/**
* Compare tasks.
*
*/
int
task_compare(const void* a, const void* b)
{
task_type* x = (task_type*)a;
task_type* y = (task_type*)b;
zone_type* zx = NULL;
zone_type* zy = NULL;
ods_log_assert(x);
ods_log_assert(y);
zx = (zone_type*) x->zone;
zy = (zone_type*) y->zone;
if (!ldns_dname_compare((const void*) zx->apex,
(const void*) zy->apex)) {
/* if dname is the same, consider the same task */
return 0;
}
/* order task on time, what to do, dname */
if (x->when != y->when) {
return (int) x->when - y->when;
}
if (x->what != y->what) {
return (int) x->what - y->what;
}
/* this is unfair, it prioritizes zones that are first in canonical line */
return ldns_dname_compare((const void*) zx->apex,
(const void*) zy->apex);
}
static ldns_rbnode_t *
ldns_dnssec_zone_find_nsec3_original(ldns_dnssec_zone *zone,
ldns_rr *rr) {
ldns_rbnode_t *current_node = ldns_rbtree_first(zone->names);
ldns_dnssec_name *current_name;
ldns_rdf *hashed_name;
hashed_name = ldns_dname_label(ldns_rr_owner(rr), 0);
while (current_node != LDNS_RBTREE_NULL) {
current_name = (ldns_dnssec_name *) current_node->data;
if (!current_name->hashed_name) {
current_name->hashed_name =
ldns_nsec3_hash_name_frm_nsec3(rr, current_name->name);
}
if (ldns_dname_compare(hashed_name,
current_name->hashed_name)
== 0) {
ldns_rdf_deep_free(hashed_name);
return current_node;
}
current_node = ldns_rbtree_next(current_node);
}
ldns_rdf_deep_free(hashed_name);
return NULL;
}
static int udp_bind(int sock, int port, const char *my_address)
{
struct sockaddr_in addr;
in_addr_t maddr = INADDR_ANY;
if (my_address) {
#ifdef AF_INET6
if (inet_pton(AF_INET6, my_address, &maddr) < 1) {
#else
if (0) {
#endif
if (inet_pton(AF_INET, my_address, &maddr) < 1) {
return -2;
}
}
}
#ifndef S_SPLINT_S
addr.sin_family = AF_INET;
#endif
addr.sin_port = (in_port_t) htons((uint16_t)port);
addr.sin_addr.s_addr = maddr;
return bind(sock, (struct sockaddr *)&addr, (socklen_t) sizeof(addr));
}
/* this will probably be moved to a better place in the library itself */
ldns_rr_list *
get_rrset(const ldns_zone *zone, const ldns_rdf *owner_name, const ldns_rr_type qtype, const ldns_rr_class qclass)
{
uint16_t i;
ldns_rr_list *rrlist = ldns_rr_list_new();
ldns_rr *cur_rr;
if (!zone || !owner_name) {
fprintf(stderr, "Warning: get_rrset called with NULL zone or owner name\n");
return rrlist;
}
for (i = 0; i < ldns_zone_rr_count(zone); i++) {
cur_rr = ldns_rr_list_rr(ldns_zone_rrs(zone), i);
if (ldns_dname_compare(ldns_rr_owner(cur_rr), owner_name) == 0 &&
ldns_rr_get_class(cur_rr) == qclass &&
ldns_rr_get_type(cur_rr) == qtype
) {
ldns_rr_list_push_rr(rrlist, ldns_rr_clone(cur_rr));
}
}
printf("Found rrset of %u rrs\n", (unsigned int) ldns_rr_list_rr_count(rrlist));
return rrlist;
}
/* this is a linear speed test (slow for large numbers).
but the dig response will be small anyway. */
int check_done(ldns_rdf *qname)
{
struct donelist* p = done;
while(p) {
if(ldns_dname_compare(qname, p->name)==0)
return 1;
p = p->next;
}
/* not done yet add to list */
p = (struct donelist*)malloc(sizeof(struct donelist));
p->name = qname;
p->next = done;
done = p;
return 0;
}
/**
* Compare two zones.
*
*/
static int
zone_compare(const void* a, const void* b)
{
zone_type* x = (zone_type*)a;
zone_type* y = (zone_type*)b;
ods_log_assert(x);
ods_log_assert(y);
if (x->klass != y->klass) {
if (x->klass < y->klass) {
return -1;
}
return 1;
}
return ldns_dname_compare(x->apex, y->apex);
}
int
ldns_dnssec_name_cmp(const void *a, const void *b)
{
ldns_dnssec_name *na = (ldns_dnssec_name *) a;
ldns_dnssec_name *nb = (ldns_dnssec_name *) b;
if (na && nb) {
return ldns_dname_compare(ldns_dnssec_name_name(na),
ldns_dnssec_name_name(nb));
} else if (na) {
return 1;
} else if (nb) {
return -1;
} else {
return 0;
}
}
/**
* ACL matches TSIG.
*
*/
static int
acl_tsig_matches(acl_type* acl, tsig_rr_type* tsig)
{
if (!acl || !tsig) {
ods_log_debug("[%s] no match: no acl or tsig", acl_str);
return 0; /* missing required elements */
}
if (!acl->tsig) {
if (tsig->status == TSIG_NOT_PRESENT) {
return 1;
}
ods_log_debug("[%s] no match: tsig present but no config", acl_str);
return 0; /* TSIG present but no config */
}
if (tsig->status != TSIG_OK) {
ods_log_debug("[%s] no match: tsig %s", acl_str,
tsig_status2str(tsig->status));
return 0; /* query has no TSIG */
}
if (tsig->error_code != LDNS_RCODE_NOERROR) {
ods_log_debug("[%s] no match: tsig error %d", acl_str,
tsig->error_code);
return 0; /* query has bork TSIG */
}
if (!tsig->key_name || !tsig->algo) {
ods_log_debug("[%s] no match: missing key/algo", acl_str);
return 0;
}
if (!acl->tsig->key) {
ods_log_debug("[%s] no match: no config", acl_str);
return 0; /* missing TSIG config */
}
if (ldns_dname_compare(tsig->key_name, acl->tsig->key->dname) != 0) {
ods_log_debug("[%s] no match: key names not the same", acl_str);
return 0; /* wrong key name */
}
if (ods_strlowercmp(tsig->algo->txt_name, acl->tsig->algorithm) != 0) {
ods_log_debug("[%s] no match: algorithms not the same", acl_str);
return 0; /* wrong algorithm name */
}
/* tsig matches */
return 1;
}
void
check_cover(ldns_rr_list *list, ldns_rdf *qname)
{
ldns_status status;
size_t i;
if(check_done(qname))
return;
for(i=0; i<ldns_rr_list_rr_count(list); ++i)
{
ldns_rr* nsec3 = ldns_rr_list_rr(list, i);
if(ldns_rr_get_type(nsec3) != LDNS_RR_TYPE_NSEC3) {
/* skip non nsec3 */
continue;
