void
drill_pkt_print_footer(FILE *fd, ldns_resolver *r, ldns_pkt *p)
{
ldns_rr_list *hostnames;
if (verbosity < 5) {
return;
}
hostnames = ldns_get_rr_list_name_by_addr(r, ldns_pkt_answerfrom(p), 0, 0);
fprintf(fd, ";; Received %d bytes from %s#%d(",
(int) ldns_pkt_size(p),
ldns_rdf2str(ldns_pkt_answerfrom(p)),
(int) ldns_resolver_port(r));
/* if we can resolve this print it, other print the ip again */
if (hostnames) {
ldns_rdf_print(fd,
ldns_rr_rdf(ldns_rr_list_rr(hostnames, 0), 0));
ldns_rr_list_deep_free(hostnames);
} else {
fprintf(fd, "%s", ldns_rdf2str(ldns_pkt_answerfrom(p)));
}
fprintf(fd, ") in %u ms\n\n", (unsigned int)ldns_pkt_querytime(p));
}
void
drill_pkt_print(FILE *fd, ldns_resolver *r, ldns_pkt *p)
{
ldns_rr_list *new_nss;
ldns_rr_list *hostnames;
if (verbosity < 5) {
return;
}
hostnames = ldns_get_rr_list_name_by_addr(r, ldns_pkt_answerfrom(p), 0, 0);
new_nss = ldns_pkt_rr_list_by_type(p,
LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
ldns_rr_list_print(fd, new_nss);
/* new_nss can be empty.... */
fprintf(fd, ";; Received %d bytes from %s#%d(",
(int) ldns_pkt_size(p),
ldns_rdf2str(ldns_pkt_answerfrom(p)),
(int) ldns_resolver_port(r));
/* if we can resolve this print it, other print the ip again */
if (hostnames) {
ldns_rdf_print(fd,
ldns_rr_rdf(ldns_rr_list_rr(hostnames, 0), 0));
ldns_rr_list_deep_free(hostnames);
} else {
fprintf(fd, "%s", ldns_rdf2str(ldns_pkt_answerfrom(p)));
}
fprintf(fd, ") in %u ms\n\n", (unsigned int)ldns_pkt_querytime(p));
}
ldns_pkt *
ldns_resolver_search(const ldns_resolver *r,const ldns_rdf *name, ldns_rr_type type,
ldns_rr_class c, uint16_t flags)
{
char *str_dname;
ldns_rdf *new_name;
ldns_rdf **search_list;
size_t i;
ldns_pkt *p;
str_dname = ldns_rdf2str(name);
if (ldns_dname_str_absolute(str_dname)) {
/* query as-is */
return ldns_resolver_query(r, name, type, c, flags);
} else {
search_list = ldns_resolver_searchlist(r);
for (i = 0; i < ldns_resolver_searchlist_count(r); i++) {
new_name = ldns_dname_cat_clone(name, search_list[i]);
p = ldns_resolver_query(r, new_name, type, c, flags);
ldns_rdf_free(new_name);
if (p) {
return p;
}
}
}
return NULL;
}
static DCPluginSyncFilterResult
apply_block_ips(DCPluginDNSPacket *dcp_packet, Blocking * const blocking,
ldns_pkt * const packet)
{
StrList *scanned;
ldns_rr_list *answers;
ldns_rr *answer;
char *answer_str;
ldns_rr_type type;
size_t answers_count;
size_t i;
answers = ldns_pkt_answer(packet);
answers_count = ldns_rr_list_rr_count(answers);
for (i = (size_t) 0U; i < answers_count; i++) {
answer = ldns_rr_list_rr(answers, i);
type = ldns_rr_get_type(answer);
if (type != LDNS_RR_TYPE_A && type != LDNS_RR_TYPE_AAAA) {
continue;
}
if ((answer_str = ldns_rdf2str(ldns_rr_a_address(answer))) == NULL) {
