1 /* 2 * validator/validator.c - secure validator DNS query response module 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains a module that performs validation of DNS queries. 40 * According to RFC 4034. 41 */ 42 #include "config.h" 43 #include "validator/validator.h" 44 #include "validator/val_anchor.h" 45 #include "validator/val_kcache.h" 46 #include "validator/val_kentry.h" 47 #include "validator/val_utils.h" 48 #include "validator/val_nsec.h" 49 #include "validator/val_nsec3.h" 50 #include "validator/val_neg.h" 51 #include "validator/val_sigcrypt.h" 52 #include "validator/autotrust.h" 53 #include "services/cache/dns.h" 54 #include "util/data/dname.h" 55 #include "util/module.h" 56 #include "util/log.h" 57 #include "util/net_help.h" 58 #include "util/regional.h" 59 #include "util/config_file.h" 60 #include "util/fptr_wlist.h" 61 #include "sldns/rrdef.h" 62 #include "sldns/wire2str.h" 63 #include "sldns/str2wire.h" 64 65 /* forward decl for cache response and normal super inform calls of a DS */ 66 static void process_ds_response(struct module_qstate* qstate, 67 struct val_qstate* vq, int id, int rcode, struct dns_msg* msg, 68 struct query_info* qinfo, struct sock_list* origin); 69 70 /** fill up nsec3 key iterations config entry */ 71 static int 72 fill_nsec3_iter(struct val_env* ve, char* s, int c) 73 { 74 char* e; 75 int i; 76 free(ve->nsec3_keysize); 77 free(ve->nsec3_maxiter); 78 ve->nsec3_keysize = (size_t*)calloc(sizeof(size_t), (size_t)c); 79 ve->nsec3_maxiter = (size_t*)calloc(sizeof(size_t), (size_t)c); 80 if(!ve->nsec3_keysize || !ve->nsec3_maxiter) { 81 log_err("out of memory"); 82 return 0; 83 } 84 for(i=0; i<c; i++) { 85 ve->nsec3_keysize[i] = (size_t)strtol(s, &e, 10); 86 if(s == e) { 87 log_err("cannot parse: %s", s); 88 return 0; 89 } 90 s = e; 91 ve->nsec3_maxiter[i] = (size_t)strtol(s, &e, 10); 92 if(s == e) { 93 log_err("cannot parse: %s", s); 94 return 0; 95 } 96 s = e; 97 if(i>0 && ve->nsec3_keysize[i-1] >= ve->nsec3_keysize[i]) { 98 log_err("nsec3 key iterations not ascending: %d %d", 99 (int)ve->nsec3_keysize[i-1], 100 (int)ve->nsec3_keysize[i]); 101 return 0; 102 } 103 verbose(VERB_ALGO, "validator nsec3cfg keysz %d mxiter %d", 104 (int)ve->nsec3_keysize[i], (int)ve->nsec3_maxiter[i]); 105 } 106 return 1; 107 } 108 109 /** apply config settings to validator */ 110 static int 111 val_apply_cfg(struct module_env* env, struct val_env* val_env, 112 struct config_file* cfg) 113 { 114 int c; 115 val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl; 116 if(!env->anchors) 117 env->anchors = anchors_create(); 118 if(!env->anchors) { 119 log_err("out of memory"); 120 return 0; 121 } 122 if(!val_env->kcache) 123 val_env->kcache = key_cache_create(cfg); 124 if(!val_env->kcache) { 125 log_err("out of memory"); 126 return 0; 127 } 128 env->key_cache = val_env->kcache; 129 if(!anchors_apply_cfg(env->anchors, cfg)) { 130 log_err("validator: error in trustanchors config"); 131 return 0; 132 } 133 val_env->date_override = cfg->val_date_override; 134 val_env->skew_min = cfg->val_sig_skew_min; 135 val_env->skew_max = cfg->val_sig_skew_max; 136 c = cfg_count_numbers(cfg->val_nsec3_key_iterations); 137 if(c < 1 || (c&1)) { 138 log_err("validator: unparseable or odd nsec3 key " 139 "iterations: %s", cfg->val_nsec3_key_iterations); 140 return 0; 141 } 142 val_env->nsec3_keyiter_count = c/2; 143 if(!fill_nsec3_iter(val_env, cfg->val_nsec3_key_iterations, c/2)) { 144 log_err("validator: cannot apply nsec3 key iterations"); 145 return 0; 146 } 147 if(!val_env->neg_cache) 148 val_env->neg_cache = val_neg_create(cfg, 149 val_env->nsec3_maxiter[val_env->nsec3_keyiter_count-1]); 150 if(!val_env->neg_cache) { 151 log_err("out of memory"); 152 return 0; 153 } 154 env->neg_cache = val_env->neg_cache; 155 return 1; 156 } 157 158 #ifdef USE_ECDSA_EVP_WORKAROUND 159 void ecdsa_evp_workaround_init(void); 160 #endif 161 int 162 val_init(struct module_env* env, int id) 163 { 164 struct val_env* val_env = (struct val_env*)calloc(1, 165 sizeof(struct val_env)); 166 if(!val_env) { 167 log_err("malloc failure"); 168 return 0; 169 } 170 env->modinfo[id] = (void*)val_env; 171 env->need_to_validate = 1; 172 lock_basic_init(&val_env->bogus_lock); 173 lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus, 174 sizeof(val_env->num_rrset_bogus)); 175 #ifdef USE_ECDSA_EVP_WORKAROUND 176 ecdsa_evp_workaround_init(); 177 #endif 178 if(!val_apply_cfg(env, val_env, env->cfg)) { 179 log_err("validator: could not apply configuration settings."); 180 return 0; 181 } 182 183 return 1; 184 } 185 186 void 187 val_deinit(struct module_env* env, int id) 188 { 189 struct val_env* val_env; 190 if(!env || !env->modinfo[id]) 191 return; 192 val_env = (struct val_env*)env->modinfo[id]; 193 lock_basic_destroy(&val_env->bogus_lock); 194 anchors_delete(env->anchors); 195 env->anchors = NULL; 196 key_cache_delete(val_env->kcache); 197 neg_cache_delete(val_env->neg_cache); 198 free(val_env->nsec3_keysize); 199 free(val_env->nsec3_maxiter); 200 free(val_env); 201 env->modinfo[id] = NULL; 202 } 203 204 /** fill in message structure */ 205 static struct val_qstate* 206 val_new_getmsg(struct module_qstate* qstate, struct val_qstate* vq) 207 { 208 if(!qstate->return_msg || qstate->return_rcode != LDNS_RCODE_NOERROR) { 209 /* create a message to verify */ 210 verbose(VERB_ALGO, "constructing reply for validation"); 211 vq->orig_msg = (struct dns_msg*)regional_alloc(qstate->region, 212 sizeof(struct dns_msg)); 213 if(!vq->orig_msg) 214 return NULL; 215 vq->orig_msg->qinfo = qstate->qinfo; 216 vq->orig_msg->rep = (struct reply_info*)regional_alloc( 217 qstate->region, sizeof(struct reply_info)); 218 if(!vq->orig_msg->rep) 219 return NULL; 220 memset(vq->orig_msg->rep, 0, sizeof(struct reply_info)); 221 vq->orig_msg->rep->flags = (uint16_t)(qstate->return_rcode&0xf) 222 |BIT_QR|BIT_RA|(qstate->query_flags|(BIT_CD|BIT_RD)); 223 vq->orig_msg->rep->qdcount = 1; 224 } else { 225 vq->orig_msg = qstate->return_msg; 226 } 227 vq->qchase = qstate->qinfo; 228 /* chase reply will be an edited (sub)set of the orig msg rrset ptrs */ 229 vq->chase_reply = regional_alloc_init(qstate->region, 230 vq->orig_msg->rep, 231 sizeof(struct reply_info) - sizeof(struct rrset_ref)); 232 if(!vq->chase_reply) 233 return NULL; 234 if(vq->orig_msg->rep->rrset_count > RR_COUNT_MAX) 235 return NULL; /* protect against integer overflow */ 236 vq->chase_reply->rrsets = regional_alloc_init(qstate->region, 237 vq->orig_msg->rep->rrsets, sizeof(struct ub_packed_rrset_key*) 238 * vq->orig_msg->rep->rrset_count); 239 if(!vq->chase_reply->rrsets) 240 return NULL; 241 vq->rrset_skip = 0; 242 return vq; 243 } 244 245 /** allocate new validator query state */ 246 static struct val_qstate* 247 val_new(struct module_qstate* qstate, int id) 248 { 249 struct val_qstate* vq = (struct val_qstate*)regional_alloc( 250 qstate->region, sizeof(*vq)); 251 log_assert(!qstate->minfo[id]); 252 if(!vq) 253 return NULL; 254 memset(vq, 0, sizeof(*vq)); 255 qstate->minfo[id] = vq; 256 vq->state = VAL_INIT_STATE; 257 return val_new_getmsg(qstate, vq); 258 } 259 260 /** 261 * Exit validation with an error status 262 * 263 * @param qstate: query state 264 * @param id: validator id. 265 * @return false, for use by caller to return to stop processing. 266 */ 267 static int 268 val_error(struct module_qstate* qstate, int id) 269 { 270 qstate->ext_state[id] = module_error; 271 qstate->return_rcode = LDNS_RCODE_SERVFAIL; 272 return 0; 273 } 274 275 /** 276 * Check to see if a given response needs to go through the validation 277 * process. Typical reasons for this routine to return false are: CD bit was 278 * on in the original request, or the response is a kind of message that 279 * is unvalidatable (i.e., SERVFAIL, REFUSED, etc.) 280 * 281 * @param qstate: query state. 282 * @param ret_rc: rcode for this message (if noerror - examine ret_msg). 283 * @param ret_msg: return msg, can be NULL; look at rcode instead. 284 * @return true if the response could use validation (although this does not 285 * mean we can actually validate this response). 286 */ 287 static int 288 needs_validation(struct module_qstate* qstate, int ret_rc, 289 struct dns_msg* ret_msg) 290 { 291 int rcode; 292 293 /* If the CD bit is on in the original request, then you could think 294 * that we don't bother to validate anything. 295 * But this is signalled internally with the valrec flag. 296 * User queries are validated with BIT_CD to make our cache clean 297 * so that bogus messages get retried by the upstream also for 298 * downstream validators that set BIT_CD. 299 * For DNS64 bit_cd signals no dns64 processing, but we want to 300 * provide validation there too */ 301 /* 302 if(qstate->query_flags & BIT_CD) { 303 verbose(VERB_ALGO, "not validating response due to CD bit"); 304 return 0; 305 } 306 */ 307 if(qstate->is_valrec) { 308 verbose(VERB_ALGO, "not validating response, is valrec" 309 "(validation recursion lookup)"); 310 return 0; 311 } 312 313 if(ret_rc != LDNS_RCODE_NOERROR || !ret_msg) 314 rcode = ret_rc; 315 else rcode = (int)FLAGS_GET_RCODE(ret_msg->rep->flags); 316 317 if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN) { 318 if(verbosity >= VERB_ALGO) { 319 char rc[16]; 320 rc[0]=0; 321 (void)sldns_wire2str_rcode_buf(rcode, rc, sizeof(rc)); 322 verbose(VERB_ALGO, "cannot validate non-answer, rcode %s", rc); 323 } 324 return 0; 325 } 326 327 /* cannot validate positive RRSIG response. (negatives can) */ 328 if(qstate->qinfo.qtype == LDNS_RR_TYPE_RRSIG && 329 rcode == LDNS_RCODE_NOERROR && ret_msg && 330 ret_msg->rep->an_numrrsets > 0) { 331 verbose(VERB_ALGO, "cannot validate RRSIG, no sigs on sigs."); 332 return 0; 333 } 334 return 1; 335 } 336 337 /** 338 * Check to see if the response has already been validated. 339 * @param ret_msg: return msg, can be NULL 340 * @return true if the response has already been validated 341 */ 342 static int 343 already_validated(struct dns_msg* ret_msg) 344 { 345 /* validate unchecked, and re-validate bogus messages */ 346 if (ret_msg && ret_msg->rep->security > sec_status_bogus) 347 { 348 verbose(VERB_ALGO, "response has already been validated: %s", 349 sec_status_to_string(ret_msg->rep->security)); 350 return 1; 351 } 352 return 0; 353 } 354 355 /** 356 * Generate a request for DNS data. 357 * 358 * @param qstate: query state that is the parent. 359 * @param id: module id. 360 * @param name: what name to query for. 361 * @param namelen: length of name. 362 * @param qtype: query type. 363 * @param qclass: query class. 364 * @param flags: additional flags, such as the CD bit (BIT_CD), or 0. 365 * @param newq: If the subquery is newly created, it is returned, 366 * otherwise NULL is returned 367 * @param detached: true if this qstate should not attach to the subquery 368 * @return false on alloc failure. 369 */ 370 static int 371 generate_request(struct module_qstate* qstate, int id, uint8_t* name, 372 size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags, 373 struct module_qstate** newq, int detached) 374 { 375 struct val_qstate* vq = (struct val_qstate*)qstate->minfo[id]; 376 struct query_info ask; 377 int valrec; 378 ask.qname = name; 379 ask.qname_len = namelen; 380 ask.qtype = qtype; 381 ask.qclass = qclass; 382 ask.local_alias = NULL; 383 log_query_info(VERB_ALGO, "generate request", &ask); 384 /* enable valrec flag to avoid recursion to the same validation 385 * routine, this lookup is simply a lookup. DLVs need validation */ 386 if(qtype == LDNS_RR_TYPE_DLV) 387 valrec = 0; 388 else valrec = 1; 389 if(detached) { 390 struct mesh_state* sub = NULL; 391 fptr_ok(fptr_whitelist_modenv_add_sub( 392 qstate->env->add_sub)); 393 if(!(*qstate->env->add_sub)(qstate, &ask, 394 (uint16_t)(BIT_RD|flags), 0, valrec, newq, &sub)){ 395 log_err("Could not generate request: out of memory"); 396 return 0; 397 } 398 } 399 else { 400 fptr_ok(fptr_whitelist_modenv_attach_sub( 401 qstate->env->attach_sub)); 402 if(!(*qstate->env->attach_sub)(qstate, &ask, 403 (uint16_t)(BIT_RD|flags), 0, valrec, newq)){ 404 log_err("Could not generate request: out of memory"); 405 return 0; 406 } 407 } 408 /* newq; validator does not need state created for that 409 * query, and its a 'normal' for iterator as well */ 410 if(*newq) { 411 /* add our blacklist to the query blacklist */ 412 sock_list_merge(&(*newq)->blacklist, (*newq)->region, 413 vq->chain_blacklist); 414 } 415 qstate->ext_state[id] = module_wait_subquery; 416 return 1; 417 } 418 419 /** 420 * Generate, send and detach key tag signaling query. 421 * 422 * @param qstate: query state. 423 * @param id: module id. 424 * @param ta: trust anchor, locked. 425 * @return false on a processing error. 426 */ 427 static int 428 generate_keytag_query(struct module_qstate* qstate, int id, 429 struct trust_anchor* ta) 430 { 431 /* 3 bytes for "_ta", 5 bytes per tag (4 bytes + "-") */ 432 #define MAX_LABEL_TAGS (LDNS_MAX_LABELLEN-3)/5 433 size_t i, numtag; 434 uint16_t tags[MAX_LABEL_TAGS]; 435 char tagstr[LDNS_MAX_LABELLEN+1] = "_ta"; /* +1 for NULL byte */ 436 size_t tagstr_left = sizeof(tagstr) - strlen(tagstr); 437 char* tagstr_pos = tagstr + strlen(tagstr); 438 uint8_t dnamebuf[LDNS_MAX_DOMAINLEN+1]; /* +1 for label length byte */ 439 size_t dnamebuf_len = sizeof(dnamebuf); 440 uint8_t* keytagdname; 441 struct module_qstate* newq = NULL; 442 enum module_ext_state ext_state = qstate->ext_state[id]; 443 444 numtag = anchor_list_keytags(ta, tags, MAX_LABEL_TAGS); 445 if(numtag == 0) 446 return 0; 447 448 for(i=0; i<numtag; i++) { 449 /* Buffer can't overflow; numtag is limited to tags that fit in 450 * the buffer. */ 451 snprintf(tagstr_pos, tagstr_left, "-%04x", (unsigned)tags[i]); 452 tagstr_left -= strlen(tagstr_pos); 453 tagstr_pos += strlen(tagstr_pos); 454 } 455 456 sldns_str2wire_dname_buf_origin(tagstr, dnamebuf, &dnamebuf_len, 457 ta->name, ta->namelen); 458 if(!(keytagdname = (uint8_t*)regional_alloc_init(qstate->region, 459 dnamebuf, dnamebuf_len))) { 460 log_err("could not generate key tag query: out of memory"); 461 return 0; 462 } 463 464 log_nametypeclass(VERB_ALGO, "keytag query", keytagdname, 465 LDNS_RR_TYPE_NULL, ta->dclass); 466 if(!generate_request(qstate, id, keytagdname, dnamebuf_len, 467 LDNS_RR_TYPE_NULL, ta->dclass, 0, &newq, 1)) { 468 log_err("failed to generate key tag signaling request"); 469 return 0; 470 } 471 472 /* Not interrested in subquery response. Restore the ext_state, 473 * that might be changed by generate_request() */ 474 qstate->ext_state[id] = ext_state; 475 476 return 1; 477 } 478 479 /** 480 * Prime trust anchor for use. 481 * Generate and dispatch a priming query for the given trust anchor. 