}
ldns_rdf* hashed = ldns_nsec3_hash_name_frm_nsec3(
nsec3, qname);
status = ldns_dname_cat(hashed, ldns_dname_left_chop(
ldns_rr_owner(nsec3)));
if(status != LDNS_STATUS_OK)
abort_ldns_error("ldns_dname_cat", status);
if(ldns_dname_compare(hashed, ldns_rr_owner(nsec3)) == 0) {
ldns_rdf_print(stdout, ldns_rr_owner(nsec3));
printf(" proves ");
ldns_rdf_print(stdout, qname);
printf(" exists.\n");
}
else if(ldns_nsec_covers_name(nsec3, hashed)) {
ldns_rdf_print(stdout, ldns_rr_owner(nsec3));
printf(" proves ");
ldns_rdf_print(stdout, qname);
printf(" does not exist.\n");
}
ldns_rdf_free(hashed);
}
}
int
main(int argc, char **argv)
{
char *fn1, *fn2;
FILE *fp1, *fp2;
ldns_zone *z1, *z2;
ldns_status s;
size_t i , j;
ldns_rr_list *rrl1, *rrl2;
int rr_cmp, rr_chg = 0;
ldns_rr *rr1 = NULL, *rr2 = NULL, *rrx = NULL;
int line_nr1 = 0, line_nr2 = 0;
size_t rrc1 , rrc2;
size_t num_ins = 0, num_del = 0, num_chg = 0;
int c;
bool opt_deleted = false, opt_inserted = false, opt_changed = false;
bool sort = true, inc_soa = false;
char op = 0;
while ((c = getopt(argc, argv, "ahvdicsz")) != -1) {
switch (c) {
case 'h':
usage(argc, argv);
exit(EXIT_SUCCESS);
break;
case 'v':
printf("%s version %s (ldns version %s)\n",
argv[0],
LDNS_VERSION,
ldns_version());
exit(EXIT_SUCCESS);
break;
case 's':
inc_soa = true;
break;
case 'z':
sort = false;
break;
case 'd':
opt_deleted = true;
break;
case 'i':
opt_inserted = true;
break;
case 'c':
opt_changed = true;
break;
case 'a':
opt_deleted = true;
opt_inserted = true;
opt_changed = true;
break;
}
}
argc -= optind;
argv += optind;
if (argc != 2) {
argc -= optind;
argv -= optind;
usage(argc, argv);
exit(EXIT_FAILURE);
}
fn1 = argv[0];
fp1 = fopen(fn1, "r");
if (!fp1) {
fprintf(stderr, "Unable to open %s: %s\n", fn1, strerror(errno));
exit(EXIT_FAILURE);
}
/* Read first zone */
s = ldns_zone_new_frm_fp_l(&z1, fp1, NULL, 0,
LDNS_RR_CLASS_IN, &line_nr1);
if (s != LDNS_STATUS_OK) {
fclose(fp1);
fprintf(stderr, "%s: %s at %d\n",
fn1,
ldns_get_errorstr_by_id(s),
line_nr1);
exit(EXIT_FAILURE);
}
fclose(fp1);
fn2 = argv[1];
fp2 = fopen(fn2, "r");
if (!fp2) {
fprintf(stderr, "Unable to open %s: %s\n", fn2, strerror(errno));
exit(EXIT_FAILURE);
}
/* Read second zone */
s = ldns_zone_new_frm_fp_l(&z2, fp2, NULL, 0,
LDNS_RR_CLASS_IN, &line_nr2);
if (s != LDNS_STATUS_OK) {
ldns_zone_deep_free(z1);
fclose(fp2);
fprintf(stderr, "%s: %s at %d\n",
fn2,
ldns_get_errorstr_by_id(s),
line_nr2);
exit(EXIT_FAILURE);
}
fclose(fp2);
rrl1 = ldns_zone_rrs(z1);
rrc1 = ldns_rr_list_rr_count(rrl1);
rrl2 = ldns_zone_rrs(z2);
rrc2 = ldns_rr_list_rr_count(rrl2);
if (sort) {
/* canonicalize zone 1 */
ldns_rr2canonical(ldns_zone_soa(z1));
for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(z1)); i++) {
ldns_rr2canonical(ldns_rr_list_rr(ldns_zone_rrs(z1), i));
}
/* sort zone 1 */
ldns_zone_sort(z1);
/* canonicalize zone 2 */
ldns_rr2canonical(ldns_zone_soa(z2));
for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(z2)); i++) {
ldns_rr2canonical(ldns_rr_list_rr(ldns_zone_rrs(z2), i));
}
/* sort zone 2 */
ldns_zone_sort(z2);
}
if(inc_soa) {
ldns_rr_list* wsoa = ldns_rr_list_new();
ldns_rr_list_push_rr(wsoa, ldns_zone_soa(z1));
ldns_rr_list_cat(wsoa, rrl1);
rrl1 = wsoa;
rrc1 = ldns_rr_list_rr_count(rrl1);
wsoa = ldns_rr_list_new();
ldns_rr_list_push_rr(wsoa, ldns_zone_soa(z2));
ldns_rr_list_cat(wsoa, rrl2);
rrl2 = wsoa;
rrc2 = ldns_rr_list_rr_count(rrl2);
if(sort) {
ldns_rr_list_sort(rrl1);
ldns_rr_list_sort(rrl2);
}
}
/*
* Walk through both zones. The previously seen resource record is
* kept (in the variable rrx) so that we can recognize when we are
* handling a new owner name. If the owner name changes, we have to
* set the operator again.
*/
for (i = 0, j = 0; i < rrc1 || j < rrc2;) {
rr_cmp = 0;
if (i < rrc1 && j < rrc2) {
rr1 = ldns_rr_list_rr(rrl1, i);
rr2 = ldns_rr_list_rr(rrl2, j);
rr_cmp = ldns_rr_compare(rr1, rr2);
/* Completely skip if the rrs are equal */
if (rr_cmp == 0) {
i++;
j++;
continue;
}
rr_chg = ldns_dname_compare(ldns_rr_owner(rr1),
ldns_rr_owner(rr2));
} else if (i >= rrc1) {
/* we have reached the end of zone 1, so the current record
* from zone 2 automatically sorts higher
*/
rr1 = NULL;
rr2 = ldns_rr_list_rr(rrl2, j);
rr_chg = rr_cmp = 1;
} else if (j >= rrc2) {
/* we have reached the end of zone 2, so the current record
* from zone 1 automatically sorts lower
*/
rr1 = ldns_rr_list_rr(rrl1, i);
rr2 = NULL;
rr_chg = rr_cmp = -1;
}
if (rr_cmp < 0) {
i++;
if ((rrx != NULL) && (ldns_dname_compare(ldns_rr_owner(rr1),
ldns_rr_owner(rrx)
) != 0)) {
/* The owner name is different, forget previous rr */
rrx = NULL;
}
if (rrx == NULL) {
if (rr_chg == 0) {
num_chg++;
op = OP_CHG;
} else {
num_del++;
op = OP_DEL;
}
rrx = rr1;
}
if (((op == OP_DEL) && opt_deleted) ||
((op == OP_CHG) && opt_changed)) {
printf("%c-", op);
ldns_rr_print(stdout, rr1);
}
} else if (rr_cmp > 0) {
j++;
if ((rrx != NULL) && (ldns_dname_compare(ldns_rr_owner(rr2),
ldns_rr_owner(rrx)
) != 0)) {
rrx = NULL;
}
if (rrx == NULL) {
if (rr_chg == 0) {
num_chg++;
op = OP_CHG;
} else {
num_ins++;
op = OP_INS;
}
/* remember this rr for it's name in the next iteration */
rrx = rr2;
}
if (((op == OP_INS) && opt_inserted) ||
((op == OP_CHG) && opt_changed)) {
printf("%c+", op);
ldns_rr_print(stdout, rr2);
}
}
}
printf("\t%c%u\t%c%u\t%c%u\n",
OP_INS,
(unsigned int) num_ins,
OP_DEL,