return DCP_SYNC_FILTER_RESULT_FATAL;
}
scanned = blocking->ips;
do {
if (strcasecmp(scanned->str, answer_str) == 0) {
LDNS_RCODE_SET(dcplugin_get_wire_data(dcp_packet),
LDNS_RCODE_REFUSED);
break;
}
} while ((scanned = scanned->next) != NULL);
free(answer_str);
}
return DCP_SYNC_FILTER_RESULT_OK;
}
static DCPluginSyncFilterResult
apply_block_domains(DCPluginDNSPacket *dcp_packet, Blocking * const blocking,
ldns_pkt * const packet)
{
StrList *scanned;
ldns_rr *question;
char *owner_str;
size_t owner_str_len;
scanned = blocking->domains;
question = ldns_rr_list_rr(ldns_pkt_question(packet), 0U);
if ((owner_str = ldns_rdf2str(ldns_rr_owner(question))) == NULL) {
return DCP_SYNC_FILTER_RESULT_FATAL;
}
owner_str_len = strlen(owner_str);
if (owner_str_len > (size_t) 1U && owner_str[--owner_str_len] == '.') {
owner_str[owner_str_len] = 0;
}
do {
if (wildcard_match(owner_str, scanned->str)) {
LDNS_RCODE_SET(dcplugin_get_wire_data(dcp_packet),
LDNS_RCODE_REFUSED);
break;
}
} while ((scanned = scanned->next) != NULL);
free(owner_str);
return DCP_SYNC_FILTER_RESULT_OK;
}
/** dump message to rrset reference */
static int
dump_msg_ref(SSL* ssl, struct ub_packed_rrset_key* k)
{
ldns_rdf* rdf;
ldns_status status;
size_t pos;
char* nm, *tp, *cl;
pos = 0;
status = ldns_wire2dname(&rdf, k->rk.dname, k->rk.dname_len, &pos);
if(status != LDNS_STATUS_OK) {
return ssl_printf(ssl, "BADREF\n");
}
nm = ldns_rdf2str(rdf);
ldns_rdf_deep_free(rdf);
tp = ldns_rr_type2str(ntohs(k->rk.type));
cl = ldns_rr_class2str(ntohs(k->rk.rrset_class));
if(!nm || !cl || !tp) {
free(nm);
free(tp);
free(cl);
return ssl_printf(ssl, "BADREF\n");
}
if(!ssl_printf(ssl, "%s %s %s %d\n", nm, cl, tp, (int)k->rk.flags)) {
free(nm);
free(tp);
free(cl);
return 0;
}
free(nm);
free(tp);
free(cl);
return 1;
}
ldns_pkt *mp_ldns_resolver_query(const ldns_resolver *r, const ldns_rdf *name, ldns_rr_type t, ldns_rr_class c, uint16_t flags) {
if (mp_verbose >= 3) {
printf("--[ Query ]-------------------------------------------------\n");
printf("Name: %s\n", ldns_rdf2str(name));
printf("Type: %s\n", ldns_rr_type2str(t));
printf("Class: %s\n", ldns_rr_class2str(c));
printf("------------------------------------------------------------\n");
}
return ldns_resolver_query(r, name, t, c, flags);
}
getdns_return_t
getdns_convert_dns_name_to_fqdn(
const struct getdns_bindata *dns_name_wire_fmt, char **fqdn_as_string)
{
ldns_rdf *rdf = ldns_rdf_new(LDNS_RDF_TYPE_DNAME,
dns_name_wire_fmt->size,
(void *)dns_name_wire_fmt->data); /* unconst is safe here */
if (!rdf) return GETDNS_RETURN_MEMORY_ERROR;
*fqdn_as_string = ldns_rdf2str(rdf);
ldns_rdf_free(rdf);
return *fqdn_as_string ? GETDNS_RETURN_GOOD
: GETDNS_RETURN_GENERIC_ERROR;
}
/**
* Lookup zone by dname.
