Lines Matching defs:val
104 #define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
105 #define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
106 #define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
107 #define FOUNDNODATA(val) ((val->attributes & VALATTR_FOUNDNODATA) != 0)
108 #define FOUNDNOQNAME(val) ((val->attributes & VALATTR_FOUNDNOQNAME) != 0)
109 #define FOUNDNOWILDCARD(val) ((val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)
110 #define FOUNDCLOSEST(val) ((val->attributes & VALATTR_FOUNDCLOSEST) != 0)
111 #define FOUNDOPTOUT(val) ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
126 destroy_validator(dns_validator_t *val);
129 select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset);
134 validate_async_done(dns_validator_t *val, isc_result_t result);
136 validate_async_run(dns_validator_t *val, isc_job_cb cb);
138 validate_helper_run(dns_validator_t *val, isc_job_cb cb);
143 validate_dnskey_dsset_done(dns_validator_t *val, isc_result_t result);
146 validate_nx(dns_validator_t *val, bool resume);
149 proveunsecure(dns_validator_t *val, bool have_ds, bool resume);
152 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
157 validator_log(void *val, int level, const char *fmt, ...)
161 validator_logcreate(dns_validator_t *val, dns_name_t *name,
169 expire_rdatasets(dns_validator_t *val) {
170 if (dns_rdataset_isassociated(&val->frdataset)) {
171 dns_rdataset_expire(&val->frdataset);
173 if (dns_rdataset_isassociated(&val->fsigrdataset)) {
174 dns_rdataset_expire(&val->fsigrdataset);
182 disassociate_rdatasets(dns_validator_t *val) {
183 if (dns_rdataset_isassociated(&val->fdsset)) {
184 dns_rdataset_disassociate(&val->fdsset);
186 if (dns_rdataset_isassociated(&val->frdataset)) {
187 dns_rdataset_disassociate(&val->frdataset);
189 if (dns_rdataset_isassociated(&val->fsigrdataset)) {
190 dns_rdataset_disassociate(&val->fsigrdataset);
195 * Mark the rdatasets in val->vstat with trust level "answer",
202 markanswer(dns_validator_t *val, const char *where, const char *mbstext) {
203 if (val->mustbesecure && mbstext != NULL) {
204 validator_log(val, ISC_LOG_WARNING,
209 validator_log(val, ISC_LOG_DEBUG(3), "marking as answer (%s)", where);
210 if (val->rdataset != NULL) {
211 dns_rdataset_settrust(val->rdataset, dns_trust_answer);
213 if (val->sigrdataset != NULL) {
214 dns_rdataset_settrust(val->sigrdataset, dns_trust_answer);
221 * Mark the RRsets in val->vstat with trust level secure.
224 marksecure(dns_validator_t *val) {
225 dns_rdataset_settrust(val->rdataset, dns_trust_secure);
226 if (val->sigrdataset != NULL) {
227 dns_rdataset_settrust(val->sigrdataset, dns_trust_secure);
229 val->secure = true;
233 * Validator 'val' is finished; send the completion event to the loop
237 validator_done(dns_validator_t *val, isc_result_t result) {
238 if (COMPLETE(val)) {
242 val->attributes |= VALATTR_COMPLETE;
243 val->result = result;
245 isc_async_run(val->loop, val->cb, val);
372 dns_validator_t *val = arg;
373 dns_rdataset_t *rdataset = &val->frdataset;
375 isc_result_t result = select_signing_key(val, rdataset);
377 val->keyset = &val->frdataset;
380 (void)validate_async_run(val, resume_answer_with_key_done);
385 dns_validator_t *val = arg;
387 resume_answer(val);
398 dns_validator_t *val = resp->arg;
399 dns_rdataset_t *rdataset = &val->frdataset;
410 if (dns_rdataset_isassociated(&val->fsigrdataset)) {
411 dns_rdataset_disassociate(&val->fsigrdataset);
414 validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_dnskey");
415 dns_resolver_destroyfetch(&val->fetch);
417 if (CANCELED(val) || CANCELING(val)) {
429 validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
439 result = validate_helper_run(val,
442 result = validate_async_run(val, resume_answer);
446 validator_log(val, ISC_LOG_DEBUG(3),
454 validate_async_done(val, result);
455 dns_validator_detach(&val);
465 dns_validator_t *val = resp->arg;
466 dns_rdataset_t *rdataset = &val->frdataset;
475 trustchain = ((val->attributes & VALATTR_INSECURITY) == 0);
484 if (dns_rdataset_isassociated(&val->fsigrdataset)) {
485 dns_rdataset_disassociate(&val->fsigrdataset);
488 validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_ds");
489 dns_resolver_destroyfetch(&val->fetch);
491 if (CANCELED(val) || CANCELING(val)) {
504 validator_log(val, ISC_LOG_DEBUG(3),
507 val->dsset = &val->frdataset;
508 result = validate_async_run(val, validate_dnskey);
518 validator_log(val, ISC_LOG_DEBUG(3),
521 result = proveunsecure(val, false, false);
524 validator_log(val, ISC_LOG_DEBUG(3),
540 result = proveunsecure(val, false, true);
549 result = proveunsecure(val, true, true);
553 if (isdelegation(resp->foundname, &val->frdataset,
562 val, "fetch_callback_ds",
572 result = proveunsecure(val, false, true);
575 validator_log(val, ISC_LOG_DEBUG(3),
