/** * Compare tasks. * */ int task_compare(const void* a, const void* b) { task_type* x = (task_type*)a; task_type* y = (task_type*)b; zone_type* zx = NULL; zone_type* zy = NULL; ods_log_assert(x); ods_log_assert(y); zx = (zone_type*) x->zone; zy = (zone_type*) y->zone; if (!ldns_dname_compare((const void*) zx->apex, (const void*) zy->apex)) { /* if dname is the same, consider the same task */ return 0; } /* order task on time, what to do, dname */ if (x->when != y->when) { return (int) x->when - y->when; } if (x->what != y->what) { return (int) x->what - y->what; } /* this is unfair, it prioritizes zones that are first in canonical line */ return ldns_dname_compare((const void*) zx->apex, (const void*) zy->apex); }
static ldns_rbnode_t * ldns_dnssec_zone_find_nsec3_original(ldns_dnssec_zone *zone, ldns_rr *rr) { ldns_rbnode_t *current_node = ldns_rbtree_first(zone->names); ldns_dnssec_name *current_name; ldns_rdf *hashed_name; hashed_name = ldns_dname_label(ldns_rr_owner(rr), 0); while (current_node != LDNS_RBTREE_NULL) { current_name = (ldns_dnssec_name *) current_node->data; if (!current_name->hashed_name) { current_name->hashed_name = ldns_nsec3_hash_name_frm_nsec3(rr, current_name->name); } if (ldns_dname_compare(hashed_name, current_name->hashed_name) == 0) { ldns_rdf_deep_free(hashed_name); return current_node; } current_node = ldns_rbtree_next(current_node); } ldns_rdf_deep_free(hashed_name); return NULL; }
static int udp_bind(int sock, int port, const char *my_address) { struct sockaddr_in addr; in_addr_t maddr = INADDR_ANY; if (my_address) { #ifdef AF_INET6 if (inet_pton(AF_INET6, my_address, &maddr) < 1) { #else if (0) { #endif if (inet_pton(AF_INET, my_address, &maddr) < 1) { return -2; } } } #ifndef S_SPLINT_S addr.sin_family = AF_INET; #endif addr.sin_port = (in_port_t) htons((uint16_t)port); addr.sin_addr.s_addr = maddr; return bind(sock, (struct sockaddr *)&addr, (socklen_t) sizeof(addr)); } /* this will probably be moved to a better place in the library itself */ ldns_rr_list * get_rrset(const ldns_zone *zone, const ldns_rdf *owner_name, const ldns_rr_type qtype, const ldns_rr_class qclass) { uint16_t i; ldns_rr_list *rrlist = ldns_rr_list_new(); ldns_rr *cur_rr; if (!zone || !owner_name) { fprintf(stderr, "Warning: get_rrset called with NULL zone or owner name\n"); return rrlist; } for (i = 0; i < ldns_zone_rr_count(zone); i++) { cur_rr = ldns_rr_list_rr(ldns_zone_rrs(zone), i); if (ldns_dname_compare(ldns_rr_owner(cur_rr), owner_name) == 0 && ldns_rr_get_class(cur_rr) == qclass && ldns_rr_get_type(cur_rr) == qtype ) { ldns_rr_list_push_rr(rrlist, ldns_rr_clone(cur_rr)); } } printf("Found rrset of %u rrs\n", (unsigned int) ldns_rr_list_rr_count(rrlist)); return rrlist; }
/* this is a linear speed test (slow for large numbers). but the dig response will be small anyway. */ int check_done(ldns_rdf *qname) { struct donelist* p = done; while(p) { if(ldns_dname_compare(qname, p->name)==0) return 1; p = p->next; } /* not done yet add to list */ p = (struct donelist*)malloc(sizeof(struct donelist)); p->name = qname; p->next = done; done = p; return 0; }
/** * Compare two zones. * */ static int zone_compare(const void* a, const void* b) { zone_type* x = (zone_type*)a; zone_type* y = (zone_type*)b; ods_log_assert(x); ods_log_assert(y); if (x->klass != y->klass) { if (x->klass < y->klass) { return -1; } return 1; } return ldns_dname_compare(x->apex, y->apex); }
int ldns_dnssec_name_cmp(const void *a, const void *b) { ldns_dnssec_name *na = (ldns_dnssec_name *) a; ldns_dnssec_name *nb = (ldns_dnssec_name *) b; if (na && nb) { return ldns_dname_compare(ldns_dnssec_name_name(na), ldns_dnssec_name_name(nb)); } else if (na) { return 1; } else if (nb) { return -1; } else { return 0; } }
/** * ACL matches TSIG. * */ static int acl_tsig_matches(acl_type* acl, tsig_rr_type* tsig) { if (!acl || !tsig) { ods_log_debug("[%s] no match: no acl or tsig", acl_str); return 0; /* missing required elements */ } if (!acl->tsig) { if (tsig->status == TSIG_NOT_PRESENT) { return 1; } ods_log_debug("[%s] no match: tsig present but no config", acl_str); return 0; /* TSIG present but no config */ } if (tsig->status != TSIG_OK) { ods_log_debug("[%s] no match: tsig %s", acl_str, tsig_status2str(tsig->status)); return 0; /* query has no TSIG */ } if (tsig->error_code != LDNS_RCODE_NOERROR) { ods_log_debug("[%s] no match: tsig error %d", acl_str, tsig->error_code); return 0; /* query has bork TSIG */ } if (!tsig->key_name || !tsig->algo) { ods_log_debug("[%s] no match: missing key/algo", acl_str); return 0; } if (!acl->tsig->key) { ods_log_debug("[%s] no match: no config", acl_str); return 0; /* missing TSIG config */ } if (ldns_dname_compare(tsig->key_name, acl->tsig->key->dname) != 0) { ods_log_debug("[%s] no match: key names not the same", acl_str); return 0; /* wrong key name */ } if (ods_strlowercmp(tsig->algo->txt_name, acl->tsig->algorithm) != 0) { ods_log_debug("[%s] no match: algorithms not the same", acl_str); return 0; /* wrong algorithm name */ } /* tsig matches */ return 1; }
void check_cover(ldns_rr_list *list, ldns_rdf *qname) { ldns_status status; size_t i; if(check_done(qname)) return; for(i=0; i<ldns_rr_list_rr_count(list); ++i) { ldns_rr* nsec3 = ldns_rr_list_rr(list, i); if(ldns_rr_get_type(nsec3) != LDNS_RR_TYPE_NSEC3) { /* skip non nsec3 */ continue; } ldns_rdf* hashed = ldns_nsec3_hash_name_frm_nsec3( nsec3, qname); status = ldns_dname_cat(hashed, ldns_dname_left_chop( ldns_rr_owner(nsec3))); if(status != LDNS_STATUS_OK) abort_ldns_error("ldns_dname_cat", status); if(ldns_dname_compare(hashed, ldns_rr_owner(nsec3)) == 0) { ldns_rdf_print(stdout, ldns_rr_owner(nsec3)); printf(" proves "); ldns_rdf_print(stdout, qname); printf(" exists.\n"); } else if(ldns_nsec_covers_name(nsec3, hashed)) { ldns_rdf_print(stdout, ldns_rr_owner(nsec3)); printf(" proves "); ldns_rdf_print(stdout, qname); printf(" does not exist.\n"); } ldns_rdf_free(hashed); } }