*
*/
zone_type*
zonelist_lookup_zone_by_dname(zonelist_type* zonelist, ldns_rdf* dname,
ldns_rr_class klass)
{
char* name = NULL;
zone_type* result = NULL;
if (zonelist && zonelist->zones && dname && klass) {
name = ldns_rdf2str(dname);
result = zonelist_lookup_zone_by_name(zonelist, name, klass);
free((void*)name);
}
return result;
}
static ldns_status
ldns_tsig_mac_new(ldns_rdf **tsig_mac, uint8_t *pkt_wire, size_t pkt_wire_size,
const char *key_data, ldns_rdf *key_name_rdf, ldns_rdf *fudge_rdf,
ldns_rdf *algorithm_rdf, ldns_rdf *time_signed_rdf, ldns_rdf *error_rdf,
ldns_rdf *other_data_rdf, ldns_rdf *orig_mac_rdf, int tsig_timers_only)
{
ldns_status status;
char *wireformat;
int wiresize;
unsigned char *mac_bytes = NULL;
unsigned char *key_bytes = NULL;
int key_size;
const EVP_MD *digester;
char *algorithm_name = NULL;
unsigned int md_len = EVP_MAX_MD_SIZE;
ldns_rdf *result = NULL;
ldns_buffer *data_buffer = NULL;
ldns_rdf *canonical_key_name_rdf = NULL;
ldns_rdf *canonical_algorithm_rdf = NULL;
if (key_name_rdf == NULL || algorithm_rdf == NULL) {
return LDNS_STATUS_NULL;
}
canonical_key_name_rdf = ldns_rdf_clone(key_name_rdf);
if (canonical_key_name_rdf == NULL) {
return LDNS_STATUS_MEM_ERR;
}
canonical_algorithm_rdf = ldns_rdf_clone(algorithm_rdf);
if (canonical_algorithm_rdf == NULL) {
ldns_rdf_deep_free(canonical_key_name_rdf);
return LDNS_STATUS_MEM_ERR;
}
/*
* prepare the digestable information
*/
data_buffer = ldns_buffer_new(LDNS_MAX_PACKETLEN);
if (!data_buffer) {
status = LDNS_STATUS_MEM_ERR;
goto clean;
}
/* if orig_mac is not NULL, add it too */
if (orig_mac_rdf) {
(void) ldns_rdf2buffer_wire(data_buffer, orig_mac_rdf);
}
ldns_buffer_write(data_buffer, pkt_wire, pkt_wire_size);
if (!tsig_timers_only) {
ldns_dname2canonical(canonical_key_name_rdf);
(void)ldns_rdf2buffer_wire(data_buffer,
canonical_key_name_rdf);
ldns_buffer_write_u16(data_buffer, LDNS_RR_CLASS_ANY);
ldns_buffer_write_u32(data_buffer, 0);
ldns_dname2canonical(canonical_algorithm_rdf);
(void)ldns_rdf2buffer_wire(data_buffer,
canonical_algorithm_rdf);
}
(void)ldns_rdf2buffer_wire(data_buffer, time_signed_rdf);
(void)ldns_rdf2buffer_wire(data_buffer, fudge_rdf);
if (!tsig_timers_only) {
(void)ldns_rdf2buffer_wire(data_buffer, error_rdf);
(void)ldns_rdf2buffer_wire(data_buffer, other_data_rdf);
}
wireformat = (char *) data_buffer->_data;
wiresize = (int) ldns_buffer_position(data_buffer);
algorithm_name = ldns_rdf2str(algorithm_rdf);
if(!algorithm_name) {
status = LDNS_STATUS_MEM_ERR;
goto clean;
}
/* prepare the key */
key_bytes = LDNS_XMALLOC(unsigned char,
ldns_b64_pton_calculate_size(strlen(key_data)));
if(!key_bytes) {
status = LDNS_STATUS_MEM_ERR;
goto clean;
}
key_size = ldns_b64_pton(key_data, key_bytes,
ldns_b64_pton_calculate_size(strlen(key_data)));
if (key_size < 0) {
status = LDNS_STATUS_INVALID_B64;
goto clean;
}
/* hmac it */
/* 2 spare bytes for the length */
mac_bytes = LDNS_XMALLOC(unsigned char, md_len+2);
if(!mac_bytes) {
status = LDNS_STATUS_MEM_ERR;
goto clean;
}
memset(mac_bytes, 0, md_len+2);
digester = ldns_digest_function(algorithm_name);
if (digester) {
(void) HMAC(digester, key_bytes, key_size, (void *)wireformat,
(size_t) wiresize, mac_bytes + 2, &md_len);
ldns_write_uint16(mac_bytes, md_len);
result = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT16_DATA, md_len + 2,
mac_bytes);
} else {
status = LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
goto clean;
}
*tsig_mac = result;
status = LDNS_STATUS_OK;
clean:
LDNS_FREE(mac_bytes);
LDNS_FREE(key_bytes);
LDNS_FREE(algorithm_name);
ldns_buffer_free(data_buffer);
ldns_rdf_deep_free(canonical_algorithm_rdf);
ldns_rdf_deep_free(canonical_key_name_rdf);
return status;
}
int
main(int argc, char *argv[])
{
ldns_resolver *res;
ldns_rdf *ns;
ldns_rdf *domain;
ldns_rr_list *l = NULL;
ldns_rr_list *dns_root = NULL;
const char *root_file = "/etc/named.root";
ldns_status status;
int i;
char *domain_str;
char *outputfile_str;
ldns_buffer *outputfile_buffer;
FILE *outputfile;
