validator.c revision 93d6dfaf66258337985427c86181f01fc51f0bb4
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews * Copyright (C) 2000-2002 Internet Software Consortium.
bf43fdafa3bff9e84cb03f1a19aca74514d2516eBob Halley * Permission to use, copy, modify, and distribute this software for any
bf43fdafa3bff9e84cb03f1a19aca74514d2516eBob Halley * purpose with or without fee is hereby granted, provided that the above
bf43fdafa3bff9e84cb03f1a19aca74514d2516eBob Halley * copyright notice and this permission notice appear in all copies.
15a44745412679c30a6d022733925af70a38b715David Lawrence * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
15a44745412679c30a6d022733925af70a38b715David Lawrence * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
15a44745412679c30a6d022733925af70a38b715David Lawrence * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
15a44745412679c30a6d022733925af70a38b715David Lawrence * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
15a44745412679c30a6d022733925af70a38b715David Lawrence * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
15a44745412679c30a6d022733925af70a38b715David Lawrence * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
15a44745412679c30a6d022733925af70a38b715David Lawrence * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
15a44745412679c30a6d022733925af70a38b715David Lawrence * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews/* $Id: validator.c,v 1.113 2003/09/30 05:56:14 marka Exp $ */
92ef1a9b9dbd48ecb507b42ac62c15afefdaf838David Lawrence#define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?')
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews#define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley#define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrewsget_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
ed019cabc1cc75d4412010c331876e4ae5080a4dDavid Lawrencevalidate(dns_validator_t *val, isc_boolean_t resume);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrewsvalidatezonekey(dns_validator_t *val, isc_boolean_t resume);
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrewsnsecvalidate(dns_validator_t *val, isc_boolean_t resume);
ed019cabc1cc75d4412010c331876e4ae5080a4dDavid Lawrenceproveunsecure(dns_validator_t *val, isc_boolean_t resume);
23e4260821eefa5019808e18e14e2b366461aad7Brian Wellingtonvalidator_logv(dns_validator_t *val, isc_logcategory_t *category,
23e4260821eefa5019808e18e14e2b366461aad7Brian Wellington isc_logmodule_t *module, int level, const char *fmt, va_list ap)
76c8294c81fb48b1da6e1fc5b83322a4cedb8e58Andreas Gustafssonvalidator_log(dns_validator_t *val, int level, const char *fmt, ...)
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halleyvalidator_done(dns_validator_t *val, isc_result_t result) {
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * Caller must be holding the lock.
e44487bfc23599b6b240e09d83d1c862fecfcc82Michael Graff val->event->ev_type = DNS_EVENT_VALIDATORDONE;
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * Caller must be holding the lock.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews if (val->fetch != NULL || val->subvalidator != NULL)
98d010a24a9f1b4b45ce9791845941ef90426d0cBrian Wellington for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
98d010a24a9f1b4b45ce9791845941ef90426d0cBrian Wellington result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
98d010a24a9f1b4b45ce9791845941ef90426d0cBrian Wellington dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrewsisdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews result = dns_ncache_getrdataset(rdataset, name,
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
b5debbe212097d1c573a2ba3bd9a3d526d86b0aeBrian Wellingtonfetch_callback_validator(isc_task_t *task, isc_event_t *event) {
e44487bfc23599b6b240e09d83d1c862fecfcc82Michael Graff INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5cAndreas Gustafsson validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington * Only extract the dst key if the keyset is secure.
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington result = get_dst_key(val, val->siginfo, rdataset);
1b1e1fda4638334b484aa38c15f53a131c0b0fdfAndreas Gustafsson "fetch_callback_validator: got %s",
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrewsdsfetched(isc_task_t *task, isc_event_t *event) {
48ed268b3378a8b729a0037bc4ae2ed73647a96aBrian Wellington INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "falling back to insecurity proof");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "dsfetched: got %s",
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * XXX there's too much duplicated code here.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrewsdsfetched2(isc_task_t *task, isc_event_t *event) {
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) {
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews * There is no DS. If this is a delegation, we're done.
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews tname = dns_fixedname_name(&devent->foundname);
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews if (isdelegation(tname, &val->frdataset, eresult)) {
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews val->event->rdataset->trust = dns_trust_answer;
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * Either there is a DS or this is not a zone cut. Continue.
