/contrib/bind9/lib/dns/validator.c
C | 4369 lines | 3257 code | 378 blank | 734 comment | 1178 complexity | a9e623957e291c360bd8b11e4018b46b MD5 | raw file
Possible License(s): MPL-2.0-no-copyleft-exception, BSD-3-Clause, LGPL-2.0, LGPL-2.1, BSD-2-Clause, 0BSD, JSON, AGPL-1.0, GPL-2.0
- /*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
- /* $Id$ */
- #include <config.h>
- #include <isc/base32.h>
- #include <isc/mem.h>
- #include <isc/print.h>
- #include <isc/sha2.h>
- #include <isc/string.h>
- #include <isc/task.h>
- #include <isc/util.h>
- #include <dns/db.h>
- #include <dns/dnssec.h>
- #include <dns/ds.h>
- #include <dns/events.h>
- #include <dns/keytable.h>
- #include <dns/keyvalues.h>
- #include <dns/log.h>
- #include <dns/message.h>
- #include <dns/ncache.h>
- #include <dns/nsec.h>
- #include <dns/nsec3.h>
- #include <dns/rdata.h>
- #include <dns/rdataset.h>
- #include <dns/rdatatype.h>
- #include <dns/resolver.h>
- #include <dns/result.h>
- #include <dns/validator.h>
- #include <dns/view.h>
- /*! \file
- * \brief
- * Basic processing sequences.
- *
- * \li When called with rdataset and sigrdataset:
- * validator_start -> validate -> proveunsecure -> startfinddlvsep ->
- * dlv_validator_start -> validator_start -> validate -> proveunsecure
- *
- * validator_start -> validate -> nsecvalidate (secure wildcard answer)
- *
- * \li When called with rdataset, sigrdataset and with DNS_VALIDATOR_DLV:
- * validator_start -> startfinddlvsep -> dlv_validator_start ->
- * validator_start -> validate -> proveunsecure
- *
- * \li When called with rdataset:
- * validator_start -> proveunsecure -> startfinddlvsep ->
- * dlv_validator_start -> validator_start -> proveunsecure
- *
- * \li When called with rdataset and with DNS_VALIDATOR_DLV:
- * validator_start -> startfinddlvsep -> dlv_validator_start ->
- * validator_start -> proveunsecure
- *
- * \li When called without a rdataset:
- * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
- * dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
- *
- * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate()
- * to always validate the authority section even when it does not contain
- * signatures.
- *
- * validator_start: determines what type of validation to do.
- * validate: attempts to perform a positive validation.
- * proveunsecure: attempts to prove the answer comes from a unsecure zone.
- * nsecvalidate: attempts to prove a negative response.
- * startfinddlvsep: starts the DLV record lookup.
- * dlv_validator_start: resets state and restarts the lookup using the
- * DLV RRset found by startfinddlvsep.
- */
- #define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?')
- #define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
- #define VALATTR_SHUTDOWN 0x0001 /*%< Shutting down. */
- #define VALATTR_CANCELED 0x0002 /*%< Canceled. */
- #define VALATTR_TRIEDVERIFY 0x0004 /*%< We have found a key and
- * have attempted a verify. */
- #define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */
- #define VALATTR_DLVTRIED 0x0020 /*%< Looked for a DLV record. */
- /*!
- * NSEC proofs to be looked for.
- */
- #define VALATTR_NEEDNOQNAME 0x00000100
- #define VALATTR_NEEDNOWILDCARD 0x00000200
- #define VALATTR_NEEDNODATA 0x00000400
- /*!
- * NSEC proofs that have been found.
- */
- #define VALATTR_FOUNDNOQNAME 0x00001000
- #define VALATTR_FOUNDNOWILDCARD 0x00002000
- #define VALATTR_FOUNDNODATA 0x00004000
- #define VALATTR_FOUNDCLOSEST 0x00008000
- /*
- *
- */
- #define VALATTR_FOUNDOPTOUT 0x00010000
- #define VALATTR_FOUNDUNKNOWN 0x00020000
- #define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
- #define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
- #define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
- #define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
- #define FOUNDNODATA(val) ((val->attributes & VALATTR_FOUNDNODATA) != 0)
- #define FOUNDNOQNAME(val) ((val->attributes & VALATTR_FOUNDNOQNAME) != 0)
- #define FOUNDNOWILDCARD(val) ((val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)
- #define FOUNDCLOSEST(val) ((val->attributes & VALATTR_FOUNDCLOSEST) != 0)
- #define FOUNDOPTOUT(val) ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
- #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
- #define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0)
- #define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
- static void
- destroy(dns_validator_t *val);
- static isc_result_t
- get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
- dns_rdataset_t *rdataset);
- static isc_result_t
- validate(dns_validator_t *val, isc_boolean_t resume);
- static isc_result_t
- validatezonekey(dns_validator_t *val);
- static isc_result_t
- nsecvalidate(dns_validator_t *val, isc_boolean_t resume);
- static isc_result_t
- proveunsecure(dns_validator_t *val, isc_boolean_t have_ds,
- isc_boolean_t resume);
- static void
- validator_logv(dns_validator_t *val, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *fmt, va_list ap)
- ISC_FORMAT_PRINTF(5, 0);
- static void
- validator_log(dns_validator_t *val, int level, const char *fmt, ...)
- ISC_FORMAT_PRINTF(3, 4);
- static void
- validator_logcreate(dns_validator_t *val,
- dns_name_t *name, dns_rdatatype_t type,
- const char *caller, const char *operation);
- static isc_result_t
- dlv_validatezonekey(dns_validator_t *val);
- static void
- dlv_validator_start(dns_validator_t *val);
- static isc_result_t
- finddlvsep(dns_validator_t *val, isc_boolean_t resume);
- static isc_result_t
- startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
- /*%
- * Mark the RRsets as a answer.
- */
- static inline void
- markanswer(dns_validator_t *val, const char *where) {
- validator_log(val, ISC_LOG_DEBUG(3), "marking as answer (%s)", where);
- if (val->event->rdataset != NULL)
- dns_rdataset_settrust(val->event->rdataset, dns_trust_answer);
- if (val->event->sigrdataset != NULL)
- dns_rdataset_settrust(val->event->sigrdataset,
- dns_trust_answer);
- }
- static inline void
- marksecure(dns_validatorevent_t *event) {
- dns_rdataset_settrust(event->rdataset, dns_trust_secure);
- if (event->sigrdataset != NULL)
- dns_rdataset_settrust(event->sigrdataset, dns_trust_secure);
- }
- static void
- validator_done(dns_validator_t *val, isc_result_t result) {
- isc_task_t *task;
- if (val->event == NULL)
- return;
- /*
- * Caller must be holding the lock.
- */
- val->event->result = result;
- task = val->event->ev_sender;
- val->event->ev_sender = val;
- val->event->ev_type = DNS_EVENT_VALIDATORDONE;
- val->event->ev_action = val->action;
- val->event->ev_arg = val->arg;
- isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
- }
- static inline isc_boolean_t
- exit_check(dns_validator_t *val) {
- /*
- * Caller must be holding the lock.
- */
- if (!SHUTDOWN(val))
- return (ISC_FALSE);
- INSIST(val->event == NULL);
- if (val->fetch != NULL || val->subvalidator != NULL)
- return (ISC_FALSE);
- return (ISC_TRUE);
- }
- /*
- * Check that we have atleast one supported algorithm in the DLV RRset.
- */
- static inline isc_boolean_t
- dlv_algorithm_supported(dns_validator_t *val) {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_dlv_t dlv;
- isc_result_t result;
- for (result = dns_rdataset_first(&val->dlv);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&val->dlv)) {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(&val->dlv, &rdata);
- result = dns_rdata_tostruct(&rdata, &dlv, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (!dns_resolver_algorithm_supported(val->view->resolver,
- val->event->name,
- dlv.algorithm))
- continue;
- #ifdef HAVE_OPENSSL_GOST
- if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
- dlv.digest_type != DNS_DSDIGEST_SHA1 &&
- dlv.digest_type != DNS_DSDIGEST_GOST)
- continue;
- #else
- if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
- dlv.digest_type != DNS_DSDIGEST_SHA1)
- continue;
- #endif
- return (ISC_TRUE);
- }
- return (ISC_FALSE);
- }
- /*%
- * Look in the NSEC record returned from a DS query to see if there is
- * a NS RRset at this name. If it is found we are at a delegation point.
- */
- static isc_boolean_t
- isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
- isc_result_t dbresult)
- {
- dns_fixedname_t fixed;
- dns_label_t hashlabel;
- dns_name_t nsec3name;
- dns_rdata_nsec3_t nsec3;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t set;
- int order;
- int scope;
- isc_boolean_t found;
- isc_buffer_t buffer;
- isc_result_t result;
- unsigned char hash[NSEC3_MAX_HASH_LENGTH];
- unsigned char owner[NSEC3_MAX_HASH_LENGTH];
- unsigned int length;
- REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
- dns_rdataset_init(&set);
- if (dbresult == DNS_R_NXRRSET)
- dns_rdataset_clone(rdataset, &set);
- else {
- result = dns_ncache_getrdataset(rdataset, name,
- dns_rdatatype_nsec, &set);
- if (result == ISC_R_NOTFOUND)
- goto trynsec3;
- if (result != ISC_R_SUCCESS)
- return (ISC_FALSE);
- }
- INSIST(set.type == dns_rdatatype_nsec);
- found = ISC_FALSE;
- result = dns_rdataset_first(&set);
- if (result == ISC_R_SUCCESS) {
- dns_rdataset_current(&set, &rdata);
- found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
- dns_rdata_reset(&rdata);
- }
- dns_rdataset_disassociate(&set);
- return (found);
- trynsec3:
- /*
- * Iterate over the ncache entry.
- */
- found = ISC_FALSE;
- dns_name_init(&nsec3name, NULL);
- dns_fixedname_init(&fixed);
- dns_name_downcase(name, dns_fixedname_name(&fixed), NULL);
- name = dns_fixedname_name(&fixed);
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset))
- {
- dns_ncache_current(rdataset, &nsec3name, &set);
- if (set.type != dns_rdatatype_nsec3) {
- dns_rdataset_disassociate(&set);
- continue;
- }
- dns_name_getlabel(&nsec3name, 0, &hashlabel);
- isc_region_consume(&hashlabel, 1);
- isc_buffer_init(&buffer, owner, sizeof(owner));
- result = isc_base32hex_decoderegion(&hashlabel, &buffer);
- if (result != ISC_R_SUCCESS) {
- dns_rdataset_disassociate(&set);
- continue;
- }
- for (result = dns_rdataset_first(&set);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&set))
- {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(&set, &rdata);
- (void)dns_rdata_tostruct(&rdata, &nsec3, NULL);
- if (nsec3.hash != 1)
- continue;
- length = isc_iterated_hash(hash, nsec3.hash,
- nsec3.iterations, nsec3.salt,
- nsec3.salt_length,
- name->ndata, name->length);
- if (length != isc_buffer_usedlength(&buffer))
- continue;
- order = memcmp(hash, owner, length);
- if (order == 0) {
- found = dns_nsec3_typepresent(&rdata,
- dns_rdatatype_ns);
- dns_rdataset_disassociate(&set);
- return (found);
- }
- if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0)
- continue;
- /*
- * Does this optout span cover the name?
- */
- scope = memcmp(owner, nsec3.next, nsec3.next_length);
- if ((scope < 0 && order > 0 &&
- memcmp(hash, nsec3.next, length) < 0) ||
- (scope >= 0 && (order > 0 ||
- memcmp(hash, nsec3.next, length) < 0)))
- {
- dns_rdataset_disassociate(&set);
- return (ISC_TRUE);
- }
- }
- dns_rdataset_disassociate(&set);
- }
- return (found);
- }
- /*%
- * We have been asked to look for a key.
- * If found resume the validation process.
- * If not found fail the validation process.
- */
- static void
- fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
- dns_fetchevent_t *devent;
- dns_validator_t *val;
- dns_rdataset_t *rdataset;
- isc_boolean_t want_destroy;
- isc_result_t result;
- isc_result_t eresult;
- isc_result_t saved_result;
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
- devent = (dns_fetchevent_t *)event;
- val = devent->ev_arg;
- rdataset = &val->frdataset;
- eresult = devent->result;
- /* Free resources which are not of interest. */
- if (devent->node != NULL)
- dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
- dns_db_detach(&devent->db);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- isc_event_free(&event);
- dns_resolver_destroyfetch(&val->fetch);
- INSIST(val->event != NULL);
- validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
- LOCK(&val->lock);
- if (CANCELED(val)) {
- validator_done(val, ISC_R_CANCELED);
- } else if (eresult == ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %s",
- dns_trust_totext(rdataset->trust));
- /*
- * Only extract the dst key if the keyset is secure.
- */
- if (rdataset->trust >= dns_trust_secure) {
- result = get_dst_key(val, val->siginfo, rdataset);
- if (result == ISC_R_SUCCESS)
- val->keyset = &val->frdataset;
- }
- result = validate(val, ISC_TRUE);
- if (result == DNS_R_NOVALIDSIG &&
- (val->attributes & VALATTR_TRIEDVERIFY) == 0)
- {
- saved_result = result;
- validator_log(val, ISC_LOG_DEBUG(3),
- "falling back to insecurity proof");
- val->attributes |= VALATTR_INSECURITY;
- result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
- if (result == DNS_R_NOTINSECURE)
- result = saved_result;
- }
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3),
- "fetch_callback_validator: got %s",
- isc_result_totext(eresult));
- if (eresult == ISC_R_CANCELED)
- validator_done(val, eresult);
- else
- validator_done(val, DNS_R_BROKENCHAIN);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
- }
- /*%
- * We were asked to look for a DS record as part of following a key chain
- * upwards. If found resume the validation process. If not found fail the
- * validation process.
- */
- static void
- dsfetched(isc_task_t *task, isc_event_t *event) {
- dns_fetchevent_t *devent;
- dns_validator_t *val;
- dns_rdataset_t *rdataset;
- isc_boolean_t want_destroy;
- isc_result_t result;
- isc_result_t eresult;
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
- devent = (dns_fetchevent_t *)event;
- val = devent->ev_arg;
- rdataset = &val->frdataset;
- eresult = devent->result;
- /* Free resources which are not of interest. */
- if (devent->node != NULL)
- dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
- dns_db_detach(&devent->db);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- isc_event_free(&event);
- dns_resolver_destroyfetch(&val->fetch);
- INSIST(val->event != NULL);
- validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched");
- LOCK(&val->lock);
- if (CANCELED(val)) {
- validator_done(val, ISC_R_CANCELED);
- } else if (eresult == ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "dsset with trust %s",
- dns_trust_totext(rdataset->trust));
- val->dsset = &val->frdataset;
- result = validatezonekey(val);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else if (eresult == DNS_R_CNAME ||
- eresult == DNS_R_NXRRSET ||
- eresult == DNS_R_NCACHENXRRSET ||
- eresult == DNS_R_SERVFAIL) /* RFC 1034 parent? */
- {
- validator_log(val, ISC_LOG_DEBUG(3),
- "falling back to insecurity proof (%s)",
- dns_result_totext(eresult));
- val->attributes |= VALATTR_INSECURITY;
- result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3),
- "dsfetched: got %s",
- isc_result_totext(eresult));
- if (eresult == ISC_R_CANCELED)
- validator_done(val, eresult);
- else
- validator_done(val, DNS_R_BROKENCHAIN);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
- }
- /*%
- * We were asked to look for the DS record as part of proving that a
- * name is unsecure.
