3214 vq->chase_reply->security = sec_status_insecure;
3219 dnskey = reply_find_answer_rrset(qinfo, msg->rep);
3228 if(vq->restart_count < ve->max_restart) {
3229 val_blacklist(&vq->chain_blacklist, qstate->region,
3231 qstate->errinf = NULL;
3232 vq->restart_count++;
3243 vq->key_entry = key_entry_create_bad(qstate->region,
3244 qinfo->qname, qinfo->qname_len, qinfo->qclass,
3245 BOGUS_KEY_TTL, reason_bogus, rstr, *qstate->env->now);
3246 if(!vq->key_entry) {
3252 errinf_dname(qstate, "for key", qinfo->qname);
3253 vq->state = VAL_VALIDATE_STATE;
3256 if(!vq->ds_rrset) {
3258 vq->key_entry = NULL;
3259 vq->state = VAL_VALIDATE_STATE;
3262 downprot = qstate->env->cfg->harden_algo_downgrade;
3263 vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
3264 ve, dnskey, vq->ds_rrset, downprot, &reason, &reason_bogus,
3267 if(!vq->key_entry) {
3269 vq->state = VAL_VALIDATE_STATE;
3274 if(!key_entry_isgood(vq->key_entry)) {
3275 if(key_entry_isbad(vq->key_entry)) {
3276 if(vq->restart_count < ve->max_restart) {
3277 val_blacklist(&vq->chain_blacklist,
3278 qstate->region, origin, 1);
3279 qstate->errinf = NULL;
3280 vq->restart_count++;
3281 vq->key_entry = old;
3288 errinf_dname(qstate, "for key", qinfo->qname);
3290 vq->chain_blacklist = NULL;
3291 vq->state = VAL_VALIDATE_STATE;
3294 vq->chain_blacklist = NULL;
3295 qstate->errinf = NULL;
3298 key_cache_insert(ve->kcache, vq->key_entry,
3299 qstate->env->cfg->val_log_level >= 2);
3323 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
3325 struct trust_anchor* ta = anchor_find(qstate->env->anchors,
3326 vq->trust_anchor_name, vq->trust_anchor_labs,
3327 vq->trust_anchor_len, vq->qchase.qclass);
3330 vq->state = VAL_INIT_STATE;
3331 if(!vq->trust_anchor_name)
3332 vq->state = VAL_VALIDATE_STATE; /* break a loop */
3333 vq->trust_anchor_name = NULL;
3339 dnskey_rrset = reply_find_rrset_section_an(msg->rep,
3340 ta->name, ta->namelen, LDNS_RR_TYPE_DNSKEY,
3341 ta->dclass);
3344 if(ta->autr) {
3345 if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset,
3348 vq->state = VAL_INIT_STATE;
3349 vq->trust_anchor_name = NULL;
3353 vq->key_entry = primeResponseToKE(dnskey_rrset, ta, qstate, id,
3355 lock_basic_unlock(&ta->lock);
3356 if(vq->key_entry) {
3357 if(key_entry_isbad(vq->key_entry)
3358 && vq->restart_count < ve->max_restart) {
3359 val_blacklist(&vq->chain_blacklist, qstate->region,
3361 qstate->errinf = NULL;
3362 vq->restart_count++;
3363 vq->key_entry = NULL;
3364 vq->state = VAL_INIT_STATE;
3367 vq->chain_blacklist = NULL;
3369 errinf_dname(qstate, "for trust anchor", ta->name);
3371 key_cache_insert(ve->kcache, vq->key_entry,
3372 qstate->env->cfg->val_log_level >= 2);
3376 if(!vq->key_entry || key_entry_isnull(vq->key_entry) ||
3377 key_entry_isbad(vq->key_entry)) {
3378 vq->state = VAL_VALIDATE_STATE;
3394 struct val_qstate* vq = (struct val_qstate*)super->minfo[id];
3396 &qstate->qinfo);
3397 log_query_info(VERB_ALGO, "super is", &super->qinfo);
3402 if(vq->wait_prime_ta) {
3403 vq->wait_prime_ta = 0;
3404 process_prime_response(super, vq, id, qstate->return_rcode,
3405 qstate->return_msg, qstate->reply_origin, qstate);
3408 if(qstate->qinfo.qtype == LDNS_RR_TYPE_DS) {
3410 process_ds_response(super, vq, id, qstate->return_rcode,
3411 qstate->return_msg, &qstate->qinfo,
3412 qstate->reply_origin, &suspend, qstate);
3414 * it will be re-initiated if needed later on.
3418 if(vq->nsec3_cache_table.ct) {
3419 vq->nsec3_cache_table.ct = NULL;
3422 /* deep copy the return_msg to vq->sub_ds_msg; it will
3424 * that the initial calculations will be re-caclulated
3425 * and re-suspended there before continuing. */
3426 vq->sub_ds_msg = dns_msg_deepcopy_region(
3427 qstate->return_msg, super->region);
3430 } else if(qstate->qinfo.qtype == LDNS_RR_TYPE_DNSKEY) {
3431 process_dnskey_response(super, vq, id, qstate->return_rcode,
3432 qstate->return_msg, &qstate->qinfo,
3433 qstate->reply_origin, qstate);
3445 vq = (struct val_qstate*)qstate->minfo[id];
3447 if(vq->suspend_timer) {
3448 comm_timer_delete(vq->suspend_timer);
3452 qstate->minfo[id] = NULL;
3458 struct val_env* ve = (struct val_env*)env->modinfo[id];
3461 return sizeof(*ve) + key_cache_get_mem(ve->kcache) +
3462 val_neg_get_mem(ve->neg_cache) +
3463 sizeof(size_t)*2*ve->nsec3_keyiter_count;