validator.c revision ea8278253210df030a24f0c89342b43fe279a127
/*
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.c,v 1.203 2011/05/26 04:35:02 marka Exp $ */
#include <config.h>
#include <dns/keytable.h>
#include <dns/keyvalues.h>
#include <dns/rdataset.h>
#include <dns/rdatatype.h>
#include <dns/resolver.h>
#include <dns/validator.h>
/*! \file
* \brief
* Basic processing sequences.
*
* \li When called with rdataset and sigrdataset:
* validator_start -> validate -> proveunsecure -> startfinddlvsep ->
* dlv_validator_start -> validator_start -> validate -> proveunsecure
*
* validator_start -> validate -> nsecvalidate (secure wildcard answer)
*
* \li When called with rdataset, sigrdataset and with DNS_VALIDATOR_DLV:
* validator_start -> startfinddlvsep -> dlv_validator_start ->
* validator_start -> validate -> proveunsecure
*
* \li When called with rdataset:
* validator_start -> proveunsecure -> startfinddlvsep ->
* dlv_validator_start -> validator_start -> proveunsecure
*
* \li When called with rdataset and with DNS_VALIDATOR_DLV:
* validator_start -> startfinddlvsep -> dlv_validator_start ->
* validator_start -> proveunsecure
*
* \li When called without a rdataset:
* validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
* dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
*
* Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate()
* to always validate the authority section even when it does not contain
* signatures.
*
* validator_start: determines what type of validation to do.
* validate: attempts to perform a positive validation.
* proveunsecure: attempts to prove the answer comes from a unsecure zone.
* nsecvalidate: attempts to prove a negative response.
* startfinddlvsep: starts the DLV record lookup.
* dlv_validator_start: resets state and restarts the lookup using the
* DLV RRset found by startfinddlvsep.
*/
* have attempted a verify. */
/*!
* NSEC proofs to be looked for.
*/
#define VALATTR_NEEDNOQNAME 0x00000100
#define VALATTR_NEEDNOWILDCARD 0x00000200
#define VALATTR_NEEDNODATA 0x00000400
/*!
* NSEC proofs that have been found.
*/
#define VALATTR_FOUNDNOQNAME 0x00001000
#define VALATTR_FOUNDNOWILDCARD 0x00002000
#define VALATTR_FOUNDNODATA 0x00004000
#define VALATTR_FOUNDCLOSEST 0x00008000
/*
*
*/
#define VALATTR_FOUNDOPTOUT 0x00010000
#define VALATTR_FOUNDUNKNOWN 0x00020000
static void
static isc_result_t
static isc_result_t
static isc_result_t
static isc_result_t
static isc_result_t
static void
ISC_FORMAT_PRINTF(5, 0);
static void
static void
static isc_result_t
static void
static isc_result_t
static isc_result_t
/*%
* Mark the RRsets as a answer.
*/
static inline void
}
static inline void
}
static void
return;
/*
* Caller must be holding the lock.
*/
}
static inline isc_boolean_t
/*
* Caller must be holding the lock.
*/
return (ISC_FALSE);
return (ISC_FALSE);
return (ISC_TRUE);
}
/*
* Check that we have atleast one supported algorithm in the DLV RRset.
*/
static inline isc_boolean_t
result == ISC_R_SUCCESS;
continue;
#ifdef HAVE_OPENSSL_GOST
continue;
#else
continue;
#endif
return (ISC_TRUE);
}
return (ISC_FALSE);
}
/*%
* Look in the NSEC record returned from a DS query to see if there is
* a NS RRset at this name. If it is found we are at a delegation point.
*/
static isc_boolean_t
{
int order;
int scope;
unsigned char hash[NSEC3_MAX_HASH_LENGTH];
unsigned char owner[NSEC3_MAX_HASH_LENGTH];
unsigned int length;
if (dbresult == DNS_R_NXRRSET)
else {
if (result == ISC_R_NOTFOUND)
goto trynsec3;
if (result != ISC_R_SUCCESS)
return (ISC_FALSE);
}
if (result == ISC_R_SUCCESS) {
}
return (found);
/*
* Iterate over the ncache entry.
*/
result == ISC_R_SUCCESS;
{
continue;
}
if (result != ISC_R_SUCCESS) {
continue;
}
result == ISC_R_SUCCESS;
{
continue;
continue;
if (order == 0) {
return (found);
}
continue;
/*
* Does this optout span cover the name?
*/
{
return (ISC_TRUE);
}
}
}
return (found);
}
/*%
* We have been asked to look for a key.
* If found resume the validation process.
* If not found fail the validation process.
*/
static void
/* Free resources which are not of interest. */
} else if (eresult == ISC_R_SUCCESS) {
"keyset with trust %s",
/*
* Only extract the dst key if the keyset is secure.
*/
if (result == ISC_R_SUCCESS)
}
if (result == DNS_R_NOVALIDSIG &&
{
"falling back to insecurity proof");
if (result == DNS_R_NOTINSECURE)
}
if (result != DNS_R_WAIT)
} else {
"fetch_callback_validator: got %s",
if (eresult == ISC_R_CANCELED)
else
}
if (want_destroy)
}
/*%
* We were asked to look for a DS record as part of following a key chain
* upwards. If found resume the validation process. If not found fail the
* validation process.
*/
static void
/* Free resources which are not of interest. */
} else if (eresult == ISC_R_SUCCESS) {
"dsset with trust %s",
if (result != DNS_R_WAIT)
} else if (eresult == DNS_R_CNAME ||
eresult == DNS_R_NXRRSET ||
eresult == DNS_R_NCACHENXRRSET ||
{
"falling back to insecurity proof (%s)",
if (result != DNS_R_WAIT)
} else {
"dsfetched: got %s",
if (eresult == ISC_R_CANCELED)
else
}
if (want_destroy)
}
/*%
* We were asked to look for the DS record as part of proving that a
* name is unsecure.
*
* If the DS record doesn't exist and the query name corresponds to
* a delegation point we are transitioning from a secure zone to a
* unsecure zone.