3676eeb6ca95c66aae1256f37af8c990d9f25eb4Brian Wellingtonkeyvalidated(isc_task_t *task, isc_event_t *event) {
e44487bfc23599b6b240e09d83d1c862fecfcc82Michael Graff INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5cAndreas Gustafsson validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
76c8294c81fb48b1da6e1fc5b83322a4cedb8e58Andreas Gustafsson "keyset with trust %d", val->frdataset.trust);
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington * Only extract the dst key if the keyset is secure.
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington if (val->frdataset.trust >= dns_trust_secure)
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington (void) get_dst_key(val, val->siginfo, &val->frdataset);
1b1e1fda4638334b484aa38c15f53a131c0b0fdfAndreas Gustafsson "keyvalidated: got %s",
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrewsdsvalidated(isc_task_t *task, isc_event_t *event) {
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews if ((val->attributes & VALATTR_INSECURITY) != 0)
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "dsvalidated: got %s",
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrewsnsecprovesnonexistence(dns_validator_t *val, dns_name_t *nsecname,
c99d9017ba00099bfa89e1ed53e63a5cb07d28d5Mark Andrews INSIST(DNS_MESSAGE_VALID(val->event->message));
c99d9017ba00099bfa89e1ed53e63a5cb07d28d5Mark Andrews if (val->event->message->rcode == dns_rcode_nxdomain)
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews "failure processing NSEC set");
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant nsec");
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews relation = dns_name_fullcompare(val->event->name, nsecname,
c99d9017ba00099bfa89e1ed53e63a5cb07d28d5Mark Andrews * The names are the same. Look for the type present bit.
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews "NSEC record seen at nonexistent name");
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5cAndreas Gustafsson validator_log(val, ISC_LOG_DEBUG(3), "invalid type %d",
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews if (dns_nsec_typepresent(&rdata, val->event->type)) {
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington "type should not be present");
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews validator_log(val, ISC_LOG_DEBUG(3), "nsec bitmask ok");
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington } else if (order > 0) {
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews * The NSEC owner name is less than the nonexistent name.
421e4cf66e4cba0b0751a34a9c027e39fe0474f9Mark Andrews * Is this a empty node?
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews result = dns_rdata_tostruct(&rdata, &nsec, NULL);
8b5de9701428e2b5eb50aba96af23dc1186124ddMark Andrews if (order > 0 && relation == dns_namereln_subdomain) {
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews "nsec proves empty node, ok");
8b5de9701428e2b5eb50aba96af23dc1186124ddMark Andrews * Look for empty wildcard matches.
8b5de9701428e2b5eb50aba96af23dc1186124ddMark Andrews if (nlabels >= olabels && nlabels + 1 < labels) {
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews "nsec proves empty wildcard, ok");
8b5de9701428e2b5eb50aba96af23dc1186124ddMark Andrews * We are not a empty name.
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews "missing NSEC record at name");
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews if (dns_name_issubdomain(val->event->name, nsecname) &&
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews * This NSEC record is from somewhere higher in
638fe804a524ee0c028863c0301b999c79de7651Mark Andrews * the DNS, and at the parent of a delegation.
638fe804a524ee0c028863c0301b999c79de7651Mark Andrews * It can not be legitimately used here.
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews "ignoring parent nsec");
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews result = dns_rdata_tostruct(&rdata, &nsec, NULL);
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews relation = dns_name_fullcompare(&nsec.next, val->event->name,
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews * The NSEC next name is less than the nonexistent
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington * name. This is only ok if the next name is the zone
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews if (!dns_name_equal(val->soaname, &nsec.next)) {
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington "next name is not greater");
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews "nsec points to zone apex, ok");
421e4cf66e4cba0b0751a34a9c027e39fe0474f9Mark Andrews } else if (relation == dns_namereln_subdomain) {
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews "nsec proves empty node, bad");
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews validator_log(val, ISC_LOG_DEBUG(3), "nsec range ok");
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews "nsec owner name is not less");
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews * The NSEC owner name is greater than the supposedly
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews * nonexistent name. This NSEC is irrelevant.