- *
- * If the DS record doesn't exist and the query name corresponds to
- * a delegation point we are transitioning from a secure zone to a
- * unsecure zone.
- *
- * If the DS record exists it will be secure. We can continue looking
- * for the break point in the chain of trust.
- */
- static void
- dsfetched2(isc_task_t *task, isc_event_t *event) {
- dns_fetchevent_t *devent;
- dns_validator_t *val;
- dns_name_t *tname;
- isc_boolean_t want_destroy;
- isc_result_t result;
- isc_result_t eresult;
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
- devent = (dns_fetchevent_t *)event;
- val = devent->ev_arg;
- eresult = devent->result;
- /* Free resources which are not of interest. */
- if (devent->node != NULL)
- dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
- dns_db_detach(&devent->db);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- dns_resolver_destroyfetch(&val->fetch);
- INSIST(val->event != NULL);
- validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2: %s",
- dns_result_totext(eresult));
- LOCK(&val->lock);
- if (CANCELED(val)) {
- validator_done(val, ISC_R_CANCELED);
- } else if (eresult == DNS_R_CNAME ||
- eresult == DNS_R_NXRRSET ||
- eresult == DNS_R_NCACHENXRRSET)
- {
- /*
- * There is no DS. If this is a delegation, we're done.
- */
- tname = dns_fixedname_name(&devent->foundname);
- if (eresult != DNS_R_CNAME &&
- isdelegation(tname, &val->frdataset, eresult)) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, no DS"
- " and this is a delegation");
- validator_done(val, DNS_R_MUSTBESECURE);
- } else if (val->view->dlv == NULL || DLVTRIED(val)) {
- markanswer(val, "dsfetched2");
- validator_done(val, ISC_R_SUCCESS);
- } else {
- result = startfinddlvsep(val, tname);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- }
- } else {
- result = proveunsecure(val, ISC_FALSE, ISC_TRUE);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- }
- } else if (eresult == ISC_R_SUCCESS ||
- eresult == DNS_R_NXDOMAIN ||
- eresult == DNS_R_NCACHENXDOMAIN)
- {
- /*
- * There is a DS which may or may not be a zone cut.
- * In either case we are still in a secure zone resume
- * validation.
- */
- result = proveunsecure(val, ISC_TF(eresult == ISC_R_SUCCESS),
- ISC_TRUE);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else {
- if (eresult == ISC_R_CANCELED)
- validator_done(val, eresult);
- else
- validator_done(val, DNS_R_NOVALIDDS);
- }
- isc_event_free(&event);
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
- }
- /*%
- * Callback from when a DNSKEY RRset has been validated.
- *
- * Resumes the stalled validation process.
- */
- static void
- keyvalidated(isc_task_t *task, isc_event_t *event) {
- dns_validatorevent_t *devent;
- dns_validator_t *val;
- isc_boolean_t want_destroy;
- isc_result_t result;
- isc_result_t eresult;
- isc_result_t saved_result;
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
- devent = (dns_validatorevent_t *)event;
- val = devent->ev_arg;
- eresult = devent->result;
- isc_event_free(&event);
- dns_validator_destroy(&val->subvalidator);
- INSIST(val->event != NULL);
- validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
- LOCK(&val->lock);
- if (CANCELED(val)) {
- validator_done(val, ISC_R_CANCELED);
- } else if (eresult == ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %s",
- dns_trust_totext(val->frdataset.trust));
- /*
- * Only extract the dst key if the keyset is secure.
- */
- if (val->frdataset.trust >= dns_trust_secure)
- (void) get_dst_key(val, val->siginfo, &val->frdataset);
- result = validate(val, ISC_TRUE);
- if (result == DNS_R_NOVALIDSIG &&
- (val->attributes & VALATTR_TRIEDVERIFY) == 0)
- {
- saved_result = result;
- validator_log(val, ISC_LOG_DEBUG(3),
- "falling back to insecurity proof");
- val->attributes |= VALATTR_INSECURITY;
- result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
- if (result == DNS_R_NOTINSECURE)
- result = saved_result;
- }
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else {
- if (eresult != DNS_R_BROKENCHAIN) {
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_expire(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_expire(&val->fsigrdataset);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "keyvalidated: got %s",
- isc_result_totext(eresult));
- validator_done(val, DNS_R_BROKENCHAIN);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
- }
- /*%
- * Callback when the DS record has been validated.
- *
- * Resumes validation of the zone key or the unsecure zone proof.
- */
- static void
- dsvalidated(isc_task_t *task, isc_event_t *event) {
- dns_validatorevent_t *devent;
- dns_validator_t *val;
- isc_boolean_t want_destroy;
- isc_result_t result;
- isc_result_t eresult;
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
- devent = (dns_validatorevent_t *)event;
- val = devent->ev_arg;
- eresult = devent->result;
- isc_event_free(&event);
- dns_validator_destroy(&val->subvalidator);
- INSIST(val->event != NULL);
- validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
- LOCK(&val->lock);
- if (CANCELED(val)) {
- validator_done(val, ISC_R_CANCELED);
- } else if (eresult == ISC_R_SUCCESS) {
- isc_boolean_t have_dsset;
- dns_name_t *name;
- validator_log(val, ISC_LOG_DEBUG(3),
- "%s with trust %s",
- val->frdataset.type == dns_rdatatype_ds ?
- "dsset" : "ds non-existance",
- dns_trust_totext(val->frdataset.trust));
- have_dsset = ISC_TF(val->frdataset.type == dns_rdatatype_ds);
- name = dns_fixedname_name(&val->fname);
- if ((val->attributes & VALATTR_INSECURITY) != 0 &&
- val->frdataset.covers == dns_rdatatype_ds &&
- NEGATIVE(&val->frdataset) &&
- isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, no DS "
- "and this is a delegation");
- result = DNS_R_MUSTBESECURE;
- } else if (val->view->dlv == NULL || DLVTRIED(val)) {
- markanswer(val, "dsvalidated");
- result = ISC_R_SUCCESS;;
- } else
- result = startfinddlvsep(val, name);
- } else if ((val->attributes & VALATTR_INSECURITY) != 0) {
- result = proveunsecure(val, have_dsset, ISC_TRUE);
- } else
- result = validatezonekey(val);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else {
- if (eresult != DNS_R_BROKENCHAIN) {
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_expire(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_expire(&val->fsigrdataset);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "dsvalidated: got %s",
- isc_result_totext(eresult));
- validator_done(val, DNS_R_BROKENCHAIN);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
- }
- /*%
- * Callback when the CNAME record has been validated.
- *
- * Resumes validation of the unsecure zone proof.
- */
- static void
- cnamevalidated(isc_task_t *task, isc_event_t *event) {
- dns_validatorevent_t *devent;
- dns_validator_t *val;
- isc_boolean_t want_destroy;
- isc_result_t result;
- isc_result_t eresult;
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
- devent = (dns_validatorevent_t *)event;
- val = devent->ev_arg;
- eresult = devent->result;
- isc_event_free(&event);
- dns_validator_destroy(&val->subvalidator);
- INSIST(val->event != NULL);
- INSIST((val->attributes & VALATTR_INSECURITY) != 0);
- validator_log(val, ISC_LOG_DEBUG(3), "in cnamevalidated");
- LOCK(&val->lock);
- if (CANCELED(val)) {
- validator_done(val, ISC_R_CANCELED);
- } else if (eresult == ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %s",
- dns_trust_totext(val->frdataset.trust));
- result = proveunsecure(val, ISC_FALSE, ISC_TRUE);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else {
- if (eresult != DNS_R_BROKENCHAIN) {
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_expire(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_expire(&val->fsigrdataset);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "cnamevalidated: got %s",
- isc_result_totext(eresult));
- validator_done(val, DNS_R_BROKENCHAIN);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
- }
- /*%
- * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
- * or we can determine whether there is data or not at the name.
- * If the name does not exist return the wildcard name.
- *
- * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
- */
- static isc_result_t
- nsecnoexistnodata(dns_validator_t *val, dns_name_t *name, dns_name_t *nsecname,
- dns_rdataset_t *nsecset, isc_boolean_t *exists,
- isc_boolean_t *data, dns_name_t *wild)
- {
- int order;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result;
- dns_namereln_t relation;
- unsigned int olabels, nlabels, labels;
- dns_rdata_nsec_t nsec;
- isc_boolean_t atparent;
- isc_boolean_t ns;
- isc_boolean_t soa;
- REQUIRE(exists != NULL);
- REQUIRE(data != NULL);
- REQUIRE(nsecset != NULL &&
- nsecset->type == dns_rdatatype_nsec);
- result = dns_rdataset_first(nsecset);
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "failure processing NSEC set");
- return (result);
- }
- dns_rdataset_current(nsecset, &rdata);
- validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant nsec");
- relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
- if (order < 0) {
- /*
- * The name is not within the NSEC range.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "NSEC does not cover name, before NSEC");
- return (ISC_R_IGNORE);
- }
- if (order == 0) {
- /*
- * The names are the same. If we are validating "."
- * then atparent should not be set as there is no parent.
- */
- atparent = (olabels != 1) &&
- dns_rdatatype_atparent(val->event->type);
- ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
- soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
- if (ns && !soa) {
- if (!atparent) {
- /*
- * This NSEC record is from somewhere higher in
- * the DNS, and at the parent of a delegation.
- * It can not be legitimately used here.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "ignoring parent nsec");
- return (ISC_R_IGNORE);
- }
- } else if (atparent && ns && soa) {
- /*
- * This NSEC record is from the child.
- * It can not be legitimately used here.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "ignoring child nsec");
- return (ISC_R_IGNORE);
- }
- if (val->event->type == dns_rdatatype_cname ||
- val->event->type == dns_rdatatype_nxt ||
- val->event->type == dns_rdatatype_nsec ||
- val->event->type == dns_rdatatype_key ||
- !dns_nsec_typepresent(&rdata, dns_rdatatype_cname)) {
- *exists = ISC_TRUE;
- *data = dns_nsec_typepresent(&rdata, val->event->type);
- validator_log(val, ISC_LOG_DEBUG(3),
- "nsec proves name exists (owner) data=%d",
- *data);
- return (ISC_R_SUCCESS);
- }
- validator_log(val, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
- return (ISC_R_IGNORE);
- }
- if (relation == dns_namereln_subdomain &&
- dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
- !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
- {
- /*
- * This NSEC record is from somewhere higher in
- * the DNS, and at the parent of a delegation.
- * It can not be legitimately used here.
- */
- validator_log(val, ISC_LOG_DEBUG(3), "ignoring parent nsec");
- return (ISC_R_IGNORE);
- }
- result = dns_rdata_tostruct(&rdata, &nsec, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
- if (order == 0) {
- dns_rdata_freestruct(&nsec);
- validator_log(val, ISC_LOG_DEBUG(3),
- "ignoring nsec matches next name");
- return (ISC_R_IGNORE);
- }
- if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
- /*
- * The name is not within the NSEC range.
- */
- dns_rdata_freestruct(&nsec);
- validator_log(val, ISC_LOG_DEBUG(3),
- "ignoring nsec because name is past end of range");
- return (ISC_R_IGNORE);
- }
- if (order > 0 && relation == dns_namereln_subdomain) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "nsec proves name exist (empty)");
- dns_rdata_freestruct(&nsec);
- *exists = ISC_TRUE;
- *data = ISC_FALSE;
- return (ISC_R_SUCCESS);
- }
- if (wild != NULL) {
- dns_name_t common;
- dns_name_init(&common, NULL);
- if (olabels > nlabels) {
- labels = dns_name_countlabels(nsecname);
- dns_name_getlabelsequence(nsecname, labels - olabels,
- olabels, &common);
- } else {
- labels = dns_name_countlabels(&nsec.next);
- dns_name_getlabelsequence(&nsec.next, labels - nlabels,
- nlabels, &common);
- }
- result = dns_name_concatenate(dns_wildcardname, &common,
- wild, NULL);
- if (result != ISC_R_SUCCESS) {
- dns_rdata_freestruct(&nsec);
- validator_log(val, ISC_LOG_DEBUG(3),
- "failure generating wildcard name");
- return (result);
- }
- }
- dns_rdata_freestruct(&nsec);
- validator_log(val, ISC_LOG_DEBUG(3), "nsec range ok");
- *exists = ISC_FALSE;
- return (ISC_R_SUCCESS);
- }
- static isc_result_t
- nsec3noexistnodata(dns_validator_t *val, dns_name_t* name,
- dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
- dns_name_t *zonename, isc_boolean_t *exists,
- isc_boolean_t *data, isc_boolean_t *optout,
- isc_boolean_t *unknown, isc_boolean_t *setclosest,
- isc_boolean_t *setnearest, dns_name_t *closest,
- dns_name_t *nearest)
- {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_fixedname_t fzone;
- dns_fixedname_t qfixed;
- dns_label_t hashlabel;
- dns_name_t *qname;
- dns_name_t *zone;
- dns_rdata_nsec3_t nsec3;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- int order;
- int scope;
- isc_boolean_t atparent;
- isc_boolean_t first;
- isc_boolean_t ns;
- isc_boolean_t soa;
- isc_buffer_t buffer;
- isc_result_t answer = ISC_R_IGNORE;
- isc_result_t result;
- unsigned char hash[NSEC3_MAX_HASH_LENGTH];
- unsigned char owner[NSEC3_MAX_HASH_LENGTH];
- unsigned int length;
- unsigned int qlabels;
- unsigned int zlabels;
- REQUIRE((exists == NULL && data == NULL) ||
- (exists != NULL && data != NULL));
- REQUIRE(nsec3set != NULL && nsec3set->type == dns_rdatatype_nsec3);
- REQUIRE((setclosest == NULL && closest == NULL) ||
- (setclosest != NULL && closest != NULL));
- REQUIRE((setnearest == NULL && nearest == NULL) ||
- (setnearest != NULL && nearest != NULL));
- result = dns_rdataset_first(nsec3set);
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "failure processing NSEC3 set");
- return (result);
- }
- dns_rdataset_current(nsec3set, &rdata);
- result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant NSEC3");
- dns_fixedname_init(&fzone);
- zone = dns_fixedname_name(&fzone);
- zlabels = dns_name_countlabels(nsec3name);
- /*
- * NSEC3 records must have two or more labels to be valid.
- */
- if (zlabels < 2)
- return (ISC_R_IGNORE);
- /*
- * Strip off the NSEC3 hash to get the zone.
- */
- zlabels--;
- dns_name_split(nsec3name, zlabels, NULL, zone);
- /*
- * If not below the zone name we can ignore this record.
- */
- if (!dns_name_issubdomain(name, zone))
- return (ISC_R_IGNORE);
- /*
- * Is this zone the same or deeper than the current zone?
- */
- if (dns_name_countlabels(zonename) == 0 ||
- dns_name_issubdomain(zone, zonename))
- dns_name_copy(zone, zonename, NULL);
- if (!dns_name_equal(zone, zonename))
- return (ISC_R_IGNORE);
- /*
- * Are we only looking for the most enclosing zone?
- */
- if (exists == NULL || data == NULL)
- return (ISC_R_SUCCESS);
- /*
- * Only set unknown once we are sure that this NSEC3 is from
- * the deepest covering zone.
- */
- if (!dns_nsec3_supportedhash(nsec3.hash)) {
- if (unknown != NULL)
- *unknown = ISC_TRUE;
- return (ISC_R_IGNORE);
- }
- /*
- * Recover the hash from the first label.
