upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.

Browse source
This commit is contained in:
George Thessalonikefs 2023-07-30 11:44:44 +02:00
commit 6819c1e444
50 changed files with 847 additions and 209 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
daemon/cachedump.c
View file

@ -166,8 +166,7 @@ dump_msg_ref(RES* ssl, struct ub_packed_rrset_key* k)
/** dump message entry */
static int
dump_msg(RES* ssl, struct query_info* k, struct reply_info* d,
time_t now)
dump_msg(RES* ssl, struct query_info* k, struct reply_info* d, time_t now)
{
size_t i;
char* nm, *tp, *cl;
@ -192,13 +191,15 @@ dump_msg(RES* ssl, struct query_info* k, struct reply_info* d,
}
/* meta line */
if(!ssl_printf(ssl, "msg %s %s %s %d %d " ARG_LL "d %d %u %u %u\n",
if(!ssl_printf(ssl, "msg %s %s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n",
nm, cl, tp,
(int)d->flags, (int)d->qdcount,
(long long)(d->ttl-now), (int)d->security,
(unsigned)d->an_numrrsets,
(unsigned)d->an_numrrsets,
(unsigned)d->ns_numrrsets,
(unsigned)d->ar_numrrsets)) {
(unsigned)d->ar_numrrsets,
(int)d->reason_bogus,
d->reason_bogus_str?d->reason_bogus_str:"")) {
free(nm);
free(tp);
free(cl);
@ -633,6 +634,9 @@ load_msg(RES* ssl, sldns_buffer* buf, struct worker* worker)
long long ttl;
size_t i;
int go_on = 1;
int ede;
int consumed = 0;
char* ede_str = NULL;
regional_free_all(region);
@ -647,11 +651,16 @@ load_msg(RES* ssl, sldns_buffer* buf, struct worker* worker)
}
/* read remainder of line */
if(sscanf(s, " %u %u " ARG_LL "d %u %u %u %u", &flags, &qdcount, &ttl,
&security, &an, &ns, &ar) != 7) {
/* note the last space before any possible EDE text */
if(sscanf(s, " %u %u " ARG_LL "d %u %u %u %u %d %n", &flags, &qdcount, &ttl,
&security, &an, &ns, &ar, &ede, &consumed) != 8) {
log_warn("error cannot parse numbers: %s", s);
return 0;
}
/* there may be EDE text after the numbers */
if(consumed > 0 && (size_t)consumed < strlen(s))
ede_str = s + consumed;
memset(&rep, 0, sizeof(rep));
rep.flags = (uint16_t)flags;
rep.qdcount = (uint16_t)qdcount;
rep.ttl = (time_t)ttl;
@ -666,6 +675,8 @@ load_msg(RES* ssl, sldns_buffer* buf, struct worker* worker)
rep.ns_numrrsets = (size_t)ns;
rep.ar_numrrsets = (size_t)ar;
rep.rrset_count = (size_t)an+(size_t)ns+(size_t)ar;
rep.reason_bogus = (sldns_ede_code)ede;
rep.reason_bogus_str = ede_str?(char*)regional_strdup(region, ede_str):NULL;
rep.rrsets = (struct ub_packed_rrset_key**)regional_alloc_zero(
region, sizeof(struct ub_packed_rrset_key*)*rep.rrset_count);

23
daemon/worker.c
View file

@ -507,11 +507,12 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
msg->rep, LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
worker->env.now_tv))
return 0;
/* TODO store the reason for the bogus reply in cache
* and implement in here instead of the hardcoded EDE */
if (worker->env.cfg->ede) {
EDNS_OPT_LIST_APPEND_EDE(&edns->opt_list_out,
worker->scratchpad, LDNS_EDE_DNSSEC_BOGUS, "");
/* Attach the cached EDE (RFC8914) */
if(worker->env.cfg->ede &&
msg->rep->reason_bogus != LDNS_EDE_NONE) {
edns_opt_list_append_ede(&edns->opt_list_out,
worker->scratchpad, msg->rep->reason_bogus,
msg->rep->reason_bogus_str);
}
error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
&msg->qinfo, id, flags, edns);
@ -693,11 +694,11 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
worker->env.now_tv))
goto bail_out;
/* TODO store the reason for the bogus reply in cache
* and implement in here instead of the hardcoded EDE */
if (worker->env.cfg->ede) {
EDNS_OPT_LIST_APPEND_EDE(&edns->opt_list_out,
worker->scratchpad, LDNS_EDE_DNSSEC_BOGUS, "");
/* Attach the cached EDE (RFC8914) */
if(worker->env.cfg->ede && rep->reason_bogus != LDNS_EDE_NONE) {
edns_opt_list_append_ede(&edns->opt_list_out,
worker->scratchpad, rep->reason_bogus,
rep->reason_bogus_str);
}
error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
qinfo, id, flags, edns);
@ -1668,7 +1669,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
* ACLs allow the snooping. */
if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) &&
acl != acl_allow_snoop ) {
if (worker->env.cfg->ede) {
if(worker->env.cfg->ede) {
EDNS_OPT_LIST_APPEND_EDE(&edns.opt_list_out,
worker->scratchpad, LDNS_EDE_NOT_AUTHORITATIVE, "");
}

2
dns64/dns64.c
View file

@ -841,7 +841,7 @@ dns64_adjust_a(int id, struct module_qstate* super, struct module_qstate* qstate
cp = construct_reply_info_base(super->region, rep->flags, rep->qdcount,
rep->ttl, rep->prefetch_ttl, rep->serve_expired_ttl,
rep->an_numrrsets, rep->ns_numrrsets, rep->ar_numrrsets,
rep->rrset_count, rep->security);
rep->rrset_count, rep->security, LDNS_EDE_NONE);
if(!cp)
return;

3
doc/Changelog
View file

@ -1,3 +1,6 @@
30 July 2023: George
- Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.
28 July 2023: George
- Fix unused variable compile warning for kernel timestamps in
netevent.c

3
iterator/iterator.c
View file

@ -3826,6 +3826,9 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
/* make sure QR flag is on */
iq->response->rep->flags |= BIT_QR;
/* explicitly set the EDE string to NULL */
iq->response->rep->reason_bogus_str = NULL;
/* we have finished processing this query */
qstate->ext_state[id] = module_finished;

5
services/cache/dns.c vendored
View file

@ -157,7 +157,7 @@ dns_cache_store_msg(struct module_env* env, struct query_info* qinfo,
/* we do not store the message, but we did store the RRs,
* which could be useful for delegation information */
verbose(VERB_ALGO, "TTL 0: dropped msg from cache");
free(rep);
reply_info_delete(rep, NULL);
/* if the message is in the cache, remove that msg,
* so that the TTL 0 response can be returned for future
* responses (i.e. don't get answered from
@ -1057,7 +1057,6 @@ dns_cache_store(struct module_env* env, struct query_info* msgqinf,
/* ttl must be relative ;i.e. 0..86400 not time(0)+86400.
* the env->now is added to message and RRsets in this routine. */
/* the leeway is used to invalidate other rrsets earlier */
if(is_referral) {
/* store rrsets */
struct rrset_ref ref;
@ -1074,7 +1073,7 @@ dns_cache_store(struct module_env* env, struct query_info* msgqinf,
((ntohs(ref.key->rk.type)==LDNS_RR_TYPE_NS
&& !pside) ? qstarttime:*env->now + leeway));
}
free(rep);
reply_info_delete(rep, NULL);
return 1;
} else {
/* store msg, and rrsets */