ldns_rr *k;
bool insecure = false;
ldns_pkt *pkt;
domain = NULL;
res = NULL;
if (argc < 2) {
usage(stdout, argv[0]);
exit(EXIT_FAILURE);
} else {
for (i = 1; i < argc; i++) {
if (strncmp("-4", argv[i], 3) == 0) {
if (address_family != 0) {
fprintf(stderr, "Options -4 and -6 cannot be specified at the same time\n");
exit(EXIT_FAILURE);
}
address_family = 1;
} else if (strncmp("-6", argv[i], 3) == 0) {
if (address_family != 0) {
fprintf(stderr, "Options -4 and -6 cannot be specified at the same time\n");
exit(EXIT_FAILURE);
}
address_family = 2;
} else if (strncmp("-h", argv[i], 3) == 0) {
usage(stdout, argv[0]);
exit(EXIT_SUCCESS);
} else if (strncmp("-i", argv[i], 2) == 0) {
insecure = true;
} else if (strncmp("-r", argv[i], 2) == 0) {
if (strlen(argv[i]) > 2) {
root_file = argv[i]+2;
} else if (i+1 >= argc) {
usage(stdout, argv[0]);
exit(EXIT_FAILURE);
} else {
root_file = argv[i+1];
i++;
}
} else if (strncmp("-s", argv[i], 3) == 0) {
store_in_file = true;
} else if (strncmp("-v", argv[i], 2) == 0) {
if (strlen(argv[i]) > 2) {
verbosity = atoi(argv[i]+2);
} else if (i+1 > argc) {
usage(stdout, argv[0]);
exit(EXIT_FAILURE);
} else {
verbosity = atoi(argv[i+1]);
i++;
}
} else {
/* create a rdf from the command line arg */
if (domain) {
fprintf(stdout, "You can only specify one domain at a time\n");
exit(EXIT_FAILURE);
}
domain = ldns_dname_new_frm_str(argv[i]);
}
}
if (!domain) {
usage(stdout, argv[0]);
exit(EXIT_FAILURE);
}
}
dns_root = read_root_hints(root_file);
if (!dns_root) {
fprintf(stderr, "cannot read the root hints file\n");
exit(EXIT_FAILURE);
}
/* create a new resolver from /etc/resolv.conf */
status = ldns_resolver_new_frm_file(&res, NULL);
if (status != LDNS_STATUS_OK) {
fprintf(stderr, "Warning: Unable to create stub resolver from /etc/resolv.conf:\n");
fprintf(stderr, "%s\n", ldns_get_errorstr_by_id(status));
fprintf(stderr, "defaulting to nameserver at 127.0.0.1 for separate nameserver name lookups\n");
res = ldns_resolver_new();
ns = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_A, "127.0.0.1");
status = ldns_resolver_push_nameserver(res, ns);
if (status != LDNS_STATUS_OK) {
fprintf(stderr, "Unable to create stub resolver: %s\n", ldns_get_errorstr_by_id(status));
exit(EXIT_FAILURE);
}
ldns_rdf_deep_free(ns);
}
ldns_resolver_set_ip6(res, address_family);
if (insecure) {
pkt = ldns_resolver_query(res, domain, LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, LDNS_RD);
if (pkt) {
l = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_DNSKEY, LDNS_SECTION_ANY_NOQUESTION);
}
} else {
l = retrieve_dnskeys(res, domain, LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, dns_root);
}
/* separator for result data and verbosity data */
if (verbosity > 0) {
fprintf(stdout, "; ---------------------------\n");
fprintf(stdout, "; Got the following keys:\n");
}
if (l) {
if (store_in_file) {
/* create filename:
* K<domain>.+<alg>.+<id>.key
*/
for (i = 0; (size_t) i < ldns_rr_list_rr_count(l); i++) {
k = ldns_rr_list_rr(l, (size_t) i);
outputfile_buffer = ldns_buffer_new(300);
domain_str = ldns_rdf2str(ldns_rr_owner(k));
ldns_buffer_printf(outputfile_buffer, "K%s+%03u+%05u.key", domain_str, ldns_rdf2native_int8(ldns_rr_rdf(k, 2)),
(unsigned int) ldns_calc_keytag(k));
outputfile_str = ldns_buffer_export(outputfile_buffer);
if (verbosity >= 1) {
fprintf(stdout, "Writing key to file %s\n", outputfile_str);
}
outputfile = fopen(outputfile_str, "w");
if (!outputfile) {
fprintf(stderr, "Error writing key to file %s: %s\n", outputfile_str, strerror(errno));
} else {
ldns_rr_print(outputfile, k);
fclose(outputfile);
}
LDNS_FREE(domain_str);
LDNS_FREE(outputfile_str);
LDNS_FREE(outputfile_buffer);
}
} else {
ldns_rr_list_print(stdout, l);
}
} else {
fprintf(stderr, "no answer packet received, stub resolver config:\n");
ldns_resolver_print(stderr, res);
}
printf("\n");
ldns_rdf_deep_free(domain);
ldns_resolver_deep_free(res);
ldns_rr_list_deep_free(l);
ldns_rr_list_deep_free(dns_root);
return EXIT_SUCCESS;
}
/**
* Process RR.