584 validate_async_done(val, result);
585 dns_validator_detach(&val);
596 dns_validator_t *val = subvalidator->parent;
599 val->subvalidator = NULL;
601 if (CANCELED(val) || CANCELING(val)) {
606 validator_log(val, ISC_LOG_DEBUG(3), "in validator_callback_dnskey");
608 validator_log(val, ISC_LOG_DEBUG(3), "keyset with trust %s",
609 dns_trust_totext(val->frdataset.trust));
613 if (val->frdataset.trust >= dns_trust_secure) {
614 result = validate_helper_run(val,
617 result = validate_async_run(val, resume_answer);
621 expire_rdatasets(val);
623 validator_log(val, ISC_LOG_DEBUG(3),
633 validate_async_done(val, result);
644 dns_validator_t *val = subvalidator->parent;
648 val->subvalidator = NULL;
650 if (CANCELED(val) || CANCELING(val)) {
655 validator_log(val, ISC_LOG_DEBUG(3), "in validator_callback_ds");
659 validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
660 val->frdataset.type == dns_rdatatype_ds
663 dns_trust_totext(val->frdataset.trust));
664 have_dsset = (val->frdataset.type == dns_rdatatype_ds);
665 name = dns_fixedname_name(&val->fname);
666 if ((val->attributes & VALATTR_INSECURITY) != 0 &&
667 val->frdataset.covers == dns_rdatatype_ds &&
668 NEGATIVE(&val->frdataset) &&
669 isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET))
671 result = markanswer(val, "validator_callback_ds",
673 } else if ((val->attributes & VALATTR_INSECURITY) != 0) {
674 result = proveunsecure(val, have_dsset, true);
676 result = validate_async_run(val, validate_dnskey);
680 expire_rdatasets(val);
682 validator_log(val, ISC_LOG_DEBUG(3),
692 validate_async_done(val, result);
703 dns_validator_t *val = subvalidator->parent;
707 INSIST((val->attributes & VALATTR_INSECURITY) != 0);
709 val->subvalidator = NULL;
711 if (CANCELED(val) || CANCELING(val)) {
716 validator_log(val, ISC_LOG_DEBUG(3), "in validator_callback_cname");
718 validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %s",
719 dns_trust_totext(val->frdataset.trust));
720 result = proveunsecure(val, false, true);
723 expire_rdatasets(val);
725 validator_log(val, ISC_LOG_DEBUG(3),
735 validate_async_done(val, result);
748 dns_validator_t *val = subvalidator->parent;
754 val->subvalidator = NULL;
756 if (CANCELED(val) || CANCELING(val)) {
761 validator_log(val, ISC_LOG_DEBUG(3), "in validator_callback_nsec");
763 dns_name_t **proofs = val->proofs;
764 dns_name_t *wild = dns_fixedname_name(&val->wild);
768 (NEEDNODATA(val) || NEEDNOQNAME(val)) &&
769 !FOUNDNODATA(val) && !FOUNDNOQNAME(val) &&
770 dns_nsec_noexistnodata(val->type, val->name,
773 val) == ISC_R_SUCCESS)
776 val->attributes |= VALATTR_FOUNDNODATA;
777 if (NEEDNODATA(val)) {
786 val->attributes |= VALATTR_FOUNDNOQNAME;
788 closest = dns_fixedname_name(&val->closest);
800 val->attributes |= VALATTR_FOUNDCLOSEST;
806 if (NEEDNOQNAME(val)) {
813 result = validate_nx(val, true);
815 validator_log(val, ISC_LOG_DEBUG(3),
824 val->authfail++;
827 result = validate_nx(val, true);
835 validate_async_done(val, result);
851 view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
857 disassociate_rdatasets(val);
861 result = dns_view_find(val->view, name, type, 0, options, false, false,
862 NULL, NULL, foundname, &val->frdataset,
863 &val->fsigrdataset);
878 disassociate_rdatasets(val);
888 check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
892 for (parent = val; parent != NULL; parent = parent->parent) {
904 validator_log(val, ISC_LOG_DEBUG(3),
917 create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
922 disassociate_rdatasets(val);
924 if (check_deadlock(val, name, type, NULL, NULL)) {
925 validator_log(val, ISC_LOG_DEBUG(3),
930 if ((val->options & DNS_VALIDATOR_NOCDFLAG) != 0) {
934 if ((val->options & DNS_VALIDATOR_NONTA) != 0) {
938 validator_logcreate(val, name, type, caller, "fetch");
940 dns_validator_ref(val);
942 val->view->resolver, name, type, NULL, NULL, NULL, NULL, 0,
943 fopts, 0, NULL, val->loop, callback, val, &val->frdataset,
944 &val->fsigrdataset, &val->fetch);
946 dns_validator_detach(&val);
956 create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
967 if (check_deadlock(val, name, type, rdataset, sig)) {
968 validator_log(val, ISC_LOG_DEBUG(3),
974 vopts |= (val->options &
977 validator_logcreate(val, name, type, caller, "validator");
978 result = dns_validator_create(val->view, name, type, rdataset, sig,
979 NULL, vopts, val->loop, cb, val,
980 val->nvalidations, val->nfails, val->qc,
981 &val->subvalidator);
983 dns_validator_attach(val, &val->subvalidator->parent);
984 val->subvalidator->depth = val->depth + 1;
990 * Try to find a key that could have signed val->siginfo among those in
991 * 'rdataset'. If found, build a dst_key_t for it and point val->key at
994 * If val->key is already non-NULL, locate it in the rdataset and then
996 * set val->key to that.