482 * The trust anchor can be DNSKEY or DS and does not have to be signed. 483 * 484 * @param qstate: query state. 485 * @param vq: validator query state. 486 * @param id: module id. 487 * @param toprime: what to prime. 488 * @return false on a processing error. 489 */ 490 static int 491 prime_trust_anchor(struct module_qstate* qstate, struct val_qstate* vq, 492 int id, struct trust_anchor* toprime) 493 { 494 struct module_qstate* newq = NULL; 495 int ret = generate_request(qstate, id, toprime->name, toprime->namelen, 496 LDNS_RR_TYPE_DNSKEY, toprime->dclass, BIT_CD, &newq, 0); 497 498 if(newq && qstate->env->cfg->trust_anchor_signaling && 499 !generate_keytag_query(qstate, id, toprime)) { 500 log_err("keytag signaling query failed"); 501 return 0; 502 } 503 504 if(!ret) { 505 log_err("Could not prime trust anchor: out of memory"); 506 return 0; 507 } 508 /* ignore newq; validator does not need state created for that 509 * query, and its a 'normal' for iterator as well */ 510 vq->wait_prime_ta = 1; /* to elicit PRIME_RESP_STATE processing 511 from the validator inform_super() routine */ 512 /* store trust anchor name for later lookup when prime returns */ 513 vq->trust_anchor_name = regional_alloc_init(qstate->region, 514 toprime->name, toprime->namelen); 515 vq->trust_anchor_len = toprime->namelen; 516 vq->trust_anchor_labs = toprime->namelabs; 517 if(!vq->trust_anchor_name) { 518 log_err("Could not prime trust anchor: out of memory"); 519 return 0; 520 } 521 return 1; 522 } 523 524 /** 525 * Validate if the ANSWER and AUTHORITY sections contain valid rrsets. 526 * They must be validly signed with the given key. 527 * Tries to validate ADDITIONAL rrsets as well, but only to check them. 528 * Allows unsigned CNAME after a DNAME that expands the DNAME. 529 * 530 * Note that by the time this method is called, the process of finding the 531 * trusted DNSKEY rrset that signs this response must already have been 532 * completed. 533 * 534 * @param qstate: query state. 535 * @param env: module env for verify. 536 * @param ve: validator env for verify. 537 * @param qchase: query that was made. 538 * @param chase_reply: answer to validate. 539 * @param key_entry: the key entry, which is trusted, and which matches 540 * the signer of the answer. The key entry isgood(). 541 * @return false if any of the rrsets in the an or ns sections of the message 542 * fail to verify. The message is then set to bogus. 543 */ 544 static int 545 validate_msg_signatures(struct module_qstate* qstate, struct module_env* env, 546 struct val_env* ve, struct query_info* qchase, 547 struct reply_info* chase_reply, struct key_entry_key* key_entry) 548 { 549 uint8_t* sname; 550 size_t i, slen; 551 struct ub_packed_rrset_key* s; 552 enum sec_status sec; 553 int dname_seen = 0; 554 char* reason = NULL; 555 556 /* validate the ANSWER section */ 557 for(i=0; i<chase_reply->an_numrrsets; i++) { 558 s = chase_reply->rrsets[i]; 559 /* Skip the CNAME following a (validated) DNAME. 560 * Because of the normalization routines in the iterator, 561 * there will always be an unsigned CNAME following a DNAME 562 * (unless qtype=DNAME). */ 563 if(dname_seen && ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME) { 564 dname_seen = 0; 565 /* CNAME was synthesized by our own iterator */ 566 /* since the DNAME verified, mark the CNAME as secure */ 567 ((struct packed_rrset_data*)s->entry.data)->security = 568 sec_status_secure; 569 ((struct packed_rrset_data*)s->entry.data)->trust = 570 rrset_trust_validated; 571 continue; 572 } 573 574 /* Verify the answer rrset */ 575 sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason, 576 LDNS_SECTION_ANSWER, qstate); 577 /* If the (answer) rrset failed to validate, then this 578 * message is BAD. */ 579 if(sec != sec_status_secure) { 580 log_nametypeclass(VERB_QUERY, "validator: response " 581 "has failed ANSWER rrset:", s->rk.dname, 582 ntohs(s->rk.type), ntohs(s->rk.rrset_class)); 583 errinf(qstate, reason); 584 if(ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME) 585 errinf(qstate, "for CNAME"); 586 else if(ntohs(s->rk.type) == LDNS_RR_TYPE_DNAME) 587 errinf(qstate, "for DNAME"); 588 errinf_origin(qstate, qstate->reply_origin); 589 chase_reply->security = sec_status_bogus; 590 return 0; 591 } 592 593 /* Notice a DNAME that should be followed by an unsigned 594 * CNAME. */ 595 if(qchase->qtype != LDNS_RR_TYPE_DNAME && 596 ntohs(s->rk.type) == LDNS_RR_TYPE_DNAME) { 597 dname_seen = 1; 598 } 599 } 600 601 /* validate the AUTHORITY section */ 602 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+ 603 chase_reply->ns_numrrsets; i++) { 604 s = chase_reply->rrsets[i]; 605 sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason, 606 LDNS_SECTION_AUTHORITY, qstate); 607 /* If anything in the authority section fails to be secure, 608 * we have a bad message. */ 609 if(sec != sec_status_secure) { 610 log_nametypeclass(VERB_QUERY, "validator: response " 611 "has failed AUTHORITY rrset:", s->rk.dname, 612 ntohs(s->rk.type), ntohs(s->rk.rrset_class)); 613 errinf(qstate, reason); 614 errinf_origin(qstate, qstate->reply_origin); 615 errinf_rrset(qstate, s); 616 chase_reply->security = sec_status_bogus; 617 return 0; 618 } 619 } 620 621 /* If set, the validator should clean the additional section of 622 * secure messages. */ 623 if(!env->cfg->val_clean_additional) 624 return 1; 625 /* attempt to validate the ADDITIONAL section rrsets */ 626 for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets; 627 i<chase_reply->rrset_count; i++) { 628 s = chase_reply->rrsets[i]; 629 /* only validate rrs that have signatures with the key */ 630 /* leave others unchecked, those get removed later on too */ 631 val_find_rrset_signer(s, &sname, &slen); 632 if(sname && query_dname_compare(sname, key_entry->name)==0) 633 (void)val_verify_rrset_entry(env, ve, s, key_entry, 634 &reason, LDNS_SECTION_ADDITIONAL, qstate); 635 /* the additional section can fail to be secure, 636 * it is optional, check signature in case we need 637 * to clean the additional section later. */ 638 } 639 640 return 1; 641 } 642 643 /** 644 * Detect wrong truncated response (say from BIND 9.6.1 that is forwarding 645 * and saw the NS record without signatures from a referral). 646 * The positive response has a mangled authority section. 647 * Remove that authority section and the additional section. 648 * @param rep: reply 649 * @return true if a wrongly truncated response. 650 */ 651 static int 652 detect_wrongly_truncated(struct reply_info* rep) 653 { 654 size_t i; 655 /* only NS in authority, and it is bogus */ 656 if(rep->ns_numrrsets != 1 || rep->an_numrrsets == 0) 657 return 0; 658 if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS) 659 return 0; 660 if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ] 661 ->entry.data)->security == sec_status_secure) 662 return 0; 663 /* answer section is present and secure */ 664 for(i=0; i<rep->an_numrrsets; i++) { 665 if(((struct packed_rrset_data*)rep->rrsets[ i ] 666 ->entry.data)->security != sec_status_secure) 667 return 0; 668 } 669 verbose(VERB_ALGO, "truncating to minimal response"); 670 return 1; 671 } 672 673 /** 674 * For messages that are not referrals, if the chase reply contains an 675 * unsigned NS record in the authority section it could have been 676 * inserted by a (BIND) forwarder that thinks the zone is insecure, and 677 * that has an NS record without signatures in cache. Remove the NS 678 * record since the reply does not hinge on that record (in the authority 679 * section), but do not remove it if it removes the last record from the 680 * answer+authority sections. 681 * @param chase_reply: the chased reply, we have a key for this contents, 682 * so we should have signatures for these rrsets and not having 683 * signatures means it will be bogus. 684 * @param orig_reply: original reply, remove NS from there as well because 685 * we cannot mark the NS record as DNSSEC valid because it is not 686 * validated by signatures. 687 */ 688 static void 689 remove_spurious_authority(struct reply_info* chase_reply, 690 struct reply_info* orig_reply) 691 { 692 size_t i, found = 0; 693 int remove = 0; 694 /* if no answer and only 1 auth RRset, do not remove that one */ 695 if(chase_reply->an_numrrsets == 0 && chase_reply->ns_numrrsets == 1) 696 return; 697 /* search authority section for unsigned NS records */ 698 for(i = chase_reply->an_numrrsets; 699 i < chase_reply->an_numrrsets+chase_reply->ns_numrrsets; i++) { 700 struct packed_rrset_data* d = (struct packed_rrset_data*) 701 chase_reply->rrsets[i]->entry.data; 702 if(ntohs(chase_reply->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS 703 && d->rrsig_count == 0) { 704 found = i; 705 remove = 1; 706 break; 707 } 708 } 709 /* see if we found the entry */ 710 if(!remove) return; 711 log_rrset_key(VERB_ALGO, "Removing spurious unsigned NS record " 712 "(likely inserted by forwarder)", chase_reply->rrsets[found]); 713 714 /* find rrset in orig_reply */ 715 for(i = orig_reply->an_numrrsets; 716 i < orig_reply->an_numrrsets+orig_reply->ns_numrrsets; i++) { 717 if(ntohs(orig_reply->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS 718 && query_dname_compare(orig_reply->rrsets[i]->rk.dname, 719 chase_reply->rrsets[found]->rk.dname) == 0) { 720 /* remove from orig_msg */ 721 val_reply_remove_auth(orig_reply, i); 722 break; 723 } 724 } 725 /* remove rrset from chase_reply */ 726 val_reply_remove_auth(chase_reply, found); 727 } 728 729 /** 730 * Given a "positive" response -- a response that contains an answer to the 731 * question, and no CNAME chain, validate this response. 732 * 733 * The answer and authority RRsets must already be verified as secure. 734 * 735 * @param env: module env for verify. 736 * @param ve: validator env for verify. 737 * @param qchase: query that was made. 738 * @param chase_reply: answer to that query to validate. 739 * @param kkey: the key entry, which is trusted, and which matches 740 * the signer of the answer. The key entry isgood(). 741 */ 742 static void 743 validate_positive_response(struct module_env* env, struct val_env* ve, 744 struct query_info* qchase, struct reply_info* chase_reply, 745 struct key_entry_key* kkey) 746 { 747 uint8_t* wc = NULL; 748 int wc_NSEC_ok = 0; 749 int nsec3s_seen = 0; 750 size_t i; 751 struct ub_packed_rrset_key* s; 752 753 /* validate the ANSWER section - this will be the answer itself */ 754 for(i=0; i<chase_reply->an_numrrsets; i++) { 755 s = chase_reply->rrsets[i]; 756 757 /* Check to see if the rrset is the result of a wildcard 758 * expansion. If so, an additional check will need to be 759 * made in the authority section. */ 760 if(!val_rrset_wildcard(s, &wc)) { 761 log_nametypeclass(VERB_QUERY, "Positive response has " 762 "inconsistent wildcard sigs:", s->rk.dname, 763 ntohs(s->rk.type), ntohs(s->rk.rrset_class)); 764 chase_reply->security = sec_status_bogus; 765 return; 766 } 767 } 768 769 /* validate the AUTHORITY section as well - this will generally be 770 * the NS rrset (which could be missing, no problem) */ 771 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+ 772 chase_reply->ns_numrrsets; i++) { 773 s = chase_reply->rrsets[i]; 774 775 /* If this is a positive wildcard response, and we have a 776 * (just verified) NSEC record, try to use it to 1) prove 777 * that qname doesn't exist and 2) that the correct wildcard 778 * was used. */ 779 if(wc != NULL && ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) { 780 if(val_nsec_proves_positive_wildcard(s, qchase, wc)) { 781 wc_NSEC_ok = 1; 782 } 783 /* if not, continue looking for proof */ 784 } 785 786 /* Otherwise, if this is a positive wildcard response and 787 * we have NSEC3 records */ 788 if(wc != NULL && ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) { 789 nsec3s_seen = 1; 790 } 791 } 792 793 /* If this was a positive wildcard response that we haven't already 794 * proven, and we have NSEC3 records, try to prove it using the NSEC3 795 * records. */ 796 if(wc != NULL && !wc_NSEC_ok && nsec3s_seen) { 797 enum sec_status sec = nsec3_prove_wildcard(env, ve, 798 chase_reply->rrsets+chase_reply->an_numrrsets, 799 chase_reply->ns_numrrsets, qchase, kkey, wc); 800 if(sec == sec_status_insecure) { 801 verbose(VERB_ALGO, "Positive wildcard response is " 802 "insecure"); 803 chase_reply->security = sec_status_insecure; 804 return; 805 } else if(sec == sec_status_secure) 806 wc_NSEC_ok = 1; 807 } 808 809 /* If after all this, we still haven't proven the positive wildcard 810 * response, fail. */ 811 if(wc != NULL && !wc_NSEC_ok) { 812 verbose(VERB_QUERY, "positive response was wildcard " 813 "expansion and did not prove original data " 814 "did not exist"); 815 chase_reply->security = sec_status_bogus; 816 return; 817 } 818 819 verbose(VERB_ALGO, "Successfully validated positive response"); 820 chase_reply->security = sec_status_secure; 821 } 822 823 /** 824 * Validate a NOERROR/NODATA signed response -- a response that has a 825 * NOERROR Rcode but no ANSWER section RRsets. This consists of making 826 * certain that the authority section NSEC/NSEC3s proves that the qname 827 * does exist and the qtype doesn't. 828 * 829 * The answer and authority RRsets must already be verified as secure. 830 * 831 * @param env: module env for verify. 832 * @param ve: validator env for verify. 833 * @param qchase: query that was made. 834 * @param chase_reply: answer to that query to validate. 835 * @param kkey: the key entry, which is trusted, and which matches 836 * the signer of the answer. The key entry isgood(). 837 */ 838 static void 839 validate_nodata_response(struct module_env* env, struct val_env* ve, 840 struct query_info* qchase, struct reply_info* chase_reply, 841 struct key_entry_key* kkey) 842 { 843 /* Since we are here, there must be nothing in the ANSWER section to 844 * validate. */ 845 /* (Note: CNAME/DNAME responses will not directly get here -- 846 * instead, they are chased down into individual CNAME validations, 847 * and at the end of the cname chain a POSITIVE, or CNAME_NOANSWER 848 * validation.) */ 849 850 /* validate the AUTHORITY section */ 851 int has_valid_nsec = 0; /* If true, then the NODATA has been proven.