1
services/localzone.c
View file

@ -1308,6 +1308,7 @@ local_encode(struct query_info* qinfo, struct module_env* env,
else rep.ns_numrrsets = 1;
rep.rrset_count = 1;
rep.rrsets = &rrset;
rep.reason_bogus = LDNS_EDE_NONE;
udpsize = edns->udp_size;
edns->edns_version = EDNS_ADVERTISED_VERSION;
edns->udp_size = EDNS_ADVERTISED_SIZE;

48
services/mesh.c
View file

@ -1232,36 +1232,34 @@ mesh_is_rpz_respip_tcponly_action(struct mesh_state const* m)
}
static inline int
mesh_is_udp(struct mesh_reply const* r) {
mesh_is_udp(struct mesh_reply const* r)
{
return r->query_reply.c->type == comm_udp;
}
static inline void
mesh_find_and_attach_ede_and_reason(struct mesh_state* m,
struct reply_info* rep, struct mesh_reply* r) {
char *reason = m->s.env->cfg->val_log_level >= 2
? errinf_to_str_bogus(&m->s) : NULL;
/* During validation the EDE code can be received via two
struct reply_info* rep, struct mesh_reply* r)
{
/* OLD note:
* During validation the EDE code can be received via two
* code paths. One code path fills the reply_info EDE, and
* the other fills it in the errinf_strlist. These paths
* intersect at some points, but where is opaque due to
* the complexity of the validator. At the time of writing
* we make the choice to prefer the EDE from errinf_strlist
* but a compelling reason to do otherwise is just as valid
* NEW note:
* The compelling reason is that with caching support, the value
* in the reply_info is cached.
* The reason members of the reply_info struct should be
* updated as they are already cached. No reason to
* try and find the EDE information in errinf anymore.
*/
sldns_ede_code reason_bogus = errinf_to_reason_bogus(&m->s);
if ((reason_bogus == LDNS_EDE_DNSSEC_BOGUS &&
rep->reason_bogus != LDNS_EDE_NONE) ||
reason_bogus == LDNS_EDE_NONE) {
reason_bogus = rep->reason_bogus;
}
if(reason_bogus != LDNS_EDE_NONE) {
if(rep->reason_bogus != LDNS_EDE_NONE) {
edns_opt_list_append_ede(&r->edns.opt_list_out,
m->s.region, reason_bogus, reason);
m->s.region, rep->reason_bogus, rep->reason_bogus_str);
}
free(reason);
}
/**
@ -1355,13 +1353,11 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
&r->edns, &r->query_reply, m->s.region, &r->start_time))
r->edns.opt_list_inplace_cb_out = NULL;
}
/* Send along EDE BOGUS EDNS0 option when validation is bogus */
if(m->s.env->cfg->ede && rcode == LDNS_RCODE_SERVFAIL &&
m->s.env->need_to_validate && (!(r->qflags&BIT_CD) ||
m->s.env->cfg->ignore_cd) && rep &&
(rep->security <= sec_status_bogus ||
rep->security == sec_status_secure_sentinel_fail)) {
/* Send along EDE EDNS0 option when SERVFAILing; usually
* DNSSEC validation failures */
/* Since we are SERVFAILing here, CD bit and rep->security
* is already handled. */
if(m->s.env->cfg->ede && rep) {
mesh_find_and_attach_ede_and_reason(m, rep, r);
}
error_encode(r_buffer, rcode, &m->s.qinfo, r->qid,
@ -1378,8 +1374,10 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
m->s.qinfo.qname = r->qname;
m->s.qinfo.local_alias = r->local_alias;
/* Attach EDE without servfail if the validation failed */
if (m->s.env->cfg->ede && rep &&
/* Attach EDE without SERVFAIL if the validation failed.
* Need to explicitly check for rep->security otherwise failed
* validation paths may attach to a secure answer. */
if(m->s.env->cfg->ede && rep &&
(rep->security <= sec_status_bogus ||
rep->security == sec_status_secure_sentinel_fail)) {
mesh_find_and_attach_ede_and_reason(m, rep, r);

9
services/rpz.c
View file

@ -1882,7 +1882,8 @@ rpz_synthesize_nodata(struct rpz* ATTR_UNUSED(r), struct module_qstate* ms,
0, /* ns */
0, /* ar */
0, /* total */
sec_status_insecure);
sec_status_insecure,
LDNS_EDE_NONE);
if(msg->rep)
msg->rep->authoritative = 1;
if(!rpz_add_soa(msg->rep, ms, az))
@ -1911,7 +1912,8 @@ rpz_synthesize_nxdomain(struct rpz* r, struct module_qstate* ms,
0, /* ns */
0, /* ar */
0, /* total */
sec_status_insecure);
sec_status_insecure,
LDNS_EDE_NONE);
if(msg->rep)
msg->rep->authoritative = 1;
if(!rpz_add_soa(msg->rep, ms, az))
@ -1941,7 +1943,8 @@ rpz_synthesize_localdata_from_rrset(struct rpz* ATTR_UNUSED(r), struct module_qs
0, /* ns */
0, /* ar */
1, /* total */
sec_status_insecure);
sec_status_insecure,
LDNS_EDE_NONE);
if(new_reply_info == NULL) {
log_err("out of memory");
return NULL;

18
testdata/autotrust_init_fail.rpl vendored
View file

@ -5,6 +5,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -159,6 +160,23 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 21 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 22 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
; The autotrust anchor was probed due to the query.
STEP 30 CHECK_AUTOTRUST example.com

18
testdata/autotrust_init_failsig.rpl vendored
View file

@ -6,6 +6,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -147,6 +148,23 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 21 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 22 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
; The autotrust anchor was probed due to the query.
STEP 30 CHECK_AUTOTRUST example.com

18
testdata/autotrust_probefail.rpl vendored
View file

@ -5,6 +5,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -164,4 +165,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 40 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/autotrust_probefailsig.rpl vendored
View file

@ -5,6 +5,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -164,4 +165,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 40 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

35
testdata/black_ds_entry.rpl vendored
View file

@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -586,6 +587,23 @@ www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 20 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; no more outgoing traffic possible.
STEP 110 QUERY
ENTRY_BEGIN
@ -603,6 +621,23 @@ ftp.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 121 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
ftp.sub.example.com. IN A
ENTRY_END
STEP 122 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
ftp.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; wait for timeout seconds.
STEP 130 TIME_PASSES ELAPSE 901

35
testdata/black_key_entry.rpl vendored
View file

@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -568,6 +569,23 @@ www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 20 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; no more outgoing traffic possible.
STEP 110 QUERY
ENTRY_BEGIN
@ -585,6 +603,23 @@ ftp.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 121 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
ftp.sub.example.com. IN A
ENTRY_END
STEP 122 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
ftp.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; wait for timeout seconds.
STEP 130 TIME_PASSES ELAPSE 901

