/** match two rr lists */
static int
match_list(ldns_rr_list* q, ldns_rr_list *p)
{
size_t i;
if(ldns_rr_list_rr_count(q) != ldns_rr_list_rr_count(p)) {
verbose(3, "rrlistcount different %d %d",
(int)ldns_rr_list_rr_count(q),
(int)ldns_rr_list_rr_count(p));
return 0;
}
for(i=0; i<ldns_rr_list_rr_count(q); i++)
{
if(matches_nolocation) {
if(!ldns_rr_list_contains_rr(p, ldns_rr_list_rr(q, i)))
{
verbose(3, "rr %u not found", (unsigned)i);
return 0;
}
} else {
if(ldns_rr_compare(ldns_rr_list_rr(q, i),
ldns_rr_list_rr(p, i)) != 0) {
verbose(3, "rr %u different", (unsigned)i);
return 0;
}
/* and check the ttl */
if(ldns_rr_ttl(ldns_rr_list_rr(q, i)) !=
ldns_rr_ttl(ldns_rr_list_rr(p, i))) {
verbose(3, "rr %u ttl different", (unsigned)i);
return 0;
}
}
}
return 1;
}
int
main(int argc, char **argv)
{
size_t i;
if(argc != 1) {
usage(stderr);
return 0;
}
/* read in */
ldns_rr_list *list = ldns_rr_list_new();
ldns_rdf *qname = 0;
read_in(list, &qname, stdin);
/* check covers */
covertests(list, qname);
for(i=0; i<ldns_rr_list_rr_count(list); ++i)
{
ldns_rr* rr = ldns_rr_list_rr(list, i);
if(!ldns_dname_is_subdomain(qname, ldns_rr_owner(rr))) {
covertests(list, ldns_rr_owner(rr));
}
}
ldns_rr_list_deep_free(list);
return 0;
}
bool
ldns_resolver_trusted_key(const ldns_resolver *r, ldns_rr_list * keys, ldns_rr_list * trusted_keys)
{
size_t i;
bool result = false;
ldns_rr_list * trust_anchors;
ldns_rr * cur_rr;
if (!r || !keys) { return false; }
trust_anchors = ldns_resolver_dnssec_anchors(r);
if (!trust_anchors) { return false; }
for (i = 0; i < ldns_rr_list_rr_count(keys); i++) {
cur_rr = ldns_rr_list_rr(keys, i);
if (ldns_rr_list_contains_rr(trust_anchors, cur_rr)) {
if (trusted_keys) { ldns_rr_list_push_rr(trusted_keys, cur_rr); }
result = true;
}
}
return result;
}
void
read_in(ldns_rr_list* list, ldns_rdf** qname, FILE *in)
{
char* buf;
while((buf=skip_comments_and_query(in, qname)))
{
/* add rr */
ldns_rr *rr=0;
ldns_rdf *origin=0, *prev=0;
ldns_status err;
uint16_t ttl = 3600;
if((err=ldns_rr_new_frm_str(&rr, buf, ttl, origin, &prev)) !=
LDNS_STATUS_OK)
abort_ldns_error("read rr", err);
ldns_rr_list_push_rr(list, rr);
}
printf("nsec3-covers: read %d rrs\n", (int)ldns_rr_list_rr_count(list));
if(!qname) {
printf("Could not read question name\n");
exit(1);
}
printf("nsec3-covers: qname is ");
ldns_rdf_print(stdout, *qname);
printf("\n");
}
static DCPluginSyncFilterResult
empty_aaa_sync_pre(DCPlugin *dcplugin, DCPluginDNSPacket *dcp_packet)
{
ldns_pkt *packet;
ldns_rr_list *questions;
uint8_t *wire_data;
DCPluginSyncFilterResult result = DCP_SYNC_FILTER_RESULT_OK;
wire_data = dcplugin_get_wire_data(dcp_packet);
ldns_wire2pkt(&packet, wire_data, dcplugin_get_wire_data_len(dcp_packet));
if (packet == NULL) {
return DCP_SYNC_FILTER_RESULT_ERROR;
}
questions = ldns_pkt_question(packet);
if (ldns_rr_list_rr_count(questions) == (size_t) 1U &&
ldns_rr_get_type(ldns_rr_list_rr(questions,
(size_t) 0U)) == LDNS_RR_TYPE_AAAA) {
LDNS_QR_SET(wire_data);
LDNS_RA_SET(wire_data);
result = DCP_SYNC_FILTER_RESULT_DIRECT;
}
ldns_pkt_free(packet);
return result;
}
static DCPluginSyncFilterResult
apply_block_ips(DCPluginDNSPacket *dcp_packet, Blocking * const blocking,
ldns_pkt * const packet)
{
StrList *scanned;
ldns_rr_list *answers;
ldns_rr *answer;
char *answer_str;
ldns_rr_type type;
size_t answers_count;
size_t i;
answers = ldns_pkt_answer(packet);
answers_count = ldns_rr_list_rr_count(answers);
for (i = (size_t) 0U; i < answers_count; i++) {
answer = ldns_rr_list_rr(answers, i);
type = ldns_rr_get_type(answer);
if (type != LDNS_RR_TYPE_A && type != LDNS_RR_TYPE_AAAA) {
continue;
}
if ((answer_str = ldns_rdf2str(ldns_rr_a_address(answer))) == NULL) {
return DCP_SYNC_FILTER_RESULT_FATAL;
}
scanned = blocking->ips;
do {
if (strcasecmp(scanned->str, answer_str) == 0) {
LDNS_RCODE_SET(dcplugin_get_wire_data(dcp_packet),
LDNS_RCODE_REFUSED);
break;
}
} while ((scanned = scanned->next) != NULL);
free(answer_str);
}
return DCP_SYNC_FILTER_RESULT_OK;
}
int process_dns_answer(packetinfo *pi, ldns_pkt *dns_pkt) {
int rrcount_query;
int j;
ldns_rr_list *dns_query_domains;
ldns_buffer *dns_buff;
dns_query_domains = ldns_pkt_question(dns_pkt);
rrcount_query = ldns_rr_list_rr_count(dns_query_domains);
dns_buff = ldns_buffer_new(LDNS_MIN_BUFLEN);
dlog("[*] rrcount_query: %d\n", rrcount_query);
// Do we ever have more than one Question?
// If we do - are we handling it correct ?
for (j = 0; j < rrcount_query; j++) {
ldns_rdf *rdf_data;
rdf_data = ldns_rr_owner(ldns_rr_list_rr(dns_query_domains, j));
dlog("[D] rdf_data: %p\n", rdf_data);
if ( cache_dns_objects(pi, rdf_data, dns_buff, dns_pkt) != 0 ) {
dlog("[D] cache_dns_objects() returned error\n");
}
}
ldns_buffer_free(dns_buff);
update_dns_stats(pi,SUCCESS);
return(0);
}
ldns_zone *
ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
{
ldns_dnssec_zone *dnssec_zone;
ldns_zone *signed_zone;
ldns_rr_list *new_rrs;
size_t i;
signed_zone = ldns_zone_new();
dnssec_zone = ldns_dnssec_zone_new();
(void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
ldns_zone_set_soa(signed_zone, ldns_zone_soa(zone));
for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
(void) ldns_dnssec_zone_add_rr(dnssec_zone,
ldns_rr_list_rr(ldns_zone_rrs(zone),
i));
ldns_zone_push_rr(signed_zone,
ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
i)));
}
new_rrs = ldns_rr_list_new();
(void) ldns_dnssec_zone_sign_nsec3(dnssec_zone,
new_rrs,
key_list,
ldns_dnssec_default_replace_signatures,
NULL,
algorithm,
flags,
iterations,
salt_length,
salt);
for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
}
ldns_rr_list_deep_free(new_rrs);
ldns_dnssec_zone_free(dnssec_zone);
return signed_zone;
}
struct zversion_t* zversion_read(struct zone_entry_t* entry, uint32_t serial)
{
const char* fn = zinfo_ixfr_name(entry, serial);
struct zversion_t* v;
FILE* in = fopen(fn, "ra");
ldns_status status;
ldns_rr* rr = 0;
uint32_t dttl = 3600;
ldns_rdf* origin = 0, *prev = 0;
int line_nr = 1;
if(!in) {
perror(fn);
return NULL;
}
v = (struct zversion_t*)calloc(1, sizeof(*v));
if(!v) {
fclose(in);
printf("out of memory\n");
return NULL;
}
v->serial = serial;
v->ixfr = ldns_rr_list_new();
while(!feof(in)) {
status = ldns_rr_new_frm_fp_l(&rr, in, &dttl, &origin,
&prev, &line_nr);
if(status == LDNS_STATUS_SYNTAX_TTL ||
status == LDNS_STATUS_SYNTAX_ORIGIN ||
status == LDNS_STATUS_SYNTAX_EMPTY)
continue;
if(status != LDNS_STATUS_OK) {
printf("error %s:%d: %s\n", fn, line_nr,
ldns_get_errorstr_by_id(status));
fclose(in);
ldns_rdf_deep_free(origin);
ldns_rdf_deep_free(prev);
ldns_rr_list_deep_free(v->ixfr);
free(v);
return NULL;
}
ldns_rr_list_push_rr(v->ixfr, rr);
}
ldns_rdf_deep_free(origin);
ldns_rdf_deep_free(prev);
fclose(in);
if(ldns_rr_list_rr_count(v->ixfr) < 1 ||
ldns_rr_get_type(ldns_rr_list_rr(v->ixfr, 0))
!= LDNS_RR_TYPE_SOA) {
printf("invalid IXFR format in %s\n", fn);
ldns_rr_list_deep_free(v->ixfr);
free(v);
return NULL;
}
v->next_serial = ldns_rdf2native_int32(ldns_rr_rdf(
ldns_rr_list_rr(v->ixfr, 0), 2));
return v;
}
/*
* generic function to get some RRset from a nameserver
* and possible some signatures too (that would be the day...)