94766449d6125cd5870891b70d46573e5deaceb4Brian Wellingtonauthvalidated(isc_task_t *task, isc_event_t *event) {
94766449d6125cd5870891b70d46573e5deaceb4Brian Wellington INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5cAndreas Gustafsson validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
94766449d6125cd5870891b70d46573e5deaceb4Brian Wellington "authvalidated: got %s",
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews if (val->soaname != NULL && val->nsecset != NULL &&
86f6b92e35c7bdb5fc1fd1021af75b981863313eMark Andrews (val->attributes & VALATTR_FOUNDNONEXISTENCE) == 0 &&
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews nsecprovesnonexistence(val, devent->name, rdataset))
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington val->attributes |= VALATTR_FOUNDNONEXISTENCE;
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington * Free stuff from the event.
5c6117688525d0e8d247f50c63364f66bd8d4185Brian Wellingtonnegauthvalidated(isc_task_t *task, isc_event_t *event) {
5c6117688525d0e8d247f50c63364f66bd8d4185Brian Wellington INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5cAndreas Gustafsson validator_log(val, ISC_LOG_DEBUG(3), "in negauthvalidated");
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington val->attributes |= VALATTR_FOUNDNONEXISTENCE;
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington "nonexistence proof found");
5c6117688525d0e8d247f50c63364f66bd8d4185Brian Wellington "negauthvalidated: got %s",
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrewsview_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington if (dns_rdataset_isassociated(&val->frdataset))
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington dns_rdataset_disassociate(&val->frdataset);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews if (dns_rdataset_isassociated(&val->fsigrdataset))
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews return (dns_view_simplefind(val->view, name, type, 0,
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrewscheck_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews for (parent = val->parent; parent != NULL; parent = parent->parent) {
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "continuing validation would lead to "
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "deadlock: aborting validation");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrewscreate_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington if (dns_rdataset_isassociated(&val->frdataset))
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington dns_rdataset_disassociate(&val->frdataset);
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington if (dns_rdataset_isassociated(&val->fsigrdataset))
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington dns_rdataset_disassociate(&val->fsigrdataset);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews validator_logcreate(val, name, type, caller, "fetch");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews return (dns_resolver_createfetch(val->view->resolver, name, type,
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrewscreate_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews validator_logcreate(val, name, type, caller, "validator");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews result = dns_validator_create(val->view, name, type,
93c786e0924aeca2c258e32355349e6ae60a0f72Andreas Gustafsson * Try to find a key that could have signed 'siginfo' among those
93c786e0924aeca2c258e32355349e6ae60a0f72Andreas Gustafsson * in 'rdataset'. If found, build a dst_key_t for it and point
93c786e0924aeca2c258e32355349e6ae60a0f72Andreas Gustafsson * val->key at it.
d6643ef587324e40d8bda63e9f80be8141e101edBrian Wellington * If val->key is non-NULL, this returns the next matching key.
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrewsget_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence isc_buffer_init(&b, rdata.data, rdata.length);
5c29047792191d6141f69b2684314d0b762fedebBrian Wellington result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
d6643ef587324e40d8bda63e9f80be8141e101edBrian Wellington * This is the key we're looking for.
d6643ef587324e40d8bda63e9f80be8141e101edBrian Wellington else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrewsget_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
23e4260821eefa5019808e18e14e2b366461aad7Brian Wellington * Is the signer name appropriate for this signature?
23e4260821eefa5019808e18e14e2b366461aad7Brian Wellington * The signer name must be at the same level as the owner name
23e4260821eefa5019808e18e14e2b366461aad7Brian Wellington * or closer to the the DNS root.
23e4260821eefa5019808e18e14e2b366461aad7Brian Wellington namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * If this is a self-signed keyset, it must not be a zone key
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * (since get_key is not called from validatezonekey).
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews if (val->event->rdataset->type == dns_rdatatype_dnskey)
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * Records appearing in the parent zone at delegation
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * points cannot be self-signed.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews if (dns_rdatatype_atparent(val->event->rdataset->type))
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * Do we know about this key?
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * We have an rrset for the given keyname.
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington if (val->frdataset.trust == dns_trust_pending &&
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington dns_rdataset_isassociated(&val->fsigrdataset))
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * We know the key but haven't validated it yet.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews result = create_validator(val, &siginfo->signer,
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington } else if (val->frdataset.trust == dns_trust_pending) {
d6643ef587324e40d8bda63e9f80be8141e101edBrian Wellington * Having a pending key with no signature means that
d6643ef587324e40d8bda63e9f80be8141e101edBrian Wellington * something is broken.