int main(int argc, char **argv) { char *fn1, *fn2; FILE *fp1, *fp2; ldns_zone *z1, *z2; ldns_status s; size_t i , j; ldns_rr_list *rrl1, *rrl2; int rr_cmp, rr_chg = 0; ldns_rr *rr1 = NULL, *rr2 = NULL, *rrx = NULL; int line_nr1 = 0, line_nr2 = 0; size_t rrc1 , rrc2; size_t num_ins = 0, num_del = 0, num_chg = 0; int c; bool opt_deleted = false, opt_inserted = false, opt_changed = false; bool sort = true, inc_soa = false; char op = 0; while ((c = getopt(argc, argv, "ahvdicsz")) != -1) { switch (c) { case 'h': usage(argc, argv); exit(EXIT_SUCCESS); break; case 'v': printf("%s version %s (ldns version %s)\n", argv[0], LDNS_VERSION, ldns_version()); exit(EXIT_SUCCESS); break; case 's': inc_soa = true; break; case 'z': sort = false; break; case 'd': opt_deleted = true; break; case 'i': opt_inserted = true; break; case 'c': opt_changed = true; break; case 'a': opt_deleted = true; opt_inserted = true; opt_changed = true; break; } } argc -= optind; argv += optind; if (argc != 2) { argc -= optind; argv -= optind; usage(argc, argv); exit(EXIT_FAILURE); } fn1 = argv[0]; fp1 = fopen(fn1, "r"); if (!fp1) { fprintf(stderr, "Unable to open %s: %s\n", fn1, strerror(errno)); exit(EXIT_FAILURE); } /* Read first zone */ s = ldns_zone_new_frm_fp_l(&z1, fp1, NULL, 0, LDNS_RR_CLASS_IN, &line_nr1); if (s != LDNS_STATUS_OK) { fclose(fp1); fprintf(stderr, "%s: %s at %d\n", fn1, ldns_get_errorstr_by_id(s), line_nr1); exit(EXIT_FAILURE); } fclose(fp1); fn2 = argv[1]; fp2 = fopen(fn2, "r"); if (!fp2) { fprintf(stderr, "Unable to open %s: %s\n", fn2, strerror(errno)); exit(EXIT_FAILURE); } /* Read second zone */ s = ldns_zone_new_frm_fp_l(&z2, fp2, NULL, 0, LDNS_RR_CLASS_IN, &line_nr2); if (s != LDNS_STATUS_OK) { ldns_zone_deep_free(z1); fclose(fp2); fprintf(stderr, "%s: %s at %d\n", fn2, ldns_get_errorstr_by_id(s), line_nr2); exit(EXIT_FAILURE); } fclose(fp2); rrl1 = ldns_zone_rrs(z1); rrc1 = ldns_rr_list_rr_count(rrl1); rrl2 = ldns_zone_rrs(z2); rrc2 = ldns_rr_list_rr_count(rrl2); if (sort) { /* canonicalize zone 1 */ ldns_rr2canonical(ldns_zone_soa(z1)); for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(z1)); i++) { ldns_rr2canonical(ldns_rr_list_rr(ldns_zone_rrs(z1), i)); } /* sort zone 1 */ ldns_zone_sort(z1); /* canonicalize zone 2 */ ldns_rr2canonical(ldns_zone_soa(z2)); for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(z2)); i++) { ldns_rr2canonical(ldns_rr_list_rr(ldns_zone_rrs(z2), i)); } /* sort zone 2 */ ldns_zone_sort(z2); } if(inc_soa) { ldns_rr_list* wsoa = ldns_rr_list_new(); ldns_rr_list_push_rr(wsoa, ldns_zone_soa(z1)); ldns_rr_list_cat(wsoa, rrl1); rrl1 = wsoa; rrc1 = ldns_rr_list_rr_count(rrl1); wsoa = ldns_rr_list_new(); ldns_rr_list_push_rr(wsoa, ldns_zone_soa(z2)); ldns_rr_list_cat(wsoa, rrl2); rrl2 = wsoa; rrc2 = ldns_rr_list_rr_count(rrl2); if(sort) { ldns_rr_list_sort(rrl1); ldns_rr_list_sort(rrl2); } } /* * Walk through both zones. The previously seen resource record is * kept (in the variable rrx) so that we can recognize when we are * handling a new owner name. If the owner name changes, we have to * set the operator again. */ for (i = 0, j = 0; i < rrc1 || j < rrc2;) { rr_cmp = 0; if (i < rrc1 && j < rrc2) { rr1 = ldns_rr_list_rr(rrl1, i); rr2 = ldns_rr_list_rr(rrl2, j); rr_cmp = ldns_rr_compare(rr1, rr2); /* Completely skip if the rrs are equal */ if (rr_cmp == 0) { i++; j++; continue; } rr_chg = ldns_dname_compare(ldns_rr_owner(rr1), ldns_rr_owner(rr2)); } else if (i >= rrc1) { /* we have reached the end of zone 1, so the current record * from zone 2 automatically sorts higher */ rr1 = NULL; rr2 = ldns_rr_list_rr(rrl2, j); rr_chg = rr_cmp = 1; } else if (j >= rrc2) { /* we have reached the end of zone 2, so the current record * from zone 1 automatically sorts lower */ rr1 = ldns_rr_list_rr(rrl1, i); rr2 = NULL; rr_chg = rr_cmp = -1; } if (rr_cmp < 0) { i++; if ((rrx != NULL) && (ldns_dname_compare(ldns_rr_owner(rr1), ldns_rr_owner(rrx) ) != 0)) { /* The owner name is different, forget previous rr */ rrx = NULL; } if (rrx == NULL) { if (rr_chg == 0) { num_chg++; op = OP_CHG; } else { num_del++; op = OP_DEL; } rrx = rr1; } if (((op == OP_DEL) && opt_deleted) || ((op == OP_CHG) && opt_changed)) { printf("%c-", op); ldns_rr_print(stdout, rr1); } } else if (rr_cmp > 0) { j++; if ((rrx != NULL) && (ldns_dname_compare(ldns_rr_owner(rr2), ldns_rr_owner(rrx) ) != 0)) { rrx = NULL; } if (rrx == NULL) { if (rr_chg == 0) { num_chg++; op = OP_CHG; } else { num_ins++; op = OP_INS; } /* remember this rr for it's name in the next iteration */ rrx = rr2; } if (((op == OP_INS) && opt_inserted) || ((op == OP_CHG) && opt_changed)) { printf("%c+", op); ldns_rr_print(stdout, rr2); } } } printf("\t%c%u\t%c%u\t%c%u\n", OP_INS, (unsigned int) num_ins, OP_DEL, (unsigned int) num_del, OP_CHG, (unsigned int) num_chg); /* Free resources */ if(inc_soa) { ldns_rr_list_free(rrl1); ldns_rr_list_free(rrl2); } ldns_zone_deep_free(z2); ldns_zone_deep_free(z1); return 0; }
