
/*
 * Attribute predicates for a validator.  Each macro tests exactly one
 * VALATTR_* bit of val->attributes and yields a boolean (0/1).
 *
 * The argument is expanded unparenthesized as val->attributes, so these
 * must be given a plain dns_validator_t pointer, never an expression
 * such as a pointer computation or a cast.
 *
 * NOTE(review): from the callers visible in this listing, the NEED*
 * macros appear to describe the proofs a negative answer still requires
 * and the FOUND* macros the proofs already located (the latter are set
 * with `val->attributes |= VALATTR_FOUND*` once a covering NSEC/NSEC3
 * has been checked); DLVTRIED is asserted clear and then set in
 * startfinddlvsep, so a DLV lookup is attempted at most once per
 * validator.  Confirm against the full validator.c before relying on it.
 */
108 #define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
109 #define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
110 #define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
111 #define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
112 #define FOUNDNODATA(val) ((val->attributes & VALATTR_FOUNDNODATA) != 0)
113 #define FOUNDNOQNAME(val) ((val->attributes & VALATTR_FOUNDNOQNAME) != 0)
114 #define FOUNDNOWILDCARD(val) ((val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)
115 #define FOUNDCLOSEST(val) ((val->attributes & VALATTR_FOUNDCLOSEST) != 0)
116 #define FOUNDOPTOUT(val) ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
124 destroy(dns_validator_t *val);
127 get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
131 validate(dns_validator_t *val, isc_boolean_t resume);
134 validatezonekey(dns_validator_t *val);
137 nsecvalidate(dns_validator_t *val, isc_boolean_t resume);
140 proveunsecure(dns_validator_t *val, isc_boolean_t have_ds,
144 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
149 validator_log(void *val, int level, const char *fmt, ...)
153 validator_logcreate(dns_validator_t *val,
158 dlv_validatezonekey(dns_validator_t *val);
161 dlv_validator_start(dns_validator_t *val);
164 finddlvsep(dns_validator_t *val, isc_boolean_t resume);
167 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
173 markanswer(dns_validator_t *val, const char *where) {
174 validator_log(val, ISC_LOG_DEBUG(3), "marking as answer (%s)", where);
175 if (val->event->rdataset != NULL)
176 dns_rdataset_settrust(val->event->rdataset, dns_trust_answer);
177 if (val->event->sigrdataset != NULL)
178 dns_rdataset_settrust(val->event->sigrdataset,
191 validator_done(dns_validator_t *val, isc_result_t result) {
194 if (val->event == NULL)
201 val->event->result = result;
202 task = val->event->ev_sender;
203 val->event->ev_sender = val;
204 val->event->ev_type = DNS_EVENT_VALIDATORDONE;
205 val->event->ev_action = val->action;
206 val->event->ev_arg = val->arg;
207 isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
211 exit_check(dns_validator_t *val) {
215 if (!SHUTDOWN(val))
218 INSIST(val->event == NULL);
220 if (val->fetch != NULL || val->subvalidator != NULL)
230 dlv_algorithm_supported(dns_validator_t *val) {
235 for (result = dns_rdataset_first(&val->dlv);
237 result = dns_rdataset_next(&val->dlv)) {
239 dns_rdataset_current(&val->dlv, &rdata);
243 if (!dns_resolver_algorithm_supported(val->view->resolver,
244 val->event->name,
248 if (!dns_resolver_ds_digest_supported(val->view->resolver,
249 val->event->name,
383 dns_validator_t *val;
394 val = devent->ev_arg;
395 rdataset = &val->frdataset;
403 if (dns_rdataset_isassociated(&val->fsigrdataset))
404 dns_rdataset_disassociate(&val->fsigrdataset);
407 INSIST(val->event != NULL);
409 validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
410 LOCK(&val->lock);
411 fetch = val->fetch;
412 val->fetch = NULL;
413 if (CANCELED(val)) {
414 validator_done(val, ISC_R_CANCELED);
416 validator_log(val, ISC_LOG_DEBUG(3),
423 result = get_dst_key(val, val->siginfo, rdataset);
425 val->keyset = &val->frdataset;
427 result = validate(val, ISC_TRUE);
429 (val->attributes & VALATTR_TRIEDVERIFY) == 0)
432 validator_log(val, ISC_LOG_DEBUG(3),
434 val->attributes |= VALATTR_INSECURITY;
435 result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
440 validator_done(val, result);
442 validator_log(val, ISC_LOG_DEBUG(3),
446 validator_done(val, eresult);
448 validator_done(val, DNS_R_BROKENCHAIN);
450 want_destroy = exit_check(val);
451 UNLOCK(&val->lock);
455 destroy(val);
466 dns_validator_t *val;
476 val = devent->ev_arg;
477 rdataset = &val->frdataset;
485 if (dns_rdataset_isassociated(&val->fsigrdataset))
486 dns_rdataset_disassociate(&val->fsigrdataset);
489 INSIST(val->event != NULL);
491 validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched");
492 LOCK(&val->lock);
493 fetch = val->fetch;
494 val->fetch = NULL;
495 if (CANCELED(val)) {
496 validator_done(val, ISC_R_CANCELED);
498 validator_log(val, ISC_LOG_DEBUG(3),
501 val->dsset = &val->frdataset;
502 result = validatezonekey(val);
504 validator_done(val, result);
510 validator_log(val, ISC_LOG_DEBUG(3),
513 val->attributes |= VALATTR_INSECURITY;
514 result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
516 validator_done(val, result);
518 validator_log(val, ISC_LOG_DEBUG(3),
522 validator_done(val, eresult);
524 validator_done(val, DNS_R_BROKENCHAIN);
526 want_destroy = exit_check(val);
527 UNLOCK(&val->lock);
531 destroy(val);
548 dns_validator_t *val;
558 val = devent->ev_arg;
566 if (dns_rdataset_isassociated(&val->fsigrdataset))
567 dns_rdataset_disassociate(&val->fsigrdataset);
569 INSIST(val->event != NULL);
571 validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2: %s",
573 LOCK(&val->lock);
574 fetch = val->fetch;
575 val->fetch = NULL;
576 if (CANCELED(val)) {
577 validator_done(val, ISC_R_CANCELED);
587 isdelegation(tname, &val->frdataset, eresult)) {
588 if (val->mustbesecure) {
589 validator_log(val, ISC_LOG_WARNING,
592 validator_done(val, DNS_R_MUSTBESECURE);
593 } else if (val->view->dlv == NULL || DLVTRIED(val)) {
594 markanswer(val, "dsfetched2");
595 validator_done(val, ISC_R_SUCCESS);
597 result = startfinddlvsep(val, tname);
599 validator_done(val, result);
602 result = proveunsecure(val, ISC_FALSE, ISC_TRUE);