33
testdata/black_prime_entry.rpl vendored
View file

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -292,6 +293,22 @@ SECTION QUESTION
www.example.com. IN A
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 100 TIME_PASSES ELAPSE 10
; second query should not result in going to the network.
@ -311,5 +328,21 @@ SECTION QUESTION
ftp.example.com. IN A
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 121 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
ftp.example.com. IN A
ENTRY_END
STEP 122 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
ftp.example.com. IN A
ENTRY_END
SCENARIO_END

0
testdata/ede_cache_snoop_noth_auth.rpl → testdata/ede_cache_snoop_not_auth.rpl vendored
View file

30
testdata/nsid_bogus.rpl vendored
View file

@ -10,6 +10,7 @@ server:
minimal-responses: no
nsid: "ascii_hopsa kidee"
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -175,4 +176,33 @@ SECTION ADDITIONAL
HEX_EDNSDATA_END
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 03 ; Opcode NSID (3)
00 00 ; Length 0
HEX_EDNSDATA_END
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 03 ; Opcode NSID (3)
00 0b ; Length 11
68 6F 70 73 61 20 ; "hopsa "
6B 69 64 65 65 ; "kidee"
HEX_EDNSDATA_END
ENTRY_END
SCENARIO_END

33
testdata/root_key_sentinel.rpl vendored
View file

@ -5,6 +5,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -145,6 +146,22 @@ SECTION QUESTION
root-key-sentinel-not-ta-19036. IN A
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 23 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
root-key-sentinel-not-ta-19036. IN A
ENTRY_END
STEP 24 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
root-key-sentinel-not-ta-19036. IN A
ENTRY_END
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD DO
@ -161,6 +178,22 @@ SECTION QUESTION
root-key-sentinel-is-ta-20326. IN A
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 34 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
root-key-sentinel-is-ta-20326. IN A
ENTRY_END
STEP 35 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
root-key-sentinel-is-ta-20326. IN A
ENTRY_END
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD DO

19
testdata/val_cnametocloser_nosig.rpl vendored
View file

@ -6,6 +6,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
forward-zone:
name: "."
@ -89,11 +90,27 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
MATCH all ede=10
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 20 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN AAAA
ENTRY_END
STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=10
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_cnametonodata_nonsec.rpl vendored
View file

@ -9,6 +9,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -268,4 +269,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=10
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_cnametoposnowc.rpl vendored
View file

@ -9,6 +9,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -261,4 +262,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_deleg_nons.rpl vendored
View file

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -269,4 +270,21 @@ foo.www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
foo.www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=10
REPLY QR RA DO SERVFAIL
SECTION QUESTION
foo.www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_dnamewc.rpl vendored
View file

@ -9,6 +9,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -264,4 +265,21 @@ www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

17
testdata/val_ds_cname.rpl vendored
View file

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -204,4 +205,20 @@ SECTION QUESTION
www.example.com. IN A
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=10
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
ENTRY_END
SCENARIO_END

18
testdata/val_faildnskey.rpl vendored
View file

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -171,4 +172,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_nodata_failsig.rpl vendored
View file

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -162,4 +163,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

22
testdata/val_nodata_failwc.rpl vendored
View file

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "nsecwc.nlnetlabs.nl"
@ -17,8 +18,8 @@ CONFIG_END
SCENARIO_BEGIN Test validator with nodata response with wildcard expanded NSEC record, original NSEC owner does not provide proof for QNAME. CVE-2017-15105 test.
; ns.example.com.
RANGE_BEGIN 0 100
; ns.example.com.
RANGE_BEGIN 0 100
ADDRESS 185.49.140.60
; response to DNSKEY priming query
@ -69,4 +70,21 @@ _25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_nokeyprime.rpl vendored
View file

@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -161,4 +162,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

25
testdata/val_nsec3_b1_nameerror_nowc.rpl vendored
View file

@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -140,12 +141,24 @@ SECTION QUESTION
a.c.x.w.example. IN A
SECTION ANSWER
SECTION AUTHORITY
; example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 )
; example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 ( 40430 example. Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd VI2LmKusbZsT0Q== )
; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG )
; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== )
; b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd ( gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
; b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh 5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3 pOv0TSTyiTxIZg== )
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
a.c.x.w.example. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
a.c.x.w.example. IN A
SECTION ANSWER
SECTION AUTHORITY
ENTRY_END
SCENARIO_END

18
testdata/val_nsec3_b2_nodata_nons.rpl vendored
View file

@ -6,6 +6,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -138,4 +139,21 @@ ns1.example. IN MX
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
ns1.example. IN MX
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=12
REPLY QR RA DO SERVFAIL
SECTION QUESTION
ns1.example. IN MX
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_nsec3_entnodata_optout_badopt.rpl vendored
View file

@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -194,4 +195,21 @@ ent.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
ent.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
ent.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

17
testdata/val_nsec3_nods_badsig.rpl vendored
View file

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -234,4 +235,20 @@ www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_nx_failwc.rpl vendored
View file

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "nsecwc.nlnetlabs.nl"
@ -67,4 +68,21 @@ a.nsecwc.nlnetlabs.nl. IN TXT
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
a.nsecwc.nlnetlabs.nl. IN TXT
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
a.nsecwc.nlnetlabs.nl. IN TXT
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_nx_overreach.rpl vendored
View file

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -162,4 +163,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

16
testdata/val_secds_nosig.rpl vendored
View file

@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -230,4 +231,19 @@ SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=10
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
SCENARIO_END

19
testdata/val_ta_algo_missing.rpl vendored
View file

@ -11,6 +11,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -166,11 +167,27 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