ldns_status ldns_dnssec_zone_add_empty_nonterminals(ldns_dnssec_zone *zone) { ldns_dnssec_name *new_name; ldns_rdf *cur_name; ldns_rdf *next_name; ldns_rbnode_t *cur_node, *next_node, *new_node; /* for the detection */ uint16_t i, cur_label_count, next_label_count; uint16_t soa_label_count = 0; ldns_rdf *l1, *l2; int lpos; if (!zone) { return LDNS_STATUS_ERR; } if (zone->soa && zone->soa->name) { soa_label_count = ldns_dname_label_count(zone->soa->name); } cur_node = ldns_rbtree_first(zone->names); while (cur_node != LDNS_RBTREE_NULL) { next_node = ldns_rbtree_next(cur_node); /* skip glue */ while (next_node != LDNS_RBTREE_NULL && next_node->data && ((ldns_dnssec_name *)next_node->data)->is_glue ) { next_node = ldns_rbtree_next(next_node); } if (next_node == LDNS_RBTREE_NULL) { next_node = ldns_rbtree_first(zone->names); } if (! cur_node->data || ! next_node->data) { return LDNS_STATUS_ERR; } cur_name = ((ldns_dnssec_name *)cur_node->data)->name; next_name = ((ldns_dnssec_name *)next_node->data)->name; cur_label_count = ldns_dname_label_count(cur_name); next_label_count = ldns_dname_label_count(next_name); /* Since the names are in canonical order, we can * recognize empty non-terminals by their labels; * every label after the first one on the next owner * name is a non-terminal if it either does not exist * in the current name or is different from the same * label in the current name (counting from the end) */ for (i = 1; i < next_label_count - soa_label_count; i++) { lpos = (int)cur_label_count - (int)next_label_count + (int)i; if (lpos >= 0) { l1 = ldns_dname_clone_from(cur_name, (uint8_t)lpos); } else { l1 = NULL; } l2 = ldns_dname_clone_from(next_name, i); if (!l1 || ldns_dname_compare(l1, l2) != 0) { /* We have an empty nonterminal, add it to the * tree */ new_name = ldns_dnssec_name_new(); if (!new_name) { return LDNS_STATUS_MEM_ERR; } new_name->name = ldns_dname_clone_from(next_name, i); if (!new_name->name) { ldns_dnssec_name_free(new_name); return LDNS_STATUS_MEM_ERR; } new_name->name_alloced = true; new_node = LDNS_MALLOC(ldns_rbnode_t); if (!new_node) { ldns_dnssec_name_free(new_name); return LDNS_STATUS_MEM_ERR; } new_node->key = new_name->name; new_node->data = new_name; (void)ldns_rbtree_insert(zone->names, new_node); ldns_dnssec_name_make_hashed_name( zone, new_name, NULL); } ldns_rdf_deep_free(l1); ldns_rdf_deep_free(l2); } /* we might have inserted a new node after * the current one so we can't just use next() */ if (next_node != ldns_rbtree_first(zone->names)) { cur_node = next_node; } else { cur_node = LDNS_RBTREE_NULL; } } return LDNS_STATUS_OK; }
/* use for dname comparison in tree */ int ldns_dname_compare_v(const void *a, const void *b) { return ldns_dname_compare((ldns_rdf *)a, (ldns_rdf *)b); }
/** * Process RR. * */ static ods_status adapi_process_rr(zone_type* zone, ldns_rr* rr, int add, int backup) { ods_status status = ODS_STATUS_OK; uint32_t tmp = 0; ods_log_assert(rr); ods_log_assert(zone); ods_log_assert(zone->name); ods_log_assert(zone->db); ods_log_assert(zone->signconf); /* We only support IN class */ if (ldns_rr_get_class(rr) != LDNS_RR_CLASS_IN) { ods_log_warning("[%s] only class in is supported, changing class " "to in", adapi_str); ldns_rr_set_class(rr, LDNS_RR_CLASS_IN); } /* RR processing */ if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_SOA) { if (ldns_dname_compare(ldns_rr_owner(rr), zone->apex)) { ods_log_error("[%s] unable to %s rr to zone: soa record has " "invalid owner name", adapi_str, add?"add":"delete"); return ODS_STATUS_ERR; } status = adapi_process_soa(zone, rr, add, backup); if (status != ODS_STATUS_OK) { ods_log_error("[%s] unable to %s rr: failed to process soa " "record", adapi_str, add?"add":"delete"); return status; } } else { if (ldns_dname_compare(ldns_rr_owner(rr), zone->apex) && !ldns_dname_is_subdomain(ldns_rr_owner(rr), zone->apex)) { ods_log_warning("[%s] zone %s contains out-of-zone data, " "skipping", adapi_str, zone->name); return ODS_STATUS_UNCHANGED; } else if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_DNSKEY) { adapi_process_dnskey(zone, rr); } else if (util_is_dnssec_rr(rr) && !backup) { ods_log_warning("[%s] zone %s contains dnssec data (type=%u), " "skipping", adapi_str, zone->name, (unsigned) ldns_rr_get_type(rr)); return ODS_STATUS_UNCHANGED; } else if (zone->signconf->max_zone_ttl) { /* Convert MaxZoneTTL */ tmp = (uint32_t) duration2time(zone->signconf->max_zone_ttl); } } /* //MaxZoneTTL. Only set for RRtype != SOA && RRtype != DNSKEY */ if (tmp && tmp < ldns_rr_ttl(rr)) { char* str = ldns_rdf2str(ldns_rr_owner(rr)); if (str) { size_t i = 0; str[(strlen(str))-1] = '\0'; /* replace tabs with white space */ for (i=0; i < strlen(str); i++) { if (str[i] == '\t') { str[i] = ' '; } } ods_log_debug("[%s] capping ttl %u to MaxZoneTTL %u for rrset " "<%s,%s>", adapi_str, ldns_rr_ttl(rr), tmp, str, rrset_type2str(ldns_rr_get_type(rr))); } ldns_rr_set_ttl(rr, tmp); } /* TODO: DNAME and CNAME checks */ /* TODO: NS and DS checks */ if (add) { return zone_add_rr(zone, rr, 1); } else { return zone_del_rr(zone, rr, 1); } /* not reached */ return ODS_STATUS_ERR; }
/** * Add RR. * */ ods_status zone_add_rr(zone_type* zone, ldns_rr* rr, int do_stats) { domain_type* domain = NULL; rrset_type* rrset = NULL; rr_type* record = NULL; ods_status status = ODS_STATUS_OK; ods_log_assert(rr); ods_log_assert(zone); ods_log_assert(zone->name); ods_log_assert(zone->db); ods_log_assert(zone->signconf); /* If we already have this RR, return ODS_STATUS_UNCHANGED */ domain = namedb_lookup_domain(zone->db, ldns_rr_owner(rr)); if (!domain) { domain = namedb_add_domain(zone->db, ldns_rr_owner(rr)); if (!domain) { ods_log_error("[%s] unable to add RR to zone %s: " "failed to add domain", zone_str, zone->name); return ODS_STATUS_ERR; } if (ldns_dname_compare(domain->dname, zone->apex) == 0) { domain->is_apex = 1; } else { status = namedb_domain_entize(zone->db, domain, zone->apex); if (status != ODS_STATUS_OK) { ods_log_error("[%s] unable to add RR to zone %s: " "failed to entize domain", zone_str, zone->name); return ODS_STATUS_ERR; } } } rrset = domain_lookup_rrset(domain, ldns_rr_get_type(rr)); if (!rrset) { rrset = rrset_create(domain->zone, ldns_rr_get_type(rr)); if (!rrset) { ods_log_error("[%s] unable to add RR to zone %s: " "failed to add RRset", zone_str, zone->name); return ODS_STATUS_ERR; } domain_add_rrset(domain, rrset); } record = rrset_lookup_rr(rrset, rr); if (record) { record->is_added = 1; /* already exists, just mark added */ record->is_removed = 0; /* unset is_removed */ if (ldns_rr_ttl(rr) != ldns_rr_ttl(record->rr)) { ldns_rr_set_ttl(record->rr, ldns_rr_ttl(rr)); rrset->needs_signing = 1; } return ODS_STATUS_UNCHANGED; } else { record = rrset_add_rr(rrset, rr); ods_log_assert(record); ods_log_assert(record->rr); ods_log_assert(record->is_added); } /* update stats */ if (do_stats && zone->stats) { zone->stats->sort_count += 1; } return ODS_STATUS_OK; }