604 validator_done(val, result);
615 result = proveunsecure(val, ISC_TF(eresult == ISC_R_SUCCESS),
618 validator_done(val, result);
621 validator_done(val, eresult);
623 validator_done(val, DNS_R_NOVALIDDS);
626 want_destroy = exit_check(val);
627 UNLOCK(&val->lock);
631 destroy(val);
642 dns_validator_t *val;
652 val = devent->ev_arg;
656 dns_validator_destroy(&val->subvalidator);
658 INSIST(val->event != NULL);
660 validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
661 LOCK(&val->lock);
662 if (CANCELED(val)) {
663 validator_done(val, ISC_R_CANCELED);
665 validator_log(val, ISC_LOG_DEBUG(3),
667 dns_trust_totext(val->frdataset.trust));
671 if (val->frdataset.trust >= dns_trust_secure)
672 (void) get_dst_key(val, val->siginfo, &val->frdataset);
673 result = validate(val, ISC_TRUE);
675 (val->attributes & VALATTR_TRIEDVERIFY) == 0)
678 validator_log(val, ISC_LOG_DEBUG(3),
680 val->attributes |= VALATTR_INSECURITY;
681 result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
686 validator_done(val, result);
689 if (dns_rdataset_isassociated(&val->frdataset))
690 dns_rdataset_expire(&val->frdataset);
691 if (dns_rdataset_isassociated(&val->fsigrdataset))
692 dns_rdataset_expire(&val->fsigrdataset);
694 validator_log(val, ISC_LOG_DEBUG(3),
697 validator_done(val, DNS_R_BROKENCHAIN);
699 want_destroy = exit_check(val);
700 UNLOCK(&val->lock);
702 destroy(val);
713 dns_validator_t *val;
722 val = devent->ev_arg;
726 dns_validator_destroy(&val->subvalidator);
728 INSIST(val->event != NULL);
730 validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
731 LOCK(&val->lock);
732 if (CANCELED(val)) {
733 validator_done(val, ISC_R_CANCELED);
737 validator_log(val, ISC_LOG_DEBUG(3),
739 val->frdataset.type == dns_rdatatype_ds ?
741 dns_trust_totext(val->frdataset.trust));
742 have_dsset = ISC_TF(val->frdataset.type == dns_rdatatype_ds);
743 name = dns_fixedname_name(&val->fname);
744 if ((val->attributes & VALATTR_INSECURITY) != 0 &&
745 val->frdataset.covers == dns_rdatatype_ds &&
746 NEGATIVE(&val->frdataset) &&
747 isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) {
748 if (val->mustbesecure) {
749 validator_log(val, ISC_LOG_WARNING,
753 } else if (val->view->dlv == NULL || DLVTRIED(val)) {
754 markanswer(val, "dsvalidated");
757 result = startfinddlvsep(val, name);
758 } else if ((val->attributes & VALATTR_INSECURITY) != 0) {
759 result = proveunsecure(val, have_dsset, ISC_TRUE);
761 result = validatezonekey(val);
763 validator_done(val, result);
766 if (dns_rdataset_isassociated(&val->frdataset))
767 dns_rdataset_expire(&val->frdataset);
768 if (dns_rdataset_isassociated(&val->fsigrdataset))
769 dns_rdataset_expire(&val->fsigrdataset);
771 validator_log(val, ISC_LOG_DEBUG(3),
774 validator_done(val, DNS_R_BROKENCHAIN);
776 want_destroy = exit_check(val);
777 UNLOCK(&val->lock);
779 destroy(val);
790 dns_validator_t *val;
799 val = devent->ev_arg;
803 dns_validator_destroy(&val->subvalidator);
805 INSIST(val->event != NULL);
806 INSIST((val->attributes & VALATTR_INSECURITY) != 0);
808 validator_log(val, ISC_LOG_DEBUG(3), "in cnamevalidated");
809 LOCK(&val->lock);
810 if (CANCELED(val)) {
811 validator_done(val, ISC_R_CANCELED);
813 validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %s",
814 dns_trust_totext(val->frdataset.trust));
815 result = proveunsecure(val, ISC_FALSE, ISC_TRUE);
817 validator_done(val, result);
820 if (dns_rdataset_isassociated(&val->frdataset))
821 dns_rdataset_expire(&val->frdataset);
822 if (dns_rdataset_isassociated(&val->fsigrdataset))
823 dns_rdataset_expire(&val->fsigrdataset);
825 validator_log(val, ISC_LOG_DEBUG(3),
828 validator_done(val, DNS_R_BROKENCHAIN);
830 want_destroy = exit_check(val);
831 UNLOCK(&val->lock);
833 destroy(val);
846 dns_validator_t *val;
857 val = devent->ev_arg;
859 dns_validator_destroy(&val->subvalidator);
861 INSIST(val->event != NULL);
863 validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
864 LOCK(&val->lock);
865 if (CANCELED(val)) {
866 validator_done(val, ISC_R_CANCELED);
868 validator_log(val, ISC_LOG_DEBUG(3),
872 val->authfail++;
874 validator_done(val, result);
876 result = nsecvalidate(val, ISC_TRUE);
878 validator_done(val, result);
881 dns_name_t **proofs = val->event->proofs;
882 dns_name_t *wild = dns_fixedname_name(&val->wild);
885 val->seensig = ISC_TRUE;
889 (NEEDNODATA(val) || NEEDNOQNAME(val)) &&
890 !FOUNDNODATA(val) && !FOUNDNOQNAME(val) &&
891 dns_nsec_noexistnodata(val->event->type, val->event->name,
893 &data, wild, validator_log, val)
897 val->attributes |= VALATTR_FOUNDNODATA;
898 if (NEEDNODATA(val))
906 val->attributes |= VALATTR_FOUNDNOQNAME;
908 closest = dns_fixedname_name(&val->closest);
919 val->attributes |= VALATTR_FOUNDCLOSEST;
924 if (NEEDNOQNAME(val))
930 result = nsecvalidate(val, ISC_TRUE);
932 validator_done(val, result);
934 want_destroy = exit_check(val);
935 UNLOCK(&val->lock);
937 destroy(val);
961 view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
975 if (dns_rdataset_isassociated(&val->frdataset))
976 dns_rdataset_disassociate(&val->frdataset);
977 if (dns_rdataset_isassociated(&val->fsigrdataset))
978 dns_rdataset_disassociate(&val->fsigrdataset);
981 dns_resolver_getbadcache(val->view->resolver, name, type, &now)) {
985 validator_log(val, ISC_LOG_INFO, "bad cache hit (%s/%s)",
995 result = dns_view_find(val->view, name, type, 0, options,
997 &val->frdataset, &val->fsigrdataset);
1000 if (dns_rdataset_isassociated(&val->frdataset))
1001 dns_rdataset_disassociate(&val->frdataset);
1002 if (dns_rdataset_isassociated(&val->fsigrdataset))
1003 dns_rdataset_disassociate(&val->fsigrdataset);
1005 validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC");
1010 if (val->frdataset.trust != dns_trust_secure) {
1011 validator_log(val, ISC_LOG_DEBUG(3),
1013 dns_trust_totext(val->frdataset.trust));
1016 result = dns_rdataset_first(&val->frdataset);
1019 dns_rdataset_current(&val->frdataset, &rdata);
1024 validator_log(val, ISC_LOG_DEBUG(3),
1041 validator_log(val, ISC_LOG_DEBUG(3),
1054 validator_log(val, ISC_LOG_DEBUG(3),
1062 validator_log(val, ISC_LOG_DEBUG(3),
1066 if (dns_rdataset_isassociated(&val->frdataset))