47
util/data/msgreply.c
View file

@ -94,7 +94,7 @@ parse_create_qinfo(sldns_buffer* pkt, struct msg_parse* msg,
struct reply_info*
construct_reply_info_base(struct regional* region, uint16_t flags, size_t qd,
time_t ttl, time_t prettl, time_t expttl, size_t an, size_t ns,
size_t ar, size_t total, enum sec_status sec)
size_t ar, size_t total, enum sec_status sec, sldns_ede_code reason_bogus)
{
struct reply_info* rep;
/* rrset_count-1 because the first ref is part of the struct. */
@ -117,7 +117,9 @@ construct_reply_info_base(struct regional* region, uint16_t flags, size_t qd,
rep->ar_numrrsets = ar;
rep->rrset_count = total;
rep->security = sec;
rep->reason_bogus = LDNS_EDE_NONE;
rep->reason_bogus = reason_bogus;
/* this is only allocated and used for caching on copy */
rep->reason_bogus_str = NULL;
rep->authoritative = 0;
/* array starts after the refs */
if(region)
@ -137,7 +139,7 @@ parse_create_repinfo(struct msg_parse* msg, struct reply_info** rep,
{
*rep = construct_reply_info_base(region, msg->flags, msg->qdcount, 0,
0, 0, msg->an_rrsets, msg->ns_rrsets, msg->ar_rrsets,
msg->rrset_count, sec_status_unchecked);
msg->rrset_count, sec_status_unchecked, LDNS_EDE_NONE);
if(!*rep)
return 0;
return 1;
@ -182,7 +184,7 @@ make_new_reply_info(const struct reply_info* rep, struct regional* region,
new_rep = construct_reply_info_base(region, rep->flags,
rep->qdcount, rep->ttl, rep->prefetch_ttl,
rep->serve_expired_ttl, an_numrrsets, 0, 0, an_numrrsets,
sec_status_insecure);
sec_status_insecure, LDNS_EDE_NONE);
if(!new_rep)
return NULL;
if(!reply_info_alloc_rrset_keys(new_rep, NULL, region))
@ -580,6 +582,10 @@ reply_info_parsedelete(struct reply_info* rep, struct alloc_cache* alloc)
for(i=0; i<rep->rrset_count; i++) {
ub_packed_rrset_parsedelete(rep->rrsets[i], alloc);
}
if(rep->reason_bogus_str) {
free(rep->reason_bogus_str);
rep->reason_bogus_str = NULL;
}
free(rep);
}
@ -661,6 +667,10 @@ void
reply_info_delete(void* d, void* ATTR_UNUSED(arg))
{
struct reply_info* r = (struct reply_info*)d;
if(r->reason_bogus_str) {
free(r->reason_bogus_str);
r->reason_bogus_str = NULL;
}
free(r);
}
@ -737,17 +747,36 @@ repinfo_copy_rrsets(struct reply_info* dest, struct reply_info* from,
return 1;
}
struct reply_info*
reply_info_copy(struct reply_info* rep, struct alloc_cache* alloc,
struct reply_info*
reply_info_copy(struct reply_info* rep, struct alloc_cache* alloc,
struct regional* region)
{
struct reply_info* cp;
cp = construct_reply_info_base(region, rep->flags, rep->qdcount,
rep->ttl, rep->prefetch_ttl, rep->serve_expired_ttl,
cp = construct_reply_info_base(region, rep->flags, rep->qdcount,
rep->ttl, rep->prefetch_ttl, rep->serve_expired_ttl,
rep->an_numrrsets, rep->ns_numrrsets, rep->ar_numrrsets,
rep->rrset_count, rep->security);
rep->rrset_count, rep->security, rep->reason_bogus);
if(!cp)
return NULL;
if(rep->reason_bogus_str && *rep->reason_bogus_str != 0) {
if(region) {
cp->reason_bogus_str = (char*)regional_alloc(region,
sizeof(char)
* (strlen(rep->reason_bogus_str)+1));
} else {
cp->reason_bogus_str = malloc(sizeof(char)
* (strlen(rep->reason_bogus_str)+1));
}
if(!cp->reason_bogus_str) {
if(!region)
reply_info_parsedelete(cp, alloc);
return NULL;
}
memcpy(cp->reason_bogus_str, rep->reason_bogus_str,
strlen(rep->reason_bogus_str)+1);
}
/* allocate ub_key structures special or not */
if(!reply_info_alloc_rrset_keys(cp, alloc, region)) {
if(!region)

14
util/data/msgreply.h
View file

@ -170,9 +170,17 @@ struct reply_info {
/**
* EDE (rfc8914) code with reason for DNSSEC bogus status.
* Used for caching the EDE.
*/
sldns_ede_code reason_bogus;
/**
* EDE (rfc8914) NULL-terminated string with human-readable reason
* for DNSSEC bogus status.
* Used for caching the EDE.
*/
char* reason_bogus_str;
/**
* Number of RRsets in each section.
* The answer section. Add up the RRs in every RRset to calculate
@ -240,13 +248,15 @@ struct msgreply_entry {
* @param ar: ar count
* @param total: total rrset count (presumably an+ns+ar).
* @param sec: security status of the reply info.
* @param reason_bogus: the Extended DNS Error for DNSSEC bogus status
* @return the reply_info base struct with the array for putting the rrsets
* in. The array has been zeroed. Returns NULL on malloc failure.
*/
struct reply_info*
construct_reply_info_base(struct regional* region, uint16_t flags, size_t qd,
time_t ttl, time_t prettl, time_t expttl, size_t an, size_t ns,
size_t ar, size_t total, enum sec_status sec);
time_t ttl, time_t prettl, time_t expttl, size_t an, size_t ns,
size_t ar, size_t total, enum sec_status sec,
sldns_ede_code reason_bogus);
/**
* Parse wire query into a queryinfo structure, return 0 on parse error.

16
util/module.c
View file

@ -84,8 +84,10 @@ void errinf_ede(struct module_qstate* qstate,
const char* str, sldns_ede_code reason_bogus)
{
struct errinf_strlist* p;
if((qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) || !str)
if(!str || (qstate->env->cfg->val_log_level < 2 &&
!qstate->env->cfg->log_servfail)) {
return;
}
p = (struct errinf_strlist*)regional_alloc(qstate->region, sizeof(*p));
if(!p) {
log_err("malloc failure in validator-error-info string");
@ -152,15 +154,19 @@ char* errinf_to_str_bogus(struct module_qstate* qstate)
return p;
}
/* Try to find the latest (most specific) dnssec failure */
sldns_ede_code errinf_to_reason_bogus(struct module_qstate* qstate)
{
struct errinf_strlist* s;
sldns_ede_code ede = LDNS_EDE_NONE;
for(s=qstate->errinf; s; s=s->next) {
if (s->reason_bogus != LDNS_EDE_NONE) {
return s->reason_bogus;
}
if(s->reason_bogus == LDNS_EDE_NONE) continue;
if(ede != LDNS_EDE_NONE
&& ede != LDNS_EDE_DNSSEC_BOGUS
&& s->reason_bogus == LDNS_EDE_DNSSEC_BOGUS) continue;
ede = s->reason_bogus;
}
return LDNS_EDE_NONE;
return ede;
}
char* errinf_to_str_servfail(struct module_qstate* qstate)

6
util/module.h
View file

@ -826,11 +826,11 @@ void errinf_dname(struct module_qstate* qstate, const char* str,
* This string is malloced and has to be freed by caller.
*/
char* errinf_to_str_bogus(struct module_qstate* qstate);
/**
* Check the sldns_ede_code of the qstate.
* Check the sldns_ede_code of the qstate->errinf.
* @param qstate: query state.
* @return LDNS_EDE_DNSSEC_BOGUS by default, or the first explicitly set
* sldns_ede_code.
* @return the latest explicitly set sldns_ede_code or LDNS_EDE_NONE.
*/
sldns_ede_code errinf_to_reason_bogus(struct module_qstate* qstate);

10
validator/val_kcache.c
View file

@ -81,17 +81,11 @@ key_cache_delete(struct key_cache* kcache)
void
key_cache_insert(struct key_cache* kcache, struct key_entry_key* kkey,
struct module_qstate* qstate)
int copy_reason)
{
struct key_entry_key* k = key_entry_copy(kkey);
struct key_entry_key* k = key_entry_copy(kkey, copy_reason);
if(!k)
return;
if(key_entry_isbad(k) && qstate->errinf &&
qstate->env->cfg->val_log_level >= 2) {
/* on malloc failure there is simply no reason string */
key_entry_set_reason(k, errinf_to_str_bogus(qstate));
key_entry_set_reason_bogus(k, errinf_to_reason_bogus(qstate));
}
key_entry_hash(k);
slabhash_insert(kcache->slab, k->entry.hash, &k->entry,
k->entry.data, NULL);

4
validator/val_kcache.h
View file

@ -76,10 +76,10 @@ void key_cache_delete(struct key_cache* kcache);
* @param kcache: the key cache.
* @param kkey: key entry key, assumed malloced in a region, is copied
* to perform update or insertion. Its data pointer is also copied.
* @param qstate: store errinf reason in case its bad.
* @param copy_reason: if the reason string needs to be copied (allocated).
*/
void key_cache_insert(struct key_cache* kcache, struct key_entry_key* kkey,
struct module_qstate* qstate);
int copy_reason);
/**
* Remove an entry from the key cache.