*
*/
static ods_status
adapi_process_rr(zone_type* zone, ldns_rr* rr, int add, int backup)
{
ods_status status = ODS_STATUS_OK;
uint32_t tmp = 0;
ods_log_assert(rr);
ods_log_assert(zone);
ods_log_assert(zone->name);
ods_log_assert(zone->db);
ods_log_assert(zone->signconf);
/* We only support IN class */
if (ldns_rr_get_class(rr) != LDNS_RR_CLASS_IN) {
ods_log_warning("[%s] only class in is supported, changing class "
"to in", adapi_str);
ldns_rr_set_class(rr, LDNS_RR_CLASS_IN);
}
/* RR processing */
if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_SOA) {
if (ldns_dname_compare(ldns_rr_owner(rr), zone->apex)) {
ods_log_error("[%s] unable to %s rr to zone: soa record has "
"invalid owner name", adapi_str, add?"add":"delete");
return ODS_STATUS_ERR;
}
status = adapi_process_soa(zone, rr, add, backup);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to %s rr: failed to process soa "
"record", adapi_str, add?"add":"delete");
return status;
}
} else {
if (ldns_dname_compare(ldns_rr_owner(rr), zone->apex) &&
!ldns_dname_is_subdomain(ldns_rr_owner(rr), zone->apex)) {
ods_log_warning("[%s] zone %s contains out-of-zone data, "
"skipping", adapi_str, zone->name);
return ODS_STATUS_UNCHANGED;
} else if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_DNSKEY) {
adapi_process_dnskey(zone, rr);
} else if (util_is_dnssec_rr(rr) && !backup) {
ods_log_warning("[%s] zone %s contains dnssec data (type=%u), "
"skipping", adapi_str, zone->name,
(unsigned) ldns_rr_get_type(rr));
return ODS_STATUS_UNCHANGED;
} else if (zone->signconf->max_zone_ttl) {
/* Convert MaxZoneTTL */
tmp = (uint32_t) duration2time(zone->signconf->max_zone_ttl);
}
}
/* //MaxZoneTTL. Only set for RRtype != SOA && RRtype != DNSKEY */
if (tmp && tmp < ldns_rr_ttl(rr)) {
char* str = ldns_rdf2str(ldns_rr_owner(rr));
if (str) {
size_t i = 0;
str[(strlen(str))-1] = '\0';
/* replace tabs with white space */
for (i=0; i < strlen(str); i++) {
if (str[i] == '\t') {
str[i] = ' ';
}
}
ods_log_debug("[%s] capping ttl %u to MaxZoneTTL %u for rrset "
"<%s,%s>", adapi_str, ldns_rr_ttl(rr), tmp, str,
rrset_type2str(ldns_rr_get_type(rr)));
}
ldns_rr_set_ttl(rr, tmp);
}
/* TODO: DNAME and CNAME checks */
/* TODO: NS and DS checks */
if (add) {
return zone_add_rr(zone, rr, 1);
} else {
return zone_del_rr(zone, rr, 1);
}
/* not reached */
return ODS_STATUS_ERR;
}
/** dump message entry */
static int
dump_msg(SSL* ssl, struct query_info* k, struct reply_info* d,
uint32_t now)
{
size_t i;
char* nm, *tp, *cl;
ldns_rdf* rdf;
ldns_status status;
size_t pos;
if(!k || !d) return 1;
if(d->ttl < now) return 1; /* expired */
pos = 0;
status = ldns_wire2dname(&rdf, k->qname, k->qname_len, &pos);
if(status != LDNS_STATUS_OK) {
return 1; /* skip this entry */
}
nm = ldns_rdf2str(rdf);
ldns_rdf_deep_free(rdf);
tp = ldns_rr_type2str(k->qtype);
cl = ldns_rr_class2str(k->qclass);
if(!nm || !tp || !cl) {
free(nm);
free(tp);
free(cl);
return 1; /* skip this entry */
}
if(!rrset_array_lock(d->ref, d->rrset_count, now)) {
/* rrsets have timed out or do not exist */
free(nm);
free(tp);
free(cl);
