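/*
 * securechasetrace.c
 * Where all the hard work concerning secure tracing is done
 *
 * (c) 2005, 2006 NLnet Labs
 *
 * See the file LICENSE for the license
 *
 */

#include "drill.h"
#include <ldns/ldns.h>

/*
 * Validation-state markers printed in front of every RRset or denial
 * that the secure trace reports.
 */
#define SELF "[S]"     /* self sig ok: verifies with the zone's own keys, no chain to a trust anchor */
#define TRUST "[T]"    /* chain from parent: verifies with a key or DS that was already trusted */
#define BOGUS "[B]"    /* bogus: DNSSEC data is present but verification failed */
#define UNSIGNED "[U]" /* no relevant dnssec data found */

#if 0
/* See if there is a key/ds in trusted that matches
 * a ds in *ds.
 *
 * Returns a newly allocated list holding the matching RRs taken from
 * 'trusted' (the RRs are not cloned, so free the result with
 * ldns_rr_list_free, not ldns_rr_list_deep_free), or NULL when either
 * argument is NULL, allocation fails, or nothing matched.
 *
 * Compiled out; kept for reference only.
 */
static ldns_rr_list *
ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
{
	size_t i, j;
	bool match = false;
	ldns_rr_list *keys;

	if (!trusted || !ds) {
		return NULL;
	}

	keys = ldns_rr_list_new();
	if (!keys) {
		return NULL;
	}

	for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) {
		ldns_rr *rr_i = ldns_rr_list_rr(trusted, i);
		for (j = 0; j < ldns_rr_list_rr_count(ds); j++) {
			ldns_rr *rr_j = ldns_rr_list_rr(ds, j);
			if (ldns_rr_compare_ds(rr_i, rr_j)) {
				match = true;
				/* only allow unique RRs to match */
				ldns_rr_set_push_rr(keys, rr_i);
			}
		}
	}
	if (match) {
		return keys;
	}
	/* No match: release the empty list rather than leaking it. */
	ldns_rr_list_free(keys);
	return NULL;
}
#endif

/*
 * Query resolver r for (name, t) and hand back the reply packet.
 *
 * The query is always sent in class IN with no extra flags; callers that
 * trace in another class (do_secure_trace takes a class argument) still
 * get IN here.  When the global verbosity is 5 or more the whole packet
 * is printed to stdout.
 *
 * Returns the packet (caller frees it with ldns_pkt_free) or NULL when
 * the query produced no packet.
 */
ldns_pkt *
get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t)
{
	ldns_pkt *p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0);

	if (!p) {
		return NULL;
	}
	if (verbosity >= 5) {
		ldns_pkt_print(stdout, p);
	}
	return p;
}

#ifdef HAVE_SSL
/*
 * retrieve keys for this zone
 *
 * Thin wrapper: pulls the DNSKEY RRset owned by apexname (and its
 * signatures, if opt_sig is given) out of packet p via get_dnssec_rr.
 * Return value and ownership follow get_dnssec_rr (declared elsewhere).
 */
static ldns_pkt_type
get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
{
	return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig);
}

/*
 * check to see if we can find a DS rrset here which we can then follow
 *
 * Same shape as get_key but for the DS RRset owned by ownername.
 */
static ldns_pkt_type
get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
{
	return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig);
}
#endif /* HAVE_SSL */

/*
 * Drop every nameserver currently configured on res, freeing each
 * popped address.  Leaves the resolver with zero nameservers.
 */
void
remove_resolver_nameservers(ldns_resolver *res)
{
	ldns_rdf *pop;

	/* remove the old nameserver from the resolver */
	while ((pop = ldns_resolver_pop_nameserver(res))) {
		ldns_rdf_deep_free(pop);
	}
}

/*
 * Print the nameserver addresses configured on res to out, one per line,
 * preceded by a header line.  Purely diagnostic; does not modify res.
 */
void
show_current_nameservers(FILE *out, ldns_resolver *res)
{
	size_t i;

	fprintf(out, "Current nameservers for resolver object:\n");
	for (i = 0; i < ldns_resolver_nameserver_count(res); i++) {
		ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]);
		fprintf(out, "\n");
	}
}

/*ldns_pkt **/
#ifdef HAVE_SSL
/*
 * Walk from the root (or from start_name, which must be an ancestor of
 * name) down to name, validating the DNSKEY and DS RRsets of each label
 * against trusted_keys and the chain built so far, and finally the
 * (name, t) data or its denial of existence.
 *
 * Returns 0 when every step validated, a positive code identifying the
 * first step that was reported BOGUS, -1 when memory allocation failed,
 * or the ldns_status value when the root nameservers could not be
 * installed on the fresh resolver.
 */
int
do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
	ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name
	)
{
	ldns_resolver *res;
	ldns_pkt *p, *local_p;
	ldns_rr_list *new_nss;
	ldns_rr_list *ns_addr;
	ldns_rdf *pop;
	ldns_rdf **labels = NULL;
	ldns_status status, st;
	ssize_t i;
	size_t j;
	size_t k;
	size_t l;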
141825eb42bSJan Lentfer uint8_t labels_count; 142825eb42bSJan Lentfer 143825eb42bSJan Lentfer /* dnssec */ 144825eb42bSJan Lentfer ldns_rr_list *key_list; 145825eb42bSJan Lentfer ldns_rr_list *key_sig_list; 146825eb42bSJan Lentfer ldns_rr_list *ds_list; 147825eb42bSJan Lentfer ldns_rr_list *ds_sig_list; 148825eb42bSJan Lentfer ldns_rr_list *correct_key_list; 149825eb42bSJan Lentfer ldns_rr_list *trusted_ds_rrs; 150825eb42bSJan Lentfer bool new_keys_trusted = false; 151825eb42bSJan Lentfer ldns_rr_list *current_correct_keys; 152825eb42bSJan Lentfer ldns_rr_list *dataset; 153825eb42bSJan Lentfer 154825eb42bSJan Lentfer ldns_rr_list *nsec_rrs = NULL; 155825eb42bSJan Lentfer ldns_rr_list *nsec_rr_sigs = NULL; 156825eb42bSJan Lentfer 157825eb42bSJan Lentfer /* empty non-terminal check */ 158825eb42bSJan Lentfer bool ent; 159825eb42bSJan Lentfer 160825eb42bSJan Lentfer /* glue handling */ 161825eb42bSJan Lentfer ldns_rr_list *new_ns_addr; 162825eb42bSJan Lentfer ldns_rr_list *old_ns_addr; 163825eb42bSJan Lentfer ldns_rr *ns_rr; 164825eb42bSJan Lentfer 165825eb42bSJan Lentfer int result = 0; 166825eb42bSJan Lentfer 167825eb42bSJan Lentfer /* printing niceness */ 168825eb42bSJan Lentfer const ldns_rr_descriptor *descriptor; 169825eb42bSJan Lentfer 170825eb42bSJan Lentfer descriptor = ldns_rr_descript(t); 171825eb42bSJan Lentfer 172825eb42bSJan Lentfer new_nss = NULL; 173825eb42bSJan Lentfer ns_addr = NULL; 174825eb42bSJan Lentfer key_list = NULL; 175825eb42bSJan Lentfer ds_list = NULL; 176825eb42bSJan Lentfer 177825eb42bSJan Lentfer p = NULL; 178825eb42bSJan Lentfer local_p = NULL; 179825eb42bSJan Lentfer res = ldns_resolver_new(); 180825eb42bSJan Lentfer key_sig_list = NULL; 181825eb42bSJan Lentfer ds_sig_list = NULL; 182825eb42bSJan Lentfer 183825eb42bSJan Lentfer if (!res) { 184825eb42bSJan Lentfer error("Memory allocation failed"); 185825eb42bSJan Lentfer result = -1; 186825eb42bSJan Lentfer return result; 187825eb42bSJan Lentfer } 188825eb42bSJan Lentfer 
189825eb42bSJan Lentfer correct_key_list = ldns_rr_list_new(); 190825eb42bSJan Lentfer if (!correct_key_list) { 191825eb42bSJan Lentfer error("Memory allocation failed"); 192825eb42bSJan Lentfer result = -1; 193825eb42bSJan Lentfer return result; 194825eb42bSJan Lentfer } 195825eb42bSJan Lentfer 196825eb42bSJan Lentfer trusted_ds_rrs = ldns_rr_list_new(); 197825eb42bSJan Lentfer if (!trusted_ds_rrs) { 198825eb42bSJan Lentfer error("Memory allocation failed"); 199825eb42bSJan Lentfer result = -1; 200825eb42bSJan Lentfer return result; 201825eb42bSJan Lentfer } 202ac996e71SJan Lentfer /* Add all preset trusted DS signatures to the list of trusted DS RRs. */ 203ac996e71SJan Lentfer for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) { 204ac996e71SJan Lentfer ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j); 205ac996e71SJan Lentfer if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) { 206ac996e71SJan Lentfer ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr)); 207ac996e71SJan Lentfer } 208ac996e71SJan Lentfer } 209825eb42bSJan Lentfer 210825eb42bSJan Lentfer /* transfer some properties of local_res to res */ 211825eb42bSJan Lentfer ldns_resolver_set_ip6(res, 212825eb42bSJan Lentfer ldns_resolver_ip6(local_res)); 213825eb42bSJan Lentfer ldns_resolver_set_port(res, 214825eb42bSJan Lentfer ldns_resolver_port(local_res)); 215825eb42bSJan Lentfer ldns_resolver_set_debug(res, 216825eb42bSJan Lentfer ldns_resolver_debug(local_res)); 217825eb42bSJan Lentfer ldns_resolver_set_fail(res, 218825eb42bSJan Lentfer ldns_resolver_fail(local_res)); 219825eb42bSJan Lentfer ldns_resolver_set_usevc(res, 220825eb42bSJan Lentfer ldns_resolver_usevc(local_res)); 221825eb42bSJan Lentfer ldns_resolver_set_random(res, 222825eb42bSJan Lentfer ldns_resolver_random(local_res)); 223825eb42bSJan Lentfer ldns_resolver_set_recursive(local_res, true); 224825eb42bSJan Lentfer 225825eb42bSJan Lentfer ldns_resolver_set_recursive(res, false); 226825eb42bSJan Lentfer 
ldns_resolver_set_dnssec_cd(res, false); 227825eb42bSJan Lentfer ldns_resolver_set_dnssec(res, true); 228825eb42bSJan Lentfer 229825eb42bSJan Lentfer /* setup the root nameserver in the new resolver */ 230825eb42bSJan Lentfer status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root); 231825eb42bSJan Lentfer if (status != LDNS_STATUS_OK) { 232825eb42bSJan Lentfer printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status)); 233825eb42bSJan Lentfer ldns_rr_list_print(stdout, global_dns_root); 234*d1b2b5caSJohn Marino result = status; 235*d1b2b5caSJohn Marino goto done; 236825eb42bSJan Lentfer } 237825eb42bSJan Lentfer labels_count = ldns_dname_label_count(name); 238825eb42bSJan Lentfer if (start_name) { 239825eb42bSJan Lentfer if (ldns_dname_is_subdomain(name, start_name)) { 240825eb42bSJan Lentfer labels_count -= ldns_dname_label_count(start_name); 241825eb42bSJan Lentfer } else { 242825eb42bSJan Lentfer fprintf(stderr, "Error; "); 243825eb42bSJan Lentfer ldns_rdf_print(stderr, name); 244825eb42bSJan Lentfer fprintf(stderr, " is not a subdomain of "); 245825eb42bSJan Lentfer ldns_rdf_print(stderr, start_name); 246825eb42bSJan Lentfer fprintf(stderr, "\n"); 247825eb42bSJan Lentfer goto done; 248825eb42bSJan Lentfer } 249825eb42bSJan Lentfer } 250825eb42bSJan Lentfer labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2); 251825eb42bSJan Lentfer if (!labels) { 252825eb42bSJan Lentfer goto done; 253825eb42bSJan Lentfer } 254825eb42bSJan Lentfer labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR); 255825eb42bSJan Lentfer labels[1] = ldns_rdf_clone(name); 256825eb42bSJan Lentfer for(i = 2 ; i < (ssize_t)labels_count + 2; i++) { 257825eb42bSJan Lentfer labels[i] = ldns_dname_left_chop(labels[i - 1]); 258825eb42bSJan Lentfer } 259825eb42bSJan Lentfer 260825eb42bSJan Lentfer /* get the nameserver for the label 261825eb42bSJan Lentfer * ask: dnskey and ds for the label 262825eb42bSJan Lentfer */ 263825eb42bSJan Lentfer for(i = (ssize_t)labels_count + 1; i > 0; i--) { 
264825eb42bSJan Lentfer status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0); 265825eb42bSJan Lentfer 266825eb42bSJan Lentfer if (verbosity >= 5) { 267825eb42bSJan Lentfer ldns_pkt_print(stdout, local_p); 268825eb42bSJan Lentfer } 269825eb42bSJan Lentfer 270825eb42bSJan Lentfer new_nss = ldns_pkt_rr_list_by_type(local_p, 271825eb42bSJan Lentfer LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER); 272825eb42bSJan Lentfer if (!new_nss) { 273825eb42bSJan Lentfer /* if it's a delegation, servers put them in the auth section */ 274825eb42bSJan Lentfer new_nss = ldns_pkt_rr_list_by_type(local_p, 275825eb42bSJan Lentfer LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY); 276825eb42bSJan Lentfer } 277825eb42bSJan Lentfer 278825eb42bSJan Lentfer /* if this is the final step there might not be nameserver records 279825eb42bSJan Lentfer of course if the data is in the apex, there are, so cover both 280825eb42bSJan Lentfer cases */ 281825eb42bSJan Lentfer if (new_nss || i > 1) { 282825eb42bSJan Lentfer for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) { 283825eb42bSJan Lentfer ns_rr = ldns_rr_list_rr(new_nss, j); 284825eb42bSJan Lentfer pop = ldns_rr_rdf(ns_rr, 0); 285825eb42bSJan Lentfer if (!pop) { 286825eb42bSJan Lentfer printf("nopo\n"); 287825eb42bSJan Lentfer break; 288825eb42bSJan Lentfer } 289825eb42bSJan Lentfer /* retrieve it's addresses */ 290825eb42bSJan Lentfer /* trust glue? 
*/ 291825eb42bSJan Lentfer new_ns_addr = NULL; 292825eb42bSJan Lentfer if (ldns_dname_is_subdomain(pop, labels[i])) { 293825eb42bSJan Lentfer new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL); 294825eb42bSJan Lentfer } 295825eb42bSJan Lentfer if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) { 296825eb42bSJan Lentfer new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0); 297825eb42bSJan Lentfer } 298825eb42bSJan Lentfer if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) { 299825eb42bSJan Lentfer new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0); 300825eb42bSJan Lentfer } 301825eb42bSJan Lentfer 302825eb42bSJan Lentfer if (new_ns_addr) { 303825eb42bSJan Lentfer old_ns_addr = ns_addr; 304825eb42bSJan Lentfer ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr); 305825eb42bSJan Lentfer ldns_rr_list_deep_free(old_ns_addr); 306825eb42bSJan Lentfer } 307825eb42bSJan Lentfer ldns_rr_list_deep_free(new_ns_addr); 308825eb42bSJan Lentfer } 309825eb42bSJan Lentfer ldns_rr_list_deep_free(new_nss); 310825eb42bSJan Lentfer 311825eb42bSJan Lentfer if (ns_addr) { 312825eb42bSJan Lentfer remove_resolver_nameservers(res); 313825eb42bSJan Lentfer 314825eb42bSJan Lentfer if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) != 315825eb42bSJan Lentfer LDNS_STATUS_OK) { 316825eb42bSJan Lentfer error("Error adding new nameservers"); 317825eb42bSJan Lentfer ldns_pkt_free(local_p); 318825eb42bSJan Lentfer goto done; 319825eb42bSJan Lentfer } 320825eb42bSJan Lentfer ldns_rr_list_deep_free(ns_addr); 321825eb42bSJan Lentfer } else { 322825eb42bSJan Lentfer status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs); 323825eb42bSJan Lentfer 324825eb42bSJan Lentfer /* verify the nsec3 themselves*/ 325825eb42bSJan Lentfer if (verbosity >= 4) { 326825eb42bSJan Lentfer printf("NSEC(3) Records to verify:\n"); 327825eb42bSJan Lentfer ldns_rr_list_print(stdout, nsec_rrs); 
328825eb42bSJan Lentfer printf("With signatures:\n"); 329825eb42bSJan Lentfer ldns_rr_list_print(stdout, nsec_rr_sigs); 330825eb42bSJan Lentfer printf("correct keys:\n"); 331825eb42bSJan Lentfer ldns_rr_list_print(stdout, correct_key_list); 332825eb42bSJan Lentfer } 333825eb42bSJan Lentfer 334825eb42bSJan Lentfer if (status == LDNS_STATUS_OK) { 335825eb42bSJan Lentfer if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 336825eb42bSJan Lentfer fprintf(stdout, "%s ", TRUST); 337825eb42bSJan Lentfer fprintf(stdout, "Existence denied: "); 338825eb42bSJan Lentfer ldns_rdf_print(stdout, labels[i]); 339825eb42bSJan Lentfer /* 340825eb42bSJan Lentfer if (descriptor && descriptor->_name) { 341825eb42bSJan Lentfer printf(" %s", descriptor->_name); 342825eb42bSJan Lentfer } else { 343825eb42bSJan Lentfer printf(" TYPE%u", t); 344825eb42bSJan Lentfer } 345825eb42bSJan Lentfer */ fprintf(stdout, " NS\n"); 346825eb42bSJan Lentfer } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 347825eb42bSJan Lentfer fprintf(stdout, "%s ", SELF); 348825eb42bSJan Lentfer fprintf(stdout, "Existence denied: "); 349825eb42bSJan Lentfer ldns_rdf_print(stdout, labels[i]); 350825eb42bSJan Lentfer /* 351825eb42bSJan Lentfer if (descriptor && descriptor->_name) { 352825eb42bSJan Lentfer printf(" %s", descriptor->_name); 353825eb42bSJan Lentfer } else { 354825eb42bSJan Lentfer printf(" TYPE%u", t); 355825eb42bSJan Lentfer } 356825eb42bSJan Lentfer */ 357825eb42bSJan Lentfer fprintf(stdout, " NS\n"); 358825eb42bSJan Lentfer } else { 359825eb42bSJan Lentfer fprintf(stdout, "%s ", BOGUS); 360825eb42bSJan Lentfer result = 1; 361825eb42bSJan Lentfer printf(";; Error verifying denial of existence for name "); 362825eb42bSJan Lentfer ldns_rdf_print(stdout, labels[i]); 363825eb42bSJan Lentfer /* 364825eb42bSJan Lentfer printf(" type "); 365825eb42bSJan Lentfer if (descriptor && descriptor->_name) { 366825eb42bSJan Lentfer 
printf("%s", descriptor->_name); 367825eb42bSJan Lentfer } else { 368825eb42bSJan Lentfer printf("TYPE%u", t); 369825eb42bSJan Lentfer } 370825eb42bSJan Lentfer */ printf("NS: %s\n", ldns_get_errorstr_by_id(st)); 371825eb42bSJan Lentfer } 372825eb42bSJan Lentfer } else { 373825eb42bSJan Lentfer fprintf(stdout, "%s ", BOGUS); 374825eb42bSJan Lentfer result = 1; 375825eb42bSJan Lentfer printf(";; Error verifying denial of existence for name "); 376825eb42bSJan Lentfer ldns_rdf_print(stdout, labels[i]); 377825eb42bSJan Lentfer printf("NS: %s\n", ldns_get_errorstr_by_id(status)); 378825eb42bSJan Lentfer } 379825eb42bSJan Lentfer 380825eb42bSJan Lentfer /* there might be an empty non-terminal, in which case we need to continue */ 381825eb42bSJan Lentfer ent = false; 382825eb42bSJan Lentfer for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) { 383825eb42bSJan Lentfer if (ldns_dname_is_subdomain(ldns_rr_rdf(ldns_rr_list_rr(nsec_rrs, j), 0), labels[i])) { 384825eb42bSJan Lentfer ent = true; 385825eb42bSJan Lentfer } 386825eb42bSJan Lentfer } 387825eb42bSJan Lentfer if (!ent) { 388825eb42bSJan Lentfer ldns_rr_list_deep_free(nsec_rrs); 389825eb42bSJan Lentfer ldns_rr_list_deep_free(nsec_rr_sigs); 390825eb42bSJan Lentfer ldns_pkt_free(local_p); 391825eb42bSJan Lentfer goto done; 392825eb42bSJan Lentfer } else { 393825eb42bSJan Lentfer printf(";; There is an empty non-terminal here, continue\n"); 394ac996e71SJan Lentfer continue; 395825eb42bSJan Lentfer } 396825eb42bSJan Lentfer } 397825eb42bSJan Lentfer 398825eb42bSJan Lentfer if (ldns_resolver_nameserver_count(res) == 0) { 399825eb42bSJan Lentfer error("No nameservers found for this node"); 400825eb42bSJan Lentfer goto done; 401825eb42bSJan Lentfer } 402825eb42bSJan Lentfer } 403825eb42bSJan Lentfer ldns_pkt_free(local_p); 404825eb42bSJan Lentfer 405825eb42bSJan Lentfer fprintf(stdout, ";; Domain: "); 406825eb42bSJan Lentfer ldns_rdf_print(stdout, labels[i]); 407825eb42bSJan Lentfer fprintf(stdout, "\n"); 408825eb42bSJan 
Lentfer 409825eb42bSJan Lentfer /* retrieve keys for current domain, and verify them 410825eb42bSJan Lentfer if they match an already trusted DS, or if one of the 411825eb42bSJan Lentfer keys used to sign these is trusted, add the keys to 412825eb42bSJan Lentfer the trusted list */ 413825eb42bSJan Lentfer p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY); 414*d1b2b5caSJohn Marino (void) get_key(p, labels[i], &key_list, &key_sig_list); 415825eb42bSJan Lentfer if (key_sig_list) { 416825eb42bSJan Lentfer if (key_list) { 417825eb42bSJan Lentfer current_correct_keys = ldns_rr_list_new(); 418825eb42bSJan Lentfer if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) == 419825eb42bSJan Lentfer LDNS_STATUS_OK) { 420825eb42bSJan Lentfer /* add all signed keys (don't just add current_correct, you'd miss 421825eb42bSJan Lentfer * the zsk's then */ 422825eb42bSJan Lentfer for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) { 423825eb42bSJan Lentfer ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j))); 424825eb42bSJan Lentfer } 425825eb42bSJan Lentfer 426825eb42bSJan Lentfer /* check whether these keys were signed 427825eb42bSJan Lentfer * by a trusted keys. 
if so, these 428825eb42bSJan Lentfer * keys are also trusted */ 429825eb42bSJan Lentfer new_keys_trusted = false; 430825eb42bSJan Lentfer for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) { 431825eb42bSJan Lentfer for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) { 432825eb42bSJan Lentfer if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k), 433825eb42bSJan Lentfer ldns_rr_list_rr(trusted_ds_rrs, j))) { 434825eb42bSJan Lentfer new_keys_trusted = true; 435825eb42bSJan Lentfer } 436825eb42bSJan Lentfer } 437825eb42bSJan Lentfer } 438825eb42bSJan Lentfer 439825eb42bSJan Lentfer /* also all keys are trusted if one of the current correct keys is trusted */ 440825eb42bSJan Lentfer for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) { 441825eb42bSJan Lentfer for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) { 442825eb42bSJan Lentfer if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k), 443825eb42bSJan Lentfer ldns_rr_list_rr(trusted_keys, j)) == 0) { 444825eb42bSJan Lentfer new_keys_trusted = true; 445825eb42bSJan Lentfer } 446825eb42bSJan Lentfer } 447825eb42bSJan Lentfer } 448825eb42bSJan Lentfer 449825eb42bSJan Lentfer 450825eb42bSJan Lentfer if (new_keys_trusted) { 451825eb42bSJan Lentfer ldns_rr_list_push_rr_list(trusted_keys, key_list); 452825eb42bSJan Lentfer print_rr_list_abbr(stdout, key_list, TRUST); 453825eb42bSJan Lentfer ldns_rr_list_free(key_list); 454825eb42bSJan Lentfer key_list = NULL; 455825eb42bSJan Lentfer } else { 456825eb42bSJan Lentfer if (verbosity >= 2) { 457825eb42bSJan Lentfer printf(";; Signature ok but no chain to a trusted key or ds record\n"); 458825eb42bSJan Lentfer } 459825eb42bSJan Lentfer print_rr_list_abbr(stdout, key_list, SELF); 460825eb42bSJan Lentfer ldns_rr_list_deep_free(key_list); 461825eb42bSJan Lentfer key_list = NULL; 462825eb42bSJan Lentfer } 463825eb42bSJan Lentfer } else { 464825eb42bSJan Lentfer print_rr_list_abbr(stdout, key_list, BOGUS); 465825eb42bSJan 
Lentfer result = 2; 466825eb42bSJan Lentfer ldns_rr_list_deep_free(key_list); 467825eb42bSJan Lentfer key_list = NULL; 468825eb42bSJan Lentfer } 469825eb42bSJan Lentfer ldns_rr_list_free(current_correct_keys); 470825eb42bSJan Lentfer current_correct_keys = NULL; 471825eb42bSJan Lentfer } else { 472825eb42bSJan Lentfer printf(";; No DNSKEY record found for "); 473825eb42bSJan Lentfer ldns_rdf_print(stdout, labels[i]); 474825eb42bSJan Lentfer printf("\n"); 475825eb42bSJan Lentfer } 476825eb42bSJan Lentfer } 477825eb42bSJan Lentfer 478825eb42bSJan Lentfer ldns_pkt_free(p); 479825eb42bSJan Lentfer ldns_rr_list_deep_free(key_sig_list); 480825eb42bSJan Lentfer key_sig_list = NULL; 481825eb42bSJan Lentfer 482825eb42bSJan Lentfer /* check the DS records for the next child domain */ 483825eb42bSJan Lentfer if (i > 1) { 484825eb42bSJan Lentfer p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); 485*d1b2b5caSJohn Marino (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list); 486825eb42bSJan Lentfer if (!ds_list) { 487825eb42bSJan Lentfer ldns_pkt_free(p); 488825eb42bSJan Lentfer if (ds_sig_list) { 489825eb42bSJan Lentfer ldns_rr_list_deep_free(ds_sig_list); 490825eb42bSJan Lentfer } 491825eb42bSJan Lentfer p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY); 492*d1b2b5caSJohn Marino (void) get_ds(p, NULL, &ds_list, &ds_sig_list); 493825eb42bSJan Lentfer } 494825eb42bSJan Lentfer if (ds_sig_list) { 495825eb42bSJan Lentfer if (ds_list) { 496825eb42bSJan Lentfer if (verbosity >= 4) { 497825eb42bSJan Lentfer printf("VERIFYING:\n"); 498825eb42bSJan Lentfer printf("DS LIST:\n"); 499825eb42bSJan Lentfer ldns_rr_list_print(stdout, ds_list); 500825eb42bSJan Lentfer printf("SIGS:\n"); 501825eb42bSJan Lentfer ldns_rr_list_print(stdout, ds_sig_list); 502825eb42bSJan Lentfer printf("KEYS:\n"); 503825eb42bSJan Lentfer ldns_rr_list_print(stdout, correct_key_list); 504825eb42bSJan Lentfer } 505825eb42bSJan Lentfer 506825eb42bSJan Lentfer current_correct_keys = ldns_rr_list_new(); 
507825eb42bSJan Lentfer 508825eb42bSJan Lentfer if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) == 509825eb42bSJan Lentfer LDNS_STATUS_OK) { 510825eb42bSJan Lentfer /* if the ds is signed by a trusted key and a key from correct keys 511825eb42bSJan Lentfer matches that ds, add that key to the trusted keys */ 512825eb42bSJan Lentfer new_keys_trusted = false; 513825eb42bSJan Lentfer if (verbosity >= 2) { 514825eb42bSJan Lentfer printf("Checking if signing key is trusted:\n"); 515825eb42bSJan Lentfer } 516825eb42bSJan Lentfer for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) { 517825eb42bSJan Lentfer if (verbosity >= 2) { 518825eb42bSJan Lentfer printf("New key: "); 519825eb42bSJan Lentfer ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j)); 520825eb42bSJan Lentfer } 521825eb42bSJan Lentfer for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) { 522825eb42bSJan Lentfer if (verbosity >= 2) { 523825eb42bSJan Lentfer printf("\tTrusted key: "); 524825eb42bSJan Lentfer ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k)); 525825eb42bSJan Lentfer } 526825eb42bSJan Lentfer if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j), 527825eb42bSJan Lentfer ldns_rr_list_rr(trusted_keys, k)) == 0) { 528825eb42bSJan Lentfer if (verbosity >= 2) { 529825eb42bSJan Lentfer printf("Key is now trusted!\n"); 530825eb42bSJan Lentfer } 531825eb42bSJan Lentfer for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) { 532825eb42bSJan Lentfer ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l))); 533825eb42bSJan Lentfer new_keys_trusted = true; 534825eb42bSJan Lentfer } 535825eb42bSJan Lentfer } 536825eb42bSJan Lentfer } 537825eb42bSJan Lentfer } 538825eb42bSJan Lentfer if (new_keys_trusted) { 539825eb42bSJan Lentfer print_rr_list_abbr(stdout, ds_list, TRUST); 540825eb42bSJan Lentfer } else { 541825eb42bSJan Lentfer print_rr_list_abbr(stdout, ds_list, SELF); 542825eb42bSJan Lentfer } 
543825eb42bSJan Lentfer } else { 544825eb42bSJan Lentfer result = 3; 545825eb42bSJan Lentfer print_rr_list_abbr(stdout, ds_list, BOGUS); 546825eb42bSJan Lentfer } 547825eb42bSJan Lentfer 548825eb42bSJan Lentfer ldns_rr_list_free(current_correct_keys); 549825eb42bSJan Lentfer current_correct_keys = NULL; 550825eb42bSJan Lentfer } else { 551825eb42bSJan Lentfer /* wait apparently there were no keys either, go back to the ds packet */ 552825eb42bSJan Lentfer ldns_pkt_free(p); 553825eb42bSJan Lentfer ldns_rr_list_deep_free(ds_sig_list); 554825eb42bSJan Lentfer p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); 555*d1b2b5caSJohn Marino (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list); 556825eb42bSJan Lentfer 557825eb42bSJan Lentfer status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs); 558825eb42bSJan Lentfer 559825eb42bSJan Lentfer if (verbosity >= 4) { 560825eb42bSJan Lentfer printf("NSEC(3) Records to verify:\n"); 561825eb42bSJan Lentfer ldns_rr_list_print(stdout, nsec_rrs); 562825eb42bSJan Lentfer printf("With signatures:\n"); 563825eb42bSJan Lentfer ldns_rr_list_print(stdout, nsec_rr_sigs); 564825eb42bSJan Lentfer printf("correct keys:\n"); 565825eb42bSJan Lentfer ldns_rr_list_print(stdout, correct_key_list); 566825eb42bSJan Lentfer } 567825eb42bSJan Lentfer 568825eb42bSJan Lentfer if (status == LDNS_STATUS_OK) { 569825eb42bSJan Lentfer if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 570825eb42bSJan Lentfer fprintf(stdout, "%s ", TRUST); 571825eb42bSJan Lentfer fprintf(stdout, "Existence denied: "); 572825eb42bSJan Lentfer ldns_rdf_print(stdout, labels[i-1]); 573825eb42bSJan Lentfer printf(" DS"); 574825eb42bSJan Lentfer fprintf(stdout, "\n"); 575825eb42bSJan Lentfer } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 576825eb42bSJan Lentfer fprintf(stdout, "%s ", SELF); 577825eb42bSJan Lentfer fprintf(stdout, "Existence denied: "); 
578825eb42bSJan Lentfer ldns_rdf_print(stdout, labels[i-1]); 579825eb42bSJan Lentfer printf(" DS"); 580825eb42bSJan Lentfer fprintf(stdout, "\n"); 581825eb42bSJan Lentfer } else { 582825eb42bSJan Lentfer result = 4; 583825eb42bSJan Lentfer fprintf(stdout, "%s ", BOGUS); 584825eb42bSJan Lentfer printf("Error verifying denial of existence for "); 585825eb42bSJan Lentfer ldns_rdf_print(stdout, labels[i-1]); 586825eb42bSJan Lentfer printf(" DS"); 587825eb42bSJan Lentfer printf(": %s\n", ldns_get_errorstr_by_id(st)); 588825eb42bSJan Lentfer } 589825eb42bSJan Lentfer 590825eb42bSJan Lentfer 591825eb42bSJan Lentfer } else { 592825eb42bSJan Lentfer if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { 593825eb42bSJan Lentfer printf(";; No DS for "); 594825eb42bSJan Lentfer ldns_rdf_print(stdout, labels[i - 1]); 595825eb42bSJan Lentfer } else { 596825eb42bSJan Lentfer printf("[B] Unable to verify denial of existence for "); 597825eb42bSJan Lentfer ldns_rdf_print(stdout, labels[i - 1]); 598825eb42bSJan Lentfer printf(" DS: %s\n", ldns_get_errorstr_by_id(status)); 599825eb42bSJan Lentfer } 600825eb42bSJan Lentfer } 601825eb42bSJan Lentfer if (verbosity >= 2) { 602825eb42bSJan Lentfer printf(";; No ds record for delegation\n"); 603825eb42bSJan Lentfer } 604825eb42bSJan Lentfer } 605825eb42bSJan Lentfer } 606825eb42bSJan Lentfer ldns_rr_list_deep_free(ds_list); 607825eb42bSJan Lentfer ldns_pkt_free(p); 608825eb42bSJan Lentfer } else { 609825eb42bSJan Lentfer /* if this is the last label, just verify the data and stop */ 610825eb42bSJan Lentfer p = get_dnssec_pkt(res, labels[i], t); 611*d1b2b5caSJohn Marino (void) get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list); 612825eb42bSJan Lentfer if (dataset && ldns_rr_list_rr_count(dataset) > 0) { 613825eb42bSJan Lentfer if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) { 614825eb42bSJan Lentfer 615825eb42bSJan Lentfer /* If this is a wildcard, you must be able to deny exact match */ 616825eb42bSJan Lentfer if ((st = 
ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) { 617825eb42bSJan Lentfer fprintf(stdout, "%s ", TRUST); 618825eb42bSJan Lentfer ldns_rr_list_print(stdout, dataset); 619825eb42bSJan Lentfer } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) { 620825eb42bSJan Lentfer fprintf(stdout, "%s ", SELF); 621825eb42bSJan Lentfer ldns_rr_list_print(stdout, dataset); 622825eb42bSJan Lentfer } else { 623825eb42bSJan Lentfer result = 5; 624825eb42bSJan Lentfer fprintf(stdout, "%s ", BOGUS); 625825eb42bSJan Lentfer ldns_rr_list_print(stdout, dataset); 626825eb42bSJan Lentfer printf(";; Error: %s\n", ldns_get_errorstr_by_id(st)); 627825eb42bSJan Lentfer } 628825eb42bSJan Lentfer } else { 629825eb42bSJan Lentfer fprintf(stdout, "%s ", UNSIGNED); 630825eb42bSJan Lentfer ldns_rr_list_print(stdout, dataset); 631825eb42bSJan Lentfer } 632825eb42bSJan Lentfer ldns_rr_list_deep_free(dataset); 633825eb42bSJan Lentfer } else { 634825eb42bSJan Lentfer status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs); 635825eb42bSJan Lentfer if (status == LDNS_STATUS_OK) { 636825eb42bSJan Lentfer /* verify the nsec3 themselves*/ 637825eb42bSJan Lentfer if (verbosity >= 5) { 638825eb42bSJan Lentfer printf("NSEC(3) Records to verify:\n"); 639825eb42bSJan Lentfer ldns_rr_list_print(stdout, nsec_rrs); 640825eb42bSJan Lentfer printf("With signatures:\n"); 641825eb42bSJan Lentfer ldns_rr_list_print(stdout, nsec_rr_sigs); 642825eb42bSJan Lentfer printf("correct keys:\n"); 643825eb42bSJan Lentfer ldns_rr_list_print(stdout, correct_key_list); 644825eb42bSJan Lentfer /* 645825eb42bSJan Lentfer printf("trusted keys at %p:\n", trusted_keys); 646825eb42bSJan Lentfer ldns_rr_list_print(stdout, trusted_keys); 647825eb42bSJan Lentfer */ } 648825eb42bSJan Lentfer 649825eb42bSJan Lentfer if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 650825eb42bSJan Lentfer fprintf(stdout, "%s ", TRUST); 
651825eb42bSJan Lentfer fprintf(stdout, "Existence denied: "); 652825eb42bSJan Lentfer ldns_rdf_print(stdout, name); 653825eb42bSJan Lentfer if (descriptor && descriptor->_name) { 654825eb42bSJan Lentfer printf(" %s", descriptor->_name); 655825eb42bSJan Lentfer } else { 656825eb42bSJan Lentfer printf(" TYPE%u", t); 657825eb42bSJan Lentfer } 658825eb42bSJan Lentfer fprintf(stdout, "\n"); 659825eb42bSJan Lentfer } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 660825eb42bSJan Lentfer fprintf(stdout, "%s ", SELF); 661825eb42bSJan Lentfer fprintf(stdout, "Existence denied: "); 662825eb42bSJan Lentfer ldns_rdf_print(stdout, name); 663825eb42bSJan Lentfer if (descriptor && descriptor->_name) { 664825eb42bSJan Lentfer printf(" %s", descriptor->_name); 665825eb42bSJan Lentfer } else { 666825eb42bSJan Lentfer printf(" TYPE%u", t); 667825eb42bSJan Lentfer } 668825eb42bSJan Lentfer fprintf(stdout, "\n"); 669825eb42bSJan Lentfer } else { 670825eb42bSJan Lentfer result = 6; 671825eb42bSJan Lentfer fprintf(stdout, "%s ", BOGUS); 672825eb42bSJan Lentfer printf("Error verifying denial of existence for "); 673825eb42bSJan Lentfer ldns_rdf_print(stdout, name); 674825eb42bSJan Lentfer printf(" type "); 675825eb42bSJan Lentfer if (descriptor && descriptor->_name) { 676825eb42bSJan Lentfer printf("%s", descriptor->_name); 677825eb42bSJan Lentfer } else { 678825eb42bSJan Lentfer printf("TYPE%u", t); 679825eb42bSJan Lentfer } 680825eb42bSJan Lentfer printf(": %s\n", ldns_get_errorstr_by_id(st)); 681825eb42bSJan Lentfer } 682825eb42bSJan Lentfer 683825eb42bSJan Lentfer ldns_rr_list_deep_free(nsec_rrs); 684825eb42bSJan Lentfer ldns_rr_list_deep_free(nsec_rr_sigs); 685825eb42bSJan Lentfer } else { 686825eb42bSJan Lentfer /* 687825eb42bSJan Lentfer */ 688825eb42bSJan Lentfer if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { 689825eb42bSJan Lentfer printf("%s ", UNSIGNED); 690825eb42bSJan Lentfer printf("No data found for: "); 691825eb42bSJan 
Lentfer ldns_rdf_print(stdout, name); 692825eb42bSJan Lentfer printf(" type "); 693825eb42bSJan Lentfer if (descriptor && descriptor->_name) { 694825eb42bSJan Lentfer printf("%s", descriptor->_name); 695825eb42bSJan Lentfer } else { 696825eb42bSJan Lentfer printf("TYPE%u", t); 697825eb42bSJan Lentfer } 698825eb42bSJan Lentfer printf("\n"); 699825eb42bSJan Lentfer } else { 700825eb42bSJan Lentfer printf("[B] Unable to verify denial of existence for "); 701825eb42bSJan Lentfer ldns_rdf_print(stdout, name); 702825eb42bSJan Lentfer printf(" type "); 703825eb42bSJan Lentfer if (descriptor && descriptor->_name) { 704825eb42bSJan Lentfer printf("%s", descriptor->_name); 705825eb42bSJan Lentfer } else { 706825eb42bSJan Lentfer printf("TYPE%u", t); 707825eb42bSJan Lentfer } 708825eb42bSJan Lentfer printf("\n"); 709825eb42bSJan Lentfer } 710825eb42bSJan Lentfer 711825eb42bSJan Lentfer } 712825eb42bSJan Lentfer } 713825eb42bSJan Lentfer ldns_pkt_free(p); 714825eb42bSJan Lentfer } 715825eb42bSJan Lentfer 716825eb42bSJan Lentfer new_nss = NULL; 717825eb42bSJan Lentfer ns_addr = NULL; 718825eb42bSJan Lentfer ldns_rr_list_deep_free(key_list); 719825eb42bSJan Lentfer key_list = NULL; 720825eb42bSJan Lentfer ldns_rr_list_deep_free(key_sig_list); 721825eb42bSJan Lentfer key_sig_list = NULL; 722825eb42bSJan Lentfer ds_list = NULL; 723825eb42bSJan Lentfer ldns_rr_list_deep_free(ds_sig_list); 724825eb42bSJan Lentfer ds_sig_list = NULL; 725825eb42bSJan Lentfer } 726825eb42bSJan Lentfer printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n"); 727825eb42bSJan Lentfer /* verbose mode? 
728825eb42bSJan Lentfer printf("Trusted keys:\n"); 729825eb42bSJan Lentfer ldns_rr_list_print(stdout, trusted_keys); 730825eb42bSJan Lentfer printf("trusted dss:\n"); 731825eb42bSJan Lentfer ldns_rr_list_print(stdout, trusted_ds_rrs); 732825eb42bSJan Lentfer */ 733825eb42bSJan Lentfer 734825eb42bSJan Lentfer done: 735825eb42bSJan Lentfer ldns_rr_list_deep_free(trusted_ds_rrs); 736825eb42bSJan Lentfer ldns_rr_list_deep_free(correct_key_list); 737825eb42bSJan Lentfer ldns_resolver_deep_free(res); 738825eb42bSJan Lentfer if (labels) { 739825eb42bSJan Lentfer for(i = 0 ; i < (ssize_t)labels_count + 2; i++) { 740825eb42bSJan Lentfer ldns_rdf_deep_free(labels[i]); 741825eb42bSJan Lentfer } 742825eb42bSJan Lentfer LDNS_FREE(labels); 743825eb42bSJan Lentfer } 744825eb42bSJan Lentfer return result; 745825eb42bSJan Lentfer } 746825eb42bSJan Lentfer #endif /* HAVE_SSL */ 747