- */
- dns_name_getlabel(nsec3name, 0, &hashlabel);
- isc_region_consume(&hashlabel, 1);
- isc_buffer_init(&buffer, owner, sizeof(owner));
- result = isc_base32hex_decoderegion(&hashlabel, &buffer);
- if (result != ISC_R_SUCCESS)
- return (result);
- /*
- * The hash lengths should match. If not ignore the record.
- */
- if (isc_buffer_usedlength(&buffer) != nsec3.next_length)
- return (ISC_R_IGNORE);
- /*
- * Work out what this NSEC3 covers.
- * Inside (<0) or outside (>=0).
- */
- scope = memcmp(owner, nsec3.next, nsec3.next_length);
- /*
- * Prepare to compute all the hashes.
- */
- dns_fixedname_init(&qfixed);
- qname = dns_fixedname_name(&qfixed);
- dns_name_downcase(name, qname, NULL);
- qlabels = dns_name_countlabels(qname);
- first = ISC_TRUE;
- while (qlabels >= zlabels) {
- length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations,
- nsec3.salt, nsec3.salt_length,
- qname->ndata, qname->length);
- /*
- * The computed hash length should match.
- */
- if (length != nsec3.next_length) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "ignoring NSEC bad length %u vs %u",
- length, nsec3.next_length);
- return (ISC_R_IGNORE);
- }
- order = memcmp(hash, owner, length);
- if (first && order == 0) {
- /*
- * The hashes are the same.
- */
- atparent = dns_rdatatype_atparent(val->event->type);
- ns = dns_nsec3_typepresent(&rdata, dns_rdatatype_ns);
- soa = dns_nsec3_typepresent(&rdata, dns_rdatatype_soa);
- if (ns && !soa) {
- if (!atparent) {
- /*
- * This NSEC3 record is from somewhere
- * higher in the DNS, and at the
- * parent of a delegation. It can not
- * be legitimately used here.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "ignoring parent NSEC3");
- return (ISC_R_IGNORE);
- }
- } else if (atparent && ns && soa) {
- /*
- * This NSEC3 record is from the child.
- * It can not be legitimately used here.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "ignoring child NSEC3");
- return (ISC_R_IGNORE);
- }
- if (val->event->type == dns_rdatatype_cname ||
- val->event->type == dns_rdatatype_nxt ||
- val->event->type == dns_rdatatype_nsec ||
- val->event->type == dns_rdatatype_key ||
- !dns_nsec3_typepresent(&rdata, dns_rdatatype_cname)) {
- *exists = ISC_TRUE;
- *data = dns_nsec3_typepresent(&rdata,
- val->event->type);
- validator_log(val, ISC_LOG_DEBUG(3),
- "NSEC3 proves name exists (owner) "
- "data=%d", *data);
- return (ISC_R_SUCCESS);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "NSEC3 proves CNAME exists");
- return (ISC_R_IGNORE);
- }
- if (order == 0 &&
- dns_nsec3_typepresent(&rdata, dns_rdatatype_ns) &&
- !dns_nsec3_typepresent(&rdata, dns_rdatatype_soa))
- {
- /*
- * This NSEC3 record is from somewhere higher in
- * the DNS, and at the parent of a delegation.
- * It can not be legitimately used here.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "ignoring parent NSEC3");
- return (ISC_R_IGNORE);
- }
- /*
- * Potential closest encloser.
- */
- if (order == 0) {
- if (closest != NULL &&
- (dns_name_countlabels(closest) == 0 ||
- dns_name_issubdomain(qname, closest)) &&
- !dns_nsec3_typepresent(&rdata, dns_rdatatype_ds) &&
- !dns_nsec3_typepresent(&rdata, dns_rdatatype_dname) &&
- (dns_nsec3_typepresent(&rdata, dns_rdatatype_soa) ||
- !dns_nsec3_typepresent(&rdata, dns_rdatatype_ns)))
- {
- dns_name_format(qname, namebuf,
- sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3),
- "NSEC3 indicates potential "
- "closest encloser: '%s'",
- namebuf);
- dns_name_copy(qname, closest, NULL);
- *setclosest = ISC_TRUE;
- }
- dns_name_format(qname, namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3),
- "NSEC3 at super-domain %s", namebuf);
- return (answer);
- }
- /*
- * Find if the name does not exist.
- *
- * We continue as we need to find the name closest to the
- * closest encloser that doesn't exist.
- *
- * We also need to continue to ensure that we are not
- * proving the non-existence of a record in a sub-zone.
- * If that would be the case we will return ISC_R_IGNORE
- * above.
- */
- if ((scope < 0 && order > 0 &&
- memcmp(hash, nsec3.next, length) < 0) ||
- (scope >= 0 && (order > 0 ||
- memcmp(hash, nsec3.next, length) < 0)))
- {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(qname, namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3), "NSEC3 proves "
- "name does not exist: '%s'", namebuf);
- if (nearest != NULL &&
- (dns_name_countlabels(nearest) == 0 ||
- dns_name_issubdomain(nearest, qname))) {
- dns_name_copy(qname, nearest, NULL);
- *setnearest = ISC_TRUE;
- }
- *exists = ISC_FALSE;
- *data = ISC_FALSE;
- if (optout != NULL) {
- if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0)
- validator_log(val, ISC_LOG_DEBUG(3),
- "NSEC3 indicates optout");
- *optout =
- ISC_TF(nsec3.flags & DNS_NSEC3FLAG_OPTOUT);
- }
- answer = ISC_R_SUCCESS;
- }
- qlabels--;
- if (qlabels > 0)
- dns_name_split(qname, qlabels, NULL, qname);
- first = ISC_FALSE;
- }
- return (answer);
- }
- /*%
- * Callback for when NSEC records have been validated.
- *
- * Looks for NOQNAME, NODATA and OPTOUT proofs.
- *
- * Resumes nsecvalidate.
- */
- static void
- authvalidated(isc_task_t *task, isc_event_t *event) {
- dns_validatorevent_t *devent;
- dns_validator_t *val;
- dns_rdataset_t *rdataset;
- isc_boolean_t want_destroy;
- isc_result_t result;
- isc_boolean_t exists, data;
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
- devent = (dns_validatorevent_t *)event;
- rdataset = devent->rdataset;
- val = devent->ev_arg;
- result = devent->result;
- dns_validator_destroy(&val->subvalidator);
- INSIST(val->event != NULL);
- validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
- LOCK(&val->lock);
- if (CANCELED(val)) {
- validator_done(val, ISC_R_CANCELED);
- } else if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "authvalidated: got %s",
- isc_result_totext(result));
- if (result == DNS_R_BROKENCHAIN)
- val->authfail++;
- if (result == ISC_R_CANCELED)
- validator_done(val, result);
- else {
- result = nsecvalidate(val, ISC_TRUE);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- }
- } else {
- dns_name_t **proofs = val->event->proofs;
- dns_name_t *wild = dns_fixedname_name(&val->wild);
- if (rdataset->trust == dns_trust_secure)
- val->seensig = ISC_TRUE;
- if (rdataset->type == dns_rdatatype_nsec &&
- rdataset->trust == dns_trust_secure &&
- (NEEDNODATA(val) || NEEDNOQNAME(val)) &&
- !FOUNDNODATA(val) && !FOUNDNOQNAME(val) &&
- nsecnoexistnodata(val, val->event->name, devent->name,
- rdataset, &exists, &data, wild)
- == ISC_R_SUCCESS)
- {
- if (exists && !data) {
- val->attributes |= VALATTR_FOUNDNODATA;
- if (NEEDNODATA(val))
- proofs[DNS_VALIDATOR_NODATAPROOF] =
- devent->name;
- }
- if (!exists) {
- val->attributes |= VALATTR_FOUNDNOQNAME;
- val->attributes |= VALATTR_FOUNDCLOSEST;
- /*
- * The NSEC noqname proof also contains
- * the closest encloser.
- */
- if (NEEDNOQNAME(val))
- proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
- devent->name;
- }
- }
- result = nsecvalidate(val, ISC_TRUE);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
- /*
- * Free stuff from the event.
- */
- isc_event_free(&event);
- }
- /*%
- * Looks for the requested name and type in the view (zones and cache).
- *
- * When looking for a DLV record also checks to make sure the NSEC record
- * returns covers the query name as part of aggressive negative caching.
- *
- * Returns:
- * \li ISC_R_SUCCESS
- * \li ISC_R_NOTFOUND
- * \li DNS_R_NCACHENXDOMAIN
- * \li DNS_R_NCACHENXRRSET
- * \li DNS_R_NXRRSET
- * \li DNS_R_NXDOMAIN
- * \li DNS_R_BROKENCHAIN
- */
- static inline isc_result_t
- view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
- dns_fixedname_t fixedname;
- dns_name_t *foundname;
- dns_rdata_nsec_t nsec;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result;
- unsigned int options;
- isc_time_t now;
- char buf1[DNS_NAME_FORMATSIZE];
- char buf2[DNS_NAME_FORMATSIZE];
- char buf3[DNS_NAME_FORMATSIZE];
- char namebuf[DNS_NAME_FORMATSIZE];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- if (val->view->zonetable == NULL)
- return (ISC_R_CANCELED);
- if (isc_time_now(&now) == ISC_R_SUCCESS &&
- dns_resolver_getbadcache(val->view->resolver, name, type, &now)) {
- dns_name_format(name, namebuf, sizeof(namebuf));
- dns_rdatatype_format(type, typebuf, sizeof(typebuf));
- validator_log(val, ISC_LOG_INFO, "bad cache hit (%s/%s)",
- namebuf, typebuf);
- return (DNS_R_BROKENCHAIN);
- }
- options = DNS_DBFIND_PENDINGOK;
- if (type == dns_rdatatype_dlv)
- options |= DNS_DBFIND_COVERINGNSEC;
- dns_fixedname_init(&fixedname);
- foundname = dns_fixedname_name(&fixedname);
- result = dns_view_find(val->view, name, type, 0, options,
- ISC_FALSE, NULL, NULL, foundname,
- &val->frdataset, &val->fsigrdataset);
- if (result == DNS_R_NXDOMAIN) {
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- } else if (result == DNS_R_COVERINGNSEC) {
- validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC");
- /*
- * Check if the returned NSEC covers the name.
- */
- INSIST(type == dns_rdatatype_dlv);
- if (val->frdataset.trust != dns_trust_secure) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec: trust %s",
- dns_trust_totext(val->frdataset.trust));
- goto notfound;
- }
- result = dns_rdataset_first(&val->frdataset);
- if (result != ISC_R_SUCCESS)
- goto notfound;
- dns_rdataset_current(&val->frdataset, &rdata);
- if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
- !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) {
- /* Parent NSEC record. */
- if (dns_name_issubdomain(name, foundname)) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec: for parent");
- goto notfound;
- }
- }
- result = dns_rdata_tostruct(&rdata, &nsec, NULL);
- if (result != ISC_R_SUCCESS)
- goto notfound;
- if (dns_name_compare(foundname, &nsec.next) >= 0) {
- /* End of zone chain. */
- if (!dns_name_issubdomain(name, &nsec.next)) {
- /*
- * XXXMPA We could look for a parent NSEC
- * at nsec.next and if found retest with
- * this NSEC.
- */
- dns_rdata_freestruct(&nsec);
- validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec: not in zone");
- goto notfound;
- }
- } else if (dns_name_compare(name, &nsec.next) >= 0) {
- /*
- * XXXMPA We could check if this NSEC is at a zone
- * apex and if the qname is not below it and look for
- * a parent NSEC with the same name. This requires
- * that we can cache both NSEC records which we
- * currently don't support.
- */
- dns_rdata_freestruct(&nsec);
- validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec: not in range");
- goto notfound;
- }
- if (isc_log_wouldlog(dns_lctx,ISC_LOG_DEBUG(3))) {
- dns_name_format(name, buf1, sizeof buf1);
- dns_name_format(foundname, buf2, sizeof buf2);
- dns_name_format(&nsec.next, buf3, sizeof buf3);
- validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec found: '%s' '%s' '%s'",
- buf1, buf2, buf3);
- }
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- dns_rdata_freestruct(&nsec);
- result = DNS_R_NCACHENXDOMAIN;
- } else if (result != ISC_R_SUCCESS &&
- result != DNS_R_NCACHENXDOMAIN &&
- result != DNS_R_NCACHENXRRSET &&
- result != DNS_R_EMPTYNAME &&
- result != DNS_R_NXRRSET &&
- result != ISC_R_NOTFOUND) {
- goto notfound;
- }
- return (result);
- notfound:
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- return (ISC_R_NOTFOUND);
- }
- /*%
- * Checks to make sure we are not going to loop. As we use a SHARED fetch
- * the validation process will stall if looping was to occur.
- */
- static inline isc_boolean_t
- check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
- {
- dns_validator_t *parent;
- for (parent = val; parent != NULL; parent = parent->parent) {
- if (parent->event != NULL &&
- parent->event->type == type &&
- dns_name_equal(parent->event->name, name) &&
- /*
- * As NSEC3 records are meta data you sometimes
- * need to prove a NSEC3 record which says that
- * itself doesn't exist.
- */
- (parent->event->type != dns_rdatatype_nsec3 ||
- rdataset == NULL || sigrdataset == NULL ||
- parent->event->message == NULL ||
- parent->event->rdataset != NULL ||
- parent->event->sigrdataset != NULL))
- {
- validator_log(val, ISC_LOG_DEBUG(3),
- "continuing validation would lead to "
- "deadlock: aborting validation");
- return (ISC_TRUE);
- }
- }
- return (ISC_FALSE);
- }
- /*%
- * Start a fetch for the requested name and type.
- */
- static inline isc_result_t
- create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
- isc_taskaction_t callback, const char *caller)
- {
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- if (check_deadlock(val, name, type, NULL, NULL)) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "deadlock found (create_fetch)");
- return (DNS_R_NOVALIDSIG);
- }
- validator_logcreate(val, name, type, caller, "fetch");
- return (dns_resolver_createfetch(val->view->resolver, name, type,
- NULL, NULL, NULL, 0,
- val->event->ev_sender,
- callback, val,
- &val->frdataset,
- &val->fsigrdataset,
- &val->fetch));
- }
- /*%
- * Start a subvalidation process.
- */
- static inline isc_result_t
- create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
- isc_taskaction_t action, const char *caller)
- {
- isc_result_t result;
- if (check_deadlock(val, name, type, rdataset, sigrdataset)) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "deadlock found (create_validator)");
- return (DNS_R_NOVALIDSIG);
- }
- validator_logcreate(val, name, type, caller, "validator");
- result = dns_validator_create(val->view, name, type,
- rdataset, sigrdataset, NULL, 0,
- val->task, action, val,
- &val->subvalidator);
- if (result == ISC_R_SUCCESS) {
- val->subvalidator->parent = val;
- val->subvalidator->depth = val->depth + 1;
- }
- return (result);
- }
- /*%
- * Try to find a key that could have signed 'siginfo' among those
- * in 'rdataset'. If found, build a dst_key_t for it and point
- * val->key at it.
- *
- * If val->key is non-NULL, this returns the next matching key.
- */
- static isc_result_t
- get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
- dns_rdataset_t *rdataset)
- {
- isc_result_t result;
- isc_buffer_t b;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dst_key_t *oldkey = val->key;
- isc_boolean_t foundold;
- if (oldkey == NULL)
- foundold = ISC_TRUE;
- else {
- foundold = ISC_FALSE;
- val->key = NULL;
- }
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- goto failure;
- do {
- dns_rdataset_current(rdataset, &rdata);
- isc_buffer_init(&b, rdata.data, rdata.length);
- isc_buffer_add(&b, rdata.length);
- INSIST(val->key == NULL);
- result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
- val->view->mctx, &val->key);
- if (result != ISC_R_SUCCESS)
- goto failure;
- if (siginfo->algorithm ==
- (dns_secalg_t)dst_key_alg(val->key) &&
- siginfo->keyid ==
- (dns_keytag_t)dst_key_id(val->key) &&
- dst_key_iszonekey(val->key))
- {
- if (foundold)
- /*
- * This is the key we're looking for.