48
validator/val_kentry.c
View file

@ -152,7 +152,7 @@ key_entry_copy_toregion(struct key_entry_key* kkey, struct regional* region)
}
struct key_entry_key*
key_entry_copy(struct key_entry_key* kkey)
key_entry_copy(struct key_entry_key* kkey, int copy_reason)
{
struct key_entry_key* newk;
if(!kkey)
@ -190,7 +190,7 @@ key_entry_copy(struct key_entry_key* kkey)
}
packed_rrset_ptr_fixup(newd->rrset_data);
}
if(d->reason) {
if(copy_reason && d->reason && *d->reason != 0) {
newd->reason = strdup(d->reason);
if(!newd->reason) {
free(newd->rrset_data);
@ -199,6 +199,8 @@ key_entry_copy(struct key_entry_key* kkey)
free(newk);
return NULL;
}
} else {
newd->reason = NULL;
}
if(d->algo) {
newd->algo = (uint8_t*)strdup((char*)d->algo);
@ -237,22 +239,6 @@ key_entry_isbad(struct key_entry_key* kkey)
return (int)(d->isbad);
}
void
key_entry_set_reason(struct key_entry_key* kkey, char* reason)
{
struct key_entry_data* d = (struct key_entry_data*)kkey->entry.data;
d->reason = reason;
}
void
key_entry_set_reason_bogus(struct key_entry_key* kkey, sldns_ede_code ede)
{
struct key_entry_data* d = (struct key_entry_data*)kkey->entry.data;
if (ede != LDNS_EDE_NONE) { /* reason_bogus init is LDNS_EDE_NONE already */
d->reason_bogus = ede;
}
}
char*
key_entry_get_reason(struct key_entry_key* kkey)
{
@ -294,6 +280,7 @@ key_entry_setup(struct regional* region,
struct key_entry_key*
key_entry_create_null(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
sldns_ede_code reason_bogus, const char* reason,
time_t now)
{
struct key_entry_key* k;
@ -302,8 +289,10 @@ key_entry_create_null(struct regional* region,
return NULL;
d->ttl = now + ttl;
d->isbad = 0;
d->reason = NULL;
d->reason_bogus = LDNS_EDE_NONE;
d->reason = (!reason || *reason == 0)
?NULL :(char*)regional_strdup(region, reason);
/* On allocation error we don't store the reason string */
d->reason_bogus = reason_bogus;
d->rrset_type = LDNS_RR_TYPE_DNSKEY;
d->rrset_data = NULL;
d->algo = NULL;
@ -313,7 +302,9 @@ key_entry_create_null(struct regional* region,
struct key_entry_key*
key_entry_create_rrset(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass,
struct ub_packed_rrset_key* rrset, uint8_t* sigalg, time_t now)
struct ub_packed_rrset_key* rrset, uint8_t* sigalg,
sldns_ede_code reason_bogus, const char* reason,
time_t now)
{
struct key_entry_key* k;
struct key_entry_data* d;
@ -323,8 +314,10 @@ key_entry_create_rrset(struct regional* region,
return NULL;
d->ttl = rd->ttl + now;
d->isbad = 0;
d->reason = NULL;
d->reason_bogus = LDNS_EDE_NONE;
d->reason = (!reason || *reason == 0)
?NULL :(char*)regional_strdup(region, reason);
/* On allocation error we don't store the reason string */
d->reason_bogus = reason_bogus;
d->rrset_type = ntohs(rrset->rk.type);
d->rrset_data = (struct packed_rrset_data*)regional_alloc_init(region,
rd, packed_rrset_sizeof(rd));
@ -341,7 +334,8 @@ key_entry_create_rrset(struct regional* region,
struct key_entry_key*
key_entry_create_bad(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
sldns_ede_code reason_bogus, const char* reason,
time_t now)
{
struct key_entry_key* k;
@ -350,8 +344,10 @@ key_entry_create_bad(struct regional* region,
return NULL;
d->ttl = now + ttl;
d->isbad = 1;
d->reason = NULL;
d->reason_bogus = LDNS_EDE_NONE;
d->reason = (!reason || *reason == 0)
?NULL :(char*)regional_strdup(region, reason);
/* On allocation error we don't store the reason string */
d->reason_bogus = reason_bogus;
d->rrset_type = LDNS_RR_TYPE_DNSKEY;
d->rrset_data = NULL;
d->algo = NULL;

37
validator/val_kentry.h
View file

@ -120,9 +120,11 @@ struct key_entry_key* key_entry_copy_toregion(struct key_entry_key* kkey,
/**
* Copy a key entry, malloced.
* @param kkey: the key entry key (and data pointer) to copy.
* @param copy_reason: if the reason string needs to be copied (allocated).
* @return newly allocated entry or NULL on a failure to allocate memory.
*/
struct key_entry_key* key_entry_copy(struct key_entry_key* kkey);
struct key_entry_key* key_entry_copy(struct key_entry_key* kkey,
int copy_reason);
/**
* See if this is a null entry. Does not do locking.
@ -145,23 +147,6 @@ int key_entry_isgood(struct key_entry_key* kkey);
*/
int key_entry_isbad(struct key_entry_key* kkey);
/**
* Set reason why a key is bad.
* @param kkey: bad key.
* @param reason: string to attach, you must allocate it.
* Not safe to call twice unless you deallocate it yourself.
*/
void key_entry_set_reason(struct key_entry_key* kkey, char* reason);
/**
* Set the EDE (RFC8914) code why the key is bad, if it
* exists (so not LDNS_EDE_NONE).
* @param kkey: bad key.
* @param ede: EDE code to attach to this key.
*/
void key_entry_set_reason_bogus(struct key_entry_key* kkey, sldns_ede_code ede);
/**
* Get reason why a key is bad.
* @param kkey: bad key
@ -184,11 +169,14 @@ sldns_ede_code key_entry_get_reason_bogus(struct key_entry_key* kkey);
* @param namelen: length of name
* @param dclass: class of key entry. (host order);
* @param ttl: what ttl should the key have. relative.
* @param reason_bogus: accompanying EDE code.
* @param reason: accompanying NULL-terminated EDE string (or NULL).
* @param now: current time (added to ttl).
* @return new key entry or NULL on alloc failure
*/
struct key_entry_key* key_entry_create_null(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
sldns_ede_code reason_bogus, const char* reason,
time_t now);
/**
@ -199,12 +187,16 @@ struct key_entry_key* key_entry_create_null(struct regional* region,
* @param dclass: class of key entry. (host order);
* @param rrset: data for key entry. This is copied to the region.
* @param sigalg: signalled algorithm list (or NULL).
* @param reason_bogus: accompanying EDE code (usually LDNS_EDE_NONE).
* @param reason: accompanying NULL-terminated EDE string (or NULL).
* @param now: current time (added to ttl of rrset)
* @return new key entry or NULL on alloc failure
*/
struct key_entry_key* key_entry_create_rrset(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass,
struct ub_packed_rrset_key* rrset, uint8_t* sigalg, time_t now);
uint8_t* name, size_t namelen, uint16_t dclass,
struct ub_packed_rrset_key* rrset, uint8_t* sigalg,
sldns_ede_code reason_bogus, const char* reason,
time_t now);
/**
* Create a bad entry, in the given region.
@ -213,11 +205,14 @@ struct key_entry_key* key_entry_create_rrset(struct regional* region,
* @param namelen: length of name
* @param dclass: class of key entry. (host order);
* @param ttl: what ttl should the key have. relative.
* @param reason_bogus: accompanying EDE code.
* @param reason: accompanying NULL-terminated EDE string (or NULL).
* @param now: current time (added to ttl).
* @return new key entry or NULL on alloc failure
*/
struct key_entry_key* key_entry_create_bad(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
sldns_ede_code reason_bogus, const char* reason,
time_t now);
/**