1002 select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
1004 dns_rdata_rrsig_t *siginfo = val->siginfo;
1007 dst_key_t *oldkey = val->key;
1014 val->key = NULL;
1026 INSIST(val->key == NULL);
1028 val->view->mctx, no_rdata,
1029 &val->key);
1032 (dns_secalg_t)dst_key_alg(val->key) &&
1034 (dns_keytag_t)dst_key_id(val->key) &&
1035 (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) ==
1037 dst_key_iszonekey(val->key))
1042 dst_key_free(&val->key);
1049 dst_key_free(&val->key);
1065 * Get the key that generated the signature in val->siginfo.
1068 seek_dnskey(dns_validator_t *val) {
1070 dns_rdata_rrsig_t *siginfo = val->siginfo;
1081 namereln = dns_name_fullcompare(val->name, &siginfo->signer, &order,
1094 if (val->rdataset->type == dns_rdatatype_dnskey) {
1102 if (dns_rdatatype_atparent(val->rdataset->type)) {
1110 if (val->rdataset->type == dns_rdatatype_soa ||
1111 val->rdataset->type == dns_rdatatype_ns)
1115 if (val->rdataset->type == dns_rdatatype_soa) {
1120 validator_log(val, ISC_LOG_DEBUG(3),
1129 result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
1135 val->keyset = &val->frdataset;
1136 if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
1137 DNS_TRUST_ANSWER(val->frdataset.trust)) &&
1138 dns_rdataset_isassociated(&val->fsigrdataset))
1146 val, &siginfo->signer, dns_rdatatype_dnskey,
1147 &val->frdataset, &val->fsigrdataset,
1153 } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
1159 } else if (val->frdataset.trust < dns_trust_secure) {
1164 val->key = NULL;
1170 validator_log(val, ISC_LOG_DEBUG(3),
1172 dns_trust_totext(val->frdataset.trust));
1177 if (dns_rdataset_isassociated(&val->frdataset) &&
1178 val->keyset != &val->frdataset)
1180 dns_rdataset_disassociate(&val->frdataset);
1182 if (dns_rdataset_isassociated(&val->fsigrdataset)) {
1183 dns_rdataset_disassociate(&val->fsigrdataset);
1186 return validate_helper_run(val, resume_answer_with_key);
1194 result = create_fetch(val, &siginfo->signer,
1220 if (dns_rdataset_isassociated(&val->frdataset) &&
1221 val->keyset != &val->frdataset)
1223 dns_rdataset_disassociate(&val->frdataset);
1225 if (dns_rdataset_isassociated(&val->fsigrdataset)) {
1226 dns_rdataset_disassociate(&val->fsigrdataset);
1244 over_max_validations(dns_validator_t *val) {
1245 if (val->nvalidations == NULL || (*val->nvalidations) > 0) {
1250 val->attributes |= VALATTR_MAXVALIDATIONS;
1255 consume_validation(dns_validator_t *val) {
1256 if (val->nvalidations == NULL) {
1259 INSIST((*val->nvalidations) > 0);
1261 (*val->nvalidations)--;
1265 over_max_fails(dns_validator_t *val) {
1266 if (val->nfails == NULL || (*val->nfails) > 0) {
1271 val->attributes |= VALATTR_MAXVALIDATIONFAILS;
1276 consume_validation_fail(dns_validator_t *val) {
1277 if (val->nfails == NULL) {
1280 INSIST((*val->nfails) > 0);
1282 (*val->nfails)--;
1286 * Is the DNSKEY rrset in val->rdataset self-signed?
1289 selfsigned_dnskey(dns_validator_t *val) {
1290 dns_rdataset_t *rdataset = val->rdataset;
1291 dns_rdataset_t *sigrdataset = val->sigrdataset;
1292 dns_name_t *name = val->name;
1294 isc_mem_t *mctx = val->view->mctx;
1353 dns_view_istrusted(val->view, name, &key))
1355 if (over_max_validations(val)) {
1361 val->view->maxbits, mctx, &sigrdata,
1372 consume_validation(val);
1378 dns_view_untrust(val->view, name, &key);
1381 consume_validation(val);
1382 if (over_max_fails(val)) {
1386 consume_validation_fail(val);
1393 dns_view_untrust(val->view, name, &key);
1413 verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
1420 val->attributes |= VALATTR_TRIEDVERIFY;
1422 if (over_max_validations(val)) {
1426 result = dns_dnssec_verify(val->name, val->rdataset, key, ignore,
1427 val->view->maxbits, val->view->mctx, rdata,
1430 val->view->acceptexpired)
1438 validator_log(val, ISC_LOG_INFO,
1443 validator_log(val, ISC_LOG_INFO,
1448 validator_log(val, ISC_LOG_DEBUG(3),
1453 if (!dns_name_equal(val->name, wild)) {
1461 closest = dns_fixedname_name(&val->closest);
1465 val->attributes |= VALATTR_NEEDNOQNAME;
1479 consume_validation(val);
1482 consume_validation(val);
1483 if (over_max_fails(val)) {
1487 consume_validation_fail(val);
1507 validate_answer_iter_done(dns_validator_t *val, isc_result_t result);
1513 validate_answer_iter_start(dns_validator_t *val) {
1520 val->attributes &= ~VALATTR_OFFLOADED;
1521 if (CANCELING(val)) {
1522 validator_cancel_finish(val);
1527 if (val->resume) {
1530 validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
1532 result = dns_rdataset_first(val->sigrdataset);