- */
- return (ISC_R_SUCCESS);
- else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
- {
- foundold = ISC_TRUE;
- dst_key_free(&oldkey);
- }
- }
- dst_key_free(&val->key);
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(rdataset);
- } while (result == ISC_R_SUCCESS);
- if (result == ISC_R_NOMORE)
- result = ISC_R_NOTFOUND;
- failure:
- if (oldkey != NULL)
- dst_key_free(&oldkey);
- return (result);
- }
- /*%
- * Get the key that generated this signature.
- */
- static isc_result_t
- get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
- isc_result_t result;
- unsigned int nlabels;
- int order;
- dns_namereln_t namereln;
- /*
- * Is the signer name appropriate for this signature?
- *
- * The signer name must be at the same level as the owner name
- * or closer to the DNS root.
- */
- namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
- &order, &nlabels);
- if (namereln != dns_namereln_subdomain &&
- namereln != dns_namereln_equal)
- return (DNS_R_CONTINUE);
- if (namereln == dns_namereln_equal) {
- /*
- * If this is a self-signed keyset, it must not be a zone key
- * (since get_key is not called from validatezonekey).
- */
- if (val->event->rdataset->type == dns_rdatatype_dnskey)
- return (DNS_R_CONTINUE);
- /*
- * Records appearing in the parent zone at delegation
- * points cannot be self-signed.
- */
- if (dns_rdatatype_atparent(val->event->rdataset->type))
- return (DNS_R_CONTINUE);
- } else {
- /*
- * SOA and NS RRsets can only be signed by a key with
- * the same name.
- */
- if (val->event->rdataset->type == dns_rdatatype_soa ||
- val->event->rdataset->type == dns_rdatatype_ns) {
- const char *typename;
- if (val->event->rdataset->type == dns_rdatatype_soa)
- typename = "SOA";
- else
- typename = "NS";
- validator_log(val, ISC_LOG_DEBUG(3),
- "%s signer mismatch", typename);
- return (DNS_R_CONTINUE);
- }
- }
- /*
- * Do we know about this key?
- */
- result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
- if (result == ISC_R_SUCCESS) {
- /*
- * We have an rrset for the given keyname.
- */
- val->keyset = &val->frdataset;
- if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
- DNS_TRUST_ANSWER(val->frdataset.trust)) &&
- dns_rdataset_isassociated(&val->fsigrdataset))
- {
- /*
- * We know the key but haven't validated it yet or
- * we have a key of trust answer but a DS/DLV
- * record for the zone may have been added.
- */
- result = create_validator(val, &siginfo->signer,
- dns_rdatatype_dnskey,
- &val->frdataset,
- &val->fsigrdataset,
- keyvalidated,
- "get_key");
- if (result != ISC_R_SUCCESS)
- return (result);
- return (DNS_R_WAIT);
- } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
- /*
- * Having a pending key with no signature means that
- * something is broken.
- */
- result = DNS_R_CONTINUE;
- } else if (val->frdataset.trust < dns_trust_secure) {
- /*
- * The key is legitimately insecure. There's no
- * point in even attempting verification.
- */
- val->key = NULL;
- result = ISC_R_SUCCESS;
- } else {
- /*
- * See if we've got the key used in the signature.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %s",
- dns_trust_totext(val->frdataset.trust));
- result = get_dst_key(val, siginfo, val->keyset);
- if (result != ISC_R_SUCCESS) {
- /*
- * Either the key we're looking for is not
- * in the rrset, or something bad happened.
- * Give up.
- */
- result = DNS_R_CONTINUE;
- }
- }
- } else if (result == ISC_R_NOTFOUND) {
- /*
- * We don't know anything about this key.
- */
- result = create_fetch(val, &siginfo->signer,
- dns_rdatatype_dnskey,
- fetch_callback_validator, "get_key");
- if (result != ISC_R_SUCCESS)
- return (result);
- return (DNS_R_WAIT);
- } else if (result == DNS_R_NCACHENXDOMAIN ||
- result == DNS_R_NCACHENXRRSET ||
- result == DNS_R_EMPTYNAME ||
- result == DNS_R_NXDOMAIN ||
- result == DNS_R_NXRRSET)
- {
- /*
- * This key doesn't exist.
- */
- result = DNS_R_CONTINUE;
- } else if (result == DNS_R_BROKENCHAIN)
- return (result);
- if (dns_rdataset_isassociated(&val->frdataset) &&
- val->keyset != &val->frdataset)
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- return (result);
- }
- static dns_keytag_t
- compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
- isc_region_t r;
- dns_rdata_toregion(rdata, &r);
- return (dst_region_computeid(&r, key->algorithm));
- }
- /*%
- * Is this keyset self-signed?
- */
- static isc_boolean_t
- isselfsigned(dns_validator_t *val) {
- dns_fixedname_t fixed;
- dns_rdataset_t *rdataset, *sigrdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
- dns_rdata_dnskey_t key;
- dns_rdata_rrsig_t sig;
- dns_keytag_t keytag;
- dns_name_t *name;
- isc_result_t result;
- dst_key_t *dstkey;
- isc_mem_t *mctx;
- isc_boolean_t answer = ISC_FALSE;
- rdataset = val->event->rdataset;
- sigrdataset = val->event->sigrdataset;
- name = val->event->name;
- mctx = val->view->mctx;
- INSIST(rdataset->type == dns_rdatatype_dnskey);
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset))
- {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &key, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- keytag = compute_keytag(&rdata, &key);
- for (result = dns_rdataset_first(sigrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(sigrdataset))
- {
- dns_rdata_reset(&sigrdata);
- dns_rdataset_current(sigrdataset, &sigrdata);
- result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (sig.algorithm != key.algorithm ||
- sig.keyid != keytag ||
- !dns_name_equal(name, &sig.signer))
- continue;
- dstkey = NULL;
- result = dns_dnssec_keyfromrdata(name, &rdata, mctx,
- &dstkey);
- if (result != ISC_R_SUCCESS)
- continue;
- result = dns_dnssec_verify2(name, rdataset, dstkey,
- ISC_TRUE, mctx, &sigrdata,
- dns_fixedname_name(&fixed));
- dst_key_free(&dstkey);
- if (result != ISC_R_SUCCESS)
- continue;
- if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) {
- answer = ISC_TRUE;
- continue;
- }
- dns_view_untrust(val->view, name, &key, mctx);
- }
- }
- return (answer);
- }
- /*%
- * Attempt to verify the rdataset using the given key and rdata (RRSIG).
- * The signature was good and from a wildcard record and the QNAME does
- * not match the wildcard we need to look for a NOQNAME proof.
- *
- * Returns:
- * \li ISC_R_SUCCESS if the verification succeeds.
- * \li Others if the verification fails.
- */
- static isc_result_t
- verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
- isc_uint16_t keyid)
- {
- isc_result_t result;
- dns_fixedname_t fixed;
- isc_boolean_t ignore = ISC_FALSE;
- dns_name_t *wild;
- val->attributes |= VALATTR_TRIEDVERIFY;
- dns_fixedname_init(&fixed);
- wild = dns_fixedname_name(&fixed);
- again:
- result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
- key, ignore, val->view->mctx, rdata, wild);
- if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) &&
- val->view->acceptexpired)
- {
- ignore = ISC_TRUE;
- goto again;
- }
- if (ignore && (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD))
- validator_log(val, ISC_LOG_INFO,
- "accepted expired %sRRSIG (keyid=%u)",
- (result == DNS_R_FROMWILDCARD) ?
- "wildcard " : "", keyid);
- else if (result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE)
- validator_log(val, ISC_LOG_INFO,
- "verify failed due to bad signature (keyid=%u): "
- "%s", keyid, isc_result_totext(result));
- else
- validator_log(val, ISC_LOG_DEBUG(3),
- "verify rdataset (keyid=%u): %s",
- keyid, isc_result_totext(result));
- if (result == DNS_R_FROMWILDCARD) {
- if (!dns_name_equal(val->event->name, wild)) {
- dns_name_t *closest;
- unsigned int labels;
- /*
- * Compute the closest encloser in case we need it
- * for the NSEC3 NOQNAME proof.
- */
- closest = dns_fixedname_name(&val->closest);
- dns_name_copy(wild, closest, NULL);
- labels = dns_name_countlabels(closest) - 1;
- dns_name_getlabelsequence(closest, 1, labels, closest);
- val->attributes |= VALATTR_NEEDNOQNAME;
- }
- result = ISC_R_SUCCESS;
- }
- return (result);
- }
- /*%
- * Attempts positive response validation of a normal RRset.
- *
- * Returns:
- * \li ISC_R_SUCCESS Validation completed successfully
- * \li DNS_R_WAIT Validation has started but is waiting
- * for an event.
- * \li Other return codes are possible and all indicate failure.
- */
- static isc_result_t
- validate(dns_validator_t *val, isc_boolean_t resume) {
- isc_result_t result;
- dns_validatorevent_t *event;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- /*
- * Caller must be holding the validator lock.
- */
- event = val->event;
- if (resume) {
- /*
- * We already have a sigrdataset.
- */
- result = ISC_R_SUCCESS;
- validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
- } else {
- result = dns_rdataset_first(event->sigrdataset);
- }
- for (;
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(event->sigrdataset))
- {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(event->sigrdataset, &rdata);
- if (val->siginfo == NULL) {
- val->siginfo = isc_mem_get(val->view->mctx,
- sizeof(*val->siginfo));
- if (val->siginfo == NULL)
- return (ISC_R_NOMEMORY);
- }
- result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- /*
- * At this point we could check that the signature algorithm
- * was known and "sufficiently good".
- */
- if (!dns_resolver_algorithm_supported(val->view->resolver,
- event->name,
- val->siginfo->algorithm)) {
- resume = ISC_FALSE;
- continue;
- }
- if (!resume) {
- result = get_key(val, val->siginfo);
- if (result == DNS_R_CONTINUE)
- continue; /* Try the next SIG RR. */
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- /*
- * There isn't a secure DNSKEY for this signature so move
- * onto the next RRSIG.
- */
- if (val->key == NULL) {
- resume = ISC_FALSE;
- continue;
- }
- do {
- result = verify(val, val->key, &rdata,
- val->siginfo->keyid);
- if (result == ISC_R_SUCCESS)
- break;
- if (val->keynode != NULL) {
- dns_keynode_t *nextnode = NULL;
- result = dns_keytable_findnextkeynode(
- val->keytable,
- val->keynode,
- &nextnode);
- dns_keytable_detachkeynode(val->keytable,
- &val->keynode);
- val->keynode = nextnode;
- if (result != ISC_R_SUCCESS) {
- val->key = NULL;
- break;
- }
- val->key = dns_keynode_key(val->keynode);
- if (val->key == NULL)
- break;
- } else {
- if (get_dst_key(val, val->siginfo, val->keyset)
- != ISC_R_SUCCESS)
- break;
- }
- } while (1);
- if (result != ISC_R_SUCCESS)
- validator_log(val, ISC_LOG_DEBUG(3),
- "failed to verify rdataset");
- else {
- isc_uint32_t ttl;
- isc_stdtime_t now;
- isc_stdtime_get(&now);
- ttl = ISC_MIN(event->rdataset->ttl,
- ISC_MIN(val->siginfo->originalttl,
- val->siginfo->timeexpire - now));
- event->rdataset->ttl = ttl;
- event->sigrdataset->ttl = ttl;
- }
- if (val->keynode != NULL)
- dns_keytable_detachkeynode(val->keytable,
- &val->keynode);
- else {
- if (val->key != NULL)
- dst_key_free(&val->key);
- if (val->keyset != NULL) {
- dns_rdataset_disassociate(val->keyset);
- val->keyset = NULL;
- }
- }
- val->key = NULL;
- if (NEEDNOQNAME(val)) {
- if (val->event->message == NULL) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "no message available for noqname proof");
- return (DNS_R_NOVALIDSIG);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "looking for noqname proof");
- return (nsecvalidate(val, ISC_FALSE));
- } else if (result == ISC_R_SUCCESS) {
- marksecure(event);
- validator_log(val, ISC_LOG_DEBUG(3),
- "marking as secure, "
- "noqname proof not needed");
- return (result);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3),
- "verify failure: %s",
- isc_result_totext(result));
- resume = ISC_FALSE;
- }
- }
- if (result != ISC_R_NOMORE) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "failed to iterate signatures: %s",
- isc_result_totext(result));
- return (result);
- }
- validator_log(val, ISC_LOG_INFO, "no valid signature found");
- return (DNS_R_NOVALIDSIG);
- }
- /*%
- * Check whether this DNSKEY (keyrdata) signed the DNSKEY RRset
- * (val->event->rdataset).
- */
- static isc_result_t
- checkkey(dns_validator_t *val, dns_rdata_t *keyrdata, isc_uint16_t keyid,
- dns_secalg_t algorithm)
- {
- dns_rdata_rrsig_t sig;
- dst_key_t *dstkey = NULL;
- isc_result_t result;
- for (result = dns_rdataset_first(val->event->sigrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(val->event->sigrdataset))
- {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_current(val->event->sigrdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &sig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (keyid != sig.keyid || algorithm != sig.algorithm)
- continue;
- if (dstkey == NULL) {
- result = dns_dnssec_keyfromrdata(val->event->name,
- keyrdata,
- val->view->mctx,
- &dstkey);
- if (result != ISC_R_SUCCESS)
- /*
- * This really shouldn't happen, but...
- */
- continue;
- }
- result = verify(val, dstkey, &rdata, sig.keyid);
- if (result == ISC_R_SUCCESS)
- break;
- }
- if (dstkey != NULL)
- dst_key_free(&dstkey);
- return (result);
- }
- /*%
- * Find the DNSKEY that corresponds to the DS.
- */
- static isc_result_t
- keyfromds(dns_validator_t *val, dns_rdataset_t *rdataset, dns_rdata_t *dsrdata,
- isc_uint8_t digest, isc_uint16_t keyid, dns_secalg_t algorithm,
- dns_rdata_t *keyrdata)
- {
- dns_keytag_t keytag;
- dns_rdata_dnskey_t key;
- isc_result_t result;
- unsigned char dsbuf[DNS_DS_BUFFERSIZE];
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset))
- {
- dns_rdata_t newdsrdata = DNS_RDATA_INIT;
- dns_rdata_reset(keyrdata);
- dns_rdataset_current(rdataset, keyrdata);
- result = dns_rdata_tostruct(keyrdata, &key, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- keytag = compute_keytag(keyrdata, &key);
- if (keyid != keytag || algorithm != key.algorithm)
- continue;
- dns_rdata_reset(&newdsrdata);
- result = dns_ds_buildrdata(val->event->name, keyrdata, digest,
- dsbuf, &newdsrdata);
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "dns_ds_buildrdata() -> %s",
- dns_result_totext(result));
- continue;
- }
- if (dns_rdata_compare(dsrdata, &newdsrdata) == 0)
- break;
- }
- return (result);
- }
- /*%
- * Validate the DNSKEY RRset by looking for a DNSKEY that matches a
- * DLV record and that also verifies the DNSKEY RRset.