19
validator/val_nsec.c
View file

@ -174,9 +174,10 @@ val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
/** check security status from cache or verify rrset, returns true if secure */
static int
nsec_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
char** reason, struct module_qstate* qstate)
nsec_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
char** reason, sldns_ede_code* reason_bogus,
struct module_qstate* qstate)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
nsec->entry.data;
@ -187,7 +188,7 @@ nsec_verify_rrset(struct module_env* env, struct val_env* ve,
if(d->security == sec_status_secure)
return 1;
d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason,
NULL, LDNS_SECTION_AUTHORITY, qstate);
reason_bogus, LDNS_SECTION_AUTHORITY, qstate);
if(d->security == sec_status_secure) {
rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
return 1;
@ -199,7 +200,7 @@ enum sec_status
val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
struct query_info* qinfo, struct reply_info* rep,
struct key_entry_key* kkey, time_t* proof_ttl, char** reason,
struct module_qstate* qstate)
sldns_ede_code* reason_bogus, struct module_qstate* qstate)
{
struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC,
@ -216,7 +217,8 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
* 1) this is a delegation point and there is no DS
* 2) this is not a delegation point */
if(nsec) {
if(!nsec_verify_rrset(env, ve, nsec, kkey, reason, qstate)) {
if(!nsec_verify_rrset(env, ve, nsec, kkey, reason,
reason_bogus, qstate)) {
verbose(VERB_ALGO, "NSEC RRset for the "
"referral did not verify.");
return sec_status_bogus;
@ -225,6 +227,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
if(sec == sec_status_bogus) {
/* something was wrong. */
*reason = "NSEC does not prove absence of DS";
*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
return sec;
} else if(sec == sec_status_insecure) {
/* this wasn't a delegation point. */
@ -246,9 +249,11 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
continue;
if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason,
qstate)) {
reason_bogus, qstate)) {
verbose(VERB_ALGO, "NSEC for empty non-terminal "
"did not verify.");
*reason = "NSEC for empty non-terminal "
"did not verify.";
return sec_status_bogus;
}
if(nsec_proves_nodata(rep->rrsets[i], qinfo, &wc)) {

5
validator/val_nsec.h
View file

@ -44,6 +44,7 @@
#ifndef VALIDATOR_VAL_NSEC_H
#define VALIDATOR_VAL_NSEC_H
#include "util/data/packed_rrset.h"
#include "sldns/rrdef.h"
struct val_env;
struct module_env;
struct module_qstate;
@ -65,6 +66,7 @@ struct key_entry_key;
* @param kkey: key entry to use for verification of signatures.
* @param proof_ttl: if secure, the TTL of how long this proof lasts.
* @param reason: string explaining why bogus.
* @param reason_bogus: relevant EDE code for validation failure.
* @param qstate: qstate with region.
* @return security status.
* SECURE: proved absence of DS.
@ -75,7 +77,8 @@ struct key_entry_key;
enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env,
struct val_env* ve, struct query_info* qinfo,
struct reply_info* rep, struct key_entry_key* kkey,
time_t* proof_ttl, char** reason, struct module_qstate* qstate);
time_t* proof_ttl, char** reason, sldns_ede_code* reason_bogus,
struct module_qstate* qstate);
/**
* nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.

4
validator/val_sigcrypt.c
View file

@ -718,9 +718,9 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
}
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
if(!numchecked) {
*reason = "signature missing";
*reason = "signature for expected key and algorithm missing";
if(reason_bogus)
*reason_bogus = LDNS_EDE_RRSIGS_MISSING;
*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
} else if(numchecked == numindeterminate) {
verbose(VERB_ALGO, "rrset failed to verify due to algorithm "
"refusal by cryptolib");

19
validator/val_utils.c
View file

@ -587,16 +587,18 @@ val_verify_new_DNSKEYs(struct regional* region, struct module_env* env,
return key_entry_create_rrset(region,
ds_rrset->rk.dname, ds_rrset->rk.dname_len,
ntohs(ds_rrset->rk.rrset_class), dnskey_rrset,
downprot?sigalg:NULL, *env->now);
downprot?sigalg:NULL, LDNS_EDE_NONE, NULL,
*env->now);
} else if(sec == sec_status_insecure) {
return key_entry_create_null(region, ds_rrset->rk.dname,
ds_rrset->rk.dname_len,
ds_rrset->rk.dname_len,
ntohs(ds_rrset->rk.rrset_class),
rrset_get_ttl(ds_rrset), *env->now);
rrset_get_ttl(ds_rrset), *reason_bogus, *reason,
*env->now);
}
return key_entry_create_bad(region, ds_rrset->rk.dname,
ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class),
BOGUS_KEY_TTL, *env->now);
BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now);
}
enum sec_status
@ -694,7 +696,7 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
has_useful_ta = 1;
sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
ta_dnskey, i, reason, NULL, LDNS_SECTION_ANSWER, qstate);
ta_dnskey, i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate);
if(sec == sec_status_secure) {
if(!sigalg || algo_needs_set_secure(&needs,
(uint8_t)dnskey_get_algo(ta_dnskey, i))) {
@ -743,16 +745,17 @@ val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env,
return key_entry_create_rrset(region,
dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len,
ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset,
downprot?sigalg:NULL, *env->now);
downprot?sigalg:NULL, LDNS_EDE_NONE, NULL, *env->now);
} else if(sec == sec_status_insecure) {
return key_entry_create_null(region, dnskey_rrset->rk.dname,
dnskey_rrset->rk.dname_len,
ntohs(dnskey_rrset->rk.rrset_class),
rrset_get_ttl(dnskey_rrset), *env->now);
rrset_get_ttl(dnskey_rrset), *reason_bogus, *reason,
*env->now);
}
return key_entry_create_bad(region, dnskey_rrset->rk.dname,
dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class),
BOGUS_KEY_TTL, *env->now);
BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now);
}
int