1067 dns_rdataset_disassociate(&val->frdataset);
1068 if (dns_rdataset_isassociated(&val->fsigrdataset))
1069 dns_rdataset_disassociate(&val->fsigrdataset);
1083 if (dns_rdataset_isassociated(&val->frdataset))
1084 dns_rdataset_disassociate(&val->frdataset);
1085 if (dns_rdataset_isassociated(&val->fsigrdataset))
1086 dns_rdataset_disassociate(&val->fsigrdataset);
1095 check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
1100 for (parent = val; parent != NULL; parent = parent->parent) {
1115 validator_log(val, ISC_LOG_DEBUG(3),
1128 create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
1133 if (dns_rdataset_isassociated(&val->frdataset))
1134 dns_rdataset_disassociate(&val->frdataset);
1135 if (dns_rdataset_isassociated(&val->fsigrdataset))
1136 dns_rdataset_disassociate(&val->fsigrdataset);
1138 if (check_deadlock(val, name, type, NULL, NULL)) {
1139 validator_log(val, ISC_LOG_DEBUG(3),
1144 if ((val->options & DNS_VALIDATOR_NOCDFLAG) != 0)
1147 if ((val->options & DNS_VALIDATOR_NONTA) != 0)
1150 validator_logcreate(val, name, type, caller, "fetch");
1151 return (dns_resolver_createfetch(val->view->resolver, name, type,
1153 val->event->ev_sender,
1154 callback, val,
1155 &val->frdataset,
1156 &val->fsigrdataset,
1157 &val->fetch));
1164 create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
1171 if (check_deadlock(val, name, type, rdataset, sigrdataset)) {
1172 validator_log(val, ISC_LOG_DEBUG(3),
1178 vopts |= (val->options & (DNS_VALIDATOR_NOCDFLAG|DNS_VALIDATOR_NONTA));
1180 validator_logcreate(val, name, type, caller, "validator");
1181 result = dns_validator_create(val->view, name, type,
1183 val->task, action, val,
1184 &val->subvalidator);
1186 val->subvalidator->parent = val;
1187 val->subvalidator->depth = val->depth + 1;
1195 * val->key at it.
1197 * If val->key is non-NULL, this returns the next matching key.
1200 get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
1206 dst_key_t *oldkey = val->key;
1213 val->key = NULL;
1224 INSIST(val->key == NULL);
1226 val->view->mctx, &val->key);
1230 (dns_secalg_t)dst_key_alg(val->key) &&
1232 (dns_keytag_t)dst_key_id(val->key) &&
1233 dst_key_iszonekey(val->key))
1240 else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
1246 dst_key_free(&val->key);
1264 get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
1276 namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
1287 if (val->event->rdataset->type == dns_rdatatype_dnskey)
1294 if (dns_rdatatype_atparent(val->event->rdataset->type))
1301 if (val->event->rdataset->type == dns_rdatatype_soa ||
1302 val->event->rdataset->type == dns_rdatatype_ns) {
1305 if (val->event->rdataset->type == dns_rdatatype_soa)
1309 validator_log(val, ISC_LOG_DEBUG(3),
1318 result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
1323 val->keyset = &val->frdataset;
1324 if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
1325 DNS_TRUST_ANSWER(val->frdataset.trust)) &&
1326 dns_rdataset_isassociated(&val->fsigrdataset))
1333 result = create_validator(val, &siginfo->signer,
1335 &val->frdataset,
1336 &val->fsigrdataset,
1342 } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
1348 } else if (val->frdataset.trust < dns_trust_secure) {
1353 val->key = NULL;
1359 validator_log(val, ISC_LOG_DEBUG(3),
1361 dns_trust_totext(val->frdataset.trust));
1362 result = get_dst_key(val, siginfo, val->keyset);
1376 result = create_fetch(val, &siginfo->signer,
1395 if (dns_rdataset_isassociated(&val->frdataset) &&
1396 val->keyset != &val->frdataset)
1397 dns_rdataset_disassociate(&val->frdataset);
1398 if (dns_rdataset_isassociated(&val->fsigrdataset))
1399 dns_rdataset_disassociate(&val->fsigrdataset);
1416 isselfsigned(dns_validator_t *val) {
1429 rdataset = val->event->rdataset;
1430 sigrdataset = val->event->sigrdataset;
1431 name = val->event->name;
1432 mctx = val->view->mctx;
1471 val->view->maxbits,
1480 dns_view_untrust(val->view, name, &key, mctx);
1496 verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
1504 val->attributes |= VALATTR_TRIEDVERIFY;
1508 result = dns_dnssec_verify3(val->event->name, val->event->rdataset,
1509 key, ignore, val->view->maxbits,
1510 val->view->mctx, rdata, wild);
1512 val->view->acceptexpired)
1518 validator_log(val, ISC_LOG_INFO,
1523 validator_log(val, ISC_LOG_INFO,
1527 validator_log(val, ISC_LOG_DEBUG(3),
1531 if (!dns_name_equal(val->event->name, wild)) {
1539 closest = dns_fixedname_name(&val->closest);
1543 val->attributes |= VALATTR_NEEDNOQNAME;
1560 validate(dns_validator_t *val, isc_boolean_t resume) {
1569 event = val->event;
1576 validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
1587 if (val->siginfo == NULL) {
1588 val->siginfo = isc_mem_get(val->view->mctx,
1589 sizeof(*val->siginfo));
1590 if (val->siginfo == NULL)
1593 result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
1601 if (!dns_resolver_algorithm_supported(val->view->resolver,
1603 val->siginfo->algorithm)) {
1609 result = get_key(val, val->siginfo);
1620 if (val->key == NULL) {
1626 vresult = verify(val, val->key, &rdata,
1627 val->siginfo->keyid);
1630 if (val->keynode != NULL) {
1633 val->keytable,
1634 val->keynode,
1636 dns_keytable_detachkeynode(val->keytable,
1637 &val->keynode);
1638 val->keynode = nextnode;
1640 val->key = NULL;
1643 val->key = dns_keynode_key(val->keynode);
1644 if (val->key == NULL)
1647 if (get_dst_key(val, val->siginfo, val->keyset)
1653 validator_log(val, ISC_LOG_DEBUG(3),
1658 val->siginfo, val->start,
1659 val->view->acceptexpired);
1662 if (val->keynode != NULL)
1663 dns_keytable_detachkeynode(val->keytable,
1664 &val->keynode);
1666 if (val->key != NULL)
1667 dst_key_free(&val->key);
1668 if (val->keyset != NULL) {
1669 dns_rdataset_disassociate(val->keyset);
1670 val->keyset = NULL;
1673 val->key = NULL;
1674 if (NEEDNOQNAME(val)) {
1675 if (val->event->message == NULL) {
1676 validator_log(val, ISC_LOG_DEBUG(3),
1680 validator_log(val, ISC_LOG_DEBUG(3),
1682 return (nsecvalidate(val, ISC_FALSE));
1685 validator_log(val, ISC_LOG_DEBUG(3),
1690 validator_log(val, ISC_LOG_DEBUG(3),
1697 validator_log(val, ISC_LOG_DEBUG(3),
1703 validator_log(val, ISC_LOG_INFO, "no valid signature found");
1709 * (val->event->rdataset).