*/
ldns_pkt_type
get_dnssec_rr(ldns_pkt *p, ldns_rdf *name, ldns_rr_type t,
ldns_rr_list **rrlist, ldns_rr_list **sig)
{
ldns_pkt_type pt = LDNS_PACKET_UNKNOWN;
ldns_rr_list *rr = NULL;
ldns_rr_list *sigs = NULL;
size_t i;
if (!p) {
if (rrlist) {
*rrlist = NULL;
}
return LDNS_PACKET_UNKNOWN;
}
pt = ldns_pkt_reply_type(p);
if (name) {
rr = ldns_pkt_rr_list_by_name_and_type(p, name, t, LDNS_SECTION_ANSWER);
if (!rr) {
rr = ldns_pkt_rr_list_by_name_and_type(p, name, t, LDNS_SECTION_AUTHORITY);
}
sigs = ldns_pkt_rr_list_by_name_and_type(p, name, LDNS_RR_TYPE_RRSIG,
LDNS_SECTION_ANSWER);
if (!sigs) {
sigs = ldns_pkt_rr_list_by_name_and_type(p, name, LDNS_RR_TYPE_RRSIG,
LDNS_SECTION_AUTHORITY);
}
} else {
/* A DS-referral - get the DS records if they are there */
rr = ldns_pkt_rr_list_by_type(p, t, LDNS_SECTION_AUTHORITY);
sigs = ldns_pkt_rr_list_by_type(p, LDNS_RR_TYPE_RRSIG,
LDNS_SECTION_AUTHORITY);
}
if (sig) {
*sig = ldns_rr_list_new();
for (i = 0; i < ldns_rr_list_rr_count(sigs); i++) {
/* only add the sigs that cover this type */
if (ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(ldns_rr_list_rr(sigs, i))) ==
t) {
ldns_rr_list_push_rr(*sig, ldns_rr_clone(ldns_rr_list_rr(sigs, i)));
}
}
}
ldns_rr_list_deep_free(sigs);
if (rrlist) {
*rrlist = rr;
}
if (pt == LDNS_PACKET_NXDOMAIN || pt == LDNS_PACKET_NODATA) {
return pt;
} else {
return LDNS_PACKET_ANSWER;
}
}
void dnspkt_proc (const char *bytes, uint16_t len, struct timeval ts, host_t *src, host_t *dst) {
ldns_pkt *pkt;
if (ldns_wire2pkt(&pkt, bytes, len) != LDNS_STATUS_OK) {
return;
}
if (ldns_pkt_get_opcode(pkt) != LDNS_PACKET_QUERY) goto done;
uint16_t i;
ldns_rr_list *rrlist;
if (ldns_pkt_qr(pkt) == 0) {
rrlist = ldns_pkt_question(pkt);
for (i = 0; i < ldns_rr_list_rr_count(rrlist); i++) {
dnspkt_printqry(ldns_rr_list_rr(rrlist, i), ts, src, dst);
}
} else {
dnspkt_printresp(pkt, ts, src, dst);
if (ldns_pkt_aa(pkt) == 0) goto done;
if (ldns_pkt_tc(pkt) == 1) goto done;
if (ldns_pkt_rd(pkt) == 1) goto done;
if (ldns_pkt_get_rcode(pkt) != LDNS_RCODE_NOERROR) goto done;
rrlist = ldns_pkt_answer(pkt);
for (i = 0; i < ldns_rr_list_rr_count(rrlist); i++) {
dnspkt_printrr(ldns_rr_list_rr(rrlist, i), ts, src, dst, 0);
}
rrlist = ldns_pkt_authority(pkt);
for (i = 0; i < ldns_rr_list_rr_count(rrlist); i++) {
dnspkt_printrr(ldns_rr_list_rr(rrlist, i), ts, src, dst, 1);
}
rrlist = ldns_pkt_additional(pkt);
for (i = 0; i < ldns_rr_list_rr_count(rrlist); i++) {
dnspkt_printrr(ldns_rr_list_rr(rrlist, i), ts, src, dst, 2);
}
}
done:
ldns_pkt_free(pkt);
}
/** match two rr lists */
static int
match_list(ldns_rr_list* q, ldns_rr_list *p, bool mttl)
{
size_t i;
if(ldns_rr_list_rr_count(q) != ldns_rr_list_rr_count(p))
return 0;
for(i=0; i<ldns_rr_list_rr_count(q); i++)
{
if(ldns_rr_compare(ldns_rr_list_rr(q, i),
ldns_rr_list_rr(p, i)) != 0) {
verbose(3, "rr %d different", (int)i);
return 0;
}
if(mttl && ldns_rr_ttl(ldns_rr_list_rr(q, i)) !=
ldns_rr_ttl(ldns_rr_list_rr(p, i))) {
verbose(3, "rr %d ttl different", (int)i);
return 0;
}
}
return 1;
}
ldns_zone *
ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list)
{
ldns_dnssec_zone *dnssec_zone;
ldns_zone *signed_zone;
ldns_rr_list *new_rrs;
size_t i;
signed_zone = ldns_zone_new();
dnssec_zone = ldns_dnssec_zone_new();
(void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
ldns_zone_set_soa(signed_zone, ldns_zone_soa(zone));
for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
(void) ldns_dnssec_zone_add_rr(dnssec_zone,
ldns_rr_list_rr(ldns_zone_rrs(zone),
i));
ldns_zone_push_rr(signed_zone,
ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
i)));
}
new_rrs = ldns_rr_list_new();
(void) ldns_dnssec_zone_sign(dnssec_zone,
new_rrs,
key_list,
ldns_dnssec_default_replace_signatures,
NULL);
for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
}
ldns_rr_list_deep_free(new_rrs);
ldns_dnssec_zone_free(dnssec_zone);
return signed_zone;
}
/* convert a rr list to wireformat */
ldns_status
ldns_rr_list2buffer_wire(ldns_buffer *buffer,const ldns_rr_list *rr_list)
{
uint16_t rr_count;
uint16_t i;
rr_count = ldns_rr_list_rr_count(rr_list);
for(i = 0; i < rr_count; i++) {
(void)ldns_rr2buffer_wire(buffer, ldns_rr_list_rr(rr_list, i),
LDNS_SECTION_ANY);
}
return ldns_buffer_status(buffer);
}
static int udp_bind(int sock, int port, const char *my_address)
{
struct sockaddr_in addr;
in_addr_t maddr = INADDR_ANY;
if (my_address) {
#ifdef AF_INET6
if (inet_pton(AF_INET6, my_address, &maddr) < 1) {
#else
if (0) {
#endif
if (inet_pton(AF_INET, my_address, &maddr) < 1) {
return -2;
}
}
}
#ifndef S_SPLINT_S
addr.sin_family = AF_INET;
#endif
addr.sin_port = (in_port_t) htons((uint16_t)port);
addr.sin_addr.s_addr = maddr;
return bind(sock, (struct sockaddr *)&addr, (socklen_t) sizeof(addr));
}
/* this will probably be moved to a better place in the library itself */
ldns_rr_list *
get_rrset(const ldns_zone *zone, const ldns_rdf *owner_name, const ldns_rr_type qtype, const ldns_rr_class qclass)
{
uint16_t i;
ldns_rr_list *rrlist = ldns_rr_list_new();
ldns_rr *cur_rr;
if (!zone || !owner_name) {
fprintf(stderr, "Warning: get_rrset called with NULL zone or owner name\n");
return rrlist;
}
for (i = 0; i < ldns_zone_rr_count(zone); i++) {
cur_rr = ldns_rr_list_rr(ldns_zone_rrs(zone), i);
if (ldns_dname_compare(ldns_rr_owner(cur_rr), owner_name) == 0 &&
ldns_rr_get_class(cur_rr) == qclass &&
ldns_rr_get_type(cur_rr) == qtype
) {
ldns_rr_list_push_rr(rrlist, ldns_rr_clone(cur_rr));
}
}
printf("Found rrset of %u rrs\n", (unsigned int) ldns_rr_list_rr_count(rrlist));
return rrlist;
}
/** sign the rrs with the keys */
static void
signit(ldns_rr_list* rrs, ldns_key_list* keys)
{
ldns_rr_list* rrset;
ldns_rr_list* sigs;
while(ldns_rr_list_rr_count(rrs) > 0) {
rrset = ldns_rr_list_pop_rrset(rrs);
if(!rrset) fatal_exit("copy alloc failure");
sigs = ldns_sign_public(rrset, keys);
if(!sigs) fatal_exit("failed to sign");
ldns_rr_list_print(stdout, rrset);
ldns_rr_list_print(stdout, sigs);
printf("\n");
ldns_rr_list_free(rrset);
ldns_rr_list_free(sigs);
}
}
ldns_status
ldns_resolver_push_nameserver_rr_list(ldns_resolver *r, ldns_rr_list *rrlist)
{
ldns_rr *rr;
ldns_status stat;
size_t i;
stat = LDNS_STATUS_OK;
if (rrlist) {
for(i = 0; i < ldns_rr_list_rr_count(rrlist); i++) {
rr = ldns_rr_list_rr(rrlist, i);
if (ldns_resolver_push_nameserver_rr(r, rr) != LDNS_STATUS_OK) {
stat = LDNS_STATUS_ERR;
}
}
return stat;
} else {
return LDNS_STATUS_ERR;
}
}
/*
* Read a hints file as root
*
* The file with the given path should contain a list of NS RRs
* for the root zone and A records for those NS RRs.
* Read them, check them, and append the a records to the rr list given.