1537 validate_answer_iter_done(val, result);
1541 result = validate_async_run(val, validate_answer_process);
1547 dns_validator_t *val = arg;
1550 val->attributes &= ~VALATTR_OFFLOADED;
1551 if (CANCELING(val)) {
1552 validator_cancel_finish(val);
1557 val->resume = false;
1558 result = dns_rdataset_next(val->sigrdataset);
1562 validate_answer_iter_done(val, result);
1566 (void)validate_async_run(val, validate_answer_process);
1577 dns_validator_t *val = arg;
1580 if (CANCELED(val) || CANCELING(val)) {
1581 val->result = ISC_R_CANCELED;
1583 val->result = verify(val, val->key, &val->rdata,
1584 val->siginfo->keyid);
1587 switch (val->result) {
1592 if (val->key != NULL) {
1593 dst_key_free(&val->key);
1594 val->key = NULL;
1600 result = select_signing_key(val, val->keyset);
1605 INSIST(val->key != NULL);
1607 INSIST(val->key == NULL);
1610 (void)validate_async_run(val, validate_answer_signing_key_done);
1615 dns_validator_t *val = arg;
1617 val->attributes &= ~VALATTR_OFFLOADED;
1618 if (CANCELING(val)) {
1619 validator_cancel_finish(val);
1620 val->result = ISC_R_CANCELED;
1621 } else if (val->key != NULL) {
1623 (void)validate_helper_run(val, validate_answer_signing_key);
1627 validate_answer_finish(val);
1632 dns_validator_t *val = arg;
1635 val->attributes &= ~VALATTR_OFFLOADED;
1636 if (CANCELING(val)) {
1637 validator_cancel_finish(val);
1642 dns_rdata_reset(&val->rdata);
1644 dns_rdataset_current(val->sigrdataset, &val->rdata);
1645 if (val->siginfo == NULL) {
1646 val->siginfo = isc_mem_get(val->view->mctx,
1647 sizeof(*val->siginfo));
1649 result = dns_rdata_tostruct(&val->rdata, val->siginfo, NULL);
1658 if (!dns_resolver_algorithm_supported(val->view->resolver, val->name,
1659 val->siginfo->algorithm))
1664 if (!val->resume) {
1665 result = seek_dnskey(val);
1682 if (val->key == NULL) {
1683 val->resume = false;
1687 (void)validate_helper_run(val, validate_answer_signing_key);
1691 result = validate_async_run(val, validate_answer_iter_next);
1695 validate_async_done(val, result);
1700 dns_validator_t *val = arg;
1703 if (val->result == ISC_R_SUCCESS) {
1704 dns_rdataset_trimttl(val->rdataset, val->sigrdataset,
1705 val->siginfo, val->start,
1706 val->view->acceptexpired);
1709 if (val->key != NULL) {
1710 dst_key_free(&val->key);
1711 val->key = NULL;
1713 if (val->keyset != NULL) {
1714 dns_rdataset_disassociate(val->keyset);
1715 val->keyset = NULL;
1718 switch (val->result) {
1720 validator_log(val, ISC_LOG_DEBUG(3), "validation was canceled");
1721 validate_async_done(val, val->result);
1724 validator_log(val, ISC_LOG_DEBUG(3), "server is shutting down");
1725 validate_async_done(val, val->result);
1728 if (MAXVALIDATIONS(val)) {
1729 validator_log(val, ISC_LOG_DEBUG(3),
1731 } else if (MAXVALIDATIONFAILS(val)) {
1732 validator_log(val, ISC_LOG_DEBUG(3),
1737 val, ISC_LOG_DEBUG(3),
1740 validate_async_done(val, val->result);
1746 if (NEEDNOQNAME(val)) {
1747 if (val->message == NULL) {
1748 validator_log(val, ISC_LOG_DEBUG(3),
1750 validate_async_done(val, DNS_R_NOVALIDSIG);
1754 validator_log(val, ISC_LOG_DEBUG(3),
1756 result = validate_nx(val, false);
1757 validate_async_done(val, result);
1761 if (val->result == ISC_R_SUCCESS) {
1762 marksecure(val);
1763 validator_log(val, ISC_LOG_DEBUG(3),
1765 validate_async_done(val, val->result);
1769 validator_log(val, ISC_LOG_DEBUG(3), "verify failure: %s",
1770 isc_result_totext(val->result));
1771 (void)validate_async_run(val, validate_answer_iter_next);
1775 validate_answer_iter_done(dns_validator_t *val, isc_result_t result) {
1777 validator_log(val, ISC_LOG_DEBUG(3),
1780 validate_async_done(val, result);
1784 validator_log(val, ISC_LOG_INFO, "no valid signature found");
1785 validate_async_done(val, val->result);
1790 dns_validator_t *val = arg;
1792 val->resume = true;
1793 validate_answer_iter_start(val);
1798 dns_validator_t *val = arg;
1799 val->resume = false;
1800 validate_answer_iter_start(val);
1804 validate_async_run(dns_validator_t *val, isc_job_cb cb) {
1805 isc_async_run(val->loop, cb, val);
1810 validate_helper_run(dns_validator_t *val, isc_job_cb cb) {
1811 val->attributes |= VALATTR_OFFLOADED;
1812 isc_helper_run(val->loop, cb, val);
1817 validate_async_done(dns_validator_t *val, isc_result_t result) {
1819 (val->attributes & VALATTR_TRIEDVERIFY) == 0)
1822 validator_log(val, ISC_LOG_DEBUG(3),
1824 result = proveunsecure(val, false, false);
1832 validator_done(val, result);
1833 dns_validator_detach(&val);
1839 * (val->rdataset).