(unsigned int) num_del,
OP_CHG,
(unsigned int) num_chg);
/* Free resources */
if(inc_soa) {
ldns_rr_list_free(rrl1);
ldns_rr_list_free(rrl2);
}
ldns_zone_deep_free(z2);
ldns_zone_deep_free(z1);
return 0;
}
ldns_status
ldns_dnssec_zone_add_empty_nonterminals(ldns_dnssec_zone *zone)
{
ldns_dnssec_name *new_name;
ldns_rdf *cur_name;
ldns_rdf *next_name;
ldns_rbnode_t *cur_node, *next_node, *new_node;
/* for the detection */
uint16_t i, cur_label_count, next_label_count;
uint16_t soa_label_count = 0;
ldns_rdf *l1, *l2;
int lpos;
if (!zone) {
return LDNS_STATUS_ERR;
}
if (zone->soa && zone->soa->name) {
soa_label_count = ldns_dname_label_count(zone->soa->name);
}
cur_node = ldns_rbtree_first(zone->names);
while (cur_node != LDNS_RBTREE_NULL) {
next_node = ldns_rbtree_next(cur_node);
/* skip glue */
while (next_node != LDNS_RBTREE_NULL &&
next_node->data &&
((ldns_dnssec_name *)next_node->data)->is_glue
) {
next_node = ldns_rbtree_next(next_node);
}
if (next_node == LDNS_RBTREE_NULL) {
next_node = ldns_rbtree_first(zone->names);
}
if (! cur_node->data || ! next_node->data) {
return LDNS_STATUS_ERR;
}
cur_name = ((ldns_dnssec_name *)cur_node->data)->name;
next_name = ((ldns_dnssec_name *)next_node->data)->name;
cur_label_count = ldns_dname_label_count(cur_name);
next_label_count = ldns_dname_label_count(next_name);
/* Since the names are in canonical order, we can
* recognize empty non-terminals by their labels;
* every label after the first one on the next owner
* name is a non-terminal if it either does not exist
* in the current name or is different from the same
* label in the current name (counting from the end)
*/
for (i = 1; i < next_label_count - soa_label_count; i++) {
lpos = (int)cur_label_count - (int)next_label_count + (int)i;
if (lpos >= 0) {
l1 = ldns_dname_clone_from(cur_name, (uint8_t)lpos);
} else {
l1 = NULL;
}
l2 = ldns_dname_clone_from(next_name, i);
if (!l1 || ldns_dname_compare(l1, l2) != 0) {
/* We have an empty nonterminal, add it to the
* tree
*/
new_name = ldns_dnssec_name_new();
if (!new_name) {
return LDNS_STATUS_MEM_ERR;
}
new_name->name = ldns_dname_clone_from(next_name,
i);
if (!new_name->name) {
ldns_dnssec_name_free(new_name);
return LDNS_STATUS_MEM_ERR;
}
new_name->name_alloced = true;
new_node = LDNS_MALLOC(ldns_rbnode_t);
if (!new_node) {
ldns_dnssec_name_free(new_name);
return LDNS_STATUS_MEM_ERR;
}
new_node->key = new_name->name;
new_node->data = new_name;
(void)ldns_rbtree_insert(zone->names, new_node);
ldns_dnssec_name_make_hashed_name(
zone, new_name, NULL);
}
ldns_rdf_deep_free(l1);
ldns_rdf_deep_free(l2);
}
/* we might have inserted a new node after
* the current one so we can't just use next()
*/
if (next_node != ldns_rbtree_first(zone->names)) {
cur_node = next_node;
} else {
cur_node = LDNS_RBTREE_NULL;
}
}
return LDNS_STATUS_OK;
}
/* use for dname comparison in tree */
int
ldns_dname_compare_v(const void *a, const void *b) {
return ldns_dname_compare((ldns_rdf *)a, (ldns_rdf *)b);
}
/**
* Process RR.
*
*/
static ods_status
adapi_process_rr(zone_type* zone, ldns_rr* rr, int add, int backup)
{
ods_status status = ODS_STATUS_OK;
uint32_t tmp = 0;
ods_log_assert(rr);
ods_log_assert(zone);
ods_log_assert(zone->name);
ods_log_assert(zone->db);
ods_log_assert(zone->signconf);
/* We only support IN class */
if (ldns_rr_get_class(rr) != LDNS_RR_CLASS_IN) {
ods_log_warning("[%s] only class in is supported, changing class "
"to in", adapi_str);
ldns_rr_set_class(rr, LDNS_RR_CLASS_IN);
}
/* RR processing */
if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_SOA) {
if (ldns_dname_compare(ldns_rr_owner(rr), zone->apex)) {
ods_log_error("[%s] unable to %s rr to zone: soa record has "
"invalid owner name", adapi_str, add?"add":"delete");
return ODS_STATUS_ERR;
}
status = adapi_process_soa(zone, rr, add, backup);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to %s rr: failed to process soa "
"record", adapi_str, add?"add":"delete");
return status;
}
} else {
if (ldns_dname_compare(ldns_rr_owner(rr), zone->apex) &&
!ldns_dname_is_subdomain(ldns_rr_owner(rr), zone->apex)) {
ods_log_warning("[%s] zone %s contains out-of-zone data, "
"skipping", adapi_str, zone->name);
return ODS_STATUS_UNCHANGED;
} else if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_DNSKEY) {
adapi_process_dnskey(zone, rr);
} else if (util_is_dnssec_rr(rr) && !backup) {
ods_log_warning("[%s] zone %s contains dnssec data (type=%u), "
"skipping", adapi_str, zone->name,
(unsigned) ldns_rr_get_type(rr));
return ODS_STATUS_UNCHANGED;
} else if (zone->signconf->max_zone_ttl) {
/* Convert MaxZoneTTL */
tmp = (uint32_t) duration2time(zone->signconf->max_zone_ttl);
}
}
/* //MaxZoneTTL. Only set for RRtype != SOA && RRtype != DNSKEY */
if (tmp && tmp < ldns_rr_ttl(rr)) {
char* str = ldns_rdf2str(ldns_rr_owner(rr));
if (str) {
size_t i = 0;
str[(strlen(str))-1] = '\0';
/* replace tabs with white space */
for (i=0; i < strlen(str); i++) {
if (str[i] == '\t') {
str[i] = ' ';
}
}
ods_log_debug("[%s] capping ttl %u to MaxZoneTTL %u for rrset "
"<%s,%s>", adapi_str, ldns_rr_ttl(rr), tmp, str,
rrset_type2str(ldns_rr_get_type(rr)));
}
ldns_rr_set_ttl(rr, tmp);
}
/* TODO: DNAME and CNAME checks */
/* TODO: NS and DS checks */
if (add) {
return zone_add_rr(zone, rr, 1);
} else {
return zone_del_rr(zone, rr, 1);
}
/* not reached */
return ODS_STATUS_ERR;
}
/**
* Add RR.