*
* If the DS record exists it will be secure. We can continue looking
* for the break point in the chain of trust.
*/
static void
/* Free resources which are not of interest. */
} else if (eresult == DNS_R_CNAME ||
eresult == DNS_R_NXRRSET ||
{
/*
* There is no DS. If this is a delegation, we're done.
*/
if (eresult != DNS_R_CNAME &&
if (val->mustbesecure) {
"must be secure failure, no DS"
" and this is a delegation");
} else {
if (result != DNS_R_WAIT)
}
} else {
if (result != DNS_R_WAIT)
}
} else if (eresult == ISC_R_SUCCESS ||
eresult == DNS_R_NXDOMAIN ||
{
/*
* There is a DS which may or may not be a zone cut.
* In either case we are still in a secure zone resume
* validation.
*/
ISC_TRUE);
if (result != DNS_R_WAIT)
} else {
if (eresult == ISC_R_CANCELED)
else
}
if (want_destroy)
}
/*%
* Callback from when a DNSKEY RRset has been validated.
*
* Resumes the stalled validation process.
*/
static void
} else if (eresult == ISC_R_SUCCESS) {
"keyset with trust %s",
/*
* Only extract the dst key if the keyset is secure.
*/
if (result == DNS_R_NOVALIDSIG &&
{
"falling back to insecurity proof");
if (result == DNS_R_NOTINSECURE)
}
if (result != DNS_R_WAIT)
} else {
if (eresult != DNS_R_BROKENCHAIN) {
}
"keyvalidated: got %s",
}
if (want_destroy)
}
/*%
* Callback when the DS record has been validated.
*
* Resumes validation of the zone key or the unsecure zone proof.
*/
static void
} else if (eresult == ISC_R_SUCCESS) {
"%s with trust %s",
"dsset" : "ds non-existance",
if (val->mustbesecure) {
"must be secure failure, no DS "
"and this is a delegation");
result = ISC_R_SUCCESS;;
} else
} else
if (result != DNS_R_WAIT)
} else {
if (eresult != DNS_R_BROKENCHAIN) {
}
"dsvalidated: got %s",
}
if (want_destroy)
}
/*%
* Callback when the CNAME record has been validated.
*
* Resumes validation of the unsecure zone proof.
*/
static void
} else if (eresult == ISC_R_SUCCESS) {
if (result != DNS_R_WAIT)
} else {
if (eresult != DNS_R_BROKENCHAIN) {
}
"cnamevalidated: got %s",
}
if (want_destroy)
}
/*%
* Return ISC_R_SUCCESS if we can determine that the name doesn't exist
* or we can determine whether there is data or not at the name.
* If the name does not exist return the wildcard name.
*
* Return ISC_R_IGNORE when the NSEC is not the appropriate one.
*/
static isc_result_t
{
int order;
if (result != ISC_R_SUCCESS) {
"failure processing NSEC set");
return (result);
}
if (order < 0) {
/*
* The name is not within the NSEC range.
*/
"NSEC does not cover name, before NSEC");
return (ISC_R_IGNORE);
}
if (order == 0) {
/*
* The names are the same.
*/
if (!atparent) {
/*
* This NSEC record is from somewhere higher in
* the DNS, and at the parent of a delegation.
* It can not be legitimately used here.
*/
"ignoring parent nsec");
return (ISC_R_IGNORE);
}
/*
* This NSEC record is from the child.
* It can not be legitimately used here.
*/
"ignoring child nsec");
return (ISC_R_IGNORE);
}
"nsec proves name exists (owner) data=%d",
*data);
return (ISC_R_SUCCESS);
}
return (ISC_R_IGNORE);
}
if (relation == dns_namereln_subdomain &&
{
/*
* This NSEC record is from somewhere higher in
* the DNS, and at the parent of a delegation.
* It can not be legitimately used here.
*/
return (ISC_R_IGNORE);
}
if (result != ISC_R_SUCCESS)
return (result);
if (order == 0) {
"ignoring nsec matches next name");
return (ISC_R_IGNORE);
}
/*
* The name is not within the NSEC range.
*/
"ignoring nsec because name is past end of range");
return (ISC_R_IGNORE);
}
"nsec proves name exist (empty)");
return (ISC_R_SUCCESS);
}
} else {
}
if (result != ISC_R_SUCCESS) {
"failure generating wildcard name");
return (result);
}
}
return (ISC_R_SUCCESS);
}
static isc_result_t
{
char namebuf[DNS_NAME_FORMATSIZE];
int order;
int scope;
unsigned char hash[NSEC3_MAX_HASH_LENGTH];
unsigned char owner[NSEC3_MAX_HASH_LENGTH];
unsigned int length;
unsigned int qlabels;
unsigned int zlabels;
if (result != ISC_R_SUCCESS) {
"failure processing NSEC3 set");
return (result);
}
if (result != ISC_R_SUCCESS)
return (result);
/*
* NSEC3 records must have two or more labels to be valid.
*/
if (zlabels < 2)
return (ISC_R_IGNORE);
/*
* Strip off the NSEC3 hash to get the zone.
*/
zlabels--;
/*
* If not below the zone name we can ignore this record.
*/
return (ISC_R_IGNORE);
/*
* Is this zone the same or deeper than the current zone?
*/
if (dns_name_countlabels(zonename) == 0 ||
return (ISC_R_IGNORE);
/*
* Are we only looking for the most enclosing zone?
*/
return (ISC_R_SUCCESS);
/*
* Only set unknown once we are sure that this NSEC3 is from
* the deepest covering zone.
*/
return (ISC_R_IGNORE);
}
/*
* Recover the hash from the first label.
*/
if (result != ISC_R_SUCCESS)
return (result);
/*
* The hash lengths should match. If not ignore the record.
*/
return (ISC_R_IGNORE);
/*
* Work out what this NSEC3 covers.
* Inside (<0) or outside (>=0).
*/
/*
* Prepare to compute all the hashes.