*/
ldns_rr_list *
read_root_hints(const char *filename)
{
FILE *fp = NULL;
int line_nr = 0;
ldns_zone *z;
ldns_status status;
ldns_rr_list *addresses = NULL;
ldns_rr *rr;
size_t i;
fp = fopen(filename, "r");
if (!fp) {
fprintf(stderr, "Unable to open %s for reading: %s\n", filename, strerror(errno));
return NULL;
}
status = ldns_zone_new_frm_fp_l(&z, fp, NULL, 0, 0, &line_nr);
fclose(fp);
if (status != LDNS_STATUS_OK) {
fprintf(stderr, "Error reading root hints file: %s\n", ldns_get_errorstr_by_id(status));
return NULL;
} else {
addresses = ldns_rr_list_new();
for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(z)); i++) {
rr = ldns_rr_list_rr(ldns_zone_rrs(z), i);
/*if ((address_family == 0 || address_family == 1) &&
*/
if ( ldns_rr_get_type(rr) == LDNS_RR_TYPE_A ) {
ldns_rr_list_push_rr(addresses, ldns_rr_clone(rr));
}
/*if ((address_family == 0 || address_family == 2) &&*/
if ( ldns_rr_get_type(rr) == LDNS_RR_TYPE_AAAA) {
ldns_rr_list_push_rr(addresses, ldns_rr_clone(rr));
}
}
ldns_zone_deep_free(z);
return addresses;
}
}
void dnspkt_printresp (ldns_pkt *pkt, struct timeval ts, host_t *src, host_t *dst) {
FILE *output = dnsfile_resp();
__print_ts(output, ts);
__print_ip(output, src);
__print_ip(output, dst);
fprintf(output, "%u\t", (uint16_t)ldns_pkt_size(pkt));
fprintf(output, "%u\t", ldns_pkt_aa(pkt));
fprintf(output, "%u\t", ldns_pkt_tc(pkt));
fprintf(output, "%u\t", ldns_pkt_rd(pkt));
fprintf(output, "%u\t", ldns_pkt_ra(pkt));
fprintf(output, "%u\t", ldns_pkt_get_rcode(pkt));
fprintf(output, "%u\t", ldns_pkt_qdcount(pkt));
fprintf(output, "%u\t", ldns_pkt_ancount(pkt));
fprintf(output, "%u\t", ldns_pkt_nscount(pkt));
fprintf(output, "%u\t", ldns_pkt_arcount(pkt));
ldns_rr_list *rrlist = ldns_pkt_question(pkt);
if (ldns_rr_list_rr_count(rrlist) > 0) {
ldns_rr_print(output, ldns_rr_list_rr(rrlist, 0));
} else {
fprintf(output, "\t\t\n");
}
}
void
check_cover(ldns_rr_list *list, ldns_rdf *qname)
{
ldns_status status;
size_t i;
if(check_done(qname))
return;
for(i=0; i<ldns_rr_list_rr_count(list); ++i)
{
ldns_rr* nsec3 = ldns_rr_list_rr(list, i);
if(ldns_rr_get_type(nsec3) != LDNS_RR_TYPE_NSEC3) {
/* skip non nsec3 */
continue;
}
ldns_rdf* hashed = ldns_nsec3_hash_name_frm_nsec3(
nsec3, qname);
status = ldns_dname_cat(hashed, ldns_dname_left_chop(
ldns_rr_owner(nsec3)));
if(status != LDNS_STATUS_OK)
abort_ldns_error("ldns_dname_cat", status);
if(ldns_dname_compare(hashed, ldns_rr_owner(nsec3)) == 0) {
ldns_rdf_print(stdout, ldns_rr_owner(nsec3));
printf(" proves ");
ldns_rdf_print(stdout, qname);
printf(" exists.\n");
}
else if(ldns_nsec_covers_name(nsec3, hashed)) {
ldns_rdf_print(stdout, ldns_rr_owner(nsec3));
printf(" proves ");
ldns_rdf_print(stdout, qname);
printf(" does not exist.\n");
}
ldns_rdf_free(hashed);
}
}
int
main(int argc, char **argv)
{
char *filename;
FILE *fp;
ldns_zone *z;
int line_nr = 0;
int c;
bool canonicalize = false;
bool sort = false;
bool strip = false;
bool only_dnssec = false;
bool print_soa = true;
ldns_status s;
size_t i;
ldns_rr_list *stripped_list;
ldns_rr *cur_rr;
ldns_rr_type cur_rr_type;
while ((c = getopt(argc, argv, "cdhnsvz")) != -1) {
switch(c) {
case 'c':
canonicalize = true;
break;
case 'd':
only_dnssec = true;
if (strip) {
fprintf(stderr, "Warning: stripping both DNSSEC and non-DNSSEC records. Output will be sparse.\n");
}
break;
case 'h':
printf("Usage: %s [-c] [-v] [-z] <zonefile>\n", argv[0]);
printf("\tReads the zonefile and prints it.\n");
printf("\tThe RR count of the zone is printed to stderr.\n");
printf("\t-c canonicalize all rrs in the zone.\n");
printf("\t-d only show DNSSEC data from the zone\n");
printf("\t-h show this text\n");
printf("\t-n do not print the SOA record\n");
printf("\t-s strip DNSSEC data from the zone\n");
printf("\t-v shows the version and exits\n");
printf("\t-z sort the zone (implies -c).\n");
printf("\nif no file is given standard input is read\n");
exit(EXIT_SUCCESS);
break;
case 'n':
print_soa = false;
break;
case 's':
strip = true;
if (only_dnssec) {
fprintf(stderr, "Warning: stripping both DNSSEC and non-DNSSEC records. Output will be sparse.\n");
}
break;
case 'v':
printf("read zone version %s (ldns version %s)\n", LDNS_VERSION, ldns_version());
exit(EXIT_SUCCESS);
break;
case 'z':
canonicalize = true;
sort = true;
break;
}
}
argc -= optind;
argv += optind;
if (argc == 0) {
fp = stdin;
} else {
filename = argv[0];
fp = fopen(filename, "r");
if (!fp) {
fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
exit(EXIT_FAILURE);
}
}
s = ldns_zone_new_frm_fp_l(&z, fp, NULL, 0, LDNS_RR_CLASS_IN, &line_nr);
if (strip) {
stripped_list = ldns_rr_list_new();
while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z)))) {
cur_rr_type = ldns_rr_get_type(cur_rr);
if (cur_rr_type == LDNS_RR_TYPE_RRSIG ||
cur_rr_type == LDNS_RR_TYPE_NSEC ||
cur_rr_type == LDNS_RR_TYPE_NSEC3 ||
cur_rr_type == LDNS_RR_TYPE_NSEC3PARAMS
) {
ldns_rr_free(cur_rr);
} else {
ldns_rr_list_push_rr(stripped_list, cur_rr);
}
}
ldns_rr_list_free(ldns_zone_rrs(z));
ldns_zone_set_rrs(z, stripped_list);
}
if (only_dnssec) {
stripped_list = ldns_rr_list_new();
while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z)))) {
cur_rr_type = ldns_rr_get_type(cur_rr);
if (cur_rr_type == LDNS_RR_TYPE_RRSIG ||
cur_rr_type == LDNS_RR_TYPE_NSEC ||
cur_rr_type == LDNS_RR_TYPE_NSEC3 ||
cur_rr_type == LDNS_RR_TYPE_NSEC3PARAMS
) {
ldns_rr_list_push_rr(stripped_list, cur_rr);
} else {
ldns_rr_free(cur_rr);
}
}
ldns_rr_list_free(ldns_zone_rrs(z));
ldns_zone_set_rrs(z, stripped_list);
}
if (s == LDNS_STATUS_OK) {
if (canonicalize) {
ldns_rr2canonical(ldns_zone_soa(z));
for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(z)); i++) {
ldns_rr2canonical(ldns_rr_list_rr(ldns_zone_rrs(z), i));
}
}
if (sort) {
ldns_zone_sort(z);
}
if (print_soa && ldns_zone_soa(z)) {
ldns_rr_print(stdout, ldns_zone_soa(z));
}
ldns_rr_list_print(stdout, ldns_zone_rrs(z));
ldns_zone_deep_free(z);
} else {
fprintf(stderr, "%s at %d\n",
ldns_get_errorstr_by_id(s),
line_nr);
exit(EXIT_FAILURE);
}
fclose(fp);
exit(EXIT_SUCCESS);
}
int
main(int argc, char **argv)
{
char *filename;
FILE *fp;
ldns_zone *z;
int line_nr = 0;
int c;
bool canonicalize = false;
bool sort = false;
bool strip = false;
bool only_dnssec = false;
bool print_soa = true;
ldns_status s;
size_t i;
ldns_rr_list *stripped_list;
ldns_rr *cur_rr;
ldns_rr_type cur_rr_type;
ldns_output_format_storage fmt_storage;
ldns_output_format* fmt = ldns_output_format_init(&fmt_storage);
ldns_soa_serial_increment_func_t soa_serial_increment_func = NULL;
int soa_serial_increment_func_data = 0;
while ((c = getopt(argc, argv, "0bcdhnpsu:U:vzS:")) != -1) {
switch(c) {
case 'b':
fmt->flags |=
( LDNS_COMMENT_BUBBLEBABBLE |
LDNS_COMMENT_FLAGS );
break;
case '0':
fmt->flags |= LDNS_FMT_ZEROIZE_RRSIGS;
break;
case 'c':
canonicalize = true;
break;
case 'd':
only_dnssec = true;
if (strip) {
fprintf(stderr, "Warning: stripping both DNSSEC and non-DNSSEC records. Output will be sparse.\n");
}
break;
case 'h':
print_usage("ldns-read-zone");
break;
case 'n':
print_soa = false;
break;
case 'p':
fmt->flags |= LDNS_FMT_PAD_SOA_SERIAL;
break;
case 's':
strip = true;
if (only_dnssec) {
fprintf(stderr, "Warning: stripping both DNSSEC and non-DNSSEC records. Output will be sparse.\n");
}
break;
case 'u':
s = ldns_output_format_set_type(fmt,
ldns_get_rr_type_by_name(optarg));
if (s != LDNS_STATUS_OK) {
fprintf( stderr
, "Cannot set rr type %s "
"in output format to "
"print as unknown type: %s\n"
, ldns_rr_descript(
ldns_get_rr_type_by_name(optarg)
)->_name
, ldns_get_errorstr_by_id(s)
);
exit(EXIT_FAILURE);
}
break;
case 'U':
s = ldns_output_format_clear_type(fmt,
ldns_get_rr_type_by_name(optarg));
if (s != LDNS_STATUS_OK) {
fprintf( stderr
, "Cannot set rr type %s "
"in output format to not "
"print as unknown type: %s\n"
, ldns_rr_descript(
ldns_get_rr_type_by_name(optarg)
)->_name
, ldns_get_errorstr_by_id(s)
);
exit(EXIT_FAILURE);
}
break;
case 'v':
printf("read zone version %s (ldns version %s)\n", LDNS_VERSION, ldns_version());
exit(EXIT_SUCCESS);
break;
case 'z':
canonicalize = true;
sort = true;
break;
case 'S':
strip = true;