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington } else if (val->frdataset.trust < dns_trust_secure) {
d6643ef587324e40d8bda63e9f80be8141e101edBrian Wellington * The key is legitimately insecure. There's no
d6643ef587324e40d8bda63e9f80be8141e101edBrian Wellington * point in even attempting verification.
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * See if we've got the key used in the signature.
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington "keyset with trust %d",
77c67dfb2607618f5e7940486daebafd42a502abBrian Wellington result = get_dst_key(val, siginfo, val->keyset);
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * Either the key we're looking for is not
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * in the rrset, or something bad happened.
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * We don't know anything about this key.
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews result = create_fetch(val, &siginfo->signer, dns_rdatatype_dnskey,
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * This key doesn't exist.
77c67dfb2607618f5e7940486daebafd42a502abBrian Wellington if (dns_rdataset_isassociated(&val->frdataset) &&
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington dns_rdataset_disassociate(&val->frdataset);
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington if (dns_rdataset_isassociated(&val->fsigrdataset))
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington dns_rdataset_disassociate(&val->fsigrdataset);
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrewscompute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews return (dst_region_computeid(&r, key->algorithm));
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * Is this keyset self-signed?
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews INSIST(rdataset->type == dns_rdatatype_dnskey);
25496cebadd170fd5fae2aabf0469eef551259aaBrian Wellington for (result = dns_rdataset_first(rdataset);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrewsverify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata) {
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews result = dns_dnssec_verify(val->event->name, val->event->rdataset,
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "verify rdataset: %s",
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * Attempts positive response validation of a normal RRset.
3ce4b8b03ebd017c1d1b320429219ba91e705ea4Andreas Gustafsson * ISC_R_SUCCESS Validation completed successfully
3ce4b8b03ebd017c1d1b320429219ba91e705ea4Andreas Gustafsson * DNS_R_WAIT Validation has started but is waiting
3ce4b8b03ebd017c1d1b320429219ba91e705ea4Andreas Gustafsson * for an event.
3ce4b8b03ebd017c1d1b320429219ba91e705ea4Andreas Gustafsson * Other return codes are possible and all indicate failure.
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halleyvalidate(dns_validator_t *val, isc_boolean_t resume) {
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * Caller must be holding the validator lock.
78951552dccf0d0004d61072bbc71fa4b1aab30fAndreas Gustafsson * We already have a sigrdataset.
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5cAndreas Gustafsson validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
93c786e0924aeca2c258e32355349e6ae60a0f72Andreas Gustafsson result = dns_rdataset_next(event->sigrdataset))
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley dns_rdataset_current(event->sigrdataset, &rdata);
23e4260821eefa5019808e18e14e2b366461aad7Brian Wellington val->siginfo = isc_mem_get(val->view->mctx,
1f1d36a87b65186d9f89aac7f456ab1fd2a39ef6Andreas Gustafsson result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * At this point we could check that the signature algorithm
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * was known and "sufficiently good". For now, any algorithm
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * is acceptable.
93c786e0924aeca2c258e32355349e6ae60a0f72Andreas Gustafsson continue; /* Try the next SIG RR. */
23e4260821eefa5019808e18e14e2b366461aad7Brian Wellington * The key is insecure, so mark the data as insecure also.