*/ 852 uint8_t* ce = NULL; /* for wildcard nodata responses. This is the 853 proven closest encloser. */ 854 uint8_t* wc = NULL; /* for wildcard nodata responses. wildcard nsec */ 855 int nsec3s_seen = 0; /* nsec3s seen */ 856 struct ub_packed_rrset_key* s; 857 size_t i; 858 859 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+ 860 chase_reply->ns_numrrsets; i++) { 861 s = chase_reply->rrsets[i]; 862 /* If we encounter an NSEC record, try to use it to prove 863 * NODATA. 864 * This needs to handle the ENT NODATA case. */ 865 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) { 866 if(nsec_proves_nodata(s, qchase, &wc)) { 867 has_valid_nsec = 1; 868 /* sets wc-encloser if wildcard applicable */ 869 } 870 if(val_nsec_proves_name_error(s, qchase->qname)) { 871 ce = nsec_closest_encloser(qchase->qname, s); 872 } 873 if(val_nsec_proves_insecuredelegation(s, qchase)) { 874 verbose(VERB_ALGO, "delegation is insecure"); 875 chase_reply->security = sec_status_insecure; 876 return; 877 } 878 } else if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) { 879 nsec3s_seen = 1; 880 } 881 } 882 883 /* check to see if we have a wildcard NODATA proof. */ 884 885 /* The wildcard NODATA is 1 NSEC proving that qname does not exist 886 * (and also proving what the closest encloser is), and 1 NSEC 887 * showing the matching wildcard, which must be *.closest_encloser. */ 888 if(wc && !ce) 889 has_valid_nsec = 0; 890 else if(wc && ce) { 891 if(query_dname_compare(wc, ce) != 0) { 892 has_valid_nsec = 0; 893 } 894 } 895 896 if(!has_valid_nsec && nsec3s_seen) { 897 enum sec_status sec = nsec3_prove_nodata(env, ve, 898 chase_reply->rrsets+chase_reply->an_numrrsets, 899 chase_reply->ns_numrrsets, qchase, kkey); 900 if(sec == sec_status_insecure) { 901 verbose(VERB_ALGO, "NODATA response is insecure"); 902 chase_reply->security = sec_status_insecure; 903 return; 904 } else if(sec == sec_status_secure) 905 has_valid_nsec = 1; 906 } 907 908 if(!has_valid_nsec) { 909 verbose(VERB_QUERY, "NODATA response failed to prove NODATA " 910 "status with NSEC/NSEC3"); 911 if(verbosity >= VERB_ALGO) 912 log_dns_msg("Failed NODATA", qchase, chase_reply); 913 chase_reply->security = sec_status_bogus; 914 return; 915 } 916 917 verbose(VERB_ALGO, "successfully validated NODATA response."); 918 chase_reply->security = sec_status_secure; 919 } 920 921 /** 922 * Validate a NAMEERROR signed response -- a response that has a NXDOMAIN 923 * Rcode. 924 * This consists of making certain that the authority section NSEC proves 925 * that the qname doesn't exist and the covering wildcard also doesn't exist.. 926 * 927 * The answer and authority RRsets must have already been verified as secure. 928 * 929 * @param env: module env for verify. 930 * @param ve: validator env for verify. 931 * @param qchase: query that was made. 932 * @param chase_reply: answer to that query to validate. 933 * @param kkey: the key entry, which is trusted, and which matches 934 * the signer of the answer. The key entry isgood(). 935 * @param rcode: adjusted RCODE, in case of RCODE/proof mismatch leniency. 936 */ 937 static void 938 validate_nameerror_response(struct module_env* env, struct val_env* ve, 939 struct query_info* qchase, struct reply_info* chase_reply, 940 struct key_entry_key* kkey, int* rcode) 941 { 942 int has_valid_nsec = 0; 943 int has_valid_wnsec = 0; 944 int nsec3s_seen = 0; 945 struct ub_packed_rrset_key* s; 946 size_t i; 947 948 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+ 949 chase_reply->ns_numrrsets; i++) { 950 s = chase_reply->rrsets[i]; 951 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) { 952 if(val_nsec_proves_name_error(s, qchase->qname)) 953 has_valid_nsec = 1; 954 if(val_nsec_proves_no_wc(s, qchase->qname, 955 qchase->qname_len)) 956 has_valid_wnsec = 1; 957 if(val_nsec_proves_insecuredelegation(s, qchase)) { 958 verbose(VERB_ALGO, "delegation is insecure"); 959 chase_reply->security = sec_status_insecure; 960 return; 961 } 962 } else if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) 963 nsec3s_seen = 1; 964 } 965 966 if((!has_valid_nsec || !has_valid_wnsec) && nsec3s_seen) { 967 /* use NSEC3 proof, both answer and auth rrsets, in case 968 * NSEC3s end up in the answer (due to qtype=NSEC3 or so) */ 969 chase_reply->security = nsec3_prove_nameerror(env, ve, 970 chase_reply->rrsets, chase_reply->an_numrrsets+ 971 chase_reply->ns_numrrsets, qchase, kkey); 972 if(chase_reply->security != sec_status_secure) { 973 verbose(VERB_QUERY, "NameError response failed nsec, " 974 "nsec3 proof was %s", sec_status_to_string( 975 chase_reply->security)); 976 return; 977 } 978 has_valid_nsec = 1; 979 has_valid_wnsec = 1; 980 } 981 982 /* If the message fails to prove either condition, it is bogus. */ 983 if(!has_valid_nsec) { 984 verbose(VERB_QUERY, "NameError response has failed to prove: " 985 "qname does not exist"); 986 chase_reply->security = sec_status_bogus; 987 /* Be lenient with RCODE in NSEC NameError responses */ 988 validate_nodata_response(env, ve, qchase, chase_reply, kkey); 989 if (chase_reply->security == sec_status_secure) 990 *rcode = LDNS_RCODE_NOERROR; 991 return; 992 } 993 994 if(!has_valid_wnsec) { 995 verbose(VERB_QUERY, "NameError response has failed to prove: " 996 "covering wildcard does not exist"); 997 chase_reply->security = sec_status_bogus; 998 /* Be lenient with RCODE in NSEC NameError responses */ 999 validate_nodata_response(env, ve, qchase, chase_reply, kkey); 1000 if (chase_reply->security == sec_status_secure) 1001 *rcode = LDNS_RCODE_NOERROR; 1002 return; 1003 } 1004 1005 /* Otherwise, we consider the message secure. */ 1006 verbose(VERB_ALGO, "successfully validated NAME ERROR response."); 1007 chase_reply->security = sec_status_secure; 1008 } 1009 1010 /** 1011 * Given a referral response, validate rrsets and take least trusted rrset 1012 * as the current validation status. 1013 * 1014 * Note that by the time this method is called, the process of finding the 1015 * trusted DNSKEY rrset that signs this response must already have been 1016 * completed. 1017 * 1018 * @param chase_reply: answer to validate. 1019 */ 1020 static void 1021 validate_referral_response(struct reply_info* chase_reply) 1022 { 1023 size_t i; 1024 enum sec_status s; 1025 /* message security equals lowest rrset security */ 1026 chase_reply->security = sec_status_secure; 1027 for(i=0; i<chase_reply->rrset_count; i++) { 1028 s = ((struct packed_rrset_data*)chase_reply->rrsets[i] 1029 ->entry.data)->security; 1030 if(s < chase_reply->security) 1031 chase_reply->security = s; 1032 } 1033 verbose(VERB_ALGO, "validated part of referral response as %s", 1034 sec_status_to_string(chase_reply->security)); 1035 } 1036 1037 /** 1038 * Given an "ANY" response -- a response that contains an answer to a 1039 * qtype==ANY question, with answers. This does no checking that all 1040 * types are present. 1041 * 1042 * NOTE: it may be possible to get parent-side delegation point records 1043 * here, which won't all be signed. Right now, this routine relies on the 1044 * upstream iterative resolver to not return these responses -- instead 1045 * treating them as referrals. 1046 * 1047 * NOTE: RFC 4035 is silent on this issue, so this may change upon 1048 * clarification. Clarification draft -05 says to not check all types are 1049 * present. 1050 * 1051 * Note that by the time this method is called, the process of finding the 1052 * trusted DNSKEY rrset that signs this response must already have been 1053 * completed. 1054 * 1055 * @param env: module env for verify. 1056 * @param ve: validator env for verify. 1057 * @param qchase: query that was made. 1058 * @param chase_reply: answer to that query to validate. 1059 * @param kkey: the key entry, which is trusted, and which matches 1060 * the signer of the answer. The key entry isgood(). 1061 */ 1062 static void 1063 validate_any_response(struct module_env* env, struct val_env* ve, 1064 struct query_info* qchase, struct reply_info* chase_reply, 1065 struct key_entry_key* kkey) 1066 { 1067 /* all answer and auth rrsets already verified */ 1068 /* but check if a wildcard response is given, then check NSEC/NSEC3 1069 * for qname denial to see if wildcard is applicable */ 1070 uint8_t* wc = NULL; 1071 int wc_NSEC_ok = 0; 1072 int nsec3s_seen = 0; 1073 size_t i; 1074 struct ub_packed_rrset_key* s; 1075 1076 if(qchase->qtype != LDNS_RR_TYPE_ANY) { 1077 log_err("internal error: ANY validation called for non-ANY"); 1078 chase_reply->security = sec_status_bogus; 1079 return; 1080 } 1081 1082 /* validate the ANSWER section - this will be the answer itself */ 1083 for(i=0; i<chase_reply->an_numrrsets; i++) { 1084 s = chase_reply->rrsets[i]; 1085 1086 /* Check to see if the rrset is the result of a wildcard 1087 * expansion. If so, an additional check will need to be 1088 * made in the authority section. */ 1089 if(!val_rrset_wildcard(s, &wc)) { 1090 log_nametypeclass(VERB_QUERY, "Positive ANY response" 1091 " has inconsistent wildcard sigs:", 1092 s->rk.dname, ntohs(s->rk.type), 1093 ntohs(s->rk.rrset_class)); 1094 chase_reply->security = sec_status_bogus; 1095 return; 1096 } 1097 } 1098 1099 /* if it was a wildcard, check for NSEC/NSEC3s in both answer 1100 * and authority sections (NSEC may be moved to the ANSWER section) */ 1101 if(wc != NULL) 1102 for(i=0; i<chase_reply->an_numrrsets+chase_reply->ns_numrrsets; 1103 i++) { 1104 s = chase_reply->rrsets[i]; 1105 1106 /* If this is a positive wildcard response, and we have a 1107 * (just verified) NSEC record, try to use it to 1) prove 1108 * that qname doesn't exist and 2) that the correct wildcard 1109 * was used. */ 1110 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) { 1111 if(val_nsec_proves_positive_wildcard(s, qchase, wc)) { 1112 wc_NSEC_ok = 1; 1113 } 1114 /* if not, continue looking for proof */ 1115 } 1116 1117 /* Otherwise, if this is a positive wildcard response and 1118 * we have NSEC3 records */ 1119 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) { 1120 nsec3s_seen = 1; 1121 } 1122 } 1123 1124 /* If this was a positive wildcard response that we haven't already 1125 * proven, and we have NSEC3 records, try to prove it using the NSEC3 1126 * records. */ 1127 if(wc != NULL && !wc_NSEC_ok && nsec3s_seen) { 1128 /* look both in answer and auth section for NSEC3s */ 1129 enum sec_status sec = nsec3_prove_wildcard(env, ve, 1130 chase_reply->rrsets, 1131 chase_reply->an_numrrsets+chase_reply->ns_numrrsets, 1132 qchase, kkey, wc); 1133 if(sec == sec_status_insecure) { 1134 verbose(VERB_ALGO, "Positive ANY wildcard response is " 1135 "insecure"); 1136 chase_reply->security = sec_status_insecure; 1137 return; 1138 } else if(sec == sec_status_secure) 1139 wc_NSEC_ok = 1; 1140 } 1141 1142 /* If after all this, we still haven't proven the positive wildcard 1143 * response, fail. */ 1144 if(wc != NULL && !wc_NSEC_ok) { 1145 verbose(VERB_QUERY, "positive ANY response was wildcard " 1146 "expansion and did not prove original data " 1147 "did not exist"); 1148 chase_reply->security = sec_status_bogus; 1149 return; 1150 } 1151 1152 verbose(VERB_ALGO, "Successfully validated positive ANY response"); 1153 chase_reply->security = sec_status_secure; 1154 } 1155 1156 /** 1157 * Validate CNAME response, or DNAME+CNAME. 1158 * This is just like a positive proof, except that this is about a 1159 * DNAME+CNAME. Possible wildcard proof. 1160 * Difference with positive proof is that this routine refuses 1161 * wildcarded DNAMEs. 1162 * 1163 * The answer and authority rrsets must already be verified as secure. 1164 * 1165 * @param env: module env for verify. 1166 * @param ve: validator env for verify. 1167 * @param qchase: query that was made. 1168 * @param chase_reply: answer to that query to validate. 1169 * @param kkey: the key entry, which is trusted, and which matches 1170 * the signer of the answer. The key entry isgood(). 1171 */ 1172 static void 1173 validate_cname_response(struct module_env* env, struct val_env* ve, 1174 struct query_info* qchase, struct reply_info* chase_reply, 1175 struct key_entry_key* kkey) 1176 { 1177 uint8_t* wc = NULL; 1178 int wc_NSEC_ok = 0; 1179 int nsec3s_seen = 0; 1180 size_t i; 1181 struct ub_packed_rrset_key* s; 1182 1183 /* validate the ANSWER section - this will be the CNAME (+DNAME) */ 1184 for(i=0; i<chase_reply->an_numrrsets; i++) { 1185 s = chase_reply->rrsets[i]; 1186 1187 /* Check to see if the rrset is the result of a wildcard 1188 * expansion. If so, an additional check will need to be 1189 * made in the authority section. */ 1190 if(!val_rrset_wildcard(s, &wc)) { 1191 log_nametypeclass(VERB_QUERY, "Cname response has " 1192 "inconsistent wildcard sigs:", s->rk.dname, 1193 ntohs(s->rk.type), ntohs(s->rk.rrset_class)); 1194 chase_reply->security = sec_status_bogus; 1195 return; 1196 } 1197 1198 /* Refuse wildcarded DNAMEs rfc 4597. 1199 * Do not follow a wildcarded DNAME because 1200 * its synthesized CNAME expansion is underdefined */ 1201 if(qchase->qtype != LDNS_RR_TYPE_DNAME && 1202 ntohs(s->rk.type) == LDNS_RR_TYPE_DNAME && wc) { 1203 log_nametypeclass(VERB_QUERY, "cannot validate a " 1204 "wildcarded DNAME:", s->rk.dname, 1205 ntohs(s->rk.type), ntohs(s->rk.rrset_class)); 1206 chase_reply->security = sec_status_bogus; 1207 return; 1208 } 1209 1210 /* If we have found a CNAME, stop looking for one. 1211 * The iterator has placed the CNAME chain in correct 1212 * order. */ 1213 if (ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME) { 1214 break; 1215 } 1216 } 1217 1218 /* AUTHORITY section */ 1219 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+ 1220 chase_reply->ns_numrrsets; i++) { 1221 s = chase_reply->rrsets[i]; 1222 1223 /* If this is a positive wildcard response, and we have a 1224 * (just verified) NSEC record, try to use it to 1) prove 1225 * that qname doesn't exist and 2) that the correct wildcard 1226 * was used. */ 1227 if(wc != NULL && ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) { 1228 if(val_nsec_proves_positive_wildcard(s, qchase, wc)) { 1229 wc_NSEC_ok = 1; 1230 } 1231 /* if not, continue looking for proof */ 1232 } 1233 1234 /* Otherwise, if this is a positive wildcard response and 1235 * we have NSEC3 records */ 1236 if(wc != NULL && ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) { 1237 nsec3s_seen = 1; 1238 } 1239 } 1240 1241 /* If this was a positive wildcard response that we haven't already 1242 * proven, and we have NSEC3 records, try to prove it using the NSEC3 1243 * records. */ 1244 if(wc != NULL && !wc_NSEC_ok && nsec3s_seen) { 1245 enum sec_status sec = nsec3_prove_wildcard(env, ve, 1246 chase_reply->rrsets+chase_reply->an_numrrsets, 1247 chase_reply->ns_numrrsets, qchase, kkey, wc); 1248 if(sec == sec_status_insecure) { 1249 verbose(VERB_ALGO, "wildcard CNAME response is " 1250 "insecure"); 1251 chase_reply->security = sec_status_insecure; 1252 return; 1253 } else if(sec == sec_status_secure) 1254 wc_NSEC_ok = 1; 1255 } 1256 1257 /* If after all this, we still haven't proven the positive wildcard 1258 * response, fail. */ 1259 if(wc != NULL && !wc_NSEC_ok) { 1260 verbose(VERB_QUERY, "CNAME response was wildcard " 1261 "expansion and did not prove original data " 1262 "did not exist"); 1263 chase_reply->security = sec_status_bogus; 1264 return; 1265 } 1266 1267 verbose(VERB_ALGO, "Successfully validated CNAME response"); 1268 chase_reply->security = sec_status_secure; 1269 } 1270 1271 /** 1272 * Validate CNAME NOANSWER response, no more data after a CNAME chain. 