/* this is NOT the hash, but the original name! */ ldns_rdf * ldns_nsec3_closest_encloser(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s) { /* remember parameters, they must match */ uint8_t algorithm; uint32_t iterations; uint8_t salt_length; uint8_t *salt; ldns_rdf *sname, *hashed_sname, *tmp; ldns_rr *ce; bool flag; bool exact_match_found; bool in_range_found; ldns_status status; ldns_rdf *zone_name; size_t nsec_i; ldns_rr *nsec; ldns_rdf *result = NULL; if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) { return NULL; } if (verbosity >= 4) { printf(";; finding closest encloser for type %d ", qtype); ldns_rdf_print(stdout, qname); printf("\n"); } nsec = ldns_rr_list_rr(nsec3s, 0); algorithm = ldns_nsec3_algorithm(nsec); salt_length = ldns_nsec3_salt_length(nsec); salt = ldns_nsec3_salt_data(nsec); iterations = ldns_nsec3_iterations(nsec); sname = ldns_rdf_clone(qname); ce = NULL; flag = false; zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec)); /* algorithm from nsec3-07 8.3 */ while (ldns_dname_label_count(sname) > 0) { exact_match_found = false; in_range_found = false; if (verbosity >= 3) { printf(";; "); ldns_rdf_print(stdout, sname); printf(" hashes to: "); } hashed_sname = ldns_nsec3_hash_name(sname, algorithm, iterations, salt_length, salt); status = ldns_dname_cat(hashed_sname, zone_name); if (verbosity >= 3) { ldns_rdf_print(stdout, hashed_sname); printf("\n"); } for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) { nsec = ldns_rr_list_rr(nsec3s, nsec_i); /* check values of iterations etc! */ /* exact match? */ if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) { if (verbosity >= 4) { printf(";; exact match found\n"); } exact_match_found = true; } else if (ldns_nsec_covers_name(nsec, hashed_sname)) { if (verbosity >= 4) { printf(";; in range of an nsec\n"); } in_range_found = true; } } if (!exact_match_found && in_range_found) { flag = true; } else if (exact_match_found && flag) { result = ldns_rdf_clone(sname); } else if (exact_match_found && !flag) { // error! if (verbosity >= 4) { printf(";; the closest encloser is the same name (ie. this is an exact match, ie there is no closest encloser)\n"); } ldns_rdf_deep_free(hashed_sname); goto done; } else { flag = false; } ldns_rdf_deep_free(hashed_sname); tmp = sname; sname = ldns_dname_left_chop(sname); ldns_rdf_deep_free(tmp); } done: LDNS_FREE(salt); ldns_rdf_deep_free(zone_name); ldns_rdf_deep_free(sname); if (!result) { if (verbosity >= 4) { printf(";; no closest encloser found\n"); } } /* todo checks from end of 6.2. here or in caller? */ return result; }
/*return hash name match*/ ldns_rr * ldns_nsec3_exact_match(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s) { uint8_t algorithm; uint32_t iterations; uint8_t salt_length; uint8_t *salt; ldns_rdf *sname, *hashed_sname; size_t nsec_i; ldns_rr *nsec; ldns_rr *result = NULL; ldns_status status; const ldns_rr_descriptor *descriptor; ldns_rdf *zone_name; if (verbosity >= 4) { printf(";; finding exact match for "); descriptor = ldns_rr_descript(qtype); if (descriptor && descriptor->_name) { printf("%s ", descriptor->_name); } else { printf("TYPE%d ", qtype); } ldns_rdf_print(stdout, qname); printf("\n"); } if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) { if (verbosity >= 4) { printf("no qname, nsec3s or list empty\n"); } return NULL; } nsec = ldns_rr_list_rr(nsec3s, 0); algorithm = ldns_nsec3_algorithm(nsec); salt_length = ldns_nsec3_salt_length(nsec); salt = ldns_nsec3_salt_data(nsec); iterations = ldns_nsec3_iterations(nsec); sname = ldns_rdf_clone(qname); if (verbosity >= 4) { printf(";; owner name hashes to: "); } hashed_sname = ldns_nsec3_hash_name(sname, algorithm, iterations, salt_length, salt); zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec)); status = ldns_dname_cat(hashed_sname, zone_name); if (verbosity >= 4) { ldns_rdf_print(stdout, hashed_sname); printf("\n"); } for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) { nsec = ldns_rr_list_rr(nsec3s, nsec_i); /* check values of iterations etc! */ /* exact match? */ if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) { result = nsec; goto done; } } done: ldns_rdf_deep_free(zone_name); ldns_rdf_deep_free(sname); ldns_rdf_deep_free(hashed_sname); LDNS_FREE(salt); if (verbosity >= 4) { if (result) { printf(";; Found.\n"); } else { printf(";; Not foud.\n"); } } return result; }