return 1; /* skip this entry */
}
/* meta line */
if(!ssl_printf(ssl, "msg %s %s %s %d %d %u %d %u %u %u\n",
nm, cl, tp,
(int)d->flags, (int)d->qdcount,
(unsigned)(d->ttl-now), (int)d->security,
(unsigned)d->an_numrrsets,
(unsigned)d->ns_numrrsets,
(unsigned)d->ar_numrrsets)) {
free(nm);
free(tp);
free(cl);
rrset_array_unlock(d->ref, d->rrset_count);
return 0;
}
free(nm);
free(tp);
free(cl);
for(i=0; i<d->rrset_count; i++) {
if(!dump_msg_ref(ssl, d->rrsets[i])) {
rrset_array_unlock(d->ref, d->rrset_count);
return 0;
}
}
rrset_array_unlock(d->ref, d->rrset_count);
return 1;
}
void massdns_handle_packet(ldns_pkt *packet, struct sockaddr_storage ns, void *ctx)
{
if (!packet || ldns_pkt_qdcount(packet) != 1)
{
return;
}
struct timeval now;
gettimeofday(&now, NULL);
lookup_context_t *context = (lookup_context_t *) ctx;
ldns_pkt_rcode response_code = ldns_pkt_get_rcode(packet);
ldns_rr_list l = ldns_pkt_question(packet)[0];
ldns_rr *question = ldns_rr_list_rr(&l, 0);
ldns_rdf* owner = ldns_rr_owner(question);
char* name = ldns_rdf2str(owner);
size_t name_len = strlen(name);
if(name_len > 0 && name[name_len - 1] == '.')
{
name[name_len - 1] = 0;
}
lookup_t *lookup = hashmapGet(context->map, name);
free(name);
if (lookup == NULL)
{
return;
}
if (response_code == LDNS_RCODE_NOERROR || response_code == LDNS_RCODE_NXDOMAIN ||
lookup->tries == context->cmd_args.resolve_count)
{
switch (response_code)
{
case LDNS_RCODE_NOERROR:
stats.noerr++;
break;
case LDNS_RCODE_FORMERR:
stats.formerr++;
break;
case LDNS_RCODE_SERVFAIL:
stats.servfail++;
break;
case LDNS_RCODE_NXDOMAIN:
stats.nxdomain++;
break;
case LDNS_RCODE_NOTIMPL:
stats.notimp++;
break;
case LDNS_RCODE_REFUSED:
stats.refused++;
break;
default:
stats.other++;
break;
}
context->current_rate++;
ldns_buffer *buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
if(buf == NULL)
{
abort();
}
if(LDNS_STATUS_OK != output_packet(buf, packet, ns, context))
{
abort();
}
char* packetstr = ldns_buffer_export2str(buf);
if(packetstr == NULL)
{
abort();
}
fprintf(stdout, "%s", packetstr);
free(packetstr);
if (timediff(&now, &context->next_update) <= 0)
{
print_stats(context);
}
ldns_buffer_free(buf);
hashmapRemove(context->map, lookup->domain);
free(lookup->domain);
free(lookup);
}
}
int main(int argc, char **argv) {
/* Local Vars */
int i;
int soa_valid = 0;
int ns_valid = 0;
ldns_rdf *rd_domain;
ldns_rdf *rd_trace;
ldns_rdf *rd_cdomain;
ldns_pkt *pkt;
ldns_resolver *res;
ldns_rr *rr;
ldns_rr_list *rrl;
ldns_rr_list *rrl_domain_soa;
ldns_rr_list *rrl_domain_soa_rrsig;
ldns_rr_list *rrl_domain_ns;
ldns_rr_list *rrl_domain_ns_rrsig;
ldns_rr_list *rrl_valid_keys;
ldns_status status;
/* Set signal handling and alarm */
if (signal(SIGALRM, timeout_alarm_handler) == SIG_ERR)
critical("Setup SIGALRM trap failed!");
/* Process check arguments */
if (process_arguments(argc, argv) != OK)
unknown("Parsing arguments failed!");
/* Start plugin timeout */
alarm(mp_timeout);
rd_domain = ldns_dname_new_frm_str(domainname);
if (!rd_domain)
unknown("Illegal domain name");
rd_trace = ldns_dname_new_frm_str(domaintrace);
if (!rd_trace)