1273 * This can be a NODATA or a NAME ERROR case, but not both at the same time. 1274 * We don't know because the rcode has been set to NOERROR by the CNAME. 1275 * 1276 * The answer and authority rrsets must already be verified as secure. 1277 * 1278 * @param env: module env for verify. 1279 * @param ve: validator env for verify. 1280 * @param qchase: query that was made. 1281 * @param chase_reply: answer to that query to validate. 1282 * @param kkey: the key entry, which is trusted, and which matches 1283 * the signer of the answer. The key entry isgood(). 1284 */ 1285 static void 1286 validate_cname_noanswer_response(struct module_env* env, struct val_env* ve, 1287 struct query_info* qchase, struct reply_info* chase_reply, 1288 struct key_entry_key* kkey) 1289 { 1290 int nodata_valid_nsec = 0; /* If true, then NODATA has been proven.*/ 1291 uint8_t* ce = NULL; /* for wildcard nodata responses. This is the 1292 proven closest encloser. */ 1293 uint8_t* wc = NULL; /* for wildcard nodata responses. wildcard nsec */ 1294 int nxdomain_valid_nsec = 0; /* if true, nameerror has been proven */ 1295 int nxdomain_valid_wnsec = 0; 1296 int nsec3s_seen = 0; /* nsec3s seen */ 1297 struct ub_packed_rrset_key* s; 1298 size_t i; 1299 1300 /* the AUTHORITY section */ 1301 for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+ 1302 chase_reply->ns_numrrsets; i++) { 1303 s = chase_reply->rrsets[i]; 1304 1305 /* If we encounter an NSEC record, try to use it to prove 1306 * NODATA. This needs to handle the ENT NODATA case. 1307 * Also try to prove NAMEERROR, and absence of a wildcard */ 1308 if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) { 1309 if(nsec_proves_nodata(s, qchase, &wc)) { 1310 nodata_valid_nsec = 1; 1311 /* set wc encloser if wildcard applicable */ 1312 } 1313 if(val_nsec_proves_name_error(s, qchase->qname)) { 1314 ce = nsec_closest_encloser(qchase->qname, s); 1315 nxdomain_valid_nsec = 1; 1316 } 1317 if(val_nsec_proves_no_wc(s, qchase->qname, 1318 qchase->qname_len)) 1319 nxdomain_valid_wnsec = 1; 1320 if(val_nsec_proves_insecuredelegation(s, qchase)) { 1321 verbose(VERB_ALGO, "delegation is insecure"); 1322 chase_reply->security = sec_status_insecure; 1323 return; 1324 } 1325 } else if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) { 1326 nsec3s_seen = 1; 1327 } 1328 } 1329 1330 /* check to see if we have a wildcard NODATA proof. */ 1331 1332 /* The wildcard NODATA is 1 NSEC proving that qname does not exists 1333 * (and also proving what the closest encloser is), and 1 NSEC 1334 * showing the matching wildcard, which must be *.closest_encloser. */ 1335 if(wc && !ce) 1336 nodata_valid_nsec = 0; 1337 else if(wc && ce) { 1338 if(query_dname_compare(wc, ce) != 0) { 1339 nodata_valid_nsec = 0; 1340 } 1341 } 1342 if(nxdomain_valid_nsec && !nxdomain_valid_wnsec) { 1343 /* name error is missing wildcard denial proof */ 1344 nxdomain_valid_nsec = 0; 1345 } 1346 1347 if(nodata_valid_nsec && nxdomain_valid_nsec) { 1348 verbose(VERB_QUERY, "CNAMEchain to noanswer proves that name " 1349 "exists and not exists, bogus"); 1350 chase_reply->security = sec_status_bogus; 1351 return; 1352 } 1353 if(!nodata_valid_nsec && !nxdomain_valid_nsec && nsec3s_seen) { 1354 int nodata; 1355 enum sec_status sec = nsec3_prove_nxornodata(env, ve, 1356 chase_reply->rrsets+chase_reply->an_numrrsets, 1357 chase_reply->ns_numrrsets, qchase, kkey, &nodata); 1358 if(sec == sec_status_insecure) { 1359 verbose(VERB_ALGO, "CNAMEchain to noanswer response " 1360 "is insecure"); 1361 chase_reply->security = sec_status_insecure; 1362 return; 1363 } else if(sec == sec_status_secure) { 1364 if(nodata) 1365 nodata_valid_nsec = 1; 1366 else nxdomain_valid_nsec = 1; 1367 } 1368 } 1369 1370 if(!nodata_valid_nsec && !nxdomain_valid_nsec) { 1371 verbose(VERB_QUERY, "CNAMEchain to noanswer response failed " 1372 "to prove status with NSEC/NSEC3"); 1373 if(verbosity >= VERB_ALGO) 1374 log_dns_msg("Failed CNAMEnoanswer", qchase, chase_reply); 1375 chase_reply->security = sec_status_bogus; 1376 return; 1377 } 1378 1379 if(nodata_valid_nsec) 1380 verbose(VERB_ALGO, "successfully validated CNAME chain to a " 1381 "NODATA response."); 1382 else verbose(VERB_ALGO, "successfully validated CNAME chain to a " 1383 "NAMEERROR response."); 1384 chase_reply->security = sec_status_secure; 1385 } 1386 1387 /** 1388 * Process init state for validator. 1389 * Process the INIT state. First tier responses start in the INIT state. 1390 * This is where they are vetted for validation suitability, and the initial 1391 * key search is done. 1392 * 1393 * Currently, events the come through this routine will be either promoted 1394 * to FINISHED/CNAME_RESP (no validation needed), FINDKEY (next step to 1395 * validation), or will be (temporarily) retired and a new priming request 1396 * event will be generated. 1397 * 1398 * @param qstate: query state. 1399 * @param vq: validator query state. 1400 * @param ve: validator shared global environment. 1401 * @param id: module id. 1402 * @return true if the event should be processed further on return, false if 1403 * not. 1404 */ 1405 static int 1406 processInit(struct module_qstate* qstate, struct val_qstate* vq, 1407 struct val_env* ve, int id) 1408 { 1409 uint8_t* lookup_name; 1410 size_t lookup_len; 1411 struct trust_anchor* anchor; 1412 enum val_classification subtype = val_classify_response( 1413 qstate->query_flags, &qstate->qinfo, &vq->qchase, 1414 vq->orig_msg->rep, vq->rrset_skip); 1415 if(vq->restart_count > VAL_MAX_RESTART_COUNT) { 1416 verbose(VERB_ALGO, "restart count exceeded"); 1417 return val_error(qstate, id); 1418 } 1419 verbose(VERB_ALGO, "validator classification %s", 1420 val_classification_to_string(subtype)); 1421 if(subtype == VAL_CLASS_REFERRAL && 1422 vq->rrset_skip < vq->orig_msg->rep->rrset_count) { 1423 /* referral uses the rrset name as qchase, to find keys for 1424 * that rrset */ 1425 vq->qchase.qname = vq->orig_msg->rep-> 1426 rrsets[vq->rrset_skip]->rk.dname; 1427 vq->qchase.qname_len = vq->orig_msg->rep-> 1428 rrsets[vq->rrset_skip]->rk.dname_len; 1429 vq->qchase.qtype = ntohs(vq->orig_msg->rep-> 1430 rrsets[vq->rrset_skip]->rk.type); 1431 vq->qchase.qclass = ntohs(vq->orig_msg->rep-> 1432 rrsets[vq->rrset_skip]->rk.rrset_class); 1433 } 1434 lookup_name = vq->qchase.qname; 1435 lookup_len = vq->qchase.qname_len; 1436 /* for type DS look at the parent side for keys/trustanchor */ 1437 /* also for NSEC not at apex */ 1438 if(vq->qchase.qtype == LDNS_RR_TYPE_DS || 1439 (vq->qchase.qtype == LDNS_RR_TYPE_NSEC && 1440 vq->orig_msg->rep->rrset_count > vq->rrset_skip && 1441 ntohs(vq->orig_msg->rep->rrsets[vq->rrset_skip]->rk.type) == 1442 LDNS_RR_TYPE_NSEC && 1443 !(vq->orig_msg->rep->rrsets[vq->rrset_skip]-> 1444 rk.flags&PACKED_RRSET_NSEC_AT_APEX))) { 1445 dname_remove_label(&lookup_name, &lookup_len); 1446 } 1447 1448 val_mark_indeterminate(vq->chase_reply, qstate->env->anchors, 1449 qstate->env->rrset_cache, qstate->env); 1450 vq->key_entry = NULL; 1451 vq->empty_DS_name = NULL; 1452 vq->ds_rrset = 0; 1453 anchor = anchors_lookup(qstate->env->anchors, 1454 lookup_name, lookup_len, vq->qchase.qclass); 1455 1456 /* Determine the signer/lookup name */ 1457 val_find_signer(subtype, &vq->qchase, vq->orig_msg->rep, 1458 vq->rrset_skip, &vq->signer_name, &vq->signer_len); 1459 if(vq->signer_name != NULL && 1460 !dname_subdomain_c(lookup_name, vq->signer_name)) { 1461 log_nametypeclass(VERB_ALGO, "this signer name is not a parent " 1462 "of lookupname, omitted", vq->signer_name, 0, 0); 1463 vq->signer_name = NULL; 1464 } 1465 if(vq->signer_name == NULL) { 1466 log_nametypeclass(VERB_ALGO, "no signer, using", lookup_name, 1467 0, 0); 1468 } else { 1469 lookup_name = vq->signer_name; 1470 lookup_len = vq->signer_len; 1471 log_nametypeclass(VERB_ALGO, "signer is", lookup_name, 0, 0); 1472 } 1473 1474 /* for NXDOMAIN it could be signed by a parent of the trust anchor */ 1475 if(subtype == VAL_CLASS_NAMEERROR && vq->signer_name && 1476 anchor && dname_strict_subdomain_c(anchor->name, lookup_name)){ 1477 lock_basic_unlock(&anchor->lock); 1478 anchor = anchors_lookup(qstate->env->anchors, 1479 lookup_name, lookup_len, vq->qchase.qclass); 1480 if(!anchor) { /* unsigned parent denies anchor*/ 1481 verbose(VERB_QUERY, "unsigned parent zone denies" 1482 " trust anchor, indeterminate"); 1483 vq->chase_reply->security = sec_status_indeterminate; 1484 vq->state = VAL_FINISHED_STATE; 1485 return 1; 1486 } 1487 verbose(VERB_ALGO, "trust anchor NXDOMAIN by signed parent"); 1488 } else if(subtype == VAL_CLASS_POSITIVE && 1489 qstate->qinfo.qtype == LDNS_RR_TYPE_DNSKEY && 1490 query_dname_compare(lookup_name, qstate->qinfo.qname) == 0) { 1491 /* is a DNSKEY so lookup a bit higher since we want to 1492 * get it from a parent or from trustanchor */ 1493 dname_remove_label(&lookup_name, &lookup_len); 1494 } 1495 1496 if(vq->rrset_skip > 0 || subtype == VAL_CLASS_CNAME || 1497 subtype == VAL_CLASS_REFERRAL) { 1498 /* extract this part of orig_msg into chase_reply for 1499 * the eventual VALIDATE stage */ 1500 val_fill_reply(vq->chase_reply, vq->orig_msg->rep, 1501 vq->rrset_skip, lookup_name, lookup_len, 1502 vq->signer_name); 1503 if(verbosity >= VERB_ALGO) 1504 log_dns_msg("chased extract", &vq->qchase, 1505 vq->chase_reply); 1506 } 1507 1508 vq->key_entry = key_cache_obtain(ve->kcache, lookup_name, lookup_len, 1509 vq->qchase.qclass, qstate->region, *qstate->env->now); 1510 1511 /* there is no key(from DLV) and no trust anchor */ 1512 if(vq->key_entry == NULL && anchor == NULL) { 1513 /*response isn't under a trust anchor, so we cannot validate.*/ 1514 vq->chase_reply->security = sec_status_indeterminate; 1515 /* go to finished state to cache this result */ 1516 vq->state = VAL_FINISHED_STATE; 1517 return 1; 1518 } 1519 /* if not key, or if keyentry is *above* the trustanchor, i.e. 1520 * the keyentry is based on another (higher) trustanchor */ 1521 else if(vq->key_entry == NULL || (anchor && 1522 dname_strict_subdomain_c(anchor->name, vq->key_entry->name))) { 1523 /* trust anchor is an 'unsigned' trust anchor */ 1524 if(anchor && anchor->numDS == 0 && anchor->numDNSKEY == 0) { 1525 vq->chase_reply->security = sec_status_insecure; 1526 val_mark_insecure(vq->chase_reply, anchor->name, 1527 qstate->env->rrset_cache, qstate->env); 1528 lock_basic_unlock(&anchor->lock); 1529 vq->dlv_checked=1; /* skip DLV check */ 1530 /* go to finished state to cache this result */ 1531 vq->state = VAL_FINISHED_STATE; 1532 return 1; 1533 } 1534 /* fire off a trust anchor priming query. */ 1535 verbose(VERB_DETAIL, "prime trust anchor"); 1536 if(!prime_trust_anchor(qstate, vq, id, anchor)) { 1537 lock_basic_unlock(&anchor->lock); 1538 return val_error(qstate, id); 1539 } 1540 lock_basic_unlock(&anchor->lock); 1541 /* and otherwise, don't continue processing this event. 1542 * (it will be reactivated when the priming query returns). */ 1543 vq->state = VAL_FINDKEY_STATE; 1544 return 0; 1545 } 1546 if(anchor) { 1547 lock_basic_unlock(&anchor->lock); 1548 } 1549 1550 if(key_entry_isnull(vq->key_entry)) { 1551 /* response is under a null key, so we cannot validate 1552 * However, we do set the status to INSECURE, since it is 1553 * essentially proven insecure. */ 1554 vq->chase_reply->security = sec_status_insecure; 1555 val_mark_insecure(vq->chase_reply, vq->key_entry->name, 1556 qstate->env->rrset_cache, qstate->env); 1557 /* go to finished state to cache this result */ 1558 vq->state = VAL_FINISHED_STATE; 1559 return 1; 1560 } else if(key_entry_isbad(vq->key_entry)) { 1561 /* key is bad, chain is bad, reply is bogus */ 1562 errinf_dname(qstate, "key for validation", vq->key_entry->name); 1563 errinf(qstate, "is marked as invalid"); 1564 if(key_entry_get_reason(vq->key_entry)) { 1565 errinf(qstate, "because of a previous"); 1566 errinf(qstate, key_entry_get_reason(vq->key_entry)); 1567 } 1568 /* no retries, stop bothering the authority until timeout */ 1569 vq->restart_count = VAL_MAX_RESTART_COUNT; 1570 vq->chase_reply->security = sec_status_bogus; 1571 vq->state = VAL_FINISHED_STATE; 1572 return 1; 1573 } 1574 1575 /* otherwise, we have our "closest" cached key -- continue 1576 * processing in the next state. */ 1577 vq->state = VAL_FINDKEY_STATE; 1578 return 1; 1579 } 1580 1581 /** 1582 * Process the FINDKEY state. Generally this just calculates the next name 1583 * to query and either issues a DS or a DNSKEY query. It will check to see 1584 * if the correct key has already been reached, in which case it will 1585 * advance the event to the next state. 1586 * 1587 * @param qstate: query state. 1588 * @param vq: validator query state. 1589 * @param id: module id. 1590 * @return true if the event should be processed further on return, false if 1591 * not. 1592 */ 1593 static int 1594 processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id) 1595 { 1596 uint8_t* target_key_name, *current_key_name; 1597 size_t target_key_len; 1598 int strip_lab; 1599 struct module_qstate* newq = NULL; 1600 1601 log_query_info(VERB_ALGO, "validator: FindKey", &vq->qchase); 1602 /* We know that state.key_entry is not 0 or bad key -- if it were, 1603 * then previous processing should have directed this event to 1604 * a different state. 