1*825eb42bSJan Lentfer /* 2*825eb42bSJan Lentfer * chasetrace.c 3*825eb42bSJan Lentfer * Where all the hard work concerning chasing 4*825eb42bSJan Lentfer * and tracing is done 5*825eb42bSJan Lentfer * (c) 2005, 2006 NLnet Labs 6*825eb42bSJan Lentfer * 7*825eb42bSJan Lentfer * See the file LICENSE for the license 8*825eb42bSJan Lentfer * 9*825eb42bSJan Lentfer */ 10*825eb42bSJan Lentfer 11*825eb42bSJan Lentfer #include "drill.h" 12*825eb42bSJan Lentfer #include <ldns/ldns.h> 13*825eb42bSJan Lentfer 14*825eb42bSJan Lentfer /** 15*825eb42bSJan Lentfer * trace down from the root to name 16*825eb42bSJan Lentfer */ 17*825eb42bSJan Lentfer 18*825eb42bSJan Lentfer /* same naive method as in drill0.9 19*825eb42bSJan Lentfer * We resolver _ALL_ the names, which is ofcourse not needed 20*825eb42bSJan Lentfer * We _do_ use the local resolver to do that, so it still is 21*825eb42bSJan Lentfer * fast, but it can be made to run much faster 22*825eb42bSJan Lentfer */ 23*825eb42bSJan Lentfer ldns_pkt * 24*825eb42bSJan Lentfer do_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t, 25*825eb42bSJan Lentfer ldns_rr_class c) 26*825eb42bSJan Lentfer { 27*825eb42bSJan Lentfer ldns_resolver *res; 28*825eb42bSJan Lentfer ldns_pkt *p; 29*825eb42bSJan Lentfer ldns_rr_list *new_nss_a; 30*825eb42bSJan Lentfer ldns_rr_list *new_nss_aaaa; 31*825eb42bSJan Lentfer ldns_rr_list *final_answer; 32*825eb42bSJan Lentfer ldns_rr_list *new_nss; 33*825eb42bSJan Lentfer ldns_rr_list *hostnames; 34*825eb42bSJan Lentfer ldns_rr_list *ns_addr; 35*825eb42bSJan Lentfer uint16_t loop_count; 36*825eb42bSJan Lentfer ldns_rdf *pop; 37*825eb42bSJan Lentfer ldns_status status; 38*825eb42bSJan Lentfer size_t i; 39*825eb42bSJan Lentfer 40*825eb42bSJan Lentfer loop_count = 0; 41*825eb42bSJan Lentfer new_nss_a = NULL; 42*825eb42bSJan Lentfer new_nss_aaaa = NULL; 43*825eb42bSJan Lentfer new_nss = NULL; 44*825eb42bSJan Lentfer ns_addr = NULL; 45*825eb42bSJan Lentfer final_answer = NULL; 46*825eb42bSJan Lentfer p = ldns_pkt_new(); 47*825eb42bSJan Lentfer res = ldns_resolver_new(); 48*825eb42bSJan Lentfer 49*825eb42bSJan Lentfer if (!p || !res) { 50*825eb42bSJan Lentfer error("Memory allocation failed"); 51*825eb42bSJan Lentfer return NULL; 52*825eb42bSJan Lentfer } 53*825eb42bSJan Lentfer 54*825eb42bSJan Lentfer /* transfer some properties of local_res to res, 55*825eb42bSJan Lentfer * because they were given on the commandline */ 56*825eb42bSJan Lentfer ldns_resolver_set_ip6(res, 57*825eb42bSJan Lentfer ldns_resolver_ip6(local_res)); 58*825eb42bSJan Lentfer ldns_resolver_set_port(res, 59*825eb42bSJan Lentfer ldns_resolver_port(local_res)); 60*825eb42bSJan Lentfer ldns_resolver_set_debug(res, 