1712 checkkey(dns_validator_t *val, dns_rdata_t *keyrdata, isc_uint16_t keyid,
1719 for (result = dns_rdataset_first(val->event->sigrdataset);
1721 result = dns_rdataset_next(val->event->sigrdataset))
1725 dns_rdataset_current(val->event->sigrdataset, &rdata);
1731 result = dns_dnssec_keyfromrdata(val->event->name,
1733 val->view->mctx,
1741 result = verify(val, dstkey, &rdata, sig.keyid);
1754 keyfromds(dns_validator_t *val, dns_rdataset_t *rdataset, dns_rdata_t *dsrdata,
1777 result = dns_ds_buildrdata(val->event->name, keyrdata, digest,
1780 validator_log(val, ISC_LOG_DEBUG(3),
1796 dlv_validatezonekey(dns_validator_t *val) {
1805 validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
1821 for (result = dns_rdataset_first(&val->dlv);
1823 result = dns_rdataset_next(&val->dlv)) {
1825 dns_rdataset_current(&val->dlv, &dlvrdata);
1829 if (!dns_resolver_ds_digest_supported(val->view->resolver,
1830 val->event->name,
1834 if (!dns_resolver_algorithm_supported(val->view->resolver,
1835 val->event->name,
1849 for (result = dns_rdataset_first(&val->dlv);
1851 result = dns_rdataset_next(&val->dlv))
1854 dns_rdataset_current(&val->dlv, &dlvrdata);
1861 if (!dns_resolver_ds_digest_supported(val->view->resolver,
1862 val->event->name,
1866 if (!dns_resolver_algorithm_supported(val->view->resolver,
1867 val->event->name,
1874 dns_rdataset_clone(val->event->rdataset, &trdataset);
1880 result = keyfromds(val, &trdataset, &dlvrdata,
1885 validator_log(val, ISC_LOG_DEBUG(3),
1890 validator_log(val, ISC_LOG_DEBUG(3),
1895 result = checkkey(val, &keyrdata, dlv.key_tag, dlv.algorithm);
1900 validator_log(val, ISC_LOG_DEBUG(3),
1904 marksecure(val->event);
1905 validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (dlv)");
1908 if (val->mustbesecure) {
1909 validator_log(val, ISC_LOG_WARNING,
1914 validator_log(val, ISC_LOG_DEBUG(3),
1916 markanswer(val, "dlv_validatezonekey (2)");
1933 validatezonekey(dns_validator_t *val) {
1952 event = val->event;
1954 if (val->havedlvsep && val->dlv.trust >= dns_trust_secure &&
1955 dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep)))
1956 return (dlv_validatezonekey(val));
1958 if (val->dsset == NULL) {
1964 * need to check whether val->event->name is "." prior to
1967 if (val->havedlvsep)
1973 for (result = dns_rdataset_first(val->event->sigrdataset);
1975 result = dns_rdataset_next(val->event->sigrdataset))
1984 dns_rdataset_current(val->event->sigrdataset,
1989 if (!dns_name_equal(val->event->name, &sig.signer))
1992 result = dns_keytable_findkeynode(val->keytable,
1993 val->event->name,
1997 dns_keytable_finddeepestmatch(val->keytable,
1998 val->event->name, found) != ISC_R_SUCCESS) {
1999 if (val->mustbesecure) {
2000 validator_log(val, ISC_LOG_WARNING,
2005 validator_log(val, ISC_LOG_DEBUG(3),
2007 if (val->view->dlv == NULL) {
2008 markanswer(val, "validatezonekey (1)");
2011 return (startfinddlvsep(val, dns_rootname));
2021 val->keytable,
2025 result = verify(val, dstkey, &sigrdata,
2029 val->keytable,
2034 val->keytable,
2037 dns_keytable_detachkeynode(val->keytable,
2043 validator_log(val, ISC_LOG_DEBUG(3),
2056 dns_name_format(val->event->name, namebuf,
2058 validator_log(val, ISC_LOG_NOTICE,
2071 if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) {
2072 validator_log(val, ISC_LOG_DEBUG(3),
2076 validator_log(val, ISC_LOG_DEBUG(3),
2085 result = view_find(val, val->event->name, dns_rdatatype_ds);
2090 val->dsset = &val->frdataset;
2091 if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
2092 DNS_TRUST_ANSWER(val->frdataset.trust)) &&
2093 dns_rdataset_isassociated(&val->fsigrdataset))
2095 result = create_validator(val,
2096 val->event->name,
2098 &val->frdataset,
2099 &val->fsigrdataset,
2105 } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
2109 dns_rdataset_disassociate(&val->frdataset);
2110 validator_log(val, ISC_LOG_DEBUG(2),
2121 result = create_fetch(val, val->event->name,
2137 if (dns_rdataset_isassociated(&val->frdataset))
2138 dns_rdataset_disassociate(&val->frdataset);
2139 if (dns_rdataset_isassociated(&val->fsigrdataset))
2140 dns_rdataset_disassociate(&val->fsigrdataset);
2141 validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
2150 INSIST(val->dsset != NULL);
2152 if (val->dsset->trust < dns_trust_secure) {
2153 if (val->mustbesecure) {
2154 validator_log(val, ISC_LOG_WARNING,
2159 if (val->view->dlv == NULL || DLVTRIED(val)) {
2160 markanswer(val, "validatezonekey (2)");
2163 return (startfinddlvsep(val, val->event->name));
2181 for (result = dns_rdataset_first(val->dsset);
2183 result = dns_rdataset_next(val->dsset)) {
2185 dns_rdataset_current(val->dsset, &dsrdata);
2189 if (!dns_resolver_ds_digest_supported(val->view->resolver,
2190 val->event->name,
2194 if (!dns_resolver_algorithm_supported(val->view->resolver,
2195 val->event->name,
2209 for (result = dns_rdataset_first(val->dsset);
2211 result = dns_rdataset_next(val->dsset))
2214 dns_rdataset_current(val->dsset, &dsrdata);
2221 if (!dns_resolver_ds_digest_supported(val->view->resolver,
2222 val->event->name,
2226 if (!dns_resolver_algorithm_supported(val->view->resolver,
2227 val->event->name,
2234 dns_rdataset_clone(val->event->rdataset, &trdataset);
2239 result = keyfromds(val, &trdataset, &dsrdata, ds.digest_type,
2243 validator_log(val, ISC_LOG_DEBUG(3),
2251 result = checkkey(val, &keyrdata, ds.key_tag, ds.algorithm);
2256 validator_log(val, ISC_LOG_DEBUG(3),
2261 validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)");