1842 check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
1848 for (result = dns_rdataset_first(val->sigrdataset);
1850 result = dns_rdataset_next(val->sigrdataset))
1854 dns_rdataset_current(val->sigrdataset, &rdata);
1862 val->name, keyrdata, val->view->mctx, &dstkey);
1870 result = verify(val, dstkey, &rdata, sig.keyid);
1897 get_dsset(dns_validator_t *val, dns_name_t *tname, isc_result_t *resp) {
1900 result = view_find(val, tname, dns_rdatatype_ds);
1906 val->dsset = &val->frdataset;
1907 if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
1908 DNS_TRUST_ANSWER(val->frdataset.trust)) &&
1909 dns_rdataset_isassociated(&val->fsigrdataset))
1915 val, tname, dns_rdatatype_ds, &val->frdataset,
1916 &val->fsigrdataset, validator_callback_ds,
1923 } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
1927 disassociate_rdatasets(val);
1928 validator_log(val, ISC_LOG_DEBUG(2),
1939 result = create_fetch(val, tname, dns_rdatatype_ds,
1956 disassociate_rdatasets(val);
1957 validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
1973 validate_dnskey_dsset_done(dns_validator_t *val, isc_result_t result) {
1980 marksecure(val);
1981 validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)");
1984 if (!val->supported_algorithm) {
1985 validator_log(val, ISC_LOG_DEBUG(3),
1988 val, "validate_dnskey (3)",
1994 validator_log(val, ISC_LOG_INFO,
1999 if (val->dsset == &val->fdsset) {
2000 val->dsset = NULL;
2001 dns_rdataset_disassociate(&val->fdsset);
2004 validate_async_done(val, result);
2008 validate_dnskey_dsset(dns_validator_t *val) {
2015 dns_rdataset_current(val->dsset, &dsrdata);
2019 if (ds.digest_type == DNS_DSDIGEST_SHA1 && val->digest_sha1 == false) {
2023 if (!dns_resolver_ds_digest_supported(val->view->resolver, val->name,
2029 if (!dns_resolver_algorithm_supported(val->view->resolver, val->name,
2035 val->supported_algorithm = true;
2040 result = dns_dnssec_matchdskey(val->name, &dsrdata, val->rdataset,
2043 validator_log(val, ISC_LOG_DEBUG(3), "no DNSKEY matching DS");
2050 result = check_signer(val, &keyrdata, ds.key_tag, ds.algorithm);
2052 validator_log(val, ISC_LOG_DEBUG(3),
2066 dns_validator_t *val = arg;
2068 if (CANCELED(val) || CANCELING(val)) {
2069 val->result = ISC_R_CANCELED;
2071 val->result = dns_rdataset_next(val->dsset);
2074 if (val->result == ISC_R_SUCCESS) {
2076 val->result = validate_dnskey_dsset(val);
2079 validate_async_run(val, validate_dnskey_dsset_next_done);
2084 dns_validator_t *val = arg;
2085 isc_result_t result = val->result;
2087 val->attributes &= ~VALATTR_OFFLOADED;
2088 if (CANCELING(val)) {
2089 validator_cancel_finish(val);
2104 (void)validate_helper_run(val, validate_dnskey_dsset_next);
2108 validate_dnskey_dsset_done(val, result);
2113 validate_dnskey_dsset_first(dns_validator_t *val) {
2116 if (CANCELED(val) || CANCELING(val)) {
2119 result = dns_rdataset_first(val->dsset);
2124 result = validate_dnskey_dsset(val);
2126 (void)validate_helper_run(val,
2132 validate_dnskey_dsset_done(val, result);
2137 dns_validator_t *val = arg;
2142 if (CANCELED(val) || CANCELING(val)) {
2151 if (val->dsset == NULL) {
2152 result = dns_keytable_find(val->keytable, val->name, &keynode);
2154 if (dns_keynode_dsset(keynode, &val->fdsset)) {
2155 val->dsset = &val->fdsset;
2164 if (val->dsset == NULL) {
2171 if (dns_name_equal(val->name, dns_rootname)) {
2172 if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) {
2173 validator_log(val, ISC_LOG_DEBUG(3),
2176 validator_log(val, ISC_LOG_DEBUG(3),
2186 result = get_dsset(val, val->name, &tresult);
2196 INSIST(val->dsset != NULL);
2198 if (val->dsset->trust < dns_trust_secure) {
2199 result = markanswer(val, "validate_dnskey (2)", "insecure DS");
2209 val->supported_algorithm = false;
2217 val->digest_sha1 = true;
2219 for (result = dns_rdataset_first(val->dsset); result == ISC_R_SUCCESS;
2220 result = dns_rdataset_next(val->dsset))
2223 dns_rdataset_current(val->dsset, &dsrdata);
2228 val->view->resolver, val->name, ds.digest_type))
2233 if (!dns_resolver_algorithm_supported(val->view->resolver,
2234 val->name, ds.algorithm))
2244 val->digest_sha1 = false;
2249 validate_dnskey_dsset_first(val);
2253 if (val->dsset == &val->fdsset) {
2254 val->dsset = NULL;
2255 dns_rdataset_disassociate(&val->fdsset);
2257 validate_async_done(val, result);
2266 val_rdataset_first(dns_validator_t *val, dns_name_t **namep,
2268 dns_message_t *message = val->message;
2290 result = dns_rdataset_first(val->rdataset);
2292 dns_ncache_current(val->rdataset, *namep, *rdatasetp);
2299 val_rdataset_next(dns_validator_t *val, dns_name_t **namep,