61*825eb42bSJan Lentfer ldns_resolver_debug(local_res)); 62*825eb42bSJan Lentfer ldns_resolver_set_dnssec(res, 63*825eb42bSJan Lentfer ldns_resolver_dnssec(local_res)); 64*825eb42bSJan Lentfer ldns_resolver_set_fail(res, 65*825eb42bSJan Lentfer ldns_resolver_fail(local_res)); 66*825eb42bSJan Lentfer ldns_resolver_set_usevc(res, 67*825eb42bSJan Lentfer ldns_resolver_usevc(local_res)); 68*825eb42bSJan Lentfer ldns_resolver_set_random(res, 69*825eb42bSJan Lentfer ldns_resolver_random(local_res)); 70*825eb42bSJan Lentfer ldns_resolver_set_recursive(res, false); 71*825eb42bSJan Lentfer 72*825eb42bSJan Lentfer /* setup the root nameserver in the new resolver */ 73*825eb42bSJan Lentfer status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root); 74*825eb42bSJan Lentfer if (status != LDNS_STATUS_OK) { 75*825eb42bSJan Lentfer fprintf(stderr, "Error adding root servers to resolver: %s\n", ldns_get_errorstr_by_id(status)); 76*825eb42bSJan Lentfer ldns_rr_list_print(stdout, global_dns_root); 77*825eb42bSJan Lentfer return NULL; 78*825eb42bSJan Lentfer } 79*825eb42bSJan Lentfer 80*825eb42bSJan Lentfer /* this must be a real query to local_res */ 81*825eb42bSJan Lentfer status = ldns_resolver_send(&p, res, ldns_dname_new_frm_str("."), LDNS_RR_TYPE_NS, c, 0); 82*825eb42bSJan Lentfer /* p can still be NULL */ 83*825eb42bSJan Lentfer 84*825eb42bSJan Lentfer 85*825eb42bSJan Lentfer if (ldns_pkt_empty(p)) { 86*825eb42bSJan Lentfer warning("No root server information received"); 87*825eb42bSJan Lentfer } 88*825eb42bSJan Lentfer 89*825eb42bSJan Lentfer if (status == LDNS_STATUS_OK) { 90*825eb42bSJan Lentfer if (!ldns_pkt_empty(p)) { 91*825eb42bSJan Lentfer drill_pkt_print(stdout, local_res, p); 92*825eb42bSJan Lentfer } 93*825eb42bSJan Lentfer } else { 94*825eb42bSJan Lentfer error("cannot use local resolver"); 95*825eb42bSJan Lentfer return NULL; 96*825eb42bSJan Lentfer } 97*825eb42bSJan Lentfer 98*825eb42bSJan Lentfer status = ldns_resolver_send(&p, res, name, t, c, 0); 99*825eb42bSJan Lentfer 100*825eb42bSJan Lentfer while(status == LDNS_STATUS_OK && 101*825eb42bSJan Lentfer ldns_pkt_reply_type(p) == LDNS_PACKET_REFERRAL) { 102*825eb42bSJan Lentfer 103*825eb42bSJan Lentfer if (!p) { 104*825eb42bSJan Lentfer /* some error occurred, bail out */ 105*825eb42bSJan Lentfer return NULL; 106*825eb42bSJan Lentfer } 107*825eb42bSJan Lentfer 108*825eb42bSJan Lentfer new_nss_a = ldns_pkt_rr_list_by_type(p, 109*825eb42bSJan Lentfer LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL); 110*825eb42bSJan Lentfer new_nss_aaaa = ldns_pkt_rr_list_by_type(p, 111*825eb42bSJan Lentfer LDNS_RR_TYPE_AAAA, LDNS_SECTION_ADDITIONAL); 112*825eb42bSJan Lentfer new_nss = ldns_pkt_rr_list_by_type(p, 