if (*optarg == '+' || *optarg == '-') {
soa_serial_increment_func_data =
atoi(optarg);
soa_serial_increment_func =
ldns_soa_serial_increment_by;
} else if (! strtok(optarg, "0123456789")) {
soa_serial_increment_func_data =
atoi(optarg);
soa_serial_increment_func =
ldns_soa_serial_identity;
} else if (!strcasecmp(optarg, "YYYYMMDDxx")){
soa_serial_increment_func =
ldns_soa_serial_datecounter;
} else if (!strcasecmp(optarg, "unixtime")){
soa_serial_increment_func =
ldns_soa_serial_unixtime;
} else {
fprintf(stderr, "-S expects a number "
"optionally preceded by a "
"+ or - sign to indicate an "
"offset, or the text YYYYMM"
"DDxx or unixtime\n");
exit(EXIT_FAILURE);
}
break;
}
}
argc -= optind;
argv += optind;
if (argc == 0) {
fp = stdin;
} else {
filename = argv[0];
fp = fopen(filename, "r");
if (!fp) {
fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
exit(EXIT_FAILURE);
}
}
s = ldns_zone_new_frm_fp_l(&z, fp, NULL, 0, LDNS_RR_CLASS_IN, &line_nr);
fclose(fp);
if (s != LDNS_STATUS_OK) {
fprintf(stderr, "%s at %d\n",
ldns_get_errorstr_by_id(s),
line_nr);
exit(EXIT_FAILURE);
}
if (strip) {
stripped_list = ldns_rr_list_new();
while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z)))) {
cur_rr_type = ldns_rr_get_type(cur_rr);
if (cur_rr_type == LDNS_RR_TYPE_RRSIG ||
cur_rr_type == LDNS_RR_TYPE_NSEC ||
cur_rr_type == LDNS_RR_TYPE_NSEC3 ||
cur_rr_type == LDNS_RR_TYPE_NSEC3PARAM
) {
ldns_rr_free(cur_rr);
} else {
ldns_rr_list_push_rr(stripped_list, cur_rr);
}
}
ldns_rr_list_free(ldns_zone_rrs(z));
ldns_zone_set_rrs(z, stripped_list);
}
if (only_dnssec) {
stripped_list = ldns_rr_list_new();
while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z)))) {
cur_rr_type = ldns_rr_get_type(cur_rr);
if (cur_rr_type == LDNS_RR_TYPE_RRSIG ||
cur_rr_type == LDNS_RR_TYPE_NSEC ||
cur_rr_type == LDNS_RR_TYPE_NSEC3 ||
cur_rr_type == LDNS_RR_TYPE_NSEC3PARAM
) {
ldns_rr_list_push_rr(stripped_list, cur_rr);
} else {
ldns_rr_free(cur_rr);
}
}
ldns_rr_list_free(ldns_zone_rrs(z));
ldns_zone_set_rrs(z, stripped_list);
}
if (canonicalize) {
ldns_rr2canonical(ldns_zone_soa(z));
for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(z)); i++) {
ldns_rr2canonical(ldns_rr_list_rr(ldns_zone_rrs(z), i));
}
}
if (sort) {
ldns_zone_sort(z);
}
if (print_soa && ldns_zone_soa(z)) {
if (soa_serial_increment_func) {
ldns_rr_soa_increment_func_int(
ldns_zone_soa(z)
, soa_serial_increment_func
, soa_serial_increment_func_data
);
}
ldns_rr_print_fmt(stdout, fmt, ldns_zone_soa(z));
}
ldns_rr_list_print_fmt(stdout, fmt, ldns_zone_rrs(z));
ldns_zone_deep_free(z);
exit(EXIT_SUCCESS);
}
ldns_status
ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
ldns_rr_list *new_rrs,
ldns_key_list *key_list,
int (*func)(ldns_rr *, void*),
void *arg)
{
ldns_status result = LDNS_STATUS_OK;
ldns_rbnode_t *cur_node;
ldns_rr_list *rr_list;
ldns_dnssec_name *cur_name;
ldns_dnssec_rrsets *cur_rrset;
ldns_dnssec_rrs *cur_rr;
ldns_rr_list *siglist;
size_t i;
ldns_rr_list *pubkey_list = ldns_rr_list_new();
zone = zone;
new_rrs = new_rrs;
key_list = key_list;
for (i = 0; i<ldns_key_list_key_count(key_list); i++) {
ldns_rr_list_push_rr(pubkey_list,
ldns_key2rr(ldns_key_list_key(key_list, i)));
}
/* TODO: callback to see is list should be signed */
/* TODO: remove 'old' signatures from signature list */
cur_node = ldns_rbtree_first(zone->names);
while (cur_node != LDNS_RBTREE_NULL) {
cur_name = (ldns_dnssec_name *) cur_node->data;
if (!cur_name->is_glue) {
cur_rrset = cur_name->rrsets;
while (cur_rrset) {
/* reset keys to use */
ldns_key_list_set_use(key_list, true);
/* walk through old sigs, remove the old,
and mark which keys (not) to use) */
cur_rrset->signatures =
ldns_dnssec_remove_signatures(cur_rrset->signatures,
key_list,
func,
arg);
/* TODO: just set count to zero? */
rr_list = ldns_rr_list_new();
cur_rr = cur_rrset->rrs;
while (cur_rr) {
ldns_rr_list_push_rr(rr_list, cur_rr->rr);
cur_rr = cur_rr->next;
}
/* only sign non-delegation RRsets */
/* (glue should have been marked earlier) */
if ((ldns_rr_list_type(rr_list) != LDNS_RR_TYPE_NS ||
ldns_dname_compare(ldns_rr_list_owner(rr_list),
zone->soa->name) == 0) &&
/* OK, there is also the possibility that the record
* is glue, but at the same owner name as other records that
* are not NS nor A/AAAA. Bleh, our current data structure
* doesn't really support that... */
!((ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_A ||
ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_AAAA) &&
!ldns_dname_compare(ldns_rr_list_owner(rr_list), zone->soa->name) == 0 &&
ldns_dnssec_zone_find_rrset(zone, ldns_rr_list_owner(rr_list), LDNS_RR_TYPE_NS)
)) {
siglist = ldns_sign_public(rr_list, key_list);
for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
if (cur_rrset->signatures) {
ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
ldns_rr_list_rr(siglist,
i));
} else {
cur_rrset->signatures = ldns_dnssec_rrs_new();
cur_rrset->signatures->rr =
ldns_rr_list_rr(siglist, i);
ldns_rr_list_push_rr(new_rrs,
ldns_rr_list_rr(siglist,
i));
}
}
ldns_rr_list_free(siglist);
}
ldns_rr_list_free(rr_list);
cur_rrset = cur_rrset->next;
}
/* sign the nsec */
cur_name->nsec_signatures =
ldns_dnssec_remove_signatures(cur_name->nsec_signatures,
key_list,
func,
arg);
rr_list = ldns_rr_list_new();
ldns_rr_list_push_rr(rr_list, cur_name->nsec);
siglist = ldns_sign_public(rr_list, key_list);
for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
if (cur_name->nsec_signatures) {
ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
ldns_rr_list_rr(siglist, i));
} else {
cur_name->nsec_signatures = ldns_dnssec_rrs_new();
cur_name->nsec_signatures->rr =
ldns_rr_list_rr(siglist, i);
ldns_rr_list_push_rr(new_rrs,
ldns_rr_list_rr(siglist, i));
}
}
ldns_rr_list_free(siglist);
ldns_rr_list_free(rr_list);
}
cur_node = ldns_rbtree_next(cur_node);
}
ldns_rr_list_deep_free(pubkey_list);
return result;
}
/**
* use this function to sign with a public/private key alg
* return the created signatures
*/
ldns_rr_list *
ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
{
ldns_rr_list *signatures;
ldns_rr_list *rrset_clone;
ldns_rr *current_sig;
ldns_rdf *b64rdf;
ldns_key *current_key;
size_t key_count;
uint16_t i;
ldns_buffer *sign_buf;
ldns_rdf *new_owner;
if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) {
return NULL;
}
new_owner = NULL;
key_count = 0;
signatures = ldns_rr_list_new();
/* prepare a signature and add all the know data
* prepare the rrset. Sign this together. */
rrset_clone = ldns_rr_list_clone(rrset);
if (!rrset_clone) {
return NULL;
}
/* make it canonical */
for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
}
/* sort */
ldns_rr_list_sort(rrset_clone);
for (key_count = 0;
key_count < ldns_key_list_key_count(keys);
key_count++) {
if (!ldns_key_use(ldns_key_list_key(keys, key_count))) {
continue;
}
sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
if (!sign_buf) {
ldns_rr_list_free(rrset_clone);
ldns_rr_list_free(signatures);
ldns_rdf_free(new_owner);
return NULL;
}
b64rdf = NULL;
current_key = ldns_key_list_key(keys, key_count);
/* sign all RRs with keys that have ZSKbit, !SEPbit.
sign DNSKEY RRs with keys that have ZSKbit&SEPbit */
if (
ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY &&
(!(ldns_key_flags(current_key) & LDNS_KEY_SEP_KEY)
|| ldns_rr_get_type(ldns_rr_list_rr(rrset, 0))
== LDNS_RR_TYPE_DNSKEY)
) {
current_sig = ldns_create_empty_rrsig(rrset_clone,
current_key);
/* right now, we have: a key, a semi-sig and an rrset. For
* which we can create the sig and base64 encode that and
* add that to the signature */
if (ldns_rrsig2buffer_wire(sign_buf, current_sig)
!= LDNS_STATUS_OK) {
ldns_buffer_free(sign_buf);
/* ERROR */
ldns_rr_list_deep_free(rrset_clone);
return NULL;
}
/* add the rrset in sign_buf */
if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone)
!= LDNS_STATUS_OK) {
ldns_buffer_free(sign_buf);
ldns_rr_list_deep_free(rrset_clone);
return NULL;
}
b64rdf = ldns_sign_public_buffer(sign_buf, current_key);
if (!b64rdf) {
/* signing went wrong */
ldns_rr_list_deep_free(rrset_clone);
return NULL;
}
ldns_rr_rrsig_set_sig(current_sig, b64rdf);