d6643ef587324e40d8bda63e9f80be8141e101edBrian Wellington event->sigrdataset->trust = dns_trust_answer;
d6643ef587324e40d8bda63e9f80be8141e101edBrian Wellington "marking as answer");
feb40fc5f911d0b2050fb9fd34950a52930b981dBrian Wellington if (get_dst_key(val, val->siginfo, val->keyset)
d6643ef587324e40d8bda63e9f80be8141e101edBrian Wellington "failed to verify rdataset");
538fea1c91c68c0a5569c7b8552c8fd0490055efBrian Wellington event->sigrdataset->trust = dns_trust_secure;
5c6117688525d0e8d247f50c63364f66bd8d4185Brian Wellington "marking as secure");
777ac454c0cdec27dc11d80b9b2a8d7239d833a8Brian Wellington "verify failure: %s",
c70908209ee26c51a8e7242a56fdb73847249728Brian Wellington "failed to iterate signatures: %s",
e1f16346db02486f751c6db683fffe53c866c186Andreas Gustafsson validator_log(val, ISC_LOG_INFO, "no valid signature found");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * Attempts positive response validation of an RRset containing zone keys.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * ISC_R_SUCCESS Validation completed successfully
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * DNS_R_WAIT Validation has started but is waiting
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * for an event.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * Other return codes are possible and all indicate failure.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrewsvalidatezonekey(dns_validator_t *val, isc_boolean_t resume) {
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * Caller must be holding the validator lock.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * First, see if this key was signed by a trusted key.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews for (result = dns_rdataset_first(val->event->sigrdataset);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews result = dns_rdataset_next(val->event->sigrdataset))
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews dns_keynode_t *keynode = NULL, *nextnode = NULL;
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews result = dns_keytable_findkeynode(val->keytable,
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "signed by trusted key; "
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "marking as secure");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * If this is the root name and there was no trusted key,
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * give up, since there's no DS at the root.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews if (dns_name_equal(event->name, dns_rootname)) {
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews if ((val->attributes & VALATTR_TRIEDVERIFY) != 0)
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * Otherwise, try to find the DS record.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews result = view_find(val, val->event->name, dns_rdatatype_ds);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * We have DS records.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews if (val->frdataset.trust == dns_trust_pending &&
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "validatezonekey");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews } else if (val->frdataset.trust == dns_trust_pending) {
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * There should never be an unsigned DS.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "unsigned DS record");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * We don't have the DS. Find it.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "validatezonekey");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * The DS does not exist.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews if (dns_rdataset_isassociated(&val->frdataset))
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews if (dns_rdataset_isassociated(&val->fsigrdataset))
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * We have a DS set.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews val->event->rdataset->trust = dns_trust_answer;
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews val->event->sigrdataset->trust = dns_trust_answer;
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * Look through the DS record and find the keys that can sign the
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * key set and the matching signature. For each such key, attempt
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * verification.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews dns_rdataset_clone(val->event->rdataset, &trdataset);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews (void)dns_rdata_tostruct(&keyrdata, &key, NULL);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0)
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "no KEY matching DS");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews for (result = dns_rdataset_first(val->event->sigrdataset);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews result = dns_rdataset_next(val->event->sigrdataset))
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "no SIG matching DS key");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews result = dns_dnssec_keyfromrdata(val->event->name,
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * This really shouldn't happen, but...
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * Starts a positive response validation.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * ISC_R_SUCCESS Validation completed successfully
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * DNS_R_WAIT Validation has started but is waiting
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * for an event.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * Other return codes are possible and all indicate failure.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrewsstart_positive_validation(dns_validator_t *val) {
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * If this is not a key, go straight into validate().
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrewsnsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
e83cae7fa837e4757c687035d6f6c0900f152749Brian Wellington dns_message_t *message = val->event->message;
e83cae7fa837e4757c687035d6f6c0900f152749Brian Wellington result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
e83cae7fa837e4757c687035d6f6c0900f152749Brian Wellington result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
94766449d6125cd5870891b70d46573e5deaceb4Brian Wellington dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
e83cae7fa837e4757c687035d6f6c0900f152749Brian Wellington dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
94766449d6125cd5870891b70d46573e5deaceb4Brian Wellington rdataset = ISC_LIST_NEXT(val->currentset, link);
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews } else if (rdataset->type == dns_rdatatype_nsec)
94766449d6125cd5870891b70d46573e5deaceb4Brian Wellington for (sigrdataset = ISC_LIST_HEAD(name->list);
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews if (sigrdataset->type == dns_rdatatype_rrsig &&
d6be55c63f83194d97a565d0fd7b632b31b52a68Brian Wellington * If a signed zone is missing the zone key, bad
d6be55c63f83194d97a565d0fd7b632b31b52a68Brian Wellington * things could happen. A query for data in the zone
d6be55c63f83194d97a565d0fd7b632b31b52a68Brian Wellington * would lead to a query for the zone key, which
d6be55c63f83194d97a565d0fd7b632b31b52a68Brian Wellington * would return a negative answer, which would contain
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews * an SOA and an NSEC signed by the missing key, which
d6be55c63f83194d97a565d0fd7b632b31b52a68Brian Wellington * would trigger another query for the KEY (since the
d6be55c63f83194d97a565d0fd7b632b31b52a68Brian Wellington * first one is still in progress), and go into an
d6be55c63f83194d97a565d0fd7b632b31b52a68Brian Wellington * infinite loop. Avoid that.