2301 dns_message_t *message = val->message;
2324 result = dns_rdataset_next(val->rdataset);
2326 dns_ncache_current(val->rdataset, *namep, *rdatasetp);
2341 checkwildcard(dns_validator_t *val, dns_rdatatype_t type,
2351 wild = dns_fixedname_name(&val->wild);
2354 validator_log(val, ISC_LOG_DEBUG(3),
2360 validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
2362 if (val->message == NULL) {
2370 for (result = val_rdataset_first(val, &name, &rdataset);
2372 result = val_rdataset_next(val, &name, &rdataset))
2381 (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
2382 !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
2383 dns_nsec_noexistnodata(val->type, wild, name, rdataset,
2385 val) == ISC_R_SUCCESS)
2387 dns_name_t **proofs = val->proofs;
2389 val->attributes |= VALATTR_FOUNDNODATA;
2391 if (exists && !data && NEEDNODATA(val)) {
2395 val->attributes |= VALATTR_FOUNDNOWILDCARD;
2397 if (!exists && NEEDNOQNAME(val)) {
2407 (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
2408 !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
2410 val->type, wild, name, rdataset, zonename, &exists,
2412 validator_log, val) == ISC_R_SUCCESS)
2414 dns_name_t **proofs = val->proofs;
2416 val->attributes |= VALATTR_FOUNDNODATA;
2418 if (exists && !data && NEEDNODATA(val)) {
2422 val->attributes |= VALATTR_FOUNDNOWILDCARD;
2424 if (!exists && NEEDNOQNAME(val)) {
2448 findnsec3proofs(dns_validator_t *val) {
2455 dns_name_t **proofs = val->proofs;
2464 if (val->message == NULL) {
2472 for (result = val_rdataset_first(val, &name, &rdataset);
2474 result = val_rdataset_next(val, &name, &rdataset))
2482 result = dns_nsec3_noexistnodata(val->type, val->name, name,
2485 NULL, validator_log, val);
2506 * If the val->closest is set then we want to use it otherwise
2509 if (dns_name_countlabels(dns_fixedname_name(&val->closest)) != 0) {
2512 dns_name_format(dns_fixedname_name(&val->closest), namebuf,
2514 validator_log(val, ISC_LOG_DEBUG(3),
2517 dns_name_copy(dns_fixedname_name(&val->closest), closest);
2525 for (result = val_rdataset_first(val, &name, &rdataset);
2527 result = val_rdataset_next(val, &name, &rdataset))
2543 val->type, val->name, name, rdataset, zonename, &exists,
2545 closestp, nearest, validator_log, val);
2547 val->attributes |= VALATTR_FOUNDUNKNOWN;
2554 if (NEEDNOQNAME(val) &&
2560 } else if (NEEDNODATA(val) &&
2564 } else if (NEEDNOWILDCARD(val) &&
2581 if (exists && !data && NEEDNODATA(val)) {
2582 val->attributes |= VALATTR_FOUNDNODATA;
2586 val->attributes |= VALATTR_FOUNDNOQNAME;
2589 val->attributes |= VALATTR_FOUNDOPTOUT;
2607 val->attributes |= VALATTR_FOUNDCLOSEST;
2609 dns_fixedname_name(&val->wild),
2613 val->attributes &= ~VALATTR_FOUNDNOQNAME;
2614 val->attributes &= ~VALATTR_FOUNDOPTOUT;
2621 if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
2622 ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val)))
2624 result = checkwildcard(val, dns_rdatatype_nsec3, zonename);
2648 validate_neg_rrset(dns_validator_t *val, dns_name_t *name,
2662 if (val->type == dns_rdatatype_dnskey &&
2664 dns_name_equal(name, val->name))
2678 val->nxset = rdataset;
2679 result = create_validator(val, name, rdataset->type, rdataset,
2686 val->authcount++;
2694 validate_authority(dns_validator_t *val, bool resume) {
2696 dns_message_t *message = val->message;
2713 rdataset = ISC_LIST_NEXT(val->nxset, link);
2714 val->nxset = NULL;
2738 result = validate_neg_rrset(val, name, rdataset,
2755 validate_ncache(dns_validator_t *val, bool resume) {
2760 result = dns_rdataset_first(val->rdataset);
2762 result = dns_rdataset_next(val->rdataset);
2766 result = dns_rdataset_next(val->rdataset))
2770 disassociate_rdatasets(val);
2772 name = dns_fixedname_initname(&val->fname);
2773 rdataset = &val->frdataset;
2774 dns_ncache_current(val->rdataset, name, rdataset);
2776 if (val->frdataset.type == dns_rdatatype_rrsig) {
2780 result = dns_ncache_getsigrdataset(val->rdataset, name,
2782 &val->fsigrdataset);
2784 sigrdataset = &val->fsigrdataset;
2787 result = validate_neg_rrset(val, name, rdataset, sigrdataset);
2815 validate_nx(dns_validator_t *val, bool resume) {
2819 validator_log(val, ISC_LOG_DEBUG(3), "resuming validate_nx");
2822 if (val->message == NULL) {
2823 result = validate_ncache(val, resume);
2825 result = validate_authority(val, resume);
2836 if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
2837 if (!FOUNDNOQNAME(val)) {
2838 result = findnsec3proofs(val);
2840 validator_log(val, ISC_LOG_DEBUG(3),
2842 markanswer(val, "validate_nx (3)", NULL);