2264 if (val->mustbesecure) {
2265 validator_log(val, ISC_LOG_WARNING,
2270 validator_log(val, ISC_LOG_DEBUG(3),
2272 markanswer(val, "validatezonekey (3)");
2275 validator_log(val, ISC_LOG_INFO,
2291 start_positive_validation(dns_validator_t *val) {
2295 if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
2296 return (validate(val, ISC_FALSE));
2298 return (validatezonekey(val));
2307 val_rdataset_first(dns_validator_t *val, dns_name_t **namep,
2310 dns_message_t *message = val->event->message;
2331 result = dns_rdataset_first(val->event->rdataset);
2333 dns_ncache_current(val->event->rdataset, *namep,
2340 val_rdataset_next(dns_validator_t *val, dns_name_t **namep,
2343 dns_message_t *message = val->event->message;
2367 result = dns_rdataset_next(val->event->rdataset);
2369 dns_ncache_current(val->event->rdataset, *namep,
2384 checkwildcard(dns_validator_t *val, dns_rdatatype_t type, dns_name_t *zonename)
2394 wild = dns_fixedname_name(&val->wild);
2397 validator_log(val, ISC_LOG_DEBUG(3),
2403 validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
2405 if (val->event->message == NULL) {
2413 for (result = val_rdataset_first(val, &name, &rdataset);
2415 result = val_rdataset_next(val, &name, &rdataset))
2422 (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
2423 !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
2424 dns_nsec_noexistnodata(val->event->type, wild, name,
2426 validator_log, val)
2429 dns_name_t **proofs = val->event->proofs;
2431 val->attributes |= VALATTR_FOUNDNODATA;
2432 if (exists && !data && NEEDNODATA(val))
2436 val->attributes |=
2438 if (!exists && NEEDNOQNAME(val))
2447 (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
2448 !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
2449 dns_nsec3_noexistnodata(val->event->type, wild, name,
2452 validator_log, val)
2455 dns_name_t **proofs = val->event->proofs;
2457 val->attributes |= VALATTR_FOUNDNODATA;
2458 if (exists && !data && NEEDNODATA(val))
2462 val->attributes |=
2464 if (!exists && NEEDNOQNAME(val))
2480 findnsec3proofs(dns_validator_t *val) {
2487 dns_name_t **proofs = val->event->proofs;
2499 if (val->event->message == NULL) {
2507 for (result = val_rdataset_first(val, &name, &rdataset);
2509 result = val_rdataset_next(val, &name, &rdataset))
2515 result = dns_nsec3_noexistnodata(val->event->type,
2516 val->event->name, name,
2520 val);
2535 * If the val->closest is set then we want to use it otherwise
2538 if (dns_name_countlabels(dns_fixedname_name(&val->closest)) != 0) {
2541 dns_name_format(dns_fixedname_name(&val->closest),
2543 validator_log(val, ISC_LOG_DEBUG(3), "closest encloser from "
2545 dns_name_copy(dns_fixedname_name(&val->closest), closest, NULL);
2553 for (result = val_rdataset_first(val, &name, &rdataset);
2555 result = val_rdataset_next(val, &name, &rdataset))
2568 result = dns_nsec3_noexistnodata(val->event->type,
2569 val->event->name,
2574 nearest, validator_log, val);
2576 val->attributes |= VALATTR_FOUNDUNKNOWN;
2581 if (exists && !data && NEEDNODATA(val)) {
2582 val->attributes |= VALATTR_FOUNDNODATA;
2586 val->attributes |= VALATTR_FOUNDNOQNAME;
2589 val->attributes |= VALATTR_FOUNDOPTOUT;
2605 val->attributes |= VALATTR_FOUNDCLOSEST;
2607 dns_fixedname_name(&val->wild),
2611 val->attributes &= ~VALATTR_FOUNDNOQNAME;
2612 val->attributes &= ~VALATTR_FOUNDOPTOUT;
2619 if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
2620 ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) {
2621 result = checkwildcard(val, dns_rdatatype_nsec3, zonename);
2632 validate_authority(dns_validator_t *val, isc_boolean_t resume) {
2634 dns_message_t *message = val->event->message;
2651 rdataset = ISC_LIST_NEXT(val->currentset, link);
2652 val->currentset = NULL;
2683 if (val->event->type == dns_rdatatype_dnskey &&
2685 dns_name_equal(name, val->event->name))
2697 val->currentset = rdataset;
2698 result = create_validator(val, name, rdataset->type,
2704 val->authcount++;
2717 validate_ncache(dns_validator_t *val, isc_boolean_t resume) {
2722 result = dns_rdataset_first(val->event->rdataset);
2724 result = dns_rdataset_next(val->event->rdataset);
2728 result = dns_rdataset_next(val->event->rdataset))
2732 if (dns_rdataset_isassociated(&val->frdataset))
2733 dns_rdataset_disassociate(&val->frdataset);
2734 if (dns_rdataset_isassociated(&val->fsigrdataset))
2735 dns_rdataset_disassociate(&val->fsigrdataset);
2737 dns_fixedname_init(&val->fname);
2738 name = dns_fixedname_name(&val->fname);
2739 rdataset = &val->frdataset;
2740 dns_ncache_current(val->event->rdataset, name, rdataset);
2742 if (val->frdataset.type == dns_rdatatype_rrsig)
2745 result = dns_ncache_getsigrdataset(val->event->rdataset, name,
2747 &val->fsigrdataset);
2749 sigrdataset = &val->fsigrdataset;
2761 if (val->event->type == dns_rdatatype_dnskey &&
2763 dns_name_equal(name, val->event->name))
2775 val->currentset = rdataset;
2776 result = create_validator(val, name, rdataset->type,
2782 val->authcount++;
2803 nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
2807 validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
2809 if (val->event->message == NULL)
2810 result = validate_ncache(val, resume);
2812 result = validate_authority(val, resume);
2821 if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
2822 if (!FOUNDNOQNAME(val))
2823 findnsec3proofs(val);
2824 if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