1605 * It could be an isnull key, which signals that a DLV was just 1606 * done and the DNSKEY after the DLV failed with dnssec-retry state 1607 * and the DNSKEY has to be performed again. */ 1608 log_assert(vq->key_entry && !key_entry_isbad(vq->key_entry)); 1609 if(key_entry_isnull(vq->key_entry)) { 1610 if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 1611 vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY, 1612 vq->qchase.qclass, BIT_CD, &newq, 0)) { 1613 log_err("mem error generating DNSKEY request"); 1614 return val_error(qstate, id); 1615 } 1616 return 0; 1617 } 1618 1619 target_key_name = vq->signer_name; 1620 target_key_len = vq->signer_len; 1621 if(!target_key_name) { 1622 target_key_name = vq->qchase.qname; 1623 target_key_len = vq->qchase.qname_len; 1624 } 1625 1626 current_key_name = vq->key_entry->name; 1627 1628 /* If our current key entry matches our target, then we are done. */ 1629 if(query_dname_compare(target_key_name, current_key_name) == 0) { 1630 vq->state = VAL_VALIDATE_STATE; 1631 return 1; 1632 } 1633 1634 if(vq->empty_DS_name) { 1635 /* if the last empty nonterminal/emptyDS name we detected is 1636 * below the current key, use that name to make progress 1637 * along the chain of trust */ 1638 if(query_dname_compare(target_key_name, 1639 vq->empty_DS_name) == 0) { 1640 /* do not query for empty_DS_name again */ 1641 verbose(VERB_ALGO, "Cannot retrieve DS for signature"); 1642 errinf(qstate, "no signatures"); 1643 errinf_origin(qstate, qstate->reply_origin); 1644 vq->chase_reply->security = sec_status_bogus; 1645 vq->state = VAL_FINISHED_STATE; 1646 return 1; 1647 } 1648 current_key_name = vq->empty_DS_name; 1649 } 1650 1651 log_nametypeclass(VERB_ALGO, "current keyname", current_key_name, 1652 LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN); 1653 log_nametypeclass(VERB_ALGO, "target keyname", target_key_name, 1654 LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN); 1655 /* assert we are walking down the DNS tree */ 1656 if(!dname_subdomain_c(target_key_name, current_key_name)) { 1657 verbose(VERB_ALGO, "bad signer name"); 1658 vq->chase_reply->security = sec_status_bogus; 1659 vq->state = VAL_FINISHED_STATE; 1660 return 1; 1661 } 1662 /* so this value is >= -1 */ 1663 strip_lab = dname_count_labels(target_key_name) - 1664 dname_count_labels(current_key_name) - 1; 1665 log_assert(strip_lab >= -1); 1666 verbose(VERB_ALGO, "striplab %d", strip_lab); 1667 if(strip_lab > 0) { 1668 dname_remove_labels(&target_key_name, &target_key_len, 1669 strip_lab); 1670 } 1671 log_nametypeclass(VERB_ALGO, "next keyname", target_key_name, 1672 LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN); 1673 1674 /* The next step is either to query for the next DS, or to query 1675 * for the next DNSKEY. */ 1676 if(vq->ds_rrset) 1677 log_nametypeclass(VERB_ALGO, "DS RRset", vq->ds_rrset->rk.dname, LDNS_RR_TYPE_DS, LDNS_RR_CLASS_IN); 1678 else verbose(VERB_ALGO, "No DS RRset"); 1679 1680 if(vq->ds_rrset && query_dname_compare(vq->ds_rrset->rk.dname, 1681 vq->key_entry->name) != 0) { 1682 if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 1683 vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY, 1684 vq->qchase.qclass, BIT_CD, &newq, 0)) { 1685 log_err("mem error generating DNSKEY request"); 1686 return val_error(qstate, id); 1687 } 1688 return 0; 1689 } 1690 1691 if(!vq->ds_rrset || query_dname_compare(vq->ds_rrset->rk.dname, 1692 target_key_name) != 0) { 1693 /* check if there is a cache entry : pick up an NSEC if 1694 * there is no DS, check if that NSEC has DS-bit unset, and 1695 * thus can disprove the secure delegation we seek. 1696 * We can then use that NSEC even in the absence of a SOA 1697 * record that would be required by the iterator to supply 1698 * a completely protocol-correct response. 1699 * Uses negative cache for NSEC3 lookup of DS responses. */ 1700 /* only if cache not blacklisted, of course */ 1701 struct dns_msg* msg; 1702 if(!qstate->blacklist && !vq->chain_blacklist && 1703 (msg=val_find_DS(qstate->env, target_key_name, 1704 target_key_len, vq->qchase.qclass, qstate->region, 1705 vq->key_entry->name)) ) { 1706 verbose(VERB_ALGO, "Process cached DS response"); 1707 process_ds_response(qstate, vq, id, LDNS_RCODE_NOERROR, 1708 msg, &msg->qinfo, NULL); 1709 return 1; /* continue processing ds-response results */ 1710 } 1711 if(!generate_request(qstate, id, target_key_name, 1712 target_key_len, LDNS_RR_TYPE_DS, vq->qchase.qclass, 1713 BIT_CD, &newq, 0)) { 1714 log_err("mem error generating DS request"); 1715 return val_error(qstate, id); 1716 } 1717 return 0; 1718 } 1719 1720 /* Otherwise, it is time to query for the DNSKEY */ 1721 if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 1722 vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY, 1723 vq->qchase.qclass, BIT_CD, &newq, 0)) { 1724 log_err("mem error generating DNSKEY request"); 1725 return val_error(qstate, id); 1726 } 1727 1728 return 0; 1729 } 1730 1731 /** 1732 * Process the VALIDATE stage, the init and findkey stages are finished, 1733 * and the right keys are available to validate the response. 1734 * Or, there are no keys available, in order to invalidate the response. 1735 * 1736 * After validation, the status is recorded in the message and rrsets, 1737 * and finished state is started. 1738 * 1739 * @param qstate: query state. 1740 * @param vq: validator query state. 1741 * @param ve: validator shared global environment. 1742 * @param id: module id. 1743 * @return true if the event should be processed further on return, false if 1744 * not. 1745 */ 1746 static int 1747 processValidate(struct module_qstate* qstate, struct val_qstate* vq, 1748 struct val_env* ve, int id) 1749 { 1750 enum val_classification subtype; 1751 int rcode; 1752 1753 if(!vq->key_entry) { 1754 verbose(VERB_ALGO, "validate: no key entry, failed"); 1755 return val_error(qstate, id); 1756 } 1757 1758 /* This is the default next state. */ 1759 vq->state = VAL_FINISHED_STATE; 1760 1761 /* Unsigned responses must be underneath a "null" key entry.*/ 1762 if(key_entry_isnull(vq->key_entry)) { 1763 verbose(VERB_DETAIL, "Verified that %sresponse is INSECURE", 1764 vq->signer_name?"":"unsigned "); 1765 vq->chase_reply->security = sec_status_insecure; 1766 val_mark_insecure(vq->chase_reply, vq->key_entry->name, 1767 qstate->env->rrset_cache, qstate->env); 1768 key_cache_insert(ve->kcache, vq->key_entry, qstate); 1769 return 1; 1770 } 1771 1772 if(key_entry_isbad(vq->key_entry)) { 1773 log_nametypeclass(VERB_DETAIL, "Could not establish a chain " 1774 "of trust to keys for", vq->key_entry->name, 1775 LDNS_RR_TYPE_DNSKEY, vq->key_entry->key_class); 1776 vq->chase_reply->security = sec_status_bogus; 1777 errinf(qstate, "while building chain of trust"); 1778 if(vq->restart_count >= VAL_MAX_RESTART_COUNT) 1779 key_cache_insert(ve->kcache, vq->key_entry, qstate); 1780 return 1; 1781 } 1782 1783 /* signerName being null is the indicator that this response was 1784 * unsigned */ 1785 if(vq->signer_name == NULL) { 1786 log_query_info(VERB_ALGO, "processValidate: state has no " 1787 "signer name", &vq->qchase); 1788 verbose(VERB_DETAIL, "Could not establish validation of " 1789 "INSECURE status of unsigned response."); 1790 errinf(qstate, "no signatures"); 1791 errinf_origin(qstate, qstate->reply_origin); 1792 vq->chase_reply->security = sec_status_bogus; 1793 return 1; 1794 } 1795 subtype = val_classify_response(qstate->query_flags, &qstate->qinfo, 1796 &vq->qchase, vq->orig_msg->rep, vq->rrset_skip); 1797 if(subtype != VAL_CLASS_REFERRAL) 1798 remove_spurious_authority(vq->chase_reply, vq->orig_msg->rep); 1799 1800 /* check signatures in the message; 1801 * answer and authority must be valid, additional is only checked. */ 1802 if(!validate_msg_signatures(qstate, qstate->env, ve, &vq->qchase, 1803 vq->chase_reply, vq->key_entry)) { 1804 /* workaround bad recursor out there that truncates (even 1805 * with EDNS4k) to 512 by removing RRSIG from auth section 1806 * for positive replies*/ 1807 if((subtype == VAL_CLASS_POSITIVE || subtype == VAL_CLASS_ANY 1808 || subtype == VAL_CLASS_CNAME) && 1809 detect_wrongly_truncated(vq->orig_msg->rep)) { 1810 /* truncate the message some more */ 1811 vq->orig_msg->rep->ns_numrrsets = 0; 1812 vq->orig_msg->rep->ar_numrrsets = 0; 1813 vq->orig_msg->rep->rrset_count = 1814 vq->orig_msg->rep->an_numrrsets; 1815 vq->chase_reply->ns_numrrsets = 0; 1816 vq->chase_reply->ar_numrrsets = 0; 1817 vq->chase_reply->rrset_count = 1818 vq->chase_reply->an_numrrsets; 1819 qstate->errinf = NULL; 1820 } 1821 else { 1822 verbose(VERB_DETAIL, "Validate: message contains " 1823 "bad rrsets"); 1824 return 1; 1825 } 1826 } 1827 1828 switch(subtype) { 1829 case VAL_CLASS_POSITIVE: 1830 verbose(VERB_ALGO, "Validating a positive response"); 1831 validate_positive_response(qstate->env, ve, 1832 &vq->qchase, vq->chase_reply, vq->key_entry); 1833 verbose(VERB_DETAIL, "validate(positive): %s", 1834 sec_status_to_string( 1835 vq->chase_reply->security)); 1836 break; 1837 1838 case VAL_CLASS_NODATA: 1839 verbose(VERB_ALGO, "Validating a nodata response"); 1840 validate_nodata_response(qstate->env, ve, 1841 &vq->qchase, vq->chase_reply, vq->key_entry); 1842 verbose(VERB_DETAIL, "validate(nodata): %s", 1843 sec_status_to_string( 1844 vq->chase_reply->security)); 1845 break; 1846 1847 case VAL_CLASS_NAMEERROR: 1848 rcode = (int)FLAGS_GET_RCODE(vq->orig_msg->rep->flags); 1849 verbose(VERB_ALGO, "Validating a nxdomain response"); 1850 validate_nameerror_response(qstate->env, ve, 1851 &vq->qchase, vq->chase_reply, vq->key_entry, &rcode); 1852 verbose(VERB_DETAIL, "validate(nxdomain): %s", 1853 sec_status_to_string( 1854 vq->chase_reply->security)); 1855 FLAGS_SET_RCODE(vq->orig_msg->rep->flags, rcode); 1856 FLAGS_SET_RCODE(vq->chase_reply->flags, rcode); 1857 break; 1858 1859 case VAL_CLASS_CNAME: 1860 verbose(VERB_ALGO, "Validating a cname response"); 1861 validate_cname_response(qstate->env, ve, 1862 &vq->qchase, vq->chase_reply, vq->key_entry); 1863 verbose(VERB_DETAIL, "validate(cname): %s", 1864 sec_status_to_string( 1865 vq->chase_reply->security)); 1866 break; 1867 1868 case VAL_CLASS_CNAMENOANSWER: 1869 verbose(VERB_ALGO, "Validating a cname noanswer " 1870 "response"); 1871 validate_cname_noanswer_response(qstate->env, ve, 1872 &vq->qchase, vq->chase_reply, vq->key_entry); 1873 verbose(VERB_DETAIL, "validate(cname_noanswer): %s", 1874 sec_status_to_string( 1875 vq->chase_reply->security)); 1876 break; 1877 1878 case VAL_CLASS_REFERRAL: 1879 verbose(VERB_ALGO, "Validating a referral response"); 1880 validate_referral_response(vq->chase_reply); 1881 verbose(VERB_DETAIL, "validate(referral): %s", 1882 sec_status_to_string( 1883 vq->chase_reply->security)); 1884 break; 1885 1886 case VAL_CLASS_ANY: 1887 verbose(VERB_ALGO, "Validating a positive ANY " 1888 "response"); 1889 validate_any_response(qstate->env, ve, &vq->qchase, 1890 vq->chase_reply, vq->key_entry); 1891 verbose(VERB_DETAIL, "validate(positive_any): %s", 1892 sec_status_to_string( 1893 vq->chase_reply->security)); 1894 break; 1895 1896 default: 1897 log_err("validate: unhandled response subtype: %d", 1898 subtype); 1899 } 1900 if(vq->chase_reply->security == sec_status_bogus) { 1901 if(subtype == VAL_CLASS_POSITIVE) 1902 errinf(qstate, "wildcard"); 1903 else errinf(qstate, val_classification_to_string(subtype)); 1904 errinf(qstate, "proof failed"); 1905 errinf_origin(qstate, qstate->reply_origin); 1906 } 1907 1908 return 1; 1909 } 1910 1911 /** 1912 * Init DLV check. 1913 * DLV is going to be decommissioned, but the code is still here for some time. 1914 * 1915 * Called when a query is determined by other trust anchors to be insecure 1916 * (or indeterminate). Then we look if there is a key in the DLV. 1917 * Performs aggressive negative cache check to see if there is no key. 1918 * Otherwise, spawns a DLV query, and changes to the DLV wait state. 1919 * 1920 * @param qstate: query state. 1921 * @param vq: validator query state. 1922 * @param ve: validator shared global environment. 1923 * @param id: module id. 1924 * @return true if there is no DLV. 1925 * false: processing is finished for the validator operate(). 1926 * This function may exit in three ways: 1927 * o no DLV (aggressive cache), so insecure. (true) 1928 * o error - stop processing (false) 1929 * o DLV lookup was started, stop processing (false) 1930 */ 1931 static int 1932 val_dlv_init(struct module_qstate* qstate, struct val_qstate* vq, 1933 struct val_env* ve, int id) 1934 { 1935 uint8_t* nm; 1936 size_t nm_len; 1937 struct module_qstate* newq = NULL; 1938 /* there must be a DLV configured */ 1939 log_assert(qstate->env->anchors->dlv_anchor); 1940 /* this bool is true to avoid looping in the DLV checks */ 1941 log_assert(vq->dlv_checked); 1942 1943 /* init the DLV lookup variables */ 1944 vq->dlv_lookup_name = NULL; 1945 vq->dlv_lookup_name_len = 0; 1946 vq->dlv_insecure_at = NULL; 1947 vq->dlv_insecure_at_len = 0; 1948 1949 /* Determine the name for which we want to lookup DLV. 1950 * This name is for the current message, or 1951 * for the current RRset for CNAME, referral subtypes. 1952 * If there is a signer, use that, otherwise the domain name */ 1953 if(vq->signer_name) { 1954 nm = vq->signer_name; 1955 nm_len = vq->signer_len; 1956 } else { 1957 /* use qchase */ 1958 nm = vq->qchase.qname; 1959 nm_len = vq->qchase.qname_len; 1960 if(vq->qchase.qtype == LDNS_RR_TYPE_DS) 1961 dname_remove_label(&nm, &nm_len); 1962 } 1963 log_nametypeclass(VERB_ALGO, "DLV init look", nm, LDNS_RR_TYPE_DS, 1964 vq->qchase.qclass); 1965 log_assert(nm && nm_len); 1966 /* sanity check: no DLV lookups below the DLV anchor itself. 