ldns_status ldns_verify_denial(ldns_pkt *pkt, ldns_rdf *name, ldns_rr_type type, ldns_rr_list **nsec_rrs, ldns_rr_list **nsec_rr_sigs) { uint16_t nsec_i; ldns_rr_list *nsecs; ldns_status result; if (verbosity >= 5) { printf("VERIFY DENIAL FROM:\n"); ldns_pkt_print(stdout, pkt); } result = LDNS_STATUS_CRYPTO_NO_RRSIG; /* Try to see if there are NSECS in the packet */ nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC, LDNS_SECTION_ANY_NOQUESTION); if (nsecs) { for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsecs); nsec_i++) { /* there are four options: * - name equals ownername and is covered by the type bitmap * - name equals ownername but is not covered by the type bitmap * - name falls within nsec coverage but is not equal to the owner name * - name falls outside of nsec coverage */ if (ldns_dname_compare(ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), name) == 0) { /* printf("CHECKING NSEC:\n"); ldns_rr_print(stdout, ldns_rr_list_rr(nsecs, nsec_i)); printf("DAWASEM\n"); */ if (ldns_nsec_bitmap_covers_type( ldns_nsec_get_bitmap(ldns_rr_list_rr(nsecs, nsec_i)), type)) { /* Error, according to the nsec this rrset is signed */ result = LDNS_STATUS_CRYPTO_NO_RRSIG; } else { /* ok nsec denies existence */ if (verbosity >= 3) { printf(";; Existence of data set with this type denied by NSEC\n"); } /*printf(";; Verifiably insecure.\n");*/ if (nsec_rrs && nsec_rr_sigs) { (void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), LDNS_RR_TYPE_NSEC, nsec_rrs, nsec_rr_sigs); } ldns_rr_list_deep_free(nsecs); return LDNS_STATUS_OK; } } else if (ldns_nsec_covers_name(ldns_rr_list_rr(nsecs, nsec_i), name)) { if (verbosity >= 3) { printf(";; Existence of data set with this name denied by NSEC\n"); } if (nsec_rrs && nsec_rr_sigs) { (void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), LDNS_RR_TYPE_NSEC, nsec_rrs, nsec_rr_sigs); } ldns_rr_list_deep_free(nsecs); return LDNS_STATUS_OK; } else { /* nsec has nothing to do with this data */ } } ldns_rr_list_deep_free(nsecs); } else if( (nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC3, LDNS_SECTION_ANY_NOQUESTION)) ) { ldns_rr_list* sigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANY_NOQUESTION); ldns_rr* q = ldns_rr_new(); if(!sigs) return LDNS_STATUS_MEM_ERR; if(!q) return LDNS_STATUS_MEM_ERR; ldns_rr_set_question(q, 1); ldns_rr_set_ttl(q, 0); ldns_rr_set_owner(q, ldns_rdf_clone(name)); if(!ldns_rr_owner(q)) return LDNS_STATUS_MEM_ERR; ldns_rr_set_type(q, type); result = ldns_dnssec_verify_denial_nsec3(q, nsecs, sigs, ldns_pkt_get_rcode(pkt), type, ldns_pkt_ancount(pkt) == 0); ldns_rr_free(q); ldns_rr_list_deep_free(nsecs); ldns_rr_list_deep_free(sigs); } return result; }
/* * Parses data buffer to a query, finds the correct answer * and calls the given function for every packet to send. */ void handle_query(uint8_t* inbuf, ssize_t inlen, struct entry* entries, int* count, enum transport_type transport, void (*sendfunc)(uint8_t*, size_t, void*), void* userdata, FILE* verbose_out) { ldns_status status; ldns_pkt *query_pkt = NULL; ldns_pkt *answer_pkt = NULL; struct reply_packet *p; ldns_rr *query_rr = NULL; uint8_t *outbuf = NULL; size_t answer_size = 0; struct entry* entry = NULL; ldns_rdf *stop_command = ldns_dname_new_frm_str("server.stop."); status = ldns_wire2pkt(&query_pkt, inbuf, (size_t)inlen); if (status != LDNS_STATUS_OK) { verbose(1, "Got bad packet: %s\n", ldns_get_errorstr_by_id(status)); ldns_rdf_free(stop_command); return; } query_rr = ldns_rr_list_rr(ldns_pkt_question(query_pkt), 0); verbose(1, "query %d: id %d: %s %d bytes: ", ++(*count), (int)ldns_pkt_id(query_pkt), (transport==transport_tcp)?"TCP":"UDP", (int)inlen); if(verbose_out) ldns_rr_print(verbose_out, query_rr); if(verbose_out) ldns_pkt_print(verbose_out, query_pkt); if (ldns_rr_get_type(query_rr) == LDNS_RR_TYPE_TXT && ldns_rr_get_class(query_rr) == LDNS_RR_CLASS_CH && ldns_dname_compare(ldns_rr_owner(query_rr), stop_command) == 0) { exit(0); } /* fill up answer packet */ entry = find_match(entries, query_pkt, transport); if(!entry || !entry->reply_list) { verbose(1, "no answer packet for this query, no reply.\n"); ldns_pkt_free(query_pkt); ldns_rdf_free(stop_command); return; } for(p = entry->reply_list; p; p = p->next) { verbose(3, "Answer pkt:\n"); if (p->reply_from_hex) { /* try to parse the hex packet, if it can be * parsed, we can use adjust rules. if not, * send packet literally */ status = ldns_buffer2pkt_wire(&answer_pkt, p->reply_from_hex); if (status == LDNS_STATUS_OK) { adjust_packet(entry, answer_pkt, query_pkt); if(verbose_out) ldns_pkt_print(verbose_out, answer_pkt); status = ldns_pkt2wire(&outbuf, answer_pkt, &answer_size); verbose(2, "Answer packet size: %u bytes.\n", (unsigned int)answer_size); if (status != LDNS_STATUS_OK) { verbose(1, "Error creating answer: %s\n", ldns_get_errorstr_by_id(status)); ldns_pkt_free(query_pkt); ldns_rdf_free(stop_command); return; } ldns_pkt_free(answer_pkt); answer_pkt = NULL; } else { verbose(3, "Could not parse hex data (%s), sending hex data directly.\n", ldns_get_errorstr_by_id(status)); /* still try to adjust ID */ answer_size = ldns_buffer_capacity(p->reply_from_hex); outbuf = LDNS_XMALLOC(uint8_t, answer_size); memcpy(outbuf, ldns_buffer_export(p->reply_from_hex), answer_size); if(entry->copy_id) { ldns_write_uint16(outbuf, ldns_pkt_id(query_pkt)); } } } else { answer_pkt = ldns_pkt_clone(p->reply); adjust_packet(entry, answer_pkt, query_pkt); if(verbose_out) ldns_pkt_print(verbose_out, answer_pkt); status = ldns_pkt2wire(&outbuf, answer_pkt, &answer_size); verbose(1, "Answer packet size: %u bytes.\n", (unsigned int)answer_size); if (status != LDNS_STATUS_OK) { verbose(1, "Error creating answer: %s\n", ldns_get_errorstr_by_id(status)); ldns_pkt_free(query_pkt); ldns_rdf_free(stop_command); return; } ldns_pkt_free(answer_pkt); answer_pkt = NULL; } if(p->packet_sleep) { verbose(3, "sleeping for next packet %d secs\n", p->packet_sleep); #ifdef HAVE_SLEEP sleep(p->packet_sleep); #else Sleep(p->packet_sleep * 1000); #endif verbose(3, "wakeup for next packet " "(slept %d secs)\n", p->packet_sleep); } sendfunc(outbuf, answer_size, userdata); LDNS_FREE(outbuf); outbuf = NULL; answer_size = 0; } ldns_pkt_free(query_pkt); ldns_rdf_free(stop_command); }