*/
/*
* The computed hash length should match.
*/
"ignoring NSEC bad length %u vs %u",
return (ISC_R_IGNORE);
}
/*
* The hashes are the same.
*/
if (!atparent) {
/*
* This NSEC3 record is from somewhere
* higher in the DNS, and at the
* parent of a delegation. It can not
* be legitimately used here.
*/
"ignoring parent NSEC3");
return (ISC_R_IGNORE);
}
/*
* This NSEC3 record is from the child.
* It can not be legitimately used here.
*/
"ignoring child NSEC3");
return (ISC_R_IGNORE);
}
"NSEC3 proves name exists (owner) "
"data=%d", *data);
return (ISC_R_SUCCESS);
}
"NSEC3 proves CNAME exists");
return (ISC_R_IGNORE);
}
if (order == 0 &&
{
/*
* This NSEC3 record is from somewhere higher in
* the DNS, and at the parent of a delegation.
* It can not be legitimately used here.
*/
"ignoring parent NSEC3");
return (ISC_R_IGNORE);
}
/*
* Potential closest encloser.
*/
if (order == 0) {
(dns_name_countlabels(closest) == 0 ||
{
sizeof(namebuf));
"NSEC3 indicates potential "
"closest encloser: '%s'",
namebuf);
*setclosest = ISC_TRUE;
}
"NSEC3 at super-domain %s", namebuf);
return (answer);
}
/*
* Find if the name does not exist.
*
* We continue as we need to find the name closest to the
* closest encloser that doesn't exist.
*
* We also need to continue to ensure that we are not
* proving the non-existence of a record in a sub-zone.
* If that would be the case we will return ISC_R_IGNORE
* above.
*/
{
char namebuf[DNS_NAME_FORMATSIZE];
"name does not exist: '%s'", namebuf);
(dns_name_countlabels(nearest) == 0 ||
*setnearest = ISC_TRUE;
}
"NSEC3 indicates optout");
*optout =
}
}
qlabels--;
if (qlabels > 0)
}
return (answer);
}
/*%
* Callback for when NSEC records have been validated.
*
* Looks for NOQNAME, NODATA and OPTOUT proofs.
*
* Resumes nsecvalidate.
*/
static void
} else if (result != ISC_R_SUCCESS) {
"authvalidated: got %s",
if (result == DNS_R_BROKENCHAIN)
if (result == ISC_R_CANCELED)
else {
if (result != DNS_R_WAIT)
}
} else {
== ISC_R_SUCCESS)
{
if (NEEDNODATA(val))
}
if (!exists) {
/*
* The NSEC noqname proof also contains
* the closest encloser.
*/
if (NEEDNOQNAME(val))
}
}
if (result != DNS_R_WAIT)
}
if (want_destroy)
/*
* Free stuff from the event.
*/
}
/*%
* Looks for the requested name and type in the view (zones and cache).
*
* When looking for a DLV record also checks to make sure the NSEC record
* returns covers the query name as part of aggressive negative caching.
*
* Returns:
* \li ISC_R_SUCCESS
* \li ISC_R_NOTFOUND
* \li DNS_R_NCACHENXDOMAIN
* \li DNS_R_NCACHENXRRSET
* \li DNS_R_NXRRSET
* \li DNS_R_NXDOMAIN
* \li DNS_R_BROKENCHAIN
*/
static inline isc_result_t
unsigned int options;
char buf1[DNS_NAME_FORMATSIZE];
char buf2[DNS_NAME_FORMATSIZE];
char buf3[DNS_NAME_FORMATSIZE];
char namebuf[DNS_NAME_FORMATSIZE];
char typebuf[DNS_RDATATYPE_FORMATSIZE];
return (ISC_R_CANCELED);
return (DNS_R_BROKENCHAIN);
}
if (type == dns_rdatatype_dlv)
if (result == DNS_R_NXDOMAIN) {
} else if (result == DNS_R_COVERINGNSEC) {
/*
* Check if the returned NSEC covers the name.
*/
"covering nsec: trust %s",
goto notfound;
}
if (result != ISC_R_SUCCESS)
goto notfound;
/* Parent NSEC record. */
"covering nsec: for parent");
goto notfound;
}
}
if (result != ISC_R_SUCCESS)
goto notfound;
/* End of zone chain. */
/*
* XXXMPA We could look for a parent NSEC
* at nsec.next and if found retest with
* this NSEC.
*/
"covering nsec: not in zone");
goto notfound;
}
/*
* XXXMPA We could check if this NSEC is at a zone
* apex and if the qname is not below it and look for
* a parent NSEC with the same name. This requires
* that we can cache both NSEC records which we
* currently don't support.
*/
"covering nsec: not in range");
goto notfound;
}
"covering nsec found: '%s' '%s' '%s'",
}
} else if (result != ISC_R_SUCCESS &&
result != DNS_R_NCACHENXDOMAIN &&
result != DNS_R_NCACHENXRRSET &&
result != DNS_R_EMPTYNAME &&
result != DNS_R_NXRRSET &&
result != ISC_R_NOTFOUND) {
goto notfound;
}
return (result);
return (ISC_R_NOTFOUND);
}
/*%
* Checks to make sure we are not going to loop. As we use a SHARED fetch
* the validation process will stall if looping was to occur.
*/
static inline isc_boolean_t
{
/*
* As NSEC3 records are meta data you sometimes
* need to prove a NSEC3 record which says that
* itself doesn't exist.
*/
{
"continuing validation would lead to "
"deadlock: aborting validation");
return (ISC_TRUE);
}
}
return (ISC_FALSE);
}
/*%
* Start a fetch for the requested name and type.
*/
static inline isc_result_t
{
"deadlock found (create_fetch)");
return (DNS_R_NOVALIDSIG);
}
&val->fsigrdataset,
}
/*%
* Start a subvalidation process.