113*825eb42bSJan Lentfer LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY); 114*825eb42bSJan Lentfer 115*825eb42bSJan Lentfer if (verbosity != -1) { 116*825eb42bSJan Lentfer ldns_rr_list_print(stdout, new_nss); 117*825eb42bSJan Lentfer } 118*825eb42bSJan Lentfer /* checks itself for verbosity */ 119*825eb42bSJan Lentfer drill_pkt_print_footer(stdout, local_res, p); 120*825eb42bSJan Lentfer 121*825eb42bSJan Lentfer /* remove the old nameserver from the resolver */ 122*825eb42bSJan Lentfer while((pop = ldns_resolver_pop_nameserver(res))) { /* do it */ } 123*825eb42bSJan Lentfer 124*825eb42bSJan Lentfer /* also check for new_nss emptyness */ 125*825eb42bSJan Lentfer 126*825eb42bSJan Lentfer if (!new_nss_aaaa && !new_nss_a) { 127*825eb42bSJan Lentfer /* 128*825eb42bSJan Lentfer * no nameserver found!!! 129*825eb42bSJan Lentfer * try to resolve the names we do got 130*825eb42bSJan Lentfer */ 131*825eb42bSJan Lentfer for(i = 0; i < ldns_rr_list_rr_count(new_nss); i++) { 132*825eb42bSJan Lentfer /* get the name of the nameserver */ 133*825eb42bSJan Lentfer pop = ldns_rr_rdf(ldns_rr_list_rr(new_nss, i), 0); 134*825eb42bSJan Lentfer if (!pop) { 135*825eb42bSJan Lentfer break; 136*825eb42bSJan Lentfer } 137*825eb42bSJan Lentfer 138*825eb42bSJan Lentfer ldns_rr_list_print(stdout, new_nss); 139*825eb42bSJan Lentfer ldns_rdf_print(stdout, pop); 140*825eb42bSJan Lentfer /* retrieve it's addresses */ 141*825eb42bSJan Lentfer ns_addr = ldns_rr_list_cat_clone(ns_addr, 142*825eb42bSJan Lentfer ldns_get_rr_list_addr_by_name(local_res, pop, c, 0)); 143*825eb42bSJan Lentfer } 144*825eb42bSJan Lentfer 145*825eb42bSJan Lentfer if (ns_addr) { 146*825eb42bSJan Lentfer if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) != 147*825eb42bSJan Lentfer LDNS_STATUS_OK) { 148*825eb42bSJan Lentfer error("Error adding new nameservers"); 149*825eb42bSJan Lentfer ldns_pkt_free(p); 150*825eb42bSJan Lentfer return NULL; 151*825eb42bSJan Lentfer } 152*825eb42bSJan Lentfer ldns_rr_list_free(ns_addr); 153*825eb42bSJan Lentfer } else { 154*825eb42bSJan Lentfer ldns_rr_list_print(stdout, ns_addr); 155*825eb42bSJan Lentfer error("Could not find the nameserver ip addr; abort"); 156*825eb42bSJan Lentfer ldns_pkt_free(p); 157*825eb42bSJan Lentfer return NULL; 158*825eb42bSJan Lentfer } 159*825eb42bSJan Lentfer } 160*825eb42bSJan Lentfer 161*825eb42bSJan Lentfer /* add the new ones */ 162*825eb42bSJan Lentfer if (new_nss_aaaa) { 163*825eb42bSJan Lentfer if (ldns_resolver_push_nameserver_rr_list(res, new_nss_aaaa) != 164*825eb42bSJan Lentfer LDNS_STATUS_OK) { 165*825eb42bSJan Lentfer error("adding new nameservers"); 166*825eb42bSJan Lentfer ldns_pkt_free(p); 167*825eb42bSJan