*
*/
ods_status
zone_add_rr(zone_type* zone, ldns_rr* rr, int do_stats)
{
domain_type* domain = NULL;
rrset_type* rrset = NULL;
rr_type* record = NULL;
ods_status status = ODS_STATUS_OK;
ods_log_assert(rr);
ods_log_assert(zone);
ods_log_assert(zone->name);
ods_log_assert(zone->db);
ods_log_assert(zone->signconf);
/* If we already have this RR, return ODS_STATUS_UNCHANGED */
domain = namedb_lookup_domain(zone->db, ldns_rr_owner(rr));
if (!domain) {
domain = namedb_add_domain(zone->db, ldns_rr_owner(rr));
if (!domain) {
ods_log_error("[%s] unable to add RR to zone %s: "
"failed to add domain", zone_str, zone->name);
return ODS_STATUS_ERR;
}
if (ldns_dname_compare(domain->dname, zone->apex) == 0) {
domain->is_apex = 1;
} else {
status = namedb_domain_entize(zone->db, domain, zone->apex);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to add RR to zone %s: "
"failed to entize domain", zone_str, zone->name);
return ODS_STATUS_ERR;
}
}
}
rrset = domain_lookup_rrset(domain, ldns_rr_get_type(rr));
if (!rrset) {
rrset = rrset_create(domain->zone, ldns_rr_get_type(rr));
if (!rrset) {
ods_log_error("[%s] unable to add RR to zone %s: "
"failed to add RRset", zone_str, zone->name);
return ODS_STATUS_ERR;
}
domain_add_rrset(domain, rrset);
}
record = rrset_lookup_rr(rrset, rr);
if (record) {
record->is_added = 1; /* already exists, just mark added */
record->is_removed = 0; /* unset is_removed */
if (ldns_rr_ttl(rr) != ldns_rr_ttl(record->rr)) {
ldns_rr_set_ttl(record->rr, ldns_rr_ttl(rr));
rrset->needs_signing = 1;
}
return ODS_STATUS_UNCHANGED;
} else {
record = rrset_add_rr(rrset, rr);
ods_log_assert(record);
ods_log_assert(record->rr);
ods_log_assert(record->is_added);
}
/* update stats */
if (do_stats && zone->stats) {
zone->stats->sort_count += 1;
}
return ODS_STATUS_OK;
}
/* this is NOT the hash, but the original name! */
ldns_rdf *
ldns_nsec3_closest_encloser(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s)
{
/* remember parameters, they must match */
uint8_t algorithm;
uint32_t iterations;
uint8_t salt_length;
uint8_t *salt;
ldns_rdf *sname, *hashed_sname, *tmp;
ldns_rr *ce;
bool flag;
bool exact_match_found;
bool in_range_found;
ldns_status status;
ldns_rdf *zone_name;
size_t nsec_i;
ldns_rr *nsec;
ldns_rdf *result = NULL;
if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) {
return NULL;
}
if (verbosity >= 4) {
printf(";; finding closest encloser for type %d ", qtype);
ldns_rdf_print(stdout, qname);
printf("\n");
}
nsec = ldns_rr_list_rr(nsec3s, 0);
algorithm = ldns_nsec3_algorithm(nsec);
salt_length = ldns_nsec3_salt_length(nsec);
salt = ldns_nsec3_salt_data(nsec);
iterations = ldns_nsec3_iterations(nsec);
sname = ldns_rdf_clone(qname);
ce = NULL;
flag = false;
zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
/* algorithm from nsec3-07 8.3 */
while (ldns_dname_label_count(sname) > 0) {
exact_match_found = false;
in_range_found = false;
if (verbosity >= 3) {
printf(";; ");
ldns_rdf_print(stdout, sname);
printf(" hashes to: ");
}
hashed_sname = ldns_nsec3_hash_name(sname, algorithm, iterations, salt_length, salt);
status = ldns_dname_cat(hashed_sname, zone_name);
if (verbosity >= 3) {
ldns_rdf_print(stdout, hashed_sname);
printf("\n");
}
for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) {
nsec = ldns_rr_list_rr(nsec3s, nsec_i);
/* check values of iterations etc! */
/* exact match? */
if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) {
if (verbosity >= 4) {
printf(";; exact match found\n");
}
exact_match_found = true;
} else if (ldns_nsec_covers_name(nsec, hashed_sname)) {
if (verbosity >= 4) {
printf(";; in range of an nsec\n");
}
in_range_found = true;
}
}
if (!exact_match_found && in_range_found) {
flag = true;
} else if (exact_match_found && flag) {
result = ldns_rdf_clone(sname);
} else if (exact_match_found && !flag) {
// error!
if (verbosity >= 4) {
printf(";; the closest encloser is the same name (ie. this is an exact match, ie there is no closest encloser)\n");
}
ldns_rdf_deep_free(hashed_sname);
goto done;
} else {
flag = false;
}
ldns_rdf_deep_free(hashed_sname);
tmp = sname;
sname = ldns_dname_left_chop(sname);
ldns_rdf_deep_free(tmp);
}
done:
LDNS_FREE(salt);
ldns_rdf_deep_free(zone_name);
ldns_rdf_deep_free(sname);
if (!result) {
if (verbosity >= 4) {
printf(";; no closest encloser found\n");
}
}
/* todo checks from end of 6.2. here or in caller? */
return result;
}
/*return hash name match*/
ldns_rr *
ldns_nsec3_exact_match(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s) {
uint8_t algorithm;
uint32_t iterations;
uint8_t salt_length;
uint8_t *salt;
ldns_rdf *sname, *hashed_sname;
size_t nsec_i;
ldns_rr *nsec;
ldns_rr *result = NULL;
ldns_status status;
const ldns_rr_descriptor *descriptor;
ldns_rdf *zone_name;
if (verbosity >= 4) {
printf(";; finding exact match for ");
descriptor = ldns_rr_descript(qtype);
if (descriptor && descriptor->_name) {
printf("%s ", descriptor->_name);
} else {
printf("TYPE%d ", qtype);
}
ldns_rdf_print(stdout, qname);
printf("\n");
}
if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) {
if (verbosity >= 4) {
printf("no qname, nsec3s or list empty\n");
}
return NULL;
}
nsec = ldns_rr_list_rr(nsec3s, 0);
algorithm = ldns_nsec3_algorithm(nsec);
salt_length = ldns_nsec3_salt_length(nsec);
salt = ldns_nsec3_salt_data(nsec);
iterations = ldns_nsec3_iterations(nsec);
sname = ldns_rdf_clone(qname);
if (verbosity >= 4) {
printf(";; owner name hashes to: ");
}
hashed_sname = ldns_nsec3_hash_name(sname, algorithm, iterations, salt_length, salt);
zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
status = ldns_dname_cat(hashed_sname, zone_name);
if (verbosity >= 4) {
ldns_rdf_print(stdout, hashed_sname);
printf("\n");
}
for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) {
nsec = ldns_rr_list_rr(nsec3s, nsec_i);
/* check values of iterations etc! */
/* exact match? */
if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) {