*/
static inline isc_result_t
{
"deadlock found (create_validator)");
return (DNS_R_NOVALIDSIG);
}
&val->subvalidator);
if (result == ISC_R_SUCCESS) {
}
return (result);
}
/*%
* Try to find a key that could have signed 'siginfo' among those
* in 'rdataset'. If found, build a dst_key_t for it and point
* val->key at it.
*
* If val->key is non-NULL, this returns the next matching key.
*/
static isc_result_t
{
isc_buffer_t b;
else {
}
if (result != ISC_R_SUCCESS)
goto failure;
do {
if (result != ISC_R_SUCCESS)
goto failure;
{
if (foundold)
/*
* This is the key we're looking for.
*/
return (ISC_R_SUCCESS);
{
}
}
} while (result == ISC_R_SUCCESS);
if (result == ISC_R_NOMORE)
return (result);
}
/*%
* Get the key that generated this signature.
*/
static isc_result_t
unsigned int nlabels;
int order;
/*
* Is the signer name appropriate for this signature?
*
* The signer name must be at the same level as the owner name
* or closer to the DNS root.
*/
if (namereln != dns_namereln_subdomain &&
return (DNS_R_CONTINUE);
if (namereln == dns_namereln_equal) {
/*
* If this is a self-signed keyset, it must not be a zone key
* (since get_key is not called from validatezonekey).
*/
return (DNS_R_CONTINUE);
/*
* Records appearing in the parent zone at delegation
* points cannot be self-signed.
*/
return (DNS_R_CONTINUE);
} else {
/*
* SOA and NS RRsets can only be signed by a key with
* the same name.
*/
const char *typename;
typename = "SOA";
else
typename = "NS";
"%s signer mismatch", typename);
return (DNS_R_CONTINUE);
}
}
/*
* Do we know about this key?
*/
if (result == ISC_R_SUCCESS) {
/*
* We have an rrset for the given keyname.
*/
{
/*
* We know the key but haven't validated it yet or
* record for the zone may have been added.
*/
&val->fsigrdataset,
"get_key");
if (result != ISC_R_SUCCESS)
return (result);
return (DNS_R_WAIT);
/*
* Having a pending key with no signature means that
* something is broken.
*/
/*
* The key is legitimately insecure. There's no
* point in even attempting verification.
*/
} else {
/*
* See if we've got the key used in the signature.
*/
"keyset with trust %s",
if (result != ISC_R_SUCCESS) {
/*
* Either the key we're looking for is not
* in the rrset, or something bad happened.
* Give up.
*/
}
}
} else if (result == ISC_R_NOTFOUND) {
/*
* We don't know anything about this key.
*/
fetch_callback_validator, "get_key");
if (result != ISC_R_SUCCESS)
return (result);
return (DNS_R_WAIT);
} else if (result == DNS_R_NCACHENXDOMAIN ||
result == DNS_R_NCACHENXRRSET ||
result == DNS_R_EMPTYNAME ||
result == DNS_R_NXDOMAIN ||
result == DNS_R_NXRRSET)
{
/*
* This key doesn't exist.
*/
} else if (result == DNS_R_BROKENCHAIN)
return (result);
return (result);
}
static dns_keytag_t
isc_region_t r;
dns_rdata_toregion(rdata, &r);
}
/*%
* Is this keyset self-signed?
*/
static isc_boolean_t
result == ISC_R_SUCCESS;
{
result == ISC_R_SUCCESS;
{
continue;
&dstkey);
if (result != ISC_R_SUCCESS)
continue;
if (result != ISC_R_SUCCESS)
continue;
continue;
}
}
}
return (answer);
}
/*%
* Attempt to verify the rdataset using the given key and rdata (RRSIG).
* The signature was good and from a wildcard record and the QNAME does
* not match the wildcard we need to look for a NOQNAME proof.
*
* Returns:
* \li ISC_R_SUCCESS if the verification succeeds.
* \li Others if the verification fails.
*/
static isc_result_t
{
goto again;
}
"accepted expired %sRRSIG (keyid=%u)",
(result == DNS_R_FROMWILDCARD) ?
else
"verify rdataset (keyid=%u): %s",
if (result == DNS_R_FROMWILDCARD) {
}
return (result);
}
/*%
* Attempts positive response validation of a normal RRset.
*
* Returns:
* \li ISC_R_SUCCESS Validation completed successfully
* \li DNS_R_WAIT Validation has started but is waiting
* for an event.
* \li Other return codes are possible and all indicate failure.
*/
static isc_result_t
/*
* Caller must be holding the validator lock.
*/
if (resume) {
/*
* We already have a sigrdataset.
*/
} else {
}
for (;
result == ISC_R_SUCCESS;
{
return (ISC_R_NOMEMORY);
}
if (result != ISC_R_SUCCESS)
return (result);
/*
* At this point we could check that the signature algorithm
* was known and "sufficiently good".
*/
continue;
}
if (!resume) {
if (result == DNS_R_CONTINUE)
continue; /* Try the next SIG RR. */
if (result != ISC_R_SUCCESS)
return (result);
}
/*
* There isn't a secure DNSKEY for this signature so move
* onto the next RRSIG.
*/
continue;
}
do {
if (result == ISC_R_SUCCESS)
break;
&nextnode);
if (result != ISC_R_SUCCESS) {
break;
}
break;
} else {
!= ISC_R_SUCCESS)
break;
}
} while (1);
if (result != ISC_R_SUCCESS)
"failed to verify rdataset");
else {
}
else {
}
}
if (NEEDNOQNAME(val)) {
"no message available for noqname proof");
return (DNS_R_NOVALIDSIG);
}
"looking for noqname proof");
} else if (result == ISC_R_SUCCESS) {
"marking as secure, "
"noqname proof not needed");
return (result);
} else {
"verify failure: %s",
}
}
if (result != ISC_R_NOMORE) {
"failed to iterate signatures: %s",
return (result);
}
return (DNS_R_NOVALIDSIG);
}
/*%
* Check whether this DNSKEY (keyrdata) signed the DNSKEY RRset
* (val->event->rdataset).