1967 * Like, an securely insecure delegation there makes no sense. */ 1968 if(dname_subdomain_c(nm, qstate->env->anchors->dlv_anchor->name)) { 1969 verbose(VERB_ALGO, "DLV lookup within DLV repository denied"); 1970 return 1; 1971 } 1972 /* concat name (minus root label) + dlv name */ 1973 vq->dlv_lookup_name_len = nm_len - 1 + 1974 qstate->env->anchors->dlv_anchor->namelen; 1975 vq->dlv_lookup_name = regional_alloc(qstate->region, 1976 vq->dlv_lookup_name_len); 1977 if(!vq->dlv_lookup_name) { 1978 log_err("Out of memory preparing DLV lookup"); 1979 return val_error(qstate, id); 1980 } 1981 memmove(vq->dlv_lookup_name, nm, nm_len-1); 1982 memmove(vq->dlv_lookup_name+nm_len-1, 1983 qstate->env->anchors->dlv_anchor->name, 1984 qstate->env->anchors->dlv_anchor->namelen); 1985 log_nametypeclass(VERB_ALGO, "DLV name", vq->dlv_lookup_name, 1986 LDNS_RR_TYPE_DLV, vq->qchase.qclass); 1987 1988 /* determine where the insecure point was determined, the DLV must 1989 * be equal or below that to continue building the trust chain 1990 * down. May be NULL if no trust chain was built yet */ 1991 nm = NULL; 1992 if(vq->key_entry && key_entry_isnull(vq->key_entry)) { 1993 nm = vq->key_entry->name; 1994 nm_len = vq->key_entry->namelen; 1995 } 1996 if(nm) { 1997 vq->dlv_insecure_at_len = nm_len - 1 + 1998 qstate->env->anchors->dlv_anchor->namelen; 1999 vq->dlv_insecure_at = regional_alloc(qstate->region, 2000 vq->dlv_insecure_at_len); 2001 if(!vq->dlv_insecure_at) { 2002 log_err("Out of memory preparing DLV lookup"); 2003 return val_error(qstate, id); 2004 } 2005 memmove(vq->dlv_insecure_at, nm, nm_len-1); 2006 memmove(vq->dlv_insecure_at+nm_len-1, 2007 qstate->env->anchors->dlv_anchor->name, 2008 qstate->env->anchors->dlv_anchor->namelen); 2009 log_nametypeclass(VERB_ALGO, "insecure_at", 2010 vq->dlv_insecure_at, 0, vq->qchase.qclass); 2011 } 2012 2013 /* If we can find the name in the aggressive negative cache, 2014 * give up; insecure is the answer */ 2015 while(val_neg_dlvlookup(ve->neg_cache, vq->dlv_lookup_name, 2016 vq->dlv_lookup_name_len, vq->qchase.qclass, 2017 qstate->env->rrset_cache, *qstate->env->now)) { 2018 /* go up */ 2019 dname_remove_label(&vq->dlv_lookup_name, 2020 &vq->dlv_lookup_name_len); 2021 /* too high? */ 2022 if(!dname_subdomain_c(vq->dlv_lookup_name, 2023 qstate->env->anchors->dlv_anchor->name)) { 2024 verbose(VERB_ALGO, "ask above dlv repo"); 2025 return 1; /* Above the repo is insecure */ 2026 } 2027 /* above chain of trust? */ 2028 if(vq->dlv_insecure_at && !dname_subdomain_c( 2029 vq->dlv_lookup_name, vq->dlv_insecure_at)) { 2030 verbose(VERB_ALGO, "ask above insecure endpoint"); 2031 return 1; 2032 } 2033 } 2034 2035 /* perform a lookup for the DLV; with validation */ 2036 vq->state = VAL_DLVLOOKUP_STATE; 2037 if(!generate_request(qstate, id, vq->dlv_lookup_name, 2038 vq->dlv_lookup_name_len, LDNS_RR_TYPE_DLV, 2039 vq->qchase.qclass, 0, &newq, 0)) { 2040 return val_error(qstate, id); 2041 } 2042 2043 /* Find the closest encloser DLV from the repository. 2044 * then that is used to build another chain of trust 2045 * This may first require a query 'too low' that has NSECs in 2046 * the answer, from which we determine the closest encloser DLV. 2047 * When determine the closest encloser, skip empty nonterminals, 2048 * since we want a nonempty node in the DLV repository. */ 2049 2050 return 0; 2051 } 2052 2053 /** 2054 * The Finished state. The validation status (good or bad) has been determined. 2055 * 2056 * @param qstate: query state. 2057 * @param vq: validator query state. 2058 * @param ve: validator shared global environment. 2059 * @param id: module id. 2060 * @return true if the event should be processed further on return, false if 2061 * not. 2062 */ 2063 static int 2064 processFinished(struct module_qstate* qstate, struct val_qstate* vq, 2065 struct val_env* ve, int id) 2066 { 2067 enum val_classification subtype = val_classify_response( 2068 qstate->query_flags, &qstate->qinfo, &vq->qchase, 2069 vq->orig_msg->rep, vq->rrset_skip); 2070 2071 /* if the result is insecure or indeterminate and we have not 2072 * checked the DLV yet, check the DLV */ 2073 if((vq->chase_reply->security == sec_status_insecure || 2074 vq->chase_reply->security == sec_status_indeterminate) && 2075 qstate->env->anchors->dlv_anchor && !vq->dlv_checked) { 2076 vq->dlv_checked = 1; 2077 if(!val_dlv_init(qstate, vq, ve, id)) 2078 return 0; 2079 } 2080 2081 /* store overall validation result in orig_msg */ 2082 if(vq->rrset_skip == 0) 2083 vq->orig_msg->rep->security = vq->chase_reply->security; 2084 else if(subtype != VAL_CLASS_REFERRAL || 2085 vq->rrset_skip < vq->orig_msg->rep->an_numrrsets + 2086 vq->orig_msg->rep->ns_numrrsets) { 2087 /* ignore sec status of additional section if a referral 2088 * type message skips there and 2089 * use the lowest security status as end result. */ 2090 if(vq->chase_reply->security < vq->orig_msg->rep->security) 2091 vq->orig_msg->rep->security = 2092 vq->chase_reply->security; 2093 } 2094 2095 if(subtype == VAL_CLASS_REFERRAL) { 2096 /* for a referral, move to next unchecked rrset and check it*/ 2097 vq->rrset_skip = val_next_unchecked(vq->orig_msg->rep, 2098 vq->rrset_skip); 2099 if(vq->rrset_skip < vq->orig_msg->rep->rrset_count) { 2100 /* and restart for this rrset */ 2101 verbose(VERB_ALGO, "validator: go to next rrset"); 2102 vq->chase_reply->security = sec_status_unchecked; 2103 vq->dlv_checked = 0; /* can do DLV for this RR */ 2104 vq->state = VAL_INIT_STATE; 2105 return 1; 2106 } 2107 /* referral chase is done */ 2108 } 2109 if(vq->chase_reply->security != sec_status_bogus && 2110 subtype == VAL_CLASS_CNAME) { 2111 /* chase the CNAME; process next part of the message */ 2112 if(!val_chase_cname(&vq->qchase, vq->orig_msg->rep, 2113 &vq->rrset_skip)) { 2114 verbose(VERB_ALGO, "validator: failed to chase CNAME"); 2115 vq->orig_msg->rep->security = sec_status_bogus; 2116 } else { 2117 /* restart process for new qchase at rrset_skip */ 2118 log_query_info(VERB_ALGO, "validator: chased to", 2119 &vq->qchase); 2120 vq->chase_reply->security = sec_status_unchecked; 2121 vq->dlv_checked = 0; /* can do DLV for this RR */ 2122 vq->state = VAL_INIT_STATE; 2123 return 1; 2124 } 2125 } 2126 2127 if(vq->orig_msg->rep->security == sec_status_secure) { 2128 /* If the message is secure, check that all rrsets are 2129 * secure (i.e. some inserted RRset for CNAME chain with 2130 * a different signer name). And drop additional rrsets 2131 * that are not secure (if clean-additional option is set) */ 2132 /* this may cause the msg to be marked bogus */ 2133 val_check_nonsecure(qstate->env, vq->orig_msg->rep); 2134 if(vq->orig_msg->rep->security == sec_status_secure) { 2135 log_query_info(VERB_DETAIL, "validation success", 2136 &qstate->qinfo); 2137 } 2138 } 2139 2140 /* if the result is bogus - set message ttl to bogus ttl to avoid 2141 * endless bogus revalidation */ 2142 if(vq->orig_msg->rep->security == sec_status_bogus) { 2143 /* see if we can try again to fetch data */ 2144 if(vq->restart_count < VAL_MAX_RESTART_COUNT) { 2145 int restart_count = vq->restart_count+1; 2146 verbose(VERB_ALGO, "validation failed, " 2147 "blacklist and retry to fetch data"); 2148 val_blacklist(&qstate->blacklist, qstate->region, 2149 qstate->reply_origin, 0); 2150 qstate->reply_origin = NULL; 2151 qstate->errinf = NULL; 2152 memset(vq, 0, sizeof(*vq)); 2153 vq->restart_count = restart_count; 2154 vq->state = VAL_INIT_STATE; 2155 verbose(VERB_ALGO, "pass back to next module"); 2156 qstate->ext_state[id] = module_restart_next; 2157 return 0; 2158 } 2159 2160 vq->orig_msg->rep->ttl = ve->bogus_ttl; 2161 vq->orig_msg->rep->prefetch_ttl = 2162 PREFETCH_TTL_CALC(vq->orig_msg->rep->ttl); 2163 if(qstate->env->cfg->val_log_level >= 1 && 2164 !qstate->env->cfg->val_log_squelch) { 2165 if(qstate->env->cfg->val_log_level < 2) 2166 log_query_info(0, "validation failure", 2167 &qstate->qinfo); 2168 else { 2169 char* err = errinf_to_str(qstate); 2170 if(err) log_info("%s", err); 2171 free(err); 2172 } 2173 } 2174 /* 2175 * If set, the validator will not make messages bogus, instead 2176 * indeterminate is issued, so that no clients receive SERVFAIL. 2177 * This allows an operator to run validation 'shadow' without 2178 * hurting responses to clients. 2179 */ 2180 /* If we are in permissive mode, bogus gets indeterminate */ 2181 if(qstate->env->cfg->val_permissive_mode) 2182 vq->orig_msg->rep->security = sec_status_indeterminate; 2183 } 2184 2185 /* store results in cache */ 2186 if(qstate->query_flags&BIT_RD) { 2187 /* if secure, this will override cache anyway, no need 2188 * to check if from parentNS */ 2189 if(!qstate->no_cache_store) { 2190 if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo, 2191 vq->orig_msg->rep, 0, qstate->prefetch_leeway, 0, NULL, 2192 qstate->query_flags)) { 2193 log_err("out of memory caching validator results"); 2194 } 2195 } 2196 } else { 2197 /* for a referral, store the verified RRsets */ 2198 /* and this does not get prefetched, so no leeway */ 2199 if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo, 2200 vq->orig_msg->rep, 1, 0, 0, NULL, 2201 qstate->query_flags)) { 2202 log_err("out of memory caching validator results"); 2203 } 2204 } 2205 qstate->return_rcode = LDNS_RCODE_NOERROR; 2206 qstate->return_msg = vq->orig_msg; 2207 qstate->ext_state[id] = module_finished; 2208 return 0; 2209 } 2210 2211 /** 2212 * The DLVLookup state. Process DLV lookups. 2213 * 2214 * @param qstate: query state. 2215 * @param vq: validator query state. 2216 * @param ve: validator shared global environment. 2217 * @param id: module id. 2218 * @return true if the event should be processed further on return, false if 2219 * not. 2220 */ 2221 static int 2222 processDLVLookup(struct module_qstate* qstate, struct val_qstate* vq, 2223 struct val_env* ve, int id) 2224 { 2225 struct module_qstate* newq = NULL; 2226 /* see if this we are ready to continue normal resolution */ 2227 /* we may need more DLV lookups */ 2228 if(vq->dlv_status==dlv_error) 2229 verbose(VERB_ALGO, "DLV woke up with status dlv_error"); 2230 else if(vq->dlv_status==dlv_success) 2231 verbose(VERB_ALGO, "DLV woke up with status dlv_success"); 2232 else if(vq->dlv_status==dlv_ask_higher) 2233 verbose(VERB_ALGO, "DLV woke up with status dlv_ask_higher"); 2234 else if(vq->dlv_status==dlv_there_is_no_dlv) 2235 verbose(VERB_ALGO, "DLV woke up with status dlv_there_is_no_dlv"); 2236 else verbose(VERB_ALGO, "DLV woke up with status unknown"); 2237 2238 if(vq->dlv_status == dlv_error) { 2239 verbose(VERB_QUERY, "failed DLV lookup"); 2240 return val_error(qstate, id); 2241 } else if(vq->dlv_status == dlv_success) { 2242 uint8_t* nm; 2243 size_t nmlen; 2244 /* chain continues with DNSKEY, continue in FINDKEY */ 2245 vq->state = VAL_FINDKEY_STATE; 2246 2247 /* strip off the DLV suffix from the name; could result in . */ 2248 log_assert(dname_subdomain_c(vq->ds_rrset->rk.dname, 2249 qstate->env->anchors->dlv_anchor->name)); 2250 nmlen = vq->ds_rrset->rk.dname_len - 2251 qstate->env->anchors->dlv_anchor->namelen + 1; 2252 nm = regional_alloc_init(qstate->region, 2253 vq->ds_rrset->rk.dname, nmlen); 2254 if(!nm) { 2255 log_err("Out of memory in DLVLook"); 2256 return val_error(qstate, id); 2257 } 2258 nm[nmlen-1] = 0; 2259 2260 vq->ds_rrset->rk.dname = nm; 2261 vq->ds_rrset->rk.dname_len = nmlen; 2262 2263 /* create a nullentry for the key so the dnskey lookup 2264 * can be retried after a validation failure for it */ 2265 vq->key_entry = key_entry_create_null(qstate->region, 2266 nm, nmlen, vq->qchase.qclass, 0, 0); 2267 if(!vq->key_entry) { 2268 log_err("Out of memory in DLVLook"); 2269 return val_error(qstate, id); 2270 } 2271 2272 if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 2273 vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY, 2274 vq->qchase.qclass, BIT_CD, &newq, 0)) { 2275 log_err("mem error generating DNSKEY request"); 2276 return val_error(qstate, id); 2277 } 2278 return 0; 2279 } else if(vq->dlv_status == dlv_there_is_no_dlv) { 2280 /* continue with the insecure result we got */ 2281 vq->state = VAL_FINISHED_STATE; 2282 return 1; 2283 } 2284 log_assert(vq->dlv_status == dlv_ask_higher); 2285 2286 /* ask higher, make sure we stay in DLV repo, below dlv_at */ 2287 if(!dname_subdomain_c(vq->dlv_lookup_name, 2288 qstate->env->anchors->dlv_anchor->name)) { 2289 /* just like, there is no DLV */ 2290 verbose(VERB_ALGO, "ask above dlv repo"); 2291 vq->state = VAL_FINISHED_STATE; 2292 return 1; 2293 } 2294 if(vq->dlv_insecure_at && !dname_subdomain_c(vq->dlv_lookup_name, 2295 vq->dlv_insecure_at)) { 2296 /* already checked a chain lower than dlv_lookup_name */ 2297 verbose(VERB_ALGO, "ask above insecure endpoint"); 2298 log_nametypeclass(VERB_ALGO, "enpt", vq->dlv_insecure_at, 0, 0); 2299 vq->state = VAL_FINISHED_STATE; 2300 return 1; 2301 } 2302 2303 /* check negative cache before making new request */ 2304 if(val_neg_dlvlookup(ve->neg_cache, vq->dlv_lookup_name, 2305 vq->dlv_lookup_name_len, vq->qchase.qclass, 2306 qstate->env->rrset_cache, *qstate->env->now)) { 2307 /* does not exist, go up one (go higher). */ 2308 dname_remove_label(&vq->dlv_lookup_name, 2309 &vq->dlv_lookup_name_len); 2310 /* limit number of labels, limited number of recursion */ 2311 return processDLVLookup(qstate, vq, ve, id); 2312 } 2313 2314 if(!generate_request(qstate, id, vq->dlv_lookup_name, 2315 vq->dlv_lookup_name_len, LDNS_RR_TYPE_DLV, 2316 vq->qchase.qclass, 0, &newq, 0)) { 2317 return val_error(qstate, id); 2318 } 2319 2320 return 0; 2321 } 2322 2323 /** 2324 * Handle validator state. 2325 * If a method returns true, the next state is started. If false, then 2326 * processing will stop. 2327 * @param qstate: query state. 2328 * @param vq: validator query state. 2329 * @param ve: validator shared global environment. 