/* push the signature to the signatures list */
ldns_rr_list_push_rr(signatures, current_sig);
}
ldns_buffer_free(sign_buf); /* restart for the next key */
}
ldns_rr_list_deep_free(rrset_clone);
return signatures;
}
ldns_status
do_chase(ldns_resolver *res,
ldns_rdf *name,
ldns_rr_type type,
ldns_rr_class c,
ldns_rr_list *trusted_keys,
ldns_pkt *pkt_o,
uint16_t qflags,
ldns_rr_list *prev_key_list,
int verbosity)
{
ldns_rr_list *rrset = NULL;
ldns_status result;
ldns_rr *orig_rr = NULL;
/*
ldns_rr_list *sigs;
ldns_rr *cur_sig;
uint16_t sig_i;
ldns_rr_list *keys;
*/
ldns_pkt *pkt;
ldns_status tree_result;
ldns_dnssec_data_chain *chain;
ldns_dnssec_trust_tree *tree;
const ldns_rr_descriptor *descriptor;
descriptor = ldns_rr_descript(type);
ldns_dname2canonical(name);
pkt = ldns_pkt_clone(pkt_o);
if (!name) {
ldns_pkt_free(pkt);
return LDNS_STATUS_EMPTY_LABEL;
}
if (verbosity != -1) {
printf(";; Chasing: ");
ldns_rdf_print(stdout, name);
if (descriptor && descriptor->_name) {
printf(" %s\n", descriptor->_name);
} else {
printf(" type %d\n", type);
}
}
if (!trusted_keys || ldns_rr_list_rr_count(trusted_keys) < 1) {
}
if (pkt) {
rrset = ldns_pkt_rr_list_by_name_and_type(pkt,
name,
type,
LDNS_SECTION_ANSWER
);
if (!rrset) {
/* nothing in answer, try authority */
rrset = ldns_pkt_rr_list_by_name_and_type(pkt,
name,
type,
LDNS_SECTION_AUTHORITY
);
}
/* answer might be a cname, chase that first, then chase
cname target? (TODO) */
if (!rrset) {
rrset = ldns_pkt_rr_list_by_name_and_type(pkt,
name,
LDNS_RR_TYPE_CNAME,
LDNS_SECTION_ANSWER
);
if (!rrset) {
/* nothing in answer, try authority */
rrset = ldns_pkt_rr_list_by_name_and_type(pkt,
name,
LDNS_RR_TYPE_CNAME,
LDNS_SECTION_AUTHORITY
);
}
}
} else {
/* no packet? */
if (verbosity >= 0) {
fprintf(stderr, "%s", ldns_get_errorstr_by_id(LDNS_STATUS_MEM_ERR));
fprintf(stderr, "\n");
}
return LDNS_STATUS_MEM_ERR;
}
if (!rrset) {
/* not found in original packet, try again */
ldns_pkt_free(pkt);
pkt = NULL;
pkt = ldns_resolver_query(res, name, type, c, qflags);
if (!pkt) {
if (verbosity >= 0) {
fprintf(stderr, "%s", ldns_get_errorstr_by_id(LDNS_STATUS_NETWORK_ERR));
fprintf(stderr, "\n");
}
return LDNS_STATUS_NETWORK_ERR;
}
if (verbosity >= 5) {
ldns_pkt_print(stdout, pkt);
}
rrset = ldns_pkt_rr_list_by_name_and_type(pkt,
name,
type,
LDNS_SECTION_ANSWER
);
}
orig_rr = ldns_rr_new();
/* if the answer had no answer section, we need to construct our own rr (for instance if
* the rr qe asked for doesn't exist. This rr will be destroyed when the chain is freed */
if (ldns_pkt_ancount(pkt) < 1) {
ldns_rr_set_type(orig_rr, type);
ldns_rr_set_owner(orig_rr, ldns_rdf_clone(name));
chain = ldns_dnssec_build_data_chain(res, qflags, rrset, pkt, ldns_rr_clone(orig_rr));
} else {
/* chase the first answer */
chain = ldns_dnssec_build_data_chain(res, qflags, rrset, pkt, NULL);
}
if (verbosity >= 4) {
printf("\n\nDNSSEC Data Chain:\n");
ldns_dnssec_data_chain_print(stdout, chain);
}
result = LDNS_STATUS_OK;
tree = ldns_dnssec_derive_trust_tree(chain, NULL);
if (verbosity >= 2) {
printf("\n\nDNSSEC Trust tree:\n");
ldns_dnssec_trust_tree_print(stdout, tree, 0, true);
}
if (ldns_rr_list_rr_count(trusted_keys) > 0) {
tree_result = ldns_dnssec_trust_tree_contains_keys(tree, trusted_keys);
if (tree_result == LDNS_STATUS_DNSSEC_EXISTENCE_DENIED) {
if (verbosity >= 1) {
printf("Existence denied or verifiably insecure\n");
}
result = LDNS_STATUS_OK;
} else if (tree_result != LDNS_STATUS_OK) {
if (verbosity >= 1) {
printf("No trusted keys found in tree: first error was: %s\n", ldns_get_errorstr_by_id(tree_result));
}
result = tree_result;
}
} else {
result = -1;
if (verbosity >= 0) {
printf("You have not provided any trusted keys.\n");
}
}
ldns_rr_free(orig_rr);
ldns_dnssec_trust_tree_free(tree);
ldns_dnssec_data_chain_deep_free(chain);
ldns_rr_list_deep_free(rrset);
ldns_pkt_free(pkt);
/* ldns_rr_free(orig_rr);*/
return result;
}
/**
* Main function of drill
* parse the arguments and prepare a query
*/
int
main(int argc, char *argv[])
{
ldns_resolver *res = NULL;
ldns_resolver *cmdline_res = NULL; /* only used to resolv @name names */
ldns_rr_list *cmdline_rr_list = NULL;
ldns_rdf *cmdline_dname = NULL;
ldns_rdf *qname, *qname_tmp;
ldns_pkt *pkt;
ldns_pkt *qpkt;
char *serv;
const char *name;
char *name2;
char *progname;
char *query_file = NULL;
char *answer_file = NULL;
ldns_buffer *query_buffer = NULL;
ldns_rdf *serv_rdf;
ldns_rr_type type;
ldns_rr_class clas;
#if 0
ldns_pkt_opcode opcode = LDNS_PACKET_QUERY;
#endif
int i, c;
int int_type;
int int_clas;
int PURPOSE;
char *tsig_name = NULL;
char *tsig_data = NULL;
char *tsig_algorithm = NULL;
size_t tsig_separator;
size_t tsig_separator2;
ldns_rr *axfr_rr;
ldns_status status;
char *type_str;
/* list of keys used in dnssec operations */
ldns_rr_list *key_list = ldns_rr_list_new();
/* what key verify the current answer */
ldns_rr_list *key_verified;
/* resolver options */
uint16_t qflags;
uint16_t qbuf;
uint16_t qport;
uint8_t qfamily;
bool qdnssec;
bool qfallback;
bool qds;
bool qusevc;
bool qrandom;
char *resolv_conf_file = NULL;
ldns_rdf *trace_start_name = NULL;
int result = 0;
#ifdef USE_WINSOCK
int r;
WSADATA wsa_data;
#endif
int_type = -1; serv = NULL; type = 0;
int_clas = -1; name = NULL; clas = 0;
qname = NULL;
progname = strdup(argv[0]);
#ifdef USE_WINSOCK
r = WSAStartup(MAKEWORD(2,2), &wsa_data);
if(r != 0) {
printf("Failed WSAStartup: %d\n", r);
result = EXIT_FAILURE;
goto exit;
}
#endif /* USE_WINSOCK */
PURPOSE = DRILL_QUERY;
qflags = LDNS_RD;
qport = LDNS_PORT;
verbosity = 2;
qdnssec = false;
qfamily = LDNS_RESOLV_INETANY;
qfallback = false;
qds = false;
qbuf = 0;
qusevc = false;
qrandom = true;
key_verified = NULL;
ldns_init_random(NULL, 0);
if (argc == 0) {
usage(stdout, progname);
result = EXIT_FAILURE;
goto exit;
}
/* string from orig drill: "i:w:I46Sk:TNp:b:DsvhVcuaq:f:xr" */
/* global first, query opt next, option with parm's last
* and sorted */ /* "46DITSVQf:i:w:q:achuvxzy:so:p:b:k:" */
while ((c = getopt(argc, argv, "46ab:c:d:Df:hi:Ik:o:p:q:Qr:sStTuvV:w:xy:z")) != -1) {
switch(c) {
/* global options */
case '4':
qfamily = LDNS_RESOLV_INET;
break;
case '6':
qfamily = LDNS_RESOLV_INET6;
break;
case 'D':
qdnssec = true;
break;
case 'I':
/* reserved for backward compatibility */
break;
case 'T':
if (PURPOSE == DRILL_CHASE) {
fprintf(stderr, "-T and -S cannot be used at the same time.\n");
exit(EXIT_FAILURE);
}
PURPOSE = DRILL_TRACE;
break;
#ifdef HAVE_SSL
case 'S':
if (PURPOSE == DRILL_TRACE) {
fprintf(stderr, "-T and -S cannot be used at the same time.\n");
exit(EXIT_FAILURE);
}
PURPOSE = DRILL_CHASE;
break;
#endif /* HAVE_SSL */
case 'V':
if (strtok(optarg, "0123456789") != NULL) {
fprintf(stderr, "-V expects an number as an argument.\n");
exit(EXIT_FAILURE);
}
verbosity = atoi(optarg);
break;
case 'Q':
verbosity = -1;
break;
case 'f':
query_file = optarg;
break;
case 'i':
answer_file = optarg;
PURPOSE = DRILL_AFROMFILE;
break;
case 'w':
answer_file = optarg;
break;
case 'q':
query_file = optarg;
PURPOSE = DRILL_QTOFILE;
break;
case 'r':
if (global_dns_root) {
fprintf(stderr, "There was already a series of root servers set\n");
exit(EXIT_FAILURE);
}
global_dns_root = read_root_hints(optarg);
if (!global_dns_root) {
fprintf(stderr, "Unable to read root hints file %s, aborting\n", optarg);
exit(EXIT_FAILURE);
}
break;
/* query options */
case 'a':
qfallback = true;
break;
case 'b':
qbuf = (uint16_t)atoi(optarg);
if (qbuf == 0) {
error("%s", "<bufsize> could not be converted");
}
break;
case 'c':
resolv_conf_file = optarg;
break;
case 't':
qusevc = true;
break;
case 'k':
status = read_key_file(optarg,
key_list, false);
if (status != LDNS_STATUS_OK) {
error("Could not parse the key file %s: %s", optarg, ldns_get_errorstr_by_id(status));
}
qdnssec = true; /* enable that too */
break;
case 'o':
/* only looks at the first hit: capital=ON, lowercase=OFF*/
if (strstr(optarg, "QR")) {
DRILL_ON(qflags, LDNS_QR);
}
if (strstr(optarg, "qr")) {
DRILL_OFF(qflags, LDNS_QR);
}
if (strstr(optarg, "AA")) {
DRILL_ON(qflags, LDNS_AA);
}
if (strstr(optarg, "aa")) {
DRILL_OFF(qflags, LDNS_AA);
}
if (strstr(optarg, "TC")) {