result = nsec;
goto done;
}
}
done:
ldns_rdf_deep_free(zone_name);
ldns_rdf_deep_free(sname);
ldns_rdf_deep_free(hashed_sname);
LDNS_FREE(salt);
if (verbosity >= 4) {
if (result) {
printf(";; Found.\n");
} else {
printf(";; Not foud.\n");
}
}
return result;
}
ldns_status
ldns_verify_denial(ldns_pkt *pkt, ldns_rdf *name, ldns_rr_type type, ldns_rr_list **nsec_rrs, ldns_rr_list **nsec_rr_sigs)
{
uint16_t nsec_i;
ldns_rr_list *nsecs;
ldns_status result;
if (verbosity >= 5) {
printf("VERIFY DENIAL FROM:\n");
ldns_pkt_print(stdout, pkt);
}
result = LDNS_STATUS_CRYPTO_NO_RRSIG;
/* Try to see if there are NSECS in the packet */
nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC, LDNS_SECTION_ANY_NOQUESTION);
if (nsecs) {
for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsecs); nsec_i++) {
/* there are four options:
* - name equals ownername and is covered by the type bitmap
* - name equals ownername but is not covered by the type bitmap
* - name falls within nsec coverage but is not equal to the owner name
* - name falls outside of nsec coverage
*/
if (ldns_dname_compare(ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), name) == 0) {
/*
printf("CHECKING NSEC:\n");
ldns_rr_print(stdout, ldns_rr_list_rr(nsecs, nsec_i));
printf("DAWASEM\n");
*/
if (ldns_nsec_bitmap_covers_type(
ldns_nsec_get_bitmap(ldns_rr_list_rr(nsecs,
nsec_i)),
type)) {
/* Error, according to the nsec this rrset is signed */
result = LDNS_STATUS_CRYPTO_NO_RRSIG;
} else {
/* ok nsec denies existence */
if (verbosity >= 3) {
printf(";; Existence of data set with this type denied by NSEC\n");
}
/*printf(";; Verifiably insecure.\n");*/
if (nsec_rrs && nsec_rr_sigs) {
(void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), LDNS_RR_TYPE_NSEC, nsec_rrs, nsec_rr_sigs);
}
ldns_rr_list_deep_free(nsecs);
return LDNS_STATUS_OK;
}
} else if (ldns_nsec_covers_name(ldns_rr_list_rr(nsecs, nsec_i), name)) {
if (verbosity >= 3) {
printf(";; Existence of data set with this name denied by NSEC\n");
}
if (nsec_rrs && nsec_rr_sigs) {
(void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), LDNS_RR_TYPE_NSEC, nsec_rrs, nsec_rr_sigs);
}
ldns_rr_list_deep_free(nsecs);
return LDNS_STATUS_OK;
} else {
/* nsec has nothing to do with this data */
}
}
ldns_rr_list_deep_free(nsecs);
} else if( (nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC3, LDNS_SECTION_ANY_NOQUESTION)) ) {
ldns_rr_list* sigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANY_NOQUESTION);
ldns_rr* q = ldns_rr_new();
if(!sigs) return LDNS_STATUS_MEM_ERR;
if(!q) return LDNS_STATUS_MEM_ERR;
ldns_rr_set_question(q, 1);
ldns_rr_set_ttl(q, 0);
ldns_rr_set_owner(q, ldns_rdf_clone(name));
if(!ldns_rr_owner(q)) return LDNS_STATUS_MEM_ERR;
ldns_rr_set_type(q, type);
result = ldns_dnssec_verify_denial_nsec3(q, nsecs, sigs, ldns_pkt_get_rcode(pkt), type, ldns_pkt_ancount(pkt) == 0);
ldns_rr_free(q);
ldns_rr_list_deep_free(nsecs);
ldns_rr_list_deep_free(sigs);
}
return result;
}
/*
* Parses data buffer to a query, finds the correct answer
* and calls the given function for every packet to send.
*/
void
handle_query(uint8_t* inbuf, ssize_t inlen, struct entry* entries, int* count,
enum transport_type transport, void (*sendfunc)(uint8_t*, size_t, void*),
void* userdata, FILE* verbose_out)
{
ldns_status status;
ldns_pkt *query_pkt = NULL;
ldns_pkt *answer_pkt = NULL;
struct reply_packet *p;
ldns_rr *query_rr = NULL;
uint8_t *outbuf = NULL;
size_t answer_size = 0;
struct entry* entry = NULL;
ldns_rdf *stop_command = ldns_dname_new_frm_str("server.stop.");
status = ldns_wire2pkt(&query_pkt, inbuf, (size_t)inlen);
if (status != LDNS_STATUS_OK) {
verbose(1, "Got bad packet: %s\n", ldns_get_errorstr_by_id(status));
ldns_rdf_free(stop_command);
return;
}
query_rr = ldns_rr_list_rr(ldns_pkt_question(query_pkt), 0);
verbose(1, "query %d: id %d: %s %d bytes: ", ++(*count), (int)ldns_pkt_id(query_pkt),
(transport==transport_tcp)?"TCP":"UDP", (int)inlen);
if(verbose_out) ldns_rr_print(verbose_out, query_rr);
if(verbose_out) ldns_pkt_print(verbose_out, query_pkt);
if (ldns_rr_get_type(query_rr) == LDNS_RR_TYPE_TXT &&
ldns_rr_get_class(query_rr) == LDNS_RR_CLASS_CH &&
ldns_dname_compare(ldns_rr_owner(query_rr), stop_command) == 0) {
exit(0);
}
/* fill up answer packet */
entry = find_match(entries, query_pkt, transport);
if(!entry || !entry->reply_list) {
verbose(1, "no answer packet for this query, no reply.\n");
ldns_pkt_free(query_pkt);
ldns_rdf_free(stop_command);
return;
}
for(p = entry->reply_list; p; p = p->next)
{
verbose(3, "Answer pkt:\n");
if (p->reply_from_hex) {
/* try to parse the hex packet, if it can be
* parsed, we can use adjust rules. if not,
* send packet literally */
status = ldns_buffer2pkt_wire(&answer_pkt, p->reply_from_hex);
if (status == LDNS_STATUS_OK) {
adjust_packet(entry, answer_pkt, query_pkt);
if(verbose_out) ldns_pkt_print(verbose_out, answer_pkt);
status = ldns_pkt2wire(&outbuf, answer_pkt, &answer_size);
verbose(2, "Answer packet size: %u bytes.\n", (unsigned int)answer_size);
if (status != LDNS_STATUS_OK) {
verbose(1, "Error creating answer: %s\n", ldns_get_errorstr_by_id(status));
ldns_pkt_free(query_pkt);
ldns_rdf_free(stop_command);
return;
}
ldns_pkt_free(answer_pkt);
answer_pkt = NULL;
} else {
verbose(3, "Could not parse hex data (%s), sending hex data directly.\n", ldns_get_errorstr_by_id(status));
/* still try to adjust ID */
answer_size = ldns_buffer_capacity(p->reply_from_hex);
outbuf = LDNS_XMALLOC(uint8_t, answer_size);
memcpy(outbuf, ldns_buffer_export(p->reply_from_hex), answer_size);
if(entry->copy_id) {
ldns_write_uint16(outbuf,
ldns_pkt_id(query_pkt));
}
}
} else {
answer_pkt = ldns_pkt_clone(p->reply);
adjust_packet(entry, answer_pkt, query_pkt);
if(verbose_out) ldns_pkt_print(verbose_out, answer_pkt);
status = ldns_pkt2wire(&outbuf, answer_pkt, &answer_size);
verbose(1, "Answer packet size: %u bytes.\n", (unsigned int)answer_size);
if (status != LDNS_STATUS_OK) {