2825 !FOUNDOPTOUT(val)) {
2826 validator_log(val, ISC_LOG_DEBUG(3),
2828 marksecure(val->event);
2830 } else if (FOUNDOPTOUT(val) &&
2831 dns_name_countlabels(dns_fixedname_name(&val->wild))
2833 validator_log(val, ISC_LOG_DEBUG(3),
2835 val->event->optout = ISC_TRUE;
2836 markanswer(val, "nsecvalidate (1)");
2838 } else if ((val->attributes & VALATTR_FOUNDUNKNOWN) != 0) {
2839 validator_log(val, ISC_LOG_DEBUG(3),
2841 markanswer(val, "nsecvalidate (2)");
2844 validator_log(val, ISC_LOG_DEBUG(3),
2849 if (!FOUNDNOQNAME(val) && !FOUNDNODATA(val))
2850 findnsec3proofs(val);
2855 if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
2856 ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) {
2857 result = checkwildcard(val, dns_rdatatype_nsec, NULL);
2862 if ((NEEDNODATA(val) && (FOUNDNODATA(val) || FOUNDOPTOUT(val))) ||
2863 (NEEDNOQNAME(val) && FOUNDNOQNAME(val) &&
2864 NEEDNOWILDCARD(val) && FOUNDNOWILDCARD(val) &&
2865 FOUNDCLOSEST(val))) {
2866 if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
2867 val->event->optout = ISC_TRUE;
2868 validator_log(val, ISC_LOG_DEBUG(3),
2870 if (val->event->message == NULL)
2871 marksecure(val->event);
2873 val->event->secure = ISC_TRUE;
2877 if (val->authfail != 0 && val->authcount == val->authfail)
2879 validator_log(val, ISC_LOG_DEBUG(3),
2881 val->attributes |= VALATTR_INSECURITY;
2882 return (proveunsecure(val, ISC_FALSE, ISC_FALSE));
2886 check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) {
2898 if (dns_resolver_ds_digest_supported(val->view->resolver,
2900 dns_resolver_algorithm_supported(val->view->resolver,
2913 dns_validator_t *val;
2921 val = devent->ev_arg;
2925 dns_validator_destroy(&val->subvalidator);
2927 INSIST(val->event != NULL);
2929 validator_log(val, ISC_LOG_DEBUG(3), "in dlvvalidated");
2930 LOCK(&val->lock);
2931 if (CANCELED(val)) {
2932 validator_done(val, ISC_R_CANCELED);
2934 validator_log(val, ISC_LOG_DEBUG(3),
2936 dns_trust_totext(val->frdataset.trust));
2937 dns_rdataset_clone(&val->frdataset, &val->dlv);
2938 val->havedlvsep = ISC_TRUE;
2939 if (dlv_algorithm_supported(val))
2940 dlv_validator_start(val);
2942 markanswer(val, "dlvvalidated");
2943 validator_done(val, ISC_R_SUCCESS);
2947 if (dns_rdataset_isassociated(&val->frdataset))
2948 dns_rdataset_expire(&val->frdataset);
2949 if (dns_rdataset_isassociated(&val->fsigrdataset))
2950 dns_rdataset_expire(&val->fsigrdataset);
2952 validator_log(val, ISC_LOG_DEBUG(3),
2955 validator_done(val, DNS_R_BROKENCHAIN);
2957 want_destroy = exit_check(val);
2958 UNLOCK(&val->lock);
2960 destroy(val);
2972 dns_validator_t *val;
2981 val = devent->ev_arg;
2989 if (dns_rdataset_isassociated(&val->fsigrdataset))
2990 dns_rdataset_disassociate(&val->fsigrdataset);
2993 INSIST(val->event != NULL);
2994 validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s",
2997 LOCK(&val->lock);
2998 fetch = val->fetch;
2999 val->fetch = NULL;
3001 dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
3003 dns_rdataset_clone(&val->frdataset, &val->dlv);
3004 val->havedlvsep = ISC_TRUE;
3005 if (dlv_algorithm_supported(val)) {
3006 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
3008 dlv_validator_start(val);
3010 validator_log(val, ISC_LOG_DEBUG(3),
3013 markanswer(val, "dlvfetched (1)");
3014 validator_done(val, ISC_R_SUCCESS);
3020 result = finddlvsep(val, ISC_TRUE);
3022 if (dlv_algorithm_supported(val)) {
3023 dns_name_format(dns_fixedname_name(&val->dlvsep),
3025 validator_log(val, ISC_LOG_DEBUG(3),
3027 dlv_validator_start(val);
3029 validator_log(val, ISC_LOG_DEBUG(3),
3032 markanswer(val, "dlvfetched (2)");
3033 validator_done(val, ISC_R_SUCCESS);
3036 validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
3037 markanswer(val, "dlvfetched (3)");
3038 validator_done(val, ISC_R_SUCCESS);
3040 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
3043 validator_done(val, result);
3046 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
3048 validator_done(val, eresult);
3050 want_destroy = exit_check(val);
3051 UNLOCK(&val->lock);
3055 destroy(val);
3067 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
3071 INSIST(!DLVTRIED(val));
3073 val->attributes |= VALATTR_DLVTRIED;
3076 validator_log(val, ISC_LOG_DEBUG(3),
3080 if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
3081 validator_log(val, ISC_LOG_WARNING, "must be secure failure, "
3086 val->dlvlabels = dns_name_countlabels(unsecure) - 1;
3087 result = finddlvsep(val, ISC_FALSE);
3089 validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
3090 markanswer(val, "startfinddlvsep (1)");
3094 validator_log(val, ISC_LOG_DEBUG(3), "DLV covered by NTA");
3095 validator_done(val, ISC_R_SUCCESS);
3099 validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
3103 dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
3105 if (dlv_algorithm_supported(val)) {
3106 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
3107 dlv_validator_start(val);
3110 validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
3112 markanswer(val, "startfinddlvsep (2)");
3113 validator_done(val, ISC_R_SUCCESS);
3127 finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
3136 INSIST(val->view->dlv != NULL);
3139 if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
3140 dns_name_format(val->event->name, namebuf,
3142 validator_log(val, ISC_LOG_WARNING,
3148 dns_fixedname_init(&val->dlvsep);
3149 dlvsep = dns_fixedname_name(&val->dlvsep);
3150 dns_name_copy(val->event->name, dlvsep, NULL);