- */
- static isc_result_t
- dlv_validatezonekey(dns_validator_t *val) {
- dns_rdata_dlv_t dlv;
- dns_rdata_t dlvrdata = DNS_RDATA_INIT;
- dns_rdata_t keyrdata = DNS_RDATA_INIT;
- dns_rdataset_t trdataset;
- isc_boolean_t supported_algorithm;
- isc_result_t result;
- char digest_types[256];
- validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
- /*
- * Look through the DLV record and find the keys that can sign the
- * key set and the matching signature. For each such key, attempt
- * verification.
- */
- supported_algorithm = ISC_FALSE;
- /*
- * If DNS_DSDIGEST_SHA256 is present we are required to prefer
- * it over DNS_DSDIGEST_SHA1. This in practice means that we
- * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
- * is present.
- */
- memset(digest_types, 1, sizeof(digest_types));
- for (result = dns_rdataset_first(&val->dlv);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&val->dlv)) {
- dns_rdata_reset(&dlvrdata);
- dns_rdataset_current(&val->dlv, &dlvrdata);
- result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (!dns_resolver_algorithm_supported(val->view->resolver,
- val->event->name,
- dlv.algorithm))
- continue;
- if (dlv.digest_type == DNS_DSDIGEST_SHA256 &&
- dlv.length == ISC_SHA256_DIGESTLENGTH) {
- digest_types[DNS_DSDIGEST_SHA1] = 0;
- break;
- }
- }
- for (result = dns_rdataset_first(&val->dlv);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&val->dlv))
- {
- dns_rdata_reset(&dlvrdata);
- dns_rdataset_current(&val->dlv, &dlvrdata);
- result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (!dns_resolver_digest_supported(val->view->resolver,
- dlv.digest_type))
- continue;
- if (digest_types[dlv.digest_type] == 0)
- continue;
- if (!dns_resolver_algorithm_supported(val->view->resolver,
- val->event->name,
- dlv.algorithm))
- continue;
- supported_algorithm = ISC_TRUE;
- dns_rdataset_init(&trdataset);
- dns_rdataset_clone(val->event->rdataset, &trdataset);
- /*
- * Convert to DLV to DS and find matching DNSKEY.
- */
- dlvrdata.type = dns_rdatatype_ds;
- result = keyfromds(val, &trdataset, &dlvrdata,
- dlv.digest_type, dlv.key_tag,
- dlv.algorithm, &keyrdata);
- if (result != ISC_R_SUCCESS) {
- dns_rdataset_disassociate(&trdataset);
- validator_log(val, ISC_LOG_DEBUG(3),
- "no DNSKEY matching DLV");
- continue;
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "Found matching DLV record: checking for signature");
- /*
- * Check that this DNSKEY signed the DNSKEY rrset.
- */
- result = checkkey(val, &keyrdata, dlv.key_tag, dlv.algorithm);
- dns_rdataset_disassociate(&trdataset);
- if (result == ISC_R_SUCCESS)
- break;
- validator_log(val, ISC_LOG_DEBUG(3),
- "no RRSIG matching DLV key");
- }
- if (result == ISC_R_SUCCESS) {
- marksecure(val->event);
- validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (dlv)");
- return (result);
- } else if (result == ISC_R_NOMORE && !supported_algorithm) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure,"
- "no supported algorithm/digest (dlv)");
- return (DNS_R_MUSTBESECURE);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "no supported algorithm/digest (dlv)");
- markanswer(val, "dlv_validatezonekey (2)");
- return (ISC_R_SUCCESS);
- } else
- return (DNS_R_NOVALIDSIG);
- }
- /*%
- * Attempts positive response validation of an RRset containing zone keys
- * (i.e. a DNSKEY rrset).
- *
- * Returns:
- * \li ISC_R_SUCCESS Validation completed successfully
- * \li DNS_R_WAIT Validation has started but is waiting
- * for an event.
- * \li Other return codes are possible and all indicate failure.
- */
- static isc_result_t
- validatezonekey(dns_validator_t *val) {
- isc_result_t result;
- dns_validatorevent_t *event;
- dns_rdataset_t trdataset;
- dns_rdata_t dsrdata = DNS_RDATA_INIT;
- dns_rdata_t keyrdata = DNS_RDATA_INIT;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_rdata_ds_t ds;
- dns_rdata_rrsig_t sig;
- dst_key_t *dstkey;
- isc_boolean_t supported_algorithm;
- isc_boolean_t atsep = ISC_FALSE;
- char digest_types[256];
- /*
- * Caller must be holding the validator lock.
- */
- event = val->event;
- if (val->havedlvsep && val->dlv.trust >= dns_trust_secure &&
- dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep)))
- return (dlv_validatezonekey(val));
- if (val->dsset == NULL) {
- /*
- * We have a dlv sep. Skip looking up the SEP from
- * {trusted,managed}-keys. If the dlv sep is for the
- * root then it will have been handled above so we don't
- * need to check whether val->event->name is "." prior to
- * looking up the DS.
- */
- if (val->havedlvsep)
- goto find_ds;
- /*
- * First, see if this key was signed by a trusted key.
- */
- for (result = dns_rdataset_first(val->event->sigrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(val->event->sigrdataset))
- {
- dns_keynode_t *keynode = NULL;
- dns_fixedname_t fixed;
- dns_name_t *found;
- dns_fixedname_init(&fixed);
- found = dns_fixedname_name(&fixed);
- dns_rdata_reset(&sigrdata);
- dns_rdataset_current(val->event->sigrdataset,
- &sigrdata);
- result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (!dns_name_equal(val->event->name, &sig.signer))
- continue;
- result = dns_keytable_findkeynode(val->keytable,
- val->event->name,
- sig.algorithm,
- sig.keyid, &keynode);
- if (result == ISC_R_NOTFOUND &&
- dns_keytable_finddeepestmatch(val->keytable,
- val->event->name, found) != ISC_R_SUCCESS) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, "
- "not beneath secure root");
- return (DNS_R_MUSTBESECURE);
- } else
- validator_log(val, ISC_LOG_DEBUG(3),
- "not beneath secure root");
- if (val->view->dlv == NULL) {
- markanswer(val, "validatezonekey (1)");
- return (ISC_R_SUCCESS);
- }
- return (startfinddlvsep(val, dns_rootname));
- }
- if (result == DNS_R_PARTIALMATCH ||
- result == ISC_R_SUCCESS)
- atsep = ISC_TRUE;
- while (result == ISC_R_SUCCESS) {
- dns_keynode_t *nextnode = NULL;
- dstkey = dns_keynode_key(keynode);
- if (dstkey == NULL) {
- dns_keytable_detachkeynode(
- val->keytable,
- &keynode);
- break;
- }
- result = verify(val, dstkey, &sigrdata,
- sig.keyid);
- if (result == ISC_R_SUCCESS) {
- dns_keytable_detachkeynode(
- val->keytable,
- &keynode);
- break;
- }
- result = dns_keytable_findnextkeynode(
- val->keytable,
- keynode,
- &nextnode);
- dns_keytable_detachkeynode(val->keytable,
- &keynode);
- keynode = nextnode;
- }
- if (result == ISC_R_SUCCESS) {
- marksecure(event);
- validator_log(val, ISC_LOG_DEBUG(3),
- "signed by trusted key; "
- "marking as secure");
- return (result);
- }
- }
- if (atsep) {
- /*
- * We have not found a key to verify this DNSKEY
- * RRset. As this is a SEP we have to assume that
- * the RRset is invalid.
- */
- dns_name_format(val->event->name, namebuf,
- sizeof(namebuf));
- validator_log(val, ISC_LOG_NOTICE,
- "unable to find a DNSKEY which verifies "
- "the DNSKEY RRset and also matches a "
- "trusted key for '%s'",
- namebuf);
- validator_log(val, ISC_LOG_NOTICE,
- "please check the 'trusted-keys' for "
- "'%s' in named.conf.", namebuf);
- return (DNS_R_NOVALIDKEY);
- }
- /*
- * If this is the root name and there was no trusted key,
- * give up, since there's no DS at the root.
- */
- if (dns_name_equal(event->name, dns_rootname)) {
- if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "root key failed to validate");
- return (DNS_R_NOVALIDSIG);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3),
- "no trusted root key");
- return (DNS_R_NOVALIDDS);
- }
- }
- find_ds:
- /*
- * Otherwise, try to find the DS record.
- */
- result = view_find(val, val->event->name, dns_rdatatype_ds);
- if (result == ISC_R_SUCCESS) {
- /*
- * We have DS records.
- */
- val->dsset = &val->frdataset;
- if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
- DNS_TRUST_ANSWER(val->frdataset.trust)) &&
- dns_rdataset_isassociated(&val->fsigrdataset))
- {
- result = create_validator(val,
- val->event->name,
- dns_rdatatype_ds,
- &val->frdataset,
- &val->fsigrdataset,
- dsvalidated,
- "validatezonekey");
- if (result != ISC_R_SUCCESS)
- return (result);
- return (DNS_R_WAIT);
- } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
- /*
- * There should never be an unsigned DS.
- */
- dns_rdataset_disassociate(&val->frdataset);
- validator_log(val, ISC_LOG_DEBUG(2),
- "unsigned DS record");
- return (DNS_R_NOVALIDSIG);
- } else {
- result = ISC_R_SUCCESS;
- POST(result);
- }
- } else if (result == ISC_R_NOTFOUND) {
- /*
- * We don't have the DS. Find it.
- */
- result = create_fetch(val, val->event->name,
- dns_rdatatype_ds, dsfetched,
- "validatezonekey");
- if (result != ISC_R_SUCCESS)
- return (result);
- return (DNS_R_WAIT);
- } else if (result == DNS_R_NCACHENXDOMAIN ||
- result == DNS_R_NCACHENXRRSET ||
- result == DNS_R_EMPTYNAME ||
- result == DNS_R_NXDOMAIN ||
- result == DNS_R_NXRRSET ||
- result == DNS_R_CNAME)
- {
- /*
- * The DS does not exist.
- */
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
- return (DNS_R_NOVALIDSIG);
- } else if (result == DNS_R_BROKENCHAIN)
- return (result);
- }
- /*
- * We have a DS set.
- */
- INSIST(val->dsset != NULL);
- if (val->dsset->trust < dns_trust_secure) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure,"
- " insecure DS");
- return (DNS_R_MUSTBESECURE);
- }
- if (val->view->dlv == NULL || DLVTRIED(val)) {
- markanswer(val, "validatezonekey (2)");
- return (ISC_R_SUCCESS);
- }
- return (startfinddlvsep(val, val->event->name));
- }
- /*
- * Look through the DS record and find the keys that can sign the
- * key set and the matching signature. For each such key, attempt
- * verification.
- */
- supported_algorithm = ISC_FALSE;
- /*
- * If DNS_DSDIGEST_SHA256 is present we are required to prefer
- * it over DNS_DSDIGEST_SHA1. This in practice means that we
- * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
- * is present.
- */
- memset(digest_types, 1, sizeof(digest_types));
- for (result = dns_rdataset_first(val->dsset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(val->dsset)) {
- dns_rdata_reset(&dsrdata);
- dns_rdataset_current(val->dsset, &dsrdata);
- result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (!dns_resolver_algorithm_supported(val->view->resolver,
- val->event->name,
- ds.algorithm))
- continue;
- if (ds.digest_type == DNS_DSDIGEST_SHA256 &&
- ds.length == ISC_SHA256_DIGESTLENGTH) {
- digest_types[DNS_DSDIGEST_SHA1] = 0;
- break;
- }
- }
- for (result = dns_rdataset_first(val->dsset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(val->dsset))
- {
- dns_rdata_reset(&dsrdata);
- dns_rdataset_current(val->dsset, &dsrdata);
- result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (!dns_resolver_digest_supported(val->view->resolver,
- ds.digest_type))
- continue;
- if (digest_types[ds.digest_type] == 0)
- continue;
- if (!dns_resolver_algorithm_supported(val->view->resolver,
- val->event->name,
- ds.algorithm))
- continue;
- supported_algorithm = ISC_TRUE;
- dns_rdataset_init(&trdataset);
- dns_rdataset_clone(val->event->rdataset, &trdataset);
- /*
- * Find matching DNSKEY from DS.
- */
- result = keyfromds(val, &trdataset, &dsrdata, ds.digest_type,
- ds.key_tag, ds.algorithm, &keyrdata);
- if (result != ISC_R_SUCCESS) {
- dns_rdataset_disassociate(&trdataset);
- validator_log(val, ISC_LOG_DEBUG(3),
- "no DNSKEY matching DS");
- continue;
- }
- /*
- * Check that this DNSKEY signed the DNSKEY rrset.
- */
- result = checkkey(val, &keyrdata, ds.key_tag, ds.algorithm);
- dns_rdataset_disassociate(&trdataset);
- if (result == ISC_R_SUCCESS)
- break;
- validator_log(val, ISC_LOG_DEBUG(3),
- "no RRSIG matching DS key");
- }
- if (result == ISC_R_SUCCESS) {
- marksecure(event);
- validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)");
- return (result);
- } else if (result == ISC_R_NOMORE && !supported_algorithm) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, "
- "no supported algorithm/digest (DS)");
- return (DNS_R_MUSTBESECURE);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "no supported algorithm/digest (DS)");
- markanswer(val, "validatezonekey (3)");
- return (ISC_R_SUCCESS);
- } else {
- validator_log(val, ISC_LOG_INFO,
- "no valid signature found (DS)");
- return (DNS_R_NOVALIDSIG);
- }
- }
- /*%
- * Starts a positive response validation.
- *
- * Returns:
- * \li ISC_R_SUCCESS Validation completed successfully
- * \li DNS_R_WAIT Validation has started but is waiting
- * for an event.
- * \li Other return codes are possible and all indicate failure.
- */
- static isc_result_t
- start_positive_validation(dns_validator_t *val) {
- /*
- * If this is not a key, go straight into validate().
- */
- if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
- return (validate(val, ISC_FALSE));
- return (validatezonekey(val));
- }
- /*%
- * val_rdataset_first and val_rdataset_next provide iteration methods
- * that hide whether we are iterating across a message or a negative
- * cache rdataset.
- */
- static isc_result_t
- val_rdataset_first(dns_validator_t *val, dns_name_t **namep,
- dns_rdataset_t **rdatasetp)
- {
- dns_message_t *message = val->event->message;
- isc_result_t result;
- REQUIRE(rdatasetp != NULL);
- REQUIRE(namep != NULL);
- if (message == NULL) {
- REQUIRE(*rdatasetp != NULL);
- REQUIRE(*namep != NULL);
- } else {
- REQUIRE(*rdatasetp == NULL);
- REQUIRE(*namep == NULL);
- }
- if (message != NULL) {
- result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_message_currentname(message, DNS_SECTION_AUTHORITY, namep);
- *rdatasetp = ISC_LIST_HEAD((*namep)->list);
- INSIST(*rdatasetp != NULL);
- } else {
- result = dns_rdataset_first(val->event->rdataset);
- if (result == ISC_R_SUCCESS)
- dns_ncache_current(val->event->rdataset, *namep,
- *rdatasetp);
- }
- return (result);
- }
- static isc_result_t
- val_rdataset_next(dns_validator_t *val, dns_name_t **namep,
- dns_rdataset_t **rdatasetp)
- {
- dns_message_t *message = val->event->message;
- isc_result_t result = ISC_R_SUCCESS;
- REQUIRE(rdatasetp != NULL && *rdatasetp != NULL);
- REQUIRE(namep != NULL && *namep != NULL);
- if (message != NULL) {
- dns_rdataset_t *rdataset = *rdatasetp;
- rdataset = ISC_LIST_NEXT(rdataset, link);
- if (rdataset == NULL) {
- *namep = NULL;
- result = dns_message_nextname(message,
- DNS_SECTION_AUTHORITY);
- if (result == ISC_R_SUCCESS) {
- dns_message_currentname(message,
- DNS_SECTION_AUTHORITY,
- namep);
- rdataset = ISC_LIST_HEAD((*namep)->list);
- INSIST(rdataset != NULL);
- }
- }
- *rdatasetp = rdataset;
- } else {
- dns_rdataset_disassociate(*rdatasetp);
- result = dns_rdataset_next(val->event->rdataset);
- if (result == ISC_R_SUCCESS)
- dns_ncache_current(val->event->rdataset, *namep,
- *rdatasetp);
- }
- return (result);
- }
- /*%
- * Look for NODATA at the wildcard and NOWILDCARD proofs in the
- * previously validated NSEC records. As these proofs are mutually
- * exclusive we stop when one is found.