*/
static isc_result_t
{
result == ISC_R_SUCCESS;
{
continue;
&dstkey);
if (result != ISC_R_SUCCESS)
/*
* This really shouldn't happen, but...
*/
continue;
}
if (result == ISC_R_SUCCESS)
break;
}
return (result);
}
/*%
* Find the DNSKEY that corresponds to the DS.
*/
static isc_result_t
{
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
result == ISC_R_SUCCESS;
{
continue;
dsbuf, &newdsrdata);
if (result != ISC_R_SUCCESS) {
"dns_ds_buildrdata() -> %s",
continue;
}
break;
}
return (result);
}
/*%
* Validate the DNSKEY RRset by looking for a DNSKEY that matches a
* DLV record and that also verifies the DNSKEY RRset.
*/
static isc_result_t
char digest_types[256];
/*
* Look through the DLV record and find the keys that can sign the
* key set and the matching signature. For each such key, attempt
* verification.
*/
/*
* If DNS_DSDIGEST_SHA256 is present we are required to prefer
* it over DNS_DSDIGEST_SHA1. This in practice means that we
* need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
* is present.
*/
result == ISC_R_SUCCESS;
continue;
break;
}
}
result == ISC_R_SUCCESS;
{
continue;
continue;
continue;
/*
* Convert to DLV to DS and find matching DNSKEY.
*/
if (result != ISC_R_SUCCESS) {
"no DNSKEY matching DLV");
continue;
}
"Found matching DLV record: checking for signature");
/*
* Check that this DNSKEY signed the DNSKEY rrset.
*/
if (result == ISC_R_SUCCESS)
break;
"no RRSIG matching DLV key");
}
if (result == ISC_R_SUCCESS) {
return (result);
if (val->mustbesecure) {
"must be secure failure,"
return (DNS_R_MUSTBESECURE);
}
return (ISC_R_SUCCESS);
} else
return (DNS_R_NOVALIDSIG);
}
/*%
* Attempts positive response validation of an RRset containing zone keys
* (i.e. a DNSKEY rrset).
*
* Returns:
* \li ISC_R_SUCCESS Validation completed successfully
* \li DNS_R_WAIT Validation has started but is waiting
* for an event.
* \li Other return codes are possible and all indicate failure.
*/
static isc_result_t
char namebuf[DNS_NAME_FORMATSIZE];
char digest_types[256];
/*
* Caller must be holding the validator lock.
*/
return (dlv_validatezonekey(val));
/*
* We have a dlv sep. Skip looking up the SEP from
* {trusted,managed}-keys. If the dlv sep is for the
* root then it will have been handled above so we don't
* need to check whether val->event->name is "." prior to
* looking up the DS.
*/
if (val->havedlvsep)
goto find_ds;
/*
* First, see if this key was signed by a trusted key.
*/
result == ISC_R_SUCCESS;
{
&sigrdata);
continue;
if (result == ISC_R_NOTFOUND &&
if (val->mustbesecure) {
"must be secure failure, "
"not beneath secure root");
return (DNS_R_MUSTBESECURE);
} else
"not beneath secure root");
return (ISC_R_SUCCESS);
}
}
if (result == DNS_R_PARTIALMATCH ||
result == ISC_R_SUCCESS)
while (result == ISC_R_SUCCESS) {
&keynode);
break;
}
if (result == ISC_R_SUCCESS) {
&keynode);
break;
}
&nextnode);
&keynode);
}
if (result == ISC_R_SUCCESS) {
"signed by trusted key; "
"marking as secure");
return (result);
}
}
if (atsep) {
/*
* We have not found a key to verify this DNSKEY
* RRset. As this is a SEP we have to assume that
* the RRset is invalid.
*/
sizeof(namebuf));
"unable to find a DNSKEY which verifies "
"the DNSKEY RRset and also matches a "
"trusted key for '%s'",
namebuf);
"please check the 'trusted-keys' for "
"'%s' in named.conf.", namebuf);
return (DNS_R_NOVALIDKEY);
}
/*
* If this is the root name and there was no trusted key,
* give up, since there's no DS at the root.
*/
"root key failed to validate");
return (DNS_R_NOVALIDSIG);
} else {
"no trusted root key");
return (DNS_R_NOVALIDDS);
}
}
/*
* Otherwise, try to find the DS record.
*/
if (result == ISC_R_SUCCESS) {
/*
* We have DS records.
*/
{
&val->fsigrdataset,
"validatezonekey");
if (result != ISC_R_SUCCESS)
return (result);
return (DNS_R_WAIT);
/*
* There should never be an unsigned DS.
*/
"unsigned DS record");
return (DNS_R_NOVALIDSIG);
} else {
}
} else if (result == ISC_R_NOTFOUND) {
/*
* We don't have the DS. Find it.
*/
"validatezonekey");
if (result != ISC_R_SUCCESS)
return (result);
return (DNS_R_WAIT);
} else if (result == DNS_R_NCACHENXDOMAIN ||
result == DNS_R_NCACHENXRRSET ||
result == DNS_R_EMPTYNAME ||
result == DNS_R_NXDOMAIN ||
result == DNS_R_NXRRSET ||
result == DNS_R_CNAME)
{
/*
* The DS does not exist.
*/
return (DNS_R_NOVALIDSIG);
} else if (result == DNS_R_BROKENCHAIN)
return (result);
}
/*
* We have a DS set.
*/
if (val->mustbesecure) {
"must be secure failure,"
" insecure DS");
return (DNS_R_MUSTBESECURE);
}
return (ISC_R_SUCCESS);
}
}
/*
* Look through the DS record and find the keys that can sign the
* key set and the matching signature. For each such key, attempt
* verification.
*/
/*
* If DNS_DSDIGEST_SHA256 is present we are required to prefer
* it over DNS_DSDIGEST_SHA1. This in practice means that we
* need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
* is present.
*/
result == ISC_R_SUCCESS;
continue;
break;
}
}
result == ISC_R_SUCCESS;
{
continue;
continue;
continue;
/*
* Find matching DNSKEY from DS.