Lentfer return NULL; 168*825eb42bSJan Lentfer } 169*825eb42bSJan Lentfer } 170*825eb42bSJan Lentfer if (new_nss_a) { 171*825eb42bSJan Lentfer if (ldns_resolver_push_nameserver_rr_list(res, new_nss_a) != 172*825eb42bSJan Lentfer LDNS_STATUS_OK) { 173*825eb42bSJan Lentfer error("adding new nameservers"); 174*825eb42bSJan Lentfer ldns_pkt_free(p); 175*825eb42bSJan Lentfer return NULL; 176*825eb42bSJan Lentfer } 177*825eb42bSJan Lentfer } 178*825eb42bSJan Lentfer 179*825eb42bSJan Lentfer if (loop_count++ > 20) { 180*825eb42bSJan Lentfer /* unlikely that we are doing something usefull */ 181*825eb42bSJan Lentfer error("Looks like we are looping"); 182*825eb42bSJan Lentfer ldns_pkt_free(p); 183*825eb42bSJan Lentfer return NULL; 184*825eb42bSJan Lentfer } 185*825eb42bSJan Lentfer 186*825eb42bSJan Lentfer status = ldns_resolver_send(&p, res, name, t, c, 0); 187*825eb42bSJan Lentfer new_nss_aaaa = NULL; 188*825eb42bSJan Lentfer new_nss_a = NULL; 189*825eb42bSJan Lentfer ns_addr = NULL; 190*825eb42bSJan Lentfer } 191*825eb42bSJan Lentfer 192*825eb42bSJan Lentfer status = ldns_resolver_send(&p, res, name, t, c, 0); 193*825eb42bSJan Lentfer 194*825eb42bSJan Lentfer if (!p) { 195*825eb42bSJan Lentfer return NULL; 196*825eb42bSJan Lentfer } 197*825eb42bSJan Lentfer 198*825eb42bSJan Lentfer hostnames = ldns_get_rr_list_name_by_addr(local_res, 199*825eb42bSJan Lentfer ldns_pkt_answerfrom(p), 0, 0); 200*825eb42bSJan Lentfer 201*825eb42bSJan Lentfer new_nss = ldns_pkt_authority(p); 202*825eb42bSJan Lentfer final_answer = ldns_pkt_answer(p); 203*825eb42bSJan Lentfer 204*825eb42bSJan Lentfer if (verbosity != -1) { 205*825eb42bSJan Lentfer ldns_rr_list_print(stdout, final_answer); 206*825eb42bSJan Lentfer ldns_rr_list_print(stdout, new_nss); 207*825eb42bSJan Lentfer 208*825eb42bSJan Lentfer } 209*825eb42bSJan Lentfer drill_pkt_print_footer(stdout, local_res, p); 210*825eb42bSJan Lentfer ldns_pkt_free(p); 211*825eb42bSJan Lentfer return NULL; 212*825eb42bSJan Lentfer } 213*825eb42bSJan Lentfer 214*825eb42bSJan Lentfer 215*825eb42bSJan Lentfer /** 216*825eb42bSJan Lentfer * Chase the given rr to a known and trusted key 217*825eb42bSJan Lentfer * 218*825eb42bSJan Lentfer * Based on drill 0.9 219*825eb42bSJan Lentfer * 220*825eb42bSJan Lentfer * the last argument prev_key_list, if not null, and type == DS, then the ds 221*825eb42bSJan Lentfer * rr list we have must all be a ds for the keys in this list 222*825eb42bSJan Lentfer */ 223*825eb42bSJan Lentfer #ifdef HAVE_SSL 224*825eb42bSJan Lentfer ldns_status 225*825eb42bSJan Lentfer do_chase(ldns_resolver *res, 226*825eb42bSJan Lentfer ldns_rdf *name, 227*825eb42bSJan Lentfer ldns_rr_type type, 228*825eb42bSJan