- *
- * Returns
- * \li ISC_R_SUCCESS
- */
- static isc_result_t
- checkwildcard(dns_validator_t *val, dns_rdatatype_t type, dns_name_t *zonename)
- {
- dns_name_t *name, *wild, tname;
- isc_result_t result;
- isc_boolean_t exists, data;
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_rdataset_t *rdataset, trdataset;
- dns_name_init(&tname, NULL);
- dns_rdataset_init(&trdataset);
- wild = dns_fixedname_name(&val->wild);
- if (dns_name_countlabels(wild) == 0) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "in checkwildcard: no wildcard to check");
- return (ISC_R_SUCCESS);
- }
- dns_name_format(wild, namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
- if (val->event->message == NULL) {
- name = &tname;
- rdataset = &trdataset;
- } else {
- name = NULL;
- rdataset = NULL;
- }
- for (result = val_rdataset_first(val, &name, &rdataset);
- result == ISC_R_SUCCESS;
- result = val_rdataset_next(val, &name, &rdataset))
- {
- if (rdataset->type != type ||
- rdataset->trust != dns_trust_secure)
- continue;
- if (rdataset->type == dns_rdatatype_nsec &&
- (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
- !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
- nsecnoexistnodata(val, wild, name, rdataset,
- &exists, &data, NULL)
- == ISC_R_SUCCESS)
- {
- dns_name_t **proofs = val->event->proofs;
- if (exists && !data)
- val->attributes |= VALATTR_FOUNDNODATA;
- if (exists && !data && NEEDNODATA(val))
- proofs[DNS_VALIDATOR_NODATAPROOF] =
- name;
- if (!exists)
- val->attributes |=
- VALATTR_FOUNDNOWILDCARD;
- if (!exists && NEEDNOQNAME(val))
- proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
- name;
- if (dns_rdataset_isassociated(&trdataset))
- dns_rdataset_disassociate(&trdataset);
- return (ISC_R_SUCCESS);
- }
- if (rdataset->type == dns_rdatatype_nsec3 &&
- (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
- !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
- nsec3noexistnodata(val, wild, name, rdataset,
- zonename, &exists, &data,
- NULL, NULL, NULL, NULL, NULL,
- NULL) == ISC_R_SUCCESS)
- {
- dns_name_t **proofs = val->event->proofs;
- if (exists && !data)
- val->attributes |= VALATTR_FOUNDNODATA;
- if (exists && !data && NEEDNODATA(val))
- proofs[DNS_VALIDATOR_NODATAPROOF] =
- name;
- if (!exists)
- val->attributes |=
- VALATTR_FOUNDNOWILDCARD;
- if (!exists && NEEDNOQNAME(val))
- proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
- name;
- if (dns_rdataset_isassociated(&trdataset))
- dns_rdataset_disassociate(&trdataset);
- return (ISC_R_SUCCESS);
- }
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- if (dns_rdataset_isassociated(&trdataset))
- dns_rdataset_disassociate(&trdataset);
- return (result);
- }
- static isc_result_t
- findnsec3proofs(dns_validator_t *val) {
- dns_name_t *name, tname;
- isc_result_t result;
- isc_boolean_t exists, data, optout, unknown;
- isc_boolean_t setclosest, setnearest, *setclosestp;
- dns_fixedname_t fclosest, fnearest, fzonename;
- dns_name_t *closest, *nearest, *zonename, *closestp;
- dns_name_t **proofs = val->event->proofs;
- dns_rdataset_t *rdataset, trdataset;
- dns_name_init(&tname, NULL);
- dns_rdataset_init(&trdataset);
- dns_fixedname_init(&fclosest);
- dns_fixedname_init(&fnearest);
- dns_fixedname_init(&fzonename);
- closest = dns_fixedname_name(&fclosest);
- nearest = dns_fixedname_name(&fnearest);
- zonename = dns_fixedname_name(&fzonename);
- if (val->event->message == NULL) {
- name = &tname;
- rdataset = &trdataset;
- } else {
- name = NULL;
- rdataset = NULL;
- }
- for (result = val_rdataset_first(val, &name, &rdataset);
- result == ISC_R_SUCCESS;
- result = val_rdataset_next(val, &name, &rdataset))
- {
- if (rdataset->type != dns_rdatatype_nsec3 ||
- rdataset->trust != dns_trust_secure)
- continue;
- result = nsec3noexistnodata(val, val->event->name,
- name, rdataset,
- zonename, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
- NULL);
- if (result != ISC_R_IGNORE && result != ISC_R_SUCCESS) {
- if (dns_rdataset_isassociated(&trdataset))
- dns_rdataset_disassociate(&trdataset);
- return (result);
- }
- }
- if (result != ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- POST(result);
- if (dns_name_countlabels(zonename) == 0)
- return (ISC_R_SUCCESS);
- /*
- * If the val->closest is set then we want to use it otherwise
- * we need to discover it.
- */
- if (dns_name_countlabels(dns_fixedname_name(&val->closest)) != 0) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(dns_fixedname_name(&val->closest),
- namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3), "closest encloser from "
- "wildcard signature '%s'", namebuf);
- dns_name_copy(dns_fixedname_name(&val->closest), closest, NULL);
- closestp = NULL;
- setclosestp = NULL;
- } else {
- closestp = closest;
- setclosestp = &setclosest;
- }
- for (result = val_rdataset_first(val, &name, &rdataset);
- result == ISC_R_SUCCESS;
- result = val_rdataset_next(val, &name, &rdataset))
- {
- if (rdataset->type != dns_rdatatype_nsec3 ||
- rdataset->trust != dns_trust_secure)
- continue;
- /*
- * We process all NSEC3 records to find the closest
- * encloser and nearest name to the closest encloser.
- */
- setclosest = setnearest = ISC_FALSE;
- optout = ISC_FALSE;
- unknown = ISC_FALSE;
- (void)nsec3noexistnodata(val, val->event->name, name, rdataset,
- zonename, &exists, &data, &optout,
- &unknown, setclosestp, &setnearest,
- closestp, nearest);
- if (setclosest)
- proofs[DNS_VALIDATOR_CLOSESTENCLOSER] = name;
- if (unknown)
- val->attributes |= VALATTR_FOUNDUNKNOWN;
- if (result != ISC_R_SUCCESS)
- continue;
- if (exists && !data && NEEDNODATA(val)) {
- val->attributes |= VALATTR_FOUNDNODATA;
- proofs[DNS_VALIDATOR_NODATAPROOF] = name;
- }
- if (!exists && setnearest) {
- val->attributes |= VALATTR_FOUNDNOQNAME;
- proofs[DNS_VALIDATOR_NOQNAMEPROOF] = name;
- if (optout)
- val->attributes |= VALATTR_FOUNDOPTOUT;
- }
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- /*
- * To know we have a valid noqname and optout proofs we need to also
- * have a valid closest encloser. Otherwise we could still be looking
- * at proofs from the parent zone.
- */
- if (dns_name_countlabels(closest) > 0 &&
- dns_name_countlabels(nearest) ==
- dns_name_countlabels(closest) + 1 &&
- dns_name_issubdomain(nearest, closest))
- {
- val->attributes |= VALATTR_FOUNDCLOSEST;
- result = dns_name_concatenate(dns_wildcardname, closest,
- dns_fixedname_name(&val->wild),
- NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- } else {
- val->attributes &= ~VALATTR_FOUNDNOQNAME;
- val->attributes &= ~VALATTR_FOUNDOPTOUT;
- proofs[DNS_VALIDATOR_NOQNAMEPROOF] = NULL;
- }
- /*
- * Do we need to check for the wildcard?
- */
- if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
- ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) {
- result = checkwildcard(val, dns_rdatatype_nsec3, zonename);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- return (result);
- }
- /*%
- * Validate the authority section records.
- */
- static isc_result_t
- validate_authority(dns_validator_t *val, isc_boolean_t resume) {
- dns_name_t *name;
- dns_message_t *message = val->event->message;
- isc_result_t result;
- if (!resume)
- result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- else
- result = ISC_R_SUCCESS;
- for (;
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
- {
- dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
- if (resume) {
- rdataset = ISC_LIST_NEXT(val->currentset, link);
- val->currentset = NULL;
- resume = ISC_FALSE;
- } else
- rdataset = ISC_LIST_HEAD(name->list);
- for (;
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link))
- {
- if (rdataset->type == dns_rdatatype_rrsig)
- continue;
- for (sigrdataset = ISC_LIST_HEAD(name->list);
- sigrdataset != NULL;
- sigrdataset = ISC_LIST_NEXT(sigrdataset,
- link))
- {
- if (sigrdataset->type == dns_rdatatype_rrsig &&
- sigrdataset->covers == rdataset->type)
- break;
- }
- /*
- * If a signed zone is missing the zone key, bad
- * things could happen. A query for data in the zone
- * would lead to a query for the zone key, which
- * would return a negative answer, which would contain
- * an SOA and an NSEC signed by the missing key, which
- * would trigger another query for the DNSKEY (since
- * the first one is still in progress), and go into an
- * infinite loop. Avoid that.
- */
- if (val->event->type == dns_rdatatype_dnskey &&
- rdataset->type == dns_rdatatype_nsec &&
- dns_name_equal(name, val->event->name))
- {
- dns_rdata_t nsec = DNS_RDATA_INIT;
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_current(rdataset, &nsec);
- if (dns_nsec_typepresent(&nsec,
- dns_rdatatype_soa))
- continue;
- }
- val->currentset = rdataset;
- result = create_validator(val, name, rdataset->type,
- rdataset, sigrdataset,
- authvalidated,
- "validate_authority");
- if (result != ISC_R_SUCCESS)
- return (result);
- val->authcount++;
- return (DNS_R_WAIT);
- }
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- return (result);
- }
- /*%
- * Validate the ncache elements.
- */
- static isc_result_t
- validate_ncache(dns_validator_t *val, isc_boolean_t resume) {
- dns_name_t *name;
- isc_result_t result;
- if (!resume)
- result = dns_rdataset_first(val->event->rdataset);
- else
- result = dns_rdataset_next(val->event->rdataset);
- for (;
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(val->event->rdataset))
- {
- dns_rdataset_t *rdataset, *sigrdataset = NULL;
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- dns_fixedname_init(&val->fname);
- name = dns_fixedname_name(&val->fname);
- rdataset = &val->frdataset;
- dns_ncache_current(val->event->rdataset, name, rdataset);
- if (val->frdataset.type == dns_rdatatype_rrsig)
- continue;
- result = dns_ncache_getsigrdataset(val->event->rdataset, name,
- rdataset->type,
- &val->fsigrdataset);
- if (result == ISC_R_SUCCESS)
- sigrdataset = &val->fsigrdataset;
- /*
- * If a signed zone is missing the zone key, bad
- * things could happen. A query for data in the zone
- * would lead to a query for the zone key, which
- * would return a negative answer, which would contain
- * an SOA and an NSEC signed by the missing key, which
- * would trigger another query for the DNSKEY (since
- * the first one is still in progress), and go into an
- * infinite loop. Avoid that.
- */
- if (val->event->type == dns_rdatatype_dnskey &&
- rdataset->type == dns_rdatatype_nsec &&
- dns_name_equal(name, val->event->name))
- {
- dns_rdata_t nsec = DNS_RDATA_INIT;
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_current(rdataset, &nsec);
- if (dns_nsec_typepresent(&nsec,
- dns_rdatatype_soa))
- continue;
- }
- val->currentset = rdataset;
- result = create_validator(val, name, rdataset->type,
- rdataset, sigrdataset,
- authvalidated,
- "validate_ncache");
- if (result != ISC_R_SUCCESS)
- return (result);
- val->authcount++;
- return (DNS_R_WAIT);
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- return (result);
- }
- /*%
- * Prove a negative answer is good or that there is a NOQNAME when the
- * answer is from a wildcard.
- *
- * Loop through the authority section looking for NODATA, NOWILDCARD
- * and NOQNAME proofs in the NSEC records by calling authvalidated().
- *
- * If the required proofs are found we are done.
- *
- * If the proofs are not found attempt to prove this is a unsecure
- * response.
- */
- static isc_result_t
- nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
- isc_result_t result;
- if (resume)
- validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
- if (val->event->message == NULL)
- result = validate_ncache(val, resume);
- else
- result = validate_authority(val, resume);
- if (result != ISC_R_SUCCESS)
- return (result);
- /*
- * Do we only need to check for NOQNAME? To get here we must have
- * had a secure wildcard answer.
- */
- if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
- if (!FOUNDNOQNAME(val))
- findnsec3proofs(val);
- if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val)) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "marking as secure, noqname proof found");
- marksecure(val->event);
- return (ISC_R_SUCCESS);
- } else if (FOUNDOPTOUT(val) &&
- dns_name_countlabels(dns_fixedname_name(&val->wild))
- != 0) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "optout proof found");
- val->event->optout = ISC_TRUE;
- markanswer(val, "nsecvalidate (1)");
- return (ISC_R_SUCCESS);
- } else if ((val->attributes & VALATTR_FOUNDUNKNOWN) != 0) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "unknown NSEC3 hash algorithm found");
- markanswer(val, "nsecvalidate (2)");
- return (ISC_R_SUCCESS);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "noqname proof not found");
- return (DNS_R_NOVALIDNSEC);
- }
- if (!FOUNDNOQNAME(val) && !FOUNDNODATA(val))
- findnsec3proofs(val);
- /*
- * Do we need to check for the wildcard?