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews if (val->event->type == dns_rdatatype_dnskey &&
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews result = create_validator(val, name, rdataset->type,
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews "nsecvalidate");
5c6117688525d0e8d247f50c63364f66bd8d4185Brian Wellington if ((val->attributes & VALATTR_FOUNDNONEXISTENCE) == 0) {
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews result = create_validator(val, name, dns_rdatatype_soa,
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews "nsecvalidate");
5c6117688525d0e8d247f50c63364f66bd8d4185Brian Wellington "nonexistence proof not found");
5c6117688525d0e8d247f50c63364f66bd8d4185Brian Wellington "nonexistence proof found");
613efcd8fbd0d1ce0d0afd1ac85d95cf85bffc27Brian Wellingtonproveunsecure(dns_validator_t *val, isc_boolean_t resume) {
23e4260821eefa5019808e18e14e2b366461aad7Brian Wellington result = dns_keytable_finddeepestmatch(val->keytable,
e27021ee1f37185ab839a7a3b6bc078c24255e62Brian Wellington * If the name is not under a security root, it must be insecure.
613efcd8fbd0d1ce0d0afd1ac85d95cf85bffc27Brian Wellington val->labels = dns_name_depth(dns_fixedname_name(&secroot)) + 1;
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5cAndreas Gustafsson validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
613efcd8fbd0d1ce0d0afd1ac85d95cf85bffc27Brian Wellington val->labels <= dns_name_depth(val->event->name);
5c6117688525d0e8d247f50c63364f66bd8d4185Brian Wellington if (val->labels == dns_name_depth(val->event->name)) {
613efcd8fbd0d1ce0d0afd1ac85d95cf85bffc27Brian Wellington result = dns_name_splitatdepth(val->event->name,
6036112f4874637240d461c3ccbcb8dbfb1f405bAndreas Gustafsson dns_name_format(tname, namebuf, sizeof(namebuf));
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "checking existence of DS at '%s'",
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews result = view_find(val, tname, dns_rdatatype_ds);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews * There is no DS. If this is a delegation,
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews * we're done.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * This shouldn't happen, since the negative
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * response should have been validated. Since
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * there's no way of validating existing
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * negative response blobs, give up.
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews if (isdelegation(tname, &val->frdataset, result)) {
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews val->event->rdataset->trust = dns_trust_answer;
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews * There is a DS here. Verify that it's secure and
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews else if (!dns_rdataset_isassociated(&val->fsigrdataset))
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews result = create_validator(val, tname, dns_rdatatype_ds,
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews "proveunsecure");
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews * This is not a zone cut. Assuming things are
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * as expected, continue.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews if (!dns_rdataset_isassociated(&val->frdataset)) {
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews * There should be an NSEC here, since we
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * are still in a secure zone.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews } else if (val->frdataset.trust < dns_trust_secure) {
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * This shouldn't happen, since the negative
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * response should have been validated. Since
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * there's no way of validating existing
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * negative response blobs, give up.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews * We don't know anything about the DS. Find it.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews result = create_fetch(val, tname, dns_rdatatype_ds,
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5cAndreas Gustafsson validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington if (dns_rdataset_isassociated(&val->frdataset))
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington dns_rdataset_disassociate(&val->frdataset);
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington if (dns_rdataset_isassociated(&val->fsigrdataset))
ca9af3aaf798f98624fc1dc69d8c7d51bf01334dBrian Wellington dns_rdataset_disassociate(&val->fsigrdataset);
b5debbe212097d1c573a2ba3bd9a3d526d86b0aeBrian Wellingtonvalidator_start(isc_task_t *task, isc_event_t *event) {
e44487bfc23599b6b240e09d83d1c862fecfcc82Michael Graff REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
9cd6710f91bdffef5aed68ab02533e398f6134d7Brian Wellington /* If the validator has been cancelled, val->event == NULL */
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5cAndreas Gustafsson validator_log(val, ISC_LOG_DEBUG(3), "starting");
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) {
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * This looks like a simple validation. We say "looks like"
23e4260821eefa5019808e18e14e2b366461aad7Brian Wellington * because it might end up requiring an insecurity proof.
94766449d6125cd5870891b70d46573e5deaceb4Brian Wellington "attempting positive response validation");
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews INSIST(dns_rdataset_isassociated(val->event->rdataset));
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
6bc1a645619a14707da68b130dafe41721fd2f25Brian Wellington (val->attributes & VALATTR_TRIEDVERIFY) == 0)
6bc1a645619a14707da68b130dafe41721fd2f25Brian Wellington "falling back to insecurity proof");
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5cAndreas Gustafsson * This is either an unsecure subdomain or a response from
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5cAndreas Gustafsson * a broken server.