137
validator/validator.c
View file

@ -70,16 +70,16 @@ static void process_ds_response(struct module_qstate* qstate,
struct query_info* qinfo, struct sock_list* origin);
/* Updates the suplied EDE (RFC8914) code selectively so we don't loose
* a more specific code
*/
/* Updates the suplied EDE (RFC8914) code selectively so we don't lose
* a more specific code */
static void
update_reason_bogus(struct reply_info* rep, sldns_ede_code reason_bogus)
{
if (rep->reason_bogus == LDNS_EDE_DNSSEC_BOGUS ||
rep->reason_bogus == LDNS_EDE_NONE) {
rep->reason_bogus = reason_bogus;
}
if(reason_bogus == LDNS_EDE_NONE) return;
if(reason_bogus == LDNS_EDE_DNSSEC_BOGUS
&& rep->reason_bogus != LDNS_EDE_NONE
&& rep->reason_bogus != LDNS_EDE_DNSSEC_BOGUS) return;
rep->reason_bogus = reason_bogus;
}
@ -1672,20 +1672,13 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
vq->state = VAL_FINISHED_STATE;
return 1;
} else if(key_entry_isbad(vq->key_entry)) {
sldns_ede_code ede = LDNS_EDE_DNSSEC_BOGUS;
/* the key could have a more spefic EDE than just bogus */
if(key_entry_get_reason_bogus(vq->key_entry) != LDNS_EDE_NONE) {
ede = key_entry_get_reason_bogus(vq->key_entry);
}
/* Bad keys should have the relevant EDE code and text */
sldns_ede_code ede = key_entry_get_reason_bogus(vq->key_entry);
/* key is bad, chain is bad, reply is bogus */
errinf_dname(qstate, "key for validation", vq->key_entry->name);
errinf_ede(qstate, "is marked as invalid", ede);
if(key_entry_get_reason(vq->key_entry)) {
errinf(qstate, "because of a previous");
errinf(qstate, key_entry_get_reason(vq->key_entry));
}
errinf(qstate, "because of a previous");
errinf(qstate, key_entry_get_reason(vq->key_entry));
/* no retries, stop bothering the authority until timeout */
vq->restart_count = ve->max_restart;
@ -1888,7 +1881,8 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
vq->chase_reply->security = sec_status_insecure;
val_mark_insecure(vq->chase_reply, vq->key_entry->name,
qstate->env->rrset_cache, qstate->env);
key_cache_insert(ve->kcache, vq->key_entry, qstate);
key_cache_insert(ve->kcache, vq->key_entry,
qstate->env->cfg->val_log_level >= 2);
return 1;
}
@ -1897,12 +1891,13 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
"of trust to keys for", vq->key_entry->name,
LDNS_RR_TYPE_DNSKEY, vq->key_entry->key_class);
vq->chase_reply->security = sec_status_bogus;
update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSKEY_MISSING);
update_reason_bogus(vq->chase_reply,
key_entry_get_reason_bogus(vq->key_entry));
errinf_ede(qstate, "while building chain of trust",
LDNS_EDE_DNSKEY_MISSING);
key_entry_get_reason_bogus(vq->key_entry));
if(vq->restart_count >= ve->max_restart)
key_cache_insert(ve->kcache, vq->key_entry, qstate);
key_cache_insert(ve->kcache, vq->key_entry,
qstate->env->cfg->val_log_level >= 2);
return 1;
}
@ -2151,9 +2146,19 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
log_query_info(NO_VERBOSE, "validation failure",
&qstate->qinfo);
else {
char* err = errinf_to_str_bogus(qstate);
if(err) log_info("%s", err);
free(err);
char* err_str = errinf_to_str_bogus(qstate);
if(err_str) {
size_t err_str_len = strlen(err_str);
log_info("%s", err_str);
/* allocate space and store the error
* string */
vq->orig_msg->rep->reason_bogus_str = regional_alloc(
qstate->region,
sizeof(char) * (err_str_len+1));
memcpy(vq->orig_msg->rep->reason_bogus_str,
err_str, err_str_len+1);
}
free(err_str);
}
}
/*
@ -2195,6 +2200,9 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
}
}
}
/* Update rep->reason_bogus as it is the one being cached */
update_reason_bogus(vq->orig_msg->rep, errinf_to_reason_bogus(qstate));
/* store results in cache */
if(qstate->query_flags&BIT_RD) {
/* if secure, this will override cache anyway, no need
@ -2370,13 +2378,17 @@ primeResponseToKE(struct ub_packed_rrset_key* dnskey_rrset,
log_nametypeclass(VERB_OPS, "failed to prime trust anchor -- "
"could not fetch DNSKEY rrset",
ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass);
reason_bogus = LDNS_EDE_DNSKEY_MISSING;
reason = "no DNSKEY rrset";
if(qstate->env->cfg->harden_dnssec_stripped) {
errinf_ede(qstate, "no DNSKEY rrset", LDNS_EDE_DNSKEY_MISSING);
errinf_ede(qstate, reason, reason_bogus);
kkey = key_entry_create_bad(qstate->region, ta->name,
ta->namelen, ta->dclass, BOGUS_KEY_TTL,
reason_bogus, reason,
*qstate->env->now);
} else kkey = key_entry_create_null(qstate->region, ta->name,
ta->namelen, ta->dclass, NULL_KEY_TTL,
reason_bogus, reason,
*qstate->env->now);
if(!kkey) {
log_err("out of memory: allocate fail prime key");
@ -2409,9 +2421,11 @@ primeResponseToKE(struct ub_packed_rrset_key* dnskey_rrset,
errinf_ede(qstate, reason, reason_bogus);
kkey = key_entry_create_bad(qstate->region, ta->name,
ta->namelen, ta->dclass, BOGUS_KEY_TTL,
reason_bogus, reason,
*qstate->env->now);
} else kkey = key_entry_create_null(qstate->region, ta->name,
ta->namelen, ta->dclass, NULL_KEY_TTL,
reason_bogus, reason,
*qstate->env->now);
if(!kkey) {
log_err("out of memory: allocate null prime key");
@ -2458,8 +2472,9 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
/* errors here pretty much break validation */
verbose(VERB_DETAIL, "DS response was error, thus bogus");
errinf(qstate, rc);
errinf_ede(qstate, "no DS", LDNS_EDE_NETWORK_ERROR);
reason = "no DS";
reason_bogus = LDNS_EDE_NETWORK_ERROR;
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
@ -2473,7 +2488,8 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
if(!ds) {
log_warn("internal error: POSITIVE DS response was "
"missing DS.");
errinf_ede(qstate, "no DS record", LDNS_EDE_DNSSEC_BOGUS);
reason = "no DS record";
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
/* Verify only returns BOGUS or SECURE. If the rrset is
@ -2492,13 +2508,11 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
if(!val_dsset_isusable(ds)) {
/* If they aren't usable, then we treat it like
* there was no DS. */
/* TODO add EDE Unsupported DS Digest Type; this needs