DRILL_ON(qflags, LDNS_TC);
}
if (strstr(optarg, "tc")) {
DRILL_OFF(qflags, LDNS_TC);
}
if (strstr(optarg, "RD")) {
DRILL_ON(qflags, LDNS_RD);
}
if (strstr(optarg, "rd")) {
DRILL_OFF(qflags, LDNS_RD);
}
if (strstr(optarg, "CD")) {
DRILL_ON(qflags, LDNS_CD);
}
if (strstr(optarg, "cd")) {
DRILL_OFF(qflags, LDNS_CD);
}
if (strstr(optarg, "RA")) {
DRILL_ON(qflags, LDNS_RA);
}
if (strstr(optarg, "ra")) {
DRILL_OFF(qflags, LDNS_RA);
}
if (strstr(optarg, "AD")) {
DRILL_ON(qflags, LDNS_AD);
}
if (strstr(optarg, "ad")) {
DRILL_OFF(qflags, LDNS_AD);
}
break;
case 'p':
qport = (uint16_t)atoi(optarg);
if (qport == 0) {
error("%s", "<port> could not be converted");
}
break;
case 's':
qds = true;
break;
case 'u':
qusevc = false;
break;
case 'v':
version(stdout, progname);
result = EXIT_SUCCESS;
goto exit;
case 'x':
PURPOSE = DRILL_REVERSE;
break;
case 'y':
#ifdef HAVE_SSL
if (strchr(optarg, ':')) {
tsig_separator = (size_t) (strchr(optarg, ':') - optarg);
if (strchr(optarg + tsig_separator + 1, ':')) {
tsig_separator2 = (size_t) (strchr(optarg + tsig_separator + 1, ':') - optarg);
tsig_algorithm = xmalloc(strlen(optarg) - tsig_separator2);
strncpy(tsig_algorithm, optarg + tsig_separator2 + 1, strlen(optarg) - tsig_separator2);
tsig_algorithm[strlen(optarg) - tsig_separator2 - 1] = '\0';
} else {
tsig_separator2 = strlen(optarg);
tsig_algorithm = xmalloc(26);
strncpy(tsig_algorithm, "hmac-md5.sig-alg.reg.int.", 25);
tsig_algorithm[25] = '\0';
}
tsig_name = xmalloc(tsig_separator + 1);
tsig_data = xmalloc(tsig_separator2 - tsig_separator);
strncpy(tsig_name, optarg, tsig_separator);
strncpy(tsig_data, optarg + tsig_separator + 1, tsig_separator2 - tsig_separator - 1);
/* strncpy does not append \0 if source is longer than n */
tsig_name[tsig_separator] = '\0';
tsig_data[ tsig_separator2 - tsig_separator - 1] = '\0';
}
#else
fprintf(stderr, "TSIG requested, but SSL is not supported\n");
result = EXIT_FAILURE;
goto exit;
#endif /* HAVE_SSL */
break;
case 'z':
qrandom = false;
break;
case 'd':
trace_start_name = ldns_dname_new_frm_str(optarg);
if (!trace_start_name) {
fprintf(stderr, "Unable to parse argument for -%c\n", c);
result = EXIT_FAILURE;
goto exit;
}
break;
case 'h':
version(stdout, progname);
usage(stdout, progname);
result = EXIT_SUCCESS;
goto exit;
break;
default:
fprintf(stderr, "Unknown argument: -%c, use -h to see usage\n", c);
result = EXIT_FAILURE;
goto exit;
}
}
argc -= optind;
argv += optind;
if ((PURPOSE == DRILL_CHASE || (PURPOSE == DRILL_TRACE && qdnssec)) &&
ldns_rr_list_rr_count(key_list) == 0) {
(void) read_key_file(LDNS_TRUST_ANCHOR_FILE, key_list, true);
}
if (ldns_rr_list_rr_count(key_list) > 0) {
printf(";; Number of trusted keys: %d\n",
(int) ldns_rr_list_rr_count(key_list));
}
/* do a secure trace when requested */
if (PURPOSE == DRILL_TRACE && qdnssec) {
#ifdef HAVE_SSL
if (ldns_rr_list_rr_count(key_list) == 0) {
warning("%s", "No trusted keys were given. Will not be able to verify authenticity!");
}
PURPOSE = DRILL_SECTRACE;
#else
fprintf(stderr, "ldns has not been compiled with OpenSSL support. Secure trace not available\n");
exit(1);
#endif /* HAVE_SSL */
}
/* parse the arguments, with multiple arguments, the last argument
* found is used */
for(i = 0; i < argc; i++) {
/* if ^@ then it's a server */
if (argv[i][0] == '@') {
if (strlen(argv[i]) == 1) {
warning("%s", "No nameserver given");
exit(EXIT_FAILURE);
}
serv = argv[i] + 1;
continue;
}
/* if has a dot, it's a name */
if (strchr(argv[i], '.')) {
name = argv[i];
continue;
}
/* if it matches a type, it's a type */
if (int_type == -1) {
type = ldns_get_rr_type_by_name(argv[i]);
if (type != 0) {
int_type = 0;
continue;
}
}
/* if it matches a class, it's a class */
if (int_clas == -1) {
clas = ldns_get_rr_class_by_name(argv[i]);
if (clas != 0) {
int_clas = 0;
continue;
}
}
/* it all fails assume it's a name */
name = argv[i];
}
/* act like dig and use for . NS */
if (!name) {
name = ".";
int_type = 0;
type = LDNS_RR_TYPE_NS;
}
/* defaults if not given */
if (int_clas == -1) {
clas = LDNS_RR_CLASS_IN;
}
if (int_type == -1) {
if (PURPOSE != DRILL_REVERSE) {
type = LDNS_RR_TYPE_A;
} else {
type = LDNS_RR_TYPE_PTR;
}
}
/* set the nameserver to use */
if (!serv) {
/* no server given make a resolver from /etc/resolv.conf */
status = ldns_resolver_new_frm_file(&res, resolv_conf_file);
if (status != LDNS_STATUS_OK) {
warning("Could not create a resolver structure: %s (%s)\n"
"Try drill @localhost if you have a resolver running on your machine.",
ldns_get_errorstr_by_id(status), resolv_conf_file);
result = EXIT_FAILURE;
goto exit;
}
} else {
res = ldns_resolver_new();
if (!res || strlen(serv) <= 0) {
warning("Could not create a resolver structure");
result = EXIT_FAILURE;
goto exit;
}
/* add the nameserver */
serv_rdf = ldns_rdf_new_addr_frm_str(serv);
if (!serv_rdf) {
/* try to resolv the name if possible */
status = ldns_resolver_new_frm_file(&cmdline_res, resolv_conf_file);
if (status != LDNS_STATUS_OK) {
error("%s", "@server ip could not be converted");
}
ldns_resolver_set_dnssec(cmdline_res, qdnssec);
ldns_resolver_set_ip6(cmdline_res, qfamily);
ldns_resolver_set_fallback(cmdline_res, qfallback);
ldns_resolver_set_usevc(cmdline_res, qusevc);
cmdline_dname = ldns_dname_new_frm_str(serv);
cmdline_rr_list = ldns_get_rr_list_addr_by_name(
cmdline_res,
cmdline_dname,
LDNS_RR_CLASS_IN,
qflags);
ldns_rdf_deep_free(cmdline_dname);
if (!cmdline_rr_list) {
/* This error msg is not always accurate */
error("%s `%s\'", "could not find any address for the name:", serv);
} else {
if (ldns_resolver_push_nameserver_rr_list(
res,
cmdline_rr_list
) != LDNS_STATUS_OK) {
error("%s", "pushing nameserver");
}
}
} else {
if (ldns_resolver_push_nameserver(res, serv_rdf) != LDNS_STATUS_OK) {
error("%s", "pushing nameserver");
} else {
ldns_rdf_deep_free(serv_rdf);
}
}
}
/* set the resolver options */
ldns_resolver_set_port(res, qport);
if (verbosity >= 5) {
ldns_resolver_set_debug(res, true);
} else {
ldns_resolver_set_debug(res, false);
}
ldns_resolver_set_dnssec(res, qdnssec);
/* ldns_resolver_set_dnssec_cd(res, qdnssec);*/
ldns_resolver_set_ip6(res, qfamily);
ldns_resolver_set_fallback(res, qfallback);
ldns_resolver_set_usevc(res, qusevc);
ldns_resolver_set_random(res, qrandom);
if (qbuf != 0) {
ldns_resolver_set_edns_udp_size(res, qbuf);
}
if (!name &&
PURPOSE != DRILL_AFROMFILE &&
!query_file
) {
usage(stdout, progname);
result = EXIT_FAILURE;
goto exit;
}
if (tsig_name && tsig_data) {
ldns_resolver_set_tsig_keyname(res, tsig_name);
ldns_resolver_set_tsig_keydata(res, tsig_data);
ldns_resolver_set_tsig_algorithm(res, tsig_algorithm);
}
/* main switching part of drill */
switch(PURPOSE) {
case DRILL_TRACE:
/* do a trace from the root down */
if (!global_dns_root) {
init_root();
}
qname = ldns_dname_new_frm_str(name);
if (!qname) {
error("%s", "parsing query name");
}
/* don't care about return packet */
(void)do_trace(res, qname, type, clas);
clear_root();
break;
case DRILL_SECTRACE:
/* do a secure trace from the root down */
if (!global_dns_root) {
init_root();
}
qname = ldns_dname_new_frm_str(name);
if (!qname) {
error("%s", "making qname");
}
/* don't care about return packet */
#ifdef HAVE_SSL
result = do_secure_trace(res, qname, type, clas, key_list, trace_start_name);
#endif /* HAVE_SSL */
clear_root();
break;
case DRILL_CHASE:
qname = ldns_dname_new_frm_str(name);
if (!qname) {
error("%s", "making qname");
}
ldns_resolver_set_dnssec(res, true);
ldns_resolver_set_dnssec_cd(res, true);
/* set dnssec implies udp_size of 4096 */
ldns_resolver_set_edns_udp_size(res, 4096);
pkt = ldns_resolver_query(res, qname, type, clas, qflags);
if (!pkt) {
error("%s", "error pkt sending");
result = EXIT_FAILURE;
} else {
if (verbosity >= 3) {
ldns_pkt_print(stdout, pkt);
}
if (!ldns_pkt_answer(pkt)) {
mesg("No answer in packet");
} else {
#ifdef HAVE_SSL
ldns_resolver_set_dnssec_anchors(res, ldns_rr_list_clone(key_list));
result = do_chase(res, qname, type,
clas, key_list,
pkt, qflags, NULL,
verbosity);
if (result == LDNS_STATUS_OK) {
if (verbosity != -1) {
mesg("Chase successful");
}
result = 0;
} else {
if (verbosity != -1) {
mesg("Chase failed.");