unknown("Illegal trace domain name");
/* Check domain is subdomain from trace start */
if (!ldns_dname_is_subdomain(rd_domain, rd_trace)) {
ldns_rr_list_deep_free(trusted_keys);
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
unknown("'%s' is not a subdomain of '%s'.", domainname,
domaintrace);
}
/* Add trusted keys for trace domain to rrl_valid_keys. */
rrl_valid_keys = ldns_rr_list_new();
for(i = 0; i < ldns_rr_list_rr_count(trusted_keys); i++) {
rr = ldns_rr_list_rr(trusted_keys, i);
if (ldns_dname_compare(ldns_rr_owner(rr),rd_trace) == 0)
ldns_rr_list_push_rr(rrl_valid_keys, ldns_rr_clone(rr));
}
ldns_rr_list_deep_free(trusted_keys);
if (ldns_rr_list_rr_count(rrl_valid_keys) == 0) {
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
ldns_rr_list_deep_free(rrl_valid_keys);
critical("No trusted key for trace start '%s'", domaintrace?domaintrace:".");
}
if (mp_verbose >= 2) {
printf("--[ Trusted keys used ]-------------------------------------\n");
ldns_rr_list_sort(rrl_valid_keys);
ldns_rr_list_print(stdout, rrl_valid_keys);
printf("------------------------------------------------------------\n");
}
/* create a new resolver with dns_server or server from /etc/resolv.conf */
res = createResolver(hostname);
if (!res) {
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
ldns_rr_list_deep_free(rrl_valid_keys);
unknown("Creating resolver failed.");
}
resolverEnableDnssec(res);
ldns_resolver_set_dnssec_anchors(res, rrl_valid_keys);
/* check domain exists */
pkt = mp_ldns_resolver_query(res, rd_domain, LDNS_RR_TYPE_SOA,
LDNS_RR_CLASS_IN, LDNS_RD);
if (pkt == NULL || ldns_pkt_get_rcode(pkt) != LDNS_RCODE_NOERROR) {
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
ldns_resolver_deep_free(res);
if (pkt && ldns_pkt_get_rcode(pkt) == LDNS_RCODE_NXDOMAIN) {
ldns_pkt_free(pkt);
critical("Domain '%s' don't exist.", domainname);
}
ldns_pkt_free(pkt);
critical("Unable to get SOA for %s.", domainname);
}
rrl_domain_soa = ldns_pkt_rr_list_by_name_and_type(pkt, rd_domain,
LDNS_RR_TYPE_SOA,
LDNS_SECTION_ANSWER);
if (rrl_domain_soa == NULL || ldns_rr_list_rr_count(rrl_domain_soa) == 0) {
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
ldns_resolver_deep_free(res);
ldns_pkt_free(pkt);
critical("Domain '%s' not found.", domainname);
}
rrl_domain_soa_rrsig = ldns_dnssec_pkt_get_rrsigs_for_name_and_type(pkt,
rd_domain, LDNS_RR_TYPE_SOA);
if (rrl_domain_soa_rrsig == NULL ||
ldns_rr_list_rr_count(rrl_domain_soa_rrsig) == 0) {
free(domaintrace);
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
ldns_resolver_deep_free(res);
ldns_pkt_free(pkt);
ldns_rr_list_deep_free(rrl_domain_soa);
critical("Domain '%s' not signed.", domainname);
}
ldns_pkt_free(pkt);
pkt = ldns_resolver_query(res, rd_domain, LDNS_RR_TYPE_NS,
LDNS_RR_CLASS_IN, LDNS_RD);
rrl_domain_ns = ldns_pkt_rr_list_by_name_and_type(pkt, rd_domain,
LDNS_RR_TYPE_NS,
LDNS_SECTION_ANSWER);
rrl_domain_ns_rrsig = ldns_dnssec_pkt_get_rrsigs_for_name_and_type(pkt,
rd_domain,
LDNS_RR_TYPE_NS);
ldns_pkt_free(pkt);
if (mp_verbose >= 2) {
printf("--[ Checked Domain ]----------------------------------------\n");