3155 if (val->event->type == dns_rdatatype_ds) {
3163 dlvsep = dns_fixedname_name(&val->dlvsep);
3174 result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL);
3179 result = dns_name_concatenate(&noroot, val->view->dlv,
3183 validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed");
3187 if (((val->options & DNS_VALIDATOR_NONTA) == 0) &&
3188 dns_view_ntacovers(val->view, val->start, dlvname, val->view->dlv))
3192 dns_name_countlabels(val->view->dlv) + val->dlvlabels) {
3194 validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s",
3196 result = view_find(val, dlvname, dns_rdatatype_dlv);
3198 if (DNS_TRUST_PENDING(val->frdataset.trust) &&
3199 dns_rdataset_isassociated(&val->fsigrdataset))
3201 dns_fixedname_init(&val->fname);
3203 dns_fixedname_name(&val->fname),
3205 result = create_validator(val,
3206 dns_fixedname_name(&val->fname),
3208 &val->frdataset,
3209 &val->fsigrdataset,
3216 if (val->frdataset.trust < dns_trust_secure) {
3217 validator_log(val, ISC_LOG_DEBUG(3),
3221 val->havedlvsep = ISC_TRUE;
3222 dns_rdataset_clone(&val->frdataset, &val->dlv);
3226 result = create_fetch(val, dlvname, dns_rdatatype_dlv,
3262 * \li ISC_R_SUCCESS val->event->name is in an unsecure zone
3264 * \li DNS_R_MUSTBESECURE val->event->name is supposed to be secure
3272 proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
3286 if (val->havedlvsep)
3287 dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
3290 dns_name_copy(val->event->name, secroot, NULL);
3297 if (val->event->type == dns_rdatatype_ds && labels > 1U)
3300 result = dns_keytable_finddeepestmatch(val->keytable,
3303 if (val->mustbesecure) {
3304 validator_log(val, ISC_LOG_WARNING,
3310 validator_log(val, ISC_LOG_DEBUG(3),
3312 if (val->view->dlv == NULL || DLVTRIED(val)) {
3313 markanswer(val, "proveunsecure (1)");
3316 return (startfinddlvsep(val, dns_rootname));
3325 val->labels = dns_name_countlabels(secroot) + 1;
3327 validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
3334 if (have_ds && val->frdataset.trust >= dns_trust_secure &&
3335 !check_ds(val, dns_fixedname_name(&val->fname),
3336 &val->frdataset)) {
3337 dns_name_format(dns_fixedname_name(&val->fname),
3339 if ((val->view->dlv == NULL || DLVTRIED(val)) &&
3340 val->mustbesecure) {
3341 validator_log(val, ISC_LOG_WARNING,
3348 validator_log(val, ISC_LOG_DEBUG(3),
3351 if (val->view->dlv == NULL || DLVTRIED(val)) {
3352 markanswer(val, "proveunsecure (2)");
3356 return(startfinddlvsep(val,
3357 dns_fixedname_name(&val->fname)));
3359 val->labels++;
3363 val->labels <= dns_name_countlabels(val->event->name);
3364 val->labels++)
3367 dns_fixedname_init(&val->fname);
3368 tname = dns_fixedname_name(&val->fname);
3369 if (val->labels == dns_name_countlabels(val->event->name))
3370 dns_name_copy(val->event->name, tname, NULL);
3372 dns_name_split(val->event->name, val->labels,
3376 validator_log(val, ISC_LOG_DEBUG(3),
3380 result = view_find(val, tname, dns_rdatatype_ds);
3390 if (DNS_TRUST_PENDING(val->frdataset.trust) ||
3391 DNS_TRUST_ANSWER(val->frdataset.trust)) {
3392 result = create_validator(val, tname,
3394 &val->frdataset,
3407 !dns_rdataset_isassociated(&val->frdataset) &&
3408 dns_view_findzonecut2(val->view, tname, found,
3412 if (val->mustbesecure) {
3413 validator_log(val, ISC_LOG_WARNING,
3418 if (val->view->dlv == NULL || DLVTRIED(val)) {
3419 markanswer(val, "proveunsecure (3)");
3422 return (startfinddlvsep(val, tname));
3424 if (val->frdataset.trust < dns_trust_secure) {
3431 validator_log(val, ISC_LOG_WARNING,
3437 if (isdelegation(tname, &val->frdataset, result)) {
3438 if (val->mustbesecure) {
3439 validator_log(val, ISC_LOG_WARNING,
3445 if (val->view->dlv == NULL || DLVTRIED(val)) {
3446 markanswer(val, "proveunsecure (4)");
3449 return (startfinddlvsep(val, tname));
3453 if (DNS_TRUST_PENDING(val->frdataset.trust) ||
3454 DNS_TRUST_ANSWER(val->frdataset.trust)) {
3455 result = create_validator(val, tname,
3457 &val->frdataset,
3471 if (val->frdataset.trust >= dns_trust_secure) {
3472 if (!check_ds(val, tname, &val->frdataset)) {
3473 validator_log(val, ISC_LOG_DEBUG(3),
3476 if (val->mustbesecure) {
3477 validator_log(val,
3486 if (val->view->dlv == NULL ||
3487 DLVTRIED(val)) {
3488 markanswer(val,
3493 return(startfinddlvsep(val, tname));
3497 else if (!dns_rdataset_isassociated(&val->fsigrdataset))
3499 validator_log(val, ISC_LOG_DEBUG(3),
3507 result = create_validator(val, tname, dns_rdatatype_ds,
3508 &val->frdataset,
3509 &val->fsigrdataset,
3521 if (!dns_rdataset_isassociated(&val->frdataset)) {
3528 } else if (DNS_TRUST_PENDING(val->frdataset.trust) ||
3529 DNS_TRUST_ANSWER(val->frdataset.trust)) {
3534 result = create_validator(val, tname,
3536 &val->frdataset,
3542 } else if (val->frdataset.trust < dns_trust_secure) {
3549 validator_log(val, ISC_LOG_WARNING,
3561 result = create_fetch(val, tname, dns_rdatatype_ds,
3571 validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
3575 if (dns_rdataset_isassociated(&val->frdataset))
3576 dns_rdataset_disassociate(&val->frdataset);
3577 if (dns_rdataset_isassociated(&val->fsigrdataset))
3578 dns_rdataset_disassociate(&val->fsigrdataset);
3586 dlv_validator_start(dns_validator_t *val) {
3589 validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start");
3594 val->attributes &= VALATTR_DLVTRIED;
3595 val->options &= ~DNS_VALIDATOR_DLV;
3597 event = (isc_event_t *)val->event;
3598 isc_task_send(val->task, &event);