- */
- if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
- ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) {
- result = checkwildcard(val, dns_rdatatype_nsec, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- if ((NEEDNODATA(val) && (FOUNDNODATA(val) || FOUNDOPTOUT(val))) ||
- (NEEDNOQNAME(val) && FOUNDNOQNAME(val) &&
- NEEDNOWILDCARD(val) && FOUNDNOWILDCARD(val) &&
- FOUNDCLOSEST(val))) {
- if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
- val->event->optout = ISC_TRUE;
- validator_log(val, ISC_LOG_DEBUG(3),
- "nonexistence proof(s) found");
- if (val->event->message == NULL)
- marksecure(val->event);
- return (ISC_R_SUCCESS);
- }
- if (val->authfail != 0 && val->authcount == val->authfail)
- return (DNS_R_BROKENCHAIN);
- validator_log(val, ISC_LOG_DEBUG(3),
- "nonexistence proof(s) not found");
- val->attributes |= VALATTR_INSECURITY;
- return (proveunsecure(val, ISC_FALSE, ISC_FALSE));
- }
- static isc_boolean_t
- check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) {
- dns_rdata_t dsrdata = DNS_RDATA_INIT;
- dns_rdata_ds_t ds;
- isc_result_t result;
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset)) {
- dns_rdataset_current(rdataset, &dsrdata);
- result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (dns_resolver_digest_supported(val->view->resolver,
- ds.digest_type) &&
- dns_resolver_algorithm_supported(val->view->resolver,
- name, ds.algorithm)) {
- dns_rdata_reset(&dsrdata);
- return (ISC_TRUE);
- }
- dns_rdata_reset(&dsrdata);
- }
- return (ISC_FALSE);
- }
- static void
- dlvvalidated(isc_task_t *task, isc_event_t *event) {
- dns_validatorevent_t *devent;
- dns_validator_t *val;
- isc_result_t eresult;
- isc_boolean_t want_destroy;
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
- devent = (dns_validatorevent_t *)event;
- val = devent->ev_arg;
- eresult = devent->result;
- isc_event_free(&event);
- dns_validator_destroy(&val->subvalidator);
- INSIST(val->event != NULL);
- validator_log(val, ISC_LOG_DEBUG(3), "in dlvvalidated");
- LOCK(&val->lock);
- if (CANCELED(val)) {
- validator_done(val, ISC_R_CANCELED);
- } else if (eresult == ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "dlvset with trust %s",
- dns_trust_totext(val->frdataset.trust));
- dns_rdataset_clone(&val->frdataset, &val->dlv);
- val->havedlvsep = ISC_TRUE;
- if (dlv_algorithm_supported(val))
- dlv_validator_start(val);
- else {
- markanswer(val, "dlvvalidated");
- validator_done(val, ISC_R_SUCCESS);
- }
- } else {
- if (eresult != DNS_R_BROKENCHAIN) {
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_expire(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_expire(&val->fsigrdataset);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "dlvvalidated: got %s",
- isc_result_totext(eresult));
- validator_done(val, DNS_R_BROKENCHAIN);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
- }
- /*%
- * Callback from fetching a DLV record.
- *
- * Resumes the DLV lookup process.
- */
- static void
- dlvfetched(isc_task_t *task, isc_event_t *event) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_fetchevent_t *devent;
- dns_validator_t *val;
- isc_boolean_t want_destroy;
- isc_result_t eresult;
- isc_result_t result;
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
- devent = (dns_fetchevent_t *)event;
- val = devent->ev_arg;
- eresult = devent->result;
- /* Free resources which are not of interest. */
- if (devent->node != NULL)
- dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
- dns_db_detach(&devent->db);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- isc_event_free(&event);
- dns_resolver_destroyfetch(&val->fetch);
- INSIST(val->event != NULL);
- validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s",
- dns_result_totext(eresult));
- LOCK(&val->lock);
- if (eresult == ISC_R_SUCCESS) {
- dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
- sizeof(namebuf));
- dns_rdataset_clone(&val->frdataset, &val->dlv);
- val->havedlvsep = ISC_TRUE;
- if (dlv_algorithm_supported(val)) {
- validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
- namebuf);
- dlv_validator_start(val);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3),
- "DLV %s found with no supported algorithms",
- namebuf);
- markanswer(val, "dlvfetched (1)");
- validator_done(val, ISC_R_SUCCESS);
- }
- } else if (eresult == DNS_R_NXRRSET ||
- eresult == DNS_R_NXDOMAIN ||
- eresult == DNS_R_NCACHENXRRSET ||
- eresult == DNS_R_NCACHENXDOMAIN) {
- result = finddlvsep(val, ISC_TRUE);
- if (result == ISC_R_SUCCESS) {
- if (dlv_algorithm_supported(val)) {
- dns_name_format(dns_fixedname_name(&val->dlvsep),
- namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3),
- "DLV %s found", namebuf);
- dlv_validator_start(val);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3),
- "DLV %s found with no supported "
- "algorithms", namebuf);
- markanswer(val, "dlvfetched (2)");
- validator_done(val, ISC_R_SUCCESS);
- }
- } else if (result == ISC_R_NOTFOUND) {
- validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
- markanswer(val, "dlvfetched (3)");
- validator_done(val, ISC_R_SUCCESS);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
- dns_result_totext(result));
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- }
- } else {
- validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
- dns_result_totext(eresult));
- validator_done(val, eresult);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
- }
- /*%
- * Start the DLV lookup process.
- *
- * Returns
- * \li ISC_R_SUCCESS
- * \li DNS_R_WAIT
- * \li Others on validation failures.
- */
- static isc_result_t
- startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
- char namebuf[DNS_NAME_FORMATSIZE];
- isc_result_t result;
- INSIST(!DLVTRIED(val));
- val->attributes |= VALATTR_DLVTRIED;
- dns_name_format(unsecure, namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3),
- "plain DNSSEC returns unsecure (%s): looking for DLV",
- namebuf);
- if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
- validator_log(val, ISC_LOG_WARNING, "must be secure failure, "
- " %s is under DLV (startfinddlvsep)", namebuf);
- return (DNS_R_MUSTBESECURE);
- }
- val->dlvlabels = dns_name_countlabels(unsecure) - 1;
- result = finddlvsep(val, ISC_FALSE);
- if (result == ISC_R_NOTFOUND) {
- validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
- markanswer(val, "startfinddlvsep (1)");
- return (ISC_R_SUCCESS);
- }
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
- dns_result_totext(result));
- return (result);
- }
- dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
- sizeof(namebuf));
- if (dlv_algorithm_supported(val)) {
- validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
- dlv_validator_start(val);
- return (DNS_R_WAIT);
- }
- validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
- "algorithms", namebuf);
- markanswer(val, "startfinddlvsep (2)");
- validator_done(val, ISC_R_SUCCESS);
- return (ISC_R_SUCCESS);
- }
- /*%
- * Continue the DLV lookup process.
- *
- * Returns
- * \li ISC_R_SUCCESS
- * \li ISC_R_NOTFOUND
- * \li DNS_R_WAIT
- * \li Others on validation failure.
- */
- static isc_result_t
- finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_fixedname_t dlvfixed;
- dns_name_t *dlvname;
- dns_name_t *dlvsep;
- dns_name_t noroot;
- isc_result_t result;
- unsigned int labels;
- INSIST(val->view->dlv != NULL);
- if (!resume) {
- if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
- dns_name_format(val->event->name, namebuf,
- sizeof(namebuf));
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, "
- "%s is under DLV (finddlvsep)", namebuf);
- return (DNS_R_MUSTBESECURE);
- }
- dns_fixedname_init(&val->dlvsep);
- dlvsep = dns_fixedname_name(&val->dlvsep);
- dns_name_copy(val->event->name, dlvsep, NULL);
- /*
- * If this is a response to a DS query, we need to look in
- * the parent zone for the trust anchor.
- */
- if (val->event->type == dns_rdatatype_ds) {
- labels = dns_name_countlabels(dlvsep);
- if (labels == 0)
- return (ISC_R_NOTFOUND);
- dns_name_getlabelsequence(dlvsep, 1, labels - 1,
- dlvsep);
- }
- } else {
- dlvsep = dns_fixedname_name(&val->dlvsep);
- labels = dns_name_countlabels(dlvsep);
- dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
- }
- dns_name_init(&noroot, NULL);
- dns_fixedname_init(&dlvfixed);
- dlvname = dns_fixedname_name(&dlvfixed);
- labels = dns_name_countlabels(dlvsep);
- if (labels == 0)
- return (ISC_R_NOTFOUND);
- dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot);
- result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL);
- while (result == ISC_R_NOSPACE) {
- labels = dns_name_countlabels(dlvsep);
- dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
- dns_name_getlabelsequence(dlvsep, 0, labels - 2, &noroot);
- result = dns_name_concatenate(&noroot, val->view->dlv,
- dlvname, NULL);
- }
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed");
- return (DNS_R_NOVALIDSIG);
- }
- while (dns_name_countlabels(dlvname) >=
- dns_name_countlabels(val->view->dlv) + val->dlvlabels) {
- dns_name_format(dlvname, namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s",
- namebuf);
- result = view_find(val, dlvname, dns_rdatatype_dlv);
- if (result == ISC_R_SUCCESS) {
- if (DNS_TRUST_PENDING(val->frdataset.trust) &&
- dns_rdataset_isassociated(&val->fsigrdataset))
- {
- dns_fixedname_init(&val->fname);
- dns_name_copy(dlvname,
- dns_fixedname_name(&val->fname),
- NULL);
- result = create_validator(val,
- dns_fixedname_name(&val->fname),
- dns_rdatatype_dlv,
- &val->frdataset,
- &val->fsigrdataset,
- dlvvalidated,
- "finddlvsep");
- if (result != ISC_R_SUCCESS)
- return (result);
- return (DNS_R_WAIT);
- }
- if (val->frdataset.trust < dns_trust_secure) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "DLV not validated");
- return (DNS_R_NOVALIDSIG);
- }
- val->havedlvsep = ISC_TRUE;
- dns_rdataset_clone(&val->frdataset, &val->dlv);
- return (ISC_R_SUCCESS);
- }
- if (result == ISC_R_NOTFOUND) {
- result = create_fetch(val, dlvname, dns_rdatatype_dlv,
- dlvfetched, "finddlvsep");
- if (result != ISC_R_SUCCESS)
- return (result);
- return (DNS_R_WAIT);
- }
- if (result != DNS_R_NXRRSET &&
- result != DNS_R_NXDOMAIN &&
- result != DNS_R_EMPTYNAME &&
- result != DNS_R_NCACHENXRRSET &&
- result != DNS_R_NCACHENXDOMAIN)
- return (result);
- /*
- * Strip first labels from both dlvsep and dlvname.
- */
- labels = dns_name_countlabels(dlvsep);
- if (labels == 0)
- break;
- dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
- labels = dns_name_countlabels(dlvname);
- dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname);
- }
- return (ISC_R_NOTFOUND);
- }
- /*%
- * proveunsecure walks down from the SEP looking for a break in the
- * chain of trust. That occurs when we can prove the DS record does
- * not exist at a delegation point or the DS exists at a delegation
- * but we don't support the algorithm/digest.
- *
- * If DLV is active and we look for a DLV record at or below the
- * point we go insecure. If found we restart the validation process.
- * If not found or DLV isn't active we mark the response as a answer.
- *
- * Returns:
- * \li ISC_R_SUCCESS val->event->name is in a unsecure zone
- * \li DNS_R_WAIT validation is in progress.
- * \li DNS_R_MUSTBESECURE val->event->name is supposed to be secure
- * (policy) but we proved that it is unsecure.
- * \li DNS_R_NOVALIDSIG
- * \li DNS_R_NOVALIDNSEC
- * \li DNS_R_NOTINSECURE
- * \li DNS_R_BROKENCHAIN
- */
- static isc_result_t
- proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
- {
- isc_result_t result;
- dns_fixedname_t fixedsecroot;
- dns_name_t *secroot;
- dns_name_t *tname;
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_t *found;
- dns_fixedname_t fixedfound;
- dns_fixedname_init(&fixedsecroot);
- secroot = dns_fixedname_name(&fixedsecroot);
- dns_fixedname_init(&fixedfound);
- found = dns_fixedname_name(&fixedfound);
- if (val->havedlvsep)
- dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
- else {
- unsigned int labels;
- dns_name_copy(val->event->name, secroot, NULL);
- /*
- * If this is a response to a DS query, we need to look in
- * the parent zone for the trust anchor.
- */
- labels = dns_name_countlabels(secroot);
- if (val->event->type == dns_rdatatype_ds && labels > 1U)
- dns_name_getlabelsequence(secroot, 1, labels - 1,
- secroot);
- result = dns_keytable_finddeepestmatch(val->keytable,
- secroot, secroot);
- if (result == ISC_R_NOTFOUND) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, "
- "not beneath secure root");
- result = DNS_R_MUSTBESECURE;
- goto out;
- } else
- validator_log(val, ISC_LOG_DEBUG(3),
- "not beneath secure root");
- if (val->view->dlv == NULL || DLVTRIED(val)) {
- markanswer(val, "proveunsecure (1)");
- return (ISC_R_SUCCESS);
- }
- return (startfinddlvsep(val, dns_rootname));
- } else if (result != ISC_R_SUCCESS)
- return (result);
- }
- if (!resume) {
- /*
- * We are looking for breaks below the SEP so add a label.
- */
- val->labels = dns_name_countlabels(secroot) + 1;
- } else {
- validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
- /*
- * If we have a DS rdataset and it is secure then check if
- * the DS rdataset has a supported algorithm combination.
- * If not this is an insecure delegation as far as this
- * resolver is concerned. Fall back to DLV if available.
- */
- if (have_ds && val->frdataset.trust >= dns_trust_secure &&
- !check_ds(val, dns_fixedname_name(&val->fname),
- &val->frdataset)) {
- dns_name_format(dns_fixedname_name(&val->fname),
- namebuf, sizeof(namebuf));
- if ((val->view->dlv == NULL || DLVTRIED(val)) &&
- val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure at '%s', "
- "can't fall back to DLV",
- namebuf);
- result = DNS_R_MUSTBESECURE;
- goto out;
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "no supported algorithm/digest (%s/DS)",
- namebuf);
- if (val->view->dlv == NULL || DLVTRIED(val)) {
- markanswer(val, "proveunsecure (2)");
- result = ISC_R_SUCCESS;
- goto out;
- }
- return(startfinddlvsep(val,
- dns_fixedname_name(&val->fname)));
- }
- val->labels++;
- }
- for (;
- val->labels <= dns_name_countlabels(val->event->name);
- val->labels++)
- {
- dns_fixedname_init(&val->fname);
- tname = dns_fixedname_name(&val->fname);
- if (val->labels == dns_name_countlabels(val->event->name))
- dns_name_copy(val->event->name, tname, NULL);
- else
- dns_name_split(val->event->name, val->labels,
- NULL, tname);
- dns_name_format(tname, namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3),
- "checking existence of DS at '%s'",
- namebuf);
- result = view_find(val, tname, dns_rdatatype_ds);
- if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
- /*
- * There is no DS. If this is a delegation,
- * we may be done.
- */
- /*
- * If we have "trust == answer" then this namespace
- * has switched from insecure to should be secure.
- */
- if (DNS_TRUST_PENDING(val->frdataset.trust) ||
- DNS_TRUST_ANSWER(val->frdataset.trust)) {
- result = create_validator(val, tname,
- dns_rdatatype_ds,
- &val->frdataset,
- NULL, dsvalidated,
- "proveunsecure");
- if (result != ISC_R_SUCCESS)
- goto out;
- return (DNS_R_WAIT);
- }
- /*
- * Zones using NSEC3 don't return a NSEC RRset so
- * we need to use dns_view_findzonecut2 to find
- * the zone cut.
- */
- if (result == DNS_R_NXRRSET &&
- !dns_rdataset_isassociated(&val->frdataset) &&
- dns_view_findzonecut2(val->view, tname, found,
- 0, 0, ISC_FALSE, ISC_FALSE,
- NULL, NULL) == ISC_R_SUCCESS &&
- dns_name_equal(tname, found)) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, "
- "no DS at zone cut");
- return (DNS_R_MUSTBESECURE);
- }
- if (val->view->dlv == NULL || DLVTRIED(val)) {
- markanswer(val, "proveunsecure (3)");
- return (ISC_R_SUCCESS);
- }
- return (startfinddlvsep(val, tname));
- }
- if (val->frdataset.trust < dns_trust_secure) {
- /*
- * This shouldn't happen, since the negative
- * response should have been validated. Since
- * there's no way of validating existing
- * negative response blobs, give up.