2330 * @param id: module id. 2331 */ 2332 static void 2333 val_handle(struct module_qstate* qstate, struct val_qstate* vq, 2334 struct val_env* ve, int id) 2335 { 2336 int cont = 1; 2337 while(cont) { 2338 verbose(VERB_ALGO, "val handle processing q with state %s", 2339 val_state_to_string(vq->state)); 2340 switch(vq->state) { 2341 case VAL_INIT_STATE: 2342 cont = processInit(qstate, vq, ve, id); 2343 break; 2344 case VAL_FINDKEY_STATE: 2345 cont = processFindKey(qstate, vq, id); 2346 break; 2347 case VAL_VALIDATE_STATE: 2348 cont = processValidate(qstate, vq, ve, id); 2349 break; 2350 case VAL_FINISHED_STATE: 2351 cont = processFinished(qstate, vq, ve, id); 2352 break; 2353 case VAL_DLVLOOKUP_STATE: 2354 cont = processDLVLookup(qstate, vq, ve, id); 2355 break; 2356 default: 2357 log_warn("validator: invalid state %d", 2358 vq->state); 2359 cont = 0; 2360 break; 2361 } 2362 } 2363 } 2364 2365 void 2366 val_operate(struct module_qstate* qstate, enum module_ev event, int id, 2367 struct outbound_entry* outbound) 2368 { 2369 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id]; 2370 struct val_qstate* vq = (struct val_qstate*)qstate->minfo[id]; 2371 verbose(VERB_QUERY, "validator[module %d] operate: extstate:%s " 2372 "event:%s", id, strextstate(qstate->ext_state[id]), 2373 strmodulevent(event)); 2374 log_query_info(VERB_QUERY, "validator operate: query", 2375 &qstate->qinfo); 2376 if(vq && qstate->qinfo.qname != vq->qchase.qname) 2377 log_query_info(VERB_QUERY, "validator operate: chased to", 2378 &vq->qchase); 2379 (void)outbound; 2380 if(event == module_event_new || 2381 (event == module_event_pass && vq == NULL)) { 2382 2383 /* pass request to next module, to get it */ 2384 verbose(VERB_ALGO, "validator: pass to next module"); 2385 qstate->ext_state[id] = module_wait_module; 2386 return; 2387 } 2388 if(event == module_event_moddone) { 2389 /* check if validation is needed */ 2390 verbose(VERB_ALGO, "validator: nextmodule returned"); 2391 2392 if(!needs_validation(qstate, qstate->return_rcode, 2393 qstate->return_msg)) { 2394 /* no need to validate this */ 2395 if(qstate->return_msg) 2396 qstate->return_msg->rep->security = 2397 sec_status_indeterminate; 2398 qstate->ext_state[id] = module_finished; 2399 return; 2400 } 2401 if(already_validated(qstate->return_msg)) { 2402 qstate->ext_state[id] = module_finished; 2403 return; 2404 } 2405 /* qclass ANY should have validation result from spawned 2406 * queries. If we get here, it is bogus or an internal error */ 2407 if(qstate->qinfo.qclass == LDNS_RR_CLASS_ANY) { 2408 verbose(VERB_ALGO, "cannot validate classANY: bogus"); 2409 if(qstate->return_msg) 2410 qstate->return_msg->rep->security = 2411 sec_status_bogus; 2412 qstate->ext_state[id] = module_finished; 2413 return; 2414 } 2415 /* create state to start validation */ 2416 qstate->ext_state[id] = module_error; /* override this */ 2417 if(!vq) { 2418 vq = val_new(qstate, id); 2419 if(!vq) { 2420 log_err("validator: malloc failure"); 2421 qstate->ext_state[id] = module_error; 2422 return; 2423 } 2424 } else if(!vq->orig_msg) { 2425 if(!val_new_getmsg(qstate, vq)) { 2426 log_err("validator: malloc failure"); 2427 qstate->ext_state[id] = module_error; 2428 return; 2429 } 2430 } 2431 val_handle(qstate, vq, ve, id); 2432 return; 2433 } 2434 if(event == module_event_pass) { 2435 qstate->ext_state[id] = module_error; /* override this */ 2436 /* continue processing, since val_env exists */ 2437 val_handle(qstate, vq, ve, id); 2438 return; 2439 } 2440 log_err("validator: bad event %s", strmodulevent(event)); 2441 qstate->ext_state[id] = module_error; 2442 return; 2443 } 2444 2445 /** 2446 * Evaluate the response to a priming request. 2447 * 2448 * @param dnskey_rrset: DNSKEY rrset (can be NULL if none) in prime reply. 2449 * (this rrset is allocated in the wrong region, not the qstate). 2450 * @param ta: trust anchor. 2451 * @param qstate: qstate that needs key. 2452 * @param id: module id. 2453 * @return new key entry or NULL on allocation failure. 2454 * The key entry will either contain a validated DNSKEY rrset, or 2455 * represent a Null key (query failed, but validation did not), or a 2456 * Bad key (validation failed). 2457 */ 2458 static struct key_entry_key* 2459 primeResponseToKE(struct ub_packed_rrset_key* dnskey_rrset, 2460 struct trust_anchor* ta, struct module_qstate* qstate, int id) 2461 { 2462 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id]; 2463 struct key_entry_key* kkey = NULL; 2464 enum sec_status sec = sec_status_unchecked; 2465 char* reason = NULL; 2466 int downprot = qstate->env->cfg->harden_algo_downgrade; 2467 2468 if(!dnskey_rrset) { 2469 log_nametypeclass(VERB_OPS, "failed to prime trust anchor -- " 2470 "could not fetch DNSKEY rrset", 2471 ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass); 2472 if(qstate->env->cfg->harden_dnssec_stripped) { 2473 errinf(qstate, "no DNSKEY rrset"); 2474 kkey = key_entry_create_bad(qstate->region, ta->name, 2475 ta->namelen, ta->dclass, BOGUS_KEY_TTL, 2476 *qstate->env->now); 2477 } else kkey = key_entry_create_null(qstate->region, ta->name, 2478 ta->namelen, ta->dclass, NULL_KEY_TTL, 2479 *qstate->env->now); 2480 if(!kkey) { 2481 log_err("out of memory: allocate fail prime key"); 2482 return NULL; 2483 } 2484 return kkey; 2485 } 2486 /* attempt to verify with trust anchor DS and DNSKEY */ 2487 kkey = val_verify_new_DNSKEYs_with_ta(qstate->region, qstate->env, ve, 2488 dnskey_rrset, ta->ds_rrset, ta->dnskey_rrset, downprot, 2489 &reason, qstate); 2490 if(!kkey) { 2491 log_err("out of memory: verifying prime TA"); 2492 return NULL; 2493 } 2494 if(key_entry_isgood(kkey)) 2495 sec = sec_status_secure; 2496 else 2497 sec = sec_status_bogus; 2498 verbose(VERB_DETAIL, "validate keys with anchor(DS): %s", 2499 sec_status_to_string(sec)); 2500 2501 if(sec != sec_status_secure) { 2502 log_nametypeclass(VERB_OPS, "failed to prime trust anchor -- " 2503 "DNSKEY rrset is not secure", 2504 ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass); 2505 /* NOTE: in this case, we should probably reject the trust 2506 * anchor for longer, perhaps forever. */ 2507 if(qstate->env->cfg->harden_dnssec_stripped) { 2508 errinf(qstate, reason); 2509 kkey = key_entry_create_bad(qstate->region, ta->name, 2510 ta->namelen, ta->dclass, BOGUS_KEY_TTL, 2511 *qstate->env->now); 2512 } else kkey = key_entry_create_null(qstate->region, ta->name, 2513 ta->namelen, ta->dclass, NULL_KEY_TTL, 2514 *qstate->env->now); 2515 if(!kkey) { 2516 log_err("out of memory: allocate null prime key"); 2517 return NULL; 2518 } 2519 return kkey; 2520 } 2521 2522 log_nametypeclass(VERB_DETAIL, "Successfully primed trust anchor", 2523 ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass); 2524 return kkey; 2525 } 2526 2527 /** 2528 * In inform supers, with the resulting message and rcode and the current 2529 * keyset in the super state, validate the DS response, returning a KeyEntry. 2530 * 2531 * @param qstate: query state that is validating and asked for a DS. 2532 * @param vq: validator query state 2533 * @param id: module id. 2534 * @param rcode: rcode result value. 2535 * @param msg: result message (if rcode is OK). 2536 * @param qinfo: from the sub query state, query info. 2537 * @param ke: the key entry to return. It returns 2538 * is_bad if the DS response fails to validate, is_null if the 2539 * DS response indicated an end to secure space, is_good if the DS 2540 * validated. It returns ke=NULL if the DS response indicated that the 2541 * request wasn't a delegation point. 2542 * @return 0 on servfail error (malloc failure). 2543 */ 2544 static int 2545 ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq, 2546 int id, int rcode, struct dns_msg* msg, struct query_info* qinfo, 2547 struct key_entry_key** ke) 2548 { 2549 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id]; 2550 char* reason = NULL; 2551 enum val_classification subtype; 2552 if(rcode != LDNS_RCODE_NOERROR) { 2553 char rc[16]; 2554 rc[0]=0; 2555 (void)sldns_wire2str_rcode_buf(rcode, rc, sizeof(rc)); 2556 /* errors here pretty much break validation */ 2557 verbose(VERB_DETAIL, "DS response was error, thus bogus"); 2558 errinf(qstate, rc); 2559 errinf(qstate, "no DS"); 2560 goto return_bogus; 2561 } 2562 2563 subtype = val_classify_response(BIT_RD, qinfo, qinfo, msg->rep, 0); 2564 if(subtype == VAL_CLASS_POSITIVE) { 2565 struct ub_packed_rrset_key* ds; 2566 enum sec_status sec; 2567 ds = reply_find_answer_rrset(qinfo, msg->rep); 2568 /* If there was no DS rrset, then we have mis-classified 2569 * this message. */ 2570 if(!ds) { 2571 log_warn("internal error: POSITIVE DS response was " 2572 "missing DS."); 2573 errinf(qstate, "no DS record"); 2574 goto return_bogus; 2575 } 2576 /* Verify only returns BOGUS or SECURE. If the rrset is 2577 * bogus, then we are done. */ 2578 sec = val_verify_rrset_entry(qstate->env, ve, ds, 2579 vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate); 2580 if(sec != sec_status_secure) { 2581 verbose(VERB_DETAIL, "DS rrset in DS response did " 2582 "not verify"); 2583 errinf(qstate, reason); 2584 goto return_bogus; 2585 } 2586 2587 /* If the DS rrset validates, we still have to make sure 2588 * that they are usable. */ 2589 if(!val_dsset_isusable(ds)) { 2590 /* If they aren't usable, then we treat it like 2591 * there was no DS. */ 2592 *ke = key_entry_create_null(qstate->region, 2593 qinfo->qname, qinfo->qname_len, qinfo->qclass, 2594 ub_packed_rrset_ttl(ds), *qstate->env->now); 2595 return (*ke) != NULL; 2596 } 2597 2598 /* Otherwise, we return the positive response. */ 2599 log_query_info(VERB_DETAIL, "validated DS", qinfo); 2600 *ke = key_entry_create_rrset(qstate->region, 2601 qinfo->qname, qinfo->qname_len, qinfo->qclass, ds, 2602 NULL, *qstate->env->now); 2603 return (*ke) != NULL; 2604 } else if(subtype == VAL_CLASS_NODATA || 2605 subtype == VAL_CLASS_NAMEERROR) { 2606 /* NODATA means that the qname exists, but that there was 2607 * no DS. This is a pretty normal case. */ 2608 time_t proof_ttl = 0; 2609 enum sec_status sec; 2610 2611 /* make sure there are NSECs or NSEC3s with signatures */ 2612 if(!val_has_signed_nsecs(msg->rep, &reason)) { 2613 verbose(VERB_ALGO, "no NSECs: %s", reason); 2614 errinf(qstate, reason); 2615 goto return_bogus; 2616 } 2617 2618 /* For subtype Name Error. 2619 * attempt ANS 2.8.1.0 compatibility where it sets rcode 2620 * to nxdomain, but really this is an Nodata/Noerror response. 2621 * Find and prove the empty nonterminal in that case */ 2622 2623 /* Try to prove absence of the DS with NSEC */ 2624 sec = val_nsec_prove_nodata_dsreply( 2625 qstate->env, ve, qinfo, msg->rep, vq->key_entry, 2626 &proof_ttl, &reason, qstate); 2627 switch(sec) { 2628 case sec_status_secure: 2629 verbose(VERB_DETAIL, "NSEC RRset for the " 2630 "referral proved no DS."); 2631 *ke = key_entry_create_null(qstate->region, 2632 qinfo->qname, qinfo->qname_len, 2633 qinfo->qclass, proof_ttl, 2634 *qstate->env->now); 2635 return (*ke) != NULL; 2636 case sec_status_insecure: 2637 verbose(VERB_DETAIL, "NSEC RRset for the " 2638 "referral proved not a delegation point"); 2639 *ke = NULL; 2640 return 1; 2641 case sec_status_bogus: 2642 verbose(VERB_DETAIL, "NSEC RRset for the " 2643 "referral did not prove no DS."); 2644 errinf(qstate, reason); 2645 goto return_bogus; 2646 case sec_status_unchecked: 2647 default: 2648 /* NSEC proof did not work, try next */ 2649 break; 2650 } 2651 2652 sec = nsec3_prove_nods(qstate->env, ve, 2653 msg->rep->rrsets + msg->rep->an_numrrsets, 2654 msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason, 2655 qstate); 2656 switch(sec) { 2657 case sec_status_insecure: 2658 /* case insecure also continues to unsigned 2659 * space. If nsec3-iter-count too high or 2660 * optout, then treat below as unsigned */ 2661 case sec_status_secure: 2662 verbose(VERB_DETAIL, "NSEC3s for the " 2663 "referral proved no DS."); 2664 *ke = key_entry_create_null(qstate->region, 2665 qinfo->qname, qinfo->qname_len, 2666 qinfo->qclass, proof_ttl, 2667 *qstate->env->now); 2668 return (*ke) != NULL; 2669 case sec_status_indeterminate: 2670 verbose(VERB_DETAIL, "NSEC3s for the " 2671 "referral proved no delegation"); 2672 *ke = NULL; 2673 return 1; 2674 case sec_status_bogus: 2675 verbose(VERB_DETAIL, "NSEC3s for the " 2676 "referral did not prove no DS."); 2677 errinf(qstate, reason); 2678 goto return_bogus; 2679 case sec_status_unchecked: 2680 default: 2681 /* NSEC3 proof did not work */ 2682 break; 2683 } 2684 2685 /* Apparently, no available NSEC/NSEC3 proved NODATA, so 2686 * this is BOGUS. */ 2687 verbose(VERB_DETAIL, "DS %s ran out of options, so return " 2688 "bogus", val_classification_to_string(subtype)); 2689 errinf(qstate, "no DS but also no proof of that"); 2690 goto return_bogus; 2691 } else if(subtype == VAL_CLASS_CNAME || 2692 subtype == VAL_CLASS_CNAMENOANSWER) { 2693 /* if the CNAME matches the exact name we want and is signed 2694 * properly, then also, we are sure that no DS exists there, 2695 * much like a NODATA proof */ 2696 enum sec_status sec; 2697 struct ub_packed_rrset_key* cname; 2698 cname = reply_find_rrset_section_an(msg->rep, qinfo->qname, 2699 qinfo->qname_len, LDNS_RR_TYPE_CNAME, qinfo->qclass); 2700 if(!cname) { 2701 errinf(qstate, "validator classified CNAME but no " 2702 "CNAME of the queried name for DS"); 2703 goto return_bogus; 2704 } 2705 if(((struct packed_rrset_data*)cname->entry.data)->rrsig_count 2706 == 0) { 2707 if(msg->rep->an_numrrsets != 0 && ntohs(msg->rep-> 2708 rrsets[0]->rk.type)==LDNS_RR_TYPE_DNAME) { 2709 errinf(qstate, "DS got DNAME answer"); 2710 } else { 2711 errinf(qstate, "DS got unsigned CNAME answer"); 2712 } 2713 goto return_bogus; 2714 } 2715 sec = val_verify_rrset_entry(qstate->env, ve, cname, 2716 vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate); 2717 if(sec == sec_status_secure) { 2718 verbose(VERB_ALGO, "CNAME validated, " 2719 "proof that DS does not exist"); 2720 /* and that it is not a referral point */ 2721 *ke = NULL; 2722 return 1; 2723 } 2724 errinf(qstate, "CNAME in DS response was not secure."); 2725 errinf(qstate, reason); 2726 goto return_bogus; 2727 } else { 2728 verbose(VERB_QUERY, "Encountered an unhandled type of " 2729 "DS response, thus bogus."); 2730 errinf(qstate, "no DS and"); 2731 if(FLAGS_GET_RCODE(msg->rep->flags) != LDNS_RCODE_NOERROR) { 2732 char rc[16]; 2733 rc[0]=0; 2734 (void)sldns_wire2str_rcode_buf((int)FLAGS_GET_RCODE( 2735 msg->rep->flags), rc, sizeof(rc)); 2736 errinf(qstate, rc); 2737 } else errinf(qstate, val_classification_to_string(subtype)); 2738 errinf(qstate, "message fails to prove that"); 2739 goto return_bogus; 2740 } 2741 return_bogus: 2742 *ke = key_entry_create_bad(qstate->region, qinfo->qname, 2743 qinfo->qname_len, qinfo->qclass, 2744 BOGUS_KEY_TTL, *qstate->env->now); 2745 return (*ke) != NULL; 2746 } 2747 2748 /** 2749 * Process DS response. Called from inform_supers. 2750 * Because it is in inform_supers, the mesh itself is busy doing callbacks 2751 * for a state that is to be deleted soon; don't touch the mesh; instead 2752 * set a state in the super, as the super will be reactivated soon. 2753 * Perform processing to determine what state to set in the super. 2754 * 2755 * @param qstate: query state that is validating and asked for a DS. 2756 * @param vq: validator query state 2757 * @param id: module id. 2758 * @param rcode: rcode result value. 2759 * @param msg: result message (if rcode is OK). 