verbose(1, "Error creating answer: %s\n", ldns_get_errorstr_by_id(status));
ldns_pkt_free(query_pkt);
ldns_rdf_free(stop_command);
return;
}
ldns_pkt_free(answer_pkt);
answer_pkt = NULL;
}
if(p->packet_sleep) {
verbose(3, "sleeping for next packet %d secs\n",
p->packet_sleep);
#ifdef HAVE_SLEEP
sleep(p->packet_sleep);
#else
Sleep(p->packet_sleep * 1000);
#endif
verbose(3, "wakeup for next packet "
"(slept %d secs)\n", p->packet_sleep);
}
sendfunc(outbuf, answer_size, userdata);
LDNS_FREE(outbuf);
outbuf = NULL;
answer_size = 0;
}
ldns_pkt_free(query_pkt);
ldns_rdf_free(stop_command);
}
/* finds entry in list, or returns NULL */
struct entry*
find_match(struct entry* entries, ldns_pkt* query_pkt,
enum transport_type transport)
{
struct entry* p = entries;
ldns_pkt* reply = NULL;
for(p=entries; p; p=p->next) {
verbose(3, "comparepkt: ");
reply = p->reply_list->reply;
if(p->match_opcode && ldns_pkt_get_opcode(query_pkt) !=
ldns_pkt_get_opcode(reply)) {
verbose(3, "bad opcode\n");
continue;
}
if(p->match_qtype && get_qtype(query_pkt) != get_qtype(reply)) {
verbose(3, "bad qtype\n");
continue;
}
if(p->match_qname) {
if(!get_owner(query_pkt) || !get_owner(reply) ||
ldns_dname_compare(
get_owner(query_pkt), get_owner(reply)) != 0) {
verbose(3, "bad qname\n");
continue;
}
}
if(p->match_subdomain) {
if(!get_owner(query_pkt) || !get_owner(reply) ||
(ldns_dname_compare(get_owner(query_pkt),
get_owner(reply)) != 0 &&
!ldns_dname_is_subdomain(
get_owner(query_pkt), get_owner(reply))))
{
verbose(3, "bad subdomain\n");
continue;
}
}
if(p->match_serial && get_serial(query_pkt) != p->ixfr_soa_serial) {
verbose(3, "bad serial\n");
continue;
}
if(p->match_do && !ldns_pkt_edns_do(query_pkt)) {
verbose(3, "no DO bit set\n");
continue;
}
if(p->match_noedns && ldns_pkt_edns(query_pkt)) {
verbose(3, "bad; EDNS OPT present\n");
continue;
}
if(p->match_transport != transport_any && p->match_transport != transport) {
verbose(3, "bad transport\n");
continue;
}
if(p->match_all && !match_all(query_pkt, reply, p->match_ttl)) {
verbose(3, "bad allmatch\n");
continue;
}
verbose(3, "match!\n");
return p;
}
return NULL;
}
/**
* Read IXFR from file.
*
*/
static ods_status
addns_read_file(FILE* fd, zone_type* zone)
{
ldns_rr* rr = NULL;
uint32_t new_serial = 0;
uint32_t old_serial = 0;
uint32_t tmp_serial = 0;
ldns_rdf* prev = NULL;
ldns_rdf* orig = NULL;
ldns_rdf* dname = NULL;
uint32_t ttl = 0;
size_t rr_count = 0;
ods_status result = ODS_STATUS_OK;
ldns_status status = LDNS_STATUS_OK;
char line[SE_ADFILE_MAXLINE];
unsigned is_axfr = 0;
unsigned del_mode = 0;
unsigned soa_seen = 0;
unsigned line_update_interval = 100000;
unsigned line_update = line_update_interval;
unsigned l = 0;
ods_log_assert(fd);
ods_log_assert(zone);
/* $ORIGIN <zone name> */
dname = adapi_get_origin(zone);
if (!dname) {
ods_log_error("[%s] error getting default value for $ORIGIN",
adapter_str);
return ODS_STATUS_ERR;
}
orig = ldns_rdf_clone(dname);
if (!orig) {
ods_log_error("[%s] error setting default value for $ORIGIN",
adapter_str);
return ODS_STATUS_ERR;
}
/* $TTL <default ttl> */
ttl = adapi_get_ttl(zone);
/* read RRs */
while ((rr = addns_read_rr(fd, line, &orig, &prev, &ttl, &status, &l))
!= NULL) {
/* check status */
if (status != LDNS_STATUS_OK) {
ods_log_error("[%s] error reading RR at line %i (%s): %s",
adapter_str, l, ldns_get_errorstr_by_id(status), line);
result = ODS_STATUS_ERR;
break;
}
/* debug update */
if (l > line_update) {
ods_log_debug("[%s] ...at line %i: %s", adapter_str, l, line);
line_update += line_update_interval;
}
/* first RR: check if SOA and correct zone & serialno */
if (rr_count == 0) {
rr_count++;
if (ldns_rr_get_type(rr) != LDNS_RR_TYPE_SOA) {
ods_log_error("[%s] bad xfr, first rr is not soa",
adapter_str);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_ERR;
break;
}
soa_seen++;
if (ldns_dname_compare(ldns_rr_owner(rr), zone->apex)) {
ods_log_error("[%s] bad xfr, soa dname not equal to zone "
"dname %s", adapter_str, zone->name);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_ERR;
break;
}
tmp_serial =
ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
old_serial = adapi_get_serial(zone);
if (!util_serial_gt(tmp_serial, old_serial)) {
ods_log_info("[%s] zone %s is already up to date, have "
"serial %u, got serial %u", adapter_str, zone->name,
old_serial, tmp_serial);
new_serial = tmp_serial;
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_UNCHANGED;
break;
}
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_OK;
continue;
}
/* second RR: if not soa, this is an AXFR */
if (rr_count == 1) {
if (ldns_rr_get_type(rr) != LDNS_RR_TYPE_SOA) {
ods_log_verbose("[%s] detected axfr serial=%u for zone %s",
adapter_str, tmp_serial, zone->name);
new_serial = tmp_serial;
is_axfr = 1;
del_mode = 0;
} else {
ods_log_verbose("[%s] detected ixfr serial=%u for zone %s",
adapter_str, tmp_serial, zone->name);
new_serial = tmp_serial;
tmp_serial =
ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
ldns_rr_free(rr);
rr = NULL;
rr_count++;
if (tmp_serial < new_serial) {
del_mode = 1;
result = ODS_STATUS_OK;
continue;
} else {
ods_log_error("[%s] bad xfr for zone %s, bad soa serial",
adapter_str, zone->name);
result = ODS_STATUS_ERR;
break;
}
}
}
/* soa means swap */
rr_count++;
if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_SOA) {
if (!is_axfr) {
tmp_serial =
ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
if (tmp_serial <= new_serial) {
if (tmp_serial == new_serial) {
soa_seen++;
}
del_mode = !del_mode;
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_OK;
continue;
} else {
ods_log_assert(tmp_serial > new_serial);
ods_log_error("[%s] bad xfr for zone %s, bad soa serial",
adapter_str, zone->name);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_ERR;
break;
}
} else {
/* for axfr */
soa_seen++;
}
}
/* [add to/remove from] the zone */
if (!is_axfr && del_mode) {
ods_log_debug("[%s] delete RR #%i at line %i: %s",