- */
- validator_log(val, ISC_LOG_WARNING,
- "can't validate existing "
- "negative responses (no DS)");
- result = DNS_R_NOVALIDSIG;
- goto out;
- }
- if (isdelegation(tname, &val->frdataset, result)) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, "
- "%s is a delegation",
- namebuf);
- return (DNS_R_MUSTBESECURE);
- }
- if (val->view->dlv == NULL || DLVTRIED(val)) {
- markanswer(val, "proveunsecure (4)");
- return (ISC_R_SUCCESS);
- }
- return (startfinddlvsep(val, tname));
- }
- continue;
- } else if (result == DNS_R_CNAME) {
- if (DNS_TRUST_PENDING(val->frdataset.trust) ||
- DNS_TRUST_ANSWER(val->frdataset.trust)) {
- result = create_validator(val, tname,
- dns_rdatatype_cname,
- &val->frdataset,
- NULL, cnamevalidated,
- "proveunsecure "
- "(cname)");
- if (result != ISC_R_SUCCESS)
- goto out;
- return (DNS_R_WAIT);
- }
- continue;
- } else if (result == ISC_R_SUCCESS) {
- /*
- * There is a DS here. Verify that it's secure and
- * continue.
- */
- if (val->frdataset.trust >= dns_trust_secure) {
- if (!check_ds(val, tname, &val->frdataset)) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "no supported algorithm/"
- "digest (%s/DS)", namebuf);
- if (val->mustbesecure) {
- validator_log(val,
- ISC_LOG_WARNING,
- "must be secure failure, "
- "no supported algorithm/"
- "digest (%s/DS)",
- namebuf);
- result = DNS_R_MUSTBESECURE;
- goto out;
- }
- if (val->view->dlv == NULL ||
- DLVTRIED(val)) {
- markanswer(val,
- "proveunsecure (5)");
- result = ISC_R_SUCCESS;
- goto out;
- }
- return(startfinddlvsep(val, tname));
- }
- continue;
- }
- else if (!dns_rdataset_isassociated(&val->fsigrdataset))
- {
- validator_log(val, ISC_LOG_DEBUG(3),
- "DS is unsigned");
- result = DNS_R_NOVALIDSIG;
- goto out;
- }
- /*
- * Validate / re-validate answer.
- */
- result = create_validator(val, tname, dns_rdatatype_ds,
- &val->frdataset,
- &val->fsigrdataset,
- dsvalidated,
- "proveunsecure");
- if (result != ISC_R_SUCCESS)
- goto out;
- return (DNS_R_WAIT);
- } else if (result == DNS_R_NXDOMAIN ||
- result == DNS_R_NCACHENXDOMAIN) {
- /*
- * This is not a zone cut. Assuming things are
- * as expected, continue.
- */
- if (!dns_rdataset_isassociated(&val->frdataset)) {
- /*
- * There should be an NSEC here, since we
- * are still in a secure zone.
- */
- result = DNS_R_NOVALIDNSEC;
- goto out;
- } else if (DNS_TRUST_PENDING(val->frdataset.trust) ||
- DNS_TRUST_ANSWER(val->frdataset.trust)) {
- /*
- * If we have "trust == answer" then this namespace
- * has switched from insecure to should be secure.
- */
- result = create_validator(val, tname,
- dns_rdatatype_ds,
- &val->frdataset,
- NULL, dsvalidated,
- "proveunsecure");
- if (result != ISC_R_SUCCESS)
- goto out;
- return (DNS_R_WAIT);
- } else if (val->frdataset.trust < dns_trust_secure) {
- /*
- * This shouldn't happen, since the negative
- * response should have been validated. Since
- * there's no way of validating existing
- * negative response blobs, give up.
- */
- validator_log(val, ISC_LOG_WARNING,
- "can't validate existing "
- "negative responses "
- "(not a zone cut)");
- result = DNS_R_NOVALIDSIG;
- goto out;
- }
- continue;
- } else if (result == ISC_R_NOTFOUND) {
- /*
- * We don't know anything about the DS. Find it.
- */
- result = create_fetch(val, tname, dns_rdatatype_ds,
- dsfetched2, "proveunsecure");
- if (result != ISC_R_SUCCESS)
- goto out;
- return (DNS_R_WAIT);
- } else if (result == DNS_R_BROKENCHAIN)
- return (result);
- }
- /* Couldn't complete insecurity proof */
- validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
- return (DNS_R_NOTINSECURE);
- out:
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- return (result);
- }
- /*%
- * Reset state and revalidate the answer using DLV.
- */
- static void
- dlv_validator_start(dns_validator_t *val) {
- isc_event_t *event;
- validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start");
- /*
- * Reset state and try again.
- */
- val->attributes &= VALATTR_DLVTRIED;
- val->options &= ~DNS_VALIDATOR_DLV;
- event = (isc_event_t *)val->event;
- isc_task_send(val->task, &event);
- }
- /*%
- * Start the validation process.
- *
- * Attempt to validate the answer based on the category it appears to
- * fall in.
- * \li 1. secure positive answer.
- * \li 2. unsecure positive answer.
- * \li 3. a negative answer (secure or unsecure).
- *
- * Note a answer that appears to be a secure positive answer may actually
- * be an unsecure positive answer.
- */
- static void
- validator_start(isc_task_t *task, isc_event_t *event) {
- dns_validator_t *val;
- dns_validatorevent_t *vevent;
- isc_boolean_t want_destroy = ISC_FALSE;
- isc_result_t result = ISC_R_FAILURE;
- UNUSED(task);
- REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
- vevent = (dns_validatorevent_t *)event;
- val = vevent->validator;
- /* If the validator has been canceled, val->event == NULL */
- if (val->event == NULL)
- return;
- if (DLVTRIED(val))
- validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV");
- else
- validator_log(val, ISC_LOG_DEBUG(3), "starting");
- LOCK(&val->lock);
- if ((val->options & DNS_VALIDATOR_DLV) != 0 &&
- val->event->rdataset != NULL) {
- validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
- result = startfinddlvsep(val, dns_rootname);
- } else if (val->event->rdataset != NULL &&
- val->event->sigrdataset != NULL) {
- isc_result_t saved_result;
- /*
- * This looks like a simple validation. We say "looks like"
- * because it might end up requiring an insecurity proof.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "attempting positive response validation");
- INSIST(dns_rdataset_isassociated(val->event->rdataset));
- INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
- result = start_positive_validation(val);
- if (result == DNS_R_NOVALIDSIG &&
- (val->attributes & VALATTR_TRIEDVERIFY) == 0)
- {
- saved_result = result;
- validator_log(val, ISC_LOG_DEBUG(3),
- "falling back to insecurity proof");
- val->attributes |= VALATTR_INSECURITY;
- result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
- if (result == DNS_R_NOTINSECURE)
- result = saved_result;
- }
- } else if (val->event->rdataset != NULL &&
- val->event->rdataset->type != 0) {
- /*
- * This is either an unsecure subdomain or a response from
- * a broken server.
- */
- INSIST(dns_rdataset_isassociated(val->event->rdataset));
- validator_log(val, ISC_LOG_DEBUG(3),
- "attempting insecurity proof");
- val->attributes |= VALATTR_INSECURITY;
- result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
- if (result == DNS_R_NOTINSECURE)
- validator_log(val, ISC_LOG_INFO,
- "got insecure response; "
- "parent indicates it should be secure");
- } else if (val->event->rdataset == NULL &&
- val->event->sigrdataset == NULL)
- {
- /*
- * This is a nonexistence validation.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "attempting negative response validation");
- if (val->event->message->rcode == dns_rcode_nxdomain) {
- val->attributes |= VALATTR_NEEDNOQNAME;
- val->attributes |= VALATTR_NEEDNOWILDCARD;
- } else
- val->attributes |= VALATTR_NEEDNODATA;
- result = nsecvalidate(val, ISC_FALSE);
- } else if (val->event->rdataset != NULL &&
- NEGATIVE(val->event->rdataset))
- {
- /*
- * This is a nonexistence validation.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "attempting negative response validation");
- if (val->event->rdataset->covers == dns_rdatatype_any) {
- val->attributes |= VALATTR_NEEDNOQNAME;
- val->attributes |= VALATTR_NEEDNOWILDCARD;
- } else
- val->attributes |= VALATTR_NEEDNODATA;
- result = nsecvalidate(val, ISC_FALSE);
- } else {
- /*
- * This shouldn't happen.
- */
- INSIST(0);
- }
- if (result != DNS_R_WAIT) {
- want_destroy = exit_check(val);
- validator_done(val, result);
- }
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
- }
- isc_result_t
- dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
- dns_message_t *message, unsigned int options,
- isc_task_t *task, isc_taskaction_t action, void *arg,
- dns_validator_t **validatorp)
- {
- isc_result_t result = ISC_R_FAILURE;
- dns_validator_t *val;
- isc_task_t *tclone = NULL;
- dns_validatorevent_t *event;
- REQUIRE(name != NULL);
- REQUIRE(rdataset != NULL ||
- (rdataset == NULL && sigrdataset == NULL && message != NULL));
- REQUIRE(validatorp != NULL && *validatorp == NULL);
- val = isc_mem_get(view->mctx, sizeof(*val));
- if (val == NULL)
- return (ISC_R_NOMEMORY);
- val->view = NULL;
- dns_view_weakattach(view, &val->view);
- event = (dns_validatorevent_t *)
- isc_event_allocate(view->mctx, task,
- DNS_EVENT_VALIDATORSTART,
- validator_start, NULL,
- sizeof(dns_validatorevent_t));
- if (event == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_val;
- }
- isc_task_attach(task, &tclone);
- event->validator = val;
- event->result = ISC_R_FAILURE;
- event->name = name;
- event->type = type;
- event->rdataset = rdataset;
- event->sigrdataset = sigrdataset;
- event->message = message;
- memset(event->proofs, 0, sizeof(event->proofs));
- event->optout = ISC_FALSE;
- result = isc_mutex_init(&val->lock);
- if (result != ISC_R_SUCCESS)
- goto cleanup_event;
- val->event = event;
- val->options = options;
- val->attributes = 0;
- val->fetch = NULL;
- val->subvalidator = NULL;
- val->parent = NULL;
- val->keytable = NULL;
- result = dns_view_getsecroots(val->view, &val->keytable);
- if (result != ISC_R_SUCCESS)
- return (result);
- val->keynode = NULL;
- val->key = NULL;
- val->siginfo = NULL;
- val->task = task;
- val->action = action;
- val->arg = arg;
- val->labels = 0;
- val->currentset = NULL;
- val->keyset = NULL;
- val->dsset = NULL;
- dns_rdataset_init(&val->dlv);
- val->seensig = ISC_FALSE;
- val->havedlvsep = ISC_FALSE;
- val->depth = 0;
- val->authcount = 0;
- val->authfail = 0;
- val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
- dns_rdataset_init(&val->frdataset);
- dns_rdataset_init(&val->fsigrdataset);
- dns_fixedname_init(&val->wild);
- dns_fixedname_init(&val->nearest);
- dns_fixedname_init(&val->closest);
- ISC_LINK_INIT(val, link);
- val->magic = VALIDATOR_MAGIC;
- if ((options & DNS_VALIDATOR_DEFER) == 0)
- isc_task_send(task, ISC_EVENT_PTR(&event));
- *validatorp = val;
- return (ISC_R_SUCCESS);
- cleanup_event:
- isc_task_detach(&tclone);
- isc_event_free(ISC_EVENT_PTR(&event));
- cleanup_val:
- dns_view_weakdetach(&val->view);
- isc_mem_put(view->mctx, val, sizeof(*val));
- return (result);
- }
- void
- dns_validator_send(dns_validator_t *validator) {
- isc_event_t *event;
- REQUIRE(VALID_VALIDATOR(validator));
- LOCK(&validator->lock);
- INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
- event = (isc_event_t *)validator->event;
- validator->options &= ~DNS_VALIDATOR_DEFER;
- UNLOCK(&validator->lock);
- isc_task_send(validator->task, ISC_EVENT_PTR(&event));
- }
- void
- dns_validator_cancel(dns_validator_t *validator) {
- REQUIRE(VALID_VALIDATOR(validator));
- LOCK(&validator->lock);
- validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
- if ((validator->attributes & VALATTR_CANCELED) == 0) {
- validator->attributes |= VALATTR_CANCELED;
- if (validator->event != NULL) {
- if (validator->fetch != NULL)
- dns_resolver_cancelfetch(validator->fetch);
- if (validator->subvalidator != NULL)
- dns_validator_cancel(validator->subvalidator);
- if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
- validator->options &= ~DNS_VALIDATOR_DEFER;
- validator_done(validator, ISC_R_CANCELED);
- }
- }
- }
- UNLOCK(&validator->lock);
- }
- static void
- destroy(dns_validator_t *val) {
- isc_mem_t *mctx;
- REQUIRE(SHUTDOWN(val));
- REQUIRE(val->event == NULL);
- REQUIRE(val->fetch == NULL);
- if (val->keynode != NULL)
- dns_keytable_detachkeynode(val->keytable, &val->keynode);
- else if (val->key != NULL)
- dst_key_free(&val->key);
- if (val->keytable != NULL)
- dns_keytable_detach(&val->keytable);
- if (val->subvalidator != NULL)
- dns_validator_destroy(&val->subvalidator);
- if (val->havedlvsep)
- dns_rdataset_disassociate(&val->dlv);
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- mctx = val->view->mctx;
- if (val->siginfo != NULL)
- isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
- DESTROYLOCK(&val->lock);
- dns_view_weakdetach(&val->view);
- val->magic = 0;
- isc_mem_put(mctx, val, sizeof(*val));
- }
- void
- dns_validator_destroy(dns_validator_t **validatorp) {
- dns_validator_t *val;
- isc_boolean_t want_destroy = ISC_FALSE;
- REQUIRE(validatorp != NULL);
- val = *validatorp;
- REQUIRE(VALID_VALIDATOR(val));
- LOCK(&val->lock);
- val->attributes |= VALATTR_SHUTDOWN;
- validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
- *validatorp = NULL;
- }
- static void
- validator_logv(dns_validator_t *val, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *fmt, va_list ap)
- {
- char msgbuf[2048];
- static const char spaces[] = " *";
- int depth = val->depth * 2;
- vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
- if ((unsigned int) depth >= sizeof spaces)
- depth = sizeof spaces - 1;
- if (val->event != NULL && val->event->name != NULL) {
- char namebuf[DNS_NAME_FORMATSIZE];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
- dns_name_format(val->event->name, namebuf, sizeof(namebuf));
- dns_rdatatype_format(val->event->type, typebuf,
- sizeof(typebuf));
- isc_log_write(dns_lctx, category, module, level,
- "%.*svalidating @%p: %s %s: %s", depth, spaces,
- val, namebuf, typebuf, msgbuf);
- } else {
- isc_log_write(dns_lctx, category, module, level,
- "%.*svalidator @%p: %s", depth, spaces,
- val, msgbuf);
- }
- }
- static void
- validator_log(dns_validator_t *val, int level, const char *fmt, ...) {
- va_list ap;
- if (! isc_log_wouldlog(dns_lctx, level))
- return;
- va_start(ap, fmt);
- validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
- DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
- va_end(ap);
- }
- static void
- validator_logcreate(dns_validator_t *val,
- dns_name_t *name, dns_rdatatype_t type,
- const char *caller, const char *operation)
- {
- char namestr[DNS_NAME_FORMATSIZE];
- char typestr[DNS_RDATATYPE_FORMATSIZE];
- dns_name_format(name, namestr, sizeof(namestr));
- dns_rdatatype_format(type, typestr, sizeof(typestr));
- validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",
- caller, operation, namestr, typestr);
- }