3615 dns_validator_t *val;
3623 val = vevent->validator;
3625 /* If the validator has been canceled, val->event == NULL */
3626 if (val->event == NULL)
3629 if (DLVTRIED(val))
3630 validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV");
3632 validator_log(val, ISC_LOG_DEBUG(3), "starting");
3634 LOCK(&val->lock);
3636 if ((val->options & DNS_VALIDATOR_DLV) != 0 &&
3637 val->event->rdataset != NULL) {
3638 validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
3639 result = startfinddlvsep(val, dns_rootname);
3640 } else if (val->event->rdataset != NULL &&
3641 val->event->sigrdataset != NULL) {
3648 validator_log(val, ISC_LOG_DEBUG(3),
3651 INSIST(dns_rdataset_isassociated(val->event->rdataset));
3652 INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
3653 result = start_positive_validation(val);
3655 (val->attributes & VALATTR_TRIEDVERIFY) == 0)
3658 validator_log(val, ISC_LOG_DEBUG(3),
3660 val->attributes |= VALATTR_INSECURITY;
3661 result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
3665 } else if (val->event->rdataset != NULL &&
3666 val->event->rdataset->type != 0) {
3671 INSIST(dns_rdataset_isassociated(val->event->rdataset));
3672 validator_log(val, ISC_LOG_DEBUG(3),
3675 val->attributes |= VALATTR_INSECURITY;
3676 result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
3678 validator_log(val, ISC_LOG_INFO,
3681 } else if (val->event->rdataset == NULL &&
3682 val->event->sigrdataset == NULL)
3687 validator_log(val, ISC_LOG_DEBUG(3),
3690 if (val->event->message->rcode == dns_rcode_nxdomain) {
3691 val->attributes |= VALATTR_NEEDNOQNAME;
3692 val->attributes |= VALATTR_NEEDNOWILDCARD;
3694 val->attributes |= VALATTR_NEEDNODATA;
3695 result = nsecvalidate(val, ISC_FALSE);
3696 } else if (val->event->rdataset != NULL &&
3697 NEGATIVE(val->event->rdataset))
3702 validator_log(val, ISC_LOG_DEBUG(3),
3705 if (val->event->rdataset->covers == dns_rdatatype_any) {
3706 val->attributes |= VALATTR_NEEDNOQNAME;
3707 val->attributes |= VALATTR_NEEDNOWILDCARD;
3709 val->attributes |= VALATTR_NEEDNODATA;
3710 result = nsecvalidate(val, ISC_FALSE);
3719 want_destroy = exit_check(val);
3720 validator_done(val, result);
3723 UNLOCK(&val->lock);
3725 destroy(val);
3736 dns_validator_t *val;
3745 val = isc_mem_get(view->mctx, sizeof(*val));
3746 if (val == NULL)
3748 val->view = NULL;
3749 dns_view_weakattach(view, &val->view);
3761 event->validator = val;
3771 result = isc_mutex_init(&val->lock);
3774 val->event = event;
3775 val->options = options;
3776 val->attributes = 0;
3777 val->fetch = NULL;
3778 val->subvalidator = NULL;
3779 val->parent = NULL;
3781 val->keytable = NULL;
3782 result = dns_view_getsecroots(val->view, &val->keytable);
3785 val->keynode = NULL;
3786 val->key = NULL;
3787 val->siginfo = NULL;
3788 val->task = task;
3789 val->action = action;
3790 val->arg = arg;
3791 val->labels = 0;
3792 val->currentset = NULL;
3793 val->keyset = NULL;
3794 val->dsset = NULL;
3795 dns_rdataset_init(&val->dlv);
3796 val->seensig = ISC_FALSE;
3797 val->havedlvsep = ISC_FALSE;
3798 val->depth = 0;
3799 val->authcount = 0;
3800 val->authfail = 0;
3801 val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
3802 dns_rdataset_init(&val->frdataset);
3803 dns_rdataset_init(&val->fsigrdataset);
3804 dns_fixedname_init(&val->wild);
3805 dns_fixedname_init(&val->nearest);
3806 dns_fixedname_init(&val->closest);
3807 isc_stdtime_get(&val->start);
3808 ISC_LINK_INIT(val, link);
3809 val->magic = VALIDATOR_MAGIC;
3814 *validatorp = val;
3819 DESTROYLOCK(&val->lock);
3826 dns_view_weakdetach(&val->view);
3827 isc_mem_put(view->mctx, val, sizeof(*val));
3881 destroy(dns_validator_t *val) {
3884 REQUIRE(SHUTDOWN(val));
3885 REQUIRE(val->event == NULL);
3886 REQUIRE(val->fetch == NULL);
3888 if (val->keynode != NULL)
3889 dns_keytable_detachkeynode(val->keytable, &val->keynode);
3890 else if (val->key != NULL)
3891 dst_key_free(&val->key);
3892 if (val->keytable != NULL)
3893 dns_keytable_detach(&val->keytable);
3894 if (val->subvalidator != NULL)
3895 dns_validator_destroy(&val->subvalidator);
3896 if (val->havedlvsep)
3897 dns_rdataset_disassociate(&val->dlv);
3898 if (dns_rdataset_isassociated(&val->frdataset))
3899 dns_rdataset_disassociate(&val->frdataset);
3900 if (dns_rdataset_isassociated(&val->fsigrdataset))
3901 dns_rdataset_disassociate(&val->fsigrdataset);
3902 mctx = val->view->mctx;
3903 if (val->siginfo != NULL)
3904 isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
3905 DESTROYLOCK(&val->lock);
3906 dns_view_weakdetach(&val->view);
3907 val->magic = 0;
3908 isc_mem_put(mctx, val, sizeof(*val));
3913 dns_validator_t *val;
3917 val = *validatorp;
3918 REQUIRE(VALID_VALIDATOR(val));
3920 LOCK(&val->lock);
3922 val->attributes |= VALATTR_SHUTDOWN;
3923 validator_log(val, ISC_LOG_DEBUG(4), "dns_validator_destroy");
3925 want_destroy = exit_check(val);
3927 UNLOCK(&val->lock);
3930 destroy(val);
3936 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
3941 int depth = val->depth * 2;
3948 if (val->event != NULL && val->event->name != NULL) {
3952 dns_name_format(val->event->name, namebuf, sizeof(namebuf));
3953 dns_rdatatype_format(val->event->type, typebuf,
3961 val, msgbuf);
3966 validator_log(void *val, int level, const char *fmt, ...) {
3974 validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
3980 validator_logcreate(dns_validator_t *val,
3989 validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",