2847 if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && !FOUNDOPTOUT(val))
2849 validator_log(val, ISC_LOG_DEBUG(3),
2851 marksecure(val);
2853 } else if (FOUNDOPTOUT(val) &&
2855 dns_fixedname_name(&val->wild)) != 0)
2857 validator_log(val, ISC_LOG_DEBUG(3),
2859 val->optout = true;
2860 markanswer(val, "validate_nx (1)", NULL);
2862 } else if ((val->attributes & VALATTR_FOUNDUNKNOWN) != 0) {
2863 validator_log(val, ISC_LOG_DEBUG(3),
2865 markanswer(val, "validate_nx (2)", NULL);
2869 validator_log(val, ISC_LOG_DEBUG(3), "noqname proof not found");
2873 if (!FOUNDNOQNAME(val) && !FOUNDNODATA(val)) {
2874 result = findnsec3proofs(val);
2876 validator_log(val, ISC_LOG_DEBUG(3),
2878 markanswer(val, "validate_nx (4)", NULL);
2886 if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
2887 ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val)))
2889 result = checkwildcard(val, dns_rdatatype_nsec, NULL);
2895 if ((NEEDNODATA(val) && (FOUNDNODATA(val) || FOUNDOPTOUT(val))) ||
2896 (NEEDNOQNAME(val) && FOUNDNOQNAME(val) && NEEDNOWILDCARD(val) &&
2897 FOUNDNOWILDCARD(val) && FOUNDCLOSEST(val)))
2899 if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0) {
2900 val->optout = true;
2902 validator_log(val, ISC_LOG_DEBUG(3),
2904 if (val->message == NULL) {
2905 marksecure(val);
2907 val->secure = true;
2912 if (val->authfail != 0 && val->authcount == val->authfail) {
2916 return proveunsecure(val, false, false);
2924 check_ds_algs(dns_validator_t *val, dns_name_t *name,
2937 if (dns_resolver_ds_digest_supported(val->view->resolver, name,
2939 dns_resolver_algorithm_supported(val->view->resolver, name,
2951 * seek_ds is called to look up DS rrsets at the label of val->name
2952 * indicated by val->labels. This is done while building an insecurity
2965 seek_ds(dns_validator_t *val, isc_result_t *resp) {
2970 dns_name_t *tname = dns_fixedname_initname(&val->fname);
2972 if (val->labels == dns_name_countlabels(val->name)) {
2973 dns_name_copy(val->name, tname);
2975 dns_name_split(val->name, val->labels, NULL, tname);
2979 validator_log(val, ISC_LOG_DEBUG(3), "checking existence of DS at '%s'",
2982 result = view_find(val, tname, dns_rdatatype_ds);
2989 if (val->frdataset.trust >= dns_trust_secure) {
2990 if (!check_ds_algs(val, tname, &val->frdataset)) {
2992 val, ISC_LOG_DEBUG(3),
2995 *resp = markanswer(val, "proveunsecure (5)",
3007 if (dns_rdataset_isassociated(&val->fsigrdataset)) {
3009 val, tname, dns_rdatatype_ds, &val->frdataset,
3010 &val->fsigrdataset, validator_callback_ds,
3020 validator_log(val, ISC_LOG_DEBUG(3),
3032 result = create_fetch(val, tname, dns_rdatatype_ds,
3048 if (DNS_TRUST_PENDING(val->frdataset.trust) ||
3049 DNS_TRUST_ANSWER(val->frdataset.trust))
3052 val, tname, dns_rdatatype_ds, &val->frdataset,
3053 &val->fsigrdataset, validator_callback_ds,
3068 !dns_rdataset_isassociated(&val->frdataset) &&
3069 dns_view_findzonecut(val->view, tname, found, NULL, 0, 0,
3074 *resp = markanswer(val, "proveunsecure (3)",
3079 if (val->frdataset.trust < dns_trust_secure) {
3086 validator_log(val, ISC_LOG_WARNING,
3093 if (isdelegation(tname, &val->frdataset, result)) {
3094 *resp = markanswer(val, "proveunsecure (4)",
3107 if (!dns_rdataset_isassociated(&val->frdataset)) {
3114 } else if (DNS_TRUST_PENDING(val->frdataset.trust) ||
3115 DNS_TRUST_ANSWER(val->frdataset.trust))
3124 val, tname, dns_rdatatype_ds, &val->frdataset,
3125 &val->fsigrdataset, validator_callback_ds,
3131 } else if (val->frdataset.trust < dns_trust_secure) {
3138 validator_log(val, ISC_LOG_WARNING,
3149 if (DNS_TRUST_PENDING(val->frdataset.trust) ||
3150 DNS_TRUST_ANSWER(val->frdataset.trust))
3153 val, tname, dns_rdatatype_cname,
3154 &val->frdataset, &val->fsigrdataset,
3187 * \li ISC_R_SUCCESS val->name is in an unsecure zone
3189 * \li DNS_R_MUSTBESECURE val->name is supposed to be secure
3197 proveunsecure(dns_validator_t *val, bool have_ds, bool resume) {
3207 val->attributes |= VALATTR_INSECURITY;
3209 dns_name_copy(val->name, secroot);
3216 if (val->type == dns_rdatatype_ds && labels > 1U) {
3220 result = dns_keytable_finddeepestmatch(val->keytable, secroot, secroot);
3222 validator_log(val, ISC_LOG_DEBUG(3), "not beneath secure root");
3223 return markanswer(val, "proveunsecure (1)",
3235 val->labels = dns_name_countlabels(secroot) + 1;
3237 validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
3244 if (have_ds && val->frdataset.trust >= dns_trust_secure &&
3245 !check_ds_algs(val, dns_fixedname_name(&val->fname),
3246 &val->frdataset))
3248 dns_name_format(dns_fixedname_name(&val->fname),
3250 validator_log(val, ISC_LOG_DEBUG(3),