Lentfer ldns_rr_class c, 229*825eb42bSJan Lentfer ldns_rr_list *trusted_keys, 230*825eb42bSJan Lentfer ldns_pkt *pkt_o, 231*825eb42bSJan Lentfer uint16_t qflags, 232*825eb42bSJan Lentfer ldns_rr_list *prev_key_list, 233*825eb42bSJan Lentfer int verbosity) 234*825eb42bSJan Lentfer { 235*825eb42bSJan Lentfer ldns_rr_list *rrset = NULL; 236*825eb42bSJan Lentfer ldns_status result; 237*825eb42bSJan Lentfer ldns_rr *orig_rr = NULL; 238*825eb42bSJan Lentfer 239*825eb42bSJan Lentfer bool cname_followed = false; 240*825eb42bSJan Lentfer /* 241*825eb42bSJan Lentfer ldns_rr_list *sigs; 242*825eb42bSJan Lentfer ldns_rr *cur_sig; 243*825eb42bSJan Lentfer uint16_t sig_i; 244*825eb42bSJan Lentfer ldns_rr_list *keys; 245*825eb42bSJan Lentfer */ 246*825eb42bSJan Lentfer ldns_pkt *pkt; 247*825eb42bSJan Lentfer ldns_status tree_result; 248*825eb42bSJan Lentfer ldns_dnssec_data_chain *chain; 249*825eb42bSJan Lentfer ldns_dnssec_trust_tree *tree; 250*825eb42bSJan Lentfer 251*825eb42bSJan Lentfer const ldns_rr_descriptor *descriptor; 252*825eb42bSJan Lentfer descriptor = ldns_rr_descript(type); 253*825eb42bSJan Lentfer 254*825eb42bSJan Lentfer ldns_dname2canonical(name); 255*825eb42bSJan Lentfer 256*825eb42bSJan Lentfer pkt = ldns_pkt_clone(pkt_o); 257*825eb42bSJan Lentfer if (!name) { 258*825eb42bSJan Lentfer mesg("No name to chase"); 259*825eb42bSJan Lentfer ldns_pkt_free(pkt); 260*825eb42bSJan Lentfer return LDNS_STATUS_EMPTY_LABEL; 261*825eb42bSJan Lentfer } 262*825eb42bSJan Lentfer if (verbosity != -1) { 263*825eb42bSJan Lentfer printf(";; Chasing: "); 264*825eb42bSJan Lentfer ldns_rdf_print(stdout, name); 265*825eb42bSJan Lentfer if (descriptor && descriptor->_name) { 266*825eb42bSJan Lentfer printf(" %s\n", descriptor->_name); 267*825eb42bSJan Lentfer } else { 268*825eb42bSJan Lentfer printf(" type %d\n", type); 269*825eb42bSJan Lentfer } 270*825eb42bSJan Lentfer } 271*825eb42bSJan Lentfer 272*825eb42bSJan Lentfer if (!trusted_keys || ldns_rr_list_rr_count(trusted_keys) < 1) { 273*825eb42bSJan Lentfer warning("No trusted keys specified"); 274*825eb42bSJan Lentfer } 275*825eb42bSJan Lentfer 276*825eb42bSJan Lentfer if (pkt) { 277*825eb42bSJan Lentfer rrset = ldns_pkt_rr_list_by_name_and_type(pkt, 278*825eb42bSJan Lentfer name, 279*825eb42bSJan Lentfer type, 280*825eb42bSJan Lentfer LDNS_SECTION_ANSWER 281*825eb42bSJan Lentfer ); 282*825eb42bSJan Lentfer if (!rrset) { 283*825eb42bSJan Lentfer /* nothing in answer, try authority */ 284*825eb42bSJan Lentfer rrset = ldns_pkt_rr_list_by_name_and_type(pkt, 285*825eb42bSJan Lentfer name, 286*825eb42bSJan Lentfer type, 287*825eb42bSJan Lentfer LDNS_SECTION_AUTHORITY 288*825eb42bSJan Lentfer ); 289*825eb42bSJan Lentfer } 