}
}
#endif /* HAVE_SSL */
}
ldns_pkt_free(pkt);
}
break;
case DRILL_AFROMFILE:
pkt = read_hex_pkt(answer_file);
if (pkt) {
if (verbosity != -1) {
ldns_pkt_print(stdout, pkt);
}
ldns_pkt_free(pkt);
}
break;
case DRILL_QTOFILE:
qname = ldns_dname_new_frm_str(name);
if (!qname) {
error("%s", "making qname");
}
status = ldns_resolver_prepare_query_pkt(&qpkt, res, qname, type, clas, qflags);
if(status != LDNS_STATUS_OK) {
error("%s", "making query: %s",
ldns_get_errorstr_by_id(status));
}
dump_hex(qpkt, query_file);
ldns_pkt_free(qpkt);
break;
case DRILL_NSEC:
break;
case DRILL_REVERSE:
/* ipv4 or ipv6 addr? */
if (strchr(name, ':')) {
if (strchr(name, '.')) {
error("Syntax error: both '.' and ':' seen in address\n");
}
name2 = malloc(IP6_ARPA_MAX_LEN + 20);
c = 0;
for (i=0; i<(int)strlen(name); i++) {
if (i >= IP6_ARPA_MAX_LEN) {
error("%s", "reverse argument to long");
}
if (name[i] == ':') {
if (i < (int) strlen(name) && name[i + 1] == ':') {
error("%s", ":: not supported (yet)");
} else {
if (i + 2 == (int) strlen(name) || name[i + 2] == ':') {
name2[c++] = '0';
name2[c++] = '.';
name2[c++] = '0';
name2[c++] = '.';
name2[c++] = '0';
name2[c++] = '.';
} else if (i + 3 == (int) strlen(name) || name[i + 3] == ':') {
name2[c++] = '0';
name2[c++] = '.';
name2[c++] = '0';
name2[c++] = '.';
} else if (i + 4 == (int) strlen(name) || name[i + 4] == ':') {
name2[c++] = '0';
name2[c++] = '.';
}
}
} else {
name2[c++] = name[i];
name2[c++] = '.';
}
}
name2[c++] = '\0';
qname = ldns_dname_new_frm_str(name2);
qname_tmp = ldns_dname_reverse(qname);
ldns_rdf_deep_free(qname);
qname = qname_tmp;
qname_tmp = ldns_dname_new_frm_str("ip6.arpa.");
status = ldns_dname_cat(qname, qname_tmp);
if (status != LDNS_STATUS_OK) {
error("%s", "could not create reverse address for ip6: %s\n", ldns_get_errorstr_by_id(status));
}
ldns_rdf_deep_free(qname_tmp);
free(name2);
} else {
qname = ldns_dname_new_frm_str(name);
qname_tmp = ldns_dname_reverse(qname);
ldns_rdf_deep_free(qname);
qname = qname_tmp;
qname_tmp = ldns_dname_new_frm_str("in-addr.arpa.");
status = ldns_dname_cat(qname, qname_tmp);
if (status != LDNS_STATUS_OK) {
error("%s", "could not create reverse address for ip4: %s\n", ldns_get_errorstr_by_id(status));
}
ldns_rdf_deep_free(qname_tmp);
}
if (!qname) {
error("%s", "-x implies an ip address");
}
/* create a packet and set the RD flag on it */
pkt = ldns_resolver_query(res, qname, type, clas, qflags);
if (!pkt) {
error("%s", "pkt sending");
result = EXIT_FAILURE;
} else {
if (verbosity != -1) {
ldns_pkt_print(stdout, pkt);
}
ldns_pkt_free(pkt);
}
break;
case DRILL_QUERY:
default:
if (query_file) {
/* this old way, the query packet needed
to be parseable, but we want to be able
to send mangled packets, so we need
to do it directly */
#if 0
qpkt = read_hex_pkt(query_file);
if (qpkt) {
status = ldns_resolver_send_pkt(&pkt, res, qpkt);
if (status != LDNS_STATUS_OK) {
printf("Error: %s\n", ldns_get_errorstr_by_id(status));
exit(1);
}
} else {
/* qpkt was bogus, reset pkt */
pkt = NULL;
}
#endif
query_buffer = read_hex_buffer(query_file);
if (query_buffer) {
status = ldns_send_buffer(&pkt, res, query_buffer, NULL);
ldns_buffer_free(query_buffer);
if (status != LDNS_STATUS_OK) {
printf("Error: %s\n", ldns_get_errorstr_by_id(status));
exit(1);
}
} else {
printf("NO BUFFER\n");
pkt = NULL;
}
} else {
qname = ldns_dname_new_frm_str(name);
if (!qname) {
error("%s", "error in making qname");
}
if (type == LDNS_RR_TYPE_AXFR) {
status = ldns_axfr_start(res, qname, clas);
if(status != LDNS_STATUS_OK) {
error("Error starting axfr: %s",
ldns_get_errorstr_by_id(status));
}
axfr_rr = ldns_axfr_next(res);
if(!axfr_rr) {
fprintf(stderr, "AXFR failed.\n");
ldns_pkt_print(stdout,
ldns_axfr_last_pkt(res));
goto exit;
}
while (axfr_rr) {
if (verbosity != -1) {
ldns_rr_print(stdout, axfr_rr);
}
ldns_rr_free(axfr_rr);
axfr_rr = ldns_axfr_next(res);
}
goto exit;
} else {
/* create a packet and set the RD flag on it */
pkt = ldns_resolver_query(res, qname, type, clas, qflags);
}
}
if (!pkt) {
mesg("No packet received");
result = EXIT_FAILURE;
} else {
if (verbosity != -1) {
ldns_pkt_print(stdout, pkt);
if (ldns_pkt_tc(pkt)) {
fprintf(stdout,
"\n;; WARNING: The answer packet was truncated; you might want to\n");
fprintf(stdout,
";; query again with TCP (-t argument), or EDNS0 (-b for buffer size)\n");
}
}
if (qds) {
if (verbosity != -1) {
print_ds_of_keys(pkt);
printf("\n");
}
}
if (ldns_rr_list_rr_count(key_list) > 0) {
/* -k's were given on the cmd line */
ldns_rr_list *rrset_verified;
uint16_t key_count;
rrset_verified = ldns_pkt_rr_list_by_name_and_type(
pkt, qname, type,
LDNS_SECTION_ANY_NOQUESTION);
if (type == LDNS_RR_TYPE_ANY) {
/* don't verify this */
break;
}
if (verbosity != -1) {
printf("; ");
ldns_rr_list_print(stdout, rrset_verified);
}
/* verify */
#ifdef HAVE_SSL
key_verified = ldns_rr_list_new();
result = ldns_pkt_verify(pkt, type, qname, key_list, NULL, key_verified);
if (result == LDNS_STATUS_ERR) {
/* is the existence denied then? */
result = ldns_verify_denial(pkt, qname, type, NULL, NULL);
if (result == LDNS_STATUS_OK) {
if (verbosity != -1) {
printf("Existence denied for ");
ldns_rdf_print(stdout, qname);
type_str = ldns_rr_type2str(type);
printf("\t%s\n", type_str);
LDNS_FREE(type_str);
}
} else {
if (verbosity != -1) {
printf("Bad data; RR for name and "
"type not found or failed to "
"verify, and denial of "
"existence failed.\n");
}
}
} else if (result == LDNS_STATUS_OK) {
for(key_count = 0; key_count < ldns_rr_list_rr_count(key_verified);
key_count++) {
if (verbosity != -1) {
printf("; VALIDATED by id = %u, owner = ",
(unsigned int)ldns_calc_keytag(
ldns_rr_list_rr(key_verified, key_count)));
ldns_rdf_print(stdout, ldns_rr_owner(
ldns_rr_list_rr(key_list, key_count)));
printf("\n");
}
}
} else {
for(key_count = 0; key_count < ldns_rr_list_rr_count(key_list);
key_count++) {
if (verbosity != -1) {
printf("; %s for id = %u, owner = ",
ldns_get_errorstr_by_id(result),
(unsigned int)ldns_calc_keytag(
ldns_rr_list_rr(key_list, key_count)));
ldns_rdf_print(stdout, ldns_rr_owner(
ldns_rr_list_rr(key_list,
key_count)));
printf("\n");
}
}
}
ldns_rr_list_free(key_verified);
#else
(void) key_count;
#endif /* HAVE_SSL */
}
if (answer_file) {
dump_hex(pkt, answer_file);
}
ldns_pkt_free(pkt);
}
break;
}
exit:
ldns_rdf_deep_free(qname);
ldns_resolver_deep_free(res);
ldns_resolver_deep_free(cmdline_res);
ldns_rr_list_deep_free(key_list);
ldns_rr_list_deep_free(cmdline_rr_list);
ldns_rdf_deep_free(trace_start_name);
xfree(progname);
xfree(tsig_name);
xfree(tsig_data);
xfree(tsig_algorithm);
#ifdef HAVE_SSL
ERR_remove_state(0);
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
EVP_cleanup();
#endif
#ifdef USE_WINSOCK
WSACleanup();
#endif
return result;
}
int cache_dns_objects(packetinfo *pi, ldns_rdf *rdf_data,
ldns_buffer *buff, ldns_pkt *dns_pkt) {
int j;
int dns_answer_domain_cnt;
uint64_t dnshash;
ldns_status status;
pdns_record *pr = NULL;
ldns_rr_list *dns_answer_domains;
unsigned char *domain_name = 0;
ldns_buffer_clear(buff);
status = ldns_rdf2buffer_str(buff, rdf_data);
if (status != LDNS_STATUS_OK) {
dlog("[D] Error in ldns_rdf2buffer_str(): %d\n", status);
return(-1);
}
dns_answer_domains = ldns_pkt_answer(dns_pkt);
dns_answer_domain_cnt = ldns_rr_list_rr_count(dns_answer_domains);
domain_name = (unsigned char *) ldns_buffer2str(buff);
if (domain_name == NULL) {
dlog("[D] Error in ldns_buffer2str(%p)\n", buff);
return(-1);
} else {
dlog("[D] domain_name: %s\n", domain_name);
dlog("[D] dns_answer_domain_cnt: %d\n",dns_answer_domain_cnt);
}
if (dns_answer_domain_cnt == 0 && ldns_pkt_get_rcode(dns_pkt) != 0) {
uint16_t rcode = ldns_pkt_get_rcode(dns_pkt);
dlog("[D] Error return code: %d\n", rcode);
/* PROBLEM:
* As there is no valid ldns_rr here and we cant fake one that will
* be very unique, we cant push this to the normal
* bucket[hash->linked_list]. We should probably allocate a static
* bucket[MAX_NXDOMAIN] to hold NXDOMAINS, and when that is full, pop
* out the oldest (LRU). A simple script quering for random non existing
* domains could easly put stress on passivedns (think conficker etc.)