*/
if (result != ISC_R_SUCCESS) {
"no DNSKEY matching DS");
continue;
}
/*
* Check that this DNSKEY signed the DNSKEY rrset.
*/
if (result == ISC_R_SUCCESS)
break;
"no RRSIG matching DS key");
}
if (result == ISC_R_SUCCESS) {
return (result);
if (val->mustbesecure) {
"must be secure failure, "
return (DNS_R_MUSTBESECURE);
}
return (ISC_R_SUCCESS);
} else {
"no valid signature found (DS)");
return (DNS_R_NOVALIDSIG);
}
}
/*%
* Starts a positive response validation.
*
* Returns:
* \li ISC_R_SUCCESS Validation completed successfully
* \li DNS_R_WAIT Validation has started but is waiting
* for an event.
* \li Other return codes are possible and all indicate failure.
*/
static isc_result_t
/*
* If this is not a key, go straight into validate().
*/
return (validatezonekey(val));
}
/*%
* val_rdataset_first and val_rdataset_next provide iteration methods
* that hide whether we are iterating across a message or a negative
* cache rdataset.
*/
static isc_result_t
{
} else {
}
if (result != ISC_R_SUCCESS)
return (result);
} else {
if (result == ISC_R_SUCCESS)
*rdatasetp);
}
return (result);
}
static isc_result_t
{
if (result == ISC_R_SUCCESS) {
namep);
}
}
} else {
if (result == ISC_R_SUCCESS)
*rdatasetp);
}
return (result);
}
/*%
* Look for NODATA at the wildcard and NOWILDCARD proofs in the
* previously validated NSEC records. As these proofs are mutually
* exclusive we stop when one is found.
*
* Returns
* \li ISC_R_SUCCESS
*/
static isc_result_t
{
char namebuf[DNS_NAME_FORMATSIZE];
if (dns_name_countlabels(wild) == 0) {
"in checkwildcard: no wildcard to check");
return (ISC_R_SUCCESS);
}
} else {
}
result == ISC_R_SUCCESS;
{
continue;
== ISC_R_SUCCESS)
{
name;
if (!exists)
val->attributes |=
name;
return (ISC_R_SUCCESS);
}
NULL) == ISC_R_SUCCESS)
{
name;
if (!exists)
val->attributes |=
name;
return (ISC_R_SUCCESS);
}
}
if (result == ISC_R_NOMORE)
return (result);
}
static isc_result_t
} else {
}
result == ISC_R_SUCCESS;
{
continue;
NULL);
return (result);
}
}
if (result != ISC_R_NOMORE)
if (dns_name_countlabels(zonename) == 0)
return (ISC_R_SUCCESS);
result == ISC_R_SUCCESS;
{
continue;
/*
* We process all NSEC3 records to find the closest
* encloser and nearest name to the closest encloser.
*/
if (setclosest)
if (unknown)
if (result != ISC_R_SUCCESS)
continue;
}
if (!exists && setnearest) {
if (optout)
}
}
if (result == ISC_R_NOMORE)
/*
* To know we have a valid noqname and optout proofs we need to also
* have a valid closest encloser. Otherwise we could still be looking
* at proofs from the parent zone.
*/
if (dns_name_countlabels(closest) > 0 &&
{
NULL);
} else {
}
/*
* Do we need to check for the wildcard?
*/
if (result != ISC_R_SUCCESS)
return (result);
}
return (result);
}
/*%
* Validate the authority section records.
*/
static isc_result_t
if (!resume)
else
for (;
result == ISC_R_SUCCESS;
{
if (resume) {
} else
for (;
{
continue;
sigrdataset != NULL;
link))
{
break;
}
/*
* If a signed zone is missing the zone key, bad
* things could happen. A query for data in the zone
* would lead to a query for the zone key, which
* would return a negative answer, which would contain
* an SOA and an NSEC signed by the missing key, which
* would trigger another query for the DNSKEY (since
* the first one is still in progress), and go into an
* infinite loop. Avoid that.
*/
{
if (result != ISC_R_SUCCESS)
return (result);
if (dns_nsec_typepresent(&nsec,
continue;
}
"validate_authority");
if (result != ISC_R_SUCCESS)
return (result);
return (DNS_R_WAIT);
}
}
if (result == ISC_R_NOMORE)
return (result);
}
/*%
* Validate the ncache elements.
*/
static isc_result_t
if (!resume)
else
for (;
result == ISC_R_SUCCESS;
{
continue;
&val->fsigrdataset);
if (result == ISC_R_SUCCESS)
/*
* If a signed zone is missing the zone key, bad
* things could happen. A query for data in the zone
* would lead to a query for the zone key, which
* would return a negative answer, which would contain
* an SOA and an NSEC signed by the missing key, which
* would trigger another query for the DNSKEY (since
* the first one is still in progress), and go into an
* infinite loop. Avoid that.
*/
{
if (result != ISC_R_SUCCESS)
return (result);
if (dns_nsec_typepresent(&nsec,
continue;
}
"validate_ncache");
if (result != ISC_R_SUCCESS)
return (result);
return (DNS_R_WAIT);
}
if (result == ISC_R_NOMORE)
return (result);
}
/*%
* Prove a negative answer is good or that there is a NOQNAME when the
* answer is from a wildcard.
*
* Loop through the authority section looking for NODATA, NOWILDCARD
* and NOQNAME proofs in the NSEC records by calling authvalidated().
*
* If the required proofs are found we are done.
*
* If the proofs are not found attempt to prove this is a unsecure
* response.
*/
static isc_result_t
if (resume)
else
if (result != ISC_R_SUCCESS)
return (result);
/*
* Do we only need to check for NOQNAME? To get here we must have
* had a secure wildcard answer.
*/
if (!FOUNDNOQNAME(val))
"marking as secure, noqname proof found");
return (ISC_R_SUCCESS);
} else if (FOUNDOPTOUT(val) &&
!= 0) {
"optout proof found");
return (ISC_R_SUCCESS);
"unknown NSEC3 hash algorithm found");
return (ISC_R_SUCCESS);
}
"noqname proof not found");
return (DNS_R_NOVALIDNSEC);
}
/*
* Do we need to check for the wildcard?