/* finds entry in list, or returns NULL */ struct entry* find_match(struct entry* entries, ldns_pkt* query_pkt, enum transport_type transport) { struct entry* p = entries; ldns_pkt* reply = NULL; for(p=entries; p; p=p->next) { verbose(3, "comparepkt: "); reply = p->reply_list->reply; if(p->match_opcode && ldns_pkt_get_opcode(query_pkt) != ldns_pkt_get_opcode(reply)) { verbose(3, "bad opcode\n"); continue; } if(p->match_qtype && get_qtype(query_pkt) != get_qtype(reply)) { verbose(3, "bad qtype\n"); continue; } if(p->match_qname) { if(!get_owner(query_pkt) || !get_owner(reply) || ldns_dname_compare( get_owner(query_pkt), get_owner(reply)) != 0) { verbose(3, "bad qname\n"); continue; } } if(p->match_subdomain) { if(!get_owner(query_pkt) || !get_owner(reply) || (ldns_dname_compare(get_owner(query_pkt), get_owner(reply)) != 0 && !ldns_dname_is_subdomain( get_owner(query_pkt), get_owner(reply)))) { verbose(3, "bad subdomain\n"); continue; } } if(p->match_serial && get_serial(query_pkt) != p->ixfr_soa_serial) { verbose(3, "bad serial\n"); continue; } if(p->match_do && !ldns_pkt_edns_do(query_pkt)) { verbose(3, "no DO bit set\n"); continue; } if(p->match_noedns && ldns_pkt_edns(query_pkt)) { verbose(3, "bad; EDNS OPT present\n"); continue; } if(p->match_transport != transport_any && p->match_transport != transport) { verbose(3, "bad transport\n"); continue; } if(p->match_all && !match_all(query_pkt, reply, p->match_ttl)) { verbose(3, "bad allmatch\n"); continue; } verbose(3, "match!\n"); return p; } return NULL; }
/** * Read IXFR from file. * */ static ods_status addns_read_file(FILE* fd, zone_type* zone) { ldns_rr* rr = NULL; uint32_t new_serial = 0; uint32_t old_serial = 0; uint32_t tmp_serial = 0; ldns_rdf* prev = NULL; ldns_rdf* orig = NULL; ldns_rdf* dname = NULL; uint32_t ttl = 0; size_t rr_count = 0; ods_status result = ODS_STATUS_OK; ldns_status status = LDNS_STATUS_OK; char line[SE_ADFILE_MAXLINE]; unsigned is_axfr = 0; unsigned del_mode = 0; unsigned soa_seen = 0; unsigned line_update_interval = 100000; unsigned line_update = line_update_interval; unsigned l = 0; ods_log_assert(fd); ods_log_assert(zone); /* $ORIGIN <zone name> */ dname = adapi_get_origin(zone); if (!dname) { ods_log_error("[%s] error getting default value for $ORIGIN", adapter_str); return ODS_STATUS_ERR; } orig = ldns_rdf_clone(dname); if (!orig) { ods_log_error("[%s] error setting default value for $ORIGIN", adapter_str); return ODS_STATUS_ERR; } /* $TTL <default ttl> */ ttl = adapi_get_ttl(zone); /* read RRs */ while ((rr = addns_read_rr(fd, line, &orig, &prev, &ttl, &status, &l)) != NULL) { /* check status */ if (status != LDNS_STATUS_OK) { ods_log_error("[%s] error reading RR at line %i (%s): %s", adapter_str, l, ldns_get_errorstr_by_id(status), line); result = ODS_STATUS_ERR; break; } /* debug update */ if (l > line_update) { ods_log_debug("[%s] ...at line %i: %s", adapter_str, l, line); line_update += line_update_interval; } /* first RR: check if SOA and correct zone & serialno */ if (rr_count == 0) { rr_count++; if (ldns_rr_get_type(rr) != LDNS_RR_TYPE_SOA) { ods_log_error("[%s] bad xfr, first rr is not soa", adapter_str); ldns_rr_free(rr); rr = NULL; result = ODS_STATUS_ERR; break; } soa_seen++; if (ldns_dname_compare(ldns_rr_owner(rr), zone->apex)) { ods_log_error("[%s] bad xfr, soa dname not equal to zone " "dname %s", adapter_str, zone->name); ldns_rr_free(rr); rr = NULL; result = ODS_STATUS_ERR; break; } tmp_serial = ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL)); old_serial = adapi_get_serial(zone); if (!util_serial_gt(tmp_serial, old_serial)) { ods_log_info("[%s] zone %s is already up to date, have " "serial %u, got serial %u", adapter_str, zone->name, old_serial, tmp_serial); new_serial = tmp_serial; ldns_rr_free(rr); rr = NULL; result = ODS_STATUS_UNCHANGED; break; } ldns_rr_free(rr); rr = NULL; result = ODS_STATUS_OK; continue; } /* second RR: if not soa, this is an AXFR */ if (rr_count == 1) { if (ldns_rr_get_type(rr) != LDNS_RR_TYPE_SOA) { ods_log_verbose("[%s] detected axfr serial=%u for zone %s", adapter_str, tmp_serial, zone->name); new_serial = tmp_serial; is_axfr = 1; del_mode = 0; } else { ods_log_verbose("[%s] detected ixfr serial=%u for zone %s", adapter_str, tmp_serial, zone->name); new_serial = tmp_serial; tmp_serial = ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL)); ldns_rr_free(rr); rr = NULL; rr_count++; if (tmp_serial < new_serial) { del_mode = 1; result = ODS_STATUS_OK; continue; } else { ods_log_error("[%s] bad xfr for zone %s, bad soa serial", adapter_str, zone->name); result = ODS_STATUS_ERR; break; } } } /* soa means swap */ rr_count++; if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_SOA) { if (!is_axfr) { tmp_serial = ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL)); if (tmp_serial <= new_serial) { if (tmp_serial == new_serial) { soa_seen++; } del_mode = !del_mode; ldns_rr_free(rr); rr = NULL; result = ODS_STATUS_OK; continue; } else { ods_log_assert(tmp_serial > new_serial); ods_log_error("[%s] bad xfr for zone %s, bad soa serial", adapter_str, zone->name); ldns_rr_free(rr); rr = NULL; result = ODS_STATUS_ERR; break; } } else { /* for axfr */ soa_seen++; } } /* [add to/remove from] the zone */ if (!is_axfr && del_mode) { ods_log_debug("[%s] delete RR #%i at line %i: %s", adapter_str, rr_count, l, line); result = adapi_del_rr(zone, rr, 0); ldns_rr_free(rr); rr = NULL; } else { ods_log_debug("[%s] add RR #%i at line %i: %s", adapter_str, rr_count, l, line); result = adapi_add_rr(zone, rr, 0); } if (result == ODS_STATUS_UNCHANGED) { ods_log_debug("[%s] skipping RR at line %i (%s): %s", adapter_str, l, del_mode?"not found":"duplicate", line); ldns_rr_free(rr); rr = NULL; result = ODS_STATUS_OK; continue; } else