adapter_str, rr_count, l, line);
result = adapi_del_rr(zone, rr, 0);
ldns_rr_free(rr);
rr = NULL;
} else {
ods_log_debug("[%s] add RR #%i at line %i: %s",
adapter_str, rr_count, l, line);
result = adapi_add_rr(zone, rr, 0);
}
if (result == ODS_STATUS_UNCHANGED) {
ods_log_debug("[%s] skipping RR at line %i (%s): %s",
adapter_str, l, del_mode?"not found":"duplicate", line);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_OK;
continue;
} else if (result != ODS_STATUS_OK) {
ods_log_error("[%s] error %s RR at line %i: %s",
adapter_str, del_mode?"deleting":"adding", l, line);
ldns_rr_free(rr);
rr = NULL;
break;
}
}
/* and done */
if (orig) {
ldns_rdf_deep_free(orig);
orig = NULL;
}
if (prev) {
ldns_rdf_deep_free(prev);
prev = NULL;
}
if (result == ODS_STATUS_OK && status != LDNS_STATUS_OK) {
ods_log_error("[%s] error reading RR at line %i (%s): %s",
adapter_str, l, ldns_get_errorstr_by_id(status), line);
result = ODS_STATUS_ERR;
}
/* check the number of SOAs seen */
if (result == ODS_STATUS_OK) {
if ((is_axfr && soa_seen != 2) || (!is_axfr && soa_seen != 3)) {
ods_log_error("[%s] bad %s, wrong number of SOAs (%u)",
adapter_str, is_axfr?"axfr":"ixfr", soa_seen);
result = ODS_STATUS_ERR;
}
}
/* input zone ok, set inbound serial and apply differences */
if (result == ODS_STATUS_OK || result == ODS_STATUS_UNCHANGED) {
adapi_set_serial(zone, new_serial);
if (is_axfr) {
adapi_trans_full(zone);
} else {
adapi_trans_diff(zone);
}
if (result == ODS_STATUS_UNCHANGED) {
result = ODS_STATUS_OK;
}
}
return result;
}
ldns_status
ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
ldns_rr_list *new_rrs,
ldns_key_list *key_list,
int (*func)(ldns_rr *, void*),
void *arg)
{
ldns_status result = LDNS_STATUS_OK;
ldns_rbnode_t *cur_node;
ldns_rr_list *rr_list;
ldns_dnssec_name *cur_name;
ldns_dnssec_rrsets *cur_rrset;
ldns_dnssec_rrs *cur_rr;
ldns_rr_list *siglist;
size_t i;
ldns_rr_list *pubkey_list = ldns_rr_list_new();
zone = zone;
new_rrs = new_rrs;
key_list = key_list;
for (i = 0; i<ldns_key_list_key_count(key_list); i++) {
ldns_rr_list_push_rr(pubkey_list,
ldns_key2rr(ldns_key_list_key(key_list, i)));
}
/* TODO: callback to see is list should be signed */
/* TODO: remove 'old' signatures from signature list */
cur_node = ldns_rbtree_first(zone->names);
while (cur_node != LDNS_RBTREE_NULL) {
cur_name = (ldns_dnssec_name *) cur_node->data;
if (!cur_name->is_glue) {
cur_rrset = cur_name->rrsets;
while (cur_rrset) {
/* reset keys to use */
ldns_key_list_set_use(key_list, true);
/* walk through old sigs, remove the old,
and mark which keys (not) to use) */
cur_rrset->signatures =
ldns_dnssec_remove_signatures(cur_rrset->signatures,
key_list,
func,
arg);
/* TODO: just set count to zero? */
rr_list = ldns_rr_list_new();
cur_rr = cur_rrset->rrs;
while (cur_rr) {
ldns_rr_list_push_rr(rr_list, cur_rr->rr);
cur_rr = cur_rr->next;
}
/* only sign non-delegation RRsets */
/* (glue should have been marked earlier) */
if ((ldns_rr_list_type(rr_list) != LDNS_RR_TYPE_NS ||
ldns_dname_compare(ldns_rr_list_owner(rr_list),
zone->soa->name) == 0) &&
/* OK, there is also the possibility that the record
* is glue, but at the same owner name as other records that
* are not NS nor A/AAAA. Bleh, our current data structure
* doesn't really support that... */
!((ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_A ||
ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_AAAA) &&
!ldns_dname_compare(ldns_rr_list_owner(rr_list), zone->soa->name) == 0 &&
ldns_dnssec_zone_find_rrset(zone, ldns_rr_list_owner(rr_list), LDNS_RR_TYPE_NS)
)) {
siglist = ldns_sign_public(rr_list, key_list);
for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
if (cur_rrset->signatures) {
ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
ldns_rr_list_rr(siglist,
i));
} else {
cur_rrset->signatures = ldns_dnssec_rrs_new();
cur_rrset->signatures->rr =
ldns_rr_list_rr(siglist, i);
ldns_rr_list_push_rr(new_rrs,
ldns_rr_list_rr(siglist,
i));
}
}
ldns_rr_list_free(siglist);
}
ldns_rr_list_free(rr_list);
cur_rrset = cur_rrset->next;
}
/* sign the nsec */
cur_name->nsec_signatures =
ldns_dnssec_remove_signatures(cur_name->nsec_signatures,
key_list,
func,
arg);
rr_list = ldns_rr_list_new();
ldns_rr_list_push_rr(rr_list, cur_name->nsec);
siglist = ldns_sign_public(rr_list, key_list);
for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
if (cur_name->nsec_signatures) {
ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
ldns_rr_list_rr(siglist, i));
} else {
cur_name->nsec_signatures = ldns_dnssec_rrs_new();
cur_name->nsec_signatures->rr =
ldns_rr_list_rr(siglist, i);
ldns_rr_list_push_rr(new_rrs,
ldns_rr_list_rr(siglist, i));
}
}
ldns_rr_list_free(siglist);
ldns_rr_list_free(rr_list);
}
cur_node = ldns_rbtree_next(cur_node);
}
ldns_rr_list_deep_free(pubkey_list);
return result;
}
int main(int argc, char **argv) {
/* Local Vars */
int i;
int soa_valid = 0;
int ns_valid = 0;
ldns_rdf *rd_domain;
ldns_rdf *rd_trace;
ldns_rdf *rd_cdomain;
ldns_pkt *pkt;
ldns_resolver *res;
ldns_rr *rr;
ldns_rr_list *rrl;
ldns_rr_list *rrl_domain_soa;
ldns_rr_list *rrl_domain_soa_rrsig;
ldns_rr_list *rrl_domain_ns;
ldns_rr_list *rrl_domain_ns_rrsig;
ldns_rr_list *rrl_valid_keys;
ldns_status status;
/* Set signal handling and alarm */
if (signal(SIGALRM, timeout_alarm_handler) == SIG_ERR)
critical("Setup SIGALRM trap failed!");
/* Process check arguments */
if (process_arguments(argc, argv) != OK)
unknown("Parsing arguments failed!");
/* Start plugin timeout */
alarm(mp_timeout);
rd_domain = ldns_dname_new_frm_str(domainname);
if (!rd_domain)
unknown("Illegal domain name");
rd_trace = ldns_dname_new_frm_str(domaintrace);
if (!rd_trace)
unknown("Illegal trace domain name");
/* Check domain is subdomain from trace start */
if (!ldns_dname_is_subdomain(rd_domain, rd_trace)) {
ldns_rr_list_deep_free(trusted_keys);
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