* if the bucket is to big or non efficient. We would still store data
* such as: fistseen,lastseen,client_ip,server_ip,class,query,NXDOMAIN
*/
if (config.dnsfe & (pdns_chk_dnsfe(rcode))) {
ldns_rr_list *dns_query_domains;
ldns_rr_class class;
ldns_rr_type type;
ldns_rr *rr;
dnshash = hash(domain_name);
dlog("[D] Hash: %lu\n", dnshash);
/* Check if the node exists, if not, make it */
pr = get_pdns_record(dnshash, pi, domain_name);
/* Set the SRC flag: */
//lname_node->srcflag |= pdns_chk_dnsfe(rcode);
dns_query_domains = ldns_pkt_question(dns_pkt);
rr = ldns_rr_list_rr(dns_query_domains, 0);
class = ldns_rr_get_class(rr);
type = ldns_rr_get_type(rr);
if ((pr->last_seen.tv_sec - pr->last_print.tv_sec) >= config.dnsprinttime) {
/* Print the SRC Error record */
print_passet_err(pr, rdf_data, rr, rcode);
}
} else {
ldns_status
ldns_dnssec_zone_new_frm_fp_l(ldns_dnssec_zone** z, FILE* fp, ldns_rdf* origin,
uint32_t ttl, ldns_rr_class ATTR_UNUSED(c), int* line_nr)
{
ldns_rr* cur_rr;
size_t i;
ldns_rdf *my_origin = NULL;
ldns_rdf *my_prev = NULL;
ldns_dnssec_zone *newzone = ldns_dnssec_zone_new();
/* when reading NSEC3s, there is a chance that we encounter nsecs
for empty nonterminals, whose nonterminals we cannot derive yet
because the needed information is to be read later. in that case
we keep a list of those nsec3's and retry to add them later */
ldns_rr_list* todo_nsec3s = ldns_rr_list_new();
ldns_rr_list* todo_nsec3_rrsigs = ldns_rr_list_new();
ldns_status status = LDNS_STATUS_MEM_ERR;
#ifdef FASTER_DNSSEC_ZONE_NEW_FRM_FP
ldns_zone* zone = NULL;
if (ldns_zone_new_frm_fp_l(&zone, fp, origin,ttl, c, line_nr)
!= LDNS_STATUS_OK) goto error;
#else
uint32_t my_ttl = ttl;
#endif
if (!newzone || !todo_nsec3s || !todo_nsec3_rrsigs ) goto error;
if (origin) {
if (!(my_origin = ldns_rdf_clone(origin))) goto error;
if (!(my_prev = ldns_rdf_clone(origin))) goto error;
}
#ifdef FASTER_DNSSEC_ZONE_NEW_FRM_FP
if (ldns_dnssec_zone_add_rr(newzone, ldns_zone_soa(zone))
!= LDNS_STATUS_OK) goto error;
for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
cur_rr = ldns_rr_list_rr(ldns_zone_rrs(zone), i);
status = LDNS_STATUS_OK;
#else
while (!feof(fp)) {
status = ldns_rr_new_frm_fp_l(&cur_rr, fp, &my_ttl, &my_origin,
&my_prev, line_nr);
#endif
switch (status) {
case LDNS_STATUS_OK:
status = ldns_dnssec_zone_add_rr(newzone, cur_rr);
if (status ==
LDNS_STATUS_DNSSEC_NSEC3_ORIGINAL_NOT_FOUND) {
if (rr_is_rrsig_covering(cur_rr,
LDNS_RR_TYPE_NSEC3)){
ldns_rr_list_push_rr(todo_nsec3_rrsigs,
cur_rr);
} else {
ldns_rr_list_push_rr(todo_nsec3s,
cur_rr);
}
status = LDNS_STATUS_OK;
} else if (status != LDNS_STATUS_OK)
goto error;
break;
case LDNS_STATUS_SYNTAX_EMPTY: /* empty line was seen */
case LDNS_STATUS_SYNTAX_TTL: /* the ttl was set*/
case LDNS_STATUS_SYNTAX_ORIGIN: /* the origin was set*/
status = LDNS_STATUS_OK;
break;
case LDNS_STATUS_SYNTAX_INCLUDE:/* $include not implemented */
status = LDNS_STATUS_SYNTAX_INCLUDE_ERR_NOTIMPL;
break;
default:
goto error;
}
}
if (ldns_rr_list_rr_count(todo_nsec3s) > 0) {
(void) ldns_dnssec_zone_add_empty_nonterminals(newzone);
for (i = 0; status == LDNS_STATUS_OK &&
i < ldns_rr_list_rr_count(todo_nsec3s); i++) {
cur_rr = ldns_rr_list_rr(todo_nsec3s, i);
status = ldns_dnssec_zone_add_rr(newzone, cur_rr);
}
}
if (ldns_rr_list_rr_count(todo_nsec3_rrsigs) > 0) {
for (i = 0; status == LDNS_STATUS_OK &&
i < ldns_rr_list_rr_count(todo_nsec3_rrsigs);
i++){
cur_rr = ldns_rr_list_rr(todo_nsec3_rrsigs, i);
status = ldns_dnssec_zone_add_rr(newzone, cur_rr);
}
}
if (z) {
*z = newzone;
newzone = NULL;
} else {
ldns_dnssec_zone_free(newzone);
}
error:
#ifdef FASTER_DNSSEC_ZONE_NEW_FRM_FP
if (zone) {
ldns_zone_free(zone);
}
#endif
ldns_rr_list_free(todo_nsec3_rrsigs);
ldns_rr_list_free(todo_nsec3s);
if (my_origin) {
ldns_rdf_deep_free(my_origin);
}
if (my_prev) {
ldns_rdf_deep_free(my_prev);
}
if (newzone) {
ldns_dnssec_zone_free(newzone);
}
return status;
}
ldns_status
ldns_dnssec_zone_new_frm_fp(ldns_dnssec_zone** z, FILE* fp, ldns_rdf* origin,
uint32_t ttl, ldns_rr_class ATTR_UNUSED(c))
{
return ldns_dnssec_zone_new_frm_fp_l(z, fp, origin, ttl, c, NULL);
}
static void
ldns_dnssec_name_node_free(ldns_rbnode_t *node, void *arg) {
(void) arg;
ldns_dnssec_name_free((ldns_dnssec_name *)node->data);
LDNS_FREE(node);
}
switch_status_t ldns_lookup(const char *number, const char *root, char *server_name[ENUM_MAXNAMESERVERS] , enum_record_t **results)
{
ldns_resolver *res = NULL;
ldns_rdf *domain = NULL;
ldns_pkt *p = NULL;
ldns_rr_list *naptr = NULL;
ldns_status s = LDNS_STATUS_ERR;
ldns_rdf *serv_rdf;
switch_status_t status = SWITCH_STATUS_FALSE;
char *name = NULL;
struct timeval to = { 0, 0};
int inameserver = 0;
int added_server = 0;
if (!(name = reverse_number(number, root))) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Parse Error!\n");
goto end;
}
if (!(domain = ldns_dname_new_frm_str(name))) {
goto end;
}
if (server_name) {
res = ldns_resolver_new();
switch_assert(res);
for(inameserver=0; inameserver<ENUM_MAXNAMESERVERS; inameserver++) {
if ( server_name[inameserver] != NULL ) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Adding Nameserver [%s]\n", server_name[inameserver]);
if ((serv_rdf = ldns_rdf_new_addr_frm_str( server_name[inameserver] ))) {
s = ldns_resolver_push_nameserver(res, serv_rdf);
ldns_rdf_deep_free(serv_rdf);
added_server = 1;
}
}
}
}
if (!added_server) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "No Nameservers specified, using host default\n");
/* create a new resolver from /etc/resolv.conf */
s = ldns_resolver_new_frm_file(&res, NULL);
}
if (s != LDNS_STATUS_OK) {
goto end;
}
to.tv_sec = globals.timeout / 1000;
to.tv_usec = (globals.timeout % 1000) * 1000;
ldns_resolver_set_timeout(res, to);
ldns_resolver_set_retry(res, (uint8_t)globals.retries);
ldns_resolver_set_random(res, globals.random);
if ((p = ldns_resolver_query(res,
domain,
LDNS_RR_TYPE_NAPTR,
LDNS_RR_CLASS_IN,
LDNS_RD))) {
/* retrieve the NAPTR records from the answer section of that
* packet
*/
if ((naptr = ldns_pkt_rr_list_by_type(p, LDNS_RR_TYPE_NAPTR, LDNS_SECTION_ANSWER))) {
size_t i;
ldns_rr_list_sort(naptr);
for (i = 0; i < ldns_rr_list_rr_count(naptr); i++) {
parse_naptr(ldns_rr_list_rr(naptr, i), number, results);
}
//ldns_rr_list_print(stdout, naptr);
ldns_rr_list_deep_free(naptr);
status = SWITCH_STATUS_SUCCESS;
}
}
end:
switch_safe_free(name);
if (domain) {
ldns_rdf_deep_free(domain);
}
if (p) {
ldns_pkt_free(p);
}
if (res) {
ldns_resolver_deep_free(res);
}
return status;
}
int
main(int argc, char *argv[])
{
ldns_resolver *res;
ldns_rdf *name;
ldns_rdf *version, *id;
ldns_pkt *p;
ldns_rr_list *addr;
ldns_rr_list *info;
ldns_status s;
ldns_rdf *pop;
size_t i;
if (argc != 2) {
usage(stdout, argv[0]);
exit(EXIT_FAILURE);
} else {
/* create a rdf from the command line arg */
name = ldns_dname_new_frm_str(argv[1]);
if (!name) {
usage(stdout, argv[0]);
exit(EXIT_FAILURE);
}
}
/* create rdf for what we are going to ask */
version = ldns_dname_new_frm_str("version.bind");
id = ldns_dname_new_frm_str("hostname.bind");
/* create a new resolver from /etc/resolv.conf */
s = ldns_resolver_new_frm_file(&res, NULL);
if (s != LDNS_STATUS_OK) {
ldns_rdf_deep_free(name);
exit(EXIT_FAILURE);
}
ldns_resolver_set_retry(res, 1); /* don't want to wait too long */
/* use the resolver to send it a query for the a/aaaa of name */
addr = ldns_get_rr_list_addr_by_name(res, name, LDNS_RR_CLASS_IN, LDNS_RD);
if (!addr) {
fprintf(stderr, " *** could not get an address for %s\n", argv[1]);
ldns_rdf_deep_free(name);
ldns_resolver_deep_free(res);
exit(EXIT_FAILURE);
}
/* remove current list of nameservers from resolver */
while((pop = ldns_resolver_pop_nameserver(res))) { ldns_rdf_deep_free(pop); }
/* can be multihomed */
for(i = 0; i < ldns_rr_list_rr_count(addr); i++) {
if (i > 0) {
fprintf(stdout, "\n");
}
if (ldns_resolver_push_nameserver_rr(res,
ldns_rr_list_rr(addr, i)) != LDNS_STATUS_OK) {
printf("Error adding nameserver to resolver\n");
}
ldns_rr_print(stdout, ldns_rr_list_rr(addr, i));
fprintf(stdout, "\n");
p = ldns_resolver_query(res, version, LDNS_RR_TYPE_TXT,
LDNS_RR_CLASS_CH, LDNS_RD);
if (p) {
ldns_pkt_print(stdout, p);
info = ldns_pkt_rr_list_by_type(p,
LDNS_RR_TYPE_TXT, LDNS_SECTION_ANSWER);
if (info) {
ldns_rr_list_print(stdout, info);
ldns_rr_list_deep_free(info);
} else {
printf(" *** version retrieval failed\n");
}
ldns_pkt_free(p);
} else {
printf(" *** query failed\n");
}
p = ldns_resolver_query(res, id, LDNS_RR_TYPE_TXT,
LDNS_RR_CLASS_CH, LDNS_RD);
if (p) {
info = ldns_pkt_rr_list_by_type(p,
LDNS_RR_TYPE_TXT, LDNS_SECTION_ANSWER);
if (info) {
ldns_rr_list_print(stdout, info);
ldns_rr_list_deep_free(info);
} else {
printf(" *** id retrieval failed\n");
}
ldns_pkt_free(p);
} else {
printf(" *** query failed for\n");
}
ldns_rdf_deep_free(ldns_resolver_pop_nameserver(res));
}
ldns_rdf_deep_free(name);
ldns_resolver_deep_free(res);
exit(EXIT_SUCCESS);
}