if (result != ODS_STATUS_OK) { ods_log_error("[%s] error %s RR at line %i: %s", adapter_str, del_mode?"deleting":"adding", l, line); ldns_rr_free(rr); rr = NULL; break; } } /* and done */ if (orig) { ldns_rdf_deep_free(orig); orig = NULL; } if (prev) { ldns_rdf_deep_free(prev); prev = NULL; } if (result == ODS_STATUS_OK && status != LDNS_STATUS_OK) { ods_log_error("[%s] error reading RR at line %i (%s): %s", adapter_str, l, ldns_get_errorstr_by_id(status), line); result = ODS_STATUS_ERR; } /* check the number of SOAs seen */ if (result == ODS_STATUS_OK) { if ((is_axfr && soa_seen != 2) || (!is_axfr && soa_seen != 3)) { ods_log_error("[%s] bad %s, wrong number of SOAs (%u)", adapter_str, is_axfr?"axfr":"ixfr", soa_seen); result = ODS_STATUS_ERR; } } /* input zone ok, set inbound serial and apply differences */ if (result == ODS_STATUS_OK || result == ODS_STATUS_UNCHANGED) { adapi_set_serial(zone, new_serial); if (is_axfr) { adapi_trans_full(zone); } else { adapi_trans_diff(zone); } if (result == ODS_STATUS_UNCHANGED) { result = ODS_STATUS_OK; } } return result; }
ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int (*func)(ldns_rr *, void*), void *arg) { ldns_status result = LDNS_STATUS_OK; ldns_rbnode_t *cur_node; ldns_rr_list *rr_list; ldns_dnssec_name *cur_name; ldns_dnssec_rrsets *cur_rrset; ldns_dnssec_rrs *cur_rr; ldns_rr_list *siglist; size_t i; ldns_rr_list *pubkey_list = ldns_rr_list_new(); zone = zone; new_rrs = new_rrs; key_list = key_list; for (i = 0; i<ldns_key_list_key_count(key_list); i++) { ldns_rr_list_push_rr(pubkey_list, ldns_key2rr(ldns_key_list_key(key_list, i))); } /* TODO: callback to see is list should be signed */ /* TODO: remove 'old' signatures from signature list */ cur_node = ldns_rbtree_first(zone->names); while (cur_node != LDNS_RBTREE_NULL) { cur_name = (ldns_dnssec_name *) cur_node->data; if (!cur_name->is_glue) { cur_rrset = cur_name->rrsets; while (cur_rrset) { /* reset keys to use */ ldns_key_list_set_use(key_list, true); /* walk through old sigs, remove the old, and mark which keys (not) to use) */ cur_rrset->signatures = ldns_dnssec_remove_signatures(cur_rrset->signatures, key_list, func, arg); /* TODO: just set count to zero? */ rr_list = ldns_rr_list_new(); cur_rr = cur_rrset->rrs; while (cur_rr) { ldns_rr_list_push_rr(rr_list, cur_rr->rr); cur_rr = cur_rr->next; } /* only sign non-delegation RRsets */ /* (glue should have been marked earlier) */ if ((ldns_rr_list_type(rr_list) != LDNS_RR_TYPE_NS || ldns_dname_compare(ldns_rr_list_owner(rr_list), zone->soa->name) == 0) && /* OK, there is also the possibility that the record * is glue, but at the same owner name as other records that * are not NS nor A/AAAA. Bleh, our current data structure * doesn't really support that... */ !((ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_A || ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_AAAA) && !ldns_dname_compare(ldns_rr_list_owner(rr_list), zone->soa->name) == 0 && ldns_dnssec_zone_find_rrset(zone, ldns_rr_list_owner(rr_list), LDNS_RR_TYPE_NS) )) { siglist = ldns_sign_public(rr_list, key_list); for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) { if (cur_rrset->signatures) { ldns_dnssec_rrs_add_rr(cur_rrset->signatures, ldns_rr_list_rr(siglist, i)); } else { cur_rrset->signatures = ldns_dnssec_rrs_new(); cur_rrset->signatures->rr = ldns_rr_list_rr(siglist, i); ldns_rr_list_push_rr(new_rrs, ldns_rr_list_rr(siglist, i)); } } ldns_rr_list_free(siglist); } ldns_rr_list_free(rr_list); cur_rrset = cur_rrset->next; } /* sign the nsec */ cur_name->nsec_signatures = ldns_dnssec_remove_signatures(cur_name->nsec_signatures, key_list, func, arg); rr_list = ldns_rr_list_new(); ldns_rr_list_push_rr(rr_list, cur_name->nsec); siglist = ldns_sign_public(rr_list, key_list); for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) { if (cur_name->nsec_signatures) { ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures, ldns_rr_list_rr(siglist, i)); } else { cur_name->nsec_signatures = ldns_dnssec_rrs_new(); cur_name->nsec_signatures->rr = ldns_rr_list_rr(siglist, i); ldns_rr_list_push_rr(new_rrs, ldns_rr_list_rr(siglist, i)); } } ldns_rr_list_free(siglist); ldns_rr_list_free(rr_list); } cur_node = ldns_rbtree_next(cur_node); } ldns_rr_list_deep_free(pubkey_list); return result; }
int main(int argc, char **argv) { /* Local Vars */ int i; int soa_valid = 0; int ns_valid = 0; ldns_rdf *rd_domain; ldns_rdf *rd_trace; ldns_rdf *rd_cdomain; ldns_pkt *pkt; ldns_resolver *res; ldns_rr *rr; ldns_rr_list *rrl; ldns_rr_list *rrl_domain_soa; ldns_rr_list *rrl_domain_soa_rrsig; ldns_rr_list *rrl_domain_ns; ldns_rr_list *rrl_domain_ns_rrsig; ldns_rr_list *rrl_valid_keys; ldns_status status; /* Set signal handling and alarm */ if (signal(SIGALRM, timeout_alarm_handler) == SIG_ERR) critical("Setup SIGALRM trap failed!"); /* Process check arguments */ if (process_arguments(argc, argv) != OK) unknown("Parsing arguments failed!"); /* Start plugin timeout */ alarm(mp_timeout); rd_domain = ldns_dname_new_frm_str(domainname); if (!rd_domain) unknown("Illegal domain name"); rd_trace = ldns_dname_new_frm_str(domaintrace); if (!rd_trace) unknown("Illegal trace domain name"); /* Check domain is subdomain from trace start */ if (!ldns_dname_is_subdomain(rd_domain, rd_trace)) { ldns_rr_list_deep_free(trusted_keys); ldns_rdf_deep_free(rd_domain); ldns_rdf_deep_free(rd_trace); unknown("'%s' is not a subdomain of '%s'.", domainname, domaintrace); } /* Add trusted keys for trace domain to rrl_valid_keys. */ rrl_valid_keys = ldns_rr_list_new(); for(i = 0; i < ldns_rr_list_rr_count(trusted_keys); i++) { rr = ldns_rr_list_rr(trusted_keys, i); if (ldns_dname_compare(ldns_rr_owner(rr),rd_trace) == 