ldns_rr_list_print(stdout, rrl_domain_soa);
printf("------------------------------------------------------------\n");
ldns_rr_list_print(stdout, rrl_domain_soa_rrsig);
printf("------------------------------------------------------------\n");
ldns_rr_list_print(stdout, rrl_domain_ns);
printf("------------------------------------------------------------\n");
ldns_rr_list_print(stdout, rrl_domain_ns_rrsig);
printf("------------------------------------------------------------\n");
}
/* create a new resolver with dns_server or server from /etc/resolv.conf */
ldns_resolver_free(res);
res = createResolver(resolver);
if (!res) {
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
ldns_rr_list_deep_free(rrl_valid_keys);
unknown("Creating resolver failed.");
}
resolverEnableDnssec(res);
ldns_resolver_set_dnssec_anchors(res, rrl_valid_keys);
/* Fetch valid keys from top down */
i = ldns_dname_label_count(rd_domain) - ldns_dname_label_count(rd_trace);
for (; i>=0; i--) {
rd_cdomain = ldns_dname_clone_from(rd_domain, i);
if (mp_verbose) {
char *str = ldns_rdf2str(rd_cdomain);
printf("Trace: %s\n", str);
free(str);
}
rrl = ldns_fetch_valid_domain_keys(res, rd_cdomain, rrl_valid_keys, &status);
if (mp_verbose >= 2) {
printf("--[ Valid Keys ]----------------------------------------\n");
ldns_rr_list_sort(rrl);
ldns_rr_list_print(stdout, rrl);
printf("------------------------------------------------------------\n");
}
ldns_rr_list_cat(rrl_valid_keys, rrl);
ldns_rr_list_free(rrl);
ldns_rdf_deep_free(rd_cdomain);
}
ldns_rdf_deep_free(rd_trace);
ldns_rdf_deep_free(rd_domain);
/* Validate SOA */
for(i = 0; i < ldns_rr_list_rr_count(rrl_domain_soa_rrsig); i++) {
rr = ldns_rr_list_rr(rrl_domain_soa_rrsig, i);
status = ldns_verify_rrsig_keylist(rrl_domain_soa, rr, rrl_valid_keys, NULL);
if (status == LDNS_STATUS_OK)
soa_valid++;
else if (mp_verbose > 0)
fprintf(stderr, "ldns_verify_rrsig_keylist SOA failed: %s\n",
ldns_get_errorstr_by_id(status));
}
ldns_rr_list_deep_free(rrl_domain_soa);
ldns_rr_list_deep_free(rrl_domain_soa_rrsig);
if (soa_valid == 0) {
critical("No valid Signatur for SOA of '%s'", domainname);
free(domainname);
free(domaintrace);
ldns_resolver_deep_free(res);
ldns_rr_list_deep_free(rrl_domain_ns);
ldns_rr_list_deep_free(rrl_domain_ns_rrsig);
return checkState;
}
/* Validate NS */
for(i = 0; i < ldns_rr_list_rr_count(rrl_domain_ns_rrsig); i++) {
rr = ldns_rr_list_rr(rrl_domain_ns_rrsig, i);
status = ldns_verify_rrsig_keylist(rrl_domain_ns, rr, rrl_valid_keys, NULL);
if (status == LDNS_STATUS_OK)
ns_valid++;
else if (mp_verbose > 0)
fprintf(stderr, "ldns_verify_rrsig_keylist NS failed: %s\n",
ldns_get_errorstr_by_id(status));
}
ldns_rr_list_deep_free(rrl_domain_ns);
ldns_rr_list_deep_free(rrl_domain_ns_rrsig);
ldns_resolver_deep_free(res);
if (ns_valid == 0) {
critical("No valid Signatur for NS of '%s'", domainname);
free(domainname);
free(domaintrace);
return checkState;
}
ok("Trust for '%s' successfull traces from '%s'", domainname,
domaintrace);
free(domainname);
free(domaintrace);
return checkState;
}