290*825eb42bSJan Lentfer /* answer might be a cname, chase that first, then chase 291*825eb42bSJan Lentfer cname target? (TODO) */ 292*825eb42bSJan Lentfer if (!rrset) { 293*825eb42bSJan Lentfer cname_followed = true; 294*825eb42bSJan Lentfer rrset = ldns_pkt_rr_list_by_name_and_type(pkt, 295*825eb42bSJan Lentfer name, 296*825eb42bSJan Lentfer LDNS_RR_TYPE_CNAME, 297*825eb42bSJan Lentfer LDNS_SECTION_ANSWER 298*825eb42bSJan Lentfer ); 299*825eb42bSJan Lentfer if (!rrset) { 300*825eb42bSJan Lentfer /* nothing in answer, try authority */ 301*825eb42bSJan Lentfer rrset = ldns_pkt_rr_list_by_name_and_type(pkt, 302*825eb42bSJan Lentfer name, 303*825eb42bSJan Lentfer LDNS_RR_TYPE_CNAME, 304*825eb42bSJan Lentfer LDNS_SECTION_AUTHORITY 305*825eb42bSJan Lentfer ); 306*825eb42bSJan Lentfer } 307*825eb42bSJan Lentfer } 308*825eb42bSJan Lentfer } else { 309*825eb42bSJan Lentfer /* no packet? */ 310*825eb42bSJan Lentfer if (verbosity >= 0) { 311*825eb42bSJan Lentfer fprintf(stderr, "%s", ldns_get_errorstr_by_id(LDNS_STATUS_MEM_ERR)); 312*825eb42bSJan Lentfer fprintf(stderr, "\n"); 313*825eb42bSJan Lentfer } 314*825eb42bSJan Lentfer return LDNS_STATUS_MEM_ERR; 315*825eb42bSJan Lentfer } 316*825eb42bSJan Lentfer 317*825eb42bSJan Lentfer if (!rrset) { 318*825eb42bSJan Lentfer /* not found in original packet, try again */ 319*825eb42bSJan Lentfer ldns_pkt_free(pkt); 320*825eb42bSJan Lentfer pkt = NULL; 321*825eb42bSJan Lentfer pkt = ldns_resolver_query(res, name, type, c, qflags); 322*825eb42bSJan Lentfer 323*825eb42bSJan Lentfer if (!pkt) { 324*825eb42bSJan Lentfer if (verbosity >= 0) { 325*825eb42bSJan Lentfer fprintf(stderr, "%s", ldns_get_errorstr_by_id(LDNS_STATUS_NETWORK_ERR)); 326*825eb42bSJan Lentfer fprintf(stderr, "\n"); 327*825eb42bSJan Lentfer } 328*825eb42bSJan Lentfer return LDNS_STATUS_NETWORK_ERR; 329*825eb42bSJan Lentfer } 330*825eb42bSJan Lentfer if (verbosity >= 5) { 331*825eb42bSJan Lentfer ldns_pkt_print(stdout, pkt); 332*825eb42bSJan Lentfer } 333*825eb42bSJan Lentfer 334*825eb42bSJan Lentfer rrset = ldns_pkt_rr_list_by_name_and_type(pkt, 335*825eb42bSJan Lentfer name, 336*825eb42bSJan Lentfer type, 337*825eb42bSJan Lentfer LDNS_SECTION_ANSWER 338*825eb42bSJan Lentfer ); 339*825eb42bSJan Lentfer } 340*825eb42bSJan Lentfer 341*825eb42bSJan Lentfer orig_rr = ldns_rr_new(); 342*825eb42bSJan Lentfer 343*825eb42bSJan Lentfer /* if the answer had no answer section, we need to construct our own rr (for instance if 344*825eb42bSJan Lentfer * the rr qe asked for doesn't exist. This rr will be destroyed when the chain is freed */ 345*825eb42bSJan Lentfer if (ldns_pkt_ancount(pkt) < 1) { 346*825eb42bSJan Lentfer ldns_rr_set_type(orig_rr, type); 