*/
if (result != ISC_R_SUCCESS)
return (result);
}
FOUNDCLOSEST(val))) {
"nonexistence proof(s) found");
return (ISC_R_SUCCESS);
}
return (DNS_R_BROKENCHAIN);
"nonexistence proof(s) not found");
}
static isc_boolean_t
result == ISC_R_SUCCESS;
ds.digest_type) &&
return (ISC_TRUE);
}
}
return (ISC_FALSE);
}
static void
} else if (eresult == ISC_R_SUCCESS) {
"dlvset with trust %s",
if (dlv_algorithm_supported(val))
else {
}
} else {
if (eresult != DNS_R_BROKENCHAIN) {
}
"dlvvalidated: got %s",
}
if (want_destroy)
}
/*%
* Callback from fetching a DLV record.
*
* Resumes the DLV lookup process.
*/
static void
char namebuf[DNS_NAME_FORMATSIZE];
/* Free resources which are not of interest. */
if (eresult == ISC_R_SUCCESS) {
sizeof(namebuf));
if (dlv_algorithm_supported(val)) {
namebuf);
} else {
"DLV %s found with no supported algorithms",
namebuf);
}
} else if (eresult == DNS_R_NXRRSET ||
eresult == DNS_R_NXDOMAIN ||
eresult == DNS_R_NCACHENXRRSET ||
eresult == DNS_R_NCACHENXDOMAIN) {
if (result == ISC_R_SUCCESS) {
if (dlv_algorithm_supported(val)) {
"DLV %s found", namebuf);
} else {
"DLV %s found with no supported "
"algorithms", namebuf);
}
} else if (result == ISC_R_NOTFOUND) {
} else {
if (result != DNS_R_WAIT)
}
} else {
}
if (want_destroy)
}
/*%
* Start the DLV lookup process.
*
* Returns
* \li ISC_R_SUCCESS
* \li DNS_R_WAIT
* \li Others on validation failures.
*/
static isc_result_t
char namebuf[DNS_NAME_FORMATSIZE];
"plain DNSSEC returns unsecure (%s): looking for DLV",
namebuf);
" %s is under DLV (startfinddlvsep)", namebuf);
return (DNS_R_MUSTBESECURE);
}
if (result == ISC_R_NOTFOUND) {
return (ISC_R_SUCCESS);
}
if (result != ISC_R_SUCCESS) {
return (result);
}
sizeof(namebuf));
if (dlv_algorithm_supported(val)) {
return (DNS_R_WAIT);
}
"algorithms", namebuf);
return (ISC_R_SUCCESS);
}
/*%
* Continue the DLV lookup process.
*
* Returns
* \li ISC_R_SUCCESS
* \li ISC_R_NOTFOUND
* \li DNS_R_WAIT
* \li Others on validation failure.
*/
static isc_result_t
char namebuf[DNS_NAME_FORMATSIZE];
unsigned int labels;
if (!resume) {
sizeof(namebuf));
"must be secure failure, "
"%s is under DLV (finddlvsep)", namebuf);
return (DNS_R_MUSTBESECURE);
}
/*
* If this is a response to a DS query, we need to look in
* the parent zone for the trust anchor.
*/
if (labels == 0)
return (ISC_R_NOTFOUND);
dlvsep);
}
} else {
}
if (labels == 0)
return (ISC_R_NOTFOUND);
while (result == ISC_R_NOSPACE) {
}
if (result != ISC_R_SUCCESS) {
return (DNS_R_NOVALIDSIG);
}
while (dns_name_countlabels(dlvname) >=
namebuf);
if (result == ISC_R_SUCCESS) {
{
NULL);
&val->fsigrdataset,
"finddlvsep");
if (result != ISC_R_SUCCESS)
return (result);
return (DNS_R_WAIT);
}
"DLV not validated");
return (DNS_R_NOVALIDSIG);
}
return (ISC_R_SUCCESS);
}
if (result == ISC_R_NOTFOUND) {
dlvfetched, "finddlvsep");
if (result != ISC_R_SUCCESS)
return (result);
return (DNS_R_WAIT);
}
if (result != DNS_R_NXRRSET &&
result != DNS_R_NXDOMAIN &&
result != DNS_R_EMPTYNAME &&
result != DNS_R_NCACHENXRRSET &&
return (result);
/*
* Strip first labels from both dlvsep and dlvname.
*/
if (labels == 0)
break;
}
return (ISC_R_NOTFOUND);
}
/*%
* proveunsecure walks down from the SEP looking for a break in the
* chain of trust. That occurs when we can prove the DS record does
* not exist at a delegation point or the DS exists at a delegation
*
* If DLV is active and we look for a DLV record at or below the
* point we go insecure. If found we restart the validation process.
* If not found or DLV isn't active we mark the response as a answer.
*
* Returns:
* \li ISC_R_SUCCESS val->event->name is in a unsecure zone
* \li DNS_R_WAIT validation is in progress.
* \li DNS_R_MUSTBESECURE val->event->name is supposed to be secure
* (policy) but we proved that it is unsecure.
* \li DNS_R_NOVALIDSIG
* \li DNS_R_NOVALIDNSEC
* \li DNS_R_NOTINSECURE
* \li DNS_R_BROKENCHAIN
*/
static isc_result_t
{
char namebuf[DNS_NAME_FORMATSIZE];
if (val->havedlvsep)
else {
unsigned int labels;
/*
* If this is a response to a DS query, we need to look in
* the parent zone for the trust anchor.
*/
secroot);
if (result == ISC_R_NOTFOUND) {
if (val->mustbesecure) {
"must be secure failure, "
"not beneath secure root");
goto out;
} else
"not beneath secure root");
return (ISC_R_SUCCESS);
}
} else if (result != ISC_R_SUCCESS)
return (result);
}
if (!resume) {
/*
* We are looking for breaks below the SEP so add a label.