2760 * @param qinfo: from the sub query state, query info. 2761 * @param origin: the origin of msg. 2762 */ 2763 static void 2764 process_ds_response(struct module_qstate* qstate, struct val_qstate* vq, 2765 int id, int rcode, struct dns_msg* msg, struct query_info* qinfo, 2766 struct sock_list* origin) 2767 { 2768 struct key_entry_key* dske = NULL; 2769 uint8_t* olds = vq->empty_DS_name; 2770 vq->empty_DS_name = NULL; 2771 if(!ds_response_to_ke(qstate, vq, id, rcode, msg, qinfo, &dske)) { 2772 log_err("malloc failure in process_ds_response"); 2773 vq->key_entry = NULL; /* make it error */ 2774 vq->state = VAL_VALIDATE_STATE; 2775 return; 2776 } 2777 if(dske == NULL) { 2778 vq->empty_DS_name = regional_alloc_init(qstate->region, 2779 qinfo->qname, qinfo->qname_len); 2780 if(!vq->empty_DS_name) { 2781 log_err("malloc failure in empty_DS_name"); 2782 vq->key_entry = NULL; /* make it error */ 2783 vq->state = VAL_VALIDATE_STATE; 2784 return; 2785 } 2786 vq->empty_DS_len = qinfo->qname_len; 2787 vq->chain_blacklist = NULL; 2788 /* ds response indicated that we aren't on a delegation point. 2789 * Keep the forState.state on FINDKEY. */ 2790 } else if(key_entry_isgood(dske)) { 2791 vq->ds_rrset = key_entry_get_rrset(dske, qstate->region); 2792 if(!vq->ds_rrset) { 2793 log_err("malloc failure in process DS"); 2794 vq->key_entry = NULL; /* make it error */ 2795 vq->state = VAL_VALIDATE_STATE; 2796 return; 2797 } 2798 vq->chain_blacklist = NULL; /* fresh blacklist for next part*/ 2799 /* Keep the forState.state on FINDKEY. */ 2800 } else if(key_entry_isbad(dske) 2801 && vq->restart_count < VAL_MAX_RESTART_COUNT) { 2802 vq->empty_DS_name = olds; 2803 val_blacklist(&vq->chain_blacklist, qstate->region, origin, 1); 2804 qstate->errinf = NULL; 2805 vq->restart_count++; 2806 } else { 2807 if(key_entry_isbad(dske)) { 2808 errinf_origin(qstate, origin); 2809 errinf_dname(qstate, "for DS", qinfo->qname); 2810 } 2811 /* NOTE: the reason for the DS to be not good (that is, 2812 * either bad or null) should have been logged by 2813 * dsResponseToKE. */ 2814 vq->key_entry = dske; 2815 /* The FINDKEY phase has ended, so move on. */ 2816 vq->state = VAL_VALIDATE_STATE; 2817 } 2818 } 2819 2820 /** 2821 * Process DNSKEY response. Called from inform_supers. 2822 * Sets the key entry in the state. 2823 * Because it is in inform_supers, the mesh itself is busy doing callbacks 2824 * for a state that is to be deleted soon; don't touch the mesh; instead 2825 * set a state in the super, as the super will be reactivated soon. 2826 * Perform processing to determine what state to set in the super. 2827 * 2828 * @param qstate: query state that is validating and asked for a DNSKEY. 2829 * @param vq: validator query state 2830 * @param id: module id. 2831 * @param rcode: rcode result value. 2832 * @param msg: result message (if rcode is OK). 2833 * @param qinfo: from the sub query state, query info. 2834 * @param origin: the origin of msg. 2835 */ 2836 static void 2837 process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq, 2838 int id, int rcode, struct dns_msg* msg, struct query_info* qinfo, 2839 struct sock_list* origin) 2840 { 2841 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id]; 2842 struct key_entry_key* old = vq->key_entry; 2843 struct ub_packed_rrset_key* dnskey = NULL; 2844 int downprot; 2845 char* reason = NULL; 2846 2847 if(rcode == LDNS_RCODE_NOERROR) 2848 dnskey = reply_find_answer_rrset(qinfo, msg->rep); 2849 2850 if(dnskey == NULL) { 2851 /* bad response */ 2852 verbose(VERB_DETAIL, "Missing DNSKEY RRset in response to " 2853 "DNSKEY query."); 2854 if(vq->restart_count < VAL_MAX_RESTART_COUNT) { 2855 val_blacklist(&vq->chain_blacklist, qstate->region, 2856 origin, 1); 2857 qstate->errinf = NULL; 2858 vq->restart_count++; 2859 return; 2860 } 2861 vq->key_entry = key_entry_create_bad(qstate->region, 2862 qinfo->qname, qinfo->qname_len, qinfo->qclass, 2863 BOGUS_KEY_TTL, *qstate->env->now); 2864 if(!vq->key_entry) { 2865 log_err("alloc failure in missing dnskey response"); 2866 /* key_entry is NULL for failure in Validate */ 2867 } 2868 errinf(qstate, "No DNSKEY record"); 2869 errinf_origin(qstate, origin); 2870 errinf_dname(qstate, "for key", qinfo->qname); 2871 vq->state = VAL_VALIDATE_STATE; 2872 return; 2873 } 2874 if(!vq->ds_rrset) { 2875 log_err("internal error: no DS rrset for new DNSKEY response"); 2876 vq->key_entry = NULL; 2877 vq->state = VAL_VALIDATE_STATE; 2878 return; 2879 } 2880 downprot = qstate->env->cfg->harden_algo_downgrade; 2881 vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env, 2882 ve, dnskey, vq->ds_rrset, downprot, &reason, qstate); 2883 2884 if(!vq->key_entry) { 2885 log_err("out of memory in verify new DNSKEYs"); 2886 vq->state = VAL_VALIDATE_STATE; 2887 return; 2888 } 2889 /* If the key entry isBad or isNull, then we can move on to the next 2890 * state. */ 2891 if(!key_entry_isgood(vq->key_entry)) { 2892 if(key_entry_isbad(vq->key_entry)) { 2893 if(vq->restart_count < VAL_MAX_RESTART_COUNT) { 2894 val_blacklist(&vq->chain_blacklist, 2895 qstate->region, origin, 1); 2896 qstate->errinf = NULL; 2897 vq->restart_count++; 2898 vq->key_entry = old; 2899 return; 2900 } 2901 verbose(VERB_DETAIL, "Did not match a DS to a DNSKEY, " 2902 "thus bogus."); 2903 errinf(qstate, reason); 2904 errinf_origin(qstate, origin); 2905 errinf_dname(qstate, "for key", qinfo->qname); 2906 } 2907 vq->chain_blacklist = NULL; 2908 vq->state = VAL_VALIDATE_STATE; 2909 return; 2910 } 2911 vq->chain_blacklist = NULL; 2912 qstate->errinf = NULL; 2913 2914 /* The DNSKEY validated, so cache it as a trusted key rrset. */ 2915 key_cache_insert(ve->kcache, vq->key_entry, qstate); 2916 2917 /* If good, we stay in the FINDKEY state. */ 2918 log_query_info(VERB_DETAIL, "validated DNSKEY", qinfo); 2919 } 2920 2921 /** 2922 * Process prime response 2923 * Sets the key entry in the state. 2924 * 2925 * @param qstate: query state that is validating and primed a trust anchor. 2926 * @param vq: validator query state 2927 * @param id: module id. 2928 * @param rcode: rcode result value. 2929 * @param msg: result message (if rcode is OK). 2930 * @param origin: the origin of msg. 2931 */ 2932 static void 2933 process_prime_response(struct module_qstate* qstate, struct val_qstate* vq, 2934 int id, int rcode, struct dns_msg* msg, struct sock_list* origin) 2935 { 2936 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id]; 2937 struct ub_packed_rrset_key* dnskey_rrset = NULL; 2938 struct trust_anchor* ta = anchor_find(qstate->env->anchors, 2939 vq->trust_anchor_name, vq->trust_anchor_labs, 2940 vq->trust_anchor_len, vq->qchase.qclass); 2941 if(!ta) { 2942 /* trust anchor revoked, restart with less anchors */ 2943 vq->state = VAL_INIT_STATE; 2944 if(!vq->trust_anchor_name) 2945 vq->state = VAL_VALIDATE_STATE; /* break a loop */ 2946 vq->trust_anchor_name = NULL; 2947 return; 2948 } 2949 /* Fetch and validate the keyEntry that corresponds to the 2950 * current trust anchor. */ 2951 if(rcode == LDNS_RCODE_NOERROR) { 2952 dnskey_rrset = reply_find_rrset_section_an(msg->rep, 2953 ta->name, ta->namelen, LDNS_RR_TYPE_DNSKEY, 2954 ta->dclass); 2955 } 2956 2957 if(ta->autr) { 2958 if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset, 2959 qstate)) { 2960 /* trust anchor revoked, restart with less anchors */ 2961 vq->state = VAL_INIT_STATE; 2962 vq->trust_anchor_name = NULL; 2963 return; 2964 } 2965 } 2966 vq->key_entry = primeResponseToKE(dnskey_rrset, ta, qstate, id); 2967 lock_basic_unlock(&ta->lock); 2968 if(vq->key_entry) { 2969 if(key_entry_isbad(vq->key_entry) 2970 && vq->restart_count < VAL_MAX_RESTART_COUNT) { 2971 val_blacklist(&vq->chain_blacklist, qstate->region, 2972 origin, 1); 2973 qstate->errinf = NULL; 2974 vq->restart_count++; 2975 vq->key_entry = NULL; 2976 vq->state = VAL_INIT_STATE; 2977 return; 2978 } 2979 vq->chain_blacklist = NULL; 2980 errinf_origin(qstate, origin); 2981 errinf_dname(qstate, "for trust anchor", ta->name); 2982 /* store the freshly primed entry in the cache */ 2983 key_cache_insert(ve->kcache, vq->key_entry, qstate); 2984 } 2985 2986 /* If the result of the prime is a null key, skip the FINDKEY state.*/ 2987 if(!vq->key_entry || key_entry_isnull(vq->key_entry) || 2988 key_entry_isbad(vq->key_entry)) { 2989 vq->state = VAL_VALIDATE_STATE; 2990 } 2991 /* the qstate will be reactivated after inform_super is done */ 2992 } 2993 2994 /** 2995 * Process DLV response. Called from inform_supers. 2996 * Because it is in inform_supers, the mesh itself is busy doing callbacks 2997 * for a state that is to be deleted soon; don't touch the mesh; instead 2998 * set a state in the super, as the super will be reactivated soon. 2999 * Perform processing to determine what state to set in the super. 3000 * 3001 * @param qstate: query state that is validating and asked for a DLV. 3002 * @param vq: validator query state 3003 * @param id: module id. 3004 * @param rcode: rcode result value. 3005 * @param msg: result message (if rcode is OK). 3006 * @param qinfo: from the sub query state, query info. 3007 */ 3008 static void 3009 process_dlv_response(struct module_qstate* qstate, struct val_qstate* vq, 3010 int id, int rcode, struct dns_msg* msg, struct query_info* qinfo) 3011 { 3012 struct val_env* ve = (struct val_env*)qstate->env->modinfo[id]; 3013 3014 verbose(VERB_ALGO, "process dlv response to super"); 3015 if(rcode != LDNS_RCODE_NOERROR) { 3016 /* lookup failed, set in vq to give up */ 3017 vq->dlv_status = dlv_error; 3018 verbose(VERB_ALGO, "response is error"); 3019 return; 3020 } 3021 if(msg->rep->security != sec_status_secure) { 3022 vq->dlv_status = dlv_error; 3023 verbose(VERB_ALGO, "response is not secure, %s", 3024 sec_status_to_string(msg->rep->security)); 3025 return; 3026 } 3027 /* was the lookup a success? validated DLV? */ 3028 if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_NOERROR && 3029 msg->rep->an_numrrsets == 1 && 3030 msg->rep->security == sec_status_secure && 3031 ntohs(msg->rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_DLV && 3032 ntohs(msg->rep->rrsets[0]->rk.rrset_class) == qinfo->qclass && 3033 query_dname_compare(msg->rep->rrsets[0]->rk.dname, 3034 vq->dlv_lookup_name) == 0) { 3035 /* yay! it is just like a DS */ 3036 vq->ds_rrset = (struct ub_packed_rrset_key*) 3037 regional_alloc_init(qstate->region, 3038 msg->rep->rrsets[0], sizeof(*vq->ds_rrset)); 3039 if(!vq->ds_rrset) { 3040 log_err("out of memory in process_dlv"); 3041 return; 3042 } 3043 vq->ds_rrset->entry.key = vq->ds_rrset; 3044 vq->ds_rrset->rk.dname = (uint8_t*)regional_alloc_init( 3045 qstate->region, vq->ds_rrset->rk.dname, 3046 vq->ds_rrset->rk.dname_len); 3047 if(!vq->ds_rrset->rk.dname) { 3048 log_err("out of memory in process_dlv"); 3049 vq->dlv_status = dlv_error; 3050 return; 3051 } 3052 vq->ds_rrset->entry.data = regional_alloc_init(qstate->region, 3053 vq->ds_rrset->entry.data, 3054 packed_rrset_sizeof(vq->ds_rrset->entry.data)); 3055 if(!vq->ds_rrset->entry.data) { 3056 log_err("out of memory in process_dlv"); 3057 vq->dlv_status = dlv_error; 3058 return; 3059 } 3060 packed_rrset_ptr_fixup(vq->ds_rrset->entry.data); 3061 /* make vq do a DNSKEY query next up */ 3062 vq->dlv_status = dlv_success; 3063 return; 3064 } 3065 /* store NSECs into negative cache */ 3066 val_neg_addreply(ve->neg_cache, msg->rep); 3067 3068 /* was the lookup a failure? 3069 * if we have to go up into the DLV for a higher DLV anchor 3070 * then set this in the vq, so it can make queries when activated. 3071 * See if the NSECs indicate that we should look for higher DLV 3072 * or, that there is no DLV securely */ 3073 if(!val_nsec_check_dlv(qinfo, msg->rep, &vq->dlv_lookup_name, 3074 &vq->dlv_lookup_name_len)) { 3075 vq->dlv_status = dlv_error; 3076 verbose(VERB_ALGO, "nsec error"); 3077 return; 3078 } 3079 if(!dname_subdomain_c(vq->dlv_lookup_name, 3080 qstate->env->anchors->dlv_anchor->name)) { 3081 vq->dlv_status = dlv_there_is_no_dlv; 3082 return; 3083 } 3084 vq->dlv_status = dlv_ask_higher; 3085 } 3086 3087 /* 3088 * inform validator super. 3089 * 3090 * @param qstate: query state that finished. 3091 * @param id: module id. 3092 * @param super: the qstate to inform. 3093 */ 3094 void 3095 val_inform_super(struct module_qstate* qstate, int id, 3096 struct module_qstate* super) 3097 { 3098 struct val_qstate* vq = (struct val_qstate*)super->minfo[id]; 3099 log_query_info(VERB_ALGO, "validator: inform_super, sub is", 3100 &qstate->qinfo); 3101 log_query_info(VERB_ALGO, "super is", &super->qinfo); 3102 if(!vq) { 3103 verbose(VERB_ALGO, "super: has no validator state"); 3104 return; 3105 } 3106 if(vq->wait_prime_ta) { 3107 vq->wait_prime_ta = 0; 3108 process_prime_response(super, vq, id, qstate->return_rcode, 3109 qstate->return_msg, qstate->reply_origin); 3110 return; 3111 } 3112 if(qstate->qinfo.qtype == LDNS_RR_TYPE_DS) { 3113 process_ds_response(super, vq, id, qstate->return_rcode, 3114 qstate->return_msg, &qstate->qinfo, 3115 qstate->reply_origin); 3116 return; 3117 } else if(qstate->qinfo.qtype == LDNS_RR_TYPE_DNSKEY) { 3118 process_dnskey_response(super, vq, id, qstate->return_rcode, 3119 qstate->return_msg, &qstate->qinfo, 3120 qstate->reply_origin); 3121 return; 3122 } else if(qstate->qinfo.qtype == LDNS_RR_TYPE_DLV) { 3123 process_dlv_response(super, vq, id, qstate->return_rcode, 3124 qstate->return_msg, &qstate->qinfo); 3125 return; 3126 } 3127 log_err("internal error in validator: no inform_supers possible"); 3128 } 3129 3130 void 3131 val_clear(struct module_qstate* qstate, int id) 3132 { 3133 if(!qstate) 3134 return; 3135 /* everything is allocated in the region, so assign NULL */ 3136 qstate->minfo[id] = NULL; 3137 } 3138 3139 size_t 3140 val_get_mem(struct module_env* env, int id) 3141 { 3142 struct val_env* ve = (struct val_env*)env->modinfo[id]; 3143 if(!ve) 3144 return 0; 3145 return sizeof(*ve) + key_cache_get_mem(ve->kcache) + 3146 val_neg_get_mem(ve->neg_cache) + 3147 sizeof(size_t)*2*ve->nsec3_keyiter_count; 3148 } 3149 3150 /** 3151 * The validator function block 3152 */ 3153 static struct module_func_block val_block = { 3154 "validator", 3155 &val_init, &val_deinit, &val_operate, &val_inform_super, &val_clear, 3156 &val_get_mem 3157 }; 3158 3159 struct module_func_block* 3160 val_get_funcblock(void) 3161 { 3162 return &val_block; 3163 } 3164 3165 const char* 3166 val_state_to_string(enum val_state state) 3167 { 3168 switch(state) { 3169 case VAL_INIT_STATE: return "VAL_INIT_STATE"; 3170 case VAL_FINDKEY_STATE: return "VAL_FINDKEY_STATE"; 3171 case VAL_VALIDATE_STATE: return "VAL_VALIDATE_STATE"; 3172 case VAL_FINISHED_STATE: return "VAL_FINISHED_STATE"; 3173 case VAL_DLVLOOKUP_STATE: return "VAL_DLVLOOKUP_STATE"; 3174 } 3175 return "UNKNOWN VALIDATOR STATE"; 3176 } 3177 3178