unknown("'%s' is not a subdomain of '%s'.", domainname,
domaintrace);
}
/* Add trusted keys for trace domain to rrl_valid_keys. */
rrl_valid_keys = ldns_rr_list_new();
for(i = 0; i < ldns_rr_list_rr_count(trusted_keys); i++) {
rr = ldns_rr_list_rr(trusted_keys, i);
if (ldns_dname_compare(ldns_rr_owner(rr),rd_trace) == 0)
ldns_rr_list_push_rr(rrl_valid_keys, ldns_rr_clone(rr));
}
ldns_rr_list_deep_free(trusted_keys);
if (ldns_rr_list_rr_count(rrl_valid_keys) == 0) {
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
ldns_rr_list_deep_free(rrl_valid_keys);
critical("No trusted key for trace start '%s'", domaintrace?domaintrace:".");
}
if (mp_verbose >= 2) {
printf("--[ Trusted keys used ]-------------------------------------\n");
ldns_rr_list_sort(rrl_valid_keys);
ldns_rr_list_print(stdout, rrl_valid_keys);
printf("------------------------------------------------------------\n");
}
/* create a new resolver with dns_server or server from /etc/resolv.conf */
res = createResolver(hostname);
if (!res) {
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
ldns_rr_list_deep_free(rrl_valid_keys);
unknown("Creating resolver failed.");
}
resolverEnableDnssec(res);
ldns_resolver_set_dnssec_anchors(res, rrl_valid_keys);
/* check domain exists */
pkt = mp_ldns_resolver_query(res, rd_domain, LDNS_RR_TYPE_SOA,
LDNS_RR_CLASS_IN, LDNS_RD);
if (pkt == NULL || ldns_pkt_get_rcode(pkt) != LDNS_RCODE_NOERROR) {
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
ldns_resolver_deep_free(res);
if (pkt && ldns_pkt_get_rcode(pkt) == LDNS_RCODE_NXDOMAIN) {
ldns_pkt_free(pkt);
critical("Domain '%s' don't exist.", domainname);
}
ldns_pkt_free(pkt);
critical("Unable to get SOA for %s.", domainname);
}
rrl_domain_soa = ldns_pkt_rr_list_by_name_and_type(pkt, rd_domain,
LDNS_RR_TYPE_SOA,
LDNS_SECTION_ANSWER);
if (rrl_domain_soa == NULL || ldns_rr_list_rr_count(rrl_domain_soa) == 0) {
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
ldns_resolver_deep_free(res);
ldns_pkt_free(pkt);
critical("Domain '%s' not found.", domainname);
}
rrl_domain_soa_rrsig = ldns_dnssec_pkt_get_rrsigs_for_name_and_type(pkt,
rd_domain, LDNS_RR_TYPE_SOA);
if (rrl_domain_soa_rrsig == NULL ||
ldns_rr_list_rr_count(rrl_domain_soa_rrsig) == 0) {
free(domaintrace);
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
ldns_resolver_deep_free(res);
ldns_pkt_free(pkt);
ldns_rr_list_deep_free(rrl_domain_soa);
critical("Domain '%s' not signed.", domainname);
}
ldns_pkt_free(pkt);
pkt = ldns_resolver_query(res, rd_domain, LDNS_RR_TYPE_NS,
LDNS_RR_CLASS_IN, LDNS_RD);
rrl_domain_ns = ldns_pkt_rr_list_by_name_and_type(pkt, rd_domain,
LDNS_RR_TYPE_NS,
LDNS_SECTION_ANSWER);
rrl_domain_ns_rrsig = ldns_dnssec_pkt_get_rrsigs_for_name_and_type(pkt,
rd_domain,
LDNS_RR_TYPE_NS);
ldns_pkt_free(pkt);
if (mp_verbose >= 2) {
printf("--[ Checked Domain ]----------------------------------------\n");
ldns_rr_list_print(stdout, rrl_domain_soa);
printf("------------------------------------------------------------\n");
ldns_rr_list_print(stdout, rrl_domain_soa_rrsig);
printf("------------------------------------------------------------\n");
ldns_rr_list_print(stdout, rrl_domain_ns);
printf("------------------------------------------------------------\n");
ldns_rr_list_print(stdout, rrl_domain_ns_rrsig);
printf("------------------------------------------------------------\n");
}
/* create a new resolver with dns_server or server from /etc/resolv.conf */
ldns_resolver_free(res);
res = createResolver(resolver);
if (!res) {
ldns_rdf_deep_free(rd_domain);
ldns_rdf_deep_free(rd_trace);
ldns_rr_list_deep_free(rrl_valid_keys);
unknown("Creating resolver failed.");
}
resolverEnableDnssec(res);
ldns_resolver_set_dnssec_anchors(res, rrl_valid_keys);
/* Fetch valid keys from top down */
i = ldns_dname_label_count(rd_domain) - ldns_dname_label_count(rd_trace);
for (; i>=0; i--) {
rd_cdomain = ldns_dname_clone_from(rd_domain, i);
if (mp_verbose) {
char *str = ldns_rdf2str(rd_cdomain);
printf("Trace: %s\n", str);
free(str);
}
rrl = ldns_fetch_valid_domain_keys(res, rd_cdomain, rrl_valid_keys, &status);
if (mp_verbose >= 2) {
printf("--[ Valid Keys ]----------------------------------------\n");
ldns_rr_list_sort(rrl);
ldns_rr_list_print(stdout, rrl);
printf("------------------------------------------------------------\n");
}
ldns_rr_list_cat(rrl_valid_keys, rrl);
ldns_rr_list_free(rrl);
ldns_rdf_deep_free(rd_cdomain);
}
ldns_rdf_deep_free(rd_trace);
ldns_rdf_deep_free(rd_domain);
/* Validate SOA */
for(i = 0; i < ldns_rr_list_rr_count(rrl_domain_soa_rrsig); i++) {
rr = ldns_rr_list_rr(rrl_domain_soa_rrsig, i);
status = ldns_verify_rrsig_keylist(rrl_domain_soa, rr, rrl_valid_keys, NULL);
if (status == LDNS_STATUS_OK)
soa_valid++;
else if (mp_verbose > 0)
fprintf(stderr, "ldns_verify_rrsig_keylist SOA failed: %s\n",
ldns_get_errorstr_by_id(status));
}
ldns_rr_list_deep_free(rrl_domain_soa);
ldns_rr_list_deep_free(rrl_domain_soa_rrsig);
if (soa_valid == 0) {
critical("No valid Signatur for SOA of '%s'", domainname);
free(domainname);
free(domaintrace);
ldns_resolver_deep_free(res);
ldns_rr_list_deep_free(rrl_domain_ns);
ldns_rr_list_deep_free(rrl_domain_ns_rrsig);
return checkState;
}
/* Validate NS */
for(i = 0; i < ldns_rr_list_rr_count(rrl_domain_ns_rrsig); i++) {
rr = ldns_rr_list_rr(rrl_domain_ns_rrsig, i);
status = ldns_verify_rrsig_keylist(rrl_domain_ns, rr, rrl_valid_keys, NULL);
if (status == LDNS_STATUS_OK)
ns_valid++;
else if (mp_verbose > 0)
fprintf(stderr, "ldns_verify_rrsig_keylist NS failed: %s\n",
ldns_get_errorstr_by_id(status));
}
ldns_rr_list_deep_free(rrl_domain_ns);
ldns_rr_list_deep_free(rrl_domain_ns_rrsig);
ldns_resolver_deep_free(res);
if (ns_valid == 0) {
critical("No valid Signatur for NS of '%s'", domainname);
free(domainname);
free(domaintrace);
return checkState;
}
ok("Trust for '%s' successfull traces from '%s'", domainname,
domaintrace);
free(domainname);
free(domaintrace);
return checkState;
}