*/
} else {
/*
* If we have a DS rdataset and it is secure then check if
* the DS rdataset has a supported algorithm combination.
* If not this is an insecure delegation as far as this
* resolver is concerned. Fall back to DLV if available.
*/
val->mustbesecure) {
"must be secure failure at '%s', "
"can't fall back to DLV",
namebuf);
goto out;
}
namebuf);
goto out;
}
goto out;
}
}
for (;
{
else
"checking existence of DS at '%s'",
namebuf);
/*
* There is no DS. If this is a delegation,
* we may be done.
*/
/*
* If we have "trust == answer" then this namespace
* has switched from insecure to should be secure.
*/
"proveunsecure");
if (result != ISC_R_SUCCESS)
goto out;
return (DNS_R_WAIT);
}
/*
* Zones using NSEC3 don't return a NSEC RRset so
* we need to use dns_view_findzonecut2 to find
* the zone cut.
*/
if (result == DNS_R_NXRRSET &&
if (val->mustbesecure) {
"must be secure failure, "
"no DS at zone cut");
return (DNS_R_MUSTBESECURE);
}
return (ISC_R_SUCCESS);
}
}
/*
* This shouldn't happen, since the negative
* response should have been validated. Since
* there's no way of validating existing
* negative response blobs, give up.
*/
"can't validate existing "
"negative responses (no DS)");
goto out;
}
if (val->mustbesecure) {
"must be secure failure, "
"%s is a delegation",
namebuf);
return (DNS_R_MUSTBESECURE);
}
return (ISC_R_SUCCESS);
}
}
continue;
} else if (result == DNS_R_CNAME) {
"proveunsecure "
"(cname)");
if (result != ISC_R_SUCCESS)
goto out;
return (DNS_R_WAIT);
}
continue;
} else if (result == ISC_R_SUCCESS) {
/*
* There is a DS here. Verify that it's secure and
* continue.
*/
"no supported algorithm/"
if (val->mustbesecure) {
"must be secure failure, "
"no supported algorithm/"
namebuf);
goto out;
}
"proveunsecure (5)");
goto out;
}
goto out;
}
continue;
}
{
"DS is unsigned");
goto out;
}
/*
* Validate / re-validate answer.
*/
&val->fsigrdataset,
"proveunsecure");
if (result != ISC_R_SUCCESS)
goto out;
return (DNS_R_WAIT);
} else if (result == DNS_R_NXDOMAIN ||
result == DNS_R_NCACHENXDOMAIN) {
/*
* This is not a zone cut. Assuming things are
* as expected, continue.
*/
/*
* There should be an NSEC here, since we
* are still in a secure zone.
*/
goto out;
/*
* If we have "trust == answer" then this namespace
* has switched from insecure to should be secure.
*/
"proveunsecure");
if (result != ISC_R_SUCCESS)
goto out;
return (DNS_R_WAIT);
/*
* This shouldn't happen, since the negative
* response should have been validated. Since
* there's no way of validating existing
* negative response blobs, give up.
*/
"can't validate existing "
"negative responses "
"(not a zone cut)");
goto out;
}
continue;
} else if (result == ISC_R_NOTFOUND) {
/*
* We don't know anything about the DS. Find it.
*/
dsfetched2, "proveunsecure");
if (result != ISC_R_SUCCESS)
goto out;
return (DNS_R_WAIT);
} else if (result == DNS_R_BROKENCHAIN)
return (result);
}
/* Couldn't complete insecurity proof */
return (DNS_R_NOTINSECURE);
out:
return (result);
}
/*%
* Reset state and revalidate the answer using DLV.
*/
static void
/*
* Reset state and try again.
*/
}
/*%
* Start the validation process.
*
* Attempt to validate the answer based on the category it appears to
* fall in.
* \li 1. secure positive answer.
* \li 2. unsecure positive answer.
* \li 3. a negative answer (secure or unsecure).
*
* Note a answer that appears to be a secure positive answer may actually
* be an unsecure positive answer.
*/
static void
/* If the validator has been canceled, val->event == NULL */
return;
else
/*
* This looks like a simple validation. We say "looks like"
* because it might end up requiring an insecurity proof.
*/
"attempting positive response validation");
if (result == DNS_R_NOVALIDSIG &&
{
"falling back to insecurity proof");
if (result == DNS_R_NOTINSECURE)
}
/*
* This is either an unsecure subdomain or a response from
* a broken server.
*/
"attempting insecurity proof");
if (result == DNS_R_NOTINSECURE)
"got insecure response; "
"parent indicates it should be secure");
{
/*
* This is a nonexistence validation.
*/
"attempting negative response validation");
} else
{
/*
* This is a nonexistence validation.
*/
"attempting negative response validation");
} else
} else {
/*
* This shouldn't happen.
*/
INSIST(0);
}
if (result != DNS_R_WAIT) {
}
if (want_destroy)
}
{
return (ISC_R_NOMEMORY);
event = (dns_validatorevent_t *)
sizeof(dns_validatorevent_t));
goto cleanup_val;
}
if (result != ISC_R_SUCCESS)
goto cleanup_event;
val->attributes = 0;
if (result != ISC_R_SUCCESS)
return (result);
if ((options & DNS_VALIDATOR_DEFER) == 0)
*validatorp = val;
return (ISC_R_SUCCESS);
return (result);
}
void
}
void
}
}
}
}
static void
if (val->havedlvsep)
}
void
val = *validatorp;
if (want_destroy)
*validatorp = NULL;
}
static void
{
char msgbuf[2048];
static const char spaces[] = " *";
char namebuf[DNS_NAME_FORMATSIZE];
char typebuf[DNS_RDATATYPE_FORMATSIZE];
sizeof(typebuf));
} else {
}
}
static void
return;
}
static void
{
char namestr[DNS_NAME_FORMATSIZE];
char typestr[DNS_RDATATYPE_FORMATSIZE];
}