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews INSIST(dns_rdataset_isassociated(val->event->rdataset));
94766449d6125cd5870891b70d46573e5deaceb4Brian Wellington "attempting insecurity proof");
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley * This is a nonexistence validation.
94766449d6125cd5870891b70d46573e5deaceb4Brian Wellington "attempting negative response validation");
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence * This shouldn't happen.
ec371edc34e2adb9e337b774d1a6e613f5863655Brian Wellingtondns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
bf43fdafa3bff9e84cb03f1a19aca74514d2516eBob Halley dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
bf43fdafa3bff9e84cb03f1a19aca74514d2516eBob Halley isc_task_t *task, isc_taskaction_t action, void *arg,
ec371edc34e2adb9e337b774d1a6e613f5863655Brian Wellington (rdataset == NULL && sigrdataset == NULL && message != NULL));
bf43fdafa3bff9e84cb03f1a19aca74514d2516eBob Halley REQUIRE(validatorp != NULL && *validatorp == NULL);
f3ca27e9fe307b55e35ea8d7b37351650630e5a3Andreas Gustafsson val = isc_mem_get(view->mctx, sizeof(*val));
23e4260821eefa5019808e18e14e2b366461aad7Brian Wellington dns_keytable_attach(val->view->secroots, &val->keytable);
b5debbe212097d1c573a2ba3bd9a3d526d86b0aeBrian Wellington isc_task_send(task, (isc_event_t **)&event);
f3ca27e9fe307b55e35ea8d7b37351650630e5a3Andreas Gustafsson isc_mem_put(view->mctx, val, sizeof(*val));
bf43fdafa3bff9e84cb03f1a19aca74514d2516eBob Halleydns_validator_cancel(dns_validator_t *validator) {
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5cAndreas Gustafsson validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
264fd373f3f6cc7f271bdff14a020385620015f1Andreas Gustafsson dns_resolver_cancelfetch(validator->fetch);
0ec4b862c9abd11c82c88ed62438f0cf06fed25dBob Halley dns_keytable_detachkeynode(val->keytable, &val->keynode);
f3ca27e9fe307b55e35ea8d7b37351650630e5a3Andreas Gustafsson isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
bf43fdafa3bff9e84cb03f1a19aca74514d2516eBob Halleydns_validator_destroy(dns_validator_t **validatorp) {
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5cAndreas Gustafsson validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
1b1e1fda4638334b484aa38c15f53a131c0b0fdfAndreas Gustafssonvalidator_logv(dns_validator_t *val, isc_logcategory_t *category,
9cd6710f91bdffef5aed68ab02533e398f6134d7Brian Wellington isc_logmodule_t *module, int level, const char *fmt, va_list ap)
1b1e1fda4638334b484aa38c15f53a131c0b0fdfAndreas Gustafsson vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
94766449d6125cd5870891b70d46573e5deaceb4Brian Wellington if (val->event != NULL && val->event->name != NULL) {
1b1e1fda4638334b484aa38c15f53a131c0b0fdfAndreas Gustafsson dns_name_format(val->event->name, namebuf, sizeof(namebuf));
18b7133679efa8f60fd4e396c628576f3f416b3eBrian Wellington dns_rdatatype_format(val->event->type, typebuf,
1b1e1fda4638334b484aa38c15f53a131c0b0fdfAndreas Gustafsson isc_log_write(dns_lctx, category, module, level,
1b1e1fda4638334b484aa38c15f53a131c0b0fdfAndreas Gustafsson isc_log_write(dns_lctx, category, module, level,
18b7133679efa8f60fd4e396c628576f3f416b3eBrian Wellingtonvalidator_log(dns_validator_t *val, int level, const char *fmt, ...) {
1b1e1fda4638334b484aa38c15f53a131c0b0fdfAndreas Gustafsson validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
1b1e1fda4638334b484aa38c15f53a131c0b0fdfAndreas Gustafsson DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews dns_name_format(name, namestr, sizeof(namestr));
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews dns_rdatatype_format(type, typestr, sizeof(typestr));
0b09763c354ec91fb352b6b4cea383bd0195b2d8Mark Andrews validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",