0) ldns_rr_list_push_rr(rrl_valid_keys, ldns_rr_clone(rr)); } ldns_rr_list_deep_free(trusted_keys); if (ldns_rr_list_rr_count(rrl_valid_keys) == 0) { ldns_rdf_deep_free(rd_domain); ldns_rdf_deep_free(rd_trace); ldns_rr_list_deep_free(rrl_valid_keys); critical("No trusted key for trace start '%s'", domaintrace?domaintrace:"."); } if (mp_verbose >= 2) { printf("--[ Trusted keys used ]-------------------------------------\n"); ldns_rr_list_sort(rrl_valid_keys); ldns_rr_list_print(stdout, rrl_valid_keys); printf("------------------------------------------------------------\n"); } /* create a new resolver with dns_server or server from /etc/resolv.conf */ res = createResolver(hostname); if (!res) { ldns_rdf_deep_free(rd_domain); ldns_rdf_deep_free(rd_trace); ldns_rr_list_deep_free(rrl_valid_keys); unknown("Creating resolver failed."); } resolverEnableDnssec(res); ldns_resolver_set_dnssec_anchors(res, rrl_valid_keys); /* check domain exists */ pkt = mp_ldns_resolver_query(res, rd_domain, LDNS_RR_TYPE_SOA, LDNS_RR_CLASS_IN, LDNS_RD); if (pkt == NULL || ldns_pkt_get_rcode(pkt) != LDNS_RCODE_NOERROR) { ldns_rdf_deep_free(rd_domain); ldns_rdf_deep_free(rd_trace); ldns_resolver_deep_free(res); if (pkt && ldns_pkt_get_rcode(pkt) == LDNS_RCODE_NXDOMAIN) { ldns_pkt_free(pkt); critical("Domain '%s' don't exist.", domainname); } ldns_pkt_free(pkt); critical("Unable to get SOA for %s.", domainname); } rrl_domain_soa = ldns_pkt_rr_list_by_name_and_type(pkt, rd_domain, LDNS_RR_TYPE_SOA, LDNS_SECTION_ANSWER); if (rrl_domain_soa == NULL || ldns_rr_list_rr_count(rrl_domain_soa) == 0) { ldns_rdf_deep_free(rd_domain); ldns_rdf_deep_free(rd_trace); ldns_resolver_deep_free(res); ldns_pkt_free(pkt); critical("Domain '%s' not found.", domainname); } rrl_domain_soa_rrsig = ldns_dnssec_pkt_get_rrsigs_for_name_and_type(pkt, rd_domain, LDNS_RR_TYPE_SOA); if (rrl_domain_soa_rrsig == NULL || ldns_rr_list_rr_count(rrl_domain_soa_rrsig) == 0) { free(domaintrace); ldns_rdf_deep_free(rd_domain); ldns_rdf_deep_free(rd_trace); ldns_resolver_deep_free(res); ldns_pkt_free(pkt); ldns_rr_list_deep_free(rrl_domain_soa); critical("Domain '%s' not signed.", domainname); } ldns_pkt_free(pkt); pkt = ldns_resolver_query(res, rd_domain, LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN, LDNS_RD); rrl_domain_ns = ldns_pkt_rr_list_by_name_and_type(pkt, rd_domain, LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER); rrl_domain_ns_rrsig = ldns_dnssec_pkt_get_rrsigs_for_name_and_type(pkt, rd_domain, LDNS_RR_TYPE_NS); ldns_pkt_free(pkt); if (mp_verbose >= 2) { printf("--[ Checked Domain ]----------------------------------------\n"); ldns_rr_list_print(stdout, rrl_domain_soa); printf("------------------------------------------------------------\n"); ldns_rr_list_print(stdout, rrl_domain_soa_rrsig); printf("------------------------------------------------------------\n"); ldns_rr_list_print(stdout, rrl_domain_ns); printf("------------------------------------------------------------\n"); ldns_rr_list_print(stdout, rrl_domain_ns_rrsig); printf("------------------------------------------------------------\n"); } /* create a new resolver with dns_server or server from /etc/resolv.conf */ ldns_resolver_free(res); res = createResolver(resolver); if (!res) { ldns_rdf_deep_free(rd_domain); ldns_rdf_deep_free(rd_trace); ldns_rr_list_deep_free(rrl_valid_keys); unknown("Creating resolver failed."); } resolverEnableDnssec(res); ldns_resolver_set_dnssec_anchors(res, rrl_valid_keys); /* Fetch valid keys from top down */ i = ldns_dname_label_count(rd_domain) - ldns_dname_label_count(rd_trace); for (; i>=0; i--) { rd_cdomain = ldns_dname_clone_from(rd_domain, i); if (mp_verbose) { char *str = ldns_rdf2str(rd_cdomain); printf("Trace: %s\n", str); free(str); } rrl = ldns_fetch_valid_domain_keys(res, rd_cdomain, rrl_valid_keys, &status); if (mp_verbose >= 2) { printf("--[ Valid Keys ]----------------------------------------\n"); ldns_rr_list_sort(rrl); ldns_rr_list_print(stdout, rrl); printf("------------------------------------------------------------\n"); } ldns_rr_list_cat(rrl_valid_keys, rrl); ldns_rr_list_free(rrl); ldns_rdf_deep_free(rd_cdomain); } ldns_rdf_deep_free(rd_trace); ldns_rdf_deep_free(rd_domain); /* Validate SOA */ for(i = 0; i < ldns_rr_list_rr_count(rrl_domain_soa_rrsig); i++) { rr = ldns_rr_list_rr(rrl_domain_soa_rrsig, i); status = ldns_verify_rrsig_keylist(rrl_domain_soa, rr, rrl_valid_keys, NULL); if (status == LDNS_STATUS_OK) soa_valid++; else if (mp_verbose > 0) fprintf(stderr, "ldns_verify_rrsig_keylist SOA failed: %s\n", ldns_get_errorstr_by_id(status)); } ldns_rr_list_deep_free(rrl_domain_soa); ldns_rr_list_deep_free(rrl_domain_soa_rrsig); if (soa_valid == 0) { critical("No valid Signatur for SOA of '%s'", domainname); free(domainname); free(domaintrace); ldns_resolver_deep_free(res); ldns_rr_list_deep_free(rrl_domain_ns); ldns_rr_list_deep_free(rrl_domain_ns_rrsig); return checkState; } /* Validate NS */ for(i = 0; i < ldns_rr_list_rr_count(rrl_domain_ns_rrsig); i++) { rr = ldns_rr_list_rr(rrl_domain_ns_rrsig, i); status = ldns_verify_rrsig_keylist(rrl_domain_ns, rr, rrl_valid_keys, NULL); if (status == LDNS_STATUS_OK) ns_valid++; else if (mp_verbose > 0) fprintf(stderr, "ldns_verify_rrsig_keylist NS failed: %s\n", ldns_get_errorstr_by_id(status)); } ldns_rr_list_deep_free(rrl_domain_ns); ldns_rr_list_deep_free(rrl_domain_ns_rrsig); ldns_resolver_deep_free(res); if (ns_valid == 0) { critical("No valid Signatur for NS of '%s'", domainname); free(domainname); free(domaintrace); return checkState; } ok("Trust for '%s' successfull traces from '%s'", domainname, domaintrace); free(domainname); free(domaintrace); return checkState; }