3253 result = markanswer(val, "proveunsecure (2)", namebuf);
3256 val->labels++;
3263 while (val->labels <= dns_name_countlabels(val->name)) {
3266 result = seek_ds(val, &tresult);
3273 val->labels++;
3277 validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed: %s",
3283 disassociate_rdatasets(val);
3302 dns_validator_t *val = (dns_validator_t *)arg;
3305 if (CANCELED(val) || CANCELING(val)) {
3310 validator_log(val, ISC_LOG_DEBUG(3), "starting");
3312 if (val->rdataset != NULL && val->sigrdataset != NULL) {
3317 validator_log(val, ISC_LOG_DEBUG(3),
3320 INSIST(dns_rdataset_isassociated(val->rdataset));
3321 INSIST(dns_rdataset_isassociated(val->sigrdataset));
3323 result = selfsigned_dnskey(val);
3328 result = validate_async_run(val, validate_dnskey);
3331 result = validate_async_run(val, validate_answer);
3336 } else if (val->rdataset != NULL && val->rdataset->type != 0) {
3341 INSIST(dns_rdataset_isassociated(val->rdataset));
3342 validator_log(val, ISC_LOG_DEBUG(3),
3345 result = proveunsecure(val, false, false);
3347 validator_log(val, ISC_LOG_INFO,
3351 } else if (val->rdataset == NULL && val->sigrdataset == NULL) {
3355 validator_log(val, ISC_LOG_DEBUG(3),
3359 if (val->message->rcode == dns_rcode_nxdomain) {
3360 val->attributes |= VALATTR_NEEDNOQNAME;
3361 val->attributes |= VALATTR_NEEDNOWILDCARD;
3363 val->attributes |= VALATTR_NEEDNODATA;
3366 result = validate_nx(val, false);
3367 } else if (val->rdataset != NULL && NEGATIVE(val->rdataset)) {
3371 validator_log(val, ISC_LOG_DEBUG(3),
3375 if (NXDOMAIN(val->rdataset)) {
3376 val->attributes |= VALATTR_NEEDNOQNAME;
3377 val->attributes |= VALATTR_NEEDNOWILDCARD;
3379 val->attributes |= VALATTR_NEEDNODATA;
3382 result = validate_nx(val, false);
3388 validate_async_done(val, result);
3399 dns_validator_t *val = NULL;
3412 val = isc_mem_get(view->mctx, sizeof(*val));
3413 *val = (dns_validator_t){
3431 isc_refcount_init(&val->references, 1);
3432 dns_view_attach(view, &val->view);
3434 dns_message_attach(message, &val->message);
3438 isc_counter_attach(qc, &val->qc);
3441 val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
3442 dns_rdataset_init(&val->fdsset);
3443 dns_rdataset_init(&val->frdataset);
3444 dns_rdataset_init(&val->fsigrdataset);
3445 dns_fixedname_init(&val->wild);
3446 dns_fixedname_init(&val->closest);
3447 val->start = isc_stdtime_now();
3448 val->magic = VALIDATOR_MAGIC;
3451 dns_validator_ref(val);
3452 (void)validate_async_run(val, validator_start);
3455 *validatorp = val;
3461 dns_validator_send(dns_validator_t *val) {
3462 REQUIRE(VALID_VALIDATOR(val));
3463 REQUIRE(val->tid == isc_tid());
3465 INSIST((val->options & DNS_VALIDATOR_DEFER) != 0);
3466 val->options &= ~DNS_VALIDATOR_DEFER;
3468 dns_validator_ref(val);
3469 (void)validate_async_run(val, validator_start);
3506 destroy_validator(dns_validator_t *val) {
3509 REQUIRE(val->fetch == NULL);
3510 REQUIRE(val->subvalidator == NULL);
3512 val->magic = 0;
3513 if (val->key != NULL) {
3514 dst_key_free(&val->key);
3516 if (val->keytable != NULL) {
3517 dns_keytable_detach(&val->keytable);
3519 disassociate_rdatasets(val);
3520 mctx = val->view->mctx;
3521 if (val->siginfo != NULL) {
3522 isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
3524 if (val->message != NULL) {
3525 dns_message_detach(&val->message);
3527 if (val->qc != NULL) {
3528 isc_counter_detach(&val->qc);
3530 dns_view_detach(&val->view);
3531 isc_loop_detach(&val->loop);
3532 isc_mem_put(mctx, val, sizeof(*val));
3536 dns_validator_shutdown(dns_validator_t *val) {
3537 REQUIRE(VALID_VALIDATOR(val));
3538 REQUIRE(COMPLETE(val));
3539 REQUIRE(val->tid == isc_tid());
3541 validator_log(val, ISC_LOG_DEBUG(4), "dns_validator_shutdown");
3547 * val->name during logging, because the owner may destroy it after this
3550 val->name = NULL;
3554 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
3559 int depth = val->depth * 2;
3575 if (val->view->rdclass == dns_rdataclass_in &&
3576 (strcmp(val->view->name, "_default") == 0 ||
3577 strcmp(val->view->name, DNS_CLIENTVIEW_NAME) == 0))
3582 viewname = val->view->name;
3586 if (val->name != NULL) {
3590 dns_name_format(val->name, namebuf, sizeof(namebuf));
3591 dns_rdatatype_format(val->type, typebuf, sizeof(typebuf));
3598 sep2, depth, spaces, val, msgbuf);
3603 validator_log(void *val, int level, const char *fmt, ...) {
3612 validator_logv(val, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_VALIDATOR,
3618 validator_logcreate(dns_validator_t *val, dns_name_t *name,
3626 validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",