347*825eb42bSJan Lentfer ldns_rr_set_owner(orig_rr, ldns_rdf_clone(name)); 348*825eb42bSJan Lentfer 349*825eb42bSJan Lentfer chain = ldns_dnssec_build_data_chain(res, qflags, rrset, pkt, ldns_rr_clone(orig_rr)); 350*825eb42bSJan Lentfer } else { 351*825eb42bSJan Lentfer /* chase the first answer */ 352*825eb42bSJan Lentfer chain = ldns_dnssec_build_data_chain(res, qflags, rrset, pkt, NULL); 353*825eb42bSJan Lentfer } 354*825eb42bSJan Lentfer 355*825eb42bSJan Lentfer if (verbosity >= 4) { 356*825eb42bSJan Lentfer printf("\n\nDNSSEC Data Chain:\n"); 357*825eb42bSJan Lentfer ldns_dnssec_data_chain_print(stdout, chain); 358*825eb42bSJan Lentfer } 359*825eb42bSJan Lentfer 360*825eb42bSJan Lentfer result = LDNS_STATUS_OK; 361*825eb42bSJan Lentfer 362*825eb42bSJan Lentfer tree = ldns_dnssec_derive_trust_tree(chain, NULL); 363*825eb42bSJan Lentfer 364*825eb42bSJan Lentfer if (verbosity >= 2) { 365*825eb42bSJan Lentfer printf("\n\nDNSSEC Trust tree:\n"); 366*825eb42bSJan Lentfer ldns_dnssec_trust_tree_print(stdout, tree, 0, true); 367*825eb42bSJan Lentfer } 368*825eb42bSJan Lentfer 369*825eb42bSJan Lentfer if (ldns_rr_list_rr_count(trusted_keys) > 0) { 370*825eb42bSJan Lentfer tree_result = ldns_dnssec_trust_tree_contains_keys(tree, trusted_keys); 371*825eb42bSJan Lentfer 372*825eb42bSJan Lentfer if (tree_result == LDNS_STATUS_DNSSEC_EXISTENCE_DENIED) { 373*825eb42bSJan Lentfer if (verbosity >= 1) { 374*825eb42bSJan Lentfer printf("Existence denied or verifiably insecure\n"); 375*825eb42bSJan Lentfer } 376*825eb42bSJan Lentfer result = LDNS_STATUS_OK; 377*825eb42bSJan Lentfer } else if (tree_result != LDNS_STATUS_OK) { 378*825eb42bSJan Lentfer if (verbosity >= 1) { 379*825eb42bSJan Lentfer printf("No trusted keys found in tree: first error was: %s\n", ldns_get_errorstr_by_id(tree_result)); 380*825eb42bSJan Lentfer } 381*825eb42bSJan Lentfer result = tree_result; 382*825eb42bSJan Lentfer } 383*825eb42bSJan Lentfer 384*825eb42bSJan Lentfer } else { 385*825eb42bSJan Lentfer if (verbosity >= 0) { 386*825eb42bSJan Lentfer printf("You have not provided any trusted keys.\n"); 387*825eb42bSJan Lentfer } 388*825eb42bSJan Lentfer } 389*825eb42bSJan Lentfer 390*825eb42bSJan Lentfer ldns_rr_free(orig_rr); 391*825eb42bSJan Lentfer ldns_dnssec_trust_tree_free(tree); 392*825eb42bSJan Lentfer ldns_dnssec_data_chain_deep_free(chain); 393*825eb42bSJan Lentfer 394*825eb42bSJan Lentfer ldns_rr_list_deep_free(rrset); 395*825eb42bSJan Lentfer ldns_pkt_free(pkt); 396*825eb42bSJan Lentfer /* ldns_rr_free(orig_rr);*/ 397*825eb42bSJan Lentfer 398*825eb42bSJan Lentfer return result; 399*825eb42bSJan Lentfer } 400*825eb42bSJan Lentfer #endif /* HAVE_SSL */ 401*825eb42bSJan Lentfer 402