* EDE to be added on non SERVFAIL answers. */
*ke = key_entry_create_null(qstate->region,
qinfo->qname, qinfo->qname_len, qinfo->qclass,
ub_packed_rrset_ttl(ds), *qstate->env->now);
*ke = key_entry_create_null(qstate->region,
qinfo->qname, qinfo->qname_len, qinfo->qclass,
ub_packed_rrset_ttl(ds),
LDNS_EDE_UNSUPPORTED_DS_DIGEST, NULL,
*qstate->env->now);
return (*ke) != NULL;
}
@ -2506,7 +2520,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
log_query_info(VERB_DETAIL, "validated DS", qinfo);
*ke = key_entry_create_rrset(qstate->region,
qinfo->qname, qinfo->qname_len, qinfo->qclass, ds,
NULL, *qstate->env->now);
NULL, LDNS_EDE_NONE, NULL, *qstate->env->now);
return (*ke) != NULL;
} else if(subtype == VAL_CLASS_NODATA ||
subtype == VAL_CLASS_NAMEERROR) {
@ -2518,7 +2532,8 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
/* make sure there are NSECs or NSEC3s with signatures */
if(!val_has_signed_nsecs(msg->rep, &reason)) {
verbose(VERB_ALGO, "no NSECs: %s", reason);
errinf_ede(qstate, reason, LDNS_EDE_NSEC_MISSING);
reason_bogus = LDNS_EDE_NSEC_MISSING;
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
@ -2530,7 +2545,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
/* Try to prove absence of the DS with NSEC */
sec = val_nsec_prove_nodata_dsreply(
qstate->env, ve, qinfo, msg->rep, vq->key_entry,
&proof_ttl, &reason, qstate);
&proof_ttl, &reason, &reason_bogus, qstate);
switch(sec) {
case sec_status_secure:
verbose(VERB_DETAIL, "NSEC RRset for the "
@ -2538,6 +2553,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
*ke = key_entry_create_null(qstate->region,
qinfo->qname, qinfo->qname_len,
qinfo->qclass, proof_ttl,
LDNS_EDE_NONE, NULL,
*qstate->env->now);
return (*ke) != NULL;
case sec_status_insecure:
@ -2571,6 +2587,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
*ke = key_entry_create_null(qstate->region,
qinfo->qname, qinfo->qname_len,
qinfo->qclass, proof_ttl,
LDNS_EDE_NONE, NULL,
*qstate->env->now);
return (*ke) != NULL;
case sec_status_indeterminate:
@ -2593,7 +2610,8 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
* this is BOGUS. */
verbose(VERB_DETAIL, "DS %s ran out of options, so return "
"bogus", val_classification_to_string(subtype));
errinf(qstate, "no DS but also no proof of that");
reason = "no DS but also no proof of that";
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
} else if(subtype == VAL_CLASS_CNAME ||
subtype == VAL_CLASS_CNAMENOANSWER) {
@ -2605,22 +2623,25 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
cname = reply_find_rrset_section_an(msg->rep, qinfo->qname,
qinfo->qname_len, LDNS_RR_TYPE_CNAME, qinfo->qclass);
if(!cname) {
errinf(qstate, "validator classified CNAME but no "
"CNAME of the queried name for DS");
reason = "validator classified CNAME but no "
"CNAME of the queried name for DS";
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
if(((struct packed_rrset_data*)cname->entry.data)->rrsig_count
== 0) {
if(msg->rep->an_numrrsets != 0 && ntohs(msg->rep->
rrsets[0]->rk.type)==LDNS_RR_TYPE_DNAME) {
errinf(qstate, "DS got DNAME answer");
reason = "DS got DNAME answer";
} else {
errinf(qstate, "DS got unsigned CNAME answer");
reason = "DS got unsigned CNAME answer";
}
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
sec = val_verify_rrset_entry(qstate->env, ve, cname,
vq->key_entry, &reason, NULL, LDNS_SECTION_ANSWER, qstate);
sec = val_verify_rrset_entry(qstate->env, ve, cname,
vq->key_entry, &reason, &reason_bogus,
LDNS_SECTION_ANSWER, qstate);
if(sec == sec_status_secure) {
verbose(VERB_ALGO, "CNAME validated, "
"proof that DS does not exist");
@ -2629,12 +2650,13 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
return 1;
}
errinf(qstate, "CNAME in DS response was not secure.");
errinf(qstate, reason);
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
} else {
verbose(VERB_QUERY, "Encountered an unhandled type of "
"DS response, thus bogus.");
errinf(qstate, "no DS and");
reason = "no DS";
if(FLAGS_GET_RCODE(msg->rep->flags) != LDNS_RCODE_NOERROR) {
char rc[16];
rc[0]=0;
@ -2647,8 +2669,8 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
}
return_bogus:
*ke = key_entry_create_bad(qstate->region, qinfo->qname,
qinfo->qname_len, qinfo->qclass,
BOGUS_KEY_TTL, *qstate->env->now);
qinfo->qname_len, qinfo->qclass, BOGUS_KEY_TTL,
reason_bogus, reason, *qstate->env->now);
return (*ke) != NULL;
}
@ -2768,14 +2790,17 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
vq->restart_count++;
return;
}
vq->key_entry = key_entry_create_bad(qstate->region,
reason = "No DNSKEY record";
reason_bogus = LDNS_EDE_DNSKEY_MISSING;
vq->key_entry = key_entry_create_bad(qstate->region,
qinfo->qname, qinfo->qname_len, qinfo->qclass,
BOGUS_KEY_TTL, *qstate->env->now);
BOGUS_KEY_TTL, reason_bogus, reason,
*qstate->env->now);
if(!vq->key_entry) {
log_err("alloc failure in missing dnskey response");
/* key_entry is NULL for failure in Validate */
}
errinf_ede(qstate, "No DNSKEY record", LDNS_EDE_DNSKEY_MISSING);
errinf_ede(qstate, reason, reason_bogus);
errinf_origin(qstate, origin);
errinf_dname(qstate, "for key", qinfo->qname);
vq->state = VAL_VALIDATE_STATE;
@ -2822,7 +2847,8 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
qstate->errinf = NULL;
/* The DNSKEY validated, so cache it as a trusted key rrset. */
key_cache_insert(ve->kcache, vq->key_entry, qstate);
key_cache_insert(ve->kcache, vq->key_entry,
qstate->env->cfg->val_log_level >= 2);
/* If good, we stay in the FINDKEY state. */
log_query_info(VERB_DETAIL, "validated DNSKEY", qinfo);
@ -2890,7 +2916,8 @@ process_prime_response(struct module_qstate* qstate, struct val_qstate* vq,
errinf_origin(qstate, origin);
errinf_dname(qstate, "for trust anchor", ta->name);
/* store the freshly primed entry in the cache */
key_cache_insert(ve->kcache, vq->key_entry, qstate);
key_cache_insert(ve->kcache, vq->key_entry,
qstate->env->cfg->val_log_level >= 2);
}
/* If the result of the prime is a null key, skip the FINDKEY state.*/